backport upstream patch to add more notes for crypto-policies exceptions

Signed-off-by: yixiangzhike <yixiangzhike007@163.com>
2022-10-20 02:46:12 +00:00 · 2022-10-20 02:46:12 +00:00 · 75927e6f73
commit 75927e6f73
parent c813320b04
2 changed files with 61 additions and 1 deletions
--- a/backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch
+++ b/backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch
@ -0,0 +1,56 @@
+From c40cedee6e5225dc72e590f9ff0282d876a2e5d5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 2 Jul 2020 15:40:01 +0200
+Subject: [PATCH] Describe some of the quirks of the back-end config
+ generators.
+
+---
+ crypto-policies.7.txt | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/crypto-policies.7.txt b/crypto-policies.7.txt
+index 0971935..2b583b8 100644
+--- a/crypto-policies.7.txt
+++ b/crypto-policies.7.txt
+@@ -277,7 +277,7 @@ COMMANDS
+ NOTES
+ -----
+ 
+-*Exceptions:*
+*Exceptions*
+ 
+ * *Go-language* applications do not yet follow the system-wide policy.
+ * *GnuPG-2* application does not follow the system-wide policy.
+@@ -323,6 +323,29 @@ of individual applications:
+ * all *ECC* curves incompatible with *TLS 1.3*, including secp256k1
+ * *IKEv1*
+ 
+*Notable irregularities in the individual configuration generators*
+
+* *OpenSSL*: The minimum length of the keys and some other parameters
+are enforced by the @SECLEVEL value which does not provide a fine
+granularity. The list of *TLS* ciphers is not generated as an exact list
+but by subtracting from all the supported ciphers for the enabled key
+exchange methods. For that reason there is no way to disable a random cipher.
+In particular all *AES-128* ciphers are disabled if the *AES-128-GCM* is not
+present in the list; all *AES-256* ciphers are disabled if the *AES-256-GCM*
+is not present. The *CBC* ciphers are disabled if there isn't *HMAC-SHA1*
+in the hmac list and *AES-256-CBC* in the cipher list. To disable the *CCM*
+ciphers both *AES-128-CCM* and *AES-256-CCM* must not be present in the cipher
+list.
+
+* *GnuTLS*: The minimum length of the keys and some other parameters
+are enforced by min-verification-profile setting in the *GnuTLS* configuration
+file which does not provide fine granularity.
+
+* *OpenSSH*: *DH* group 1 is always disabled on server even if the policy
+allows 1024 bit *DH* groups in general. The OpenSSH configuration option
+HostKeyAlgorithms is set only for the *SSH* server as otherwise the
+handling of the existing known hosts entries would be broken on client.
+
+ HISTORY
+ -------
+ 
+-- 
+2.33.0
+
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -4,7 +4,7 @@

 Name:           crypto-policies
 Version:        %{git_date}
-Release:        2.git%{git_commit_hash}
+Release:        3.git%{git_commit_hash}
 Summary:        Crypto policies package for Fedora

 License:        LGPLv2+
@ -17,6 +17,7 @@ Source0:        https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archiv
 Patch0:         backport-rewrite-test-nss-pl-in-python.patch
 Patch1:         backport-policygenerators-nss-output-sigalgs-nss-3-59.patch
 Patch2:         crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch
+Patch3:         backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch

 BuildArch: noarch
 BuildRequires: asciidoc
@ -148,6 +149,9 @@ make check %{?_smp_mflags}
 %license COPYING.LESSER

 %changelog
+* Thu Oct 20 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-3.git781bbd4
+- backport upstream patch to add more notes for crypto-policies exceptions
+
 * Fri Jan 7 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-2.git781bbd4
 - add new algorithms in nss's config file to support nss >= 3.59 (ECDSA RSA-PSS RSA-PKCS)