packages/crypto-policies
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to 20230614

Browse Source
This commit is contained in:
yixiangzhike 2024-01-26 09:44:47 +08:00
parent 1da2312e95
commit e30ed8ec48
9 changed files with 39 additions and 474 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch
View File

@ -1,56 +0,0 @@
From c40cedee6e5225dc72e590f9ff0282d876a2e5d5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 2 Jul 2020 15:40:01 +0200
Subject: [PATCH] Describe some of the quirks of the back-end config
generators.
---
crypto-policies.7.txt | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/crypto-policies.7.txt b/crypto-policies.7.txt
index 0971935..2b583b8 100644
--- a/crypto-policies.7.txt
+++ b/crypto-policies.7.txt
@@ -277,7 +277,7 @@ COMMANDS
NOTES
-----
-*Exceptions:*
+*Exceptions*
* *Go-language* applications do not yet follow the system-wide policy.
* *GnuPG-2* application does not follow the system-wide policy.
@@ -323,6 +323,29 @@ of individual applications:
* all *ECC* curves incompatible with *TLS 1.3*, including secp256k1
* *IKEv1*
+*Notable irregularities in the individual configuration generators*
+
+* *OpenSSL*: The minimum length of the keys and some other parameters
+are enforced by the @SECLEVEL value which does not provide a fine
+granularity. The list of *TLS* ciphers is not generated as an exact list
+but by subtracting from all the supported ciphers for the enabled key
+exchange methods. For that reason there is no way to disable a random cipher.
+In particular all *AES-128* ciphers are disabled if the *AES-128-GCM* is not
+present in the list; all *AES-256* ciphers are disabled if the *AES-256-GCM*
+is not present. The *CBC* ciphers are disabled if there isn't *HMAC-SHA1*
+in the hmac list and *AES-256-CBC* in the cipher list. To disable the *CCM*
+ciphers both *AES-128-CCM* and *AES-256-CCM* must not be present in the cipher
+list.
+
+* *GnuTLS*: The minimum length of the keys and some other parameters
+are enforced by min-verification-profile setting in the *GnuTLS* configuration
+file which does not provide fine granularity.
+
+* *OpenSSH*: *DH* group 1 is always disabled on server even if the policy
+allows 1024 bit *DH* groups in general. The OpenSSH configuration option
+HostKeyAlgorithms is set only for the *SSH* server as otherwise the
+handling of the existing known hosts entries would be broken on client.
+
HISTORY
-------
--
2.33.0

36
backport-Makefile-support-overriding-asciidoc-executable-name.patch
View File

@ -1,36 +0,0 @@
From 66c30b1e2de5fd37d610463a8fb6e70f6164fecc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
Date: Mon, 7 Nov 2022 16:56:43 +0100
Subject: [PATCH] Makefile: support overriding asciidoc executable name
Support `ASCIIDOC` override to specify another name for the asciidoc
executable. On Gentoo, only `asciidoc` is installed and there is no
`asciidoc.py`. Furthermore, this makes it possible to easily use
asciidoctor in place of asciidoc.
---
Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 0d93587..f99dc6d 100644
--- a/Makefile
+++ b/Makefile
@@ -10,5 +10,6 @@ SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
PYVERSION = -3
+ASCIIDOC?=asciidoc.py
all: build
@@ -109,7 +110,7 @@ clean:
rm -rf output
%: %.txt
- asciidoc.py -v -d manpage -b docbook $<
+ $(ASCIIDOC) -v -d manpage -b docbook $<
xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
dist:
--
2.27.0

38
backport-Makefile-update-for-asciidoc-10.patch
View File

@ -1,38 +0,0 @@
From 8c7de0471c1de088ff3c332590ea91a71d4273c0 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 20 Feb 2023 11:39:28 +0100
Subject: [PATCH] Makefile: update for asciidoc 10
---
Makefile | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index f99dc6d..e99ca19 100644
--- a/Makefile
+++ b/Makefile
@@ -10,6 +10,11 @@ SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
PYVERSION = -3
-ASCIIDOC?=asciidoc.py
+ASCIIDOC?=asciidoc
+ifneq ("$(wildcard /usr/lib/python*/*/asciidoc/resources/docbook-xsl/manpage.xsl)","")
+MANPAGEXSL?=$(wildcard /usr/lib/python*/*/asciidoc/resources/docbook-xsl/manpage.xsl)
+else
+MANPAGEXSL?=/usr/share/asciidoc/docbook-xsl/manpage.xsl
+endif
all: build
@@ -111,7 +116,7 @@ clean:
%: %.txt
$(ASCIIDOC) -v -d manpage -b docbook $<
- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
+ xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
dist:
rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
--
2.27.0

192
backport-policygenerators-nss-output-sigalgs-nss-3-59.patch
View File

@ -1,192 +0,0 @@
From b21c8114995e07965c2ccde5f5767d0618d854bf Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 18 Jan 2021 17:58:45 +0100
Subject: [PATCH] policygenerators/nss: output sigalgs (nss >=3.59)
Actually, checking for 3.60 because Fedora has reverted the change.
---
python/policygenerators/nss.py | 36 ++++++++++++++++++++++++++++++++---
tests/nss.py | 15 +++++++++++++++
tests/outputs/DEFAULT-nss.txt | 2 +-
tests/outputs/FIPS-nss.txt | 2 +-
tests/outputs/FIPS:ECDHE-ONLY-nss.txt | 2 +-
tests/outputs/FIPS:OSPP-nss.txt | 2 +-
tests/outputs/FUTURE-nss.txt | 2 +-
tests/outputs/LEGACY-nss.txt | 2 +-
9 files changed, 55 insertions(+), 10 deletions(-)
diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py
index ee10025..00935a2 100644
--- a/python/policygenerators/nss.py
+++ b/python/policygenerators/nss.py
@@ -6,6 +6,8 @@
from subprocess import call, CalledProcessError
from tempfile import mkstemp
+import ctypes
+import ctypes.util
import os
from .configgenerator import ConfigGenerator
@@ -86,6 +88,15 @@ class NSSGenerator(ConfigGenerator):
'DTLS1.2':'dtls1.2'
}
+ # Depends on a dict being ordered,
+ # impl. detail in CPython 3.6, guaranteed starting from Python 3.7.
+ sign_prefix_ordmap = {
+ 'RSA-PSS-':'RSA-PSS', # must come before RSA-
+ 'RSA-':'RSA-PKCS',
+ 'ECDSA-':'ECDSA',
+ 'DSA-':'DSA',
+ }
+
@classmethod
def generate_config(cls, policy):
p = policy.props
@@ -126,9 +137,14 @@ class NSSGenerator(ConfigGenerator):
except KeyError:
pass
- dsa = [i for i in p['sign'] if i.find('DSA-') == 0]
- if dsa:
- s = cls.append(s, 'DSA')
+ enabled_sigalgs = set()
+ for i in p['sign']:
+ for prefix, sigalg in cls.sign_prefix_ordmap.items():
+ if i.startswith(prefix):
+ if sigalg not in enabled_sigalgs:
+ enabled_sigalgs.add(sigalg)
+ s = cls.append(s, sigalg)
+ break # limit to first match
try:
minver = cls.protocol_map[p['min_tls_version']]
@@ -151,6 +167,20 @@ class NSSGenerator(ConfigGenerator):
@classmethod
def test_config(cls, config):
+ try:
+ nss_path = ctypes.util.find_library('nss3')
+ nss_lib = ctypes.CDLL(nss_path)
+ if not nss_lib.NSS_VersionCheck(b'3.60'):
+ # Cannot validate with pre-3.59 NSS
+ # that doesn't know ECDSA/RSA-PSS/RSA-PKCS
+ # identifiers yet.
+ # 3.60 because Fedora's 3.59 has that reverted
+ cls.eprint('Skipping nss-policy-check due to '
+ 'nss being older than 3.60')
+ return True
+ except AttributeError:
+ cls.eprint('Cannot determine nss version with ctypes')
+
if not os.access('/usr/bin/nss-policy-check', os.X_OK):
return True
diff --git a/tests/nss.py b/tests/nss.py
index 4d2cee1..a16d984 100755
--- a/tests/nss.py
+++ b/tests/nss.py
@@ -1,5 +1,7 @@
#!/usr/bin/python3
+import ctypes
+import ctypes.util
import glob
import os
import shutil
@@ -12,6 +14,19 @@ if shutil.which('nss-policy-check') is None:
sys.exit(0)
+# Cannot validate with pre-3.59 NSS that doesn't know ECDSA/RSA-PSS/RSA-PKCS
+# identifiers yet. Checking for 3.60 because Fedora has reverted the change.
+try:
+ nss = ctypes.CDLL(ctypes.util.find_library('nss3'))
+ if not nss.NSS_VersionCheck(b'3.60'):
+ print('Skipping nss-policy-check verification '
+ 'due to nss being older than 3.60', file=sys.stderr)
+ sys.exit(0)
+except AttributeError:
+ print('Cannot determine nss version with ctypes, hoping for >=3.59',
+ file=sys.stderr)
+
+
print('Checking the NSS configuration')
for policy_path in glob.glob('tests/outputs/*-nss.txt'):
diff --git a/tests/outputs/DEFAULT-nss.txt b/tests/outputs/DEFAULT-nss.txt
index 6a93308..500cd70 100644
--- a/tests/outputs/DEFAULT-nss.txt
+++ b/tests/outputs/DEFAULT-nss.txt
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
diff --git a/tests/outputs/FIPS-nss.txt b/tests/outputs/FIPS-nss.txt
index c9809b9..4fdf6bc 100644
--- a/tests/outputs/FIPS-nss.txt
+++ b/tests/outputs/FIPS-nss.txt
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff --git a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
index 78f4844..399bc5c 100644
--- a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
+++ b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff --git a/tests/outputs/FIPS:OSPP-nss.txt b/tests/outputs/FIPS:OSPP-nss.txt
index 0ca1ab0..d172a83 100644
--- a/tests/outputs/FIPS:OSPP-nss.txt
+++ b/tests/outputs/FIPS:OSPP-nss.txt
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff --git a/tests/outputs/FUTURE-nss.txt b/tests/outputs/FUTURE-nss.txt
index 23d1ce8..9cea0a4 100644
--- a/tests/outputs/FUTURE-nss.txt
+++ b/tests/outputs/FUTURE-nss.txt
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
diff --git a/tests/outputs/LEGACY-nss.txt b/tests/outputs/LEGACY-nss.txt
index e16b6ce..8bf8bd1 100644
--- a/tests/outputs/LEGACY-nss.txt
+++ b/tests/outputs/LEGACY-nss.txt
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
--
1.8.3.1

115
backport-rewrite-test-nss-pl-in-python.patch
View File

@ -1,115 +0,0 @@
From 4fb6cdf626ee35623400ca557198cecb4efd4e88 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 18 Jan 2021 17:43:53 +0100
Subject: [PATCH] tests/nss.pl: rewrite in Python
---
Makefile | 2 +-
tests/nss.pl | 41 -----------------------------------------
tests/nss.py | 33 +++++++++++++++++++++++++++++++++
3 files changed, 34 insertions(+), 42 deletions(-)
delete mode 100755 tests/nss.pl
create mode 100755 tests/nss.py
diff --git a/Makefile b/Makefile
index 2699ac6..a50408e 100644
--- a/Makefile
+++ b/Makefile
@@ -43,7 +43,7 @@ check:
python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies tests/outputs
tests/openssl.pl
tests/gnutls.pl
- tests/nss.pl
+ tests/nss.py
tests/java.pl
tests/krb5.py
top_srcdir=. tests/update-crypto-policies.sh
diff --git a/tests/nss.pl b/tests/nss.pl
deleted file mode 100755
index e021ffd..0000000
--- a/tests/nss.pl
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/perl
-
-my $RESULTFILE="result-nss.tmp";
-
-use File::Which qw(which);
-
-print "Checking the NSS configuration\n";
-
-my $dir = 'tests/outputs';
-
-opendir(DIR, $dir) or die $!;
-
-my @nsspolicies
- = grep {
- /-nss/ # has -nss in name
- && -f "$dir/$_" # and is a file
- } readdir(DIR);
-
-foreach my $policyfile (@nsspolicies) {
- my $policy = $policyfile;
- $policy =~ s/-[^-]+$//;
-
- print "Checking policy $policy\n";
- my $tool = which "nss-policy-check";
-
- if ($policy ne 'EMPTY' and $tool ne undef) {
-
- system("nss-policy-check $dir/$policyfile >$RESULTFILE 2>&1") ;
- if ($? != 0) {
- print "Error in NSS policy for $policy\n";
- print STDERR "NSS policy for $policy:\n";
- system("cat $dir/$policyfile 1>&2");
- print STDERR "\nnss-policy-check error:\n";
- system("cat $RESULTFILE 1>&2");
- exit 1;
- }
- unlink($RESULTFILE);
- }
-}
-
-exit 0;
diff --git a/tests/nss.py b/tests/nss.py
new file mode 100755
index 0000000..4d2cee1
--- /dev/null
+++ b/tests/nss.py
@@ -0,0 +1,33 @@
+#!/usr/bin/python3
+
+import glob
+import os
+import shutil
+import subprocess
+import sys
+
+
+if shutil.which('nss-policy-check') is None:
+ print('nss-policy-check not found, skipping check', file=sys.stderr)
+ sys.exit(0)
+
+
+print('Checking the NSS configuration')
+
+for policy_path in glob.glob('tests/outputs/*-nss.txt'):
+ policy = os.path.basename(policy_path)[:-len('-nss.txt')]
+ print(f'Checking policy {policy}')
+ if policy not in ('EMPTY', 'GOST-ONLY'):
+ p = subprocess.Popen(['nss-policy-check', policy_path],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.STDOUT)
+ output, _ = p.communicate()
+ if p.wait():
+ print(f'Error in NSS policy for {policy}')
+ print(f'NSS policy for {policy}:', file=sys.stderr)
+ with open(policy_path) as policy_file:
+ shutil.copyfileobj(policy_file, sys.stderr)
+ sys.stderr.write('\n')
+ print('nss-policy-check error:', file=sys.stderr)
+ print(output.decode(), file=sys.stderr)
+ sys.exit(1)
--
1.8.3.1

BIN
crypto-policies-git5f3458e.tar.gz Normal file
View File

Binary file not shown.

BIN
crypto-policies-git781bbd4.tar.gz
View File

Binary file not shown.

24
crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch
View File

@ -1,24 +0,0 @@
From 79b03b7a6ea10c8ed2a4a35d5daa8842922641f4 Mon Sep 17 00:00:00 2001
From: yixiangzhike <yixiangzhike007@163.com>
Date: Fri, 7 Jan 2022 15:12:26 +0800
Subject: [PATCH] tests outputs NEXT-nss: output sigalgs (nss >=3.59)
---
tests/outputs/NEXT-nss.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/outputs/NEXT-nss.txt b/tests/outputs/NEXT-nss.txt
index 1c2e182..846beb2 100644
--- a/tests/outputs/NEXT-nss.txt
+++ b/tests/outputs/NEXT-nss.txt
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
--
1.8.3.1

52
crypto-policies.spec
View File

@ -1,10 +1,10 @@
%global git_date 20200619
%global git_commit 781bbd45b7286408502ec47b5acc8ae85c604a68
%global git_commit_hash 781bbd4
%global git_date 20230614
%global git_commit 5f3458e619628288883f22695f3311f1ccd6a39f
%global git_commit_hash 5f3458e
Name: crypto-policies
Version: %{git_date}
Release: 4.git%{git_commit_hash}
Release: 1.git%{git_commit_hash}
Summary: Crypto policies package for Fedora
License: LGPLv2+
@ -14,25 +14,23 @@ URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
# directory.
Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
Patch0: backport-rewrite-test-nss-pl-in-python.patch
Patch1: backport-policygenerators-nss-output-sigalgs-nss-3-59.patch
Patch2: crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch
Patch3: backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch
Patch4: backport-Makefile-support-overriding-asciidoc-executable-name.patch
Patch5: backport-Makefile-update-for-asciidoc-10.patch
BuildArch: noarch
BuildRequires: asciidoc
BuildRequires: libxslt
BuildRequires: openssl
BuildRequires: gnutls-utils >= 3.6.0
BuildRequires: java-1.8.0-openjdk-devel
BuildRequires: java-21-openjdk-devel
BuildRequires: bind
BuildRequires: perl-interpreter
BuildRequires: perl-generators
BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
BuildRequires: perl(File::Which)
BuildRequires: python3-devel
BuildRequires: openssh-clients
Conflicts: openssl-libs < 3.0.2
Conflicts: openssh < 9.0p1
Conflicts: gnutls < 3.7.3
# used by update-crypto-policies
Requires: coreutils
@ -73,6 +71,13 @@ to enable or disable the system FIPS mode.
%autosetup -p1 -n fedora-%{name}-%{git_commit_hash}-%{git_commit}
%build
# Drop pre-generated GOST-ONLY policies
rm -rf policies/GOST-ONLY.pol
# Drop FEDORA policies
rm -rf policies/FEDORA38.pol
rm -rf policies/TEST-FEDORA39.pol
make %{?_smp_mflags}
%install
@ -97,6 +102,11 @@ done
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
%check
# Don't diff FEDORA38 policies, it's deleted
sed -i '/diff\ policies\/DEFAULT.pol\ policies\/FEDORA38.pol/d' Makefile
# Don't check GOST-ONLY policies, it's deleted
sed -i '/\ GOST-ONLY\ /d' Makefile
make check %{?_smp_mflags}
%post
@ -126,13 +136,15 @@ make check %{?_smp_mflags}
%ghost %{_sysconfdir}/crypto-policies/back-ends/krb5.config
%ghost %{_sysconfdir}/crypto-policies/back-ends/openjdk.config
%ghost %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
%ghost %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
%ghost %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
%{_bindir}/update-crypto-policies
%{_mandir}/man7/crypto-policies.7*
%{_mandir}/man8/update-crypto-policies.8*
%{_datarootdir}/crypto-policies/LEGACY/*
%{_datarootdir}/crypto-policies/DEFAULT/*
%{_datarootdir}/crypto-policies/NEXT/*
%{_datarootdir}/crypto-policies/FUTURE/*
%{_datarootdir}/crypto-policies/FIPS/*
%{_datarootdir}/crypto-policies/EMPTY/*
@ -151,6 +163,20 @@ make check %{?_smp_mflags}
%license COPYING.LESSER
%changelog
* Fri Jan 26 2024 yixiangzhike <yixiangzhike007@163.com> - 20230614-1.git5f3458e
- update version to 20230614
- DEFAULT policy drop DH<2048bits,TLS1.0,TLS1.1,SHA-1
- Remove the CBC ciphers from DEFAULT policy in openssh
- FIPS policy drop the CBC ciphersuites
- Enable RSA-PSK algorithms in DEFAULT and LEGACY policies
- Add the diffie-hellman-group14-sha256 to libssh
- Add --check option to update-crypto-policies
- Add AES-192 algorithms support
- Use allowlisting config for gnutls
- Enable SHAKE algorithms for gnutls,java and nss
- Openssl disable SHA-1 signatures in FUTURE policy
- Openssh add HostbasedAcceptedAlgorithms and RequiresRSASize config options
* Mon Feb 27 2023 yixiangzhike <yixiangzhike007@163.com> - 20200619-4.git781bbd4
- Makefile support overriding asciidoc executable name
- update Makefile for asciidoc 10