Compare commits
10 Commits
a7fe562334
...
b25678312b
| Author | SHA1 | Date | |
|---|---|---|---|
|
b25678312b | ||
|
|
deff47403e | ||
|
|
65ac68a7fe | ||
|
|
e30ed8ec48 | ||
|
|
1da2312e95 | ||
|
|
2ca91d9a63 | ||
|
|
b652447ec0 | ||
|
|
75927e6f73 | ||
|
|
c813320b04 | ||
|
|
577432fc23 |
BIN
crypto-policies-git5f3458e.tar.gz
Normal file
BIN
crypto-policies-git5f3458e.tar.gz
Normal file
Binary file not shown.
Binary file not shown.
@ -1,10 +1,10 @@
|
||||
%global git_date 20200619
|
||||
%global git_commit 781bbd45b7286408502ec47b5acc8ae85c604a68
|
||||
%global git_commit_hash 781bbd4
|
||||
%global git_date 20230614
|
||||
%global git_commit 5f3458e619628288883f22695f3311f1ccd6a39f
|
||||
%global git_commit_hash 5f3458e
|
||||
|
||||
Name: crypto-policies
|
||||
Version: %{git_date}
|
||||
Release: 1.git%{git_commit_hash}
|
||||
Release: 2.git%{git_commit_hash}
|
||||
Summary: Crypto policies package for Fedora
|
||||
|
||||
License: LGPLv2+
|
||||
@ -19,13 +19,18 @@ BuildRequires: asciidoc
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: openssl
|
||||
BuildRequires: gnutls-utils >= 3.6.0
|
||||
BuildRequires: java-1.8.0-openjdk-devel
|
||||
BuildRequires: java-21-openjdk-devel
|
||||
BuildRequires: bind
|
||||
BuildRequires: perl-interpreter
|
||||
BuildRequires: perl-generators
|
||||
BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
|
||||
BuildRequires: perl(File::Which)
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: openssh-clients
|
||||
|
||||
Conflicts: openssl-libs < 3.0.2
|
||||
Conflicts: openssh < 9.0p1
|
||||
Conflicts: gnutls < 3.7.3
|
||||
|
||||
# used by update-crypto-policies
|
||||
Requires: coreutils
|
||||
@ -63,13 +68,21 @@ The package also provides a tool fips-mode-setup, which can be used
|
||||
to enable or disable the system FIPS mode.
|
||||
|
||||
%prep
|
||||
%setup -q -n fedora-%{name}-%{git_commit_hash}-%{git_commit}
|
||||
%autosetup -p1 -n fedora-%{name}-%{git_commit_hash}-%{git_commit}
|
||||
|
||||
%build
|
||||
# Drop pre-generated GOST-ONLY policies
|
||||
rm -rf policies/GOST-ONLY.pol
|
||||
|
||||
# Drop FEDORA policies
|
||||
rm -rf policies/FEDORA38.pol
|
||||
rm -rf policies/TEST-FEDORA39.pol
|
||||
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
|
||||
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
|
||||
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
|
||||
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
|
||||
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
|
||||
@ -79,23 +92,34 @@ mkdir -p -m 755 %{buildroot}%{_bindir}
|
||||
|
||||
make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
|
||||
install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
|
||||
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
|
||||
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
|
||||
|
||||
# Create back-end configs for mounting with read-only /etc/
|
||||
for d in LEGACY DEFAULT FUTURE FIPS ; do
|
||||
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
|
||||
for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
|
||||
ln -s $(basename $f) $(dirname $f)/$(basename $f .txt).config
|
||||
ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
|
||||
done
|
||||
done
|
||||
|
||||
for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
|
||||
ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
|
||||
done
|
||||
|
||||
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
|
||||
|
||||
%check
|
||||
# Don't diff FEDORA38 policies, it's deleted
|
||||
sed -i '/diff\ policies\/DEFAULT.pol\ policies\/FEDORA38.pol/d' Makefile
|
||||
# Don't check GOST-ONLY policies, it's deleted
|
||||
sed -i '/\ GOST-ONLY\ /d' Makefile
|
||||
|
||||
make check %{?_smp_mflags}
|
||||
|
||||
%post
|
||||
%posttrans scripts
|
||||
%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
|
||||
|
||||
|
||||
%files
|
||||
|
||||
%dir %{_sysconfdir}/crypto-policies/
|
||||
@ -108,33 +132,40 @@ make check %{?_smp_mflags}
|
||||
|
||||
%config(noreplace) %{_sysconfdir}/crypto-policies/config
|
||||
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/openssl.config
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/openssh.config
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/nss.config
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/bind.config
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/java.config
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/krb5.config
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/openjdk.config
|
||||
%ghost %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
|
||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
|
||||
|
||||
%ghost %{_sysconfdir}/crypto-policies/state/current
|
||||
%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
|
||||
|
||||
%{_bindir}/update-crypto-policies
|
||||
%{_mandir}/man7/crypto-policies.7*
|
||||
%{_mandir}/man8/update-crypto-policies.8*
|
||||
%{_datarootdir}/crypto-policies/LEGACY/*
|
||||
%{_datarootdir}/crypto-policies/DEFAULT/*
|
||||
%{_datarootdir}/crypto-policies/NEXT/*
|
||||
%{_datarootdir}/crypto-policies/FUTURE/*
|
||||
%{_datarootdir}/crypto-policies/FIPS/*
|
||||
%{_datarootdir}/crypto-policies/EMPTY/*
|
||||
%{_datarootdir}/crypto-policies/back-ends/*
|
||||
%{_datarootdir}/crypto-policies/default-config
|
||||
%{_datarootdir}/crypto-policies/reload-cmds.sh
|
||||
%{_datarootdir}/crypto-policies/policies
|
||||
%{_datarootdir}/crypto-policies/python
|
||||
|
||||
%files scripts
|
||||
%{_bindir}/update-crypto-policies
|
||||
%{_mandir}/man8/update-crypto-policies.8*
|
||||
%{_datarootdir}/crypto-policies/python
|
||||
|
||||
%{_bindir}/fips-mode-setup
|
||||
%{_bindir}/fips-finish-install
|
||||
%{_mandir}/man8/fips-mode-setup.8*
|
||||
@ -144,6 +175,33 @@ make check %{?_smp_mflags}
|
||||
%license COPYING.LESSER
|
||||
|
||||
%changelog
|
||||
* Thu Mar 21 2024 duyiwei <duyiwei@kylinos.cn> - 20230614-2.git5f3458e
|
||||
- package pruning to minimize dependencies
|
||||
|
||||
* Fri Jan 26 2024 yixiangzhike <yixiangzhike007@163.com> - 20230614-1.git5f3458e
|
||||
- update version to 20230614
|
||||
- DEFAULT policy drop DH<2048bits,TLS1.0,TLS1.1,SHA-1
|
||||
- Remove the CBC ciphers from DEFAULT policy in openssh
|
||||
- FIPS policy drop the CBC ciphersuites
|
||||
- Enable RSA-PSK algorithms in DEFAULT and LEGACY policies
|
||||
- Add the diffie-hellman-group14-sha256 to libssh
|
||||
- Add --check option to update-crypto-policies
|
||||
- Add AES-192 algorithms support
|
||||
- Use allowlisting config for gnutls
|
||||
- Enable SHAKE algorithms for gnutls,java and nss
|
||||
- Openssl disable SHA-1 signatures in FUTURE policy
|
||||
- Openssh add HostbasedAcceptedAlgorithms and RequiresRSASize config options
|
||||
|
||||
* Mon Feb 27 2023 yixiangzhike <yixiangzhike007@163.com> - 20200619-4.git781bbd4
|
||||
- Makefile support overriding asciidoc executable name
|
||||
- update Makefile for asciidoc 10
|
||||
|
||||
* Thu Oct 20 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-3.git781bbd4
|
||||
- backport upstream patch to add more notes for crypto-policies exceptions
|
||||
|
||||
* Fri Jan 7 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-2.git781bbd4
|
||||
- add new algorithms in nss's config file to support nss >= 3.59 (ECDSA RSA-PSS RSA-PKCS)
|
||||
|
||||
* Tue Aug 11 2020 yang_zhuang_zhuang <yangzhuangzhuang1@huawei.com> - 20200619-1.git781bbd4
|
||||
- downgrade version to 20200619
|
||||
|
||||
@ -395,5 +453,4 @@ make check %{?_smp_mflags}
|
||||
- Updated spec based on comments by Petr Lautrbach.
|
||||
|
||||
* Mon May 19 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9-1-20140519gitf15621a
|
||||
- Initial package build
|
||||
|
||||
- Initial package build
|
||||
Loading…
x
Reference in New Issue
Block a user