diff --git a/crypto-policies.spec b/crypto-policies.spec
index e730e87..ff55b5e 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -1,12 +1,12 @@
-%global git_date 20210218
-%global git_commit 2246c55565af8c3bf09aa268eac55aa537678bb4
+%global git_date 20210628
+%global git_commit dd7d273d76b0739fcff5d95c39d7486bdb9b7410
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 %global _python_bytecompile_extra 0
 Name: crypto-policies
 Version: %{git_date}
-Release: 3.git%{git_commit_hash}%{?dist}
+Release: 1.git%{git_commit_hash}%{?dist}
 Summary: System-wide crypto policies
 License: LGPLv2+
@@ -26,15 +26,17 @@ BuildRequires: perl-generators
 BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
 BuildRequires: perl(File::Which)
 BuildRequires: python3-devel >= 3.6
+BuildRequires: python3-pytest
+# BuildRequires: python3-pylint # CentOS 9 Stream doesn't have it
+# BuildRequires: python3-flake8 # CentOS 9 Stream doesn't have it
+BuildRequires: python3-coverage
 BuildRequires: make
+Conflicts: openssl < 1.1.1h
 Conflicts: nss < 3.44.0
 Conflicts: libreswan < 3.28
-Conflicts: openssh < 8.2p1
-Conflicts: gnutls < 3.6.11
-
-# Most users want this, the split is mostly for Fedora CoreOS
-Recommends: crypto-policies-scripts
+Conflicts: openssh < 8.5p1
+Conflicts: gnutls < 3.7.2-3
 %description
 This package provides pre-built configuration files with
@@ -44,10 +46,7 @@ such as SSL/TLS libraries.
 %package scripts
 Summary: Tool to switch between crypto policies
 Requires: %{name} = %{version}-%{release}
-Recommends: grubby
-
-# fips-mode-setup merged into the scripts subpackage
-Obsoletes: fips-mode-setup < 20200702-1.c40cede
+Recommends: (grubby if kernel)
 Provides: fips-mode-setup = %{version}-%{release}
 %description scripts
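Review bot: The base package no longer pulls in its own switching tool: `-Recommends: crypto-policies-scripts` and the comment explaining why it was recommended are dropped with no replacement and no changelog entry, so a default install may end up with the policy files but without `update-crypto-policies` / `fips-mode-setup` (the `Provides: fips-mode-setup` visible in the next hunk lives in the scripts subpackage). If the split is now meant to be opt-in, record that where the Recommends used to be, e.g. `# The switching tool is in crypto-policies-scripts and is intentionally not pulled in by default`; otherwise restore the Recommends. The commented-out `# BuildRequires: python3-pylint` / `python3-flake8` lines are fine as a record of why the linters are skipped in %check.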
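Review bot: `Obsoletes: fips-mode-setup < 20200702-1.c40cede` is removed while `Provides: fips-mode-setup = %{version}-%{release}` stays, so an upgrade from a system that still carries a standalone fips-mode-setup package would no longer replace it and the two could claim the same files. If no install path in this stream can have that package, dropping the Obsoletes is harmless, but a one-line comment should say so, e.g. `# Obsoletes: fips-mode-setup dropped: the standalone package never shipped in this stream`. The `Recommends: (grubby if kernel)` rich dependency is a sensible narrowing of the previous unconditional recommendation.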
@@ -61,8 +60,10 @@ to enable or disable the system FIPS mode.
 %prep
 %setup -q -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit}
+%autopatch -p1
 %build
+export OLD_GNUTLS=1 # FIXME: remove once gnutls-3.7.2-3 is in buildroot
 %make_build
 %install
@@ -80,8 +81,8 @@ install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/conf
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
-# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
-rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+# Drop pre-generated EMPTY policy, we do not need to ship it
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/EMPTY
 # Create back-end configs for mounting with read-only /etc/
 for d in LEGACY DEFAULT FUTURE FIPS ; do
@@ -98,7 +99,10 @@ done
 %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
 %check
-make check %{?_smp_mflags}
+export OLD_GNUTLS=1 # FIXME: remove once gnutls-3.7.2-3 is in buildroot
+sed -i 's|test: \(.*\) runflake8|test: \1|' Makefile # CentOS 9 Stream has no flake8
+sed -i 's|test: \(.*\) runpylint|test: \1|' Makefile # CentOS 9 Stream has no pylint
+make ON_RHEL9=1 test %{?_smp_mflags}
 %post -p
 if not posix.access("%{_sysconfdir}/crypto-policies/config") then
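Review bot: `export OLD_GNUTLS=1` is set in %build and not only in %check, which implies it changes what is generated and shipped for the gnutls back-end (the changelog lists "gnutls: use allowlisting"), while the spec header outside this hunk adds `Conflicts: gnutls < 3.7.2-3` that demands the new gnutls at install time; if OLD_GNUTLS selects the pre-allowlisting gnutls.config format, the package would presumably keep shipping that format for the new gnutls without anything failing once the FIXME is forgotten. The same FIXME is duplicated in two sections and can be half-removed: define it once, `%global old_gnutls 1 # FIXME: drop once gnutls-3.7.2-3 is in the buildroot`, reference `export OLD_GNUTLS=%{old_gnutls}` in both %build and %check, and state in the comment which generated file the variable affects. The two `sed -i` edits of the Makefile carry their reason inline, which is good; if the `test:` pattern ever stops matching, `make test` would invoke the absent linters and fail loudly, so no extra guard is needed there.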
@@ -147,17 +151,20 @@ end
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+# %verify(not mode) comes from the fact
+# these turn into symlinks and back to regular files at will, see bz1898986
 %ghost %{_sysconfdir}/crypto-policies/state/current
 %ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
@@ -167,7 +174,6 @@ end
 %{_datarootdir}/crypto-policies/DEFAULT
 %{_datarootdir}/crypto-policies/FUTURE
 %{_datarootdir}/crypto-policies/FIPS
-%{_datarootdir}/crypto-policies/EMPTY
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
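Review bot: `%verify(not mode)` on every back-end config means `rpm -V` will no longer report a permission change on exactly the files the TLS, SSH and Kerberos libraries read, and the two-line comment that follows the group only names the symlink toggling (bz1898986) without stating that consequence. Move the comment above the group it explains and make the trade-off explicit, e.g. `# %verify(not mode): these paths alternate between symlinks and regular files (bz1898986), so a mode check would always fire; rpm -V therefore no longer detects permission tampering on these configs.`. The newly listed `javasystem.config` matches the "add javasystem backend" changelog entry and keeps the same flags as its siblings, which is consistent. The enclosing %files section begins before this hunk.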
@@ -186,6 +192,28 @@ end
 %{_mandir}/man8/fips-finish-install.8*
 %changelog
+* Mon Jun 28 2021 Alexander Sosedkin - 20210628-1.gitdd7d273
+- implement scoped policies, e.g., cipher@SSH = ...
+- implement algorithm globbing, e.g., cipher@SSH = -*-CBC
+- deprecate derived properties:
+ tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
+- deprecate unscoped form of protocol property
+- openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
+- openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
+- libssh: respect ssh_certs
+- restrict FIPS:OSPP further
+- improve Python 3.10 compatibility
+- update documentation
+- expand upstream test coverage
+- FUTURE: disable CBC ciphers for all backends but krb5
+- openssl: LEGACY must have SECLEVEL=1, enabling SHA1
+- disable DHE-DSS in LEGACY
+- bump LEGACY key size requirements from 1023 to 1024
+- add javasystem backend
+- *ssh: condition ecdh-sha2-nistp384 on SECP384R1
+- set %verify(not mode) for backend sometimes-symlinks-sometimes-not
+- gnutls: use allowlisting
+
 * Tue Jun 22 2021 Mohan Boddu - 20210218-3.git2246c55
 - Rebuilt for RHEL 9 BETA for openssl 3.0
 Related: rhbz#1971065
diff --git a/sources b/sources
index 9e05f10..4b8873e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (crypto-policies-git2246c55.tar.gz) = 3b681d2d0b550a127de9ae706b6280710d144845d0ea5a78ebbb327adc6c6644dcc2016cbda2f68ed670a3c5395c494b9fbc4c2ca97832a1237ec618c2943b4e
+SHA512 (crypto-policies-gitdd7d273.tar.gz) = 9797e6c6b95ab4cb13e30016ac76b3bbdc5e23b42848ea11e81e91d433f62a5f1c3c6992f83760e69a5c3529e13d18b2f843e097e5be1afeb2b31dc1b39e94c0