Update from upstream: scoped policies, gnutls allowlisting, ...

implement scoped policies, e.g., cipher@SSH = ... implement algorithm globbing, e.g., cipher@SSH = -*-CBC deprecate derived properties: tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec deprecate unscoped form of protocol property openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes libssh: respect ssh_certs restrict FIPS:OSPP further improve Python 3.10 compatibility update documentation expand upstream test coverage FUTURE: disable CBC ciphers for all backends but krb5 openssl: LEGACY must have SECLEVEL=1, enabling SHA1 disable DHE-DSS in LEGACY bump LEGACY key size requirements from 1023 to 1024 add javasystem backend *ssh: condition ecdh-sha2-nistp384 on SECP384R1 set %verify(not mode) for backend sometimes-symlinks-sometimes-not gnutls: use allowlisting Resolves: bz1975854
2021-06-28 17:16:34 +02:00 · 2021-06-28 17:16:34 +02:00 · 7c076748f3
commit 7c076748f3
parent bd79a31b29
2 changed files with 56 additions and 28 deletions
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -1,12 +1,12 @@
-%global git_date 20210218
+%global git_date 20210628
-%global git_commit 2246c55565af8c3bf09aa268eac55aa537678bb4
+%global git_commit dd7d273d76b0739fcff5d95c39d7486bdb9b7410
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 %global _python_bytecompile_extra 0
 Name:           crypto-policies
 Version:        %{git_date}
-Release:        3.git%{git_commit_hash}%{?dist}
+Release:        1.git%{git_commit_hash}%{?dist}
 Summary:        System-wide crypto policies
 License:        LGPLv2+
@ -26,15 +26,17 @@ BuildRequires: perl-generators
 BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
 BuildRequires: perl(File::Which)
 BuildRequires: python3-devel >= 3.6
 BuildRequires: python3-pytest
 # BuildRequires: python3-pylint  # CentOS 9 Stream doesn't have it
 # BuildRequires: python3-flake8  # CentOS 9 Stream doesn't have it
 BuildRequires: python3-coverage
 BuildRequires: make
 Conflicts: openssl < 1.1.1h
 Conflicts: nss < 3.44.0
 Conflicts: libreswan < 3.28
-Conflicts: openssh < 8.2p1
+Conflicts: openssh < 8.5p1
-Conflicts: gnutls < 3.6.11
+Conflicts: gnutls < 3.7.2-3
 # Most users want this, the split is mostly for Fedora CoreOS
 Recommends: crypto-policies-scripts
 %description
 This package provides pre-built configuration files with
@ -44,10 +46,7 @@ such as SSL/TLS libraries.
 %package scripts
 Summary: Tool to switch between crypto policies
 Requires: %{name} = %{version}-%{release}
-Recommends: grubby
+Recommends: (grubby if kernel)
 # fips-mode-setup merged into the scripts subpackage
 Obsoletes: fips-mode-setup < 20200702-1.c40cede
 Provides: fips-mode-setup = %{version}-%{release}
 %description scripts
@ -61,8 +60,10 @@ to enable or disable the system FIPS mode.
 %prep
 %setup -q -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit}
 %autopatch -p1
 %build
 export OLD_GNUTLS=1  # FIXME: remove once gnutls-3.7.2-3 is in buildroot
 %make_build
 %install
@ -80,8 +81,8 @@ install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/conf
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
-# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
+# Drop pre-generated EMPTY policy, we do not need to ship it
-rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/EMPTY
 # Create back-end configs for mounting with read-only /etc/
 for d in LEGACY DEFAULT FUTURE FIPS ; do
@ -98,7 +99,10 @@ done
 %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
 %check
-make check %{?_smp_mflags}
+export OLD_GNUTLS=1  # FIXME: remove once gnutls-3.7.2-3 is in buildroot
 sed -i 's|test: \(.*\) runflake8|test: \1|' Makefile  # CentOS 9 Stream has no flake8
 sed -i 's|test: \(.*\) runpylint|test: \1|' Makefile  # CentOS 9 Stream has no pylint
 make ON_RHEL9=1 test %{?_smp_mflags}
 %post -p <lua>
 if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@ -147,17 +151,20 @@ end
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
 # %verify(not mode) comes from the fact
 # these turn into symlinks and back to regular files at will, see bz1898986
 %ghost %{_sysconfdir}/crypto-policies/state/current
 %ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
@ -167,7 +174,6 @@ end
 %{_datarootdir}/crypto-policies/DEFAULT
 %{_datarootdir}/crypto-policies/FUTURE
 %{_datarootdir}/crypto-policies/FIPS
 %{_datarootdir}/crypto-policies/EMPTY
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
@ -186,6 +192,28 @@ end
 %{_mandir}/man8/fips-finish-install.8*
 %changelog
 * Mon Jun 28 2021 Alexander Sosedkin <asosedkin@redhat.com> - 20210628-1.gitdd7d273
 - implement scoped policies, e.g., cipher@SSH = ...
 - implement algorithm globbing, e.g., cipher@SSH = -*-CBC
 - deprecate derived properties:
  tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
 - deprecate unscoped form of protocol property
 - openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
 - openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
 - libssh: respect ssh_certs
 - restrict FIPS:OSPP further
 - improve Python 3.10 compatibility
 - update documentation
 - expand upstream test coverage
 - FUTURE: disable CBC ciphers for all backends but krb5
 - openssl: LEGACY must have SECLEVEL=1, enabling SHA1
 - disable DHE-DSS in LEGACY
 - bump LEGACY key size requirements from 1023 to 1024
 - add javasystem backend
 - *ssh: condition ecdh-sha2-nistp384 on SECP384R1
 - set %verify(not mode) for backend sometimes-symlinks-sometimes-not
 - gnutls: use allowlisting
 * Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 20210218-3.git2246c55
 - Rebuilt for RHEL 9 BETA for openssl 3.0
  Related: rhbz#1971065
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (crypto-policies-git2246c55.tar.gz) = 3b681d2d0b550a127de9ae706b6280710d144845d0ea5a78ebbb327adc6c6644dcc2016cbda2f68ed670a3c5395c494b9fbc4c2ca97832a1237ec618c2943b4e
+SHA512 (crypto-policies-gitdd7d273.tar.gz) = 9797e6c6b95ab4cb13e30016ac76b3bbdc5e23b42848ea11e81e91d433f62a5f1c3c6992f83760e69a5c3529e13d18b2f843e097e5be1afeb2b31dc1b39e94c0
`@ -1 +1 @@`
	`SHA512 (crypto-policies-git2246c55.tar.gz) = 3b681d2d0b550a127de9ae706b6280710d144845d0ea5a78ebbb327adc6c6644dcc2016cbda2f68ed670a3c5395c494b9fbc4c2ca97832a1237ec618c2943b4e`	`SHA512 (crypto-policies-gitdd7d273.tar.gz) = 9797e6c6b95ab4cb13e30016ac76b3bbdc5e23b42848ea11e81e91d433f62a5f1c3c6992f83760e69a5c3529e13d18b2f843e097e5be1afeb2b31dc1b39e94c0`