Update from upstream: scoped policies, gnutls allowlisting, ...

implement scoped policies, e.g., cipher@SSH = ...
implement algorithm globbing, e.g., cipher@SSH = -*-CBC
deprecate derived properties:
tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
deprecate unscoped form of protocol property
openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
libssh: respect ssh_certs
restrict FIPS:OSPP further
improve Python 3.10 compatibility
update documentation
expand upstream test coverage
FUTURE: disable CBC ciphers for all backends but krb5
openssl: LEGACY must have SECLEVEL=1, enabling SHA1
disable DHE-DSS in LEGACY
bump LEGACY key size requirements from 1023 to 1024
add javasystem backend
*ssh: condition ecdh-sha2-nistp384 on SECP384R1
set %verify(not mode) for backend sometimes-symlinks-sometimes-not
gnutls: use allowlisting

Resolves: bz1975854
This commit is contained in:
Alexander Sosedkin 2021-06-28 17:16:34 +02:00
parent bd79a31b29
commit 7c076748f3
2 changed files with 56 additions and 28 deletions


@ -1,12 +1,12 @@
%global git_date 20210218
%global git_commit 2246c55565af8c3bf09aa268eac55aa537678bb4
%global git_date 20210628
%global git_commit dd7d273d76b0739fcff5d95c39d7486bdb9b7410
%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
%global _python_bytecompile_extra 0
Name: crypto-policies
Version: %{git_date}
Release: 3.git%{git_commit_hash}%{?dist}
Release: 1.git%{git_commit_hash}%{?dist}
Summary: System-wide crypto policies
License: LGPLv2+
@ -26,15 +26,17 @@ BuildRequires: perl-generators
BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
BuildRequires: perl(File::Which)
BuildRequires: python3-devel >= 3.6
BuildRequires: python3-pytest
# BuildRequires: python3-pylint # CentOS 9 Stream doesn't have it
# BuildRequires: python3-flake8 # CentOS 9 Stream doesn't have it
BuildRequires: python3-coverage
BuildRequires: make
Conflicts: openssl < 1.1.1h
Conflicts: nss < 3.44.0
Conflicts: libreswan < 3.28
Conflicts: openssh < 8.2p1
Conflicts: gnutls < 3.6.11
# Most users want this, the split is mostly for Fedora CoreOS
Recommends: crypto-policies-scripts
Conflicts: openssh < 8.5p1
Conflicts: gnutls < 3.7.2-3
%description
This package provides pre-built configuration files with
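Review bot: the two new `Conflicts:` lines (openssh < 8.5p1, gnutls < 3.7.2-3) are appended after `Recommends: crypto-policies-scripts`, leaving the older `Conflicts: openssh < 8.2p1` and `Conflicts: gnutls < 3.6.11` removed from the block where openssl, nss and libreswan still live; replace them in place so every runtime conflict stays in one group. The gnutls floor also deserves a one-line comment tying it to the allowlisting config (and the openssh floor to `PubkeyAcceptedAlgorithms`), since a reader of the spec alone cannot tell why those exact versions were chosen.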
@ -44,10 +46,7 @@ such as SSL/TLS libraries.
%package scripts
Summary: Tool to switch between crypto policies
Requires: %{name} = %{version}-%{release}
Recommends: grubby
# fips-mode-setup merged into the scripts subpackage
Obsoletes: fips-mode-setup < 20200702-1.c40cede
Recommends: (grubby if kernel)
Provides: fips-mode-setup = %{version}-%{release}
%description scripts
@ -61,8 +60,10 @@ to enable or disable the system FIPS mode.
%prep
%setup -q -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit}
%autopatch -p1
%build
export OLD_GNUTLS=1 # FIXME: remove once gnutls-3.7.2-3 is in buildroot
%make_build
%install
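Review bot: `export OLD_GNUTLS=1` in %build (its name suggests it keeps the pre-allowlisting gnutls output) sits in the same change that adds `Conflicts: gnutls < 3.7.2-3`, so either the conflict bump is premature or the export is; the FIXME carries no bug reference and is easy to forget once gnutls-3.7.2-3 lands in the buildroot. Suggest tracking it in a bug named in the comment, or gating the export on a macro (e.g. `%{?with_old_gnutls}`) so the buildroot can flip it without another spec edit.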
@ -80,8 +81,8 @@ install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/conf
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
# Drop pre-generated EMPTY policy, we do not need to ship it
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/EMPTY
# Create back-end configs for mounting with read-only /etc/
for d in LEGACY DEFAULT FUTURE FIPS ; do
@ -98,7 +99,10 @@ done
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
%check
make check %{?_smp_mflags}
export OLD_GNUTLS=1 # FIXME: remove once gnutls-3.7.2-3 is in buildroot
sed -i 's|test: \(.*\) runflake8|test: \1|' Makefile # CentOS 9 Stream has no flake8
sed -i 's|test: \(.*\) runpylint|test: \1|' Makefile # CentOS 9 Stream has no pylint
make ON_RHEL9=1 test %{?_smp_mflags}
%post -p <lua>
if not posix.access("%{_sysconfdir}/crypto-policies/config") then
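Review bot: the two `sed -i` lines rewrite the upstream Makefile's `test:` recipe and silently do nothing if the target or the `runflake8`/`runpylint` names change upstream, after which `make ON_RHEL9=1 test` would try to run the missing linters and fail with an unrelated-looking error; consider a single `sed -i -e '...' -e '...'` pass guarded by `grep -q 'runflake8' Makefile`, or conditioning the rewrite on `%{?rhel}` so Fedora builds keep the lint step. The `export OLD_GNUTLS=1` here duplicates the %build FIXME; one definition near the top of the spec would keep the two in step.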
@ -147,17 +151,20 @@ end
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
# %verify(not mode) comes from the fact
# these turn into symlinks and back to regular files at will, see bz1898986
%ghost %{_sysconfdir}/crypto-policies/state/current
%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
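Review bot: the comment explaining `%verify(not mode)` (symlink-or-regular-file, bz1898986) sits after the twelve lines it justifies; move it above the first `%ghost ... %verify(not mode)` entry so the rationale is read first. The new `javasystem.config` ghost entry has no visible counterpart in %install in this diff; confirm that upstream `make install` and the `for d in LEGACY DEFAULT FUTURE FIPS` loop both produce `back-ends/javasystem.config`, otherwise the %ghost covers a path that is never created.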
@ -167,7 +174,6 @@ end
%{_datarootdir}/crypto-policies/DEFAULT
%{_datarootdir}/crypto-policies/FUTURE
%{_datarootdir}/crypto-policies/FIPS
%{_datarootdir}/crypto-policies/EMPTY
%{_datarootdir}/crypto-policies/back-ends
%{_datarootdir}/crypto-policies/default-config
%{_datarootdir}/crypto-policies/reload-cmds.sh
@ -186,6 +192,28 @@ end
%{_mandir}/man8/fips-finish-install.8*
%changelog
* Mon Jun 28 2021 Alexander Sosedkin <asosedkin@redhat.com> - 20210628-1.gitdd7d273
- implement scoped policies, e.g., cipher@SSH = ...
- implement algorithm globbing, e.g., cipher@SSH = -*-CBC
- deprecate derived properties:
tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
- deprecate unscoped form of protocol property
- openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
- openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
- libssh: respect ssh_certs
- restrict FIPS:OSPP further
- improve Python 3.10 compatibility
- update documentation
- expand upstream test coverage
- FUTURE: disable CBC ciphers for all backends but krb5
- openssl: LEGACY must have SECLEVEL=1, enabling SHA1
- disable DHE-DSS in LEGACY
- bump LEGACY key size requirements from 1023 to 1024
- add javasystem backend
- *ssh: condition ecdh-sha2-nistp384 on SECP384R1
- set %verify(not mode) for backend sometimes-symlinks-sometimes-not
- gnutls: use allowlisting
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 20210218-3.git2246c55
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
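Review bot: the changelog entry omits the `Resolves: bz1975854` reference from the commit message, while the previous entry carries `Related: rhbz#1971065`; add a `Resolves: rhbz#1975854` line so the bug linkage survives in the package metadata. The item `- *ssh: condition ecdh-sha2-nistp384 on SECP384R1` reads as a shell glob in a changelog; spelling it `- openssh, libssh:` would be clearer.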


@ -1 +1 @@
SHA512 (crypto-policies-git2246c55.tar.gz) = 3b681d2d0b550a127de9ae706b6280710d144845d0ea5a78ebbb327adc6c6644dcc2016cbda2f68ed670a3c5395c494b9fbc4c2ca97832a1237ec618c2943b4e
SHA512 (crypto-policies-gitdd7d273.tar.gz) = 9797e6c6b95ab4cb13e30016ac76b3bbdc5e23b42848ea11e81e91d433f62a5f1c3c6992f83760e69a5c3529e13d18b2f843e097e5be1afeb2b31dc1b39e94c0