diff --git a/backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch b/backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch deleted file mode 100644 index 21390a771a5da404a563b8ad93e35a2991f9cb22..0000000000000000000000000000000000000000 --- a/backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From c40cedee6e5225dc72e590f9ff0282d876a2e5d5 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 2 Jul 2020 15:40:01 +0200 -Subject: [PATCH] Describe some of the quirks of the back-end config - generators. - ---- - crypto-policies.7.txt | 25 ++++++++++++++++++++++++- - 1 file changed, 24 insertions(+), 1 deletion(-) - -diff --git a/crypto-policies.7.txt b/crypto-policies.7.txt -index 0971935..2b583b8 100644 ---- a/crypto-policies.7.txt -+++ b/crypto-policies.7.txt -@@ -277,7 +277,7 @@ COMMANDS - NOTES - ----- - --*Exceptions:* -+*Exceptions* - - * *Go-language* applications do not yet follow the system-wide policy. - * *GnuPG-2* application does not follow the system-wide policy. -@@ -323,6 +323,29 @@ of individual applications: - * all *ECC* curves incompatible with *TLS 1.3*, including secp256k1 - * *IKEv1* - -+*Notable irregularities in the individual configuration generators* -+ -+* *OpenSSL*: The minimum length of the keys and some other parameters -+are enforced by the @SECLEVEL value which does not provide a fine -+granularity. The list of *TLS* ciphers is not generated as an exact list -+but by subtracting from all the supported ciphers for the enabled key -+exchange methods. For that reason there is no way to disable a random cipher. -+In particular all *AES-128* ciphers are disabled if the *AES-128-GCM* is not -+present in the list; all *AES-256* ciphers are disabled if the *AES-256-GCM* -+is not present. The *CBC* ciphers are disabled if there isn't *HMAC-SHA1* -+in the hmac list and *AES-256-CBC* in the cipher list. To disable the *CCM* -+ciphers both *AES-128-CCM* and *AES-256-CCM* must not be present in the cipher -+list. -+ -+* *GnuTLS*: The minimum length of the keys and some other parameters -+are enforced by min-verification-profile setting in the *GnuTLS* configuration -+file which does not provide fine granularity. 
-+ -+* *OpenSSH*: *DH* group 1 is always disabled on server even if the policy -+allows 1024 bit *DH* groups in general. The OpenSSH configuration option -+HostKeyAlgorithms is set only for the *SSH* server as otherwise the -+handling of the existing known hosts entries would be broken on client. -+ - HISTORY - ------- - --- -2.33.0 - diff --git a/backport-Makefile-support-overriding-asciidoc-executable-name.patch b/backport-Makefile-support-overriding-asciidoc-executable-name.patch deleted file mode 100644 index 9a5af4634b7951eef5c356816af281b9c5d83a48..0000000000000000000000000000000000000000 --- a/backport-Makefile-support-overriding-asciidoc-executable-name.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 66c30b1e2de5fd37d610463a8fb6e70f6164fecc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= -Date: Mon, 7 Nov 2022 16:56:43 +0100 -Subject: [PATCH] Makefile: support overriding asciidoc executable name - -Support `ASCIIDOC` override to specify another name for the asciidoc -executable. On Gentoo, only `asciidoc` is installed and there is no -`asciidoc.py`. Furthermore, this makes it possible to easily use -asciidoctor in place of asciidoc. ---- - Makefile | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 0d93587..f99dc6d 100644 ---- a/Makefile -+++ b/Makefile -@@ -10,5 +10,6 @@ SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup - NUM_PROCS = $$(getconf _NPROCESSORS_ONLN) - PYVERSION = -3 -+ASCIIDOC?=asciidoc.py - - all: build - -@@ -109,7 +110,7 @@ clean: - rm -rf output - - %: %.txt -- asciidoc.py -v -d manpage -b docbook $< -+ $(ASCIIDOC) -v -d manpage -b docbook $< - xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml - - dist: --- -2.27.0 - 
diff --git a/backport-Makefile-update-for-asciidoc-10.patch b/backport-Makefile-update-for-asciidoc-10.patch deleted file mode 100644 index a7694aa9a7a83d0afc29fdf8d877c976da5f5567..0000000000000000000000000000000000000000 --- a/backport-Makefile-update-for-asciidoc-10.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 8c7de0471c1de088ff3c332590ea91a71d4273c0 Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Mon, 20 Feb 2023 11:39:28 +0100 -Subject: [PATCH] Makefile: update for asciidoc 10 - ---- - Makefile | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/Makefile b/Makefile -index f99dc6d..e99ca19 100644 ---- a/Makefile -+++ b/Makefile -@@ -10,6 +10,11 @@ SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup - NUM_PROCS = $$(getconf _NPROCESSORS_ONLN) - PYVERSION = -3 --ASCIIDOC?=asciidoc.py -+ASCIIDOC?=asciidoc -+ifneq ("$(wildcard /usr/lib/python*/*/asciidoc/resources/docbook-xsl/manpage.xsl)","") -+MANPAGEXSL?=$(wildcard /usr/lib/python*/*/asciidoc/resources/docbook-xsl/manpage.xsl) -+else -+MANPAGEXSL?=/usr/share/asciidoc/docbook-xsl/manpage.xsl -+endif - - all: build - -@@ -111,7 +116,7 @@ clean: - - %: %.txt - $(ASCIIDOC) -v -d manpage -b docbook $< -- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml -+ xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml - - dist: - rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies --- -2.27.0 - diff --git a/backport-policygenerators-nss-output-sigalgs-nss-3-59.patch b/backport-policygenerators-nss-output-sigalgs-nss-3-59.patch deleted file mode 100644 index d4e011c71adedab61e144250a3d11b2921c81237..0000000000000000000000000000000000000000 --- a/backport-policygenerators-nss-output-sigalgs-nss-3-59.patch +++ /dev/null 
@@ -1,192 +0,0 @@ -From b21c8114995e07965c2ccde5f5767d0618d854bf Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Mon, 18 Jan 2021 17:58:45 +0100 -Subject: [PATCH] policygenerators/nss: output sigalgs (nss >=3.59) - -Actually, checking for 3.60 because Fedora has reverted the change. ---- - python/policygenerators/nss.py | 36 ++++++++++++++++++++++++++++++++--- - tests/nss.py | 15 +++++++++++++++ - tests/outputs/DEFAULT-nss.txt | 2 +- - tests/outputs/FIPS-nss.txt | 2 +- - tests/outputs/FIPS:ECDHE-ONLY-nss.txt | 2 +- - tests/outputs/FIPS:OSPP-nss.txt | 2 +- - tests/outputs/FUTURE-nss.txt | 2 +- - tests/outputs/LEGACY-nss.txt | 2 +- - 9 files changed, 55 insertions(+), 10 deletions(-) - -diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py -index ee10025..00935a2 100644 ---- a/python/policygenerators/nss.py -+++ b/python/policygenerators/nss.py -@@ -6,6 +6,8 @@ - from subprocess import call, CalledProcessError - from tempfile import mkstemp - -+import ctypes -+import ctypes.util - import os - - from .configgenerator import ConfigGenerator -@@ -86,6 +88,15 @@ class NSSGenerator(ConfigGenerator): - 'DTLS1.2':'dtls1.2' - } - -+ # Depends on a dict being ordered, -+ # impl. detail in CPython 3.6, guaranteed starting from Python 3.7. 
-+ sign_prefix_ordmap = { -+ 'RSA-PSS-':'RSA-PSS', # must come before RSA- -+ 'RSA-':'RSA-PKCS', -+ 'ECDSA-':'ECDSA', -+ 'DSA-':'DSA', -+ } -+ - @classmethod - def generate_config(cls, policy): - p = policy.props -@@ -126,9 +137,14 @@ class NSSGenerator(ConfigGenerator): - except KeyError: - pass - -- dsa = [i for i in p['sign'] if i.find('DSA-') == 0] -- if dsa: -- s = cls.append(s, 'DSA') -+ enabled_sigalgs = set() -+ for i in p['sign']: -+ for prefix, sigalg in cls.sign_prefix_ordmap.items(): -+ if i.startswith(prefix): -+ if sigalg not in enabled_sigalgs: -+ enabled_sigalgs.add(sigalg) -+ s = cls.append(s, sigalg) -+ break # limit to first match - - try: - minver = cls.protocol_map[p['min_tls_version']] -@@ -151,6 +167,20 @@ class NSSGenerator(ConfigGenerator): - - @classmethod - def test_config(cls, config): -+ try: -+ nss_path = ctypes.util.find_library('nss3') -+ nss_lib = ctypes.CDLL(nss_path) -+ if not nss_lib.NSS_VersionCheck(b'3.60'): -+ # Cannot validate with pre-3.59 NSS -+ # that doesn't know ECDSA/RSA-PSS/RSA-PKCS -+ # identifiers yet. -+ # 3.60 because Fedora's 3.59 has that reverted -+ cls.eprint('Skipping nss-policy-check due to ' -+ 'nss being older than 3.60') -+ return True -+ except AttributeError: -+ cls.eprint('Cannot determine nss version with ctypes') -+ - if not os.access('/usr/bin/nss-policy-check', os.X_OK): - return True - -diff --git a/tests/nss.py b/tests/nss.py -index 4d2cee1..a16d984 100755 ---- a/tests/nss.py -+++ b/tests/nss.py -@@ -1,5 +1,7 @@ - #!/usr/bin/python3 - -+import ctypes -+import ctypes.util - import glob - import os - import shutil -@@ -12,6 +14,19 @@ if shutil.which('nss-policy-check') is None: - sys.exit(0) - - -+# Cannot validate with pre-3.59 NSS that doesn't know ECDSA/RSA-PSS/RSA-PKCS -+# identifiers yet. Checking for 3.60 because Fedora has reverted the change. 
-+try: -+ nss = ctypes.CDLL(ctypes.util.find_library('nss3')) -+ if not nss.NSS_VersionCheck(b'3.60'): -+ print('Skipping nss-policy-check verification ' -+ 'due to nss being older than 3.60', file=sys.stderr) -+ sys.exit(0) -+except AttributeError: -+ print('Cannot determine nss version with ctypes, hoping for >=3.59', -+ file=sys.stderr) -+ -+ - print('Checking the NSS configuration') - - for policy_path in glob.glob('tests/outputs/*-nss.txt'): -diff --git a/tests/outputs/DEFAULT-nss.txt b/tests/outputs/DEFAULT-nss.txt -index 6a93308..500cd70 100644 ---- a/tests/outputs/DEFAULT-nss.txt -+++ b/tests/outputs/DEFAULT-nss.txt -@@ -1,6 +1,6 @@ - library= - name=Policy - NSS=flags=policyOnly,moduleDB --config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048" -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048" - - -diff --git a/tests/outputs/FIPS-nss.txt b/tests/outputs/FIPS-nss.txt -index c9809b9..4fdf6bc 100644 ---- a/tests/outputs/FIPS-nss.txt -+++ b/tests/outputs/FIPS-nss.txt -@@ -1,6 +1,6 @@ - library= - name=Policy - NSS=flags=policyOnly,moduleDB --config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+config="disallow=ALL 
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" - - -diff --git a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt -index 78f4844..399bc5c 100644 ---- a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt -+++ b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt -@@ -1,6 +1,6 @@ - library= - name=Policy - NSS=flags=policyOnly,moduleDB --config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" - - -diff --git a/tests/outputs/FIPS:OSPP-nss.txt b/tests/outputs/FIPS:OSPP-nss.txt -index 0ca1ab0..d172a83 100644 ---- a/tests/outputs/FIPS:OSPP-nss.txt -+++ b/tests/outputs/FIPS:OSPP-nss.txt -@@ -1,6 +1,6 @@ - library= - name=Policy - NSS=flags=policyOnly,moduleDB --config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+config="disallow=ALL 
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" - - -diff --git a/tests/outputs/FUTURE-nss.txt b/tests/outputs/FUTURE-nss.txt -index 23d1ce8..9cea0a4 100644 ---- a/tests/outputs/FUTURE-nss.txt -+++ b/tests/outputs/FUTURE-nss.txt -@@ -1,6 +1,6 @@ - library= - name=Policy - NSS=flags=policyOnly,moduleDB --config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072" -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072" - - -diff --git a/tests/outputs/LEGACY-nss.txt b/tests/outputs/LEGACY-nss.txt -index e16b6ce..8bf8bd1 100644 ---- a/tests/outputs/LEGACY-nss.txt -+++ b/tests/outputs/LEGACY-nss.txt -@@ -1,6 +1,6 @@ - library= - name=Policy - NSS=flags=policyOnly,moduleDB --config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023" -+config="disallow=ALL 
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023" - - --- -1.8.3.1 - diff --git a/backport-rewrite-test-nss-pl-in-python.patch b/backport-rewrite-test-nss-pl-in-python.patch deleted file mode 100644 index 5741aef93ba2e8bcb0c407b62f26c3599f7705a9..0000000000000000000000000000000000000000 --- a/backport-rewrite-test-nss-pl-in-python.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 4fb6cdf626ee35623400ca557198cecb4efd4e88 Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Mon, 18 Jan 2021 17:43:53 +0100 -Subject: [PATCH] tests/nss.pl: rewrite in Python - ---- - Makefile | 2 +- - tests/nss.pl | 41 ----------------------------------------- - tests/nss.py | 33 +++++++++++++++++++++++++++++++++ - 3 files changed, 34 insertions(+), 42 deletions(-) - delete mode 100755 tests/nss.pl - create mode 100755 tests/nss.py - -diff --git a/Makefile b/Makefile -index 2699ac6..a50408e 100644 ---- a/Makefile -+++ b/Makefile -@@ -43,7 +43,7 @@ check: - python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies tests/outputs - tests/openssl.pl - tests/gnutls.pl -- tests/nss.pl -+ tests/nss.py - tests/java.pl - tests/krb5.py - top_srcdir=. tests/update-crypto-policies.sh -diff --git a/tests/nss.pl b/tests/nss.pl -deleted file mode 100755 -index e021ffd..0000000 ---- a/tests/nss.pl -+++ /dev/null -@@ -1,41 +0,0 @@ --#!/usr/bin/perl -- --my $RESULTFILE="result-nss.tmp"; -- --use File::Which qw(which); -- --print "Checking the NSS configuration\n"; -- --my $dir = 'tests/outputs'; -- --opendir(DIR, $dir) or die $!; -- --my @nsspolicies -- = grep { -- /-nss/ # has -nss in name -- && -f "$dir/$_" # and is a file -- } readdir(DIR); -- --foreach my $policyfile (@nsspolicies) { -- my $policy = $policyfile; -- $policy =~ s/-[^-]+$//; -- -- print "Checking policy $policy\n"; -- my $tool = which "nss-policy-check"; -- -- if ($policy ne 'EMPTY' and $tool ne undef) { -- -- system("nss-policy-check $dir/$policyfile >$RESULTFILE 2>&1") ; -- if ($? 
!= 0) { -- print "Error in NSS policy for $policy\n"; -- print STDERR "NSS policy for $policy:\n"; -- system("cat $dir/$policyfile 1>&2"); -- print STDERR "\nnss-policy-check error:\n"; -- system("cat $RESULTFILE 1>&2"); -- exit 1; -- } -- unlink($RESULTFILE); -- } --} -- --exit 0; -diff --git a/tests/nss.py b/tests/nss.py -new file mode 100755 -index 0000000..4d2cee1 ---- /dev/null -+++ b/tests/nss.py -@@ -0,0 +1,33 @@ -+#!/usr/bin/python3 -+ -+import glob -+import os -+import shutil -+import subprocess -+import sys -+ -+ -+if shutil.which('nss-policy-check') is None: -+ print('nss-policy-check not found, skipping check', file=sys.stderr) -+ sys.exit(0) -+ -+ -+print('Checking the NSS configuration') -+ -+for policy_path in glob.glob('tests/outputs/*-nss.txt'): -+ policy = os.path.basename(policy_path)[:-len('-nss.txt')] -+ print(f'Checking policy {policy}') -+ if policy not in ('EMPTY', 'GOST-ONLY'): -+ p = subprocess.Popen(['nss-policy-check', policy_path], -+ stdout=subprocess.PIPE, -+ stderr=subprocess.STDOUT) -+ output, _ = p.communicate() -+ if p.wait(): -+ print(f'Error in NSS policy for {policy}') -+ print(f'NSS policy for {policy}:', file=sys.stderr) -+ with open(policy_path) as policy_file: -+ shutil.copyfileobj(policy_file, sys.stderr) -+ sys.stderr.write('\n') -+ print('nss-policy-check error:', file=sys.stderr) -+ print(output.decode(), file=sys.stderr) -+ sys.exit(1) --- -1.8.3.1 - diff --git a/crypto-policies-git5f3458e.tar.gz b/crypto-policies-git5f3458e.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..e45fe61ba71794b5e11e6017611f5f34032c9c2e Binary files /dev/null and b/crypto-policies-git5f3458e.tar.gz differ diff --git a/crypto-policies-git781bbd4.tar.gz b/crypto-policies-git781bbd4.tar.gz deleted file mode 100644 index b8b3732b23481e5f26be61e326c1f5f65e79a36c..0000000000000000000000000000000000000000 Binary files a/crypto-policies-git781bbd4.tar.gz and /dev/null differ 
diff --git a/crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch b/crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch
deleted file mode 100644
index dd51e6ead869797d26f4c62ba8bbfe2e3db7bfcb..0000000000000000000000000000000000000000
--- a/crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 79b03b7a6ea10c8ed2a4a35d5daa8842922641f4 Mon Sep 17 00:00:00 2001
-From: yixiangzhike
-Date: Fri, 7 Jan 2022 15:12:26 +0800
-Subject: [PATCH] tests outputs NEXT-nss: output sigalgs (nss >=3.59)
-
----
- tests/outputs/NEXT-nss.txt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/outputs/NEXT-nss.txt b/tests/outputs/NEXT-nss.txt
-index 1c2e182..846beb2 100644
---- a/tests/outputs/NEXT-nss.txt
-+++ b/tests/outputs/NEXT-nss.txt
-@@ -1,6 +1,6 @@
- library=
- name=Policy
- NSS=flags=policyOnly,moduleDB
--config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
-+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
- 
- 
---
-1.8.3.1
-
diff --git a/crypto-policies.spec b/crypto-policies.spec
index 17528fc9fc055a043dbc860c293353a8321f64ac..6be7ecb9cd541e8df464d67af95ac6663525343b 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -1,10 +1,10 @@
-%global git_date 20200619
-%global git_commit 781bbd45b7286408502ec47b5acc8ae85c604a68
-%global git_commit_hash 781bbd4
+%global git_date 20230614
+%global git_commit 5f3458e619628288883f22695f3311f1ccd6a39f
+%global git_commit_hash 5f3458e
 Name: crypto-policies
 Version: %{git_date}
-Release: 4.git%{git_commit_hash}
+Release: 1.git%{git_commit_hash}
 Summary: Crypto policies package for Fedora
 License: LGPLv2+
@@ -14,25 +14,23 @@ URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
 # directory.
 Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
-Patch0: backport-rewrite-test-nss-pl-in-python.patch
-Patch1: backport-policygenerators-nss-output-sigalgs-nss-3-59.patch
-Patch2: crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch
-Patch3: backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch
-Patch4: backport-Makefile-support-overriding-asciidoc-executable-name.patch
-Patch5: backport-Makefile-update-for-asciidoc-10.patch
-
 BuildArch: noarch
 BuildRequires: asciidoc
 BuildRequires: libxslt
 BuildRequires: openssl
 BuildRequires: gnutls-utils >= 3.6.0
-BuildRequires: java-1.8.0-openjdk-devel
+BuildRequires: java-21-openjdk-devel
 BuildRequires: bind
 BuildRequires: perl-interpreter
 BuildRequires: perl-generators
 BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
 BuildRequires: perl(File::Which)
 BuildRequires: python3-devel
+BuildRequires: openssh-clients
+
+Conflicts: openssl-libs < 3.0.2
+Conflicts: openssh < 9.0p1
+Conflicts: gnutls < 3.7.3
 # used by update-crypto-policies
 Requires: coreutils
@@ -73,6 +71,13 @@ to enable or disable the system FIPS mode.
 %autosetup -p1 -n fedora-%{name}-%{git_commit_hash}-%{git_commit}
 %build
+# Drop pre-generated GOST-ONLY policies
+rm -rf policies/GOST-ONLY.pol
+
+# Drop FEDORA policies
+rm -rf policies/FEDORA38.pol
+rm -rf policies/TEST-FEDORA39.pol
+
 make %{?_smp_mflags}
 %install
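Review bot: The three `Conflicts:` lines added after `BuildRequires: openssh-clients` carry no explanation of where the floors 3.0.2, 9.0p1 and 3.7.3 come from, so a reader cannot tell whether they are parser requirements of the newly generated back-end configs or just the versions this was tested against; presumably the former, given the changelog further down lists new openssh directives (`HostbasedAcceptedAlgorithms`, `RequiresRSASize`) that an older sshd would reject as unknown options. A comment above the block such as `# the generated back-end configs use directives that older openssl-libs/openssh/gnutls cannot parse` would keep that intent through the next rebase. Note also that `Conflicts:` only blocks co-installation of an older package and does not pull a new enough library onto a host that has none, so if the configs really are unparseable by older versions a versioned `Requires:` is the stronger statement. In the `%build` hunk just below, `rm -rf` on single `.pol` files is harmless but `rm -f` says what is meant.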
@@ -97,6 +102,11 @@ done
 %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
 %check
+# Don't diff FEDORA38 policies, it's deleted
+sed -i '/diff\ policies\/DEFAULT.pol\ policies\/FEDORA38.pol/d' Makefile
+# Don't check GOST-ONLY policies, it's deleted
+sed -i '/\ GOST-ONLY\ /d' Makefile
+
 make check %{?_smp_mflags}
 %post
@@ -126,13 +136,15 @@ make check %{?_smp_mflags}
 %ghost %{_sysconfdir}/crypto-policies/back-ends/krb5.config
 %ghost %{_sysconfdir}/crypto-policies/back-ends/openjdk.config
 %ghost %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
 %{_bindir}/update-crypto-policies
 %{_mandir}/man7/crypto-policies.7*
 %{_mandir}/man8/update-crypto-policies.8*
 %{_datarootdir}/crypto-policies/LEGACY/*
 %{_datarootdir}/crypto-policies/DEFAULT/*
-%{_datarootdir}/crypto-policies/NEXT/*
 %{_datarootdir}/crypto-policies/FUTURE/*
 %{_datarootdir}/crypto-policies/FIPS/*
 %{_datarootdir}/crypto-policies/EMPTY/*
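Review bot: The two `sed -i … /d` edits of the upstream Makefile in `%check` succeed even when their pattern matches nothing, so after the next rebase a reworded `check` recipe would leave the FEDORA38 diff or the GOST-ONLY test in place while the matching `.pol` files were already deleted in `%build`, and `make check` would fail with an unrelated-looking error; conversely `/\ GOST-ONLY\ /d` removes every line containing that token, including a continuation line of a multi-line recipe if upstream ever writes one. Add a fail-loud assertion right after the seds, e.g. `! grep -qE 'FEDORA38|[[:space:]]GOST-ONLY[[:space:]]' Makefile`, so the build stops at the point where the workaround stopped matching instead of later. `%build` also removes `policies/TEST-FEDORA39.pol`, yet nothing here strips a reference to it from the Makefile; if the upstream `check` target uses that file, a third `sed` (or keeping the file) is needed.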
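Review bot: Dropping `%{_datarootdir}/crypto-policies/NEXT/*` from `%files` removes a policy that existing installations may have selected with `update-crypto-policies --set NEXT`; on upgrade such a host still has NEXT recorded in `%{_sysconfdir}/crypto-policies/config`, and unless `%post` (outside this diff) handles that case the next regeneration of the back-end configs will presumably fail or leave the previously generated configs in place untouched. The changelog entry in the following hunk does not mention the removal either; a line such as `- Drop the NEXT policy` there, plus a sentence on what a host with NEXT selected should do, would make the upgrade path visible to administrators. A `%post` step that maps a recorded NEXT back to DEFAULT would be the robust fix, but I cannot see from this hunk whether one already exists.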
@@ -151,6 +163,20 @@ make check %{?_smp_mflags}
 %license COPYING.LESSER
 %changelog
+* Fri Jan 26 2024 yixiangzhike - 20230614-1.git5f3458e
+- update version to 20230614
+ - DEFAULT policy drop DH<2048bits,TLS1.0,TLS1.1,SHA-1
+ - Remove the CBC ciphers from DEFAULT policy in openssh
+ - FIPS policy drop the CBC ciphersuites
+ - Enable RSA-PSK algorithms in DEFAULT and LEGACY policies
+ - Add the diffie-hellman-group14-sha256 to libssh
+ - Add --check option to update-crypto-policies
+ - Add AES-192 algorithms support
+ - Use allowlisting config for gnutls
+ - Enable SHAKE algorithms for gnutls,java and nss
+ - Openssl disable SHA-1 signatures in FUTURE policy
+ - Openssh add HostbasedAcceptedAlgorithms and RequiresRSASize config options
+
 * Mon Feb 27 2023 yixiangzhike - 20200619-4.git781bbd4
 - Makefile support overriding asciidoc executable name
 - update Makefile for asciidoc 10