Accepting request 921687 from security:tls

OBS-URL: https://build.opensuse.org/request/show/921687
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/crypto-policies?expand=0&rev=2

README.SUSE

@@ -1,2 +1,2 @@
-Currently only OpenSSL, GnuTLS, and NSS policies are supported.
+Currently only OpenSSL and GnuTLS policies are supported.
 The rest of the modules ignore the policy settings for the time being.

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="versionformat">%cd.%h</param>
     <param name="changesgenerate">enable</param>
-    <param name="revision">05203d21f6d0ea9bbdb351e4600f1e273720bb8e</param>
+    <param name="revision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param>
   </service>
   <service name="recompress" mode="disabled">
     <param name="file">*.tar</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
-              <param name="changesrevision">05203d21f6d0ea9bbdb351e4600f1e273720bb8e</param></service></servicedata>
+              <param name="changesrevision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param></service></servicedata>

crypto-policies-FIPS.patch

@@ -0,0 +1,72 @@
+Index: fedora-crypto-policies/Makefile
+===================================================================
+--- fedora-crypto-policies.orig/Makefile
++++ fedora-crypto-policies/Makefile
+@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
+ CONFDIR?=/etc/crypto-policies
+ DESTDIR?=
+ MAN7PAGES=crypto-policies.7
+-MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
+-SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
++MAN8PAGES=update-crypto-policies.8 fips-finish-install.8
++SCRIPTS=update-crypto-policies fips-finish-install
+ NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
+ PYVERSION = -3
+ DIFFTOOL?=meld
+Index: fedora-crypto-policies/crypto-policies.7.txt
+===================================================================
+--- fedora-crypto-policies.orig/crypto-policies.7.txt
++++ fedora-crypto-policies/crypto-policies.7.txt
+@@ -144,9 +144,6 @@ PROVIDED POLICIES
+ 
+ *FIPS*::
+   A policy to aid conformance to the *FIPS 140-2* requirements.
+-  This policy is used internally by the *fips-mode-setup(8)* tool
+-  which can switch the system into the *FIPS 140-2* mode.
+-  This policy provides at least 112-bit security.
+ 
+   * MACs: all *HMAC* with *SHA1* or better
+   * Curves: all prime >= 256 bits
+@@ -255,12 +252,6 @@ COMMANDS
+   back ends and allows the system administrator to change the active
+   cryptographic policy.
+ 
+-*fips-mode-setup(8)*::
+-  This command allows the system administrator to enable, or disable the
+-  system FIPS mode and also apply the *FIPS* cryptographic policy
+-  which limits the allowed algorithms and protocols to these allowed by
+-  the FIPS 140-2 requirements.
+-
+ 
+ NOTES
+ -----
+@@ -427,7 +418,7 @@ FILES
+ 
+ SEE ALSO
+ --------
+-update-crypto-policies(8), fips-mode-setup(8)
++update-crypto-policies(8)
+ 
+ 
+ AUTHOR
+Index: fedora-crypto-policies/python/update-crypto-policies.py
+===================================================================
+--- fedora-crypto-policies.orig/python/update-crypto-policies.py
++++ fedora-crypto-policies/python/update-crypto-policies.py
+@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
+                 eprint("Warning: Using 'update-crypto-policies --set FIPS' "
+                        "is not sufficient for")
+                 eprint("         FIPS compliance.")
+-                eprint("         Use 'fips-mode-setup --enable' "
+-                       "command instead.")
+             elif fips_mode():
+                 eprint("Warning: Using 'update-crypto-policies --set' "
+                        "in FIPS mode will make the system")
+                 eprint("         non-compliant with FIPS.")
+                 eprint("         It can also break "
+                        "the ssh access to the system.")
+-                eprint("         Use 'fips-mode-setup --disable' "
+-                       "to disable the system FIPS mode.")
+ 
+     if base_dir == DEFAULT_BASE_DIR:
+         if not os.geteuid() == 0:

crypto-policies-asciidoc.patch

@@ -1,15 +0,0 @@
-Index: fedora-crypto-policies-master/Makefile
-===================================================================
---- fedora-crypto-policies-master.orig/Makefile	2020-09-23 08:49:28.000000000 +0200
-+++ fedora-crypto-policies-master/Makefile	2020-11-12 10:00:52.418204054 +0100
-@@ -60,8 +60,8 @@ clean:
- 	rm -rf output
- 
- %: %.txt
--	asciidoc.py -v -d manpage -b docbook $<
--	xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
-+	asciidoc -v -d manpage -b docbook $<
-+	xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
- 
- dist:
- 	rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies

crypto-policies-no-build-manpages.patch

@@ -1,23 +1,8 @@
-Index: fedora-crypto-policies-master/Makefile
+Index: fedora-crypto-policies/Makefile
 ===================================================================
---- fedora-crypto-policies-master.orig/Makefile	2020-09-23 08:49:28.000000000 +0200
-+++ fedora-crypto-policies-master/Makefile	2020-11-12 10:00:52.418204054 +0100
-@@ -60,8 +60,8 @@ clean:
- 	rm -rf output
- 
- %: %.txt
--	asciidoc -v -d manpage -b docbook $<
--	xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
-+	# asciidoc -v -d manpage -b docbook $<
-+	# xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
- 
- dist:
- 	rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
-Index: fedora-crypto-policies-master
-===================================================================
---- fedora-crypto-policies-master.orig/Makefile
-+++ fedora-crypto-policies-master/Makefile
-@@ -21,9 +21,9 @@ install: $(MANPAGES)
+--- fedora-crypto-policies.orig/Makefile
++++ fedora-crypto-policies/Makefile
+@@ -22,9 +22,9 @@ install: $(MANPAGES)
  	mkdir -p $(DESTDIR)$(MANDIR)/man7
  	mkdir -p $(DESTDIR)$(MANDIR)/man8
  	mkdir -p $(DESTDIR)$(BINDIR)
@@ -30,3 +15,14 @@ Index: fedora-crypto-policies-master
  	mkdir -p $(DESTDIR)$(DIR)/
  	install -p -m 644 default-config $(DESTDIR)$(DIR)
  	install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
+@@ -106,8 +106,8 @@ clean:
+ 	rm -rf output
+ 
+ %: %.txt
+-	asciidoc.py -v -d manpage -b docbook $<
+-	xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
++	# asciidoc -v -d manpage -b docbook $<
++	# xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
+ 
+ dist:
+ 	rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies

crypto-policies-test_supported_modules_only.patch

@@ -1,8 +1,8 @@
-Index: fedora-crypto-policies-master/Makefile
+Index: fedora-crypto-policies/Makefile
 ===================================================================
---- fedora-crypto-policies-master.orig/Makefile
-+++ fedora-crypto-policies-master/Makefile
-@@ -45,8 +45,6 @@ check:
+--- fedora-crypto-policies.orig/Makefile
++++ fedora-crypto-policies/Makefile
+@@ -56,8 +56,6 @@ check:
  	tests/openssl.pl
  	tests/gnutls.pl
  	tests/nss.py
@@ -10,4 +10,4 @@ Index: fedora-crypto-policies-master/Makefile
 -	tests/krb5.py
  	top_srcdir=. tests/update-crypto-policies.sh
  
- test: check runpylint
+ # Alternative, equivalent ways to write the same policies

crypto-policies-typos.patch

@@ -1,48 +0,0 @@
-From: Hideki Yamane <h-yamane@sios.com>
-Date: Sun, 25 Aug 2019 04:08:35 +0900
-Subject: fix typos
-
----
- crypto-policies.7.txt        | 2 +-
- fips-finish-install          | 2 +-
- fips-finish-install.8.txt    | 2 +-
-
-Index: fedora-crypto-policies-master/crypto-policies.7.txt
-===================================================================
---- fedora-crypto-policies-master.orig/crypto-policies.7.txt
-+++ fedora-crypto-policies-master/crypto-policies.7.txt
-@@ -236,7 +236,7 @@ To completely override a list value in a
- sign. Combining 'list-items' with and without signs in a single list value assignment is
- not allowed however an existing list value can be modified in multiple further assignments.
- 
--Non-list key values in the policy module files are simply overriden.
-+Non-list key values in the policy module files are simply overridden.
- 
- The keys marked as *Optional* can be omitted in the policy definition
- files. In that case, the values will be derived from the base
-Index: fedora-crypto-policies-master/fips-finish-install
-===================================================================
---- fedora-crypto-policies-master.orig/fips-finish-install
-+++ fedora-crypto-policies-master/fips-finish-install
-@@ -12,7 +12,7 @@ if test -f /run/ostree-booted; then
- fi
- 
- if test x"$1" !=  x--complete ; then
--	echo "Complete the instalation of FIPS modules."
-+	echo "Complete the installation of FIPS modules."
- 	echo "usage: $0 --complete"
- 	exit 2
- fi
-Index: fedora-crypto-policies-master/fips-finish-install.8.txt
-===================================================================
---- fedora-crypto-policies-master.orig/fips-finish-install.8.txt
-+++ fedora-crypto-policies-master/fips-finish-install.8.txt
-@@ -21,7 +21,7 @@ fips-finish-install(8)
- 
- NAME
- ----
--fips-finish-install - complete the instalation of FIPS modules.
-+fips-finish-install - complete the installation of FIPS modules.
- 
- 
- SYNOPSIS

crypto-policies.changes

@@ -1,3 +1,56 @@
+-------------------------------------------------------------------
+Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Remove the scripts and documentation regarding
+  fips-finish-install and test-fips-setup
+  * Add crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Sep 24 09:34:03 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20210917.c9d86d1:
+  * openssl: fix disabling ChaCha20
+  * pacify pylint 2.11: use format strings
+  * pacify pylint 2.11: specify explicit encoding
+  * fix minor things found by new pylint
+  * update-crypto-policies: --check against regenerated
+  * update-crypto-policies: fix --check's walking order
+  * policygenerators/gnutls: revert disabling DTLS0.9...
+  * policygenerators/java: add javasystem backend
+  * LEGACY: bump 1023 key size to 1024
+  * cryptopolicies: fix 'and' in deprecation warnings
+  * *ssh: condition ecdh-sha2-nistp384 on SECP384R1
+  * nss: hopefully the last fix for nss sigalgs check
+  * cryptopolicies: Python 3.10 compatibility
+  * nss: postponing check + testing at least something
+  * Rename 'policy modules' to 'subpolicies'
+  * validation.rules: fix a missing word in error
+  * cryptopolicies: raise errors right after warnings
+  * update-crypto-policies: capitalize warnings
+  * cryptopolicies: syntax-precheck scope errors
+  * .gitlab-ci.yml, Makefile: enable codespell
+  * all: fix several typos
+  * docs: don't leave zero TLS/DTLS protocols on
+  * openssl: separate TLS/DTLS MinProtocol/MaxProtocol
+  * alg_lists: order protocols new-to-old for consistency
+  * alg_lists: max_{d,}tls_version
+  * update-crypto-policies: fix pregenerated + local.d
+  * openssh: allow validation with pre-8.5
+  * .gitlab-ci.yml: run commit-range against upstream
+  * openssh: Use the new name for PubkeyAcceptedKeyTypes
+  * sha1_in_dnssec: deprecate
+  * .gitlab-ci.yml: test commit ranges
+  * FIPS:OSPP: sign = -*-SHA2-224
+  * scoped policies: documentation update
+  * scoped policies: use new features to the fullest...
+  * scoped policies: rewrite + minimal policy changes
+  * scoped policies: rewrite preparations
+  * nss: postponing the version check again, to 3.64
+- Remove patches fixed upstream: crypto-policies-typos.patch
+- Rebase: crypto-policies-test_supported_modules_only.patch
+- Merge crypto-policies-asciidoc.patch into
+    crypto-policies-no-build-manpages.patch
+
 -------------------------------------------------------------------
 Thu Feb 25 12:05:39 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
 

crypto-policies.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package crypto-policies
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %global _python_bytecompile_extra 0
 Name:           crypto-policies
-Version:        20210225.05203d2
+Version:        20210917.c9d86d1
 Release:        0
 Summary:        System-wide crypto policies
 License:        LGPL-2.1-or-later
@@ -28,18 +28,23 @@ Source0:        fedora-%{name}-%{version}.tar.gz
 Source1:        README.SUSE
 Source2:        crypto-policies.7.gz
 Source3:        update-crypto-policies.8.gz
-Patch0:         crypto-policies-asciidoc.patch
-Patch1:         crypto-policies-typos.patch
-Patch2:         crypto-policies-test_supported_modules_only.patch
-Patch3:         crypto-policies-no-build-manpages.patch
+Patch0:         crypto-policies-test_supported_modules_only.patch
+Patch1:         crypto-policies-no-build-manpages.patch
+Patch2:         crypto-policies-FIPS.patch
 BuildRequires:  python3-base
+# For testing, the following buildrequires need to be uncommented.
 # BuildRequires:  asciidoc
+# BuildRequires:  bind
 # BuildRequires:  gnutls >= 3.6.0
 # BuildRequires:  java-devel
 # BuildRequires:  libxslt
 # BuildRequires:  openssl
 # BuildRequires:  perl
+# BuildRequires:  python3-coverage
 # BuildRequires:  python3-devel >= 3.6
+# BuildRequires:  python3-flake8
+# BuildRequires:  python3-pylint
+# BuildRequires:  python3-pytest
 # BuildRequires:  perl(File::Copy)
 # BuildRequires:  perl(File::Temp)
 # BuildRequires:  perl(File::Which)
@@ -102,6 +107,11 @@ touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
 # Drop pre-generated GOST-ONLY policy, we do not need to ship the files
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
 
+# Remove fips-finish-install and test-fips-setup scripts and man
+find -type f -name fips-finish-install -delete
+find -type f -name fips-finish-install.8.txt -delete
+find -type f -name test-fips-setup.sh -delete
+
 # Create back-end configs for mounting with read-only /etc/
 for d in LEGACY DEFAULT FUTURE FIPS ; do
     mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
@@ -119,7 +129,7 @@ done
 cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
 
 %check
-%make_build check || :
+%make_build test || :
 
 %post -p <lua>
 if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@@ -175,6 +185,7 @@ end
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config

fedora-crypto-policies-20210225.05203d2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:773522be2bf98a7e88bc684d33c846b337d170cf33001dc2b20eee35c82c8030
-size 58094

fedora-crypto-policies-20210917.c9d86d1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d5e57503a00c247d549aab27de2a3d96c7d8756910939aec5acd38df6e73c252
+size 75022