diff --git a/crypto-policies-git027799d.tar.gz b/crypto-policies-git027799d.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..b437bb3a7b04043e63a45005c5ebc4a3a1af98a4 Binary files /dev/null and b/crypto-policies-git027799d.tar.gz differ diff --git a/crypto-policies-gita4c31a3.tar.gz b/crypto-policies-gita4c31a3.tar.gz deleted file mode 100644 index a1d90fe8dd69a4e7fa0ccf84dc5b0ebb9f7ed026..0000000000000000000000000000000000000000 Binary files a/crypto-policies-gita4c31a3.tar.gz and /dev/null differ diff --git a/crypto-policies.spec b/crypto-policies.spec index 431203ca56baffae7cdd1ad1b7e03b082a27eeaf..1e1fb627ced3668e323a2ad75619691b8324580e 100644 --- a/crypto-policies.spec +++ b/crypto-policies.spec 
@@ -1,58 +1,61 @@ -%define anolis_release 5 -%global git_date 20221215 -%global git_commit a4c31a34711325447363d87ba9fec5bb5535903a +%global git_date 20230614 +%global git_commit 027799d4336eb324f4543f64db8f17ad45cbcb46 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})} -%bcond_with check + %global _python_bytecompile_extra 0 +# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1 +%if 0%{?rhel} == 9 + # RHEL-9: must be RequiredRSASize in RHEL >= 9.2, Conflicts-enforced, + %global MIN_RSA_NAME RequiredRSASize +%elif 0%{?rhel} == 10 + # ELN: RequiredRSASize for openssh >= 9.0p1-5, RSAMinSize for >= 9.0p1-2 + %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-5" + %global MIN_RSA_NAME RequiredRSASize + %elif v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-2" + %global MIN_RSA_NAME RSAMinSize + %else + %global MIN_RSA_NAME none + %endif +%else + # some other distro, follow autodetection which checks for openssh >= 9.1 + %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.1" + %global MIN_RSA_NAME RequiredRSASize + %else + %global MIN_RSA_NAME none + %endif +%endif + Name: crypto-policies Version: %{git_date} -Release: %{anolis_release}%{?dist} +Release: 1.git%{git_commit_hash}%{?dist} Summary: System-wide crypto policies -License: LGPLv2.1+ +License: LGPLv2+ URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies +# For RHEL-9 we use the upstream branch rhel9. 
Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz -Patch1: update-for-asciidoc-10.patch - BuildArch: noarch BuildRequires: asciidoc BuildRequires: libxslt BuildRequires: openssl BuildRequires: gnutls-utils >= 3.6.0 -%ifnarch loongarch64 -BuildRequires: java-1.8.0-alibaba-dragonwell-devel -%else BuildRequires: java-1.8.0-openjdk-devel -%endif BuildRequires: bind BuildRequires: perl-interpreter BuildRequires: perl-generators BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy) BuildRequires: perl(File::Which) BuildRequires: python3-devel >= 3.6 -Buildrequires: python3-toml -%if %{with check} BuildRequires: python3-pytest -BuildRequires: python3-pylint -BuildRequires: python3-flake8 -BuildRequires: python3-coverage -BuildRequires: python3-platformdirs -BuildRequires: codespell -%endif BuildRequires: make -BuildRequires: krb5-devel -BuildRequires: openssh-clients -BuildRequires: openssh-server - -Conflicts: openssl-libs < 3.0.2-2 + +Conflicts: openssl < 1:3.0.1-10 Conflicts: nss < 3.44.0 Conflicts: libreswan < 3.28 -Conflicts: openssh < 9.0p1 -Conflicts: gnutls < 3.7.3 - -Recommends: crypto-policies-scripts +Conflicts: openssh < 8.7p1-24 +Conflicts: gnutls < 3.7.2-3 %description This package provides pre-built configuration files with @@ -62,10 +65,7 @@ such as SSL/TLS libraries. %package scripts Summary: Tool to switch between crypto policies Requires: %{name} = %{version}-%{release} -Recommends: grubby - -# fips-mode-setup merged into the scripts subpackage -Obsoletes: fips-mode-setup < 20200702-1.c40cede +Recommends: (grubby if kernel) Provides: fips-mode-setup = %{version}-%{release} %description scripts 
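Review bot: In the `%else` (non-RHEL) branch the RSA minimum-size keyword is chosen by running `rpm -q openssh` in the build chroot, but this hunk drops `BuildRequires: openssh-clients`/`openssh-server` and adds no `BuildRequires: openssh`, so in a clean buildroot the query prints "package openssh is not installed", the `v"..."` comparison falls through to `%global MIN_RSA_NAME none`, and the generated openssh back-end silently ships without any RSA key-size floor. Add `BuildRequires: openssh` next to the other build dependencies so the detection sees a real NVR, or make the `%else` branch abort with `%{error:cannot detect openssh version}` when the query does not return one. The install-time guard also no longer matches the detection: `Conflicts: openssh < 8.7p1-24` is a RHEL-9 backport NVR, whereas upstream only understands `RequiredRSASize` from 9.1, so outside RHEL a build that baked `RequiredRSASize` can be installed next to an older openssh that rejects the option and sshd then fails to parse its config; tie the Conflicts to the chosen keyword (e.g. `Conflicts: openssh < 9.1` in the `%else` branch). Which branch is taken here depends on whether the target defines `%{rhel}`, which this spec does not show.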
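Review bot: Dropping `Obsoletes: fips-mode-setup < 20200702-1.c40cede` while keeping `Provides: fips-mode-setup = %{version}-%{release}` means a host that still has a standalone fips-mode-setup package will not have it replaced on upgrade, and both packages would then own `%{_bindir}/fips-mode-setup`, so the transaction fails on a file conflict or the old script stays beside the new one. If any repository this spec targets ever shipped that package, keep the `Obsoletes:` line; otherwise note in the changelog why it is safe to remove. `Recommends: (grubby if kernel)` is fine provided the target rpm supports rich dependencies, which the `v"..."` comparisons above already assume.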
@@ -77,21 +77,15 @@ defined in simple policy definition files. The package also provides a tool fips-mode-setup, which can be used to enable or disable the system FIPS mode. -%package doc -Summary: Documentation files for %{name} -Requires: %{name} = %{version}-%{release} -BuildArch: noarch - -%description doc -The %{name}-doc package contains documentation files for %{name}. - %prep -%autosetup -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit} -p1 - +%setup -q -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit} +%autopatch -p1 %build -sed -i "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \ - python/policygenerators/openssh.py +sed -i \ + "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \ + python/policygenerators/openssh.py +grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py %make_build %install @@ -109,11 +103,10 @@ install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/conf touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol -rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY - -rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA* - +# Drop pre-generated EMPTY policy, we do not need to ship it +rm -rf %{buildroot}%{_datarootdir}/crypto-policies/EMPTY +# Create back-end configs for mounting with read-only /etc/ for d in LEGACY DEFAULT FUTURE FIPS ; do mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do 
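Review bot: Removing `rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY` and `rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*` means any policy or pre-generated directory of those names present in the new tarball is now installed and becomes selectable with `update-crypto-policies --set`, because the %files section (outside this hunk) ships `%{_datarootdir}/crypto-policies/policies` as a whole directory. The previous packaging pruned them deliberately, so either verify the 027799d tarball no longer contains them or keep the two `rm -rf` lines next to the new EMPTY removal. The new comment should also make clear that only the pre-generated back-ends are dropped and that the EMPTY policy definition presumably still ships and can be activated, e.g. `# Drop pre-generated EMPTY back-ends only; the EMPTY policy itself stays selectable`.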
@@ -127,12 +120,16 @@ done %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python -%generate_compatibility_deps - -%if %{with check} %check -make test %{?_smp_mflags} +# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1 +%if "%{MIN_RSA_NAME}" == "none" + sed -i '/RequiredRSASize .*/d' tests/outputs/*.txt +%elif "%{MIN_RSA_NAME}" == "RSAMinSize" + sed -i 's/RequiredRSASize/RSAMinSize/' tests/outputs/*.txt +%else + [ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7 %endif +make ON_RHEL9=1 test %post -p if not posix.access("%{_sysconfdir}/crypto-policies/config") then @@ -170,7 +167,7 @@ end %files -%license COPYING.LESSER + %dir %{_sysconfdir}/crypto-policies/ %dir %{_sysconfdir}/crypto-policies/back-ends/ %dir %{_sysconfdir}/crypto-policies/state/ @@ -178,7 +175,9 @@ end %dir %{_sysconfdir}/crypto-policies/policies/ %dir %{_sysconfdir}/crypto-policies/policies/modules/ %dir %{_datarootdir}/crypto-policies/ + %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config + %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config @@ -191,7 +190,6 @@ end %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config -%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config # %verify(not mode) comes from the fact # these turn into symlinks and back to regular files at will, see bz1898986 
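Review bot: `%check` is now unconditional and runs `make ON_RHEL9=1 test` on every target, while the BuildRequires the old check path relied on (`openssh-clients`, `openssh-server`, `krb5-devel`, `python3-pylint`/`python3-flake8`) were dropped in the first hunk; if the Makefile's `test` target still validates the generated ssh/sshd configs with the real binaries or runs the linters, those checks either fail the build or, if the Makefile skips them when the tools are absent, silently stop validating the very `RequiredRSASize` line this branch patches in. Confirm which it is against the Makefile in the 027799d tarball and restore the matching BuildRequires (or reintroduce a `%bcond` for them). `[ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7` also relies on the bash-only `==` inside `[`; `[ "%{MIN_RSA_NAME}" = "RequiredRSASize" ] || exit 7` is the portable spelling and costs nothing. A one-line comment above the `sed` calls such as `# tests/outputs/ are generated for RequiredRSASize; adapt them to the keyword baked in at %build` would make the intent of editing the expected outputs obvious.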
@@ -203,28 +201,27 @@ end %{_datarootdir}/crypto-policies/DEFAULT %{_datarootdir}/crypto-policies/FUTURE %{_datarootdir}/crypto-policies/FIPS -%{_datarootdir}/crypto-policies/EMPTY %{_datarootdir}/crypto-policies/back-ends %{_datarootdir}/crypto-policies/default-config %{_datarootdir}/crypto-policies/reload-cmds.sh %{_datarootdir}/crypto-policies/policies +%license COPYING.LESSER %files scripts -%dir %{abidir} %{_bindir}/update-crypto-policies -%{abidir}/update-crypto-policies-option.list %{_mandir}/man8/update-crypto-policies.8* %{_datarootdir}/crypto-policies/python + %{_bindir}/fips-mode-setup %{_bindir}/fips-finish-install %{_mandir}/man8/fips-mode-setup.8* %{_mandir}/man8/fips-finish-install.8* -%files doc -%doc NEWS README.md CONTRIBUTING.md - %changelog +* Wed Mar 20 2024 yangxianzhao 20230614-1.git027799d +- Update to 20230614-1 + * Thu Oct 12 2023 Jingyun Hua - 20221215-5 - fix BuildRequires package for loongarch64 @@ -232,7 +229,7 @@ end - disable python check * Wed Mar 22 2023 happy_orange - 20221215-3 -- fix the build error beacuse of asciidoc update to 10.x.x +- fix the build error beacuse of asciidoc update to 10.x.x * Thu Feb 02 2023 happy_orange - 20221215-2 - change the version of conflict package openssh @@ -244,4 +241,5 @@ end - optimise spec file * Mon Mar 14 2022 forrest_ly - 20220314-1 -- Init for Anolis OS 23 +- Init for Anolis OS 23 + diff --git a/update-for-asciidoc-10.patch b/update-for-asciidoc-10.patch deleted file mode 100644 index 6f0df57868c0f6ef909a6bf00563fd6b9bfcaa3a..0000000000000000000000000000000000000000 --- a/update-for-asciidoc-10.patch +++ /dev/null 
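Review bot: The `%ghost` entry for `%{_sysconfdir}/crypto-policies/back-ends/sequoia.config` is dropped, but nothing in this diff shows that the 027799d tree stopped generating that file; the previous tarball did generate it, and `update-crypto-policies` run from `%post` (outside this hunk) writes whatever the generators produce. If sequoia.config is still generated it becomes an unowned file under /etc that `rpm -V` cannot check and `rpm -e` leaves behind, so a stale policy would keep applying after the package is removed. Check `python/policygenerators/` in the new tarball and either keep `%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config` or add a comment stating that the rhel9 branch has no sequoia generator.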
@@ -1,39 +0,0 @@ -From 8c7de0471c1de088ff3c332590ea91a71d4273c0 Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Mon, 20 Feb 2023 11:39:28 +0100 -Subject: [PATCH] Makefile: update for asciidoc 10 - ---- - Makefile | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/Makefile b/Makefile -index f99dc6d..e99ca19 100644 ---- a/Makefile -+++ b/Makefile -@@ -10,7 +10,12 @@ SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup - NUM_PROCS = $$(getconf _NPROCESSORS_ONLN) - PYVERSION = -3 - DIFFTOOL?=meld --ASCIIDOC?=asciidoc.py -+ASCIIDOC?=asciidoc -+ifneq ("$(wildcard /usr/lib/python*/*/asciidoc/resources/docbook-xsl/manpage.xsl)","") -+MANPAGEXSL?=$(wildcard /usr/lib/python*/*/asciidoc/resources/docbook-xsl/manpage.xsl) -+else -+MANPAGEXSL?=/usr/share/asciidoc/docbook-xsl/manpage.xsl -+endif - - all: build - -@@ -111,7 +116,7 @@ clean: - - %: %.txt - $(ASCIIDOC) -v -d manpage -b docbook $< -- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml -+ xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml - - dist: - rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies --- -GitLab -