backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch

@@ -1,56 +0,0 @@
-From c40cedee6e5225dc72e590f9ff0282d876a2e5d5 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Thu, 2 Jul 2020 15:40:01 +0200
-Subject: [PATCH] Describe some of the quirks of the back-end config
- generators.
-
----
- crypto-policies.7.txt | 25 ++++++++++++++++++++++++-
- 1 file changed, 24 insertions(+), 1 deletion(-)
-
-diff --git a/crypto-policies.7.txt b/crypto-policies.7.txt
-index 0971935..2b583b8 100644
---- a/crypto-policies.7.txt
-+++ b/crypto-policies.7.txt
-@@ -277,7 +277,7 @@ COMMANDS
- NOTES
- -----
- 
--*Exceptions:*
-+*Exceptions*
- 
- * *Go-language* applications do not yet follow the system-wide policy.
- * *GnuPG-2* application does not follow the system-wide policy.
-@@ -323,6 +323,29 @@ of individual applications:
- * all *ECC* curves incompatible with *TLS 1.3*, including secp256k1
- * *IKEv1*
- 
-+*Notable irregularities in the individual configuration generators*
-+
-+* *OpenSSL*: The minimum length of the keys and some other parameters
-+are enforced by the @SECLEVEL value which does not provide a fine
-+granularity. The list of *TLS* ciphers is not generated as an exact list
-+but by subtracting from all the supported ciphers for the enabled key
-+exchange methods. For that reason there is no way to disable a random cipher.
-+In particular all *AES-128* ciphers are disabled if the *AES-128-GCM* is not
-+present in the list; all *AES-256* ciphers are disabled if the *AES-256-GCM*
-+is not present. The *CBC* ciphers are disabled if there isn't *HMAC-SHA1*
-+in the hmac list and *AES-256-CBC* in the cipher list. To disable the *CCM*
-+ciphers both *AES-128-CCM* and *AES-256-CCM* must not be present in the cipher
-+list.
-+
-+* *GnuTLS*: The minimum length of the keys and some other parameters
-+are enforced by min-verification-profile setting in the *GnuTLS* configuration
-+file which does not provide fine granularity.
-+
-+* *OpenSSH*: *DH* group 1 is always disabled on server even if the policy
-+allows 1024 bit *DH* groups in general. The OpenSSH configuration option
-+HostKeyAlgorithms is set only for the *SSH* server as otherwise the
-+handling of the existing known hosts entries would be broken on client.
-+
- HISTORY
- -------
- 
--- 
-2.33.0
-

backport-policygenerators-nss-output-sigalgs-nss-3-59.patch

@@ -1,192 +0,0 @@
-From b21c8114995e07965c2ccde5f5767d0618d854bf Mon Sep 17 00:00:00 2001
-From: Alexander Sosedkin <asosedkin@redhat.com>
-Date: Mon, 18 Jan 2021 17:58:45 +0100
-Subject: [PATCH] policygenerators/nss: output sigalgs (nss >=3.59)
-
-Actually, checking for 3.60 because Fedora has reverted the change.
----
- python/policygenerators/nss.py        | 36 ++++++++++++++++++++++++++++++++---
- tests/nss.py                          | 15 +++++++++++++++
- tests/outputs/DEFAULT-nss.txt         |  2 +-
- tests/outputs/FIPS-nss.txt            |  2 +-
- tests/outputs/FIPS:ECDHE-ONLY-nss.txt |  2 +-
- tests/outputs/FIPS:OSPP-nss.txt       |  2 +-
- tests/outputs/FUTURE-nss.txt          |  2 +-
- tests/outputs/LEGACY-nss.txt          |  2 +-
- 9 files changed, 55 insertions(+), 10 deletions(-)
-
-diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py
-index ee10025..00935a2 100644
---- a/python/policygenerators/nss.py
-+++ b/python/policygenerators/nss.py
-@@ -6,6 +6,8 @@
- from subprocess import call, CalledProcessError
- from tempfile import mkstemp
- 
-+import ctypes
-+import ctypes.util
- import os
- 
- from .configgenerator import ConfigGenerator
-@@ -86,6 +88,15 @@ class NSSGenerator(ConfigGenerator):
- 		'DTLS1.2':'dtls1.2'
- 	}
- 
-+	# Depends on a dict being ordered,
-+	# impl. detail in CPython 3.6, guaranteed starting from Python 3.7.
-+	sign_prefix_ordmap = {
-+		'RSA-PSS-':'RSA-PSS',  # must come before RSA-
-+		'RSA-':'RSA-PKCS',
-+		'ECDSA-':'ECDSA',
-+		'DSA-':'DSA',
-+	}
-+
- 	@classmethod
- 	def generate_config(cls, policy):
- 		p = policy.props
-@@ -126,9 +137,14 @@ class NSSGenerator(ConfigGenerator):
- 			except KeyError:
- 				pass
- 
--		dsa = [i for i in p['sign'] if i.find('DSA-') == 0]
--		if dsa:
--			s = cls.append(s, 'DSA')
-+		enabled_sigalgs = set()
-+		for i in p['sign']:
-+			for prefix, sigalg in cls.sign_prefix_ordmap.items():
-+				if i.startswith(prefix):
-+					if sigalg not in enabled_sigalgs:
-+						enabled_sigalgs.add(sigalg)
-+						s = cls.append(s, sigalg)
-+					break  # limit to first match
- 
- 		try:
- 			minver = cls.protocol_map[p['min_tls_version']]
-@@ -151,6 +167,20 @@ class NSSGenerator(ConfigGenerator):
- 
- 	@classmethod
- 	def test_config(cls, config):
-+		try:
-+			nss_path = ctypes.util.find_library('nss3')
-+			nss_lib = ctypes.CDLL(nss_path)
-+			if not nss_lib.NSS_VersionCheck(b'3.60'):
-+				# Cannot validate with pre-3.59 NSS
-+				# that doesn't know ECDSA/RSA-PSS/RSA-PKCS
-+				# identifiers yet.
-+				# 3.60 because Fedora's 3.59 has that reverted
-+				cls.eprint('Skipping nss-policy-check due to '
-+				           'nss being older than 3.60')
-+				return True
-+		except AttributeError:
-+			cls.eprint('Cannot determine nss version with ctypes')
-+
- 		if not os.access('/usr/bin/nss-policy-check', os.X_OK):
- 			return True
- 
-diff --git a/tests/nss.py b/tests/nss.py
-index 4d2cee1..a16d984 100755
---- a/tests/nss.py
-+++ b/tests/nss.py
-@@ -1,5 +1,7 @@
- #!/usr/bin/python3
- 
-+import ctypes
-+import ctypes.util
- import glob
- import os
- import shutil
-@@ -12,6 +14,19 @@ if shutil.which('nss-policy-check') is None:
-     sys.exit(0)
- 
- 
-+# Cannot validate with pre-3.59 NSS that doesn't know ECDSA/RSA-PSS/RSA-PKCS
-+# identifiers yet. Checking for 3.60 because Fedora has reverted the change.
-+try:
-+    nss = ctypes.CDLL(ctypes.util.find_library('nss3'))
-+    if not nss.NSS_VersionCheck(b'3.60'):
-+        print('Skipping nss-policy-check verification '
-+              'due to nss being older than 3.60', file=sys.stderr)
-+        sys.exit(0)
-+except AttributeError:
-+    print('Cannot determine nss version with ctypes, hoping for >=3.59',
-+          file=sys.stderr)
-+
-+
- print('Checking the NSS configuration')
- 
- for policy_path in glob.glob('tests/outputs/*-nss.txt'):
-diff --git a/tests/outputs/DEFAULT-nss.txt b/tests/outputs/DEFAULT-nss.txt
-index 6a93308..500cd70 100644
---- a/tests/outputs/DEFAULT-nss.txt
-+++ b/tests/outputs/DEFAULT-nss.txt
-@@ -1,6 +1,6 @@
- library=
- name=Policy
- NSS=flags=policyOnly,moduleDB
--config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
-+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
- 
- 
-diff --git a/tests/outputs/FIPS-nss.txt b/tests/outputs/FIPS-nss.txt
-index c9809b9..4fdf6bc 100644
---- a/tests/outputs/FIPS-nss.txt
-+++ b/tests/outputs/FIPS-nss.txt
-@@ -1,6 +1,6 @@
- library=
- name=Policy
- NSS=flags=policyOnly,moduleDB
--config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
-+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
- 
- 
-diff --git a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
-index 78f4844..399bc5c 100644
---- a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
-+++ b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
-@@ -1,6 +1,6 @@
- library=
- name=Policy
- NSS=flags=policyOnly,moduleDB
--config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
-+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
- 
- 
-diff --git a/tests/outputs/FIPS:OSPP-nss.txt b/tests/outputs/FIPS:OSPP-nss.txt
-index 0ca1ab0..d172a83 100644
---- a/tests/outputs/FIPS:OSPP-nss.txt
-+++ b/tests/outputs/FIPS:OSPP-nss.txt
-@@ -1,6 +1,6 @@
- library=
- name=Policy
- NSS=flags=policyOnly,moduleDB
--config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
-+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
- 
- 
-diff --git a/tests/outputs/FUTURE-nss.txt b/tests/outputs/FUTURE-nss.txt
-index 23d1ce8..9cea0a4 100644
---- a/tests/outputs/FUTURE-nss.txt
-+++ b/tests/outputs/FUTURE-nss.txt
-@@ -1,6 +1,6 @@
- library=
- name=Policy
- NSS=flags=policyOnly,moduleDB
--config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
-+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
- 
- 
-diff --git a/tests/outputs/LEGACY-nss.txt b/tests/outputs/LEGACY-nss.txt
-index e16b6ce..8bf8bd1 100644
---- a/tests/outputs/LEGACY-nss.txt
-+++ b/tests/outputs/LEGACY-nss.txt
-@@ -1,6 +1,6 @@
- library=
- name=Policy
- NSS=flags=policyOnly,moduleDB
--config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
-+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
- 
- 
--- 
-1.8.3.1
-

backport-rewrite-test-nss-pl-in-python.patch

@@ -1,115 +0,0 @@
-From 4fb6cdf626ee35623400ca557198cecb4efd4e88 Mon Sep 17 00:00:00 2001
-From: Alexander Sosedkin <asosedkin@redhat.com>
-Date: Mon, 18 Jan 2021 17:43:53 +0100
-Subject: [PATCH] tests/nss.pl: rewrite in Python
-
----
- Makefile     |  2 +-
- tests/nss.pl | 41 -----------------------------------------
- tests/nss.py | 33 +++++++++++++++++++++++++++++++++
- 3 files changed, 34 insertions(+), 42 deletions(-)
- delete mode 100755 tests/nss.pl
- create mode 100755 tests/nss.py
-
-diff --git a/Makefile b/Makefile
-index 2699ac6..a50408e 100644
---- a/Makefile
-+++ b/Makefile
-@@ -43,7 +43,7 @@ check:
- 	python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies tests/outputs
- 	tests/openssl.pl
- 	tests/gnutls.pl
--	tests/nss.pl
-+	tests/nss.py
- 	tests/java.pl
- 	tests/krb5.py
- 	top_srcdir=. tests/update-crypto-policies.sh
-diff --git a/tests/nss.pl b/tests/nss.pl
-deleted file mode 100755
-index e021ffd..0000000
---- a/tests/nss.pl
-+++ /dev/null
-@@ -1,41 +0,0 @@
--#!/usr/bin/perl
--
--my $RESULTFILE="result-nss.tmp";
--
--use File::Which qw(which);
--
--print "Checking the NSS configuration\n";
--
--my $dir = 'tests/outputs';
--
--opendir(DIR, $dir) or die $!;
--
--my @nsspolicies
--    = grep {
--        /-nss/             # has -nss in name
--        && -f "$dir/$_"   # and is a file
--    } readdir(DIR);
--
--foreach my $policyfile (@nsspolicies) {
--	my $policy = $policyfile;
--	$policy =~ s/-[^-]+$//;
--
--	print "Checking policy $policy\n";
--	my $tool = which "nss-policy-check";
--
--	if ($policy ne 'EMPTY' and $tool ne undef) {
--
--		system("nss-policy-check $dir/$policyfile >$RESULTFILE 2>&1") ;
--		if ($? != 0) {
--			print "Error in NSS policy for $policy\n";
--			print STDERR "NSS policy for $policy:\n";
--			system("cat $dir/$policyfile 1>&2");
--			print STDERR "\nnss-policy-check error:\n";
--			system("cat $RESULTFILE 1>&2");
--			exit 1;
--		}
--		unlink($RESULTFILE);
--	}
--}
--
--exit 0;
-diff --git a/tests/nss.py b/tests/nss.py
-new file mode 100755
-index 0000000..4d2cee1
---- /dev/null
-+++ b/tests/nss.py
-@@ -0,0 +1,33 @@
-+#!/usr/bin/python3
-+
-+import glob
-+import os
-+import shutil
-+import subprocess
-+import sys
-+
-+
-+if shutil.which('nss-policy-check') is None:
-+    print('nss-policy-check not found, skipping check', file=sys.stderr)
-+    sys.exit(0)
-+
-+
-+print('Checking the NSS configuration')
-+
-+for policy_path in glob.glob('tests/outputs/*-nss.txt'):
-+    policy = os.path.basename(policy_path)[:-len('-nss.txt')]
-+    print(f'Checking policy {policy}')
-+    if policy not in ('EMPTY', 'GOST-ONLY'):
-+        p = subprocess.Popen(['nss-policy-check', policy_path],
-+                             stdout=subprocess.PIPE,
-+                             stderr=subprocess.STDOUT)
-+        output, _ = p.communicate()
-+        if p.wait():
-+            print(f'Error in NSS policy for {policy}')
-+            print(f'NSS policy for {policy}:', file=sys.stderr)
-+            with open(policy_path) as policy_file:
-+                shutil.copyfileobj(policy_file, sys.stderr)
-+                sys.stderr.write('\n')
-+            print('nss-policy-check error:', file=sys.stderr)
-+            print(output.decode(), file=sys.stderr)
-+            sys.exit(1)
--- 
-1.8.3.1
-

crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch

@@ -1,24 +0,0 @@
-From 79b03b7a6ea10c8ed2a4a35d5daa8842922641f4 Mon Sep 17 00:00:00 2001
-From: yixiangzhike <yixiangzhike007@163.com>
-Date: Fri, 7 Jan 2022 15:12:26 +0800
-Subject: [PATCH] tests outputs NEXT-nss: output sigalgs (nss >=3.59)
-
----
- tests/outputs/NEXT-nss.txt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/outputs/NEXT-nss.txt b/tests/outputs/NEXT-nss.txt
-index 1c2e182..846beb2 100644
---- a/tests/outputs/NEXT-nss.txt
-+++ b/tests/outputs/NEXT-nss.txt
-@@ -1,6 +1,6 @@
- library=
- name=Policy
- NSS=flags=policyOnly,moduleDB
--config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
-+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
- 
- 
--- 
-1.8.3.1
-

crypto-policies.spec

@@ -1,6 +1,5 @@
-%global git_date 20200619
+%global git_date 20180925
-%global git_commit 781bbd45b7286408502ec47b5acc8ae85c604a68
+%global git_commit_hash 71ca85f
-%global git_commit_hash 781bbd4
 
 Name:           crypto-policies
 Version:        %{git_date}
@@ -12,12 +11,7 @@ URL:            https://gitlab.com/redhat-crypto/fedora-crypto-policies
 
 # This is a tarball of the git repository without the .git/
 # directory.
-Source0:        https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
+Source0:        crypto-policies-git%{git_commit_hash}.tar.gz
-
-Patch0:         backport-rewrite-test-nss-pl-in-python.patch
-Patch1:         backport-policygenerators-nss-output-sigalgs-nss-3-59.patch
-Patch2:         crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch
-Patch3:         backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch
 
 BuildArch: noarch
 BuildRequires: asciidoc
@@ -30,7 +24,7 @@ BuildRequires: perl-interpreter
 BuildRequires: perl-generators
 BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
 BuildRequires: perl(File::Which)
-BuildRequires: python3-devel
+BuildRequires: python3
 
 # used by update-crypto-policies
 Requires: coreutils
@@ -49,26 +43,9 @@ SSL/TLS libraries. The policy set by the tool will be the default policy
 used by these back-ends unless the application user configures them otherwise.
 https://fedoraproject.org/wiki/Changes/CryptoPolicy
 
-%package scripts
-Summary: Tool to switch between crypto policies
-Requires: %{name} = %{version}-%{release}
-Recommends: grubby
-
-# fips-mode-setup merged into the scripts subpackage
-Obsoletes: fips-mode-setup < 20200702-1.c40cede
-Provides: fips-mode-setup = %{version}-%{release}
-
-%description scripts
-This package provides a tool update-crypto-policies, which applies
-the policies provided by the crypto-policies package. These can be
-either the pre-built policies from the base package or custom policies
-defined in simple policy definition files.
-
-The package also provides a tool fips-mode-setup, which can be used
-to enable or disable the system FIPS mode.
 
 %prep
-%autosetup -p1 -n fedora-%{name}-%{git_commit_hash}-%{git_commit}
+%setup -q -n %{name}
 
 %build
 make %{?_smp_mflags}
@@ -76,39 +53,25 @@ make %{?_smp_mflags}
 %install
 mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
-mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
-mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8
-mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
 mkdir -p -m 755 %{buildroot}%{_bindir}
 
-make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir}/man8 %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
 
-# Create back-end configs for mounting with read-only /etc/
-for d in LEGACY DEFAULT FUTURE FIPS ; do
-    for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
-        ln -s $(basename $f) $(dirname $f)/$(basename $f .txt).config
-    done
-done
-
-%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
-
 %check
 make check %{?_smp_mflags}
 
 %post
-%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
+%{_bindir}/update-crypto-policies --no-check >/dev/null
 
 
 %files
 
 %dir %{_sysconfdir}/crypto-policies/
 %dir %{_sysconfdir}/crypto-policies/back-ends/
-%dir %{_sysconfdir}/crypto-policies/state/
 %dir %{_sysconfdir}/crypto-policies/local.d/
-%dir %{_sysconfdir}/crypto-policies/policies/
-%dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/
 
 %config(noreplace) %{_sysconfdir}/crypto-policies/config
@@ -126,8 +89,11 @@ make check %{?_smp_mflags}
 %ghost %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 
 %{_bindir}/update-crypto-policies
-%{_mandir}/man7/crypto-policies.7*
+%{_bindir}/fips-mode-setup
-%{_mandir}/man8/update-crypto-policies.8*
+%{_bindir}/fips-finish-install
+%{_mandir}/man8/update-crypto-policies.8.gz
+%{_mandir}/man8/fips-mode-setup.8.gz
+%{_mandir}/man8/fips-finish-install.8.gz
 %{_datarootdir}/crypto-policies/LEGACY/*
 %{_datarootdir}/crypto-policies/DEFAULT/*
 %{_datarootdir}/crypto-policies/NEXT/*
@@ -136,31 +102,11 @@ make check %{?_smp_mflags}
 %{_datarootdir}/crypto-policies/EMPTY/*
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
-%{_datarootdir}/crypto-policies/policies
-%{_datarootdir}/crypto-policies/python
-
-%files scripts
-%{_bindir}/fips-mode-setup
-%{_bindir}/fips-finish-install
-%{_mandir}/man8/fips-mode-setup.8*
-%{_mandir}/man8/fips-finish-install.8*
 
 %{!?_licensedir:%global license %%doc}
 %license COPYING.LESSER
 
 %changelog
-* Thu Oct 20 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-3.git781bbd4
-- backport upstream patch to add more notes for crypto-policies exceptions
-
-* Fri Jan 7 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-2.git781bbd4
-- add new algorithms in nss's config file to support nss >= 3.59 (ECDSA RSA-PSS RSA-PKCS)
-
-* Tue Aug 11 2020 yang_zhuang_zhuang <yangzhuangzhuang1@huawei.com> - 20200619-1.git781bbd4
-- downgrade version to 20200619
-
-* Sat Aug 1 2020 yang_zhuang_zhuang <yangzhuangzhuang1@huawei.com> - 20200702-1.gitc40cede
-- update version to 20200702
-
 * Sun Mar 15 2020 openEuler Buildteam <buildteam@openeuler.org> - 20180925-3.git71ca85f
 - fix make check failed
 

crypto-policies.yaml

@@ -1,4 +0,0 @@
-version_control: git
-src_repo: https://gitlab.com/redhat-crypto/fedora-crypto-policies.git
-tag_prefix: "^f"
-seperator: