!12 【openEuler-22.03-LTS-Next】backport upstream patch to add more notes for crypto-policies exceptions

From: @yixiangzhike 
Reviewed-by: @zcfsite 
Signed-off-by: @zcfsite

backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch

@@ -0,0 +1,56 @@
+From c40cedee6e5225dc72e590f9ff0282d876a2e5d5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 2 Jul 2020 15:40:01 +0200
+Subject: [PATCH] Describe some of the quirks of the back-end config
+ generators.
+
+---
+ crypto-policies.7.txt | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/crypto-policies.7.txt b/crypto-policies.7.txt
+index 0971935..2b583b8 100644
+--- a/crypto-policies.7.txt
++++ b/crypto-policies.7.txt
+@@ -277,7 +277,7 @@ COMMANDS
+ NOTES
+ -----
+ 
+-*Exceptions:*
++*Exceptions*
+ 
+ * *Go-language* applications do not yet follow the system-wide policy.
+ * *GnuPG-2* application does not follow the system-wide policy.
+@@ -323,6 +323,29 @@ of individual applications:
+ * all *ECC* curves incompatible with *TLS 1.3*, including secp256k1
+ * *IKEv1*
+ 
++*Notable irregularities in the individual configuration generators*
++
++* *OpenSSL*: The minimum length of the keys and some other parameters
++are enforced by the @SECLEVEL value which does not provide a fine
++granularity. The list of *TLS* ciphers is not generated as an exact list
++but by subtracting from all the supported ciphers for the enabled key
++exchange methods. For that reason there is no way to disable a random cipher.
++In particular all *AES-128* ciphers are disabled if the *AES-128-GCM* is not
++present in the list; all *AES-256* ciphers are disabled if the *AES-256-GCM*
++is not present. The *CBC* ciphers are disabled if there isn't *HMAC-SHA1*
++in the hmac list and *AES-256-CBC* in the cipher list. To disable the *CCM*
++ciphers both *AES-128-CCM* and *AES-256-CCM* must not be present in the cipher
++list.
++
++* *GnuTLS*: The minimum length of the keys and some other parameters
++are enforced by min-verification-profile setting in the *GnuTLS* configuration
++file which does not provide fine granularity.
++
++* *OpenSSH*: *DH* group 1 is always disabled on server even if the policy
++allows 1024 bit *DH* groups in general. The OpenSSH configuration option
++HostKeyAlgorithms is set only for the *SSH* server as otherwise the
++handling of the existing known hosts entries would be broken on client.
++
+ HISTORY
+ -------
+ 
+-- 
+2.33.0
+

backport-policygenerators-nss-output-sigalgs-nss-3-59.patch

@@ -0,0 +1,192 @@
+From b21c8114995e07965c2ccde5f5767d0618d854bf Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 18 Jan 2021 17:58:45 +0100
+Subject: [PATCH] policygenerators/nss: output sigalgs (nss >=3.59)
+
+Actually, checking for 3.60 because Fedora has reverted the change.
+---
+ python/policygenerators/nss.py        | 36 ++++++++++++++++++++++++++++++++---
+ tests/nss.py                          | 15 +++++++++++++++
+ tests/outputs/DEFAULT-nss.txt         |  2 +-
+ tests/outputs/FIPS-nss.txt            |  2 +-
+ tests/outputs/FIPS:ECDHE-ONLY-nss.txt |  2 +-
+ tests/outputs/FIPS:OSPP-nss.txt       |  2 +-
+ tests/outputs/FUTURE-nss.txt          |  2 +-
+ tests/outputs/LEGACY-nss.txt          |  2 +-
+ 9 files changed, 55 insertions(+), 10 deletions(-)
+
+diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py
+index ee10025..00935a2 100644
+--- a/python/policygenerators/nss.py
++++ b/python/policygenerators/nss.py
+@@ -6,6 +6,8 @@
+ from subprocess import call, CalledProcessError
+ from tempfile import mkstemp
+ 
++import ctypes
++import ctypes.util
+ import os
+ 
+ from .configgenerator import ConfigGenerator
+@@ -86,6 +88,15 @@ class NSSGenerator(ConfigGenerator):
+ 		'DTLS1.2':'dtls1.2'
+ 	}
+ 
++	# Depends on a dict being ordered,
++	# impl. detail in CPython 3.6, guaranteed starting from Python 3.7.
++	sign_prefix_ordmap = {
++		'RSA-PSS-':'RSA-PSS',  # must come before RSA-
++		'RSA-':'RSA-PKCS',
++		'ECDSA-':'ECDSA',
++		'DSA-':'DSA',
++	}
++
+ 	@classmethod
+ 	def generate_config(cls, policy):
+ 		p = policy.props
+@@ -126,9 +137,14 @@ class NSSGenerator(ConfigGenerator):
+ 			except KeyError:
+ 				pass
+ 
+-		dsa = [i for i in p['sign'] if i.find('DSA-') == 0]
+-		if dsa:
+-			s = cls.append(s, 'DSA')
++		enabled_sigalgs = set()
++		for i in p['sign']:
++			for prefix, sigalg in cls.sign_prefix_ordmap.items():
++				if i.startswith(prefix):
++					if sigalg not in enabled_sigalgs:
++						enabled_sigalgs.add(sigalg)
++						s = cls.append(s, sigalg)
++					break  # limit to first match
+ 
+ 		try:
+ 			minver = cls.protocol_map[p['min_tls_version']]
+@@ -151,6 +167,20 @@ class NSSGenerator(ConfigGenerator):
+ 
+ 	@classmethod
+ 	def test_config(cls, config):
++		try:
++			nss_path = ctypes.util.find_library('nss3')
++			nss_lib = ctypes.CDLL(nss_path)
++			if not nss_lib.NSS_VersionCheck(b'3.60'):
++				# Cannot validate with pre-3.59 NSS
++				# that doesn't know ECDSA/RSA-PSS/RSA-PKCS
++				# identifiers yet.
++				# 3.60 because Fedora's 3.59 has that reverted
++				cls.eprint('Skipping nss-policy-check due to '
++				           'nss being older than 3.60')
++				return True
++		except AttributeError:
++			cls.eprint('Cannot determine nss version with ctypes')
++
+ 		if not os.access('/usr/bin/nss-policy-check', os.X_OK):
+ 			return True
+ 
+diff --git a/tests/nss.py b/tests/nss.py
+index 4d2cee1..a16d984 100755
+--- a/tests/nss.py
++++ b/tests/nss.py
+@@ -1,5 +1,7 @@
+ #!/usr/bin/python3
+ 
++import ctypes
++import ctypes.util
+ import glob
+ import os
+ import shutil
+@@ -12,6 +14,19 @@ if shutil.which('nss-policy-check') is None:
+     sys.exit(0)
+ 
+ 
++# Cannot validate with pre-3.59 NSS that doesn't know ECDSA/RSA-PSS/RSA-PKCS
++# identifiers yet. Checking for 3.60 because Fedora has reverted the change.
++try:
++    nss = ctypes.CDLL(ctypes.util.find_library('nss3'))
++    if not nss.NSS_VersionCheck(b'3.60'):
++        print('Skipping nss-policy-check verification '
++              'due to nss being older than 3.60', file=sys.stderr)
++        sys.exit(0)
++except AttributeError:
++    print('Cannot determine nss version with ctypes, hoping for >=3.59',
++          file=sys.stderr)
++
++
+ print('Checking the NSS configuration')
+ 
+ for policy_path in glob.glob('tests/outputs/*-nss.txt'):
+diff --git a/tests/outputs/DEFAULT-nss.txt b/tests/outputs/DEFAULT-nss.txt
+index 6a93308..500cd70 100644
+--- a/tests/outputs/DEFAULT-nss.txt
++++ b/tests/outputs/DEFAULT-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
+ 
+ 
+diff --git a/tests/outputs/FIPS-nss.txt b/tests/outputs/FIPS-nss.txt
+index c9809b9..4fdf6bc 100644
+--- a/tests/outputs/FIPS-nss.txt
++++ b/tests/outputs/FIPS-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+ 
+ 
+diff --git a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
+index 78f4844..399bc5c 100644
+--- a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
++++ b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+ 
+ 
+diff --git a/tests/outputs/FIPS:OSPP-nss.txt b/tests/outputs/FIPS:OSPP-nss.txt
+index 0ca1ab0..d172a83 100644
+--- a/tests/outputs/FIPS:OSPP-nss.txt
++++ b/tests/outputs/FIPS:OSPP-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+ 
+ 
+diff --git a/tests/outputs/FUTURE-nss.txt b/tests/outputs/FUTURE-nss.txt
+index 23d1ce8..9cea0a4 100644
+--- a/tests/outputs/FUTURE-nss.txt
++++ b/tests/outputs/FUTURE-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
+ 
+ 
+diff --git a/tests/outputs/LEGACY-nss.txt b/tests/outputs/LEGACY-nss.txt
+index e16b6ce..8bf8bd1 100644
+--- a/tests/outputs/LEGACY-nss.txt
++++ b/tests/outputs/LEGACY-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
+ 
+ 
+-- 
+1.8.3.1
+

backport-rewrite-test-nss-pl-in-python.patch

@@ -0,0 +1,115 @@
+From 4fb6cdf626ee35623400ca557198cecb4efd4e88 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 18 Jan 2021 17:43:53 +0100
+Subject: [PATCH] tests/nss.pl: rewrite in Python
+
+---
+ Makefile     |  2 +-
+ tests/nss.pl | 41 -----------------------------------------
+ tests/nss.py | 33 +++++++++++++++++++++++++++++++++
+ 3 files changed, 34 insertions(+), 42 deletions(-)
+ delete mode 100755 tests/nss.pl
+ create mode 100755 tests/nss.py
+
+diff --git a/Makefile b/Makefile
+index 2699ac6..a50408e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -43,7 +43,7 @@ check:
+ 	python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies tests/outputs
+ 	tests/openssl.pl
+ 	tests/gnutls.pl
+-	tests/nss.pl
++	tests/nss.py
+ 	tests/java.pl
+ 	tests/krb5.py
+ 	top_srcdir=. tests/update-crypto-policies.sh
+diff --git a/tests/nss.pl b/tests/nss.pl
+deleted file mode 100755
+index e021ffd..0000000
+--- a/tests/nss.pl
++++ /dev/null
+@@ -1,41 +0,0 @@
+-#!/usr/bin/perl
+-
+-my $RESULTFILE="result-nss.tmp";
+-
+-use File::Which qw(which);
+-
+-print "Checking the NSS configuration\n";
+-
+-my $dir = 'tests/outputs';
+-
+-opendir(DIR, $dir) or die $!;
+-
+-my @nsspolicies
+-    = grep {
+-        /-nss/             # has -nss in name
+-        && -f "$dir/$_"   # and is a file
+-    } readdir(DIR);
+-
+-foreach my $policyfile (@nsspolicies) {
+-	my $policy = $policyfile;
+-	$policy =~ s/-[^-]+$//;
+-
+-	print "Checking policy $policy\n";
+-	my $tool = which "nss-policy-check";
+-
+-	if ($policy ne 'EMPTY' and $tool ne undef) {
+-
+-		system("nss-policy-check $dir/$policyfile >$RESULTFILE 2>&1") ;
+-		if ($? != 0) {
+-			print "Error in NSS policy for $policy\n";
+-			print STDERR "NSS policy for $policy:\n";
+-			system("cat $dir/$policyfile 1>&2");
+-			print STDERR "\nnss-policy-check error:\n";
+-			system("cat $RESULTFILE 1>&2");
+-			exit 1;
+-		}
+-		unlink($RESULTFILE);
+-	}
+-}
+-
+-exit 0;
+diff --git a/tests/nss.py b/tests/nss.py
+new file mode 100755
+index 0000000..4d2cee1
+--- /dev/null
++++ b/tests/nss.py
+@@ -0,0 +1,33 @@
++#!/usr/bin/python3
++
++import glob
++import os
++import shutil
++import subprocess
++import sys
++
++
++if shutil.which('nss-policy-check') is None:
++    print('nss-policy-check not found, skipping check', file=sys.stderr)
++    sys.exit(0)
++
++
++print('Checking the NSS configuration')
++
++for policy_path in glob.glob('tests/outputs/*-nss.txt'):
++    policy = os.path.basename(policy_path)[:-len('-nss.txt')]
++    print(f'Checking policy {policy}')
++    if policy not in ('EMPTY', 'GOST-ONLY'):
++        p = subprocess.Popen(['nss-policy-check', policy_path],
++                             stdout=subprocess.PIPE,
++                             stderr=subprocess.STDOUT)
++        output, _ = p.communicate()
++        if p.wait():
++            print(f'Error in NSS policy for {policy}')
++            print(f'NSS policy for {policy}:', file=sys.stderr)
++            with open(policy_path) as policy_file:
++                shutil.copyfileobj(policy_file, sys.stderr)
++                sys.stderr.write('\n')
++            print('nss-policy-check error:', file=sys.stderr)
++            print(output.decode(), file=sys.stderr)
++            sys.exit(1)
+-- 
+1.8.3.1
+

crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch

@@ -0,0 +1,24 @@
+From 79b03b7a6ea10c8ed2a4a35d5daa8842922641f4 Mon Sep 17 00:00:00 2001
+From: yixiangzhike <yixiangzhike007@163.com>
+Date: Fri, 7 Jan 2022 15:12:26 +0800
+Subject: [PATCH] tests outputs NEXT-nss: output sigalgs (nss >=3.59)
+
+---
+ tests/outputs/NEXT-nss.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/outputs/NEXT-nss.txt b/tests/outputs/NEXT-nss.txt
+index 1c2e182..846beb2 100644
+--- a/tests/outputs/NEXT-nss.txt
++++ b/tests/outputs/NEXT-nss.txt
+@@ -1,6 +1,6 @@
+ library=
+ name=Policy
+ NSS=flags=policyOnly,moduleDB
+-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+ 
+ 
+-- 
+1.8.3.1
+

crypto-policies.spec

@@ -1,5 +1,6 @@
-%global git_date 20180925
-%global git_commit_hash 71ca85f
+%global git_date 20200619
+%global git_commit 781bbd45b7286408502ec47b5acc8ae85c604a68
+%global git_commit_hash 781bbd4
 
 Name:           crypto-policies
 Version:        %{git_date}
@@ -11,7 +12,12 @@ URL:            https://gitlab.com/redhat-crypto/fedora-crypto-policies
 
 # This is a tarball of the git repository without the .git/
 # directory.
-Source0:        crypto-policies-git%{git_commit_hash}.tar.gz
+Source0:        https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
+
+Patch0:         backport-rewrite-test-nss-pl-in-python.patch
+Patch1:         backport-policygenerators-nss-output-sigalgs-nss-3-59.patch
+Patch2:         crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch
+Patch3:         backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch
 
 BuildArch: noarch
 BuildRequires: asciidoc
@@ -24,7 +30,7 @@ BuildRequires: perl-interpreter
 BuildRequires: perl-generators
 BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
 BuildRequires: perl(File::Which)
-BuildRequires: python3
+BuildRequires: python3-devel
 
 # used by update-crypto-policies
 Requires: coreutils
@@ -43,9 +49,26 @@ SSL/TLS libraries. The policy set by the tool will be the default policy
 used by these back-ends unless the application user configures them otherwise.
 https://fedoraproject.org/wiki/Changes/CryptoPolicy
 
+%package scripts
+Summary: Tool to switch between crypto policies
+Requires: %{name} = %{version}-%{release}
+Recommends: grubby
+
+# fips-mode-setup merged into the scripts subpackage
+Obsoletes: fips-mode-setup < 20200702-1.c40cede
+Provides: fips-mode-setup = %{version}-%{release}
+
+%description scripts
+This package provides a tool update-crypto-policies, which applies
+the policies provided by the crypto-policies package. These can be
+either the pre-built policies from the base package or custom policies
+defined in simple policy definition files.
+
+The package also provides a tool fips-mode-setup, which can be used
+to enable or disable the system FIPS mode.
 
 %prep
-%setup -q -n %{name}
+%autosetup -p1 -n fedora-%{name}-%{git_commit_hash}-%{git_commit}
 
 %build
 make %{?_smp_mflags}
@@ -53,25 +76,39 @@ make %{?_smp_mflags}
 %install
 mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
-mkdir -p -m 755 %{buildroot}%{_mandir}/man8
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
 mkdir -p -m 755 %{buildroot}%{_bindir}
 
-make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir}/man8 %{?_smp_mflags} install
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
 
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS ; do
+    for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+        ln -s $(basename $f) $(dirname $f)/$(basename $f .txt).config
+    done
+done
+
+%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
+
 %check
 make check %{?_smp_mflags}
 
 %post
-%{_bindir}/update-crypto-policies --no-check >/dev/null
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
 
 
 %files
 
 %dir %{_sysconfdir}/crypto-policies/
 %dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
 %dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/
 
 %config(noreplace) %{_sysconfdir}/crypto-policies/config
@@ -89,11 +126,8 @@ make check %{?_smp_mflags}
 %ghost %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 
 %{_bindir}/update-crypto-policies
-%{_bindir}/fips-mode-setup
-%{_bindir}/fips-finish-install
-%{_mandir}/man8/update-crypto-policies.8.gz
-%{_mandir}/man8/fips-mode-setup.8.gz
-%{_mandir}/man8/fips-finish-install.8.gz
+%{_mandir}/man7/crypto-policies.7*
+%{_mandir}/man8/update-crypto-policies.8*
 %{_datarootdir}/crypto-policies/LEGACY/*
 %{_datarootdir}/crypto-policies/DEFAULT/*
 %{_datarootdir}/crypto-policies/NEXT/*
@@ -102,11 +136,31 @@ make check %{?_smp_mflags}
 %{_datarootdir}/crypto-policies/EMPTY/*
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+%{_datarootdir}/crypto-policies/python
+
+%files scripts
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
+%{_mandir}/man8/fips-mode-setup.8*
+%{_mandir}/man8/fips-finish-install.8*
 
 %{!?_licensedir:%global license %%doc}
 %license COPYING.LESSER
 
 %changelog
+* Thu Oct 20 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-3.git781bbd4
+- backport upstream patch to add more notes for crypto-policies exceptions
+
+* Fri Jan 7 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-2.git781bbd4
+- add new algorithms in nss's config file to support nss >= 3.59 (ECDSA RSA-PSS RSA-PKCS)
+
+* Tue Aug 11 2020 yang_zhuang_zhuang <yangzhuangzhuang1@huawei.com> - 20200619-1.git781bbd4
+- downgrade version to 20200619
+
+* Sat Aug 1 2020 yang_zhuang_zhuang <yangzhuangzhuang1@huawei.com> - 20200702-1.gitc40cede
+- update version to 20200702
+
 * Sun Mar 15 2020 openEuler Buildteam <buildteam@openeuler.org> - 20180925-3.git71ca85f
 - fix make check failed
 

crypto-policies.yaml

@@ -0,0 +1,4 @@
+version_control: git
+src_repo: https://gitlab.com/redhat-crypto/fedora-crypto-policies.git
+tag_prefix: "^f"
+seperator: