Bug 1641830 - additional files in /etc/crypto-policies/local.d do not get appended
Summary: additional files in /etc/crypto-policies/local.d do not get appended
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: crypto-policies
Version: 29
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Red Hat Crypto Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-22 22:26 UTC by Michael Riss
Modified: 2018-11-03 00:01 UTC (History)
4 users (show)

Fixed In Version: crypto-policies-20181026-1.gitd42aaa6.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-03 00:01:21 UTC


Attachments (Terms of Use)

Description Michael Riss 2018-10-22 22:26:12 UTC
Description of problem:

`update-crypto-policies --set <policy>` should create the files and symbolic links in /etc/crypto-policies/back-ends.
If there is a file of the form $app-XXX.config in /etc/crypto-policies/local.d
it's supposed to be appended to the policy file of $app.

Currently, this does not work, local custom files get ignored.


Version-Release number of selected component (if applicable):
crypto-policies-20180925-1.git71ca85f.fc29


How reproducible:

Steps to Reproduce:
1. place a custom file in /etc/crypto-policies/local.d, e.g. 
  /etc/crypto-policies/local.d/gnutls-test.config, fill it with some
  string, e.g. 
  "OPENCONNECT=NONE:+DHE-RSA:+AES-256-CBC:+SHA256:+VERS-TLS1.2:+SIGN-RSA-SHA256"
2. run `update-crypto-policies --set DEFAULT`
3. /etc/crypto-policies/back-ends/gnutls.config should now contain the content
  of /usr/share/crypto-policies/DEFAULT/gnutls.txt and appended 
  "OPENCONNECT=NONE:+DHE-RSA:+AES-256-CBC:+SHA256:+VERS-TLS1.2:+SIGN-RSA-SHA256"
  but it's just a link to /usr/share/crypto-policies/DEFAULT/gnutls.txt


Actual results:
The custom configuration files don't get included.


Expected results:
The custom configuration files should get included.


Additional info:
I believe the culprit is in /usr/bin/update-crypto-policies in line 90:
```
	if test -z $(ls "$local_dir/$basefile-*.config" 2>/dev/null);then
```
Here, the glob symbol * gets used within quotation marks and this does not expand. Therefore the local customization file isn't found and the code branch
for appending it does not get executed.
I think the quotation marks are intended to catch the case that someone uses 
custom configuration files with white spaces in the file name.
In this case I propose
```
	if test -z "$(ls $local_dir/$basefile-*.config 2>/dev/null)";then
```
This way `test -z` gets a quoted string that can contain white spaces and the
glob within also works. But please take a critical look at it yourself, I might
have misunderstood what was intended with the quotes.

Comment 1 Fedora Update System 2018-10-26 09:54:37 UTC
crypto-policies-20181026-1.gitd42aaa6.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-bd3e06a89a

Comment 2 Fedora Update System 2018-10-31 18:49:22 UTC
crypto-policies-20181026-1.gitd42aaa6.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bd3e06a89a

Comment 3 Fedora Update System 2018-11-03 00:01:21 UTC
crypto-policies-20181026-1.gitd42aaa6.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.