import crypto-policies-20240828-2.git626aa59.el9_5

1 month ago · 0f8ca1d293
parent 3ed68fe0bd
commit 0f8ca1d293
6 changed files with 12 additions and 6566 deletions
--- a/.crypto-policies.metadata
+++ b/.crypto-policies.metadata
@ -1 +1 @@
-61d1e62750bb43415038892681dd29637832ee4d SOURCES/crypto-policies-git283706d.tar.gz
+d43a8ec9893ba0079437515360db8b2483bb0351 SOURCES/crypto-policies-git626aa59.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/crypto-policies-git283706d.tar.gz
+SOURCES/crypto-policies-git626aa59.tar.gz
--- a/SOURCES/0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch
+++ b/SOURCES/0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch
--- a/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch
+++ b/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch
--- a/SOURCES/0001-Added-tests-fix-for-9.4-version.patch
+++ b/SOURCES/0001-Added-tests-fix-for-9.4-version.patch
@ -1,59 +0,0 @@
-From e9833880700ad839bb8061c4fa6682229ae29bca Mon Sep 17 00:00:00 2001
-From: Alexey Berezhok <aberezhok@msvsphere-os.ru>
-Date: Mon, 13 May 2024 18:55:28 +0300
-Subject: [PATCH] Added tests fix for 9.4 version
-
---
- tests/outputs/GOST-ONLY-PAM-bind.txt | 2 --
- tests/outputs/GOST-ONLY-PAM-java.txt | 2 +-
- tests/outputs/GOST-ONLY-bind.txt     | 2 --
- tests/outputs/GOST-ONLY-java.txt     | 2 +-
- 4 files changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt
-index 3976d4a..e701c5c 100644
--- a/tests/outputs/GOST-ONLY-PAM-bind.txt
-+++ b/tests/outputs/GOST-ONLY-PAM-bind.txt
-@@ -10,8 +10,6 @@ ECDSAP384SHA384;
- RSASHA512;
- ED25519;
- ED448;
-ECDSAP256SHA256;
-ECDSAP384SHA384;
- };
- disable-ds-digests "." {
- SHA-256;
-diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt
-index b6d04cf..088a698 100644
--- a/tests/outputs/GOST-ONLY-PAM-java.txt
-+++ b/tests/outputs/GOST-ONLY-PAM-java.txt
-@@ -1,3 +1,3 @@
- jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
-+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
- jdk.tls.legacyAlgorithms=
-diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt
-index 3976d4a..e701c5c 100644
--- a/tests/outputs/GOST-ONLY-bind.txt
-+++ b/tests/outputs/GOST-ONLY-bind.txt
-@@ -10,8 +10,6 @@ ECDSAP384SHA384;
- RSASHA512;
- ED25519;
- ED448;
-ECDSAP256SHA256;
-ECDSAP384SHA384;
- };
- disable-ds-digests "." {
- SHA-256;
-diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt
-index b6d04cf..088a698 100644
--- a/tests/outputs/GOST-ONLY-java.txt
-+++ b/tests/outputs/GOST-ONLY-java.txt
-@@ -1,3 +1,3 @@
- jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
-+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
- jdk.tls.legacyAlgorithms=
-- 
-2.43.0
-
--- a/SPECS/crypto-policies.spec
+++ b/SPECS/crypto-policies.spec
@ -1,19 +1,18 @@
-%global git_date 20240822
-%global git_commit baf3e063c68f6c69eec1bf79c1b3e9a745640183
+%global git_date 20240828
+%global git_commit 626aa590f9c1ffe7ce108952e9449f22a642cca2
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}

 %global _python_bytecompile_extra 0

 Name:           crypto-policies
 Version:        %{git_date}
-Release:        1.git%{git_commit_hash}%{?dist}.inferit
+Release:        2.git%{git_commit_hash}%{?dist}
 Summary:        System-wide crypto policies

 License:        LGPL-2.1-or-later
 URL:            https://gitlab.com/redhat-crypto/fedora-crypto-policies
 # For RHEL-9 we use the upstream branch rhel9.
 Source0:        https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
-Patch1:         0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch

 BuildArch: noarch
 BuildRequires: asciidoc
@ -33,11 +32,6 @@ Conflicts: nss < 3.90.0
 Conflicts: libreswan < 3.28
 Conflicts: openssh < 8.7p1-24
 Conflicts: gnutls < 3.7.6-22
-Recommends: openssl-gost-engine
-Requires: authselect
-Requires: findutils
-
-

 %description
 This package provides pre-built configuration files with
@ -80,7 +74,6 @@ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
 mkdir -p -m 755 %{buildroot}%{_bindir}
-mkdir -p -m 755 %{buildroot}/var/log/crypto-cmc/

 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
@ -151,11 +144,6 @@ end
 %dir %{_sysconfdir}/crypto-policies/policies/
 %dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/
-%dir %{_sysconfdir}/authselect/custom/sssd_gost/
-%dir %{_sysconfdir}/authselect/custom/minimal_gost/
-%dir /var/log/crypto-cmc
-%{_sysconfdir}/authselect/custom/sssd_gost/*
-%{_sysconfdir}/authselect/custom/minimal_gost/*

 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config

@ -172,7 +160,6 @@ end
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
-%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/auth.config
 # %verify(not mode) comes from the fact
 # these turn into symlinks and back to regular files at will, see bz1898986

@ -184,8 +171,6 @@ end
 %{_datarootdir}/crypto-policies/DEFAULT
 %{_datarootdir}/crypto-policies/FUTURE
 %{_datarootdir}/crypto-policies/FIPS
-%{_datarootdir}/crypto-policies/GOST-ONLY
-%{_datarootdir}/crypto-policies/GOST-ONLY-PAM
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
@ -199,7 +184,6 @@ end
 %{_bindir}/update-crypto-policies
 %{_mandir}/man8/update-crypto-policies.8*
 %{_datarootdir}/crypto-policies/python
-%{_datarootdir}/crypto-policies-scripts/auth_apply.sh

 %{_bindir}/fips-mode-setup
 %{_bindir}/fips-finish-install
@ -207,8 +191,11 @@ end
 %{_mandir}/man8/fips-finish-install.8*

 %changelog
-* Thu Oct 10 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 20240822-1.gitbaf3e06.inferit
- Added GOST
+* Tue Sep 17 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240828-2.git626aa59
+- release bump
+
+* Wed Aug 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240828-1.git626aa59
+- fips-mode-setup: small Argon2 detection fix

 * Thu Aug 22 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240822-1.gitbaf3e06
 - fips-mode-setup: block if LUKS devices using Argon2 are detected
@ -275,8 +262,8 @@ end
 - openssl: set Groups explicitly
 - openssl: add support for Brainpool curves

-* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 20221215-1.git9a18988
- Rebuilt for MSVSphere 9.2 beta
+* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 20221215-1.git9a18988
+- Rebuilt for MSVSphere 9.1.

 * Thu Dec 15 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20221215-1.git9a18988
 - bind: expand the list of disableable algorithms