|
|
|
@ -1,5 +1,5 @@
|
|
|
|
|
%global git_date 20240304
|
|
|
|
|
%global git_commit b1c706d663ae796caab6d1144668ba63ea84a28a
|
|
|
|
|
%global git_date 20240815
|
|
|
|
|
%global git_commit e217f0304ed0e94e24a18200fadcc814caa246bd
|
|
|
|
|
%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
|
|
|
|
|
|
|
|
|
|
%global _python_bytecompile_extra 0
|
|
|
|
@ -14,9 +14,6 @@ URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
|
|
|
|
|
# For RHEL-9 we use the upstream branch rhel9.
|
|
|
|
|
Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
|
|
|
|
|
|
|
|
|
|
%if 0%{?rhel} >= 10
|
|
|
|
|
ExclusiveArch: %{java_arches} noarch
|
|
|
|
|
%endif
|
|
|
|
|
BuildArch: noarch
|
|
|
|
|
BuildRequires: asciidoc
|
|
|
|
|
BuildRequires: libxslt
|
|
|
|
@ -65,16 +62,6 @@ sed -i \
|
|
|
|
|
"s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
|
|
|
|
|
python/policygenerators/openssh.py
|
|
|
|
|
grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
|
|
|
|
|
%if 0%{?rhel} == 11
|
|
|
|
|
# currently ELN NSS doesn't carry the TLS-REQUIRE-EMS patch
|
|
|
|
|
sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
|
|
|
|
|
python/policygenerators/nss.py tests/nss.py
|
|
|
|
|
sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
|
|
|
|
|
# currently ELN/RHEL gnutls do not carry the tls-session-hash patch
|
|
|
|
|
sed -i "s/'GNUTLS_NO_TLS_SESSION_HASH', '0'/'GNUTLS_NO_TLS_SESSION_HASH', '1'/" \
|
|
|
|
|
python/policygenerators/gnutls.py
|
|
|
|
|
sed -i "/^tls-session-hash =/d" tests/outputs/*FIPS*.txt
|
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
%make_build
|
|
|
|
|
|
|
|
|
@ -189,6 +176,8 @@ end
|
|
|
|
|
%{_datarootdir}/crypto-policies/reload-cmds.sh
|
|
|
|
|
%{_datarootdir}/crypto-policies/policies
|
|
|
|
|
|
|
|
|
|
%{_libexecdir}/fips-setup-helper
|
|
|
|
|
|
|
|
|
|
%license COPYING.LESSER
|
|
|
|
|
|
|
|
|
|
%files scripts
|
|
|
|
@ -202,6 +191,20 @@ end
|
|
|
|
|
%{_mandir}/man8/fips-finish-install.8*
|
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
|
|
* Thu Aug 15 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240815-1.gite217f03
|
|
|
|
|
- java: start controlling / disable DTLSv1.0
|
|
|
|
|
- java: disable anon ciphersuites, tying them to NULL
|
|
|
|
|
- java: respect more key size restrictions
|
|
|
|
|
- java: specify jdk.tls.namedGroups system property
|
|
|
|
|
- java: make hash, mac and sign more orthogonal
|
|
|
|
|
- fips-mode-setup: add another scary "unsupported"
|
|
|
|
|
- fips-mode-setup: flashy ticking warning upon use
|
|
|
|
|
- java: use and include jdk.disabled.namedCurves
|
|
|
|
|
- ec_min_size: introduce and use in java, default to 256
|
|
|
|
|
- java: stop specifying jdk.tls.namedGroups in javasystem
|
|
|
|
|
- fips-setup-helper: add a libexec helper for anaconda
|
|
|
|
|
- fips-mode-setup: force --no-bootcfg when UKI is detected
|
|
|
|
|
|
|
|
|
|
* Mon Mar 04 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240304-1.gitb1c706d
|
|
|
|
|
- packaging: remove perl build-dependency, it's not needed anymore
|
|
|
|
|
- packaging: use newly introduced SKIP_LINTING=1
|
|
|
|
|
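Review bot: The new `%changelog` entry for 20240815 lists only upstream changes and does not record two packaging changes made in this file: `%prep` no longer applies the `%if 0%{?rhel} == 11` workaround that set `NSS_NO_TLS_REQUIRE_EMS` and `GNUTLS_NO_TLS_SESSION_HASH` to '1' (hunk `@ -65,16 +62,6 @`), and the `ExclusiveArch: %{java_arches} noarch` block is gone (hunk `@ -14,9 +14,6 @`). With the workaround removed, the generated FIPS policies presumably keep `TLS-REQUIRE-EMS` and `tls-session-hash` on every build target, so the NSS and GnuTLS builds there need to understand those settings. The visible hunks show no version bound enforcing that, though one may exist in parts of the spec outside them. I would add a line such as `- packaging: drop ELN-only NSS/GnuTLS EMS workarounds` and, if not already present, `Conflicts: nss < <first NSS build with TLS-REQUIRE-EMS support>` plus the gnutls equivalent, with the real versions supplied by the maintainer.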