diff --git a/.crypto-policies.metadata b/.crypto-policies.metadata
index 4e1fdfa..d709cb9 100644
--- a/.crypto-policies.metadata
+++ b/.crypto-policies.metadata
@@ -1 +1 @@
-0f5b3ec83594d3256334f086b0e1c7755e770022 SOURCES/crypto-policies-gitb1c706d.tar.gz
+52780a410c8789cd85a89dbb3352e6faf0a1561e SOURCES/crypto-policies-gite217f03.tar.gz
diff --git a/.gitignore b/.gitignore
index 8e361e8..f94c048 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/crypto-policies-gitb1c706d.tar.gz
+SOURCES/crypto-policies-gite217f03.tar.gz
diff --git a/SPECS/crypto-policies.spec b/SPECS/crypto-policies.spec
index a2ed1f7..cdad9a9 100644
--- a/SPECS/crypto-policies.spec
+++ b/SPECS/crypto-policies.spec
@@ -1,5 +1,5 @@
-%global git_date 20240304
-%global git_commit b1c706d663ae796caab6d1144668ba63ea84a28a
+%global git_date 20240815
+%global git_commit e217f0304ed0e94e24a18200fadcc814caa246bd
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 %global _python_bytecompile_extra 0
@@ -14,9 +14,6 @@ URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
 # For RHEL-9 we use the upstream branch rhel9.
 Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
-%if 0%{?rhel} >= 10
-ExclusiveArch: %{java_arches} noarch
-%endif
 BuildArch: noarch
 BuildRequires: asciidoc
 BuildRequires: libxslt
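Review bot: The removal of the `%if 0%{?rhel} >= 10` / `ExclusiveArch: %{java_arches} noarch` block is a spec-level change that the new %changelog entry in the last hunk does not record; that entry lists only upstream commits, whereas the previous entry on this branch used `- packaging: ...` lines for exactly this kind of change. The same gap applies to the `%if 0%{?rhel} == 11` sed block dropped in the next hunk and to the `%{_libexecdir}/fips-setup-helper` entry added to %files further down. Lines such as `- packaging: drop RHEL >= 10 / ELN conditionals (ExclusiveArch, NSS/gnutls FIPS sed workarounds)` and `- packaging: ship fips-setup-helper in %{_libexecdir}` would keep the changelog usable for tracing these. Presumably the conditionals were dead on a branch that the context line `# For RHEL-9 we use the upstream branch rhel9.` says targets RHEL 9 only; if so, stating that is all the justification needed.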
@@ -65,16 +62,6 @@ sed -i \
 "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
 python/policygenerators/openssh.py
 grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
-%if 0%{?rhel} == 11
-# currently ELN NSS doesn't carry the TLS-REQUIRE-EMS patch
-sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
- python/policygenerators/nss.py tests/nss.py
-sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
-# currently ELN/RHEL gnutls do not carry the tls-session-hash patch
-sed -i "s/'GNUTLS_NO_TLS_SESSION_HASH', '0'/'GNUTLS_NO_TLS_SESSION_HASH', '1'/" \
- python/policygenerators/gnutls.py
-sed -i "/^tls-session-hash =/d" tests/outputs/*FIPS*.txt
-%endif
 %make_build
@@ -189,6 +176,8 @@ end
 %{_datarootdir}/crypto-policies/reload-cmds.sh
 %{_datarootdir}/crypto-policies/policies
+%{_libexecdir}/fips-setup-helper
+
 %license COPYING.LESSER
 %files scripts
@@ -202,6 +191,20 @@ end
 %{_mandir}/man8/fips-finish-install.8*
 %changelog
+* Thu Aug 15 2024 Alexander Sosedkin - 20240815-1.gite217f03 - java: start controlling / disable DTLSv1.0 - java: disable anon ciphersuites, tying them to NULL - java: respect more key size restrictions - java: specify jdk.tls.namedGroups system property - java: make hash, mac and sign more orthogonal - fips-mode-setup: add another scary "unsupported" - fips-mode-setup: flashy ticking warning upon use - java: use and include jdk.disabled.namedCurves - ec_min_size: introduce and use in java, default to 256 - java: stop specifying jdk.tls.namedGroups in javasystem - fips-setup-helper: add a libexec helper for anaconda - fips-mode-setup: force --no-bootcfg when UKI is detected
+
 * Mon Mar 04 2024 Alexander Sosedkin - 20240304-1.gitb1c706d
 - packaging: remove perl build-dependency, it's not needed anymore
 - packaging: use newly introduced SKIP_LINTING=1
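Review bot: Dropping the `%if 0%{?rhel} == 11` block also drops the only in-tree explanation of why ELN builds flipped `NSS_NO_TLS_REQUIRE_EMS` and `GNUTLS_NO_TLS_SESSION_HASH` to '1' and stripped the `:TLS-REQUIRE-EMS:` and `tls-session-hash =` lines from tests/outputs/*FIPS*.txt, and nothing in the diff says whether ELN NSS and gnutls now carry those patches. If this spec is still built anywhere with rhel == 11, the FIPS back-end outputs would now appear to emit directives those libraries may not honour, and the test expectations would diverge the same way; if the branch is RHEL 9 only, the block was dead and a short comment above `%make_build` such as `# RHEL-9-only branch: no ELN/RHEL-11 NSS/gnutls workarounds needed here` would record that. The enclosing section (presumably %build) starts and ends outside the hunk.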
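Review bot: `%{_libexecdir}/fips-setup-helper` is added to the main package's %files immediately before `%files scripts`, while the FIPS tooling it is named after appears to live in the scripts subpackage (the `%{_mandir}/man8/fips-finish-install.8*` context line in the following hunk sits under `%files scripts`). If the helper invokes fips-mode-setup — the name and the changelog line `fips-setup-helper: add a libexec helper for anaconda` suggest it, but its contents are not in this diff — it should either move under `%files scripts` or the main package needs the matching Requires, otherwise a base-package-only install ships a helper that cannot run. A one-line comment on the entry, e.g. `# anaconda entry point; depends on fips-mode-setup from -scripts`, would make the intended split explicit.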