import crypto-policies-20230731-1.git94f0e2c.el9

i9c-beta changed/i9c-beta/crypto-policies-20230731-1.git94f0e2c.el9
MSVSphere Packaging Team 1 year ago
parent d3030e602b
commit aada5a9541

@ -1 +1 @@
fbe5c6bd87287dd2059da06f83ce4363ed898773 SOURCES/crypto-policies-git9a18988.tar.gz
ebca51d3017ee207680f9ae109e49ed78e8f479b SOURCES/crypto-policies-git94f0e2c.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/crypto-policies-git9a18988.tar.gz
SOURCES/crypto-policies-git94f0e2c.tar.gz

@ -1,5 +1,5 @@
%global git_date 20221215
%global git_commit 9a189880a1cda3c0bbedab06d405c0a724c0a2f7
%global git_date 20230731
%global git_commit 94f0e2c4f7ebf2b1513b405d11227bae79ffe070
%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
%global _python_bytecompile_extra 0
@ -40,6 +40,7 @@ BuildArch: noarch
BuildRequires: asciidoc
BuildRequires: libxslt
BuildRequires: openssl
BuildRequires: nss-tools
BuildRequires: gnutls-utils >= 3.6.0
BuildRequires: java-1.8.0-openjdk-devel
BuildRequires: bind
@ -52,10 +53,14 @@ BuildRequires: python3-pytest
BuildRequires: make
Conflicts: openssl < 1:3.0.1-10
Conflicts: nss < 3.44.0
Conflicts: nss < 3.90.0
Conflicts: libreswan < 3.28
Conflicts: openssh < 8.7p1-24
%if 0%{?rhel} == 10
Conflicts: gnutls < 3.7.2-3
%else
Conflicts: gnutls < 3.7.6-22
%endif
%description
This package provides pre-built configuration files with
@ -86,6 +91,18 @@ sed -i \
"s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \
python/policygenerators/openssh.py
grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py
%if 0%{?rhel} == 10
# currently ELN 3.90-1 doesn't carry the TLS-REQUIRE-EMS patch
sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
python/policygenerators/nss.py tests/nss.py
sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
# currently ELN/RHEL gnutls do not carry the tls-session-hash patch
sed -i "s/'GNUTLS_NO_TLS_SESSION_HASH', '0'/'GNUTLS_NO_TLS_SESSION_HASH', '1'/" \
python/policygenerators/gnutls.py
sed -i "/^tls-session-hash =/d" tests/outputs/*FIPS*.txt
%endif
%make_build
%install
@ -129,6 +146,7 @@ done
%else
[ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7
%endif
make ON_RHEL9=1 test
%post -p <lua>
@ -190,6 +208,7 @@ end
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
# %verify(not mode) comes from the fact
# these turn into symlinks and back to regular files at will, see bz1898986
@ -219,6 +238,22 @@ end
%{_mandir}/man8/fips-finish-install.8*
%changelog
* Mon Jul 31 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230731-1.git94f0e2c
- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
- FIPS: enforce EMS in FIPS mode
- NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode
- nss: implement EMS enforcement in FIPS mode (disabled in ELN)
- openssl: implement EMS enforcement in FIPS mode
- gnutls: implement EMS enforcement in FIPS mode (disabled in ELN)
- docs: replace `FIPS 140-2` with just `FIPS 140`
* Wed Jun 14 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230614-1.git027799d
- policies: restore group order to old OpenSSL default order
* Fri May 05 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230505-1.gitf69bbc2
- openssl: set Groups explicitly
- openssl: add support for Brainpool curves
* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 20221215-1.git9a18988
- Rebuilt for MSVSphere 9.2 beta

Loading…
Cancel
Save