diff --git a/.crypto-policies.metadata b/.crypto-policies.metadata index 3a32f71..ae21469 100644 --- a/.crypto-policies.metadata +++ b/.crypto-policies.metadata @@ -1 +1 @@ -8fe9be3f275cc392417de1c44d15fe4269b609c2 SOURCES/crypto-policies-git03b28b3.tar.gz +ebca51d3017ee207680f9ae109e49ed78e8f479b SOURCES/crypto-policies-git94f0e2c.tar.gz diff --git a/.gitignore b/.gitignore index 996dad3..e8cc4c7 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/crypto-policies-git03b28b3.tar.gz +SOURCES/crypto-policies-git94f0e2c.tar.gz diff --git a/SPECS/crypto-policies.spec b/SPECS/crypto-policies.spec index 59b1b0f..749375c 100644 --- a/SPECS/crypto-policies.spec +++ b/SPECS/crypto-policies.spec @@ -1,4 +1,5 @@ -%global git_commit 03b28b32c3dd992c251b9a05352f1234582c18e4 +%global git_date 20230731 +%global git_commit 94f0e2c4f7ebf2b1513b405d11227bae79ffe070 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})} %global _python_bytecompile_extra 0 @@ -26,13 +27,13 @@ %endif Name: crypto-policies -Version: 20221215 -Release: 1.git9a18988%{?dist}.1 +Version: %{git_date} +Release: 1.git%{git_commit_hash}%{?dist} Summary: System-wide crypto policies License: LGPLv2+ URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies -# For RHEL-9.2 we use the upstream branch rhel9.2 and are freezing version at 20221215-1.git9a18988. +# For RHEL-9 we use the upstream branch rhel9. Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz BuildArch: noarch @@ -55,7 +56,11 @@ Conflicts: openssl < 1:3.0.1-10 Conflicts: nss < 3.90.0 Conflicts: libreswan < 3.28 Conflicts: openssh < 8.7p1-24 -Conflicts: gnutls < 3.7.6-21.el9_2 +%if 0%{?rhel} == 10 +Conflicts: gnutls < 3.7.2-3 +%else +Conflicts: gnutls < 3.7.6-22 +%endif %description This package provides pre-built configuration files with @@ -86,6 +91,18 @@ sed -i \ "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \ python/policygenerators/openssh.py grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py + +%if 0%{?rhel} == 10 +# currently ELN 3.90-1 doesn't carry the TLS-REQUIRE-EMS patch +sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \ + python/policygenerators/nss.py tests/nss.py +sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt +# currently ELN/RHEL gnutls do not carry the tls-session-hash patch +sed -i "s/'GNUTLS_NO_TLS_SESSION_HASH', '0'/'GNUTLS_NO_TLS_SESSION_HASH', '1'/" \ + python/policygenerators/gnutls.py +sed -i "/^tls-session-hash =/d" tests/outputs/*FIPS*.txt +%endif + %make_build %install @@ -129,6 +146,7 @@ done %else [ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7 %endif + make ON_RHEL9=1 test %post -p @@ -220,15 +238,23 @@ end %{_mandir}/man8/fips-finish-install.8* %changelog -* Wed Aug 02 2023 Alexander Sosedkin - 20221215-1.git9a18988.1 +* Mon Jul 31 2023 Alexander Sosedkin - 20230731-1.git94f0e2c +- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones - FIPS: enforce EMS in FIPS mode - NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode -- nss: implement EMS enforcement in FIPS mode +- nss: implement EMS enforcement in FIPS mode (disabled in ELN) - openssl: implement EMS enforcement in FIPS mode -- gnutls: implement EMS enforcement in FIPS mode +- gnutls: implement EMS enforcement in FIPS mode (disabled in ELN) - docs: replace `FIPS 140-2` with just `FIPS 140` -* Wed Mar 15 2023 MSVSphere Packaging Team - 20220815-1.git0fbe86f +* Wed Jun 14 2023 Alexander Sosedkin - 20230614-1.git027799d +- policies: restore group order to old OpenSSL default order + +* Fri May 05 2023 Alexander Sosedkin - 20230505-1.gitf69bbc2 +- openssl: set Groups explicitly +- openssl: add support for Brainpool curves + +* Wed Mar 15 2023 MSVSphere Packaging Team - 20221215-1.git9a18988 - Rebuilt for MSVSphere 9.1. * Thu Dec 15 2022 Alexander Sosedkin - 20221215-1.git9a18988