.crypto-policies.metadata

@@ -1 +1 @@
-7b2c7705996b7c988b1fa4852da8e14656326979 SOURCES/crypto-policies-gitb972148.tar.gz
+61d1e62750bb43415038892681dd29637832ee4d SOURCES/crypto-policies-git283706d.tar.gz

.gitignore

@@ -1 +1 @@
-SOURCES/crypto-policies-gitb972148.tar.gz
+SOURCES/crypto-policies-git283706d.tar.gz

SOURCES/0001-Added-tests-fix-for-9.4-version.patch

@@ -0,0 +1,59 @@
+From e9833880700ad839bb8061c4fa6682229ae29bca Mon Sep 17 00:00:00 2001
+From: Alexey Berezhok <aberezhok@msvsphere-os.ru>
+Date: Mon, 13 May 2024 18:55:28 +0300
+Subject: [PATCH] Added tests fix for 9.4 version
+
+---
+ tests/outputs/GOST-ONLY-PAM-bind.txt | 2 --
+ tests/outputs/GOST-ONLY-PAM-java.txt | 2 +-
+ tests/outputs/GOST-ONLY-bind.txt     | 2 --
+ tests/outputs/GOST-ONLY-java.txt     | 2 +-
+ 4 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt
+index 3976d4a..e701c5c 100644
+--- a/tests/outputs/GOST-ONLY-PAM-bind.txt
++++ b/tests/outputs/GOST-ONLY-PAM-bind.txt
+@@ -10,8 +10,6 @@ ECDSAP384SHA384;
+ RSASHA512;
+ ED25519;
+ ED448;
+-ECDSAP256SHA256;
+-ECDSAP384SHA384;
+ };
+ disable-ds-digests "." {
+ SHA-256;
+diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt
+index b6d04cf..088a698 100644
+--- a/tests/outputs/GOST-ONLY-PAM-java.txt
++++ b/tests/outputs/GOST-ONLY-PAM-java.txt
+@@ -1,3 +1,3 @@
+ jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
++jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+ jdk.tls.legacyAlgorithms=
+diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt
+index 3976d4a..e701c5c 100644
+--- a/tests/outputs/GOST-ONLY-bind.txt
++++ b/tests/outputs/GOST-ONLY-bind.txt
+@@ -10,8 +10,6 @@ ECDSAP384SHA384;
+ RSASHA512;
+ ED25519;
+ ED448;
+-ECDSAP256SHA256;
+-ECDSAP384SHA384;
+ };
+ disable-ds-digests "." {
+ SHA-256;
+diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt
+index b6d04cf..088a698 100644
+--- a/tests/outputs/GOST-ONLY-java.txt
++++ b/tests/outputs/GOST-ONLY-java.txt
+@@ -1,3 +1,3 @@
+ jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
++jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+ jdk.tls.legacyAlgorithms=
+-- 
+2.43.0
+

SPECS/crypto-policies.spec

@@ -1,65 +1,43 @@
-%global git_commit b972148fd57556f86921a85c960b8808a8a09291
+%global git_date 20240822
+%global git_commit baf3e063c68f6c69eec1bf79c1b3e9a745640183
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 
 %global _python_bytecompile_extra 0
 
-# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
-%if 0%{?rhel} == 9
-  # RHEL-9: must be RequiredRSASize in RHEL >= 9.2, Conflicts-enforced,
-  %global MIN_RSA_NAME RequiredRSASize
-%elif 0%{?rhel} == 10
-  # ELN: RequiredRSASize for openssh >= 9.0p1-5, RSAMinSize for >= 9.0p1-2
-  %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-5"
-    %global MIN_RSA_NAME RequiredRSASize
-  %elif v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-2"
-    %global MIN_RSA_NAME RSAMinSize
-  %else
-    %global MIN_RSA_NAME none
-  %endif
-%else
-  # some other distro, follow autodetection which checks for openssh >= 9.1
-  %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.1"
-    %global MIN_RSA_NAME RequiredRSASize
-  %else
-    %global MIN_RSA_NAME none
-  %endif
-%endif
-
 Name:           crypto-policies
-Version:        20230731
-Release:        1.git94f0e2c%{?dist}.1
+Version:        %{git_date}
+Release:        1.git%{git_commit_hash}%{?dist}.inferit
 Summary:        System-wide crypto policies
 
-License:        LGPLv2+
+License:        LGPL-2.1-or-later
 URL:            https://gitlab.com/redhat-crypto/fedora-crypto-policies
-# For RHEL-9.3 we use the upstream branch rhel9.3 and are freezing version at 20230731-1.git94f0e2c.
+# For RHEL-9 we use the upstream branch rhel9.
 Source0:        https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
+Patch1:         0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch
 
 BuildArch: noarch
 BuildRequires: asciidoc
 BuildRequires: libxslt
 BuildRequires: openssl
 BuildRequires: nss-tools
-BuildRequires: gnutls-utils >= 3.6.0
+BuildRequires: gnutls-utils
+BuildRequires: openssh-clients
 BuildRequires: java-devel
 BuildRequires: bind
-BuildRequires: perl-interpreter
-BuildRequires: perl-generators
-BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
-BuildRequires: perl(File::Which)
-BuildRequires: python3-devel >= 3.6
+BuildRequires: python3-devel >= 3.9
 BuildRequires: python3-pytest
 BuildRequires: make
 
-Conflicts: openssl < 1:3.0.1-10
+Conflicts: openssl-libs < 1:3.0.1-10
 Conflicts: nss < 3.90.0
 Conflicts: libreswan < 3.28
 Conflicts: openssh < 8.7p1-24
-%if 0%{?rhel} == 10
-Conflicts: gnutls < 3.7.2-3
-%else
 Conflicts: gnutls < 3.7.6-22
-%endif
+Recommends: openssl-gost-engine
+Requires: authselect
+Requires: findutils
+
+
 
 %description
 This package provides pre-built configuration files with
@@ -87,20 +65,9 @@ to enable or disable the system FIPS mode.
 
 %build
 sed -i \
-  "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \
+  "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
   python/policygenerators/openssh.py
-grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py
-
-%if 0%{?rhel} == 10
-# currently ELN 3.90-1 doesn't carry the TLS-REQUIRE-EMS patch
-sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
-  python/policygenerators/nss.py tests/nss.py
-sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
-# currently ELN/RHEL gnutls do not carry the tls-session-hash patch
-sed -i "s/'GNUTLS_NO_TLS_SESSION_HASH', '0'/'GNUTLS_NO_TLS_SESSION_HASH', '1'/" \
-  python/policygenerators/gnutls.py
-sed -i "/^tls-session-hash =/d" tests/outputs/*FIPS*.txt
-%endif
+grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
 
 %make_build
 
@@ -113,6 +80,7 @@ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
 mkdir -p -m 755 %{buildroot}%{_bindir}
+mkdir -p -m 755 %{buildroot}/var/log/crypto-cmc/
 
 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
@@ -137,16 +105,7 @@ done
 %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
 
 %check
-# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
-%if "%{MIN_RSA_NAME}" == "none"
-  sed -i '/RequiredRSASize .*/d' tests/outputs/*.txt
-%elif "%{MIN_RSA_NAME}" == "RSAMinSize"
-  sed -i 's/RequiredRSASize/RSAMinSize/' tests/outputs/*.txt
-%else
-  [ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7
-%endif
-
-make ON_RHEL9=1 test
+make test SKIP_LINTING=1
 
 %post -p <lua>
 if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@@ -192,6 +151,11 @@ end
 %dir %{_sysconfdir}/crypto-policies/policies/
 %dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/
+%dir %{_sysconfdir}/authselect/custom/sssd_gost/
+%dir %{_sysconfdir}/authselect/custom/minimal_gost/
+%dir /var/log/crypto-cmc
+%{_sysconfdir}/authselect/custom/sssd_gost/*
+%{_sysconfdir}/authselect/custom/minimal_gost/*
 
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
 
@@ -208,6 +172,7 @@ end
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/auth.config
 # %verify(not mode) comes from the fact
 # these turn into symlinks and back to regular files at will, see bz1898986
 
@@ -219,17 +184,22 @@ end
 %{_datarootdir}/crypto-policies/DEFAULT
 %{_datarootdir}/crypto-policies/FUTURE
 %{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/GOST-ONLY
+%{_datarootdir}/crypto-policies/GOST-ONLY-PAM
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
 %{_datarootdir}/crypto-policies/policies
 
+%{_libexecdir}/fips-setup-helper
+
 %license COPYING.LESSER
 
 %files scripts
 %{_bindir}/update-crypto-policies
 %{_mandir}/man8/update-crypto-policies.8*
 %{_datarootdir}/crypto-policies/python
+%{_datarootdir}/crypto-policies-scripts/auth_apply.sh
 
 %{_bindir}/fips-mode-setup
 %{_bindir}/fips-finish-install
@@ -237,8 +207,57 @@ end
 %{_mandir}/man8/fips-finish-install.8*
 
 %changelog
-* Wed Sep 20 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230731-1.git94f0e2c.1
+* Thu Oct 10 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 20240822-1.gitbaf3e06.inferit
+- Added GOST
+
+* Thu Aug 22 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240822-1.gitbaf3e06
+- fips-mode-setup: block if LUKS devices using Argon2 are detected
+
+* Thu Aug 15 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240815-1.gite217f03
+- java: start controlling / disable DTLSv1.0
+- java: disable anon ciphersuites, tying them to NULL
+- java: respect more key size restrictions
+- java: specify jdk.tls.namedGroups system property
+- java: make hash, mac and sign more orthogonal
+- fips-mode-setup: add another scary "unsupported"
+- fips-mode-setup: flashy ticking warning upon use
+- java: use and include jdk.disabled.namedCurves
+- ec_min_size: introduce and use in java, default to 256
+- java: stop specifying jdk.tls.namedGroups in javasystem
+- fips-setup-helper: add a libexec helper for anaconda
+- fips-mode-setup: force --no-bootcfg when UKI is detected
+
+* Mon Mar 04 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240304-1.gitb1c706d
+- packaging: remove perl build-dependency, it's not needed anymore
+- packaging: use newly introduced SKIP_LINTING=1
+- packaging: drop stale workarounds
+
+* Fri Feb 02 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240202-1.git283706d
+- fips-finish-install: make sure ostree is detected in chroot
+- fips-mode-setup: make sure ostree is detected in chroot
+- fips-finish-install: Create/remove /etc/system-fips on ostree systems
+- java: disable ChaCha20-Poly1305 where applicable
+
+* Mon Nov 13 2023 Clemens Lang <cllang@redhat.com> - 20231113-1.gite9247c2
+- fips-mode-setup: Fix test for empty /boot (RHEL-11350)
+- fips-mode-setup: Avoid 'boot=UUID=' if /boot == / (RHEL-11350)
+
+* Thu Nov 09 2023 Clemens Lang <cllang@redhat.com> - 20231109-1.git0ceff7f
+- Restore support for scoped ssh_etm directives (RHEL-15925)
+- Print matches in syntax deprecation warnings (RHEL-15925)
+
+* Wed Nov 08 2023 Clemens Lang <cllang@redhat.com> - 20231108-1.git994ae09
+- turn ssh_etm into an etm@SSH tri-state (RHEL-15925)
+- fips-mode-setup: increase chroot-friendliness (RHEL-11350)
+- fips-mode-setup: Fix usage with --no-bootcfg (RHEL-11350)
+
+* Mon Oct 16 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20231016-1.git77ceb0b
+- openssl: fix SHA1 and NO-ENFORCE-EMS interaction
+- bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
+
+* Wed Sep 20 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230920-1.git8dcf74d
 - OSPP subpolicy: tighten beyond reason for OSPP 4.3
+- fips-mode-setup: more thorough --disable, still unsupported
 
 * Mon Jul 31 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230731-1.git94f0e2c
 - krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
@@ -256,6 +275,9 @@ end
 - openssl: set Groups explicitly
 - openssl: add support for Brainpool curves
 
+* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 20221215-1.git9a18988
+- Rebuilt for MSVSphere 9.2 beta
+
 * Thu Dec 15 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20221215-1.git9a18988
 - bind: expand the list of disableable algorithms