import crypto-policies-20190807-1.git9b1477b.el8

2019-11-05 16:29:12 -05:00 · 2019-11-05 16:29:12 -05:00 · 06e5f99c81
commit 06e5f99c81
parent f73a9c7c88
8 changed files with 34 additions and 1662 deletions
--- a/.crypto-policies.metadata
+++ b/.crypto-policies.metadata
@ -1 +1 @@
-fde6f5eef3fa66d2b12ad3291cfef680727fdc42 SOURCES/crypto-policies-git9a35207.tar.gz
+7800b6d56a63b575dfb7064bc33539af2c50d1cf SOURCES/crypto-policies-git9b1477b.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/crypto-policies-git9a35207.tar.gz
+SOURCES/crypto-policies-git9b1477b.tar.gz
--- a/SOURCES/crypto-policies-java-fix.patch
+++ b/SOURCES/crypto-policies-java-fix.patch
@ -1,71 +0,0 @@
 commit 2ff4c6d3791a0ad581181997ee5a04b83b7c7341
 Author: Tomas Mraz <tmraz@fedoraproject.org>
 Date:   Thu Jan 31 16:23:52 2019 +0100
    java: Allow incorrectly disabled RSA certificates in TLS
    The FUTURE and NEXT policies incorrectly disabled RSA certificates,
    allow them.
 diff --git a/back-ends/java.pl b/back-ends/java.pl
 index 0789251..325544a 100644
 --- a/back-ends/java.pl
 +++ b/back-ends/java.pl
@@ -72,7 +72,7 @@ my %key_exchange_not_map = (
 	'EXPORT' => 'RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT',
 	'DH'         => 'DH_RSA, DH_DSS',
 	'ANON'       => 'DH_anon, ECDH_anon',
 -	'RSA'        => 'RSA',
 +	'RSA'        => 'TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256',
 	'DHE-RSA'      => 'DHE_RSA',
 	'DHE-DSS'      => 'DHE_DSS',
 	'ECDHE'      => 'ECDHE',
 diff --git a/tests/outputs/EMPTY-java.txt b/tests/outputs/EMPTY-java.txt
 index 0011734..3cf0e2a 100644
 --- a/tests/outputs/EMPTY-java.txt
 +++ b/tests/outputs/EMPTY-java.txt
@@ -1,4 +1,4 @@
 jdk.tls.ephemeralDHKeySize=0
 jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA1, MD5, DSA, RSA keySize < 0
 -jdk.tls.disabledAlgorithms=DH keySize < 0, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, ECDHE, RSA, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
 +jdk.tls.disabledAlgorithms=DH keySize < 0, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
 jdk.tls.legacyAlgorithms=
 diff --git a/tests/outputs/FIPS-java.txt b/tests/outputs/FIPS-java.txt
 index 808778c..d9fe8aa 100644
 --- a/tests/outputs/FIPS-java.txt
 +++ b/tests/outputs/FIPS-java.txt
@@ -1,4 +1,4 @@
 jdk.tls.ephemeralDHKeySize=2048
 jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048
 -jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2, SSLv3, TLSv1, TLSv1.1, RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
 +jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2, SSLv3, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
 jdk.tls.legacyAlgorithms=
 diff --git a/tests/outputs/FUTURE-java.txt b/tests/outputs/FUTURE-java.txt
 index fd2db04..9d57348 100644
 --- a/tests/outputs/FUTURE-java.txt
 +++ b/tests/outputs/FUTURE-java.txt
@@ -1,4 +1,4 @@
 jdk.tls.ephemeralDHKeySize=3072
 jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 3072
 -jdk.tls.disabledAlgorithms=DH keySize < 3072, SSLv2, SSLv3, TLSv1, TLSv1.1, RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_128_GCM, AES_128_CCM, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5
 +jdk.tls.disabledAlgorithms=DH keySize < 3072, SSLv2, SSLv3, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_128_GCM, AES_128_CCM, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5
 jdk.tls.legacyAlgorithms=
 diff -up crypto-policies/tests/java.pl.java-fix crypto-policies/tests/java.pl
 --- crypto-policies/tests/java.pl.java-fix	2018-12-17 17:01:44.000000000 +0100
 +++ crypto-policies/tests/java.pl	2019-02-08 10:05:28.152358692 +0100
@@ -45,14 +45,7 @@ foreach my $policy (@profiles::common::p
 	}
 	my $lines=`cat $TMPFILE2|wc -l`;
 -	if ("$policy" eq "EMPTY") {
 -		if ($lines >= 2) { # we allow the SCSV
 -			print "Empty policy has ciphersuites!\n";
 -			print "Policy: $tmp\n";
 -			system("cat $TMPFILE2");
 -			exit 1;
 -		}
 -	} else {
 +	if ("$policy" ne "EMPTY") {
 		system("grep \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\" $TMPFILE2 >/dev/null 2>&1");
 		if ($? != 0) {
--- a/SOURCES/crypto-policies-libreswan-fix.patch
+++ b/SOURCES/crypto-policies-libreswan-fix.patch
@ -1,232 +0,0 @@
 diff -up crypto-policies/back-ends/libreswan.pl.libreswan-fix crypto-policies/back-ends/libreswan.pl
 --- crypto-policies/back-ends/libreswan.pl.libreswan-fix	2018-12-17 17:01:44.000000000 +0100
 +++ crypto-policies/back-ends/libreswan.pl	2019-02-18 10:34:57.525777928 +0100
@@ -26,7 +26,9 @@ sub append {
 my %group_map = (
 	'X448'    => '',
 -	'X25519'    => '', #dh31 - not in f28
 +	'X25519'    => '',
 +# Disabled for now as it cannot be prioritized over others
 +#	'X25519'    => 'dh31',
 	'SECP256R1' => 'dh19',
 	'SECP384R1' => 'dh20',
 	'SECP521R1' => 'dh21',
@@ -38,31 +40,42 @@ my %group_map = (
 	'FFDHE-8192' => 'dh18'
 );
 +my %cipher_map = (
 +	'AES-256-CBC'       => 'aes256',
 +	'AES-128-CBC'       => 'aes128',
 +	'AES-256-GCM'       => 'aes_gcm256',
 +	'AES-128-GCM'       => 'aes_gcm128',
 +	'CHACHA20-POLY1305' => 'chacha20_poly1305',
 +# Unused for IKEv2
 +#	'3DES-CBC'          => '3des',
 +);
 +
 my %cipher_prf_map = (
 -	'AES-256-CBC-HMAC-SHA2-512'       => 'aes256-sha2_512',
 -	'AES-256-CBC-HMAC-SHA2-256'       => 'aes256-sha2_256',
 -	'AES-128-CBC-HMAC-SHA2-256'       => 'aes128-sha2_256',
 -	'AES-256-CBC-HMAC-SHA1'       => 'aes256-sha1',
 -	'AES-128-CBC-HMAC-SHA1'       => 'aes128-sha1',
 -	'AES-256-GCM-HMAC-SHA2-512'       => 'aes_gcm256-sha2_512',
 -	'AES-256-GCM-HMAC-SHA2-256'       => 'aes_gcm256-sha2_256',
 -	'AES-128-GCM-HMAC-SHA2-512'       => 'aes_gcm128-sha2_512',
 -	'AES-128-GCM-HMAC-SHA2-256'       => 'aes_gcm128-sha2_256',
 -	'CHACHA20-POLY1305-HMAC-SHA2-512' => 'chacha20_poly1305-sha2_512',
 -	'CHACHA20-POLY1305-HMAC-SHA2-256' => 'chacha20_poly1305-sha2_256',
 -	'3DES-CBC-HMAC-SHA1'          => '3des-sha1',
 +	'AES-256-CBC-HMAC-SHA2-512'       => 'sha2_512',
 +	'AES-256-CBC-HMAC-SHA2-256'       => 'sha2_256',
 +	'AES-128-CBC-HMAC-SHA2-256'       => 'sha2_256',
 +# Not needed for IKEv2
 +#	'AES-256-CBC-HMAC-SHA1'           => 'sha1',
 +#	'AES-128-CBC-HMAC-SHA1'           => 'sha1',
 +	'AES-256-GCM-HMAC-SHA2-512'       => 'sha2_512',
 +	'AES-256-GCM-HMAC-SHA2-256'       => 'sha2_256',
 +	'AES-128-GCM-HMAC-SHA2-512'       => 'sha2_512',
 +	'AES-128-GCM-HMAC-SHA2-256'       => 'sha2_256',
 +	'CHACHA20-POLY1305-HMAC-SHA2-512' => 'sha2_512',
 +	'CHACHA20-POLY1305-HMAC-SHA2-256' => 'sha2_256',
 +#	'3DES-CBC-HMAC-SHA1'              => 'sha1',
 );
 my %cipher_mac_map = (
 -	'AES-256-CBC-HMAC-SHA2-512'       => 'aes256-sha2_512',
 -	'AES-256-CBC-HMAC-SHA2-256'       => 'aes256-sha2_256',
 -	'AES-128-CBC-HMAC-SHA2-256'       => 'aes128-sha2_256',
 -	'AES-256-CBC-HMAC-SHA1'       => 'aes256-sha1',
 -	'AES-128-CBC-HMAC-SHA1'       => 'aes128-sha1',
 -	'AES-256-GCM-AEAD'            => 'aes_gcm256',
 -	'AES-128-GCM-AEAD'            => 'aes_gcm128',
 -	'CHACHA20-POLY1305-AEAD'      => 'chacha20_poly1305',
 -	'3DES-CBC-HMAC-SHA1'          => '3des-sha1',
 +	'AES-256-CBC-HMAC-SHA2-512'       => 'sha2_512',
 +	'AES-256-CBC-HMAC-SHA2-256'       => 'sha2_256',
 +	'AES-128-CBC-HMAC-SHA2-256'       => 'sha2_256',
 +	'AES-256-CBC-HMAC-SHA1'       => 'sha1',
 +	'AES-128-CBC-HMAC-SHA1'       => 'sha1',
 +	'AES-256-GCM-AEAD'            => '',
 +	'AES-128-GCM-AEAD'            => '',
 +	'CHACHA20-POLY1305-AEAD'      => '',
 +#	'3DES-CBC-HMAC-SHA1'          => '3des-sha1',
 );
 my %protocol_map = (
@@ -147,35 +160,52 @@ sub generate_temp_policy() {
 	$tmp = '';
 	my $cipher;
 +	my $cm;
 	my $group;
 	my $mac;
 +	my $mm;
 	my $combo;
 	%mac_prio_map = %mac_ike_prio_map;
 	my @sorted_mac_list = sort compare @mac_list;
 -	foreach (@group_list) {
 -		$group = $group_map{$_};
 -		if (!defined($group) || $group eq '') {
 +
 +	foreach (@cipher_list) {
 +		$cipher = $_;
 +		$cm = $cipher_map{$cipher};
 +		if (!defined($cm)) {
 +#			print STDERR "libreswan: unknown cipher: $cipher\n";
 			next;
 		}
 +		$combo = $cm."-";
 +		foreach (@sorted_mac_list) {
 +			$mac = $_;
 -		foreach (@cipher_list) {
 -			$cipher = $_;
 -			foreach (@sorted_mac_list) {
 -				$mac = $_;
 -
 -				my $cm=$cipher."-".$mac;
 -				$combo = $cipher_prf_map{$cm};
 -
 -				if (!defined($combo)) {
 -#					print STDERR "libreswan: unknown combo: $cipher-$mac\n";
 -					next;
 -				}
 +			$mm = $cipher_prf_map{$cipher."-".$mac};
 -				append("${combo};${group}", \$tmp);
 +			if (!defined($mm)) {
 +#				print STDERR "libreswan: unknown combo: $cipher-$mac\n";
 +				next;
 			}
 +
 +			$combo = $combo.$mm."+";
 		}
 +
 +		my $lastc = substr($combo, -1);
 +		if ($lastc eq "-") {
 +			next;
 +		}
 +		# Replace the last + with -
 +		substr($combo, -1) = "-";
 +		foreach (@group_list) {
 +			$group = $group_map{$_};
 +			if (!defined($group) || $group eq '') {
 +				next;
 +			}
 +			$combo = $combo.$group."+";
 +		}
 +		substr($combo, -1) = '';
 +		append("${combo}", \$tmp);
 	}
 	if ($tmp ne '') {
@@ -189,20 +219,35 @@ sub generate_temp_policy() {
 	$tmp = '';
 	foreach (@cipher_list) {
 		$cipher = $_;
 +		$cm = $cipher_map{$cipher};
 +		if (!defined($cm)) {
 +#			print STDERR "libreswan: unknown cipher: $cipher\n";
 +			next;
 +		}
 +		$combo = $cm."-";
 		foreach (@sorted_mac_list) {
 			$mac = $_;
 -			my $cm=$cipher."-".$mac;
 -			$combo = $cipher_mac_map{$cm};
 +			$mm = $cipher_mac_map{$cipher."-".$mac};
 -			if (!defined($combo)) {
 +			if (!defined($mm)) {
 				next;
 			}
 -			if ($tmp !~ $combo) {
 -				append("${combo}", \$tmp);
 +			if ($mm eq '') {
 +				# Special handling for AEAD
 +				substr($combo, -1) = '+';
 +			} else {
 +				$combo = $combo.$mm."+";
 			}
 		}
 +
 +		my $lastc = substr($combo, -1);
 +		if ($lastc eq "-") {
 +			next;
 +		}
 +		substr($combo, -1) = '';
 +		append("${combo}", \$tmp);
 	}
 	if ($tmp ne '') {
 diff -up crypto-policies/tests/outputs/DEFAULT-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/DEFAULT-libreswan.txt
 --- crypto-policies/tests/outputs/DEFAULT-libreswan.txt.libreswan-fix	2018-12-17 17:01:44.000000000 +0100
 +++ crypto-policies/tests/outputs/DEFAULT-libreswan.txt	2019-02-18 10:34:57.526777910 +0100
@@ -1,5 +1,5 @@
 conn %default
 	ikev2=insist
 	pfs=yes
 -	ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,chacha20_poly1305-sha2_512;dh19,chacha20_poly1305-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes256-sha1;dh19,aes_gcm128-sha2_512;dh19,aes_gcm128-sha2_256;dh19,aes128-sha2_256;dh19,aes128-sha1;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,chacha20_poly1305-sha2_512;dh20,chacha20_poly1305-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes256-sha1;dh20,aes_gcm128-sha2_512;dh20,aes_gcm128-sha2_256;dh20,aes128-sha2_256;dh20,aes128-sha1;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,chacha20_poly1305-sha2_512;dh21,chacha20_poly1305-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes256-sha1;dh21,aes_gcm128-sha2_512;dh21,aes_gcm128-sha2_256;dh21,aes128-sha2_256;dh21,aes128-sha1;dh21,aes_gcm256-sha2_512;dh14,aes_gcm256-sha2_256;dh14,chacha20_poly1305-sha2_512;dh14,chacha20_poly1305-sha2_256;dh14,aes256-sha2_512;dh14,aes256-sha2_256;dh14,aes256-sha1;dh14,aes_gcm128-sha2_512;dh14,aes_gcm128-sha2_256;dh14,aes128-sha2_256;dh14,aes128-sha1;dh14,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,chacha20_poly1305-sha2_512;dh15,chacha20_poly1305-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes256-sha1;dh15,aes_gcm128-sha2_512;dh15,aes_gcm128-sha2_256;dh15,aes128-sha2_256;dh15,aes128-sha1;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,chacha20_poly1305-sha2_512;dh16,chacha20_poly1305-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes256-sha1;dh16,aes_gcm128-sha2_512;dh16,aes_gcm128-sha2_256;dh16,aes128-sha2_256;dh16,aes128-sha1;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,chacha20_poly1305-sha2_512;dh18,chacha20_poly1305-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18,aes256-sha1;dh18,aes_gcm128-sha2_512;dh18,aes_gcm128-sha2_256;dh18,aes128-sha2_256;dh18,aes128-sha1;dh18
 -	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512,aes256-sha1,aes256-sha2_256,aes_gcm128,aes128-sha1,aes128-sha2_256
 +	ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
 +	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
 diff -up crypto-policies/tests/outputs/FIPS-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/FIPS-libreswan.txt
 --- crypto-policies/tests/outputs/FIPS-libreswan.txt.libreswan-fix	2018-12-17 17:01:44.000000000 +0100
 +++ crypto-policies/tests/outputs/FIPS-libreswan.txt	2019-02-18 10:34:57.526777910 +0100
@@ -1,5 +1,5 @@
 conn %default
 	ikev2=insist
 	pfs=yes
 -	ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes256-sha1;dh19,aes_gcm128-sha2_512;dh19,aes_gcm128-sha2_256;dh19,aes128-sha2_256;dh19,aes128-sha1;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes256-sha1;dh20,aes_gcm128-sha2_512;dh20,aes_gcm128-sha2_256;dh20,aes128-sha2_256;dh20,aes128-sha1;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes256-sha1;dh21,aes_gcm128-sha2_512;dh21,aes_gcm128-sha2_256;dh21,aes128-sha2_256;dh21,aes128-sha1;dh21,aes_gcm256-sha2_512;dh14,aes_gcm256-sha2_256;dh14,aes256-sha2_512;dh14,aes256-sha2_256;dh14,aes256-sha1;dh14,aes_gcm128-sha2_512;dh14,aes_gcm128-sha2_256;dh14,aes128-sha2_256;dh14,aes128-sha1;dh14,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes256-sha1;dh15,aes_gcm128-sha2_512;dh15,aes_gcm128-sha2_256;dh15,aes128-sha2_256;dh15,aes128-sha1;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes256-sha1;dh16,aes_gcm128-sha2_512;dh16,aes_gcm128-sha2_256;dh16,aes128-sha2_256;dh16,aes128-sha1;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18,aes256-sha1;dh18,aes_gcm128-sha2_512;dh18,aes_gcm128-sha2_256;dh18,aes128-sha2_256;dh18,aes128-sha1;dh18
 -	esp=aes_gcm256,aes256-sha2_512,aes256-sha1,aes256-sha2_256,aes_gcm128,aes128-sha1,aes128-sha2_256
 +	ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
 +	esp=aes_gcm256,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
 diff -up crypto-policies/tests/outputs/FUTURE-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/FUTURE-libreswan.txt
 --- crypto-policies/tests/outputs/FUTURE-libreswan.txt.libreswan-fix	2018-12-17 17:01:44.000000000 +0100
 +++ crypto-policies/tests/outputs/FUTURE-libreswan.txt	2019-02-18 10:34:57.527777893 +0100
@@ -1,5 +1,5 @@
 conn %default
 	ikev2=insist
 	pfs=yes
 -	ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,chacha20_poly1305-sha2_512;dh19,chacha20_poly1305-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,chacha20_poly1305-sha2_512;dh20,chacha20_poly1305-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,chacha20_poly1305-sha2_512;dh21,chacha20_poly1305-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,chacha20_poly1305-sha2_512;dh15,chacha20_poly1305-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,chacha20_poly1305-sha2_512;dh16,chacha20_poly1305-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,chacha20_poly1305-sha2_512;dh18,chacha20_poly1305-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18
 -	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512,aes256-sha2_256
 +	ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18
 +	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha2_256
 diff -up crypto-policies/tests/outputs/LEGACY-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/LEGACY-libreswan.txt
 --- crypto-policies/tests/outputs/LEGACY-libreswan.txt.libreswan-fix	2018-12-17 17:01:44.000000000 +0100
 +++ crypto-policies/tests/outputs/LEGACY-libreswan.txt	2019-02-18 10:34:57.527777893 +0100
@@ -1,5 +1,5 @@
 conn %default
 	ikev2=insist
 	pfs=yes
 -	ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,chacha20_poly1305-sha2_512;dh19,chacha20_poly1305-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes256-sha1;dh19,aes_gcm128-sha2_512;dh19,aes_gcm128-sha2_256;dh19,aes128-sha2_256;dh19,aes128-sha1;dh19,3des-sha1;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,chacha20_poly1305-sha2_512;dh20,chacha20_poly1305-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes256-sha1;dh20,aes_gcm128-sha2_512;dh20,aes_gcm128-sha2_256;dh20,aes128-sha2_256;dh20,aes128-sha1;dh20,3des-sha1;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,chacha20_poly1305-sha2_512;dh21,chacha20_poly1305-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes256-sha1;dh21,aes_gcm128-sha2_512;dh21,aes_gcm128-sha2_256;dh21,aes128-sha2_256;dh21,aes128-sha1;dh21,3des-sha1;dh21,aes_gcm256-sha2_512;dh5,aes_gcm256-sha2_256;dh5,chacha20_poly1305-sha2_512;dh5,chacha20_poly1305-sha2_256;dh5,aes256-sha2_512;dh5,aes256-sha2_256;dh5,aes256-sha1;dh5,aes_gcm128-sha2_512;dh5,aes_gcm128-sha2_256;dh5,aes128-sha2_256;dh5,aes128-sha1;dh5,3des-sha1;dh5,aes_gcm256-sha2_512;dh14,aes_gcm256-sha2_256;dh14,chacha20_poly1305-sha2_512;dh14,chacha20_poly1305-sha2_256;dh14,aes256-sha2_512;dh14,aes256-sha2_256;dh14,aes256-sha1;dh14,aes_gcm128-sha2_512;dh14,aes_gcm128-sha2_256;dh14,aes128-sha2_256;dh14,aes128-sha1;dh14,3des-sha1;dh14,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,chacha20_poly1305-sha2_512;dh15,chacha20_poly1305-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes256-sha1;dh15,aes_gcm128-sha2_512;dh15,aes_gcm128-sha2_256;dh15,aes128-sha2_256;dh15,aes128-sha1;dh15,3des-sha1;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,chacha20_poly1305-sha2_512;dh16,chacha20_poly1305-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes256-sha1;dh16,aes_gcm128-sha2_512;dh16,aes_gcm128-sha2_256;dh16,aes128-sha2_256;dh16,aes128-sha1;dh16,3des-sha1;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,chacha20_poly1305-sha2_512;dh18,chacha20_poly1305-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18,aes256-sha1;dh18,aes_gcm128-sha2_512;dh18,aes_gcm128-sha2_256;dh18,aes128-sha2_256;dh18,aes128-sha1;dh18,3des-sha1;dh18
 -	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512,aes256-sha1,aes256-sha2_256,aes_gcm128,aes128-sha1,aes128-sha2_256,3des-sha1
 +	ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18
 +	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
--- a/SOURCES/crypto-policies-manpage.patch
+++ b/SOURCES/crypto-policies-manpage.patch
@ -1,55 +0,0 @@
 diff --git a/update-crypto-policies.8.txt b/update-crypto-policies.8.txt
 index 7a1564c..3655ba8 100644
 --- a/update-crypto-policies.8.txt
 +++ b/update-crypto-policies.8.txt
@@ -32,24 +32,13 @@ SYNOPSIS
 DESCRIPTION
 -----------
 -update-crypto-policies(8) is used to set the policy applicable for the
 +*update-crypto-policies(8)* is used to set the policy applicable for the
 various cryptographic back-ends, such as SSL/TLS libraries. That will
 be the default policy used by these back-ends unless the application user
 configures them otherwise.
 -The available policies are restricted to the following profiles.
 -
 -* LEGACY: Ensures maximum compatibility with legacy systems (64-bit
 -  security)
 -
 -* DEFAULT: A reasonable default for today's standards (80-bit security).
 -
 -* FUTURE: A level that will provide security on a conservative level that is
 -  believed to withstand any near-term future attacks (112-bit security).
 -
 -* FIPS: Policy that enables only FIPS 140-2 approved or allowed algorithms.
 -
 -* EMPTY: All cryptographic algorithms are disabled (used for debugging only)
 +The available policies are described in the *crypto-policies(7)* manual
 +page.
 The desired system policy is selected in /etc/crypto-policies/config
 and this tool will generate the individual policy requirements for
@@ -201,10 +190,11 @@ In case of a parsing error no policies will be updated.
 FILES
 -----
 /etc/crypto-policies/config::
 -	The file contains the current system policy. It should contain a string of one of the profiles listed above (e.g., DEFAULT).
 +	The file contains the current system policy. It should contain a string of one of the
 +	profiles listed in the *crypto-policies(7)* page (e.g., DEFAULT).
 /etc/crypto-policies/back-ends::
 -	Contains the generated policies in separated files, and in a format readable by the supported back-ends.
 +	Contains the generated policies in separated files, and in a format readable by the supported back ends.
 /etc/crypto-policies/local.d::
 	Contains additional files to be appended to the generated policy
@@ -218,7 +208,7 @@ FILES
 SEE ALSO
 --------
 -fips-mode-setup(8)
 +crypto-policies(7), fips-mode-setup(8)
 AUTHOR
 ------
--- a/SOURCES/crypto-policies.7
+++ b/SOURCES/crypto-policies.7
--- a/SOURCES/crypto-policies.7.txt
+++ b/SOURCES/crypto-policies.7.txt
@ -1,254 +0,0 @@
 ////
 Copyright (C) 2019 Red Hat, Inc.
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU Lesser General Public License as published by
 the Free Software Foundation; either version 2.1 of the License, or
 (at your option) any later version.
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 ////
 crypto-policies(7)
 ==================
 :doctype: manpage
 :man source: crypto-policies
 NAME
 ----
 crypto-policies - system-wide crypto policies overview
 DESCRIPTION
 -----------
 The security of cryptographic components of the operating system
 does not remain constant over time. Algorithms, such as
 cryptographic hashing and encryption, typically have a lifetime,
 after which they are considered either too risky to use or plain insecure.
 That means, we need to phase out such algorithms from the default
 settings or completely disable them if they could cause an irreparable problem.
 While in the past the algorithms were not disabled in a consistent way
 and different applications applied different policies, the system-wide
 crypto-policies followed by the crypto core components allow consistently
 deprecating and disabling algorithms system-wide.
 The individual policy levels (*DEFAULT*, *LEGACY*, *FUTURE*, and *FIPS*)
 are included in the *crypto-policies(7)* package. In the future, there will
 be also a mechanism for easy creation and deployment of policies defined
 by the system administrator or a third party vendor.
 For rationale, see *RFC 7457* for a list of attacks taking advantage of
 legacy crypto algorithms.
 COVERED APPLICATIONS
 --------------------
 Crypto-policies apply to the configuration of the core cryptographic subsystems,
 covering *TLS*, *IKE*, *IPSec*, *DNSSec*, and *Kerberos* protocols; i.e., the
 supported secure communications protocols on the base operating system.
 Once an application runs in the operating system, it follows the default
 or selected policy and refuses to fall back to algorithms and protocols not
 within the policy, unless the user has explicitly requested the application
 to do so. That is, the policy applies to the default behavior of applications
 when running with the system-provided configuration but the user can override
 it on an application-specific basis.
 The policies currently provide settings for these applications and libraries:
 * *BIND* DNS name server daemon
 * *GnuTLS* TLS library
 * *OpenJDK* runtime environment
 * *Kerberos 5* library
 * *Libreswan* IPsec and IKE protocol implementation
 * *NSS* TLS library
 * *OpenSSH* SSH2 protocol implementation
 * *OpenSSL* TLS library
 Applications using the above libraries and tools are covered by the
 cryptographic policies unless they are explicitly configured not to be so.
 PROVIDED POLICY LEVELS
 ----------------------
 *LEGACY*::
  This policy ensures maximum compatibility with legacy systems; it is
  less secure and it includes support for *TLS 1.0*, *TLS 1.1*, and *SSH2*
  protocols or later. The algorithms *DSA*, *3DES*, and *RC4* are allowed,
  while *RSA* and *Diffie-Hellman* parameters are accepted if larger than 1023 bits.
  The level provides at least 64-bit security.
  * MACs: all *HMAC* with *SHA-1* or better + all modern MACs (*Poly1305*
    etc.)
  * Curves: all prime >= 255 bits (including Bernstein curves)
  * Signature algorithms: with *SHA1* hash or better (*DSA* allowed)
  * *TLS* Ciphers: all available >= 112-bit key, >= 128-bit block (including
    *RC4* and *3DES*)
  * Non-TLS Ciphers: same as *TLS* ciphers with added *Camellia*
  * Key exchange: *ECDHE*, *RSA*, *DHE*
  * *DH* params size: >= 1023
  * *RSA* keys size: >= 1023
  * *DSA* params size: >= 1023
  * *TLS* protocols: *TLS* >= 1.0, *DTLS* >= 1.0
 *DEFAULT*::
  The *DEFAULT* policy is a reasonable default policy for today's standards,
  compatible with *PCI-DSS* requirements. It allows the *TLS 1.2* and
  *TLS 1.3* protocols, as well as *IKEv2* and *SSH2*. The *RSA* and
  *Diffie-Hellman* parameters are accepted if larger than 2047 bits.
  The level provides at least 112-bit security with the exception of *SHA-1*
  signatures needed for *DNSSec* and other still prevalent legacy use of
  *SHA-1* signatures.
  * MACs: all *HMAC* with *SHA-1* or better + all modern MACs (*Poly1305*
    etc.)
  * Curves: all prime >= 255 bits (including Bernstein curves)
  * Signature algorithms: with *SHA-1* hash or better (no *DSA*)
  * *TLS* Ciphers: >= 128-bit key, >= 128-bit block (*AES*, *ChaCha20*,
    including *AES-CBC*)
  * non-TLS Ciphers: as *TLS* Ciphers with added *Camellia*
  * key exchange: *ECDHE*, *RSA*, *DHE* (no *DHE-DSS*)
  * *DH* params size: >= 2048
  * *RSA* keys size: >= 2048
  * *TLS* protocols: *TLS* >= 1.2, *DTLS* >= 1.2
 *FUTURE*::
  A conservative security level that is believed to withstand any near-term
  future attacks. This level does not allow the use of *SHA-1* in signature
  algorithms. The level also provides some (not complete) preparation for
  post-quantum encryption support in form of 256-bit symmetric encryption
  requirement. The *RSA* and *Diffie-Hellman* parameters are accepted if
  larger than 3071 bits. The level provides at least 128-bit security.
  * MACs: all *HMAC* with *SHA-256* or better + all modern MACs (*Poly1305*
    etc.)
  * Curves: all prime >= 255 bits (including Bernstein curves)
  * Signature algorithms: with *SHA-256* hash or better (no *DSA*)
  * *TLS* Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated
    Encryption (AE) ciphers
  * non-TLS Ciphers: same as *TLS* ciphers with added non AE ciphers and
    *Camellia*
  * key exchange: *ECDHE*, *DHE* (no *DHE-DSS*, no *RSA*)
  * *DH* params size: >= 3072
  * *RSA* keys size: >= 3072
  * *TLS* protocols: *TLS* >= 1.2, *DTLS* >= 1.2
 *FIPS*::
  A level that conforms to the *FIPS 140-2* requirements. This policy is used
  internally by the *fips-mode-setup(8)* tool which can switch the system
  into the *FIPS 140-2* compliance mode.
  The level provides at least 112-bit security.
  * MACs: all *HMAC* with *SHA1* or better
  * Curves: all prime >= 256 bits
  * Signature algorithms: with *SHA-256* hash or better (no *DSA*)
  * *TLS* Ciphers: >= 128-bit key, >= 128-bit block (*AES*,
    including *AES-CBC*)
  * non-TLS Ciphers: same as *TLS* Ciphers
  * key exchange: *ECDHE*, *DHE* (no *DHE-DSS*, no *RSA*)
  * *DH* params size: >= 2048
  * *RSA* params size: >= 2048
  * *TLS* protocols: *TLS* >= 1.2, *DTLS* >= 1.2
 *EMPTY*::
  All cryptographic algorithms are disabled (used for debugging only, do not
  use).
 COMMANDS
 --------
 *update-crypto-policies(8)*::
  This command manages the policies available to the various cryptographic
  back ends and allows the system administrator to change the active
  cryptographic policy level.
 *fips-mode-setup(8)*::
  This command allows the system administrator to enable, or disable the
  system FIPS mode and also apply the *FIPS* cryptographic policy level
  which limits the allowed algorithms and protocols to these allowed by
  the FIPS 140-2 requirements.
 NOTES
 -----
 *Exceptions:*
 * *Go-language* applications do not yet follow the system-wide policy.
 * *Libssh* applications do not yet follow the system-wide policy.
 * *GnuPG-2* application does not follow the system-wide policy.
 In general only the data-in-transit is currently covered by the system-wide
 policy.
 If the system administrator changes the system-wide policy level with
 the *update-crypto-policies(8)* command it is advisable to restart the
 system as the individual back-end libraries read the configuration files
 usually during their initialization. The changes in the policy level
 thus take place in most cases only when the applications using the back-end
 libraries are restarted.
 *Removed cipher suites and protocols*
 The following cipher suites and protocols are completely removed from the
 core cryptographic libraries listed above:
 * *DES*
 * All export grade cipher suites
 * *MD5* in signatures
 * *SSLv2*
 * *SSLv3*
 * All *ECC* curves smaller than 224 bits
 * All binary field *ECC* curves
 *Cipher suites and protocols disabled in all policy levels*
 The following ciphersuites and protocols are available but disabled in all
 crypto policy levels. They can be enabled only by explicit configuration
 of individual applications:
 * *DH* with parameters < 1024 bits
 * *RSA* with key size < 1024 bits
 * *Camellia*
 * *ARIA*
 * *SEED*
 * *IDEA*
 * Integrity only ciphersuites
 * *TLS* *CBC mode* ciphersuites using *SHA-384* HMAC
 * *AES-CCM8*
 * all *ECC* curves incompatible with *TLS 1.3*, including secp256k1
 * *IKEv1*
 FILES
 -----
 /etc/crypto-policies/back-ends::
 	The individual cryptographical back-end configuration files.
 	Usually linked to the configuration shipped in the crypto-policies
 	package unless a configuration from *local.d* is added.
 /etc/crypto-policies/config::
 	The active crypto-policies level set on the system.
 /etc/crypto-policies/local.d::
 	Additional configuration shipped by other packages or created by
 	the system administrator. The contents of the *<back-end>-file.config*
 	is appended to the configuration from the policy back end as
 	shipped in the crypto-policies package.
 SEE ALSO
 --------
 update-crypto-policies(8), fips-mode-setup(8)
 AUTHOR
 ------
 Written by Tomáš Mráz.
--- a/SPECS/crypto-policies.spec
+++ b/SPECS/crypto-policies.spec
@ -1,9 +1,9 @@
-%global git_date 20181217
+%global git_date 20190807
-%global git_commit_hash 9a35207
+%global git_commit_hash 9b1477b
 Name:           crypto-policies
 Version:        %{git_date}
-Release:        6.git%{git_commit_hash}%{?dist}
+Release:        1.git%{git_commit_hash}%{?dist}
 Summary:        Systemwide crypto policies
 License:        LGPLv2+
@ -13,11 +13,6 @@ URL:            https://gitlab.com/redhat-crypto/fedora-crypto-policies
 # directory.
 # For RHEL-8 we use the upstream branch next-default.
 Source0:        crypto-policies-git%{git_commit_hash}.tar.gz
 Source1:        crypto-policies.7.txt
 Source2:        crypto-policies.7
 Patch1:         crypto-policies-manpage.patch
 Patch2:         crypto-policies-java-fix.patch
 Patch3:         crypto-policies-libreswan-fix.patch
 BuildArch: noarch
 BuildRequires: asciidoc
@ -39,6 +34,9 @@ Requires: sed
 Requires(post): coreutils
 Requires(post): grep
 Requires(post): sed
 Conflicts: nss < 3.44.0
 Conflicts: libreswan < 3.28
 Conflicts: openssh < 8.0p1
 # used by fips-mode-setup
 Recommends: grubby
@ -53,9 +51,6 @@ to enable or disable the system FIPS mode.
 %prep
 %setup -q -n %{name}
 %patch1 -p1 -b .manpage
 %patch2 -p1 -b .java-fix
 %patch3 -p1 -b .libreswan-fix
 %build
 make %{?_smp_mflags}
@ -64,13 +59,10 @@ make %{?_smp_mflags}
 mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man7
 mkdir -p -m 755 %{buildroot}%{_mandir}/man8
 mkdir -p -m 755 %{buildroot}%{_bindir}
-make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir}/man8 %{?_smp_mflags} install
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
 install -p -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man7/crypto-policies.7
 %check
 make check %{?_smp_mflags}
@ -103,15 +95,15 @@ make check %{?_smp_mflags}
 %{_bindir}/update-crypto-policies
 %{_bindir}/fips-mode-setup
 %{_bindir}/fips-finish-install
-%{_mandir}/man7/crypto-policies.7.gz
+%{_mandir}/man7/crypto-policies.7*
-%{_mandir}/man8/update-crypto-policies.8.gz
+%{_mandir}/man8/update-crypto-policies.8*
-%{_mandir}/man8/fips-mode-setup.8.gz
+%{_mandir}/man8/fips-mode-setup.8*
-%{_mandir}/man8/fips-finish-install.8.gz
+%{_mandir}/man8/fips-finish-install.8*
-%{_datarootdir}/crypto-policies/LEGACY/*
+%{_datarootdir}/crypto-policies/LEGACY
-%{_datarootdir}/crypto-policies/DEFAULT/*
+%{_datarootdir}/crypto-policies/DEFAULT
-%{_datarootdir}/crypto-policies/FUTURE/*
+%{_datarootdir}/crypto-policies/FUTURE
-%{_datarootdir}/crypto-policies/FIPS/*
+%{_datarootdir}/crypto-policies/FIPS
-%{_datarootdir}/crypto-policies/EMPTY/*
+%{_datarootdir}/crypto-policies/EMPTY
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
@ -119,6 +111,22 @@ make check %{?_smp_mflags}
 %license COPYING.LESSER
 %changelog
 * Wed Aug  7 2019 Tomáš Mráz <tmraz@redhat.com> - 20190807-1.git9b1477b
 - gnutls: enable TLS-1.3 in the FIPS policy
 * Mon Aug  5 2019 Tomáš Mráz <tmraz@redhat.com> - 20190613-2.git21ffdc8
 - fix ownership of policy directories
 - nss: enable X25519 in appropriate policies and conflict with old nss
 - openssh: conflict with old incompatible openssh version
 * Thu Jun 13 2019 Tomáš Mráz <tmraz@redhat.com> - 20190613-1.git21ffdc8
 - openssh: add missing curve25519-sha256 to the key exchange list
 - openssh: fix RSA certificate support
 - fips-mode-setup: drop the kernel boot option if there is no separate
  /boot drive
 - fips-finish-install: regenerate all initramdisks
 - add libssh configuration backend
 * Mon Feb 18 2019 Tomáš Mráz <tmraz@redhat.com> - 20181217-6.git9a35207
 - libreswan: Allow coalescing the IKE/IPSEC proposals
`@ -1 +1 @@`
	`fde6f5eef3fa66d2b12ad3291cfef680727fdc42 SOURCES/crypto-policies-git9a35207.tar.gz`	`7800b6d56a63b575dfb7064bc33539af2c50d1cf SOURCES/crypto-policies-git9b1477b.tar.gz`
`@ -1 +1 @@`
	`SOURCES/crypto-policies-git9a35207.tar.gz`	`SOURCES/crypto-policies-git9b1477b.tar.gz`