From 19188a581d622e60e12e45444931eccad12bf952 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 12 Sep 2023 09:52:29 +0000 Subject: [PATCH] import UBI crypto-policies-20221215-1.git9a18988.el9_2.1 --- .crypto-policies.metadata | 2 +- .gitignore | 2 +- SPECS/crypto-policies.spec | 23 ++++++++++++++++------- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/.crypto-policies.metadata b/.crypto-policies.metadata index 449b892..3a32f71 100644 --- a/.crypto-policies.metadata +++ b/.crypto-policies.metadata @@ -1 +1 @@ -fbe5c6bd87287dd2059da06f83ce4363ed898773 SOURCES/crypto-policies-git9a18988.tar.gz +8fe9be3f275cc392417de1c44d15fe4269b609c2 SOURCES/crypto-policies-git03b28b3.tar.gz diff --git a/.gitignore b/.gitignore index 429dbaf..996dad3 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/crypto-policies-git9a18988.tar.gz +SOURCES/crypto-policies-git03b28b3.tar.gz diff --git a/SPECS/crypto-policies.spec b/SPECS/crypto-policies.spec index 16e1c97..052368c 100644 --- a/SPECS/crypto-policies.spec +++ b/SPECS/crypto-policies.spec @@ -1,5 +1,4 @@ -%global git_date 20221215 -%global git_commit 9a189880a1cda3c0bbedab06d405c0a724c0a2f7 +%global git_commit 03b28b32c3dd992c251b9a05352f1234582c18e4 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})} %global _python_bytecompile_extra 0 
@@ -27,19 +26,20 @@ %endif Name: crypto-policies -Version: %{git_date} -Release: 1.git%{git_commit_hash}%{?dist} +Version: 20221215 +Release: 1.git9a18988%{?dist}.1 Summary: System-wide crypto policies License: LGPLv2+ URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies -# For RHEL-9 we use the upstream branch rhel9. +# For RHEL-9.2 we use the upstream branch rhel9.2 and are freezing version at 20221215-1.git9a18988. Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz BuildArch: noarch BuildRequires: asciidoc BuildRequires: libxslt BuildRequires: openssl +BuildRequires: nss-tools BuildRequires: gnutls-utils >= 3.6.0 BuildRequires: java-1.8.0-openjdk-devel BuildRequires: bind @@ -52,10 +52,10 @@ BuildRequires: python3-pytest BuildRequires: make Conflicts: openssl < 1:3.0.1-10 -Conflicts: nss < 3.44.0 +Conflicts: nss < 3.90.0 Conflicts: libreswan < 3.28 Conflicts: openssh < 8.7p1-24 -Conflicts: gnutls < 3.7.2-3 +Conflicts: gnutls < 3.7.6-21.el9_2 %description This package provides pre-built configuration files with @@ -190,6 +190,7 @@ end %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config # %verify(not mode) comes from the fact # these turn into symlinks and back to regular files at will, see bz1898986 
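Review bot: The hard-coded `Release: 1.git9a18988%{?dist}.1` names a commit that is no longer the one being built. `git_commit` in the first spec hunk now points at 03b28b32…, and `Source0` still resolves through `%{git_commit_hash}`, so the tarball is `git03b28b3` while the NVR says `git9a18988`. The new comment explains the version freeze but not this mismatch, which will mislead anyone tracing the package back to upstream source from its NVR. I would extend the comment, e.g. `# NVR is frozen at 20221215-1.git9a18988; the source actually built is the git_commit defined at the top of this file.`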
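Review bot: The `Conflicts:` bumps in the -52 hunk cover nss and gnutls, but `Conflicts: openssl < 1:3.0.1-10` is unchanged, although the changelog lists EMS enforcement for openssl too and the -190 hunk adds a `%ghost` entry for `back-ends/openssl_fips.config`. If an openssl build that does not read that file remains installable, FIPS-mode EMS enforcement would be silently absent for OpenSSL while the policy claims it. The diff does not show which build first honours the file, so this needs confirming. If such a minimum exists, raise the bound with the others: `Conflicts: openssl < <FIRST_BUILD_WITH_EMS_SUPPORT>`. A one-line comment above the raised bounds, stating that they are the first builds implementing EMS enforcement, would also help the next rebase.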
@@ -219,6 +220,14 @@ end %{_mandir}/man8/fips-finish-install.8* %changelog +* Wed Aug 02 2023 Alexander Sosedkin - 20221215-1.git9a18988.1 +- FIPS: enforce EMS in FIPS mode +- NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode +- nss: implement EMS enforcement in FIPS mode +- openssl: implement EMS enforcement in FIPS mode +- gnutls: implement EMS enforcement in FIPS mode +- docs: replace `FIPS 140-2` with just `FIPS 140` + * Thu Dec 15 2022 Alexander Sosedkin - 20221215-1.git9a18988 - bind: expand the list of disableable algorithms