Update from upstream (krb5 reorder, EMS...):

- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
- FIPS: enforce EMS in FIPS mode
- NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode
- nss: implement EMS enforcement in FIPS mode (disabled in ELN)
- openssl: implement EMS enforcement in FIPS mode
- gnutls: implement EMS enforcement in FIPS mode (disabled in ELN)
- docs: replace `FIPS 140-2` with just `FIPS 140`

Resolves: bz2225222
Resolves: bz2222734
Resolves: bz2216257

crypto-policies.spec

@@ -1,5 +1,5 @@
-%global git_date 20230614
-%global git_commit 027799d4336eb324f4543f64db8f17ad45cbcb46
+%global git_date 20230731
+%global git_commit 94f0e2c4f7ebf2b1513b405d11227bae79ffe070
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 
 %global _python_bytecompile_extra 0
@@ -40,6 +40,7 @@ BuildArch: noarch
 BuildRequires: asciidoc
 BuildRequires: libxslt
 BuildRequires: openssl
+BuildRequires: nss-tools
 BuildRequires: gnutls-utils >= 3.6.0
 BuildRequires: java-1.8.0-openjdk-devel
 BuildRequires: bind
@@ -52,10 +53,14 @@ BuildRequires: python3-pytest
 BuildRequires: make
 
 Conflicts: openssl < 1:3.0.1-10
-Conflicts: nss < 3.44.0
+Conflicts: nss < 3.90.0
 Conflicts: libreswan < 3.28
 Conflicts: openssh < 8.7p1-24
+%if 0%{?rhel} == 10
 Conflicts: gnutls < 3.7.2-3
+%else
+Conflicts: gnutls < 3.7.6-22
+%endif
 
 %description
 This package provides pre-built configuration files with
@@ -86,6 +91,18 @@ sed -i \
   "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \
   python/policygenerators/openssh.py
 grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py
+
+%if 0%{?rhel} == 10
+# currently ELN 3.90-1 doesn't carry the TLS-REQUIRE-EMS patch
+sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
+  python/policygenerators/nss.py tests/nss.py
+sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
+# currently ELN/RHEL gnutls do not carry the tls-session-hash patch
+sed -i "s/'GNUTLS_NO_TLS_SESSION_HASH', '0'/'GNUTLS_NO_TLS_SESSION_HASH', '1'/" \
+  python/policygenerators/gnutls.py
+sed -i "/^tls-session-hash =/d" tests/outputs/*FIPS*.txt
+%endif
+
 %make_build
 
 %install
@@ -129,6 +146,7 @@ done
 %else
   [ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7
 %endif
+
 make ON_RHEL9=1 test
 
 %post -p <lua>
@@ -190,6 +208,7 @@ end
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
 # %verify(not mode) comes from the fact
 # these turn into symlinks and back to regular files at will, see bz1898986
 
@@ -219,6 +238,15 @@ end
 %{_mandir}/man8/fips-finish-install.8*
 
 %changelog
+* Mon Jul 31 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230731-1.git94f0e2c
+- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
+- FIPS: enforce EMS in FIPS mode
+- NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode
+- nss: implement EMS enforcement in FIPS mode (disabled in ELN)
+- openssl: implement EMS enforcement in FIPS mode
+- gnutls: implement EMS enforcement in FIPS mode (disabled in ELN)
+- docs: replace `FIPS 140-2` with just `FIPS 140`
+
 * Wed Jun 14 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230614-1.git027799d
 - policies: restore group order to old OpenSSL default order
 

sources

@@ -1 +1 @@
-SHA512 (crypto-policies-git027799d.tar.gz) = 0f3c18d8ecb5acb421d3a4b01319eed35a50c265a40bf5c067e00325dd03babc224ba1eb8c9e125ff9eca092b40f6c84485034740201affc089a66fbbd9a676a
+SHA512 (crypto-policies-git94f0e2c.tar.gz) = 3284b38772740db388f65717cb74c844de62b49e334f998dc3b118f1f24e06d9fdde81289e4a083c5c8bec321278acbe7acb78b2e97aad3ed25daa751e0b8be0