Update from upstream (RequiredRSASize):

- openssh: rename RSAMinSize option to RequiredRSASize

Resolves: bz2129036

crypto-policies.spec

@@ -1,9 +1,31 @@
-%global git_date 20220815
-%global git_commit 0fbe86f88d51fb210d536908b10450eb7467e1d6
+%global git_date 20221003
+%global git_commit 04dee29f738ccfeee4f61eb4fc8beb0ad29451d8
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 
 %global _python_bytecompile_extra 0
 
+# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
+%if 0%{?rhel} == 9
+  # RHEL-9: must be RequiredRSASize in RHEL >= 9.2, Conflicts-enforced,
+  %global MIN_RSA_NAME RequiredRSASize
+%elif 0%{?rhel} == 10
+  # ELN: RequiredRSASize for openssh >= 9.0p1-5, RSAMinSize for >= 9.0p1-2
+  %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-5"
+    %global MIN_RSA_NAME RequiredRSASize
+  %elif v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-2"
+    %global MIN_RSA_NAME RSAMinSize
+  %else
+    %global MIN_RSA_NAME none
+  %endif
+%else
+  # some other distro, follow autodetection which checks for openssh >= 9.1
+  %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.1"
+    %global MIN_RSA_NAME RequiredRSASize
+  %else
+    %global MIN_RSA_NAME none
+  %endif
+%endif
+
 Name:           crypto-policies
 Version:        %{git_date}
 Release:        1.git%{git_commit_hash}%{?dist}
@@ -32,7 +54,7 @@ BuildRequires: make
 Conflicts: openssl < 1:3.0.1-10
 Conflicts: nss < 3.44.0
 Conflicts: libreswan < 3.28
-Conflicts: openssh < 8.7p1-10
+Conflicts: openssh < 8.7p1-24
 Conflicts: gnutls < 3.7.2-3
 
 %description
@@ -60,6 +82,10 @@ to enable or disable the system FIPS mode.
 %autopatch -p1
 
 %build
+sed -i \
+  "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \
+  python/policygenerators/openssh.py
+grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py
 %make_build
 
 %install
@@ -95,7 +121,15 @@ done
 %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
 
 %check
-make ON_RHEL9=1 test %{?_smp_mflags}
+# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
+%if "%{MIN_RSA_NAME}" == "none"
+  sed -i '/RequiredRSASize .*/d' tests/outputs/*.txt
+%elif "%{MIN_RSA_NAME}" == "RSAMinSize"
+  sed -i 's/RequiredRSASize/RSAMinSize/' tests/outputs/*.txt
+%else
+  [ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7
+%endif
+make ON_RHEL9=1 test
 
 %post -p <lua>
 if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@@ -185,6 +219,9 @@ end
 %{_mandir}/man8/fips-finish-install.8*
 
 %changelog
+* Mon Oct 03 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20221003-1.git04dee29
+- openssh: rename RSAMinSize option to RequiredRSASize
+
 * Mon Aug 15 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20220815-1.git0fbe86f
 - openssh: add RSAMinSize option following min_rsa_size
 

sources

@@ -1 +1 @@
-SHA512 (crypto-policies-git0fbe86f.tar.gz) = c012346f9fb4d8e03211a5498dbab79c34ba912b98493c01c877112aee0fa0ba8df9e4c6cae30285927fe5fb56034ea93008198740a1b75886bc2c220d29fa5f
+SHA512 (crypto-policies-git04dee29.tar.gz) = 9b7c3631cdcb6a651608e94dd7ef6ed727e518306b594fe5443f0a3de4e1c2378c61f03dba9e067e20312f9d1d56082dcd0c4527ba80f4973b602c93c70e6817