From a56329e5d8ed75ff4d0980a0ffcf17fe13ac4502 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin
Date: Mon, 3 Oct 2022 11:51:46 +0200
Subject: [PATCH] Update from upstream (RequiredRSASize):
- openssh: rename RSAMinSize option to RequiredRSASize
Resolves: bz2129036
---
 crypto-policies.spec | 45 ++++++++++++++++++++++++++++++++++++++++----
 sources | 2 +-
 2 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/crypto-policies.spec b/crypto-policies.spec
index d2e47e9..eadf2ce 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -1,9 +1,31 @@
-%global git_date 20220815
-%global git_commit 0fbe86f88d51fb210d536908b10450eb7467e1d6
+%global git_date 20221003
+%global git_commit 04dee29f738ccfeee4f61eb4fc8beb0ad29451d8
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 %global _python_bytecompile_extra 0
+# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
+%if 0%{?rhel} == 9
+ # RHEL-9: must be RequiredRSASize in RHEL >= 9.2, Conflicts-enforced,
+ %global MIN_RSA_NAME RequiredRSASize
+%elif 0%{?rhel} == 10
+ # ELN: RequiredRSASize for openssh >= 9.0p1-5, RSAMinSize for >= 9.0p1-2
+ %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-5"
+ %global MIN_RSA_NAME RequiredRSASize
+ %elif v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-2"
+ %global MIN_RSA_NAME RSAMinSize
+ %else
+ %global MIN_RSA_NAME none
+ %endif
+%else
+ # some other distro, follow autodetection which checks for openssh >= 9.1
+ %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.1"
+ %global MIN_RSA_NAME RequiredRSASize
+ %else
+ %global MIN_RSA_NAME none
+ %endif
+%endif
+
 Name: crypto-policies
 Version: %{git_date}
 Release: 1.git%{git_commit_hash}%{?dist}
@@ -32,7 +54,7 @@ BuildRequires: make
 Conflicts: openssl < 1:3.0.1-10
 Conflicts: nss < 3.44.0
 Conflicts: libreswan < 3.28
-Conflicts: openssh < 8.7p1-10
+Conflicts: openssh < 8.7p1-24
 Conflicts: gnutls < 3.7.2-3
 %description
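Review bot: The `MIN_RSA_NAME` selection in the first hunk of crypto-policies.spec compares the raw output of `rpm -q openssh | head -n1` from whatever host parses the spec, and nothing visible in the hunk guarantees openssh is installed at that point. When it is not, `rpm -q` prints a "not installed" message instead of an NVR, so the `v"…"` comparison runs on a non-version string and the chosen name, or `none`, which apparently omits the RSA size floor from the generated OpenSSH policy, no longer reflects the target openssh. The `%check` hunk then rewrites the expected test outputs to match whatever was chosen, so the test suite would not catch a wrong pick. I would declare `BuildRequires: openssh` if it is not already present outside this hunk, query only the version with `rpm -q --qf '%%{version}-%%{release}' openssh`, and stop with `%{error:openssh not found, cannot pick MIN_RSA_NAME}` when the query fails.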
@@ -60,6 +82,10 @@ to enable or disable the system FIPS mode.
 %autopatch -p1
 %build
+sed -i \
+ "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \
+ python/policygenerators/openssh.py
+grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py
 %make_build
 %install
@@ -95,7 +121,15 @@ done
 %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
 %check
-make ON_RHEL9=1 test %{?_smp_mflags}
+# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
+%if "%{MIN_RSA_NAME}" == "none"
+ sed -i '/RequiredRSASize .*/d' tests/outputs/*.txt
+%elif "%{MIN_RSA_NAME}" == "RSAMinSize"
+ sed -i 's/RequiredRSASize/RSAMinSize/' tests/outputs/*.txt
+%else
+ [ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7
+%endif
+make ON_RHEL9=1 test
 %post -p
 if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@@ -185,6 +219,9 @@ end
 %{_mandir}/man8/fips-finish-install.8*
 %changelog
+* Mon Oct 03 2022 Alexander Sosedkin - 20221003-1.git04dee29
+- openssh: rename RSAMinSize option to RequiredRSASize
+
 * Mon Aug 15 2022 Alexander Sosedkin - 20220815-1.git0fbe86f
 - openssh: add RSAMinSize option following min_rsa_size
diff --git a/sources b/sources
index d77526d..0f6c51d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (crypto-policies-git0fbe86f.tar.gz) = c012346f9fb4d8e03211a5498dbab79c34ba912b98493c01c877112aee0fa0ba8df9e4c6cae30285927fe5fb56034ea93008198740a1b75886bc2c220d29fa5f
+SHA512 (crypto-policies-git04dee29.tar.gz) = 9b7c3631cdcb6a651608e94dd7ef6ed727e518306b594fe5443f0a3de4e1c2378c61f03dba9e067e20312f9d1d56082dcd0c4527ba80f4973b602c93c70e6817
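Review bot: In the `%check` hunk the `%else` guard `[ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7` uses `==` inside `[ ]`, which is a bash extension, so under a strictly POSIX `/bin/sh` the test itself errors and the build stops with exit 7 even when the value is correct. The portable spelling is `[ "%{MIN_RSA_NAME}" = "RequiredRSASize" ] || exit 7`. The bare exit code also leaves no hint in the build log, so an `echo` to stderr naming the unexpected value before exiting would help. The same hunk drops `%{?_smp_mflags}` from `make ON_RHEL9=1 test` without explanation; a one-line comment saying why (presumably the tests are meant to run serially now) would keep it from being re-added.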