Update from upstream (TEST-PQ, nss pkcs12/smime, ...)

- reintroduce TEST-PQ (ML-DSA/ML-KEM) in a crypto-policies-pq-preview subpackage - LEGACY: enable 192-bit ciphers for nss pkcs12/smime - LEGACY: drop cipher@pkcs12 = SEED-CBC - fips-mode-setup: tolerate fips dracut module presence w/o FIPS - nss: be stricter with new purposes Resolves: RHEL-58241 Resolves: RHEL-59104 Resolves: RHEL-59625 Resolves: RHEL-61275
2024-10-08 12:12:10 +02:00 · 2024-10-08 12:12:10 +02:00 · db441e40e1
commit db441e40e1
parent 0e572a2e61
2 changed files with 41 additions and 4 deletions
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -1,5 +1,5 @@
-%global git_date 20240828
-%global git_commit d2491114dd40d7e6a1e35c418cb48019004bd1b4
+%global git_date 20241010
+%global git_commit 7a71364675f3ffd2b328cabfe4362de0ee0e149d
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}

 %global _python_bytecompile_extra 0
@ -55,6 +55,21 @@ defined in simple policy definition files.
 The package also provides a tool fips-mode-setup, which can be used
 to enable or disable the system FIPS mode.

+%package pq-preview
+Summary: Post-quantum crypto-policies [Technology Preview]
+Requires: %{name} = %{version}-%{release}
+Requires: liboqs
+Requires: oqsprovider
+
+%description pq-preview
+This package TEST-PQ subpolicy policy with postquantum algorithms enabled.
+It also depends on liboqs and oqs-provider to ensure they're installed.
+
+This package is part of a Technology Preview.
+Technology Preview features are not fully supported,
+may not be functionally complete,
+and are not suitable for deployment in production.
+
 %prep
 %setup -q -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit}
 %autopatch -p1
@ -202,7 +217,18 @@ exit 0
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/default-fips-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
-%{_datarootdir}/crypto-policies/policies
+%dir %{_datarootdir}/crypto-policies/policies
+%{_datarootdir}/crypto-policies/policies/DEFAULT.pol
+%{_datarootdir}/crypto-policies/policies/EMPTY.pol
+%{_datarootdir}/crypto-policies/policies/FIPS.pol
+%{_datarootdir}/crypto-policies/policies/FUTURE.pol
+%{_datarootdir}/crypto-policies/policies/LEGACY.pol
+%dir %{_datarootdir}/crypto-policies/policies/modules
+%{_datarootdir}/crypto-policies/policies/modules/AD-SUPPORT.pmod
+%{_datarootdir}/crypto-policies/policies/modules/ECDHE-ONLY.pmod
+%{_datarootdir}/crypto-policies/policies/modules/NO-ENFORCE-EMS.pmod
+%{_datarootdir}/crypto-policies/policies/modules/OSPP.pmod
+# but not TEST-PQ

 %{_libexecdir}/fips-setup-helper
 %{_libexecdir}/fips-crypto-policy-overlay
@ -220,7 +246,18 @@ exit 0
 %{_mandir}/man8/fips-mode-setup.8*
 %{_mandir}/man8/fips-finish-install.8*

+%files pq-preview
+%{_datarootdir}/crypto-policies/policies/modules/TEST-PQ.pmod
+
+
 %changelog
+* Thu Oct 10 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241010-1.git7a71364
+- reintroduce TEST-PQ (ML-DSA/ML-KEM) in a crypto-policies-pq-preview subpackage
+- LEGACY: enable 192-bit ciphers for nss pkcs12/smime
+- LEGACY: drop cipher@pkcs12 = SEED-CBC
+- fips-mode-setup: tolerate fips dracut module presence w/o FIPS
+- nss: be stricter with new purposes
+
 * Wed Aug 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240828-1.gitd249111
 - fips-mode-setup: small Argon2 detection fix

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (crypto-policies-gitd249111.tar.gz) = ec645097947af08b261fbf432e3877d4caee04edbd562fefb38831178240093a14be29de88737ddf6056308253304c0dddfa269d92b4e13705745110d1538f73
+SHA512 (crypto-policies-git7a71364.tar.gz) = ff03803ae77a7e7a55f929583ebc4a8d92b601ff8450e9d8670021862f50695bb51b72d320548f80e533708114e44ef82823d22c8122eab3a071f880d84d0715