From db441e40e1c9a87632050c7f8d2d70a135559b22 Mon Sep 17 00:00:00 2001 From: Alexander Sosedkin Date: Tue, 8 Oct 2024 12:12:10 +0200 Subject: [PATCH] Update from upstream (TEST-PQ, nss pkcs12/smime, ...) - reintroduce TEST-PQ (ML-DSA/ML-KEM) in a crypto-policies-pq-preview subpackage - LEGACY: enable 192-bit ciphers for nss pkcs12/smime - LEGACY: drop cipher@pkcs12 = SEED-CBC - fips-mode-setup: tolerate fips dracut module presence w/o FIPS - nss: be stricter with new purposes Resolves: RHEL-58241 Resolves: RHEL-59104 Resolves: RHEL-59625 Resolves: RHEL-61275 --- crypto-policies.spec | 43 ++++++++++++++++++++++++++++++++++++++++--- sources | 2 +- 2 files changed, 41 insertions(+), 4 deletions(-) diff --git a/crypto-policies.spec b/crypto-policies.spec index e5745a4..4bbf96e 100644 --- a/crypto-policies.spec +++ b/crypto-policies.spec @@ -1,5 +1,5 @@ -%global git_date 20240828 -%global git_commit d2491114dd40d7e6a1e35c418cb48019004bd1b4 +%global git_date 20241010 +%global git_commit 7a71364675f3ffd2b328cabfe4362de0ee0e149d %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})} %global _python_bytecompile_extra 0 @@ -55,6 +55,21 @@ defined in simple policy definition files. The package also provides a tool fips-mode-setup, which can be used to enable or disable the system FIPS mode. +%package pq-preview +Summary: Post-quantum crypto-policies [Technology Preview] +Requires: %{name} = %{version}-%{release} +Requires: liboqs +Requires: oqsprovider + +%description pq-preview +This package TEST-PQ subpolicy policy with postquantum algorithms enabled. +It also depends on liboqs and oqs-provider to ensure they're installed. + +This package is part of a Technology Preview. +Technology Preview features are not fully supported, +may not be functionally complete, +and are not suitable for deployment in production. + %prep %setup -q -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit} %autopatch -p1 
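Review bot: The `%description pq-preview` text in the `@@ -55,6 +55,21 @@` hunk is missing its verb and does not tell an administrator what installing the package changes on the system. A clearer first line would be `This package provides the TEST-PQ subpolicy, which enables post-quantum algorithms.` A subpolicy file normally has no effect until it is selected with `update-crypto-policies --set`, so the description should say that, to avoid the assumption that post-quantum algorithms are active as soon as the package is installed. The new `Requires: liboqs` and `Requires: oqsprovider` are unversioned; if the TEST-PQ module relies on the ML-KEM/ML-DSA names mentioned in the commit message, a minimum version would keep the policy and the provider in step.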
@@ -202,7 +217,18 @@ exit 0 %{_datarootdir}/crypto-policies/default-config %{_datarootdir}/crypto-policies/default-fips-config %{_datarootdir}/crypto-policies/reload-cmds.sh -%{_datarootdir}/crypto-policies/policies +%dir %{_datarootdir}/crypto-policies/policies +%{_datarootdir}/crypto-policies/policies/DEFAULT.pol +%{_datarootdir}/crypto-policies/policies/EMPTY.pol +%{_datarootdir}/crypto-policies/policies/FIPS.pol +%{_datarootdir}/crypto-policies/policies/FUTURE.pol +%{_datarootdir}/crypto-policies/policies/LEGACY.pol +%dir %{_datarootdir}/crypto-policies/policies/modules +%{_datarootdir}/crypto-policies/policies/modules/AD-SUPPORT.pmod +%{_datarootdir}/crypto-policies/policies/modules/ECDHE-ONLY.pmod +%{_datarootdir}/crypto-policies/policies/modules/NO-ENFORCE-EMS.pmod +%{_datarootdir}/crypto-policies/policies/modules/OSPP.pmod +# but not TEST-PQ %{_libexecdir}/fips-setup-helper %{_libexecdir}/fips-crypto-policy-overlay @@ -220,7 +246,18 @@ exit 0 %{_mandir}/man8/fips-mode-setup.8* %{_mandir}/man8/fips-finish-install.8* +%files pq-preview +%{_datarootdir}/crypto-policies/policies/modules/TEST-PQ.pmod + + %changelog +* Thu Oct 10 2024 Alexander Sosedkin - 20241010-1.git7a71364 +- reintroduce TEST-PQ (ML-DSA/ML-KEM) in a crypto-policies-pq-preview subpackage +- LEGACY: enable 192-bit ciphers for nss pkcs12/smime +- LEGACY: drop cipher@pkcs12 = SEED-CBC +- fips-mode-setup: tolerate fips dracut module presence w/o FIPS +- nss: be stricter with new purposes + * Wed Aug 28 2024 Alexander Sosedkin - 20240828-1.gitd249111 - fips-mode-setup: small Argon2 detection fix diff --git a/sources b/sources index 5ff9502..34558b9 100644 --- a/sources +++ b/sources 
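Review bot: The comment `# but not TEST-PQ` that closes the new `%files` list in the `@@ -202,7 +217,18 @@` hunk says neither where the file goes nor why it is held back. Something like `# TEST-PQ.pmod is deliberately omitted here; it ships in the pq-preview subpackage` would keep a later rebase from folding the preview module back into the main package. Replacing the directory glob with an explicit list also means every policy or module added upstream must be listed by hand. With default rpmbuild settings an unlisted file should fail the build as installed-but-unpackaged, which is the safe outcome, but that depends on the build configuration and is worth confirming.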
@@ -1 +1 @@
-SHA512 (crypto-policies-gitd249111.tar.gz) = ec645097947af08b261fbf432e3877d4caee04edbd562fefb38831178240093a14be29de88737ddf6056308253304c0dddfa269d92b4e13705745110d1538f73
+SHA512 (crypto-policies-git7a71364.tar.gz) = ff03803ae77a7e7a55f929583ebc4a8d92b601ff8450e9d8670021862f50695bb51b72d320548f80e533708114e44ef82823d22c8122eab3a071f880d84d0715