Update from upstream (TEST-PQ, nss pkcs12/smime, ...)

- reintroduce TEST-PQ (ML-DSA/ML-KEM) in a crypto-policies-pq-preview subpackage
- LEGACY: enable 192-bit ciphers for nss pkcs12/smime
- LEGACY: drop cipher@pkcs12 = SEED-CBC
- fips-mode-setup: tolerate fips dracut module presence w/o FIPS
- nss: be stricter with new purposes

Resolves: RHEL-58241
Resolves: RHEL-59104
Resolves: RHEL-59625
Resolves: RHEL-61275
This commit is contained in:
Alexander Sosedkin 2024-10-08 12:12:10 +02:00
parent 0e572a2e61
commit db441e40e1
2 changed files with 41 additions and 4 deletions

View File

@ -1,5 +1,5 @@
%global git_date 20240828 %global git_date 20241010
%global git_commit d2491114dd40d7e6a1e35c418cb48019004bd1b4 %global git_commit 7a71364675f3ffd2b328cabfe4362de0ee0e149d
%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})} %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
%global _python_bytecompile_extra 0 %global _python_bytecompile_extra 0
@ -55,6 +55,21 @@ defined in simple policy definition files.
The package also provides a tool fips-mode-setup, which can be used The package also provides a tool fips-mode-setup, which can be used
to enable or disable the system FIPS mode. to enable or disable the system FIPS mode.
%package pq-preview
Summary: Post-quantum crypto-policies [Technology Preview]
Requires: %{name} = %{version}-%{release}
Requires: liboqs
Requires: oqsprovider
%description pq-preview
This package TEST-PQ subpolicy policy with postquantum algorithms enabled.
It also depends on liboqs and oqs-provider to ensure they're installed.
This package is part of a Technology Preview.
Technology Preview features are not fully supported,
may not be functionally complete,
and are not suitable for deployment in production.
%prep %prep
%setup -q -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit} %setup -q -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit}
%autopatch -p1 %autopatch -p1
@ -202,7 +217,18 @@ exit 0
%{_datarootdir}/crypto-policies/default-config %{_datarootdir}/crypto-policies/default-config
%{_datarootdir}/crypto-policies/default-fips-config %{_datarootdir}/crypto-policies/default-fips-config
%{_datarootdir}/crypto-policies/reload-cmds.sh %{_datarootdir}/crypto-policies/reload-cmds.sh
%{_datarootdir}/crypto-policies/policies %dir %{_datarootdir}/crypto-policies/policies
%{_datarootdir}/crypto-policies/policies/DEFAULT.pol
%{_datarootdir}/crypto-policies/policies/EMPTY.pol
%{_datarootdir}/crypto-policies/policies/FIPS.pol
%{_datarootdir}/crypto-policies/policies/FUTURE.pol
%{_datarootdir}/crypto-policies/policies/LEGACY.pol
%dir %{_datarootdir}/crypto-policies/policies/modules
%{_datarootdir}/crypto-policies/policies/modules/AD-SUPPORT.pmod
%{_datarootdir}/crypto-policies/policies/modules/ECDHE-ONLY.pmod
%{_datarootdir}/crypto-policies/policies/modules/NO-ENFORCE-EMS.pmod
%{_datarootdir}/crypto-policies/policies/modules/OSPP.pmod
# but not TEST-PQ
%{_libexecdir}/fips-setup-helper %{_libexecdir}/fips-setup-helper
%{_libexecdir}/fips-crypto-policy-overlay %{_libexecdir}/fips-crypto-policy-overlay
@ -220,7 +246,18 @@ exit 0
%{_mandir}/man8/fips-mode-setup.8* %{_mandir}/man8/fips-mode-setup.8*
%{_mandir}/man8/fips-finish-install.8* %{_mandir}/man8/fips-finish-install.8*
%files pq-preview
%{_datarootdir}/crypto-policies/policies/modules/TEST-PQ.pmod
%changelog %changelog
* Thu Oct 10 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241010-1.git7a71364
- reintroduce TEST-PQ (ML-DSA/ML-KEM) in a crypto-policies-pq-preview subpackage
- LEGACY: enable 192-bit ciphers for nss pkcs12/smime
- LEGACY: drop cipher@pkcs12 = SEED-CBC
- fips-mode-setup: tolerate fips dracut module presence w/o FIPS
- nss: be stricter with new purposes
* Wed Aug 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240828-1.gitd249111 * Wed Aug 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240828-1.gitd249111
- fips-mode-setup: small Argon2 detection fix - fips-mode-setup: small Argon2 detection fix

View File

@ -1 +1 @@
SHA512 (crypto-policies-gitd249111.tar.gz) = ec645097947af08b261fbf432e3877d4caee04edbd562fefb38831178240093a14be29de88737ddf6056308253304c0dddfa269d92b4e13705745110d1538f73 SHA512 (crypto-policies-git7a71364.tar.gz) = ff03803ae77a7e7a55f929583ebc4a8d92b601ff8450e9d8670021862f50695bb51b72d320548f80e533708114e44ef82823d22c8122eab3a071f880d84d0715