Update from upstream (java, warnings, ...)

- java: start controlling / disable DTLSv1.0 - java: disable anon ciphersuites, tying them to NULL - java: respect more key size restrictions - java: specify jdk.tls.namedGroups system property - java: make hash, mac and sign more orthogonal - fips-mode-setup: add another scary "unsupported" - fips-mode-setup: flashy ticking warning upon use - java: use and include jdk.disabled.namedCurves - ec_min_size: introduce and use in java, default to 256 - java: stop specifying jdk.tls.namedGroups in javasystem - fips-setup-helper: add a libexec helper for anaconda - fips-mode-setup: force --no-bootcfg when UKI is detected Resolves: RHEL-36450 Resolves: RHEL-45618 Resolves: RHEL-45620 Resolves: RHEL-48590
2024-08-14 16:06:45 +02:00 · 2024-08-14 16:06:45 +02:00 · e0a6d022c7
commit e0a6d022c7
parent ad330f5b47
2 changed files with 19 additions and 16 deletions
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -1,5 +1,5 @@
-%global git_date 20240304
-%global git_commit b1c706d663ae796caab6d1144668ba63ea84a28a
+%global git_date 20240815
+%global git_commit e217f0304ed0e94e24a18200fadcc814caa246bd
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}

 %global _python_bytecompile_extra 0
@ -14,9 +14,6 @@ URL:            https://gitlab.com/redhat-crypto/fedora-crypto-policies
 # For RHEL-9 we use the upstream branch rhel9.
 Source0:        https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz

-%if 0%{?rhel} >= 10
-ExclusiveArch: %{java_arches} noarch
-%endif
 BuildArch: noarch
 BuildRequires: asciidoc
 BuildRequires: libxslt
@ -65,16 +62,6 @@ sed -i \
  "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
  python/policygenerators/openssh.py
 grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
-%if 0%{?rhel} == 11
-# currently ELN NSS doesn't carry the TLS-REQUIRE-EMS patch
-sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
-  python/policygenerators/nss.py tests/nss.py
-sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
-# currently ELN/RHEL gnutls do not carry the tls-session-hash patch
-sed -i "s/'GNUTLS_NO_TLS_SESSION_HASH', '0'/'GNUTLS_NO_TLS_SESSION_HASH', '1'/" \
-  python/policygenerators/gnutls.py
-sed -i "/^tls-session-hash =/d" tests/outputs/*FIPS*.txt
-%endif

 %make_build

@ -189,6 +176,8 @@ end
 %{_datarootdir}/crypto-policies/reload-cmds.sh
 %{_datarootdir}/crypto-policies/policies

+%{_libexecdir}/fips-setup-helper
+
 %license COPYING.LESSER

 %files scripts
@ -202,6 +191,20 @@ end
 %{_mandir}/man8/fips-finish-install.8*

 %changelog
+* Thu Aug 15 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240815-1.gite217f03
+- java: start controlling / disable DTLSv1.0
+- java: disable anon ciphersuites, tying them to NULL
+- java: respect more key size restrictions
+- java: specify jdk.tls.namedGroups system property
+- java: make hash, mac and sign more orthogonal
+- fips-mode-setup: add another scary "unsupported"
+- fips-mode-setup: flashy ticking warning upon use
+- java: use and include jdk.disabled.namedCurves
+- ec_min_size: introduce and use in java, default to 256
+- java: stop specifying jdk.tls.namedGroups in javasystem
+- fips-setup-helper: add a libexec helper for anaconda
+- fips-mode-setup: force --no-bootcfg when UKI is detected
+
 * Mon Mar 04 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240304-1.gitb1c706d
 - packaging: remove perl build-dependency, it's not needed anymore
 - packaging: use newly introduced SKIP_LINTING=1
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (crypto-policies-gitb1c706d.tar.gz) = 02817c3008d1d7a4533a2d15fbb09fe49bad7776325dd5cf752fc6c8284d45b8a180b88de0105b3ace489d18180b951f1fbf7e265a191d4e8082f980775150dd
+SHA512 (crypto-policies-gite217f03.tar.gz) = d95e0c7cd238688c4106339fafdcf89a450f645d0e094b09b1d31bd5dd4acc63808b486431ab6a9cc2ce46d34650f840435e1a46ed8982e3c4cd01563f1eebcc