import crypto-policies-20181217-6.git9a35207.el8

2019-05-07 08:55:18 -04:00 · 2019-05-07 08:55:18 -04:00 · f73a9c7c88
commit f73a9c7c88
8 changed files with 2017 additions and 0 deletions
--- a/.crypto-policies.metadata
+++ b/.crypto-policies.metadata
@ -0,0 +1 @@
+fde6f5eef3fa66d2b12ad3291cfef680727fdc42 SOURCES/crypto-policies-git9a35207.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/crypto-policies-git9a35207.tar.gz
--- a/SOURCES/crypto-policies-java-fix.patch
+++ b/SOURCES/crypto-policies-java-fix.patch
@ -0,0 +1,71 @@
+commit 2ff4c6d3791a0ad581181997ee5a04b83b7c7341
+Author: Tomas Mraz <tmraz@fedoraproject.org>
+Date:   Thu Jan 31 16:23:52 2019 +0100
+
+    java: Allow incorrectly disabled RSA certificates in TLS
+    
+    The FUTURE and NEXT policies incorrectly disabled RSA certificates,
+    allow them.
+
+diff --git a/back-ends/java.pl b/back-ends/java.pl
+index 0789251..325544a 100644
+--- a/back-ends/java.pl
+++ b/back-ends/java.pl
+@@ -72,7 +72,7 @@ my %key_exchange_not_map = (
+ 	'EXPORT' => 'RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT',
+ 	'DH'         => 'DH_RSA, DH_DSS',
+ 	'ANON'       => 'DH_anon, ECDH_anon',
+-	'RSA'        => 'RSA',
+	'RSA'        => 'TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256',
+ 	'DHE-RSA'      => 'DHE_RSA',
+ 	'DHE-DSS'      => 'DHE_DSS',
+ 	'ECDHE'      => 'ECDHE',
+diff --git a/tests/outputs/EMPTY-java.txt b/tests/outputs/EMPTY-java.txt
+index 0011734..3cf0e2a 100644
+--- a/tests/outputs/EMPTY-java.txt
+++ b/tests/outputs/EMPTY-java.txt
+@@ -1,4 +1,4 @@
+ jdk.tls.ephemeralDHKeySize=0
+ jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA1, MD5, DSA, RSA keySize < 0
+-jdk.tls.disabledAlgorithms=DH keySize < 0, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, ECDHE, RSA, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+jdk.tls.disabledAlgorithms=DH keySize < 0, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+ jdk.tls.legacyAlgorithms=
+diff --git a/tests/outputs/FIPS-java.txt b/tests/outputs/FIPS-java.txt
+index 808778c..d9fe8aa 100644
+--- a/tests/outputs/FIPS-java.txt
+++ b/tests/outputs/FIPS-java.txt
+@@ -1,4 +1,4 @@
+ jdk.tls.ephemeralDHKeySize=2048
+ jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048
+-jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2, SSLv3, TLSv1, TLSv1.1, RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2, SSLv3, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
+ jdk.tls.legacyAlgorithms=
+diff --git a/tests/outputs/FUTURE-java.txt b/tests/outputs/FUTURE-java.txt
+index fd2db04..9d57348 100644
+--- a/tests/outputs/FUTURE-java.txt
+++ b/tests/outputs/FUTURE-java.txt
+@@ -1,4 +1,4 @@
+ jdk.tls.ephemeralDHKeySize=3072
+ jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 3072
+-jdk.tls.disabledAlgorithms=DH keySize < 3072, SSLv2, SSLv3, TLSv1, TLSv1.1, RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_128_GCM, AES_128_CCM, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5
+jdk.tls.disabledAlgorithms=DH keySize < 3072, SSLv2, SSLv3, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_128_GCM, AES_128_CCM, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5
+ jdk.tls.legacyAlgorithms=
+diff -up crypto-policies/tests/java.pl.java-fix crypto-policies/tests/java.pl
+--- crypto-policies/tests/java.pl.java-fix	2018-12-17 17:01:44.000000000 +0100
+++ crypto-policies/tests/java.pl	2019-02-08 10:05:28.152358692 +0100
+@@ -45,14 +45,7 @@ foreach my $policy (@profiles::common::p
+ 	}
+ 
+ 	my $lines=`cat $TMPFILE2|wc -l`;
+-	if ("$policy" eq "EMPTY") {
+-		if ($lines >= 2) { # we allow the SCSV
+-			print "Empty policy has ciphersuites!\n";
+-			print "Policy: $tmp\n";
+-			system("cat $TMPFILE2");
+-			exit 1;
+-		}
+-	} else {
+	if ("$policy" ne "EMPTY") {
+ 		system("grep \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\" $TMPFILE2 >/dev/null 2>&1");
+ 		
+ 		if ($? != 0) {
--- a/SOURCES/crypto-policies-libreswan-fix.patch
+++ b/SOURCES/crypto-policies-libreswan-fix.patch
@ -0,0 +1,232 @@
+diff -up crypto-policies/back-ends/libreswan.pl.libreswan-fix crypto-policies/back-ends/libreswan.pl
+--- crypto-policies/back-ends/libreswan.pl.libreswan-fix	2018-12-17 17:01:44.000000000 +0100
+++ crypto-policies/back-ends/libreswan.pl	2019-02-18 10:34:57.525777928 +0100
+@@ -26,7 +26,9 @@ sub append {
+ 
+ my %group_map = (
+ 	'X448'    => '',
+-	'X25519'    => '', #dh31 - not in f28
+	'X25519'    => '',
+# Disabled for now as it cannot be prioritized over others
+#	'X25519'    => 'dh31',
+ 	'SECP256R1' => 'dh19',
+ 	'SECP384R1' => 'dh20',
+ 	'SECP521R1' => 'dh21',
+@@ -38,31 +40,42 @@ my %group_map = (
+ 	'FFDHE-8192' => 'dh18'
+ );
+ 
+my %cipher_map = (
+	'AES-256-CBC'       => 'aes256',
+	'AES-128-CBC'       => 'aes128',
+	'AES-256-GCM'       => 'aes_gcm256',
+	'AES-128-GCM'       => 'aes_gcm128',
+	'CHACHA20-POLY1305' => 'chacha20_poly1305',
+# Unused for IKEv2
+#	'3DES-CBC'          => '3des',
+);
+
+ my %cipher_prf_map = (
+-	'AES-256-CBC-HMAC-SHA2-512'       => 'aes256-sha2_512',
+-	'AES-256-CBC-HMAC-SHA2-256'       => 'aes256-sha2_256',
+-	'AES-128-CBC-HMAC-SHA2-256'       => 'aes128-sha2_256',
+-	'AES-256-CBC-HMAC-SHA1'       => 'aes256-sha1',
+-	'AES-128-CBC-HMAC-SHA1'       => 'aes128-sha1',
+-	'AES-256-GCM-HMAC-SHA2-512'       => 'aes_gcm256-sha2_512',
+-	'AES-256-GCM-HMAC-SHA2-256'       => 'aes_gcm256-sha2_256',
+-	'AES-128-GCM-HMAC-SHA2-512'       => 'aes_gcm128-sha2_512',
+-	'AES-128-GCM-HMAC-SHA2-256'       => 'aes_gcm128-sha2_256',
+-	'CHACHA20-POLY1305-HMAC-SHA2-512' => 'chacha20_poly1305-sha2_512',
+-	'CHACHA20-POLY1305-HMAC-SHA2-256' => 'chacha20_poly1305-sha2_256',
+-	'3DES-CBC-HMAC-SHA1'          => '3des-sha1',
+	'AES-256-CBC-HMAC-SHA2-512'       => 'sha2_512',
+	'AES-256-CBC-HMAC-SHA2-256'       => 'sha2_256',
+	'AES-128-CBC-HMAC-SHA2-256'       => 'sha2_256',
+# Not needed for IKEv2
+#	'AES-256-CBC-HMAC-SHA1'           => 'sha1',
+#	'AES-128-CBC-HMAC-SHA1'           => 'sha1',
+	'AES-256-GCM-HMAC-SHA2-512'       => 'sha2_512',
+	'AES-256-GCM-HMAC-SHA2-256'       => 'sha2_256',
+	'AES-128-GCM-HMAC-SHA2-512'       => 'sha2_512',
+	'AES-128-GCM-HMAC-SHA2-256'       => 'sha2_256',
+	'CHACHA20-POLY1305-HMAC-SHA2-512' => 'sha2_512',
+	'CHACHA20-POLY1305-HMAC-SHA2-256' => 'sha2_256',
+#	'3DES-CBC-HMAC-SHA1'              => 'sha1',
+ );
+ 
+ my %cipher_mac_map = (
+-	'AES-256-CBC-HMAC-SHA2-512'       => 'aes256-sha2_512',
+-	'AES-256-CBC-HMAC-SHA2-256'       => 'aes256-sha2_256',
+-	'AES-128-CBC-HMAC-SHA2-256'       => 'aes128-sha2_256',
+-	'AES-256-CBC-HMAC-SHA1'       => 'aes256-sha1',
+-	'AES-128-CBC-HMAC-SHA1'       => 'aes128-sha1',
+-	'AES-256-GCM-AEAD'            => 'aes_gcm256',
+-	'AES-128-GCM-AEAD'            => 'aes_gcm128',
+-	'CHACHA20-POLY1305-AEAD'      => 'chacha20_poly1305',
+-	'3DES-CBC-HMAC-SHA1'          => '3des-sha1',
+	'AES-256-CBC-HMAC-SHA2-512'       => 'sha2_512',
+	'AES-256-CBC-HMAC-SHA2-256'       => 'sha2_256',
+	'AES-128-CBC-HMAC-SHA2-256'       => 'sha2_256',
+	'AES-256-CBC-HMAC-SHA1'       => 'sha1',
+	'AES-128-CBC-HMAC-SHA1'       => 'sha1',
+	'AES-256-GCM-AEAD'            => '',
+	'AES-128-GCM-AEAD'            => '',
+	'CHACHA20-POLY1305-AEAD'      => '',
+#	'3DES-CBC-HMAC-SHA1'          => '3des-sha1',
+ );
+ 
+ my %protocol_map = (
+@@ -147,35 +160,52 @@ sub generate_temp_policy() {
+ 	$tmp = '';
+ 
+ 	my $cipher;
+	my $cm;
+ 	my $group;
+ 	my $mac;
+	my $mm;
+ 	my $combo;
+ 
+ 	%mac_prio_map = %mac_ike_prio_map;
+ 	my @sorted_mac_list = sort compare @mac_list;
+ 
+-	foreach (@group_list) {
+-		$group = $group_map{$_};
+-		if (!defined($group) || $group eq '') {
+
+	foreach (@cipher_list) {
+		$cipher = $_;
+		$cm = $cipher_map{$cipher};
+		if (!defined($cm)) {
+#			print STDERR "libreswan: unknown cipher: $cipher\n";
+ 			next;
+ 		}
+		$combo = $cm."-";
+		foreach (@sorted_mac_list) {
+			$mac = $_;
+ 
+-		foreach (@cipher_list) {
+-			$cipher = $_;
+-			foreach (@sorted_mac_list) {
+-				$mac = $_;
+-
+-				my $cm=$cipher."-".$mac;
+-				$combo = $cipher_prf_map{$cm};
+-
+-				if (!defined($combo)) {
+-#					print STDERR "libreswan: unknown combo: $cipher-$mac\n";
+-					next;
+-				}
+			$mm = $cipher_prf_map{$cipher."-".$mac};
+ 
+-				append("${combo};${group}", \$tmp);
+			if (!defined($mm)) {
+#				print STDERR "libreswan: unknown combo: $cipher-$mac\n";
+				next;
+ 			}
+
+			$combo = $combo.$mm."+";
+ 		}
+
+		my $lastc = substr($combo, -1);
+		if ($lastc eq "-") {
+			next;
+		}
+		# Replace the last + with -
+		substr($combo, -1) = "-";
+		foreach (@group_list) {
+			$group = $group_map{$_};
+			if (!defined($group) || $group eq '') {
+				next;
+			}
+			$combo = $combo.$group."+";
+		}
+		substr($combo, -1) = '';
+		append("${combo}", \$tmp);
+ 	}
+ 
+ 	if ($tmp ne '') {
+@@ -189,20 +219,35 @@ sub generate_temp_policy() {
+ 	$tmp = '';
+ 	foreach (@cipher_list) {
+ 		$cipher = $_;
+		$cm = $cipher_map{$cipher};
+		if (!defined($cm)) {
+#			print STDERR "libreswan: unknown cipher: $cipher\n";
+			next;
+		}
+		$combo = $cm."-";
+ 		foreach (@sorted_mac_list) {
+ 			$mac = $_;
+ 
+-			my $cm=$cipher."-".$mac;
+-			$combo = $cipher_mac_map{$cm};
+			$mm = $cipher_mac_map{$cipher."-".$mac};
+ 
+-			if (!defined($combo)) {
+			if (!defined($mm)) {
+ 				next;
+ 			}
+ 
+-			if ($tmp !~ $combo) {
+-				append("${combo}", \$tmp);
+			if ($mm eq '') {
+				# Special handling for AEAD
+				substr($combo, -1) = '+';
+			} else {
+				$combo = $combo.$mm."+";
+ 			}
+ 		}
+
+		my $lastc = substr($combo, -1);
+		if ($lastc eq "-") {
+			next;
+		}
+		substr($combo, -1) = '';
+		append("${combo}", \$tmp);
+ 	}
+ 
+ 	if ($tmp ne '') {
+diff -up crypto-policies/tests/outputs/DEFAULT-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/DEFAULT-libreswan.txt
+--- crypto-policies/tests/outputs/DEFAULT-libreswan.txt.libreswan-fix	2018-12-17 17:01:44.000000000 +0100
+++ crypto-policies/tests/outputs/DEFAULT-libreswan.txt	2019-02-18 10:34:57.526777910 +0100
+@@ -1,5 +1,5 @@
+ conn %default
+ 	ikev2=insist
+ 	pfs=yes
+-	ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,chacha20_poly1305-sha2_512;dh19,chacha20_poly1305-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes256-sha1;dh19,aes_gcm128-sha2_512;dh19,aes_gcm128-sha2_256;dh19,aes128-sha2_256;dh19,aes128-sha1;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,chacha20_poly1305-sha2_512;dh20,chacha20_poly1305-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes256-sha1;dh20,aes_gcm128-sha2_512;dh20,aes_gcm128-sha2_256;dh20,aes128-sha2_256;dh20,aes128-sha1;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,chacha20_poly1305-sha2_512;dh21,chacha20_poly1305-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes256-sha1;dh21,aes_gcm128-sha2_512;dh21,aes_gcm128-sha2_256;dh21,aes128-sha2_256;dh21,aes128-sha1;dh21,aes_gcm256-sha2_512;dh14,aes_gcm256-sha2_256;dh14,chacha20_poly1305-sha2_512;dh14,chacha20_poly1305-sha2_256;dh14,aes256-sha2_512;dh14,aes256-sha2_256;dh14,aes256-sha1;dh14,aes_gcm128-sha2_512;dh14,aes_gcm128-sha2_256;dh14,aes128-sha2_256;dh14,aes128-sha1;dh14,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,chacha20_poly1305-sha2_512;dh15,chacha20_poly1305-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes256-sha1;dh15,aes_gcm128-sha2_512;dh15,aes_gcm128-sha2_256;dh15,aes128-sha2_256;dh15,aes128-sha1;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,chacha20_poly1305-sha2_512;dh16,chacha20_poly1305-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes256-sha1;dh16,aes_gcm128-sha2_512;dh16,aes_gcm128-sha2_256;dh16,aes128-sha2_256;dh16,aes128-sha1;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,chacha20_poly1305-sha2_512;dh18,chacha20_poly1305-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18,aes256-sha1;dh18,aes_gcm128-sha2_512;dh18,aes_gcm128-sha2_256;dh18,aes128-sha2_256;dh18,aes128-sha1;dh18
+-	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512,aes256-sha1,aes256-sha2_256,aes_gcm128,aes128-sha1,aes128-sha2_256
+	ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
+	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
+diff -up crypto-policies/tests/outputs/FIPS-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/FIPS-libreswan.txt
+--- crypto-policies/tests/outputs/FIPS-libreswan.txt.libreswan-fix	2018-12-17 17:01:44.000000000 +0100
+++ crypto-policies/tests/outputs/FIPS-libreswan.txt	2019-02-18 10:34:57.526777910 +0100
+@@ -1,5 +1,5 @@
+ conn %default
+ 	ikev2=insist
+ 	pfs=yes
+-	ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes256-sha1;dh19,aes_gcm128-sha2_512;dh19,aes_gcm128-sha2_256;dh19,aes128-sha2_256;dh19,aes128-sha1;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes256-sha1;dh20,aes_gcm128-sha2_512;dh20,aes_gcm128-sha2_256;dh20,aes128-sha2_256;dh20,aes128-sha1;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes256-sha1;dh21,aes_gcm128-sha2_512;dh21,aes_gcm128-sha2_256;dh21,aes128-sha2_256;dh21,aes128-sha1;dh21,aes_gcm256-sha2_512;dh14,aes_gcm256-sha2_256;dh14,aes256-sha2_512;dh14,aes256-sha2_256;dh14,aes256-sha1;dh14,aes_gcm128-sha2_512;dh14,aes_gcm128-sha2_256;dh14,aes128-sha2_256;dh14,aes128-sha1;dh14,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes256-sha1;dh15,aes_gcm128-sha2_512;dh15,aes_gcm128-sha2_256;dh15,aes128-sha2_256;dh15,aes128-sha1;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes256-sha1;dh16,aes_gcm128-sha2_512;dh16,aes_gcm128-sha2_256;dh16,aes128-sha2_256;dh16,aes128-sha1;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18,aes256-sha1;dh18,aes_gcm128-sha2_512;dh18,aes_gcm128-sha2_256;dh18,aes128-sha2_256;dh18,aes128-sha1;dh18
+-	esp=aes_gcm256,aes256-sha2_512,aes256-sha1,aes256-sha2_256,aes_gcm128,aes128-sha1,aes128-sha2_256
+	ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
+	esp=aes_gcm256,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
+diff -up crypto-policies/tests/outputs/FUTURE-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/FUTURE-libreswan.txt
+--- crypto-policies/tests/outputs/FUTURE-libreswan.txt.libreswan-fix	2018-12-17 17:01:44.000000000 +0100
+++ crypto-policies/tests/outputs/FUTURE-libreswan.txt	2019-02-18 10:34:57.527777893 +0100
+@@ -1,5 +1,5 @@
+ conn %default
+ 	ikev2=insist
+ 	pfs=yes
+-	ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,chacha20_poly1305-sha2_512;dh19,chacha20_poly1305-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,chacha20_poly1305-sha2_512;dh20,chacha20_poly1305-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,chacha20_poly1305-sha2_512;dh21,chacha20_poly1305-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,chacha20_poly1305-sha2_512;dh15,chacha20_poly1305-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,chacha20_poly1305-sha2_512;dh16,chacha20_poly1305-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,chacha20_poly1305-sha2_512;dh18,chacha20_poly1305-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18
+-	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512,aes256-sha2_256
+	ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18
+	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha2_256
+diff -up crypto-policies/tests/outputs/LEGACY-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/LEGACY-libreswan.txt
+--- crypto-policies/tests/outputs/LEGACY-libreswan.txt.libreswan-fix	2018-12-17 17:01:44.000000000 +0100
+++ crypto-policies/tests/outputs/LEGACY-libreswan.txt	2019-02-18 10:34:57.527777893 +0100
+@@ -1,5 +1,5 @@
+ conn %default
+ 	ikev2=insist
+ 	pfs=yes
+-	ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,chacha20_poly1305-sha2_512;dh19,chacha20_poly1305-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes256-sha1;dh19,aes_gcm128-sha2_512;dh19,aes_gcm128-sha2_256;dh19,aes128-sha2_256;dh19,aes128-sha1;dh19,3des-sha1;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,chacha20_poly1305-sha2_512;dh20,chacha20_poly1305-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes256-sha1;dh20,aes_gcm128-sha2_512;dh20,aes_gcm128-sha2_256;dh20,aes128-sha2_256;dh20,aes128-sha1;dh20,3des-sha1;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,chacha20_poly1305-sha2_512;dh21,chacha20_poly1305-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes256-sha1;dh21,aes_gcm128-sha2_512;dh21,aes_gcm128-sha2_256;dh21,aes128-sha2_256;dh21,aes128-sha1;dh21,3des-sha1;dh21,aes_gcm256-sha2_512;dh5,aes_gcm256-sha2_256;dh5,chacha20_poly1305-sha2_512;dh5,chacha20_poly1305-sha2_256;dh5,aes256-sha2_512;dh5,aes256-sha2_256;dh5,aes256-sha1;dh5,aes_gcm128-sha2_512;dh5,aes_gcm128-sha2_256;dh5,aes128-sha2_256;dh5,aes128-sha1;dh5,3des-sha1;dh5,aes_gcm256-sha2_512;dh14,aes_gcm256-sha2_256;dh14,chacha20_poly1305-sha2_512;dh14,chacha20_poly1305-sha2_256;dh14,aes256-sha2_512;dh14,aes256-sha2_256;dh14,aes256-sha1;dh14,aes_gcm128-sha2_512;dh14,aes_gcm128-sha2_256;dh14,aes128-sha2_256;dh14,aes128-sha1;dh14,3des-sha1;dh14,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,chacha20_poly1305-sha2_512;dh15,chacha20_poly1305-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes256-sha1;dh15,aes_gcm128-sha2_512;dh15,aes_gcm128-sha2_256;dh15,aes128-sha2_256;dh15,aes128-sha1;dh15,3des-sha1;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,chacha20_poly1305-sha2_512;dh16,chacha20_poly1305-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes256-sha1;dh16,aes_gcm128-sha2_512;dh16,aes_gcm128-sha2_256;dh16,aes128-sha2_256;dh16,aes128-sha1;dh16,3des-sha1;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,chacha20_poly1305-sha2_512;dh18,chacha20_poly1305-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18,aes256-sha1;dh18,aes_gcm128-sha2_512;dh18,aes_gcm128-sha2_256;dh18,aes128-sha2_256;dh18,aes128-sha1;dh18,3des-sha1;dh18
+-	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512,aes256-sha1,aes256-sha2_256,aes_gcm128,aes128-sha1,aes128-sha2_256,3des-sha1
+	ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18
+	esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
--- a/SOURCES/crypto-policies-manpage.patch
+++ b/SOURCES/crypto-policies-manpage.patch
@ -0,0 +1,55 @@
+diff --git a/update-crypto-policies.8.txt b/update-crypto-policies.8.txt
+index 7a1564c..3655ba8 100644
+--- a/update-crypto-policies.8.txt
+++ b/update-crypto-policies.8.txt
+@@ -32,24 +32,13 @@ SYNOPSIS
+ 
+ DESCRIPTION
+ -----------
+-update-crypto-policies(8) is used to set the policy applicable for the
+*update-crypto-policies(8)* is used to set the policy applicable for the
+ various cryptographic back-ends, such as SSL/TLS libraries. That will
+ be the default policy used by these back-ends unless the application user
+ configures them otherwise.
+ 
+-The available policies are restricted to the following profiles.
+-
+-* LEGACY: Ensures maximum compatibility with legacy systems (64-bit
+-  security)
+-
+-* DEFAULT: A reasonable default for today's standards (80-bit security).
+-
+-* FUTURE: A level that will provide security on a conservative level that is
+-  believed to withstand any near-term future attacks (112-bit security).
+-
+-* FIPS: Policy that enables only FIPS 140-2 approved or allowed algorithms.
+-
+-* EMPTY: All cryptographic algorithms are disabled (used for debugging only)
+The available policies are described in the *crypto-policies(7)* manual
+page.
+ 
+ The desired system policy is selected in /etc/crypto-policies/config
+ and this tool will generate the individual policy requirements for
+@@ -201,10 +190,11 @@ In case of a parsing error no policies will be updated.
+ FILES
+ -----
+ /etc/crypto-policies/config::
+-	The file contains the current system policy. It should contain a string of one of the profiles listed above (e.g., DEFAULT).
+	The file contains the current system policy. It should contain a string of one of the
+	profiles listed in the *crypto-policies(7)* page (e.g., DEFAULT).
+ 
+ /etc/crypto-policies/back-ends::
+-	Contains the generated policies in separated files, and in a format readable by the supported back-ends.
+	Contains the generated policies in separated files, and in a format readable by the supported back ends.
+ 
+ /etc/crypto-policies/local.d::
+ 	Contains additional files to be appended to the generated policy
+@@ -218,7 +208,7 @@ FILES
+ 
+ SEE ALSO
+ --------
+-fips-mode-setup(8)
+crypto-policies(7), fips-mode-setup(8)
+ 
+ AUTHOR
+ ------
--- a/SOURCES/crypto-policies.7
+++ b/SOURCES/crypto-policies.7
--- a/SOURCES/crypto-policies.7.txt
+++ b/SOURCES/crypto-policies.7.txt
@ -0,0 +1,254 @@
+////
+Copyright (C) 2019 Red Hat, Inc.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU Lesser General Public License as published by
+the Free Software Foundation; either version 2.1 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+////
+
+
+crypto-policies(7)
+==================
+:doctype: manpage
+:man source: crypto-policies
+
+
+NAME
+----
+crypto-policies - system-wide crypto policies overview
+
+
+DESCRIPTION
+-----------
+The security of cryptographic components of the operating system
+does not remain constant over time. Algorithms, such as
+cryptographic hashing and encryption, typically have a lifetime,
+after which they are considered either too risky to use or plain insecure.
+That means, we need to phase out such algorithms from the default
+settings or completely disable them if they could cause an irreparable problem.
+
+While in the past the algorithms were not disabled in a consistent way
+and different applications applied different policies, the system-wide
+crypto-policies followed by the crypto core components allow consistently
+deprecating and disabling algorithms system-wide.
+
+The individual policy levels (*DEFAULT*, *LEGACY*, *FUTURE*, and *FIPS*)
+are included in the *crypto-policies(7)* package. In the future, there will
+be also a mechanism for easy creation and deployment of policies defined
+by the system administrator or a third party vendor.
+
+For rationale, see *RFC 7457* for a list of attacks taking advantage of
+legacy crypto algorithms.
+
+COVERED APPLICATIONS
+--------------------
+
+Crypto-policies apply to the configuration of the core cryptographic subsystems,
+covering *TLS*, *IKE*, *IPSec*, *DNSSec*, and *Kerberos* protocols; i.e., the
+supported secure communications protocols on the base operating system.
+
+Once an application runs in the operating system, it follows the default
+or selected policy and refuses to fall back to algorithms and protocols not
+within the policy, unless the user has explicitly requested the application
+to do so. That is, the policy applies to the default behavior of applications
+when running with the system-provided configuration but the user can override
+it on an application-specific basis.
+
+The policies currently provide settings for these applications and libraries:
+
+* *BIND* DNS name server daemon
+* *GnuTLS* TLS library
+* *OpenJDK* runtime environment
+* *Kerberos 5* library
+* *Libreswan* IPsec and IKE protocol implementation
+* *NSS* TLS library
+* *OpenSSH* SSH2 protocol implementation
+* *OpenSSL* TLS library
+
+Applications using the above libraries and tools are covered by the
+cryptographic policies unless they are explicitly configured not to be so.
+
+PROVIDED POLICY LEVELS
+----------------------
+
+*LEGACY*::
+  This policy ensures maximum compatibility with legacy systems; it is
+  less secure and it includes support for *TLS 1.0*, *TLS 1.1*, and *SSH2*
+  protocols or later. The algorithms *DSA*, *3DES*, and *RC4* are allowed,
+  while *RSA* and *Diffie-Hellman* parameters are accepted if larger than 1023 bits.
+  The level provides at least 64-bit security.
+
+  * MACs: all *HMAC* with *SHA-1* or better + all modern MACs (*Poly1305*
+    etc.)
+  * Curves: all prime >= 255 bits (including Bernstein curves)
+  * Signature algorithms: with *SHA1* hash or better (*DSA* allowed)
+  * *TLS* Ciphers: all available >= 112-bit key, >= 128-bit block (including
+    *RC4* and *3DES*)
+  * Non-TLS Ciphers: same as *TLS* ciphers with added *Camellia*
+  * Key exchange: *ECDHE*, *RSA*, *DHE*
+  * *DH* params size: >= 1023
+  * *RSA* keys size: >= 1023
+  * *DSA* params size: >= 1023
+  * *TLS* protocols: *TLS* >= 1.0, *DTLS* >= 1.0
+
+*DEFAULT*::
+  The *DEFAULT* policy is a reasonable default policy for today's standards,
+  compatible with *PCI-DSS* requirements. It allows the *TLS 1.2* and
+  *TLS 1.3* protocols, as well as *IKEv2* and *SSH2*. The *RSA* and
+  *Diffie-Hellman* parameters are accepted if larger than 2047 bits.
+  The level provides at least 112-bit security with the exception of *SHA-1*
+  signatures needed for *DNSSec* and other still prevalent legacy use of
+  *SHA-1* signatures.
+
+  * MACs: all *HMAC* with *SHA-1* or better + all modern MACs (*Poly1305*
+    etc.)
+  * Curves: all prime >= 255 bits (including Bernstein curves)
+  * Signature algorithms: with *SHA-1* hash or better (no *DSA*)
+  * *TLS* Ciphers: >= 128-bit key, >= 128-bit block (*AES*, *ChaCha20*,
+    including *AES-CBC*)
+  * non-TLS Ciphers: as *TLS* Ciphers with added *Camellia*
+  * key exchange: *ECDHE*, *RSA*, *DHE* (no *DHE-DSS*)
+  * *DH* params size: >= 2048
+  * *RSA* keys size: >= 2048
+  * *TLS* protocols: *TLS* >= 1.2, *DTLS* >= 1.2
+
+*FUTURE*::
+  A conservative security level that is believed to withstand any near-term
+  future attacks. This level does not allow the use of *SHA-1* in signature
+  algorithms. The level also provides some (not complete) preparation for
+  post-quantum encryption support in form of 256-bit symmetric encryption
+  requirement. The *RSA* and *Diffie-Hellman* parameters are accepted if
+  larger than 3071 bits. The level provides at least 128-bit security.
+
+  * MACs: all *HMAC* with *SHA-256* or better + all modern MACs (*Poly1305*
+    etc.)
+  * Curves: all prime >= 255 bits (including Bernstein curves)
+  * Signature algorithms: with *SHA-256* hash or better (no *DSA*)
+  * *TLS* Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated
+    Encryption (AE) ciphers
+  * non-TLS Ciphers: same as *TLS* ciphers with added non AE ciphers and
+    *Camellia*
+  * key exchange: *ECDHE*, *DHE* (no *DHE-DSS*, no *RSA*)
+  * *DH* params size: >= 3072
+  * *RSA* keys size: >= 3072
+  * *TLS* protocols: *TLS* >= 1.2, *DTLS* >= 1.2
+
+
+*FIPS*::
+  A level that conforms to the *FIPS 140-2* requirements. This policy is used
+  internally by the *fips-mode-setup(8)* tool which can switch the system
+  into the *FIPS 140-2* compliance mode.
+  The level provides at least 112-bit security.
+
+  * MACs: all *HMAC* with *SHA1* or better
+  * Curves: all prime >= 256 bits
+  * Signature algorithms: with *SHA-256* hash or better (no *DSA*)
+  * *TLS* Ciphers: >= 128-bit key, >= 128-bit block (*AES*,
+    including *AES-CBC*)
+  * non-TLS Ciphers: same as *TLS* Ciphers
+  * key exchange: *ECDHE*, *DHE* (no *DHE-DSS*, no *RSA*)
+  * *DH* params size: >= 2048
+  * *RSA* params size: >= 2048
+  * *TLS* protocols: *TLS* >= 1.2, *DTLS* >= 1.2
+
+*EMPTY*::
+  All cryptographic algorithms are disabled (used for debugging only, do not
+  use).
+
+COMMANDS
+--------
+
+*update-crypto-policies(8)*::
+  This command manages the policies available to the various cryptographic
+  back ends and allows the system administrator to change the active
+  cryptographic policy level.
+
+*fips-mode-setup(8)*::
+  This command allows the system administrator to enable, or disable the
+  system FIPS mode and also apply the *FIPS* cryptographic policy level
+  which limits the allowed algorithms and protocols to these allowed by
+  the FIPS 140-2 requirements.
+
+
+NOTES
+-----
+
+*Exceptions:*
+
+* *Go-language* applications do not yet follow the system-wide policy.
+* *Libssh* applications do not yet follow the system-wide policy.
+* *GnuPG-2* application does not follow the system-wide policy.
+
+In general only the data-in-transit is currently covered by the system-wide
+policy.
+
+If the system administrator changes the system-wide policy level with
+the *update-crypto-policies(8)* command it is advisable to restart the
+system as the individual back-end libraries read the configuration files
+usually during their initialization. The changes in the policy level
+thus take place in most cases only when the applications using the back-end
+libraries are restarted.
+
+*Removed cipher suites and protocols*
+
+The following cipher suites and protocols are completely removed from the
+core cryptographic libraries listed above:
+
+* *DES*
+* All export grade cipher suites
+* *MD5* in signatures
+* *SSLv2*
+* *SSLv3*
+* All *ECC* curves smaller than 224 bits
+* All binary field *ECC* curves
+
+*Cipher suites and protocols disabled in all policy levels*
+
+The following ciphersuites and protocols are available but disabled in all
+crypto policy levels. They can be enabled only by explicit configuration
+of individual applications:
+
+* *DH* with parameters < 1024 bits
+* *RSA* with key size < 1024 bits
+* *Camellia*
+* *ARIA*
+* *SEED*
+* *IDEA*
+* Integrity only ciphersuites
+* *TLS* *CBC mode* ciphersuites using *SHA-384* HMAC
+* *AES-CCM8*
+* all *ECC* curves incompatible with *TLS 1.3*, including secp256k1
+* *IKEv1*
+
+
+FILES
+-----
+/etc/crypto-policies/back-ends::
+	The individual cryptographical back-end configuration files.
+	Usually linked to the configuration shipped in the crypto-policies
+	package unless a configuration from *local.d* is added.
+
+/etc/crypto-policies/config::
+	The active crypto-policies level set on the system.
+
+/etc/crypto-policies/local.d::
+	Additional configuration shipped by other packages or created by
+	the system administrator. The contents of the *<back-end>-file.config*
+	is appended to the configuration from the policy back end as
+	shipped in the crypto-policies package.
+
+
+SEE ALSO
+--------
+update-crypto-policies(8), fips-mode-setup(8)
+
+
+AUTHOR
+------
+Written by Tomáš Mráz.
--- a/SPECS/crypto-policies.spec
+++ b/SPECS/crypto-policies.spec
@ -0,0 +1,379 @@
+%global git_date 20181217
+%global git_commit_hash 9a35207
+
+Name:           crypto-policies
+Version:        %{git_date}
+Release:        6.git%{git_commit_hash}%{?dist}
+Summary:        Systemwide crypto policies
+
+License:        LGPLv2+
+URL:            https://gitlab.com/redhat-crypto/fedora-crypto-policies
+
+# This is a tarball of the git repository without the .git/
+# directory.
+# For RHEL-8 we use the upstream branch next-default.
+Source0:        crypto-policies-git%{git_commit_hash}.tar.gz
+Source1:        crypto-policies.7.txt
+Source2:        crypto-policies.7
+Patch1:         crypto-policies-manpage.patch
+Patch2:         crypto-policies-java-fix.patch
+Patch3:         crypto-policies-libreswan-fix.patch
+
+BuildArch: noarch
+BuildRequires: asciidoc
+BuildRequires: libxslt
+BuildRequires: openssl
+BuildRequires: gnutls-utils >= 3.6.0
+BuildRequires: java-1.8.0-openjdk-devel
+BuildRequires: bind
+BuildRequires: perl-interpreter
+BuildRequires: perl-generators
+BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
+BuildRequires: perl(File::Which)
+BuildRequires: python3-devel
+
+# used by update-crypto-policies
+Requires: coreutils
+Requires: grep
+Requires: sed
+Requires(post): coreutils
+Requires(post): grep
+Requires(post): sed
+# used by fips-mode-setup
+Recommends: grubby
+
+%description
+This package provides a tool update-crypto-policies, which sets
+the policy applicable for the various cryptographic back-ends, such as
+SSL/TLS libraries. The policy set by the tool will be the default policy
+used by these back-ends unless the application user configures them otherwise.
+
+The package also provides a tool fips-mode-setup, which can be used
+to enable or disable the system FIPS mode.
+
+%prep
+%setup -q -n %{name}
+%patch1 -p1 -b .manpage
+%patch2 -p1 -b .java-fix
+%patch3 -p1 -b .libreswan-fix
+
+%build
+make %{?_smp_mflags}
+
+%install
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man7
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8
+mkdir -p -m 755 %{buildroot}%{_bindir}
+
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir}/man8 %{?_smp_mflags} install
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+install -p -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man7/crypto-policies.7
+
+%check
+make check %{?_smp_mflags}
+
+%post
+%{_bindir}/update-crypto-policies --no-check >/dev/null
+
+
+%files
+
+%dir %{_sysconfdir}/crypto-policies/
+%dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_datarootdir}/crypto-policies/
+
+%config(noreplace) %{_sysconfdir}/crypto-policies/config
+
+%ghost %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/openjdk.config
+%ghost %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+
+%{_bindir}/update-crypto-policies
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
+%{_mandir}/man7/crypto-policies.7.gz
+%{_mandir}/man8/update-crypto-policies.8.gz
+%{_mandir}/man8/fips-mode-setup.8.gz
+%{_mandir}/man8/fips-finish-install.8.gz
+%{_datarootdir}/crypto-policies/LEGACY/*
+%{_datarootdir}/crypto-policies/DEFAULT/*
+%{_datarootdir}/crypto-policies/FUTURE/*
+%{_datarootdir}/crypto-policies/FIPS/*
+%{_datarootdir}/crypto-policies/EMPTY/*
+%{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/reload-cmds.sh
+
+%{!?_licensedir:%global license %%doc}
+%license COPYING.LESSER
+
+%changelog
+* Mon Feb 18 2019 Tomáš Mráz <tmraz@redhat.com> - 20181217-6.git9a35207
+- libreswan: Allow coalescing the IKE/IPSEC proposals
+
+* Fri Feb  8 2019 Tomáš Mráz <tmraz@redhat.com> - 20181217-5.git9a35207
+- cleanups of the crypto-policies.7 manual page
+
+* Fri Feb  1 2019 Tomáš Mráz <tmraz@redhat.com> - 20181217-4.git9a35207
+- Java: Fix FIPS and FUTURE policy to allow RSA certificates in TLS
+
+* Tue Jan 22 2019 Tomáš Mráz <tmraz@redhat.com> - 20181217-3.git9a35207
+- cleanup duplicate and incorrect information from update-crypto-policies.8
+  manual page
+
+* Mon Jan 21 2019 Tomáš Mráz <tmraz@redhat.com> - 20181217-2.git9a35207
+- add crypto-policies.7 manual page
+
+* Mon Dec 17 2018 Tomáš Mráz <tmraz@redhat.com> - 20181217-1.git9a35207
+- update-crypto-policies: Fix endless loop
+- update-crypto-policies: Add warning about the need of system restart
+- fips-mode-setup: Use grub2-editenv to modify the kernelopts for BLS
+
+* Thu Nov 22 2018 Tomáš Mráz <tmraz@redhat.com> - 20181122-1.git70769d9
+- update-crypto-policies: fix error on multiple matches in local.d
+- Print warning when update-crypto-policies --set is used in the FIPS mode
+- Java: Add 3DES and RC4 to legacy algorithms in LEGACY policy
+- OpenSSL: Properly disable non AEAD and AES128 ciphersuites in FUTURE
+- libreswan: Add chacha20_poly1305 to all policies and drop ikev1 from LEGACY
+
+* Fri Oct 26 2018 Tomáš Mráz <tmraz@redhat.com> - 20181026-1.gitcc78cb7
+- Fix regression in discovery of additional configuration
+- NSS: add DSA keyword to LEGACY policy
+- GnuTLS: Add 3DES and RC4 to LEGACY policy
+
+* Tue Sep 25 2018 Tomáš Mráz <tmraz@redhat.com> - 20180925-2.git3ce363a
+- Improve the package description
+
+* Tue Sep 25 2018 Tomáš Mráz <tmraz@redhat.com> - 20180925-1.git3ce363a
+- Use Recommends instead of Requires for grubby
+- Revert setting of HostKeyAlgorithms for ssh client for now
+
+* Fri Sep 21 2018 Tomáš Mráz <tmraz@redhat.com> - 20180921-1.git62bafde
+- OpenSSH: Generate policy for sign algorithms
+- Enable >= 255 bits EC curves in FUTURE policy
+- OpenSSH: Add group1 key exchanges in LEGACY policy
+- NSS: Add SHA224 to hash lists
+- Print warning when update-crypto-policies --set FIPS is used
+- fips-mode-setup: Kernel boot options are now modified with grubby
+
+* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 20180801-2.git2b95ede
+- Fix build to use the system python
+
+* Wed Aug  1 2018 Tomáš Mráz <tmraz@redhat.com> - 20180801-1.git2b95ede
+- Add OpenSSL configuration file include support
+- Disable TLS-1.0, 1.1 and DH with less than 2048 bits in DEFAULT policy
+
+* Tue Jul 24 2018 Tomáš Mráz <tmraz@redhat.com> - 20180723-1.gitdb825c0
+- Initial FIPS mode setup support
+- NSS: Add tests for the generated policy
+- Enable TLS-1.3 if available in the respective TLS library
+- Enable SHA1 in certificates in LEGACY policy
+- Disable CAMELLIA
+- libreswan: Multiple bug fixes in policies
+
+* Wed Apr 25 2018 Tomáš Mráz <tmraz@redhat.com> - 20180425-1.git6ad4018
+- Restart/reload only enabled services
+- Do not enable PSK ciphersuites by default in gnutls and openssl
+- krb5: fix when more than 2048 bits keys are required
+- Fix discovery of additional configurations #1564595
+- Fix incorrect ciphersuite setup for libreswan
+
+* Tue Mar  6 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20180306-1.gitaea6928
+- Updated policy to reduce DH parameter size on DEFAULT level, taking into
+  account feedback in #1549242,1#534532.
+- Renamed openssh-server.config to opensshserver.config to reduce conflicts
+  when local.d/ appending is used.
+
+* Tue Feb 27 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20180227-1.git0ce1729
+- Updated to include policies for libreswan
+
+* Mon Feb 12 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20180112-1.git386e3fe
+- Updated to apply the settings as in StrongCryptoSettings project. The restriction
+  to TLS1.2, is not yet applied as we have no method to impose that in openssl.
+  https://fedoraproject.org/wiki/Changes/StrongCryptoSettings
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 20171115-3.git921600e
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 20171115-2.git921600e
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Nov 15 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20171115-1.git921600e
+- Updated openssh policies for new openssh without rc4
+- Removed policies for compat-gnutls28
+
+* Wed Aug 23 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20170823-1.git8d18c27
+- Updated gnutls policies for 3.6.0
+
+* Wed Aug 16 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20170816-1.git2618a6c
+- Updated to latest upstream
+- Restarts openssh server on policy update
+
+* Wed Aug  2 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20170802-1.git9300620
+- Updated to latest upstream
+- Reloads openssh server on policy update
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 20170606-4.git7c32281
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jul 25 2017 Igor Gnatenko <ignatenko@redhat.com> - 20170606-3.git7c32281
+- Restore Requires(post)
+
+* Mon Jul 24 2017 Troy Dawson <tdawson@redhat.com> 20170606-2.git7c32281
+- perl dependency renamed to perl-interpreter <ppisar@redhat.com>
+- remove useless Requires(post) <ignatenko@redhat.com>
+- Fix path of libdir in generate-policies.pl (#1474442) <tdawson@redhat.com>
+
+* Tue Jun  6 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20170606-1.git7c32281
+- Updated to latest upstream
+- Allows gnutls applications in LEGACY mode, to use certificates of 768-bits
+
+* Wed May 31 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20170531-1.gitce0df7b
+- Updated to latest upstream
+- Added new kerberos key types
+
+* Sat Apr 01 2017 Björn Esser <besser82@fedoraproject.org> - 20170330-3.git55b66da
+- Add Requires for update-crypto-policies in %%post
+
+* Fri Mar 31 2017 Petr Šabata <contyk@redhat.com> - 20170330-2.git55b66da
+- update-crypto-policies uses gred and sed, require them
+
+* Thu Mar 30 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20170330-1-git55b66da
+- GnuTLS policies include RC4 in legacy mode (#1437213)
+
+* Fri Feb 17 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20160214-2-gitf3018dd
+- Added openssh file
+
+* Tue Feb 14 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20160214-1-gitf3018dd
+- Updated policies for BIND to address #1421875
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 20161111-2.gita2363ce
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Nov 11 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20161111-1-gita2363ce
+- Include OpenJDK documentation.
+
+* Tue Sep 27 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20160926-2-git08b5501
+- Improved messages on error.
+
+* Mon Sep 26 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20160926-1-git08b5501
+- Added support for openssh client policy
+
+* Wed Sep 21 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20160921-1-git75b9b04
+- Updated with latest upstream.
+
+* Thu Jul 21 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20160718-2-gitdb5ca59
+- Added support for administrator overrides in generated policies in local.d
+
+* Thu Jul 21 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20160718-1-git340cb69
+- Fixed NSS policy generation to include allowed hash algorithms
+
+* Wed Jul 20 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20160718-1-gitcaa4a8d
+- Updated to new version with auto-generated policies
+
+* Mon May 16 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20160516-1-git8f69c35
+- Generate policies for NSS
+- OpenJDK policies were updated for opendjk 8
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 20151104-2.gitf1cba5f
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Nov  4 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20151104-1-gitcf1cba5f
+- Generate policies for compat-gnutls28 (#1277790)
+
+* Fri Oct 23 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20151005-2-gitc8452f8
+- Generated files are put in a %%ghost directive
+
+* Mon Oct  5 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20151005-1-gitc8452f8
+- Updated policies from upstream
+- Added support for the generation of libkrb5 policy
+- Added support for the generation of openjdk policy
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 20150518-2.gitffe885e
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon May 18 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20150518-1-gitffe885e
+- Updated policies to remove SSL 3.0 and RC4 (#1220679)
+
+* Fri Mar  6 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20150305-3-git2eeb03b
+- Added make check
+
+* Fri Mar  6 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20150305-2-git44afaa1
+- Removed support for SECLEVEL (#1199274)
+
+* Thu Mar  5 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20150305-1-git098a8a6
+- Include AEAD ciphersuites in gnutls (#1198979)
+
+* Sun Jan 25 2015 Peter Robinson <pbrobinson@fedoraproject.org> 20150115-3-git9ef7493
+- Bump release so lastest git snapshot is newer NVR
+
+* Thu Jan 15 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20150115-2-git9ef7493
+- Updated to newest upstream version.
+- Includes bind policies (#1179925)
+
+* Tue Dec 16 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20141124-2-gitd4aa178
+- Corrected typo in gnutls' future policy (#1173886)
+
+* Mon Nov 24 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20141124-1-gitd4aa178
+- re-enable SSL 3.0 (until its removal is coordinated with a Fedora change request)
+
+* Thu Nov 20 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20141120-1-git9a26a5b
+- disable SSL 3.0 (doesn't work in openssl)
+
+* Fri Sep 05 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20140905-1-git4649b7d
+- enforce the acceptable TLS versions in openssl
+
+* Wed Aug 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20140827-1-git4e06f1d
+- fix issue with RC4 being disabled in DEFAULT settings for openssl
+
+* Thu Aug 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20140814-1-git80e1e98
+- fix issue in post script run on upgrade (#1130074)
+
+* Tue Aug 12 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20140812-1-gitb914bfd
+- updated crypto-policies from repository
+
+* Fri Jul 11 2014 Tom Callaway <spot@fedoraproject.org> - 20140708-2-git3a7ae3f
+- fix license handling
+
+* Tue Jul 08 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20140708-1-git3a7ae3f
+- updated crypto-policies from repository
+
+* Fri Jun 20 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 20140620-1-gitdac1524
+- updated crypto-policies from repository
+- changed versioning
+
+* Thu Jun 12 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9-7-20140612gita2fa0c6
+- updated crypto-policies from repository
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-7.20140522gita50bad2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu May 29 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9-6-20140522gita50bad2
+- Require(post) coreutils (#1100335).
+
+* Tue May 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9-5-20140522gita50bad2
+- Require coreutils.
+
+* Thu May 22 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9-4-20140522gita50bad2
+- Install the default configuration file.
+
+* Wed May 21 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9-3-20140520git81364e4
+- Run update-crypto-policies after installation.
+
+* Tue May 20 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9-2-20140520git81364e4
+- Updated spec based on comments by Petr Lautrbach.
+
+* Mon May 19 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9-1-20140519gitf15621a
+- Initial package build
+
				`@ -0,0 +1 @@`
				`fde6f5eef3fa66d2b12ad3291cfef680727fdc42 SOURCES/crypto-policies-git9a35207.tar.gz`