|
|
|
|
@ -1,31 +1,9 @@
|
|
|
|
|
%global git_date 20231113
|
|
|
|
|
%global git_commit e9247c2b86669a983824300002a0f8fc9e8ce333
|
|
|
|
|
%global git_date 20240304
|
|
|
|
|
%global git_commit b1c706d663ae796caab6d1144668ba63ea84a28a
|
|
|
|
|
%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
|
|
|
|
|
|
|
|
|
|
%global _python_bytecompile_extra 0
|
|
|
|
|
|
|
|
|
|
# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
|
|
|
|
|
%if 0%{?rhel} == 9
|
|
|
|
|
# RHEL-9: must be RequiredRSASize in RHEL >= 9.2, Conflicts-enforced,
|
|
|
|
|
%global MIN_RSA_NAME RequiredRSASize
|
|
|
|
|
%elif 0%{?rhel} == 10
|
|
|
|
|
# ELN: RequiredRSASize for openssh >= 9.0p1-5, RSAMinSize for >= 9.0p1-2
|
|
|
|
|
%if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-5"
|
|
|
|
|
%global MIN_RSA_NAME RequiredRSASize
|
|
|
|
|
%elif v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-2"
|
|
|
|
|
%global MIN_RSA_NAME RSAMinSize
|
|
|
|
|
%else
|
|
|
|
|
%global MIN_RSA_NAME none
|
|
|
|
|
%endif
|
|
|
|
|
%else
|
|
|
|
|
# some other distro, follow autodetection which checks for openssh >= 9.1
|
|
|
|
|
%if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.1"
|
|
|
|
|
%global MIN_RSA_NAME RequiredRSASize
|
|
|
|
|
%else
|
|
|
|
|
%global MIN_RSA_NAME none
|
|
|
|
|
%endif
|
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
Name: crypto-policies
|
|
|
|
|
Version: %{git_date}
|
|
|
|
|
Release: 1.git%{git_commit_hash}%{?dist}
|
|
|
|
|
@ -44,26 +22,19 @@ BuildRequires: asciidoc
|
|
|
|
|
BuildRequires: libxslt
|
|
|
|
|
BuildRequires: openssl
|
|
|
|
|
BuildRequires: nss-tools
|
|
|
|
|
BuildRequires: gnutls-utils >= 3.6.0
|
|
|
|
|
BuildRequires: gnutls-utils
|
|
|
|
|
BuildRequires: openssh-clients
|
|
|
|
|
BuildRequires: java-devel
|
|
|
|
|
BuildRequires: bind
|
|
|
|
|
BuildRequires: perl-interpreter
|
|
|
|
|
BuildRequires: perl-generators
|
|
|
|
|
BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
|
|
|
|
|
BuildRequires: perl(File::Which)
|
|
|
|
|
BuildRequires: python3-devel >= 3.6
|
|
|
|
|
BuildRequires: python3-devel >= 3.9
|
|
|
|
|
BuildRequires: python3-pytest
|
|
|
|
|
BuildRequires: make
|
|
|
|
|
|
|
|
|
|
Conflicts: openssl < 1:3.0.1-10
|
|
|
|
|
Conflicts: openssl-libs < 1:3.0.1-10
|
|
|
|
|
Conflicts: nss < 3.90.0
|
|
|
|
|
Conflicts: libreswan < 3.28
|
|
|
|
|
Conflicts: openssh < 8.7p1-24
|
|
|
|
|
%if 0%{?rhel} == 10
|
|
|
|
|
Conflicts: gnutls < 3.7.2-3
|
|
|
|
|
%else
|
|
|
|
|
Conflicts: gnutls < 3.7.6-22
|
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
%description
|
|
|
|
|
This package provides pre-built configuration files with
|
|
|
|
|
@ -91,12 +62,11 @@ to enable or disable the system FIPS mode.
|
|
|
|
|
|
|
|
|
|
%build
|
|
|
|
|
sed -i \
|
|
|
|
|
"s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \
|
|
|
|
|
"s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
|
|
|
|
|
python/policygenerators/openssh.py
|
|
|
|
|
grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py
|
|
|
|
|
|
|
|
|
|
%if 0%{?rhel} == 10
|
|
|
|
|
# currently ELN 3.90-1 doesn't carry the TLS-REQUIRE-EMS patch
|
|
|
|
|
grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
|
|
|
|
|
%if 0%{?rhel} == 11
|
|
|
|
|
# currently ELN NSS doesn't carry the TLS-REQUIRE-EMS patch
|
|
|
|
|
sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
|
|
|
|
|
python/policygenerators/nss.py tests/nss.py
|
|
|
|
|
sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
|
|
|
|
|
@ -141,16 +111,7 @@ done
|
|
|
|
|
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
|
|
|
|
|
|
|
|
|
|
%check
|
|
|
|
|
# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
|
|
|
|
|
%if "%{MIN_RSA_NAME}" == "none"
|
|
|
|
|
sed -i '/RequiredRSASize .*/d' tests/outputs/*.txt
|
|
|
|
|
%elif "%{MIN_RSA_NAME}" == "RSAMinSize"
|
|
|
|
|
sed -i 's/RequiredRSASize/RSAMinSize/' tests/outputs/*.txt
|
|
|
|
|
%else
|
|
|
|
|
[ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7
|
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
make ON_RHEL9=1 test
|
|
|
|
|
make test SKIP_LINTING=1
|
|
|
|
|
|
|
|
|
|
%post -p <lua>
|
|
|
|
|
if not posix.access("%{_sysconfdir}/crypto-policies/config") then
|
|
|
|
|
@ -241,6 +202,17 @@ end
|
|
|
|
|
%{_mandir}/man8/fips-finish-install.8*
|
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
|
|
* Mon Mar 04 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240304-1.gitb1c706d
|
|
|
|
|
- packaging: remove perl build-dependency, it's not needed anymore
|
|
|
|
|
- packaging: use newly introduced SKIP_LINTING=1
|
|
|
|
|
- packaging: drop stale workarounds
|
|
|
|
|
|
|
|
|
|
* Fri Feb 02 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240202-1.git283706d
|
|
|
|
|
- fips-finish-install: make sure ostree is detected in chroot
|
|
|
|
|
- fips-mode-setup: make sure ostree is detected in chroot
|
|
|
|
|
- fips-finish-install: Create/remove /etc/system-fips on ostree systems
|
|
|
|
|
- java: disable ChaCha20-Poly1305 where applicable
|
|
|
|
|
|
|
|
|
|
* Mon Nov 13 2023 Clemens Lang <cllang@redhat.com> - 20231113-1.gite9247c2
|
|
|
|
|
- fips-mode-setup: Fix test for empty /boot (RHEL-11350)
|
|
|
|
|
- fips-mode-setup: Avoid 'boot=UUID=' if /boot == / (RHEL-11350)
|
|
|
|
|
|
Alexander Sosedkin