From 9eda40e0cd33c1bd2be3de1e10e1dd8e7eaf39ff Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 14 2020 01:12:35 +0000 Subject: import crypto-policies-20200629-1.git806b5d3.el8 --- diff --git a/.crypto-policies.metadata b/.crypto-policies.metadata index be05dcf..ace5a12 100644 --- a/.crypto-policies.metadata +++ b/.crypto-policies.metadata @@ -1 +1 @@ -2834b0c37f4c14cfeebb650da7565d2f3830c9c9 SOURCES/crypto-policies-git63fc906.tar.gz +b17e88d01d90c55feb4dd5f5e8faf8e96d3a8069 SOURCES/crypto-policies-git806b5d3.tar.gz diff --git a/.gitignore b/.gitignore index 3a1f41c..1069002 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/crypto-policies-git63fc906.tar.gz +SOURCES/crypto-policies-git806b5d3.tar.gz diff --git a/SPECS/crypto-policies.spec b/SPECS/crypto-policies.spec index c523b31..9e8a066 100644 --- a/SPECS/crypto-policies.spec +++ b/SPECS/crypto-policies.spec @@ -1,12 +1,12 @@ -%global git_date 20200527 -%global git_commit 63fc906fb32cd699f9bc0a48f9c3b9d0fa7310dd +%global git_date 20200629 +%global git_commit 806b5d33a0cac789fd07da2d2a7c25767b8533a7 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})} %global _python_bytecompile_extra 0 Name: crypto-policies Version: %{git_date} -Release: 4.git%{git_commit_hash}%{?dist} +Release: 1.git%{git_commit_hash}%{?dist} Summary: System-wide crypto policies License: LGPLv2+ @@ -27,16 +27,10 @@ BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy) BuildRequires: perl(File::Which) BuildRequires: python3-devel -# used by update-crypto-policies -Requires: coreutils -Requires: grep -Requires: sed -Requires(post): coreutils -Requires(post): grep -Requires(post): sed Conflicts: nss < 3.44.0 Conflicts: libreswan < 3.28 Conflicts: openssh < 8.0p1-5 +Conflicts: gnutls < 3.6.12 # Most users want this, the split is mostly for minimal images Recommends: crypto-policies-scripts 
@@ -102,30 +96,30 @@ make check %{?_smp_mflags} %post -p if not posix.access("%{_sysconfdir}/crypto-policies/config") then - local f = io.open("/proc/sys/crypto/fips_enabled", "r") - if f then - local policy = "DEFAULT" - if f:read() == "1" then + local policy = "DEFAULT" + local cf = io.open("/proc/sys/crypto/fips_enabled", "r") + if cf then + if cf:read() == "1" then policy = "FIPS" end - f:close() - local cf = io.open("%{_sysconfdir}/crypto-policies/config", "w") - if cf then - cf:write(policy.."\n") - cf:close() - end - cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w") - if cf then - cf:write(policy.."\n") - cf:close() - end - local policypath = "%{_datarootdir}/crypto-policies/"..policy - for fn in posix.files(policypath) do - local backend = fn:gsub(".*/", ""):gsub("%%..*", "") - local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config" - posix.unlink(cfgfn) - posix.symlink(policypath.."/"..fn, cfgfn) - end + cf:close() + end + cf = io.open("%{_sysconfdir}/crypto-policies/config", "w") + if cf then + cf:write(policy.."\n") + cf:close() + end + cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w") + if cf then + cf:write(policy.."\n") + cf:close() + end + local policypath = "%{_datarootdir}/crypto-policies/"..policy + for fn in posix.files(policypath) do + local backend = fn:gsub(".*/", ""):gsub("%%..*", "") + local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config" + posix.unlink(cfgfn) + posix.symlink(policypath.."/"..fn, cfgfn) end end 
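Review bot: When `/proc/sys/crypto/fips_enabled` cannot be opened, the scriptlet now silently writes `DEFAULT` to `config` and `state/current`. Because the outer `posix.access(...)` guard only runs this block while `config` is missing, that choice is not revisited on later upgrades. That is the intended fallback for chroot and image builds, but a system installed that way and later booted in FIPS mode would presumably stay on the DEFAULT policy until an administrator switches it. A comment above the first `io.open` would record this, e.g. `-- no /proc (chroot/image build): fall back to DEFAULT; FIPS hosts must set the policy after first boot`. Separately, the `posix.files(policypath)` loop does not skip `.` and `..`; if the iterator yields them, both reduce to an empty `backend` and leave a stray `back-ends/.config` symlink, which wrapping the loop body in `if fn ~= "." and fn ~= ".." then` would avoid.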
@@ -185,6 +179,19 @@ end %{_mandir}/man8/fips-finish-install.8* %changelog +* Wed Jul 1 2020 Tomáš Mráz - 20200629-1.git806b5d3 +- disallow X448/ED448 in FIPS policy with gnutls >= 3.6.12 +- add AD-SUPPORT policy module + +* Wed Jun 10 2020 Tomáš Mráz - 20200610-1.git0ac8b1f +- fallback to FIPS policy instead of the default-config in FIPS mode +- java: Document properly how to override the crypto policy +- krb5: No support for 3des anymore +- reorder the signature algorithms to follow the order in default openssl list + +* Tue Jun 9 2020 Tomáš Mráz - 20200527-5.gitb234a47 +- make the post script work in environments where /proc/sys is not available + * Fri May 29 2020 Tomáš Mráz - 20200527-4.gitb234a47 - automatically set up FIPS policy in FIPS mode on first install