Sync from SUSE:SLFO:1.1 crypto-policies revision 9cefc04f311fdcca5a7b3a6516a7e9bc

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="versionformat">%cd.%h</param>
     <param name="changesgenerate">enable</param>
-    <param name="revision">4d262e79be1cd15c84cad55ad88c53a2d7712e85</param>
+    <param name="revision">570ea89092555c6c289f226bb48c2d8c1f332b0f</param>
   </service>
   <service name="recompress" mode="disabled">
     <param name="file">*.tar</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
-              <param name="changesrevision">4d262e79be1cd15c84cad55ad88c53a2d7712e85</param></service></servicedata>
+              <param name="changesrevision">570ea89092555c6c289f226bb48c2d8c1f332b0f</param></service></servicedata>

crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch

@@ -1,50 +0,0 @@
-diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol
---- fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol	2025-01-24 18:31:31.000000000 +0100
-+++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol	2025-03-18 14:39:54.565216139 +0100
-@@ -15,9 +15,11 @@
- 
- mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
- mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1
-+mac@SSH = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512
- 
- group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
-         FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
-+group@SSH = -X25519
- 
- hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA3-224 \
-        SHAKE-256
-@@ -53,7 +55,8 @@ cipher@RPM = AES-256-CFB AES-128-CFB CAM
- 
- # CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks
- # and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014).
--cipher@SSH = -*-CBC
-+# disable also chachapoly, as we might run DEFAULT in FIPS mode too.
-+cipher@SSH = AES-256-GCM AES-256-CCM CAMELLIA-256-GCM AES-256-CTR AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR
- 
- # 'RSA' is intentionally before DHE ciphersuites, as the DHE ciphersuites have
- # interoperability issues in TLS.
-diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt
---- fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt	2025-01-24 18:31:31.000000000 +0100
-+++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt	2025-03-18 14:40:54.831266197 +0100
-@@ -1,5 +1,5 @@
--Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
--MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
-+Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
-+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
- GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
- HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
-diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt
---- fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt	2025-01-24 18:31:31.000000000 +0100
-+++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt	2025-03-18 15:41:32.234673018 +0100
-@@ -1,7 +1,8 @@
--Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
--MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
-+Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
-+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
- GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
-+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
- PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
- HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
- CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512

crypto-policies-FIPS.patch

@@ -1,7 +1,7 @@
-Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
+Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
 ===================================================================
---- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup
-+++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
++++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup
 @@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
  	exit 1
  fi
@@ -22,48 +22,36 @@ Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
  
  # Detect 1: kernel FIPS flag
  fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
-@@ -167,10 +180,10 @@ if test $check = 1 ; then
+@@ -204,9 +217,22 @@ else
+         fi
  fi
  
- # Boot configuration
 -if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
--	echo >&2 "The grubby command is missing, please configure the bootloader manually."
+-	echo "The grubby command is missing, please configure the bootloader manually."
 -	boot_config=0
--fi
-+# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
-+# 	echo >&2 "The grubby command is missing, please configure the bootloader manually."
-+# 	boot_config=0
-+# fi
- 
- if test "$boot_config" = 1 && test ! -d /boot ; then
- 	echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)."
-@@ -236,20 +249,42 @@ if test "$boot_config" = 1 ; then
- 	fi
- fi
- 
 +if test "$boot_config" = 1 ; then
 +	# Install required packages: patterns-base-fips and perl-Bootloader
 +	if test ! -f /etc/dracut.conf.d/40-fips.conf && \
 +		test ! -x "$(command -v pbl)" && \
 +		test "$enable_fips" = 1; then
-+            zypper -n install patterns-base-fips perl-Bootloader
++		zypper -n install patterns-base-fips perl-Bootloader
 +	elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
 +		test "$enable_fips" = 1 ; then
-+            zypper -n install patterns-base-fips
++		zypper -n install patterns-base-fips
 +	elif test ! -x "$(command -v pbl)" ; then
-+            zypper -n install perl-Bootloader
++		zypper -n install perl-Bootloader
 +	fi
 +	if test $? != 0 ; then
-+            echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
++		echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
-+            boot_config=0
++		boot_config=0
 +	fi
-+fi
+ fi
-+
+ 
  echo "FIPS mode will be $(enable2txt $enable_fips)."
- 
+@@ -217,15 +243,19 @@ if test $boot_config = 0 ; then
- fipsopts="fips=$enable_fips$boot_device_opt"
+ 	echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
- 
+ 	echo "and reboot the system for the setting to take effect."
- if test "$boot_config" = 1 ; then
+ else
 -	grubby --update-kernel=ALL --args="$fipsopts"
 -	if test x"$(uname -m)" = xs390x; then
 -		if command -v zipl >/dev/null; then
@@ -74,7 +62,7 @@ Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
 -		fi
 -	fi
 +	pbl --add-option "$fipsopts"
-+	pbl --config; pbl --install && dracut -f --regenerate-all
++	grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all
 +
 +	# grubby --update-kernel=ALL --args="$fipsopts"
 +	# if test x"$(uname -m)" = xs390x; then
@@ -87,12 +75,12 @@ Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
 +	# fi
 +
  	echo "Please reboot the system for the setting to take effect."
- else
+ fi
- 	echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
+ 
-Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install
+Index: fedora-crypto-policies-20230920.570ea89/fips-finish-install
 ===================================================================
---- fedora-crypto-policies-20240201.9f501f3.orig/fips-finish-install
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-finish-install
-+++ fedora-crypto-policies-20240201.9f501f3/fips-finish-install
++++ fedora-crypto-policies-20230920.570ea89/fips-finish-install
 @@ -24,6 +24,15 @@ fi
  
  umask 022
@@ -163,10 +151,10 @@ Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install
 +# 		echo '`zipl` execution has been skipped: `zipl` not found.'
 +# 	fi
 +# fi
-Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
+Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
 ===================================================================
---- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup.8.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup.8.txt
-+++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
++++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
 @@ -45,6 +45,23 @@ Then the command modifies the boot loade
  When disabling the system FIPS mode the system crypto policy is switched
  to DEFAULT and the kernel command line option 'fips=0' is set.
@@ -191,129 +179,3 @@ Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
  
  [[options]]
  OPTIONS
-Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
-===================================================================
---- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
-+++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
-@@ -8,7 +8,6 @@ check=0
- boot_config=1
- err_if_disabled=0
- output_text=1
--uki_file=/sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
- 
- is_ostree_system=0
- if test -f /run/ostree-booted -o -d /ostree; then
-@@ -61,18 +60,13 @@ while test $# -ge 1 ; do
- done
- 
- if test $usage = 1 -o x$enable_fips = x ; then
--	echo "Check, enable, or disable (unsupported) the system FIPS mode."
-+	echo "Check, enable, or disable the system FIPS mode."
- 	echo "usage: $0 --enable|--disable [--no-bootcfg]"
- 	echo "usage: $0 --check"
- 	echo "usage: $0 --is-enabled"
- 	exit 2
- fi
- 
--if test -e "$uki_file" && test "$FIPS_MODE_SETUP_SKIP_UKI_CHECK" != 1; then
--	echo >&2 "UKI detected ($uki_file is present), forcing --no-bootcfg."
--	boot_config=0
--fi
--
- # We don't handle the boot config on OSTree systems for now; it is assumed to be
- # handled at a higher level. E.g. in Fedora CoreOS and RHEL CoreOS, it is
- # intrinsically tied to the firstboot procedure.
-@@ -186,12 +180,6 @@ if test $check = 1 ; then
- 	exit 0
- fi
- 
--# Boot configuration
--# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
--# 	echo >&2 "The grubby command is missing, please configure the bootloader manually."
--# 	boot_config=0
--# fi
--
- if test "$boot_config" = 1 && test ! -d /boot ; then
- 	echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)."
- 	echo >&2 "If you want to configure the bootloader manually, re-run with --no-bootcfg."
-@@ -204,39 +192,6 @@ if test "$boot_config" = 1 && test -z "$
- 	exit 1
- fi
- 
--if test "$FIPS_MODE_SETUP_SKIP_ARGON2_CHECK" != 1 && \
--		test -x "$(command -v cryptsetup)" ; then
--	# Best-effort detection of LUKS Argon2 usage
--	argon2_found=''
--	# two redundant ways to list device names
--	devs=$( (find /dev/mapper/ -type l -printf '%f\n'; \
--		dmsetup ls --target crypt | cut -f1) \
--		| sort -u)
--		while IFS= read -r devname; do
--			back=$(cryptsetup status "$devname" | \
--				grep -F device: |
--				sed -E 's/.*device:\s+//')
--			if ! test -b "$back"; then
--				echo >&2 -n "Warning: detected device '$back' "
--				echo >&2 -n 'is not a valid block device. '
--				echo >&2 'Cannot check whether it uses Argon2.'
--				continue
--			fi
--			dump=$(cryptsetup luksDump "$back")
--			if grep -qEi 'PBKDF:.*argon' <<<"$dump"; then
--				argon2_found+=" $back($devname)"
--			fi
--		done <<<"$devs"
--	if test -n "$argon2_found" ; then
--		echo >&2 -n "The following encrypted devices use Argon2 PBKDF:"
--		echo >&2 "$argon2_found"
--		echo >&2 'Aborting fips-mode-setup because of that.'
--		echo >&2 -n 'Please refer to the '
--		echo >&2 'cryptsetup-luksConvertKey(8) manpage.'
--		exit 76
--	fi
--fi
--
- if test "$FIPS_MODE_SETUP_SKIP_WARNING" != 1 ; then
- 	if test $enable_fips = 1 ; then
- 		echo >&2 "*****************************************************************"
-@@ -244,15 +199,13 @@ if test "$FIPS_MODE_SETUP_SKIP_WARNING"
- 		echo >&2 "*                                                               *"
- 		echo >&2 "* ENABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED. *"
- 		echo >&2 "* THIS OPERATION CANNOT BE UNDONE.                              *"
--		echo >&2 "* REINSTALL WITH fips=1 INSTEAD.                                *"
- 		echo >&2 "*****************************************************************"
- 	elif test $enable_fips = 0 ; then
- 		echo >&2 "*****************************************************************"
- 		echo >&2 "* PRESS CONTROL-C WITHIN 15 SECONDS TO ABORT...                 *"
- 		echo >&2 "*                                                               *"
--		echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT SUPPORTED.  *"
-+		echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED.*"
- 		echo >&2 "* THIS OPERATION CANNOT BE UNDONE.                              *"
--		echo >&2 "* WIPE ALL MEDIA AND REINSTALL WITHOUT fips=1 INSTEAD.          *"
- 		echo >&2 "*****************************************************************"
- 	fi
- 	for i in {15..1}; do
-@@ -339,21 +292,10 @@ fipsopts="fips=$enable_fips$boot_device_
- if test "$boot_config" = 1 ; then
- 	pbl --add-option "$fipsopts"
- 	pbl --config; pbl --install && dracut -f --regenerate-all
--
--	# grubby --update-kernel=ALL --args="$fipsopts"
--	# if test x"$(uname -m)" = xs390x; then
--	# 	if command -v zipl >/dev/null; then
--	# 		zipl
--	# 	else
--	# 		echo -n '`zipl` execution has been skipped: '
--	# 		echo '`zipl` not found.'
--	# 	fi
--	# fi
--
--	echo "Please reboot the system for the setting to take effect."
-+	echo "Please reboot the system for the settings to take effect."
- else
- 	echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
--	echo "and reboot the system for the setting to take effect."
-+	echo "and reboot the system for the settings to take effect."
- fi
- 
- exit 0

crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch

@@ -1,55 +0,0 @@
-diff -PpuriN fedora-crypto-policies-orig/policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol
---- fedora-crypto-policies-orig/policies/DEFAULT.pol	2025-01-24 18:31:31.000000000 +0100
-+++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol	2025-03-11 14:09:01.796831654 +0100
-@@ -1,7 +1,6 @@
- # A reasonable default for today's standards. It should provide
- # 112-bit security with the exception of SHA1 signatures in DNSSec.
- # SHA1 is allowed in HMAC where collision attacks do not matter.
--# OpenSSL distrusts signatures using SHA-1 (Changes/OpenSSLDistrustSHA1SigVer).
- 
- # MACs: all HMAC with SHA1 or better + all modern MACs (Poly1305 etc)
- # Curves: all prime >= 255 bits (including Bernstein curves)
-@@ -88,6 +87,3 @@ etm@SSH = ANY
- sign@RPM = DSA-SHA1+
- hash@RPM = SHA1+
- min_dsa_size@RPM = 1024
--
--# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
--__openssl_block_sha1_signatures = 1
-diff -PpuriN fedora-crypto-policies-orig/tests/alternative-policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/tests/alternative-policies/DEFAULT.pol
---- fedora-crypto-policies-orig/tests/alternative-policies/DEFAULT.pol	2025-01-24 18:31:31.000000000 +0100
-+++ fedora-crypto-policies-20250124.4d262e7/tests/alternative-policies/DEFAULT.pol	2025-03-11 13:53:52.231005482 +0100
-@@ -91,6 +91,3 @@ ssh_etm = 1
- sign@rpm-sequoia = DSA-SHA1+
- hash@rpm-sequoia = SHA1+
- min_dsa_size@rpm-sequoia = 1024
--
--# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
--__openssl_block_sha1_signatures = 1
-diff -PpuriN fedora-crypto-policies-orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
---- fedora-crypto-policies-orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt	2025-01-24 18:31:31.000000000 +0100
-+++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:GOST-opensslcnf.txt	2025-03-11 14:10:14.134767876 +0100
-@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1
- alg_section = evp_properties
- 
- [evp_properties]
--rh-allow-sha1-signatures = no
-+rh-allow-sha1-signatures = yes
-diff -PpuriN fedora-crypto-policies-orig/tests/outputs/DEFAULT-opensslcnf.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensslcnf.txt
---- fedora-crypto-policies-orig/tests/outputs/DEFAULT-opensslcnf.txt	2025-01-24 18:31:31.000000000 +0100
-+++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensslcnf.txt	2025-03-11 14:09:55.798784042 +0100
-@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1
- alg_section = evp_properties
- 
- [evp_properties]
--rh-allow-sha1-signatures = no
-+rh-allow-sha1-signatures = yes
-diff -PpuriN fedora-crypto-policies-orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
---- fedora-crypto-policies-orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt	2025-01-24 18:31:31.000000000 +0100
-+++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt	2025-03-11 14:10:42.542742833 +0100
-@@ -11,4 +11,4 @@ Groups = ?x25519_kyber768:?p256_kyber768
- alg_section = evp_properties
- 
- [evp_properties]
--rh-allow-sha1-signatures = no
-+rh-allow-sha1-signatures = yes

crypto-policies-no-build-manpages.patch

@@ -1,21 +1,21 @@
-Index: fedora-crypto-policies-20250124.4d262e7/Makefile
+Index: fedora-crypto-policies-20230420.3d08ae7/Makefile
 ===================================================================
---- fedora-crypto-policies-20250124.4d262e7.orig/Makefile
+--- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile
-+++ fedora-crypto-policies-20250124.4d262e7/Makefile
++++ fedora-crypto-policies-20230420.3d08ae7/Makefile
-@@ -34,9 +34,9 @@ install: $(MANPAGES)
+@@ -28,9 +28,9 @@ install: $(MANPAGES)
+ 	mkdir -p $(DESTDIR)$(MANDIR)/man7
+ 	mkdir -p $(DESTDIR)$(MANDIR)/man8
  	mkdir -p $(DESTDIR)$(BINDIR)
- 	mkdir -p $(DESTDIR)$(LIBEXECDIR)
- 	mkdir -p $(DESTDIR)$(UNITDIR)
 -	install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
 -	install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
 -	install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
 +	# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
 +	# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
 +	# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
- 	install -p -m 644 $(UNITS) $(DESTDIR)$(UNITDIR)
- 	install -p -m 755 $(LIBEXEC_SCRIPTS) $(DESTDIR)$(LIBEXECDIR)
  	mkdir -p $(DESTDIR)$(DIR)/
-@@ -133,8 +133,8 @@ clean:
+ 	install -p -m 644 default-config $(DESTDIR)$(DIR)
+ 	install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
+@@ -114,8 +114,8 @@ clean:
  	rm -rf output
  
  %: %.txt

crypto-policies-nss.patch

@@ -1,8 +1,8 @@
-Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
 ===================================================================
---- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/nss.py
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py
-+++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
-@@ -422,12 +422,20 @@ class NSSGenerator(ConfigGenerator):
+@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator):
          try:
              with os.fdopen(fd, 'w') as f:
                  f.write(config)
@@ -29,7 +29,7 @@ Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
          finally:
              os.unlink(path)
  
-@@ -435,6 +443,10 @@ class NSSGenerator(ConfigGenerator):
+@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator):
              cls.eprint("There is a warning in NSS generated policy")
              cls.eprint(f'Policy:\n{config}')
              return False
@@ -37,6 +37,6 @@ Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
 +            cls.eprint('Skipping NSS policy check: '
 +                       '/usr/bin/nss-policy-check not found')
 +            return True
-         if ret:
+         elif ret:
              cls.eprint("There is an error in NSS generated policy")
              cls.eprint(f'Policy:\n{config}')

crypto-policies-policygenerators.patch

@@ -1,40 +1,43 @@
-Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
 ===================================================================
---- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/__init__.py
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/__init__.py
-+++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
-@@ -7,7 +7,7 @@ from .bind import BindGenerator
+@@ -8,7 +8,7 @@ from .gnutls import GnuTLSGenerator
- from .gnutls import GnuTLSGenerator
  from .java import JavaGenerator
+ from .java import JavaSystemGenerator
  from .krb5 import KRB5Generator
 -from .libreswan import LibreswanGenerator
 +# from .libreswan import LibreswanGenerator
  from .libssh import LibsshGenerator
  from .nss import NSSGenerator
- from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
+ from .openssh import OpenSSHClientGenerator
-@@ -16,14 +16,13 @@ from .openssl import (
+@@ -16,8 +16,8 @@ from .openssh import OpenSSHServerGenera
-     OpenSSLFIPSGenerator,
+ from .openssl import OpenSSLConfigGenerator
-     OpenSSLGenerator,
+ from .openssl import OpenSSLGenerator
- )
+ from .openssl import OpenSSLFIPSGenerator
--from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
+-from .sequoia import SequoiaGenerator
-+#from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
+-from .sequoia import RPMSequoiaGenerator
++# from .sequoia import SequoiaGenerator
++# from .sequoia import RPMSequoiaGenerator
  
  __all__ = [
      'BindGenerator',
-     'GnuTLSGenerator',
+@@ -25,7 +25,6 @@ __all__ = [
      'JavaGenerator',
+     'JavaSystemGenerator',
      'KRB5Generator',
 -    'LibreswanGenerator',
      'LibsshGenerator',
      'NSSGenerator',
      'OpenSSHClientGenerator',
-@@ -31,6 +30,8 @@ __all__ = [
+@@ -33,6 +32,8 @@ __all__ = [
      'OpenSSLConfigGenerator',
-     'OpenSSLFIPSGenerator',
      'OpenSSLGenerator',
--    'RPMSequoiaGenerator',
+     'OpenSSLFIPSGenerator',
 -    'SequoiaGenerator',
+-    'RPMSequoiaGenerator',
  ]
 +
-+    # 'LibreswanGenerator',
++#   'LibreswanGenerator',
-+    # 'RPMSequoiaGenerator',
++#   'SequoiaGenerator',
-+    # 'SequoiaGenerator',
++#   'RPMSequoiaGenerator',

crypto-policies-revert-rh-allow-sha1-signatures.patch

@@ -0,0 +1,327 @@
+From 97fe4494571fd90a05f9bc42af152762eca2fac5 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 8 Apr 2022 13:47:29 +0200
+Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
+
+
+Index: fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/FUTURE.pol
++++ fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol
+@@ -66,7 +66,3 @@ sha1_in_certs = 0
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+ ssh_etm = 1
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
+-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/modules/NO-SHA1.pmod
++++ fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod
+@@ -3,7 +3,3 @@
+ hash = -SHA1
+ sign = -*-SHA1
+ sha1_in_certs = 0
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
+-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/python/cryptopolicies/cryptopolicies.py
++++ fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py
+@@ -24,7 +24,6 @@ from . import validation  # moved out of
+ INT_DEFAULTS = {k: 0 for k in (
+     'arbitrary_dh_groups',
+     'min_dh_size', 'min_dsa_size', 'min_rsa_size',
+-    '__openssl_block_sha1_signatures',  # FUTURE/TEST-FEDORA39/NO-SHA1
+     'sha1_in_certs',
+     'ssh_certs', 'ssh_etm',
+ )}
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/openssl.py
++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py
+@@ -7,13 +7,6 @@ from subprocess import check_output, Cal
+ 
+ from .configgenerator import ConfigGenerator
+ 
+-RH_SHA1_SECTION = '''
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = {}
+-'''
+ 
+ FIPS_MODULE_CONFIG = '''
+ [fips_sect]
+@@ -263,12 +256,6 @@ class OpenSSLConfigGenerator(OpenSSLGene
+         if policy.enums['__ems'] == 'RELAX':
+             s += 'Options = RHNoEnforceEMSinFIPS\n'
+ 
+-        # In the future it'll be just
+-        # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no')
+-        # but for now we slow down the roll-out and we have
+-        sha1_sig = not policy.integers['__openssl_block_sha1_signatures']
+-        s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no')
+-
+         return s
+ 
+     @classmethod
+Index: fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/alternative-policies/FUTURE.pol
++++ fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol
+@@ -73,7 +73,3 @@ sha1_in_dnssec = 0
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+ ssh_etm = 1
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
+-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/EMPTY-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt
+@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS
+ Ciphersuites = 
+ SignatureAlgorithms = 
+ Groups = 
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = secp256r1:secp521r1:secp384r1
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FUTURE-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = no
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt
+@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1
+ TLS.MaxProtocol = TLSv1.3
+ SignatureAlgorithms = 
+ Groups = 
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/unit/test_cryptopolicy.py
++++ fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py
+@@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm
+         min_dh_size = 0
+         min_dsa_size = 0
+         min_rsa_size = 0
+-        __openssl_block_sha1_signatures = 0
+         sha1_in_certs = 0
+         ssh_certs = 0
+         ssh_etm = 0
+@@ -292,7 +291,6 @@ def test_cryptopolicy_to_string_twisted(
+         min_dh_size = 0
+         min_dsa_size = 0
+         min_rsa_size = 0
+-        __openssl_block_sha1_signatures = 0
+         sha1_in_certs = 0
+         ssh_certs = 0
+         ssh_etm = 0
+Index: fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/TEST-FEDORA39.pol
++++ fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol
+@@ -68,7 +68,3 @@ sha1_in_certs = 0
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+ ssh_etm = 1
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
+-# SHA-1 signatures will blocked in OpenSSL
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FEDORA38-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = no
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
+@@ -7,9 +7,3 @@ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Options = RHNoEnforceEMSinFIPS
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes

crypto-policies-supported.patch

@@ -13,25 +13,25 @@ Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
 +* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
  
 -* NSS library (NSS, SSL, TLS)
-+* NSS library (NSS, SSL, TLS) (Supported)
++* NSS library (NSS, SSL, TLS) (Not supported)
  
 -* OpenJDK (java-tls, SSL, TLS)
 +* OpenJDK (java-tls, SSL, TLS) (Supported)
  
 -* Libkrb5 (krb5, kerberos)
-+* Libkrb5 (krb5, kerberos) (Supported)
++* Libkrb5 (krb5, kerberos) (Not supported)
  
 -* BIND (BIND, DNSSec)
-+* BIND (BIND, DNSSec) (Supported)
++* BIND (BIND, DNSSec) (Not supported)
  
 -* OpenSSH (OpenSSH, SSH)
-+* OpenSSH (OpenSSH, SSH) (Supported)
++* OpenSSH (OpenSSH, SSH) (Not supported)
  
 -* Libreswan (libreswan, IKE, IPSec)
-+* Libreswan (libreswan, IKE, IPSec) (Not supported as its not available in SLE/openSUSE)
++* Libreswan (libreswan, IKE, IPSec) (Not supported)
  
 -* libssh (libssh, SSH)
-+* libssh (libssh, SSH) (Supported)
++* libssh (libssh, SSH) (Not supported)
  
  Applications and languages which rely on any of these back-ends will follow
  the system policies as well. Examples are apache httpd, nginx, php, and

crypto-policies.changes

@@ -1,169 +1,3 @@
--------------------------------------------------------------------
-Thu Mar 27 10:37:18 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
-
-- Relax the nss version requirement since the mlkem768secp256r1
-  enablement has been reverted.
-
--------------------------------------------------------------------
-Tue Mar 18 13:45:44 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
-
-- Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
-  * Add crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
-
--------------------------------------------------------------------
-Tue Mar 11 12:40:44 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
-
-- Enable SHA1 sigver in the DEFAULT policy.
-  * Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
-
--------------------------------------------------------------------
-Fri Feb 28 13:18:00 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
-
-- Fix fips-mode-setup in EFI or Secure Boot mode. [bsc#1227637]
-  * Rebase crypto-policies-FIPS.patch
-
--------------------------------------------------------------------
-Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
-
-- Remove dangling symlink for the libreswan config [bsc#1236858]
-- Remove also sequoia config and generator files
-- Remove not needed fips bind mount service
-
--------------------------------------------------------------------
-Tue Feb 04 10:18:07 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
-
-- Update to version 20250124.4d262e7: [bsc#1239009, bsc#1236165]
-  * openssl: stricter enabling of Ciphersuites
-  * openssl: make use of -CBC and -AESGCM keywords
-  * openssl: add TLS 1.3 Brainpool identifiers
-  * fix warning on using experimental key_exchanges
-  * update-crypto-policies: don't output FIPS warning in fips mode
-  * openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256
-  * openssh, libssh: refactor kx maps to use tuples
-  * alg_lists: mark MLKEM768/SNTRUP kex experimental
-  * nss: revert enabling mlkem768secp256r1
-  * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber
-  * gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768
-  * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768
-  * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768
-  * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256
-  * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384...
-  * python/update-crypto-policies: pacify pylint
-  * fips-mode-setup: tolerate fips dracut module presence w/o FIPS
-  * fips-mode-setup: small Argon2 detection fix
-  * SHA1: add __openssl_block_sha1_signatures = 0
-  * fips-mode-setup: block if LUKS devices using Argon2 are detected
-  * update-crypto-policies: skip warning on --set=FIPS if bootc
-  * fips-setup-helper: skip warning, BTW
-  * fips-mode-setup: force --no-bootcfg when UKI is detected
-  * fips-setup-helper: add a libexec helper for anaconda
-  * fips-crypto-policy-overlay: automount FIPS policy
-  * openssh: make dss no longer enableble, support is dropped
-  * gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768
-  * DEFAULT: switch to rh-allow-sha1-signatures = no...
-  * java: drop unused javasystem backend
-  * java: stop specifying jdk.tls.namedGroups in javasystem
-  * ec_min_size: introduce and use in java, default to 256
-  * java: use and include jdk.disabled.namedCurves
-  * BSI: Update BSI policy for new 2024 minimum recommendations
-  * fips-mode-setup: flashy ticking warning upon use
-  * fips-mode-setup: add another scary "unsupported"
-  * CONTRIBUTING.md: add a small section on updating policies
-  * CONTRIBUTING.md: remove trailing punctuation from headers
-  * BSI: switch to 3072 minimum RSA key size
-  * java: make hash, mac and sign more orthogonal
-  * java: specify jdk.tls.namedGroups system property
-  * java: respect more key size restrictions
-  * java: disable anon ciphersuites, tying them to NULL...
-  * java: start controlling / disable DTLSv1.0
-  * nss: wire KYBER768 to XYBER768D00
-  * nss: unconditionally load p11-kit-proxy.so
-  * gnutls: make DTLS0.9 controllable again
-  * gnutls: retire GNUTLS_NO_TLS_SESSION_HASH
-  * openssh: remove OPENSSH_MIN_RSA_SIZE / OPENSSH_MIN_RSA_SIZE_FORCE
-  * gnutls: remove extraneous newline
-  * sequoia: move away from subprocess.getstatusoutput
-  * python/cryptopolicies/cryptopolicies.py: add trailing commas
-  * python, tests: rename MalformedLine to MalformedLineError
-  * Makefile: introduce SKIP_LINTING flag for packagers to use
-  * Makefile: run ruff
-  * tests: use pathlib
-  * tests: run(check=True) + CalledProcessError where convenient
-  * tests: use subprocess.run
-  * tests/krb5.py: check all generated policies
-  * tests: print to stderr on error paths
-  * tests/nss.py: also use encoding='utf-8'
-  * tests/nss.py: also use removesuffix
-  * tests/nss.py: skip creating tempfiles
-  * tests/java.pl -> tests/java.py
-  * tests/gnutls.pl -> tests/gnutls.py
-  * tests/openssl.pl -> tests/openssl.py
-  * tests/verify-output.pl: remove
-  * libreswan: do not use up pfs= / ikev2= keywords for default behaviour
-  * Rebase patches:
-    - crypto-policies-no-build-manpages.patch
-    - crypto-policies-policygenerators.patch
-    - crypto-policies-supported.patch
-    - crypto-policies-nss.patch
-
--------------------------------------------------------------------
-Wed Nov 06 12:27:56 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
-
-- Update to version 20241010.5930b9a:
-  * LEGACY: enable 192-bit ciphers for nss pkcs12/smime
-  * nss: be stricter with new purposes
-  * nss: rewrite backend for 3.101
-  * cryptopolicies: parent scopes for dumping purposes
-  * policygenerators: move scoping inside generators
-  * TEST-PQ: disable pure Kyber768
-  * nss: wire XYBER768D00 to X25519-KYBER768
-  * TEST-PQ: update
-  * TEST-PQ: also enable sntrup761x25519-sha512@openssh.com
-  * TEST-PQ, alg_lists, openssl: enable more experimental `sign` values
-  * TEST-PQ, python: add more groups, mark experimental
-  * openssl: mark liboqsprovider groups optional with ?
-  * Remove patches:
-    - crypto-policies-revert-rh-allow-sha1-signatures.patch
-
--------------------------------------------------------------------
-Tue Feb 06 10:29:11 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
-
-- Update to version 20240201.9f501f3:
-  * .gitlab-ci.yml: install sequoia-policy-config
-  * java: disable ChaCha20-Poly1305 where applicable
-  * fips-mode-setup: make sure ostree is detected in chroot
-  * fips-finish-install: make sure ostree is detected in chroot
-  * TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl
-  * TEST-PQ: add a no-op subpolicy
-  * update-crypto-policies: Keep mid-sentence upper case
-  * fips-mode-setup: Write error messages to stderr
-  * fips-mode-setup: Fix some shellcheck warnings
-  * fips-mode-setup: Fix test for empty /boot
-  * fips-mode-setup: Avoid 'boot=UUID=' if /boot == /
-  * Update man pages
-  * Rebase patches:
-    - crypto-policies-FIPS.patch
-    - crypto-policies-revert-rh-allow-sha1-signatures.patch
-
--------------------------------------------------------------------
-Mon Feb 02 08:34:40 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
-
-- Update to version 20231108.adb5572b:
-  * Print matches in syntax deprecation warnings
-  * Restore support for scoped ssh_etm directives
-  * fips-mode-setup: Fix usage with --no-bootcfg
-  * turn ssh_etm into an etm@SSH tri-state
-  * fips-mode-setup: increase chroot-friendliness
-  * bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
-  * pylintrc: use-implicit-booleaness-not-comparison-to-*
-
--------------------------------------------------------------------
-Tue Jan 30 18:36:34 UTC 2024 - Dirk Müller <dmueller@suse.com>
-
-- avoid the cycle rpm/cmake/crypto-policies/python-rpm-macros:
-  we only need python3-base here, we don't need the python
-  macros as no module is being built
-
 -------------------------------------------------------------------
 Thu Oct  5 12:35:57 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
 

crypto-policies.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package crypto-policies
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,9 +21,8 @@
 # manbuild is disabled by default
 %bcond_with manbuild
 %global _python_bytecompile_extra 0
-
 Name:           crypto-policies
-Version:        20250124.4d262e7
+Version:        20230920.570ea89
 Release:        0
 Summary:        System-wide crypto policies
 License:        LGPL-2.1-or-later
@@ -48,45 +47,49 @@ Patch1:         crypto-policies-no-build-manpages.patch
 Patch2:         crypto-policies-policygenerators.patch
 #PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
 Patch3:         crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Revert a breaking change that introduces rh-allow-sha1-signatures
+Patch4:         crypto-policies-revert-rh-allow-sha1-signatures.patch
 #PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
 Patch5:         crypto-policies-pylint.patch
 #PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
 Patch6:         crypto-policies-FIPS.patch
 #PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
 Patch7:         crypto-policies-nss.patch
-#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT
+BuildRequires:  python3-base >= 3.6
-Patch8:         crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
+# The sequoia stuff needs python3-toml, removed until needed
-#PATCH-FIX-OPENSUSE Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
+# BuildRequires:  python3-toml
-Patch9:         crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
-BuildRequires:  python3-base >= 3.11
 %if %{with manbuild}
 BuildRequires:  asciidoc
 %endif
 %if %{with testsuite}
 # The following packages are needed for the testsuite
 BuildRequires:  bind
-BuildRequires:  crypto-policies-scripts
+BuildRequires:  codespell
-BuildRequires:  gnutls
+BuildRequires:  gnutls >= 3.6.0
 BuildRequires:  java-devel
+BuildRequires:  krb5-devel
 BuildRequires:  libxslt
 BuildRequires:  mozilla-nss-tools
-BuildRequires:  openssh-clients
 BuildRequires:  openssl
+BuildRequires:  perl
 BuildRequires:  python-rpm-macros
-BuildRequires:  python3-devel >= 3.11
+BuildRequires:  python3-coverage
+BuildRequires:  python3-devel >= 3.6
+BuildRequires:  python3-flake8
+BuildRequires:  python3-pylint
 BuildRequires:  python3-pytest
-BuildRequires:  systemd-rpm-macros
+BuildRequires:  perl(File::Copy)
-%else
+BuildRequires:  perl(File::Temp)
-# Avoid cycle with python-rpm-macros
+BuildRequires:  perl(File::Which)
-#!BuildIgnore: python-rpm-packaging python-rpm-macros
+BuildRequires:  perl(File::pushd)
 %endif
 %if 0%{?primary_python:1}
 Recommends:     crypto-policies-scripts
 %endif
-Conflicts:      gnutls < 3.8.8
+Conflicts:      gnutls < 3.7.3
-Conflicts:      nss < 3.101
+#Conflicts:      libreswan < 3.28
-Conflicts:      openssh < 9.9p1
+Conflicts:      nss < 3.90.0
-Conflicts:      openssl < 3.0.2
+#Conflicts:      openssh < 8.2p1
 #!BuildIgnore:  crypto-policies
 BuildArch:      noarch
 
@@ -99,7 +102,6 @@ such as SSL/TLS libraries.
 Summary:        Tool to switch between crypto policies
 Requires:       %{name} = %{version}-%{release}
 Recommends:     perl-Bootloader
-Provides:       fips-mode-setup = %{version}-%{release}
 
 %description scripts
 This package provides a tool update-crypto-policies, which applies
@@ -116,8 +118,15 @@ to enable or disable the system FIPS mode.
 # Make README.SUSE available for %%doc
 cp -p %{SOURCE1} .
 
+# Remove not needed policy generators
+find -name libreswan.py -delete
+find -name sequoia.py -delete
+
 %build
 export OPENSSL_CONF=''
+sed -i "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
+    python/policygenerators/openssh.py
+grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
 %make_build
 
 %install
@@ -150,19 +159,12 @@ install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
 install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
 install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
 
-# Drop pre-generated GOST-ONLY and FEDORA policies, we do not need to ship them
+# Drop pre-generated GOST-ONLY policy, we do not need to ship them
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+
+# Drop FEDORA policies
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
 
-# Drop libreswan and sequoia config files
-find  %{buildroot} -type f -name 'libreswan.*' -print -delete
-find  %{buildroot} -type f -name 'sequoia.*' -print -delete
-
-# Drop not needed fips bind mount service
-find %{buildroot} -type f -name 'default-fips-config' -print -delete
-find %{buildroot} -type f -name 'fips-setup-helper' -print -delete
-find %{buildroot} -type f -name 'fips-crypto-policy-overlay*' -print -delete
-
 # Create back-end configs for mounting with read-only /etc/
 for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
     mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
@@ -178,7 +180,7 @@ done
 # Fix shebang in scripts
 for f in %{buildroot}%{_datadir}/crypto-policies/python/*
 do
-  [ -f $f ] && sed -i "1s@#!.*python.*@#!$(realpath /usr/bin/python3)@" $f
+  [ -f $f ] && sed -i "1s@#!.*python.*@#!$(realpath %__python3)@" $f
 done
 
 %py3_compile %{buildroot}%{_datadir}/crypto-policies/python
@@ -224,24 +226,12 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then
     end
 end
 
-cfg_path_libreswan = "%{_sysconfdir}/crypto-policies/back-ends/libreswan.config"
-st = posix.stat(cfg_path_libreswan)
-if st and st.type == "link" then
-   posix.unlink(cfg_path_libreswan)
-end
-
-cfg_path_javasystem = "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config"
-st = posix.stat(cfg_path_javasystem)
-if st and st.type == "link" then
-   posix.unlink(cfg_path_javasystem)
-end
-
 %posttrans scripts
 %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
 
 %files
 %license COPYING.LESSER
-%doc README.md CONTRIBUTING.md
+%doc README.md NEWS CONTRIBUTING.md
 %doc %{_sysconfdir}/crypto-policies/README.SUSE
 
 %dir %{_sysconfdir}/crypto-policies/
@@ -263,8 +253,12 @@ end
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
 # %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.
 
 %ghost %{_sysconfdir}/crypto-policies/state/current