Accepting request 1114283 from home:pmonrealgonzalez:branches:security:tls

Update to latest version and update jira tracking number from jsc#PED-4578 to jsc#PED-5041 OBS-URL: https://build.opensuse.org/request/show/1114283 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=23
2023-09-29 08:48:54 +00:00 · 2023-09-29 08:48:54 +00:00 · b59bbd02a8
commit b59bbd02a8
parent f16e5f47af
15 changed files with 248 additions and 219 deletions
--- a/BSI.pol
+++ b/BSI.pol
@ -1,87 +0,0 @@
-# This policy follows the BSI TR-02102-2 "Kryptographische Verfahren: Verwendung von Transport Layer Security (TLS)"
-# 	Generic:https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.html
-# 	TLS:	https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.html
-# 	IPSEC:	https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-3.html
-# 		Note that currently crypto-policies do not adjust ipsec configs, but only openssl or nss.
-# 	SSH:	https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-4.html
-# 		Note that the SUSE openssh is not yet reading crypto policies.
-# Author: Marcus Meissner <meissner@suse.de> 2023
-#
-# Based on NEXT.pol
-
-# BSI TR 02102 / revision 2023.1, Table 5.1 "Empfohlene Hashfunktionen."
-# 	HMAC-SHA1 is not valid anymore
-# 	UMAC is for SSH... check TODO
-mac = AEAD HMAC-SHA2-256 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
-
-# BSI TR 02102-2 / revision 2023.1, Table 4 "Empfohlene Diffie-Hellman-Gruppen für TLS 1.2"
-# not listed in BSI TR, but could be included: FFDHE-6144 FFDHE-8192
-group = SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 BRAINPOOL-P512R1 BRAINPOOL-P384R1 BRAINPOOL-P256R1
-
-# BSI TR 02102 / revision 2023.1, Table 5.1 "Empfohlene Hashfunktionen."
-hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512
-
-hash@DNSSec = SHA1+  # SHA1 is still prevalent in DNSSec
-
-# BSI TR 02102-2 / revision 2023.1, Table 5 "Empfohlene Signaturverfahren für TLS 1.2" and
-# Table 6 "Empfohlene Hashfunktionen für Signaturverfahren in TLS 1.2"
-# BSI TR 02102 / revision 2023.1 Section 5 "Hashfunktionen"
-# 	224 bit SHA parts not recommended by BSI: ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 ECDSA-SHA3-224 RSA-PSS-SHA3-224 RSA-SHA3-224 
-sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA2-256-FIDO \
-       ECDSA-SHA3-384 ECDSA-SHA2-384 \
-       ECDSA-SHA3-512 ECDSA-SHA2-512 \
-       EDDSA-ED25519 EDDSA-ED25519-FIDO EDDSA-ED448 \
-       RSA-PSS-SHA3-256 RSA-PSS-SHA2-256 \
-       RSA-PSS-SHA3-384 RSA-PSS-SHA2-384 \
-       RSA-PSS-SHA3-512 RSA-PSS-SHA2-512 \
-       RSA-PSS-RSAE-SHA3-256 RSA-PSS-RSAE-SHA2-256 \
-       RSA-PSS-RSAE-SHA3-384 RSA-PSS-RSAE-SHA2-384 \
-       RSA-PSS-RSAE-SHA3-512 RSA-PSS-RSAE-SHA2-512 \
-       RSA-SHA3-256 RSA-SHA2-256 \
-       RSA-SHA3-384 RSA-SHA2-384 \
-       RSA-SHA3-512 RSA-SHA2-512
-sign@DNSSec = RSA-SHA1+ ECDSA-SHA1+  # SHA1 is still prevalent in DNSSec
-
-# BSI TR 02102 / revision 2023.1
-# Not listed in BSI TR: CHACHA20-POLY1305 CAMELLIA-256-GCM CAMELLIA-128-CBC CAMELLIA-256-CBC CAMELLIA-128-GCM 
-cipher = AES-256-GCM AES-256-CCM AES-256-CTR AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CTR AES-128-CBC
-
-# BSI TR 02102-2 / revision 2023.1, Table 1 and Table 2
-# 	CHACHA20-POLY1305 not listed in TR
-cipher@TLS = AES-256-GCM AES-256-CCM AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
-
-cipher@sequoia = AES-256-CFB AES-128-CFB CAMELLIA-256-CFB CAMELLIA-128-CFB
-cipher@RPM = AES-256-CFB AES-128-CFB CAMELLIA-256-CFB CAMELLIA-128-CFB
-
-# CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks
-# and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014).
-cipher@SSH = -*-CBC
-
-# BSI TR 02102-2 / revision 2023.1, Table 1 and Table 2
-# Note this goes to all ciphers. DHE-GSS is not valid for TLS, but used in SSH.
-# 	TLS: ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK RSA-PSK are ok, GSS is not used in TLS, will not be used for TLS
-key_exchange = ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK RSA-PSK ECDHE-GSS DHE-GSS
-
-# BSI TR 02102-2 / revision 2023.1, Section 3.2 "SSL/TLS Versionen"
-protocol@TLS = TLS1.3 TLS1.2 DTLS1.2
-
-protocol@IKE = IKEv2
-
-# Parameter sizes
-min_dh_size = 3072
-min_dsa_size = 3072
-# BSI TR 02102-2 / revision 2023.1: 2k still allowed until end of 2023.
-min_rsa_size = 2048
-
-# GnuTLS only for now
-sha1_in_certs = 0
-
-arbitrary_dh_groups = 1
-ssh_certs = 1
-ssh_etm = 1
-
-# https://pagure.io/fesco/issue/2960
-# "RPM must accept SHA-1 hashes and DSA keys for Fedora 38"
-sign@RPM = DSA-SHA1+
-hash@RPM = SHA1+
-min_dsa_size@RPM = 1024
--- a/2
+++ b/2
@ -4,7 +4,7 @@
    <param name="scm">git</param>
    <param name="versionformat">%cd.%h</param>
    <param name="changesgenerate">enable</param>
-    <param name="revision">5f3458e619628288883f22695f3311f1ccd6a39f</param>
+    <param name="revision">570ea89092555c6c289f226bb48c2d8c1f332b0f</param>
  </service>
  <service name="recompress" mode="disabled">
    <param name="file">*.tar</param>
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
-              <param name="changesrevision">5f3458e619628288883f22695f3311f1ccd6a39f</param></service></servicedata>
+              <param name="changesrevision">570ea89092555c6c289f226bb48c2d8c1f332b0f</param></service></servicedata>
--- a/crypto-policies-FIPS.patch
+++ b/crypto-policies-FIPS.patch
@ -1,7 +1,7 @@
-Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
+Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup
-+++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup
+++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup
@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
 	exit 1
 fi
@ -22,7 +22,7 @@ Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
 
 # Detect 1: kernel FIPS flag
 fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
-@@ -203,9 +216,22 @@ else
+@@ -204,9 +217,22 @@ else
         fi
 fi
 
@ -48,7 +48,7 @@ Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
 fi
 
 echo "FIPS mode will be $(enable2txt $enable_fips)."
-@@ -216,15 +242,19 @@ if test $boot_config = 0 ; then
+@@ -217,15 +243,19 @@ if test $boot_config = 0 ; then
 	echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
 	echo "and reboot the system for the setting to take effect."
 else
@ -77,37 +77,40 @@ Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
 	echo "Please reboot the system for the setting to take effect."
 fi
 
-Index: fedora-crypto-policies-20230614.5f3458e/fips-finish-install
+Index: fedora-crypto-policies-20230920.570ea89/fips-finish-install
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/fips-finish-install
-+++ fedora-crypto-policies-20230614.5f3458e/fips-finish-install
-@@ -23,7 +23,16 @@ fi
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-finish-install
+++ fedora-crypto-policies-20230920.570ea89/fips-finish-install
+@@ -24,6 +24,15 @@ fi
 
 umask 022
 
-trap "rm -f $dracut_cfg" ERR
-+# trap "rm -f $dracut_cfg" ERR
-+
 +# Install required packages: patterns-base-fips and perl-Bootloader
 +if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then
-+	zypper -n install patterns-base-fips perl-Bootloader
+       zypper -n install patterns-base-fips perl-Bootloader
 +elif test ! -f $dracut_cfg ; then
-+	zypper -n install patterns-base-fips
+       zypper -n install patterns-base-fips
 +elif test ! -x "$(command -v pbl)" ; then
-+	zypper -n install perl-Bootloader
+       zypper -n install perl-Bootloader
 +fi
- 
+
 if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then
 	# No dracut configuration or boot directory present, do not try to modify it.
-@@ -32,23 +41,23 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
+ 	# Also, on OSTree systems, we currently rely on the initrd already including
+@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
 	exit 0
 fi
 
-cat >$dracut_cfg <<EOF
+-if test x"$1" == x--complete; then
+-	trap "rm -f $dracut_cfg" ERR
+-	cat >$dracut_cfg <<EOF
 -# turn on fips module
 -
 -add_dracutmodules+=" fips "
 -EOF
+-elif test x"$1" == x--undo; then
+-	rm -f $dracut_cfg
+-fi
 -
 -echo "Kernel initramdisks are being regenerated. This might take some time."
 -
@ -123,16 +126,21 @@ Index: fedora-crypto-policies-20230614.5f3458e/fips-finish-install
 -		echo '`zipl` execution has been skipped: `zipl` not found.'
 -	fi
 -fi
-+# cat >$dracut_cfg <<EOF
+# if test x"$1" == x--complete; then
+# 	trap "rm -f $dracut_cfg" ERR
+# 	cat >$dracut_cfg <<EOF
 +# # turn on fips module
-+#
+
 +# add_dracutmodules+=" fips "
 +# EOF
-+#
+# elif test x"$1" == x--undo; then
+# 	rm -f $dracut_cfg
+# fi
+
 +# echo "Kernel initramdisks are being regenerated. This might take some time."
-+#
+
 +# dracut -f --regenerate-all
-+#
+
 +# # This is supposed to be a fast and safe operation that's always good to run.
 +# # Regenerating an initrd and skipping it might render the system unbootable
 +# # (RHBZ#2013195).
@ -143,10 +151,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/fips-finish-install
 +# 		echo '`zipl` execution has been skipped: `zipl` not found.'
 +# 	fi
 +# fi
-Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup.8.txt
+Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup.8.txt
-+++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup.8.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup.8.txt
+++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
@@ -45,6 +45,23 @@ Then the command modifies the boot loade
 When disabling the system FIPS mode the system crypto policy is switched
 to DEFAULT and the kernel command line option 'fips=0' is set.
--- a/crypto-policies-nss.patch
+++ b/crypto-policies-nss.patch
@ -0,0 +1,42 @@
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py
+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
+@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator):
+         try:
+             with os.fdopen(fd, 'w') as f:
+                 f.write(config)
+-            try:
+-                ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+-                           '>/dev/null',
+-                           shell=True)
+-            except CalledProcessError:
+-                cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+            if os.path.exists('/usr/bin/nss-policy-check'):
+                # Perform a policy check only if the mozilla-nss-tools
+                # package is installed. This avoids adding more
+                # dependencies to Ring0.
+                try:
+                    ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+                               '>/dev/null', shell=True)
+                except CalledProcessError:
+                    cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+            else:
+                # The mozilla-nss-tools package is not installed and we can
+                # temporarily skip the policy check for mozilla-nss.
+                ret = 3
+
+         finally:
+             os.unlink(path)
+ 
+@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator):
+             cls.eprint("There is a warning in NSS generated policy")
+             cls.eprint(f'Policy:\n{config}')
+             return False
+        elif ret == 3:
+            cls.eprint('Skipping NSS policy check: '
+                       '/usr/bin/nss-policy-check not found')
+            return True
+         elif ret:
+             cls.eprint("There is an error in NSS generated policy")
+             cls.eprint(f'Policy:\n{config}')
--- a/crypto-policies-policygenerators.patch
+++ b/crypto-policies-policygenerators.patch
@ -1,8 +1,8 @@
-Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/__init__.py
-+++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py
-@@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/__init__.py
+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
+@@ -8,7 +8,7 @@ from .gnutls import GnuTLSGenerator
 from .java import JavaGenerator
 from .java import JavaSystemGenerator
 from .krb5 import KRB5Generator
@ -11,9 +11,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.
 from .libssh import LibsshGenerator
 from .nss import NSSGenerator
 from .openssh import OpenSSHClientGenerator
- from .openssh import OpenSSHServerGenerator
+@@ -16,8 +16,8 @@ from .openssh import OpenSSHServerGenera
 from .openssl import OpenSSLConfigGenerator
 from .openssl import OpenSSLGenerator
+ from .openssl import OpenSSLFIPSGenerator
 -from .sequoia import SequoiaGenerator
 -from .sequoia import RPMSequoiaGenerator
 +# from .sequoia import SequoiaGenerator
@ -21,7 +22,7 @@ Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.
 
 __all__ = [
     'BindGenerator',
-@@ -24,13 +24,14 @@ __all__ = [
+@@ -25,7 +25,6 @@ __all__ = [
     'JavaGenerator',
     'JavaSystemGenerator',
     'KRB5Generator',
@ -29,13 +30,14 @@ Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.
     'LibsshGenerator',
     'NSSGenerator',
     'OpenSSHClientGenerator',
-     'OpenSSHServerGenerator',
+@@ -33,6 +32,8 @@ __all__ = [
     'OpenSSLConfigGenerator',
     'OpenSSLGenerator',
+     'OpenSSLFIPSGenerator',
 -    'SequoiaGenerator',
 -    'RPMSequoiaGenerator',
 ]
 +
-+#    'LibreswanGenerator',
-+#    'SequoiaGenerator',
-+#    'RPMSequoiaGenerator',
+#   'LibreswanGenerator',
+#   'SequoiaGenerator',
+#   'RPMSequoiaGenerator',
--- a/crypto-policies-revert-rh-allow-sha1-signatures.patch
+++ b/crypto-policies-revert-rh-allow-sha1-signatures.patch
@ -4,11 +4,11 @@ Date: Fri, 8 Apr 2022 13:47:29 +0200
 Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1


-Index: fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
+Index: fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/policies/FUTURE.pol
-+++ fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
-@@ -65,7 +65,3 @@ sha1_in_certs = 0
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/FUTURE.pol
+++ fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol
+@@ -66,7 +66,3 @@ sha1_in_certs = 0
 arbitrary_dh_groups = 1
 ssh_certs = 1
 ssh_etm = 1
@ -16,10 +16,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
 -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
 -# SHA-1 signatures are blocked in OpenSSL in FUTURE only
 -__openssl_block_sha1_signatures = 1
-Index: fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod
+Index: fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/policies/modules/NO-SHA1.pmod
-+++ fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/modules/NO-SHA1.pmod
+++ fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod
@@ -3,7 +3,3 @@
 hash = -SHA1
 sign = -*-SHA1
@ -28,23 +28,23 @@ Index: fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod
 -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
 -# SHA-1 signatures are blocked in OpenSSL in FUTURE only
 -__openssl_block_sha1_signatures = 1
-Index: fedora-crypto-policies-20230614.5f3458e/python/cryptopolicies/cryptopolicies.py
+Index: fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/python/cryptopolicies/cryptopolicies.py
-+++ fedora-crypto-policies-20230614.5f3458e/python/cryptopolicies/cryptopolicies.py
-@@ -19,7 +19,6 @@ from . import validation  # moved out of
+--- fedora-crypto-policies-20230920.570ea89.orig/python/cryptopolicies/cryptopolicies.py
+++ fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py
+@@ -24,7 +24,6 @@ from . import validation  # moved out of
 INT_DEFAULTS = {k: 0 for k in (
     'arbitrary_dh_groups',
     'min_dh_size', 'min_dsa_size', 'min_rsa_size',
-    '__openssl_block_sha1_signatures',
+-    '__openssl_block_sha1_signatures',  # FUTURE/TEST-FEDORA39/NO-SHA1
     'sha1_in_certs',
     'ssh_certs', 'ssh_etm',
 )}
-Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.py
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/openssl.py
-+++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.py
-@@ -7,14 +7,6 @@ from subprocess import check_output, Cal
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/openssl.py
+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py
+@@ -7,13 +7,6 @@ from subprocess import check_output, Cal
 
 from .configgenerator import ConfigGenerator
 
@ -55,13 +55,12 @@ Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.p
 -[evp_properties]
 -rh-allow-sha1-signatures = {}
 -'''
-
 
- class OpenSSLGenerator(ConfigGenerator):
-     CONFIG_NAME = 'openssl'
-@@ -254,12 +246,6 @@ class OpenSSLConfigGenerator(OpenSSLGene
-         groups = [cls.group_map[i] for i in p['group'] if i in cls.group_map]
-         s += 'Groups = ' + ':'.join(groups) + '\n'
+ FIPS_MODULE_CONFIG = '''
+ [fips_sect]
+@@ -263,12 +256,6 @@ class OpenSSLConfigGenerator(OpenSSLGene
+         if policy.enums['__ems'] == 'RELAX':
+             s += 'Options = RHNoEnforceEMSinFIPS\n'
 
 -        # In the future it'll be just
 -        # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no')
@ -72,11 +71,11 @@ Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.p
         return s
 
     @classmethod
-Index: fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol
+Index: fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/alternative-policies/FUTURE.pol
-+++ fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol
-@@ -71,7 +71,3 @@ sha1_in_dnssec = 0
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/alternative-policies/FUTURE.pol
+++ fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol
+@@ -73,7 +73,3 @@ sha1_in_dnssec = 0
 arbitrary_dh_groups = 1
 ssh_certs = 1
 ssh_etm = 1
@ -84,10 +83,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE
 -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
 -# SHA-1 signatures are blocked in OpenSSL in FUTURE only
 -__openssl_block_sha1_signatures = 1
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@ -98,10 +97,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
@ -112,10 +111,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-op
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@ -126,10 +125,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-openss
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/EMPTY-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/EMPTY-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt
@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS
 Ciphersuites = 
 SignatureAlgorithms = 
@ -140,10 +139,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.tx
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@ -154,10 +153,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@ -168,10 +167,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-ope
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FUTURE-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FUTURE-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
@ -182,10 +181,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.t
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = no
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt
@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1
 TLS.MaxProtocol = TLSv1.3
 SignatureAlgorithms = 
@ -196,10 +195,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcn
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/LEGACY-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
@ -210,10 +209,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.t
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
@ -224,10 +223,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-o
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py
+Index: fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/unit/test_cryptopolicy.py
-+++ fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/unit/test_cryptopolicy.py
+++ fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py
@@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm
         min_dh_size = 0
         min_dsa_size = 0
@ -236,7 +235,7 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py
         sha1_in_certs = 0
         ssh_certs = 0
         ssh_etm = 0
-@@ -291,7 +290,6 @@ def test_cryptopolicy_to_string_twisted(
+@@ -292,7 +291,6 @@ def test_cryptopolicy_to_string_twisted(
         min_dh_size = 0
         min_dsa_size = 0
         min_rsa_size = 0
@ -244,11 +243,11 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py
         sha1_in_certs = 0
         ssh_certs = 0
         ssh_etm = 0
-Index: fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
+Index: fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/policies/TEST-FEDORA39.pol
-+++ fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
-@@ -67,7 +67,3 @@ sha1_in_certs = 0
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/TEST-FEDORA39.pol
+++ fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol
+@@ -68,7 +68,3 @@ sha1_in_certs = 0
 arbitrary_dh_groups = 1
 ssh_certs = 1
 ssh_etm = 1
@ -256,10 +255,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
 -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
 -# SHA-1 signatures will blocked in OpenSSL
 -__openssl_block_sha1_signatures = 1
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FEDORA38-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FEDORA38-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@ -270,10 +269,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@ -284,14 +283,42 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opens
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = no
-Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt
 ===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
- Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
+@@ -7,9 +7,3 @@ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Options = RHNoEnforceEMSinFIPS
 -
 -[openssl_init]
 -alg_section = evp_properties
--- a/crypto-policies.7.gz
+++ b/crypto-policies.7.gz
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Wed Sep 27 10:54:17 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- nss: Skip the NSS policy check if the mozilla-nss-tools package
+  is not installed. This avoids adding more dependencies in ring0.
+  * Add crypto-policies-nss.patch [bsc#1211301]
+
+-------------------------------------------------------------------
+Fri Sep 22 10:27:53 UTC 2023 -  Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20230920.570ea89:
+  * fips-mode-setup: more thorough --disable, still unsupported
+  * FIPS:OSPP: tighten beyond reason for OSPP 4.3
+  * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
+  * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS)
+  * gnutls: prepare for tls-session-hash option coming
+  * nss: prepare for TLS-REQUIRE-EMS option coming
+  * NO-ENFORCE-EMS: add subpolicy
+  * FIPS: set __ems = ENFORCE
+  * cryptopolicies: add enums and __ems tri-state
+  * docs: replace `FIPS 140-2` with just `FIPS 140`
+  * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE
+  * cryptopolicies: add comments on dunder options
+  * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check
+  * BSI: start a BSI TR 02102 policy [jsc#PED-4933]
+  * Rebase patches:
+    - crypto-policies-policygenerators.patch
+    - crypto-policies-revert-rh-allow-sha1-signatures.patch
+    - crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Sep 15 11:23:06 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Conditionally recommend the crypto-policies-scripts package
+  when python is not installed in the system [bsc#1215201]
+
 -------------------------------------------------------------------
 Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

@ -11,7 +47,7 @@ Tue Aug  1 12:23:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

 - FIPS: Adapt the fips-mode-setup script to use the pbl command
  from the perl-Bootloader package to replace grubby. Add a note
-  for transactional systems [jsc#PED-4578].
+  for transactional systems [jsc#PED-5041].
  * Rebase crypto-policies-FIPS.patch

 -------------------------------------------------------------------
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -22,7 +22,7 @@
 %bcond_with manbuild
 %global _python_bytecompile_extra 0
 Name:           crypto-policies
-Version:        20230614.5f3458e
+Version:        20230920.570ea89
 Release:        0
 Summary:        System-wide crypto policies
 License:        LGPL-2.1-or-later
@ -35,8 +35,6 @@ Source3:        update-crypto-policies.8.gz
 Source4:        fips-mode-setup.8.gz
 Source5:        fips-finish-install.8.gz
 Source6:        crypto-policies-rpmlintrc
-# BSI TR-02102 encoded for jsc#PED-4933 (customer request to have BSI TR-02102 policies)
-Source7:        BSI.pol
 %if %{without manbuild}
 #PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
 # To reduce the build dependencies in Ring0, we have to compile the
@ -55,6 +53,8 @@ Patch4:         crypto-policies-revert-rh-allow-sha1-signatures.patch
 Patch5:         crypto-policies-pylint.patch
 #PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
 Patch6:         crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
+Patch7:         crypto-policies-nss.patch
 BuildRequires:  python3-base >= 3.6
 # The sequoia stuff needs python3-toml, removed until needed
 # BuildRequires:  python3-toml
@ -69,7 +69,7 @@ BuildRequires:  gnutls >= 3.6.0
 BuildRequires:  java-devel
 BuildRequires:  krb5-devel
 BuildRequires:  libxslt
-#BuildRequires:  mozilla-nss-tools
+BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl
 BuildRequires:  perl
 BuildRequires:  python3-coverage
@ -82,7 +82,9 @@ BuildRequires:  perl(File::Temp)
 BuildRequires:  perl(File::Which)
 BuildRequires:  perl(File::pushd)
 %endif
+%if 0%{?primary_python:1}
 Recommends:     crypto-policies-scripts
+%endif
 Conflicts:      gnutls < 3.7.3
 #Conflicts:      libreswan < 3.28
 Conflicts:      nss < 3.90.0
@ -138,9 +140,6 @@ mkdir -p -m 755 %{buildroot}%{_bindir}

 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install

-# BSI.pol
-install -c -m 644 %{SOURCE7} %{buildroot}/%{_datarootdir}/crypto-policies/policies/
-
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
@ -166,7 +165,7 @@ rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*

 # Create back-end configs for mounting with read-only /etc/
-for d in LEGACY DEFAULT FUTURE FIPS ; do
+for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
    mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
    for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
        ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
@ -241,6 +240,7 @@ end
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
@ -262,6 +262,7 @@ end
 %{_datarootdir}/crypto-policies/DEFAULT
 %{_datarootdir}/crypto-policies/FUTURE
 %{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/BSI
 %{_datarootdir}/crypto-policies/EMPTY
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
--- a/fedora-crypto-policies-20230614.5f3458e.tar.gz
+++ b/fedora-crypto-policies-20230614.5f3458e.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:40cb4cf8f865336b269fdad5d3f5ab81c8dd8c823cb2b2282f6a96252a529dae
-size 85187
--- a/fedora-crypto-policies-20230920.570ea89.tar.gz
+++ b/fedora-crypto-policies-20230920.570ea89.tar.gz
--- a/fips-finish-install.8.gz
+++ b/fips-finish-install.8.gz
--- a/fips-mode-setup.8.gz
+++ b/fips-mode-setup.8.gz
--- a/update-crypto-policies.8.gz
+++ b/update-crypto-policies.8.gz