
here is the log from the commit of package crypto-policies for openSUSE:Factory 
checked in at 2023-10-02 20:03:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/crypto-policies (Old)
 and      /work/SRC/openSUSE:Factory/.crypto-policies.new.28202 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "crypto-policies"

Mon Oct  2 20:03:59 2023 rev:6 rq:1114288 version:20230920.570ea89

Changes:
--------
--- /work/SRC/openSUSE:Factory/crypto-policies/crypto-policies.changes  
2023-09-07 21:12:04.791887233 +0200
+++ 
/work/SRC/openSUSE:Factory/.crypto-policies.new.28202/crypto-policies.changes   
    2023-10-02 20:04:03.925623668 +0200
@@ -1,0 +2,36 @@
+Wed Sep 27 10:54:17 UTC 2023 - Pedro Monreal <[email protected]>
+
+- nss: Skip the NSS policy check if the mozilla-nss-tools package
+  is not installed. This avoids adding more dependencies in ring0.
+  * Add crypto-policies-nss.patch [bsc#1211301]
+
+-------------------------------------------------------------------
+Fri Sep 22 10:27:53 UTC 2023 -  Pedro Monreal <[email protected]>
+
+- Update to version 20230920.570ea89:
+  * fips-mode-setup: more thorough --disable, still unsupported
+  * FIPS:OSPP: tighten beyond reason for OSPP 4.3
+  * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
+  * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS)
+  * gnutls: prepare for tls-session-hash option coming
+  * nss: prepare for TLS-REQUIRE-EMS option coming
+  * NO-ENFORCE-EMS: add subpolicy
+  * FIPS: set __ems = ENFORCE
+  * cryptopolicies: add enums and __ems tri-state
+  * docs: replace `FIPS 140-2` with just `FIPS 140`
+  * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE
+  * cryptopolicies: add comments on dunder options
+  * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check
+  * BSI: start a BSI TR 02102 policy [jsc#PED-4933]
+  * Rebase patches:
+    - crypto-policies-policygenerators.patch
+    - crypto-policies-revert-rh-allow-sha1-signatures.patch
+    - crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Sep 15 11:23:06 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Conditionally recommend the crypto-policies-scripts package
+  when python is not installed in the system [bsc#1215201]
+
+-------------------------------------------------------------------
@@ -14 +50 @@
-  for transactional systems [jsc#PED-4578].
+  for transactional systems [jsc#PED-5041].

Old:
----
  BSI.pol
  fedora-crypto-policies-20230614.5f3458e.tar.gz

New:
----
  crypto-policies-nss.patch
  fedora-crypto-policies-20230920.570ea89.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ crypto-policies.spec ++++++
--- /var/tmp/diff_new_pack.J7X0d7/_old  2023-10-02 20:04:05.881694013 +0200
+++ /var/tmp/diff_new_pack.J7X0d7/_new  2023-10-02 20:04:05.885694157 +0200
@@ -22,7 +22,7 @@
 %bcond_with manbuild
 %global _python_bytecompile_extra 0
 Name:           crypto-policies
-Version:        20230614.5f3458e
+Version:        20230920.570ea89
 Release:        0
 Summary:        System-wide crypto policies
 License:        LGPL-2.1-or-later
@@ -35,8 +35,6 @@
 Source4:        fips-mode-setup.8.gz
 Source5:        fips-finish-install.8.gz
 Source6:        crypto-policies-rpmlintrc
-# BSI TR-02102 encoded for jsc#PED-4933 (customer request to have BSI TR-02102 
policies)
-Source7:        BSI.pol
 %if %{without manbuild}
 #PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
 # To reduce the build dependencies in Ring0, we have to compile the
@@ -55,6 +53,8 @@
 Patch5:         crypto-policies-pylint.patch
 #PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE 
[jsc#PED-4578]
 Patch6:         crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools 
[bsc#1211301]
+Patch7:         crypto-policies-nss.patch
 BuildRequires:  python3-base >= 3.6
 # The sequoia stuff needs python3-toml, removed until needed
 # BuildRequires:  python3-toml
@@ -69,7 +69,7 @@
 BuildRequires:  java-devel
 BuildRequires:  krb5-devel
 BuildRequires:  libxslt
-#BuildRequires:  mozilla-nss-tools
+BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl
 BuildRequires:  perl
 BuildRequires:  python3-coverage
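Review bot: Re-enabling `BuildRequires: mozilla-nss-tools` puts back into Ring0 the very dependency that the Patch7 changelog entry says it wants to avoid, and nothing next to the line explains why the check is wanted at build time while being optional at runtime. If the intent is that the generated nss.config is validated once during the build and only skipped on minimal installs, say so: `# Lets nss-policy-check validate the generated nss.config during the build; Patch7 makes the check optional at runtime`. Note also that without a runtime `Recommends: mozilla-nss-tools` (not visible in this hunk, possibly on the scripts subpackage) the check introduced by Patch7 is skipped on every installed system that lacks the tool, so a malformed back-end config would only ever be caught here.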
@@ -82,7 +82,9 @@
 BuildRequires:  perl(File::Which)
 BuildRequires:  perl(File::pushd)
 %endif
+%if 0%{?primary_python:1}
 Recommends:     crypto-policies-scripts
+%endif
 Conflicts:      gnutls < 3.7.3
 #Conflicts:      libreswan < 3.28
 Conflicts:      nss < 3.90.0
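Review bot: The new `%if 0%{?primary_python:1}` guard is evaluated when the package is built, so it records whether the build environment defines `primary_python`, not whether Python is installed on the target system as the bsc#1215201 changelog entry says. A spec conditional cannot express an install-time condition, so if the goal is to drop the Recommends on flavors built without a primary Python, a comment should state that to avoid misleading the next maintainer: `# Recommend the python-based scripts only on flavors built with a primary python [bsc#1215201]`. If an install-time check was really intended, it has to be modelled through the dependencies of the scripts subpackage instead.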
@@ -138,9 +140,6 @@
 
 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies 
MANDIR=%{_mandir} %{?_smp_mflags} install
 
-# BSI.pol
-install -c -m 644 %{SOURCE7} 
%{buildroot}/%{_datarootdir}/crypto-policies/policies/
-
 install -p -m 644 default-config 
%{buildroot}%{_sysconfdir}/crypto-policies/config
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
@@ -166,7 +165,7 @@
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
 
 # Create back-end configs for mounting with read-only /etc/
-for d in LEGACY DEFAULT FUTURE FIPS ; do
+for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
     mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
     for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
         ln $f 
%{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f 
.txt).config
@@ -241,6 +240,7 @@
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/gnutls.config
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/openssl.config
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/openssh.config
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/nss.config
@@ -262,6 +262,7 @@
 %{_datarootdir}/crypto-policies/DEFAULT
 %{_datarootdir}/crypto-policies/FUTURE
 %{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/BSI
 %{_datarootdir}/crypto-policies/EMPTY
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config

++++++ _service ++++++
--- /var/tmp/diff_new_pack.J7X0d7/_old  2023-10-02 20:04:05.921695452 +0200
+++ /var/tmp/diff_new_pack.J7X0d7/_new  2023-10-02 20:04:05.925695596 +0200
@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="versionformat">%cd.%h</param>
     <param name="changesgenerate">enable</param>
-    <param name="revision">5f3458e619628288883f22695f3311f1ccd6a39f</param>
+    <param name="revision">570ea89092555c6c289f226bb48c2d8c1f332b0f</param>
   </service>
   <service name="recompress" mode="disabled">
     <param name="file">*.tar</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.J7X0d7/_old  2023-10-02 20:04:05.941696172 +0200
+++ /var/tmp/diff_new_pack.J7X0d7/_new  2023-10-02 20:04:05.945696315 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
-              <param 
name="changesrevision">5f3458e619628288883f22695f3311f1ccd6a39f</param></service></servicedata>
+              <param 
name="changesrevision">570ea89092555c6c289f226bb48c2d8c1f332b0f</param></service></servicedata>
 (No newline at EOF)
 

++++++ crypto-policies-FIPS.patch ++++++
--- /var/tmp/diff_new_pack.J7X0d7/_old  2023-10-02 20:04:05.953696603 +0200
+++ /var/tmp/diff_new_pack.J7X0d7/_new  2023-10-02 20:04:05.957696747 +0200
@@ -1,7 +1,7 @@
-Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
+Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
 ===================================================================
---- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup
-+++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup
++++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup
 @@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
        exit 1
  fi
@@ -22,7 +22,7 @@
  
  # Detect 1: kernel FIPS flag
  fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
-@@ -203,9 +216,22 @@ else
+@@ -204,9 +217,22 @@ else
          fi
  fi
  
@@ -48,7 +48,7 @@
  fi
  
  echo "FIPS mode will be $(enable2txt $enable_fips)."
-@@ -216,15 +242,19 @@ if test $boot_config = 0 ; then
+@@ -217,15 +243,19 @@ if test $boot_config = 0 ; then
        echo "Now you need to configure the bootloader to add kernel options 
\"$fipsopts\""
        echo "and reboot the system for the setting to take effect."
  else
@@ -77,37 +77,40 @@
        echo "Please reboot the system for the setting to take effect."
  fi
  
-Index: fedora-crypto-policies-20230614.5f3458e/fips-finish-install
+Index: fedora-crypto-policies-20230920.570ea89/fips-finish-install
 ===================================================================
---- fedora-crypto-policies-20230614.5f3458e.orig/fips-finish-install
-+++ fedora-crypto-policies-20230614.5f3458e/fips-finish-install
-@@ -23,7 +23,16 @@ fi
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-finish-install
++++ fedora-crypto-policies-20230920.570ea89/fips-finish-install
+@@ -24,6 +24,15 @@ fi
  
  umask 022
  
--trap "rm -f $dracut_cfg" ERR
-+# trap "rm -f $dracut_cfg" ERR
-+
 +# Install required packages: patterns-base-fips and perl-Bootloader
 +if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then
-+      zypper -n install patterns-base-fips perl-Bootloader
++       zypper -n install patterns-base-fips perl-Bootloader
 +elif test ! -f $dracut_cfg ; then
-+      zypper -n install patterns-base-fips
++       zypper -n install patterns-base-fips
 +elif test ! -x "$(command -v pbl)" ; then
-+      zypper -n install perl-Bootloader
++       zypper -n install perl-Bootloader
 +fi
- 
++
  if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then
        # No dracut configuration or boot directory present, do not try to 
modify it.
-@@ -32,23 +41,23 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
+       # Also, on OSTree systems, we currently rely on the initrd already 
including
+@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
        exit 0
  fi
  
--cat >$dracut_cfg <<EOF
+-if test x"$1" == x--complete; then
+-      trap "rm -f $dracut_cfg" ERR
+-      cat >$dracut_cfg <<EOF
 -# turn on fips module
 -
 -add_dracutmodules+=" fips "
 -EOF
+-elif test x"$1" == x--undo; then
+-      rm -f $dracut_cfg
+-fi
 -
 -echo "Kernel initramdisks are being regenerated. This might take some time."
 -
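Review bot: The three `zypper -n install …` calls added to fips-finish-install never check their exit status, so if the repository is unreachable or the pattern is missing the script carries on as though patterns-base-fips and pbl were present; whether the script runs under `set -e` is not visible in this hunk, and the surrounding code starts outside it. Since the dracut configuration is commented out on SUSE in the following hunk, installing this pattern is the only step that enables the FIPS initrd, so a failed install should be fatal rather than silent, e.g. `zypper -n install patterns-base-fips perl-Bootloader || { echo "fips-finish-install: package installation failed" >&2; exit 1; }` in each branch. The rebase also changes these lines from a tab to space indentation, which is harmless but worth keeping consistent with the rest of the script.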
@@ -123,16 +126,21 @@
 -              echo '`zipl` execution has been skipped: `zipl` not found.'
 -      fi
 -fi
-+# cat >$dracut_cfg <<EOF
++# if test x"$1" == x--complete; then
++#     trap "rm -f $dracut_cfg" ERR
++#     cat >$dracut_cfg <<EOF
 +# # turn on fips module
-+#
++
 +# add_dracutmodules+=" fips "
 +# EOF
-+#
++# elif test x"$1" == x--undo; then
++#     rm -f $dracut_cfg
++# fi
++
 +# echo "Kernel initramdisks are being regenerated. This might take some time."
-+#
++
 +# dracut -f --regenerate-all
-+#
++
 +# # This is supposed to be a fast and safe operation that's always good to 
run.
 +# # Regenerating an initrd and skipping it might render the system unbootable
 +# # (RHBZ#2013195).
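Review bot: Commenting out the whole `--complete`/`--undo` block also disables upstream's new `elif test x"$1" == x--undo; then rm -f $dracut_cfg` branch, so on SUSE `fips-finish-install --undo` (the path used by the "more thorough --disable" in this release) leaves any existing `$dracut_cfg` in place and the fips dracut module stays enabled in regenerated initrds. If patterns-base-fips owns that file and removing it is intentionally out of scope, state that in the patch next to the commented block; otherwise keep the undo branch live: `if test x"$1" == x--undo; then` / `rm -f $dracut_cfg` / `fi`. The script's option handling is outside this hunk, so I cannot confirm whether `--undo` is reached on the SUSE path.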
@@ -143,10 +151,10 @@
 +#             echo '`zipl` execution has been skipped: `zipl` not found.'
 +#     fi
 +# fi
-Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup.8.txt
+Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
 ===================================================================
---- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup.8.txt
-+++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup.8.txt
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup.8.txt
++++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
 @@ -45,6 +45,23 @@ Then the command modifies the boot loade
  When disabling the system FIPS mode the system crypto policy is switched
  to DEFAULT and the kernel command line option 'fips=0' is set.

++++++ crypto-policies-nss.patch ++++++
Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py
+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator):
         try:
             with os.fdopen(fd, 'w') as f:
                 f.write(config)
-            try:
-                ret = call(f'/usr/bin/nss-policy-check {options} {path}'
-                           '>/dev/null',
-                           shell=True)
-            except CalledProcessError:
-                cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+            if os.path.exists('/usr/bin/nss-policy-check'):
+                # Perform a policy check only if the mozilla-nss-tools
+                # package is installed. This avoids adding more
+                # dependencies to Ring0.
+                try:
+                    ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+                               '>/dev/null', shell=True)
+                except CalledProcessError:
+                    cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+            else:
+                # The mozilla-nss-tools package is not installed and we can
+                # temporarily skip the policy check for mozilla-nss.
+                ret = 3
+
         finally:
             os.unlink(path)
 
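Review bot: Using `ret = 3` as the "tool not installed" sentinel overloads the exit-code space of nss-policy-check: `call()` returns whatever status the process exits with, so if the checker ever exits 3 on a real failure (its exit codes are not visible here) the config would be reported as skipped and accepted. Use a value no process can return, `ret = None`, and test for it explicitly in the result branch, `elif ret is None:`. Separately, `call()` never raises `CalledProcessError` (that is `check_call`), so the pre-existing except clause is dead code and the new nesting only moves it. The enclosing method starts before this hunk.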
@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator):
             cls.eprint("There is a warning in NSS generated policy")
             cls.eprint(f'Policy:\n{config}')
             return False
+        elif ret == 3:
+            cls.eprint('Skipping NSS policy check: '
+                       '/usr/bin/nss-policy-check not found')
+            return True
         elif ret:
             cls.eprint("There is an error in NSS generated policy")
             cls.eprint(f'Policy:\n{config}')
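Review bot: The skip branch returns True, so an nss.config that was never validated is accepted as good and the only trace is one stderr line; that is the stated Ring0 trade-off, but the message should make clear the config was installed unvalidated so an operator reading the log does not mistake it for a pass, e.g. `'Skipping NSS policy check: /usr/bin/nss-policy-check not found; nss.config was not validated'`. A short comment above the branch noting that this is meant to be temporary (as the first hunk's comment says) would also help whoever revisits it once the dependency situation changes.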

++++++ crypto-policies-policygenerators.patch ++++++
--- /var/tmp/diff_new_pack.J7X0d7/_old  2023-10-02 20:04:05.977697466 +0200
+++ /var/tmp/diff_new_pack.J7X0d7/_new  2023-10-02 20:04:05.981697610 +0200
@@ -1,8 +1,8 @@
-Index: 
fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py
+Index: 
fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/__init__.py
-+++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py
-@@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator
+--- 
fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/__init__.py
++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
+@@ -8,7 +8,7 @@ from .gnutls import GnuTLSGenerator
  from .java import JavaGenerator
  from .java import JavaSystemGenerator
  from .krb5 import KRB5Generator
@@ -11,9 +11,10 @@
  from .libssh import LibsshGenerator
  from .nss import NSSGenerator
  from .openssh import OpenSSHClientGenerator
- from .openssh import OpenSSHServerGenerator
+@@ -16,8 +16,8 @@ from .openssh import OpenSSHServerGenera
  from .openssl import OpenSSLConfigGenerator
  from .openssl import OpenSSLGenerator
+ from .openssl import OpenSSLFIPSGenerator
 -from .sequoia import SequoiaGenerator
 -from .sequoia import RPMSequoiaGenerator
 +# from .sequoia import SequoiaGenerator
@@ -21,7 +22,7 @@
  
  __all__ = [
      'BindGenerator',
-@@ -24,13 +24,14 @@ __all__ = [
+@@ -25,7 +25,6 @@ __all__ = [
      'JavaGenerator',
      'JavaSystemGenerator',
      'KRB5Generator',
@@ -29,14 +30,15 @@
      'LibsshGenerator',
      'NSSGenerator',
      'OpenSSHClientGenerator',
-     'OpenSSHServerGenerator',
+@@ -33,6 +32,8 @@ __all__ = [
      'OpenSSLConfigGenerator',
      'OpenSSLGenerator',
+     'OpenSSLFIPSGenerator',
 -    'SequoiaGenerator',
 -    'RPMSequoiaGenerator',
  ]
 +
-+#    'LibreswanGenerator',
-+#    'SequoiaGenerator',
-+#    'RPMSequoiaGenerator',
++#   'LibreswanGenerator',
++#   'SequoiaGenerator',
++#   'RPMSequoiaGenerator',
 

++++++ crypto-policies-revert-rh-allow-sha1-signatures.patch ++++++
--- /var/tmp/diff_new_pack.J7X0d7/_old  2023-10-02 20:04:05.993698042 +0200
+++ /var/tmp/diff_new_pack.J7X0d7/_new  2023-10-02 20:04:05.997698185 +0200
@@ -4,11 +4,11 @@
 Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
 
 
-Index: fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
+Index: fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol
 ===================================================================
---- fedora-crypto-policies-20230614.5f3458e.orig/policies/FUTURE.pol
-+++ fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
-@@ -65,7 +65,3 @@ sha1_in_certs = 0
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/FUTURE.pol
++++ fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol
+@@ -66,7 +66,3 @@ sha1_in_certs = 0
  arbitrary_dh_groups = 1
  ssh_certs = 1
  ssh_etm = 1
@@ -16,10 +16,10 @@
 -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
 -# SHA-1 signatures are blocked in OpenSSL in FUTURE only
 -__openssl_block_sha1_signatures = 1
-Index: fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod
+Index: fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod
 ===================================================================
---- fedora-crypto-policies-20230614.5f3458e.orig/policies/modules/NO-SHA1.pmod
-+++ fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/modules/NO-SHA1.pmod
++++ fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod
 @@ -3,7 +3,3 @@
  hash = -SHA1
  sign = -*-SHA1
@@ -28,23 +28,23 @@
 -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
 -# SHA-1 signatures are blocked in OpenSSL in FUTURE only
 -__openssl_block_sha1_signatures = 1
-Index: 
fedora-crypto-policies-20230614.5f3458e/python/cryptopolicies/cryptopolicies.py
+Index: 
fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/python/cryptopolicies/cryptopolicies.py
-+++ 
fedora-crypto-policies-20230614.5f3458e/python/cryptopolicies/cryptopolicies.py
-@@ -19,7 +19,6 @@ from . import validation  # moved out of
+--- 
fedora-crypto-policies-20230920.570ea89.orig/python/cryptopolicies/cryptopolicies.py
++++ 
fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py
+@@ -24,7 +24,6 @@ from . import validation  # moved out of
  INT_DEFAULTS = {k: 0 for k in (
      'arbitrary_dh_groups',
      'min_dh_size', 'min_dsa_size', 'min_rsa_size',
--    '__openssl_block_sha1_signatures',
+-    '__openssl_block_sha1_signatures',  # FUTURE/TEST-FEDORA39/NO-SHA1
      'sha1_in_certs',
      'ssh_certs', 'ssh_etm',
  )}
-Index: 
fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.py
+Index: 
fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/openssl.py
-+++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.py
-@@ -7,14 +7,6 @@ from subprocess import check_output, Cal
+--- 
fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/openssl.py
++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py
+@@ -7,13 +7,6 @@ from subprocess import check_output, Cal
  
  from .configgenerator import ConfigGenerator
  
@@ -55,13 +55,12 @@
 -[evp_properties]
 -rh-allow-sha1-signatures = {}
 -'''
--
  
- class OpenSSLGenerator(ConfigGenerator):
-     CONFIG_NAME = 'openssl'
-@@ -254,12 +246,6 @@ class OpenSSLConfigGenerator(OpenSSLGene
-         groups = [cls.group_map[i] for i in p['group'] if i in cls.group_map]
-         s += 'Groups = ' + ':'.join(groups) + '\n'
+ FIPS_MODULE_CONFIG = '''
+ [fips_sect]
+@@ -263,12 +256,6 @@ class OpenSSLConfigGenerator(OpenSSLGene
+         if policy.enums['__ems'] == 'RELAX':
+             s += 'Options = RHNoEnforceEMSinFIPS\n'
  
 -        # In the future it'll be just
 -        # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no')
@@ -72,11 +71,11 @@
          return s
  
      @classmethod
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/alternative-policies/FUTURE.pol
-+++ 
fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol
-@@ -71,7 +71,3 @@ sha1_in_dnssec = 0
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/alternative-policies/FUTURE.pol
++++ 
fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol
+@@ -73,7 +73,3 @@ sha1_in_dnssec = 0
  arbitrary_dh_groups = 1
  ssh_certs = 1
  ssh_etm = 1
@@ -84,10 +83,10 @@
 -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
 -# SHA-1 signatures are blocked in OpenSSL in FUTURE only
 -__openssl_block_sha1_signatures = 1
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT-opensslcnf.txt
-+++ 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT-opensslcnf.txt
++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
  DTLS.MaxProtocol = DTLSv1.2
  SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@@ -98,10 +97,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
-+++ 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
  DTLS.MaxProtocol = DTLSv1.2
  SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
@@ -112,10 +111,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
-+++ 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
  DTLS.MaxProtocol = DTLSv1.2
  SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@@ -126,10 +125,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/EMPTY-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/EMPTY-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt
 @@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS
  Ciphersuites = 
  SignatureAlgorithms = 
@@ -140,10 +139,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
  DTLS.MaxProtocol = DTLSv1.2
  SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@@ -154,10 +153,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
-+++ 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
  DTLS.MaxProtocol = DTLSv1.2
  SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@@ -168,10 +167,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FUTURE-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FUTURE-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
  DTLS.MaxProtocol = DTLSv1.2
  SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
@@ -182,10 +181,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = no
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
-+++ 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt
 @@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1
  TLS.MaxProtocol = TLSv1.3
  SignatureAlgorithms = 
@@ -196,10 +195,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/LEGACY-opensslcnf.txt
-+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
  DTLS.MaxProtocol = DTLSv1.2
  SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
@@ -210,10 +209,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
-+++ 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
  DTLS.MaxProtocol = DTLSv1.2
  SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
@@ -224,10 +223,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py
+Index: fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/unit/test_cryptopolicy.py
-+++ fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/unit/test_cryptopolicy.py
++++ fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py
 @@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm
          min_dh_size = 0
          min_dsa_size = 0
@@ -236,7 +235,7 @@
          sha1_in_certs = 0
          ssh_certs = 0
          ssh_etm = 0
-@@ -291,7 +290,6 @@ def test_cryptopolicy_to_string_twisted(
+@@ -292,7 +291,6 @@ def test_cryptopolicy_to_string_twisted(
          min_dh_size = 0
          min_dsa_size = 0
          min_rsa_size = 0
@@ -244,11 +243,11 @@
          sha1_in_certs = 0
          ssh_certs = 0
          ssh_etm = 0
-Index: fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
+Index: fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol
 ===================================================================
---- fedora-crypto-policies-20230614.5f3458e.orig/policies/TEST-FEDORA39.pol
-+++ fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
-@@ -67,7 +67,3 @@ sha1_in_certs = 0
+--- fedora-crypto-policies-20230920.570ea89.orig/policies/TEST-FEDORA39.pol
++++ fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol
+@@ -68,7 +68,3 @@ sha1_in_certs = 0
  arbitrary_dh_groups = 1
  ssh_certs = 1
  ssh_etm = 1
@@ -256,10 +255,10 @@
 -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
 -# SHA-1 signatures will blocked in OpenSSL
 -__openssl_block_sha1_signatures = 1
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FEDORA38-opensslcnf.txt
-+++ 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FEDORA38-opensslcnf.txt
++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
  DTLS.MaxProtocol = DTLSv1.2
  SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@@ -270,10 +269,10 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = yes
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt
-+++ 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt
++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
  DTLS.MaxProtocol = DTLSv1.2
  SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
@@ -284,14 +283,42 @@
 -
 -[evp_properties]
 -rh-allow-sha1-signatures = no
-Index: 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt
+===================================================================
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = 
ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
 ===================================================================
---- 
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
-+++ 
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-opensslcnf.txt
++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
 @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
  DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = 
secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
+===================================================================
+--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt
+@@ -7,9 +7,3 @@ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
  Groups = 
secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Options = RHNoEnforceEMSinFIPS
 -
 -[openssl_init]
 -alg_section = evp_properties
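Review bot: The new FIPS:NO-ENFORCE-EMS expected output keeps `Options = RHNoEnforceEMSinFIPS` as a context line while the same patch strips the `[openssl_init]`/`alg_section = evp_properties`/`rh-allow-sha1-signatures` block from this and the neighbouring outputs; both are downstream-only OpenSSL knobs, so the treatment is inconsistent. Upstream OpenSSL's `Options` SSL_CONF command rejects unknown option names, so if the openSUSE OpenSSL build does not carry the patch implementing `RHNoEnforceEMSinFIPS`, loading the generated config would presumably fail or the subpolicy would silently not relax EMS — worth confirming against the shipped OpenSSL before this policy is offered. If the option is unsupported, the generator and this expected output should drop the line, i.e. remove `Options = RHNoEnforceEMSinFIPS` here the same way the evp_properties block is removed. The inner `@@ -7,9 +7,3 @@` hunk of the patched output file continues past the end of this outer hunk, so only three of its six removed lines are visible.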

++++++ crypto-policies.7.gz ++++++
--- /var/tmp/diff_new_pack.J7X0d7/_old  2023-10-02 20:04:06.025699192 +0200
+++ /var/tmp/diff_new_pack.J7X0d7/_new  2023-10-02 20:04:06.033699480 +0200
@@ -2,12 +2,12 @@
 .\"     Title: crypto-policies
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 08/31/2023
+.\"      Date: 09/22/2023
 .\"    Manual: \ \&
 .\"    Source: crypto-policies
 .\"  Language: English
 .\"
-.TH "CRYPTO\-POLICIES" "7" "08/31/2023" "crypto\-policies" "\ \&"
+.TH "CRYPTO\-POLICIES" "7" "09/22/2023" "crypto\-policies" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -646,14 +646,196 @@
 .RE
 .RE
 .PP
+\fBBSI\fR
+.RS 4
+A security policy based on recommendations by the german government agency BSI 
(Bundesamt fuer Sicherheit in der Informationstechnik, translated as "agency 
for security in software technology") in its ruleset BSI TR 02102 (TR \- 
technical recommendation)\&. The BSI TR 02102 standard is updated in regular 
intervals\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+This policy does not allow the use of *SHA\-1* in signature algorithms
+(except *DNSSEC* and *RPM*)\&.
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+The policy also provides some (not complete) preparation for
+post\-quantum encryption support in form of 256\-bit symmetric encryption
+requirement\&.
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+The *RSA* parameters are accepted if larger than 2047 bits, and
+*Diffie\-Hellman* parameters are accepted if larger than 3071 bits\&.
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+This policy provides at least 128\-bit security, excepting the transition
+of *RSA*\&.
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+MACs: all
+\fBHMAC\fR
+with
+\fBSHA\-256\fR
+or better + all modern MACs
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Curves: all prime >= 255 bits (including Bernstein curves)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Signature algorithms: with
+\fBSHA\-256\fR
+hash or better (no
+\fBDSA\fR)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBTLS\fR
+Ciphers: >= 256\-bit key, >= 128\-bit block, only Authenticated Encryption 
(AE) ciphers
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+non\-TLS Ciphers: same as
+\fBTLS\fR
+ciphers with added non AE ciphers
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+key exchange:
+\fBECDHE\fR,
+\fBDHE\fR
+(no
+\fBDHE\-DSS\fR, no
+\fBRSA\fR)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBDH\fR
+params size: >= 3072
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBRSA\fR
+keys size: >= 2048 (until end of 2023, then it will switch to 3072)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBTLS\fR
+protocols:
+\fBTLS\fR
+>= 1\&.2,
+\fBDTLS\fR
+>= 1\&.2
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+Note that compared to others profiles *Chacha20* and *Camellia* are not
+recommended by the BSI\&.
+.fi
+.if n \{\
+.RE
+.\}
+.RE
+.RE
+.PP
 \fBFIPS\fR
 .RS 4
 A policy to aid conformance to the
-\fBFIPS 140\-2\fR
+\fBFIPS 140\fR
 requirements\&. This policy is used internally by the
 \fBfips\-mode\-setup(8)\fR
 tool which can switch the system into the
-\fBFIPS 140\-2\fR
+\fBFIPS 140\fR
 mode\&. This policy provides at least 112\-bit security\&.
 .sp
 .RS 4
@@ -1056,7 +1238,7 @@
 .RS 4
 This command allows the system administrator to enable, or disable the system 
FIPS mode and also apply the
 \fBFIPS\fR
-cryptographic policy which limits the allowed algorithms and protocols to 
these allowed by the FIPS 140\-2 requirements\&.
+cryptographic policy which limits the allowed algorithms and protocols to 
these allowed by the FIPS 140 requirements\&.
 .RE
 .SH "NOTES"
 .sp

++++++ fedora-crypto-policies-20230614.5f3458e.tar.gz -> 
fedora-crypto-policies-20230920.570ea89.tar.gz ++++++
++++ 2109 lines of diff (skipped)

++++++ fips-finish-install.8.gz ++++++
--- /var/tmp/diff_new_pack.J7X0d7/_old  2023-10-02 20:04:06.177704659 +0200
+++ /var/tmp/diff_new_pack.J7X0d7/_new  2023-10-02 20:04:06.181704803 +0200
@@ -2,12 +2,12 @@
 .\"     Title: fips-finish-install
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 08/31/2023
+.\"      Date: 09/22/2023
 .\"    Manual: \ \&
 .\"    Source: fips-finish-install
 .\"  Language: English
 .\"
-.TH "FIPS\-FINISH\-INSTAL" "8" "08/31/2023" "fips\-finish\-install" "\ \&"
+.TH "FIPS\-FINISH\-INSTAL" "8" "09/22/2023" "fips\-finish\-install" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -31,17 +31,17 @@
 fips-finish-install \- complete the installation of FIPS modules\&.
 .SH "SYNOPSIS"
 .sp
-\fBfips\-finish\-install\fR \-\-complete
+\fBfips\-finish\-install\fR [\-\-complete|\-\-undo]
 .SH "DESCRIPTION"
 .sp
 fips\-finish\-install(8) is used by the fips\-mode\-setup(8) command to 
complete the installation of the system FIPS modules\&. The tool is not 
supposed to be called directly by the system administrator, but it is possible 
to do so\&.
-.sp
-The completion of the installation cannot be undone\&. The system has to be 
reinstalled if the FIPS modules are not supposed to be installed anymore\&.
 .SH "OPTIONS"
 .sp
 The only recognized and mandatory option is:
 .sp
 \-\-complete: The command completes the FIPS module installation and calls 
\fIdracut \-f\fR to regenerate the initramfs\&.
+.sp
+\-\-undo: The command undoes some of the FIPS module installation steps\&. 
Please note that module installation cannot be undone without reformatting of 
and overwriting, at least once, the platform\(cqs hard drive or other permanent 
storage media\&. This option is not meant to be used in production, is not 
supported, and is implemented for testing purposes only\&.
 .SH "SEE ALSO"
 .sp
 fips\-mode\-setup(8)

++++++ fips-mode-setup.8.gz ++++++
--- /var/tmp/diff_new_pack.J7X0d7/_old  2023-10-02 20:04:06.197705378 +0200
+++ /var/tmp/diff_new_pack.J7X0d7/_new  2023-10-02 20:04:06.205705666 +0200
@@ -2,12 +2,12 @@
 .\"     Title: fips-mode-setup
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 08/31/2023
+.\"      Date: 09/22/2023
 .\"    Manual: \ \&
 .\"    Source: fips-mode-setup
 .\"  Language: English
 .\"
-.TH "FIPS\-MODE\-SETUP" "8" "08/31/2023" "fips\-mode\-setup" "\ \&"
+.TH "FIPS\-MODE\-SETUP" "8" "09/22/2023" "fips\-mode\-setup" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -120,7 +120,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-\-\-disable: Undo some of the FIPS\-enablement steps (unsupported)\&.
+\-\-disable: Undo some of the FIPS\-enablement steps\&. Please note that 
module installation cannot be undone without reformatting of and overwriting, 
at least once, the platform\(cqs hard drive or other permanent storage media\&. 
This option is not meant to be used in production, is not supported, and is 
implemented for testing purposes only\&.
 .RE
 .sp
 .RS 4

++++++ update-crypto-policies.8.gz ++++++
--- /var/tmp/diff_new_pack.J7X0d7/_old  2023-10-02 20:04:06.221706241 +0200
+++ /var/tmp/diff_new_pack.J7X0d7/_new  2023-10-02 20:04:06.229706529 +0200
@@ -2,12 +2,12 @@
 .\"     Title: update-crypto-policies
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 08/31/2023
+.\"      Date: 09/22/2023
 .\"    Manual: \ \&
 .\"    Source: update-crypto-policies
 .\"  Language: English
 .\"
-.TH "UPDATE\-CRYPTO\-POLI" "8" "08/31/2023" "update\-crypto\-policies" "\ \&"
+.TH "UPDATE\-CRYPTO\-POLI" "8" "09/22/2023" "update\-crypto\-policies" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
