Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package crypto-policies for openSUSE:Factory 
checked in at 2025-03-24 13:25:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/crypto-policies (Old)
 and      /work/SRC/openSUSE:Factory/.crypto-policies.new.2696 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "crypto-policies"

Mon Mar 24 13:25:09 2025 rev:9 rq:1255022 version:20250124.4d262e7

Changes:
--------
--- /work/SRC/openSUSE:Factory/crypto-policies/crypto-policies.changes  
2024-02-02 15:44:38.615006922 +0100
+++ 
/work/SRC/openSUSE:Factory/.crypto-policies.new.2696/crypto-policies.changes    
    2025-03-24 13:25:09.818077502 +0100
@@ -1,0 +2,153 @@
+Tue Mar 18 13:45:44 UTC 2025 - Pedro Monreal <pmonr...@suse.com>
+
+- Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
+  * Add crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
+
+-------------------------------------------------------------------
+Tue Mar 11 12:40:44 UTC 2025 - Pedro Monreal <pmonr...@suse.com>
+
+- Enable SHA1 sigver in the DEFAULT policy.
+  * Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
+
+-------------------------------------------------------------------
+Fri Feb 28 13:18:00 UTC 2025 - Pedro Monreal <pmonr...@suse.com>
+
+- Fix fips-mode-setup in EFI or Secure Boot mode. [bsc#1227637]
+  * Rebase crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal <pmonr...@suse.com>
+
+- Remove dangling symlink for the libreswan config [bsc#1236858]
+- Remove also sequoia config and generator files
+- Remove not needed fips bind mount service
+
+-------------------------------------------------------------------
+Tue Feb 04 10:18:07 UTC 2025 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to version 20250124.4d262e7: [bsc#1239009, bsc#1236165]
+  * openssl: stricter enabling of Ciphersuites
+  * openssl: make use of -CBC and -AESGCM keywords
+  * openssl: add TLS 1.3 Brainpool identifiers
+  * fix warning on using experimental key_exchanges
+  * update-crypto-policies: don't output FIPS warning in fips mode
+  * openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256
+  * openssh, libssh: refactor kx maps to use tuples
+  * alg_lists: mark MLKEM768/SNTRUP kex experimental
+  * nss: revert enabling mlkem768secp256r1
+  * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber
+  * gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768
+  * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768
+  * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768
+  * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256
+  * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384...
+  * python/update-crypto-policies: pacify pylint
+  * fips-mode-setup: tolerate fips dracut module presence w/o FIPS
+  * fips-mode-setup: small Argon2 detection fix
+  * SHA1: add __openssl_block_sha1_signatures = 0
+  * fips-mode-setup: block if LUKS devices using Argon2 are detected
+  * update-crypto-policies: skip warning on --set=FIPS if bootc
+  * fips-setup-helper: skip warning, BTW
+  * fips-mode-setup: force --no-bootcfg when UKI is detected
+  * fips-setup-helper: add a libexec helper for anaconda
+  * fips-crypto-policy-overlay: automount FIPS policy
+  * openssh: make dss no longer enableble, support is dropped
+  * gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768
+  * DEFAULT: switch to rh-allow-sha1-signatures = no...
+  * java: drop unused javasystem backend
+  * java: stop specifying jdk.tls.namedGroups in javasystem
+  * ec_min_size: introduce and use in java, default to 256
+  * java: use and include jdk.disabled.namedCurves
+  * BSI: Update BSI policy for new 2024 minimum recommendations
+  * fips-mode-setup: flashy ticking warning upon use
+  * fips-mode-setup: add another scary "unsupported"
+  * CONTRIBUTING.md: add a small section on updating policies
+  * CONTRIBUTING.md: remove trailing punctuation from headers
+  * BSI: switch to 3072 minimum RSA key size
+  * java: make hash, mac and sign more orthogonal
+  * java: specify jdk.tls.namedGroups system property
+  * java: respect more key size restrictions
+  * java: disable anon ciphersuites, tying them to NULL...
+  * java: start controlling / disable DTLSv1.0
+  * nss: wire KYBER768 to XYBER768D00
+  * nss: unconditionally load p11-kit-proxy.so
+  * gnutls: make DTLS0.9 controllable again
+  * gnutls: retire GNUTLS_NO_TLS_SESSION_HASH
+  * openssh: remove OPENSSH_MIN_RSA_SIZE / OPENSSH_MIN_RSA_SIZE_FORCE
+  * gnutls: remove extraneous newline
+  * sequoia: move away from subprocess.getstatusoutput
+  * python/cryptopolicies/cryptopolicies.py: add trailing commas
+  * python, tests: rename MalformedLine to MalformedLineError
+  * Makefile: introduce SKIP_LINTING flag for packagers to use
+  * Makefile: run ruff
+  * tests: use pathlib
+  * tests: run(check=True) + CalledProcessError where convenient
+  * tests: use subprocess.run
+  * tests/krb5.py: check all generated policies
+  * tests: print to stderr on error paths
+  * tests/nss.py: also use encoding='utf-8'
+  * tests/nss.py: also use removesuffix
+  * tests/nss.py: skip creating tempfiles
+  * tests/java.pl -> tests/java.py
+  * tests/gnutls.pl -> tests/gnutls.py
+  * tests/openssl.pl -> tests/openssl.py
+  * tests/verify-output.pl: remove
+  * libreswan: do not use up pfs= / ikev2= keywords for default behaviour
+  * Rebase patches:
+    - crypto-policies-no-build-manpages.patch
+    - crypto-policies-policygenerators.patch
+    - crypto-policies-supported.patch
+    - crypto-policies-nss.patch
+
+-------------------------------------------------------------------
+Wed Nov 06 12:27:56 UTC 2024 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to version 20241010.5930b9a:
+  * LEGACY: enable 192-bit ciphers for nss pkcs12/smime
+  * nss: be stricter with new purposes
+  * nss: rewrite backend for 3.101
+  * cryptopolicies: parent scopes for dumping purposes
+  * policygenerators: move scoping inside generators
+  * TEST-PQ: disable pure Kyber768
+  * nss: wire XYBER768D00 to X25519-KYBER768
+  * TEST-PQ: update
+  * TEST-PQ: also enable sntrup761x25519-sha...@openssh.com
+  * TEST-PQ, alg_lists, openssl: enable more experimental `sign` values
+  * TEST-PQ, python: add more groups, mark experimental
+  * openssl: mark liboqsprovider groups optional with ?
+  * Remove patches:
+    - crypto-policies-revert-rh-allow-sha1-signatures.patch
+
+-------------------------------------------------------------------
+Tue Feb 06 10:29:11 UTC 2024 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to version 20240201.9f501f3:
+  * .gitlab-ci.yml: install sequoia-policy-config
+  * java: disable ChaCha20-Poly1305 where applicable
+  * fips-mode-setup: make sure ostree is detected in chroot
+  * fips-finish-install: make sure ostree is detected in chroot
+  * TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl
+  * TEST-PQ: add a no-op subpolicy
+  * update-crypto-policies: Keep mid-sentence upper case
+  * fips-mode-setup: Write error messages to stderr
+  * fips-mode-setup: Fix some shellcheck warnings
+  * fips-mode-setup: Fix test for empty /boot
+  * fips-mode-setup: Avoid 'boot=UUID=' if /boot == /
+  * Update man pages
+  * Rebase patches:
+    - crypto-policies-FIPS.patch
+    - crypto-policies-revert-rh-allow-sha1-signatures.patch
+
+-------------------------------------------------------------------
+Mon Feb 02 08:34:40 UTC 2024 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to version 20231108.adb5572b:
+  * Print matches in syntax deprecation warnings
+  * Restore support for scoped ssh_etm directives
+  * fips-mode-setup: Fix usage with --no-bootcfg
+  * turn ssh_etm into an etm@SSH tri-state
+  * fips-mode-setup: increase chroot-friendliness
+  * bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
+  * pylintrc: use-implicit-booleaness-not-comparison-to-*
+
+-------------------------------------------------------------------
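Review bot: the Tue Mar 11 entry "Enable SHA1 sigver in the DEFAULT policy" re-enables SHA-1 signature verification that this very update switched off upstream ("DEFAULT: switch to rh-allow-sha1-signatures = no" in the 20250124 list above), yet unlike every neighbouring entry it carries no bsc#/jsc# reference or rationale; add one so the deviation from upstream stays auditable. Minor: the "Mon Feb 02 08:34:40 UTC 2024" stamp is inconsistent, 2 Feb 2024 was a Friday.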

Old:
----
  crypto-policies-revert-rh-allow-sha1-signatures.patch
  fedora-crypto-policies-20230920.570ea89.tar.gz

New:
----
  crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
  crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
  fedora-crypto-policies-20250124.4d262e7.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ crypto-policies.spec ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:10.758116670 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:10.762116836 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package crypto-policies
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,8 +21,9 @@
 # manbuild is disabled by default
 %bcond_with manbuild
 %global _python_bytecompile_extra 0
+
 Name:           crypto-policies
-Version:        20230920.570ea89
+Version:        20250124.4d262e7
 Release:        0
 Summary:        System-wide crypto policies
 License:        LGPL-2.1-or-later
@@ -47,41 +48,34 @@
 Patch2:         crypto-policies-policygenerators.patch
 #PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
 Patch3:         crypto-policies-supported.patch
-#PATCH-FIX-OPENSUSE Revert a breaking change that introduces 
rh-allow-sha1-signatures
-Patch4:         crypto-policies-revert-rh-allow-sha1-signatures.patch
 #PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
 Patch5:         crypto-policies-pylint.patch
 #PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE 
[jsc#PED-4578]
 Patch6:         crypto-policies-FIPS.patch
 #PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools 
[bsc#1211301]
 Patch7:         crypto-policies-nss.patch
-BuildRequires:  python3-base >= 3.6
-# The sequoia stuff needs python3-toml, removed until needed
-# BuildRequires:  python3-toml
+#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT
+Patch8:         crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
+#PATCH-FIX-OPENSUSE Allow sshd in FIPS mode when using the DEFAULT policy 
[bsc#1227370]
+Patch9:         crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
+BuildRequires:  python3-base >= 3.11
 %if %{with manbuild}
 BuildRequires:  asciidoc
 %endif
 %if %{with testsuite}
 # The following packages are needed for the testsuite
 BuildRequires:  bind
-BuildRequires:  codespell
-BuildRequires:  gnutls >= 3.6.0
+BuildRequires:  crypto-policies-scripts
+BuildRequires:  gnutls
 BuildRequires:  java-devel
-BuildRequires:  krb5-devel
 BuildRequires:  libxslt
 BuildRequires:  mozilla-nss-tools
+BuildRequires:  openssh-clients
 BuildRequires:  openssl
-BuildRequires:  perl
 BuildRequires:  python-rpm-macros
-BuildRequires:  python3-coverage
-BuildRequires:  python3-devel >= 3.6
-BuildRequires:  python3-flake8
-BuildRequires:  python3-pylint
+BuildRequires:  python3-devel >= 3.11
 BuildRequires:  python3-pytest
-BuildRequires:  perl(File::Copy)
-BuildRequires:  perl(File::Temp)
-BuildRequires:  perl(File::Which)
-BuildRequires:  perl(File::pushd)
+BuildRequires:  systemd-rpm-macros
 %else
 # Avoid cycle with python-rpm-macros
 #!BuildIgnore: python-rpm-packaging python-rpm-macros
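Review bot: the Patch8 header "#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT" is the only PATCH-FIX-OPENSUSE line in this block without a bug or feature reference, and it documents a weakening of the DEFAULT policy relative to upstream; add the reference and a one-line reason in the same form as Patch9's "[bsc#1227370]". While this block is being touched, the unchanged context line "#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script" has a typo ("Adapt").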
@@ -89,10 +83,10 @@
 %if 0%{?primary_python:1}
 Recommends:     crypto-policies-scripts
 %endif
-Conflicts:      gnutls < 3.7.3
-#Conflicts:      libreswan < 3.28
-Conflicts:      nss < 3.90.0
-#Conflicts:      openssh < 8.2p1
+Conflicts:      gnutls < 3.8.8
+Conflicts:      nss < 3.105
+Conflicts:      openssh < 9.9p1
+Conflicts:      openssl < 3.0.2
 #!BuildIgnore:  crypto-policies
 BuildArch:      noarch
 
@@ -105,6 +99,7 @@
 Summary:        Tool to switch between crypto policies
 Requires:       %{name} = %{version}-%{release}
 Recommends:     perl-Bootloader
+Provides:       fips-mode-setup = %{version}-%{release}
 
 %description scripts
 This package provides a tool update-crypto-policies, which applies
@@ -121,15 +116,8 @@
 # Make README.SUSE available for %%doc
 cp -p %{SOURCE1} .
 
-# Remove not needed policy generators
-find -name libreswan.py -delete
-find -name sequoia.py -delete
-
 %build
 export OPENSSL_CONF=''
-sed -i "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
-    python/policygenerators/openssh.py
-grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
 %make_build
 
 %install
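Review bot: dropping the sed/grep pair that pinned MIN_RSA_DEFAULT = 'RequiredRSASize' in python/policygenerators/openssh.py leaves nothing in the build that checks the generated OpenSSH back-end configs still carry a minimum RSA key size. Upstream removed OPENSSH_MIN_RSA_SIZE / OPENSSH_MIN_RSA_SIZE_FORCE in this update (see the changes above), so the pin may well be obsolete, but a grep for RequiredRSASize on the generated opensshserver.config in %check, or a spec comment stating why the pin is no longer needed, would keep that property from regressing silently.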
@@ -162,12 +150,19 @@
 install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
 install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
 
-# Drop pre-generated GOST-ONLY policy, we do not need to ship them
+# Drop pre-generated GOST-ONLY and FEDORA policies, we do not need to ship them
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
-
-# Drop FEDORA policies
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
 
+# Drop libreswan and sequoia config files
+find  %{buildroot} -type f -name 'libreswan.*' -print -delete
+find  %{buildroot} -type f -name 'sequoia.*' -print -delete
+
+# Drop not needed fips bind mount service
+find %{buildroot} -type f -name 'default-fips-config' -print -delete
+find %{buildroot} -type f -name 'fips-setup-helper' -print -delete
+find %{buildroot} -type f -name 'fips-crypto-policy-overlay*' -print -delete
+
 # Create back-end configs for mounting with read-only /etc/
 for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
     mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
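Review bot: the three `find %{buildroot} -type f ... -print -delete` lines that drop the FIPS bind-mount pieces only match regular files; if the upstream install step also creates a systemd .wants/ symlink or any other link pointing at fips-crypto-policy-overlay*, it survives and ships dangling. Either drop `-type f` (or add `-o -type l`), or remove the expected paths explicitly so rpmbuild's unpackaged-files check fails loudly when upstream moves them. Cosmetic: `find  %{buildroot}` has a doubled space on the libreswan and sequoia lines.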
@@ -229,12 +224,24 @@
     end
 end
 
+cfg_path_libreswan = 
"%{_sysconfdir}/crypto-policies/back-ends/libreswan.config"
+st = posix.stat(cfg_path_libreswan)
+if st and st.type == "link" then
+   posix.unlink(cfg_path_libreswan)
+end
+
+cfg_path_javasystem = 
"%{_sysconfdir}/crypto-policies/back-ends/javasystem.config"
+st = posix.stat(cfg_path_javasystem)
+if st and st.type == "link" then
+   posix.unlink(cfg_path_javasystem)
+end
+
 %posttrans scripts
 %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
 
 %files
 %license COPYING.LESSER
-%doc README.md NEWS CONTRIBUTING.md
+%doc README.md CONTRIBUTING.md
 %doc %{_sysconfdir}/crypto-policies/README.SUSE
 
 %dir %{_sysconfdir}/crypto-policies/
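Review bot: the two new Lua blocks are identical apart from the path; a short loop keeps them in sync when the next retired back-end needs the same treatment (this spec also stops ghosting sequoia.config and rpm-sequoia.config further down), e.g. `for _, p in ipairs({"%{_sysconfdir}/crypto-policies/back-ends/libreswan.config", "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config"}) do` followed by the stat/unlink body once. Also worth a comment: the `st.type == "link"` test deliberately leaves a regular-file libreswan.config from an older install in place, which is presumably intended since only the dangling symlink is the bug being fixed.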
@@ -256,12 +263,8 @@
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/nss.config
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/bind.config
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/java.config
-%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/javasystem.config
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/krb5.config
-%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/libssh.config
-%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/sequoia.config
-%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
 # %%verify(not mode) comes from the fact that these turn into symlinks and 
back to regular files at will.
 
 %ghost %{_sysconfdir}/crypto-policies/state/current

++++++ _service ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:10.818119170 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:10.818119170 +0100
@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="versionformat">%cd.%h</param>
     <param name="changesgenerate">enable</param>
-    <param name="revision">570ea89092555c6c289f226bb48c2d8c1f332b0f</param>
+    <param name="revision">4d262e79be1cd15c84cad55ad88c53a2d7712e85</param>
   </service>
   <service name="recompress" mode="disabled">
     <param name="file">*.tar</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:10.854120670 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:10.858120836 +0100
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
-              <param 
name="changesrevision">570ea89092555c6c289f226bb48c2d8c1f332b0f</param></service></servicedata>
+              <param 
name="changesrevision">4d262e79be1cd15c84cad55ad88c53a2d7712e85</param></service></servicedata>
 (No newline at EOF)
 

++++++ crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch ++++++
diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol 
fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol
--- fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol   
2025-01-24 18:31:31.000000000 +0100
+++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol        
2025-03-18 14:39:54.565216139 +0100
@@ -15,9 +15,11 @@
 
 mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
 mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 
HMAC-SHA1
+mac@SSH = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512
 
 group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
         FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+group@SSH = -X25519
 
 hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA3-224 
\
        SHAKE-256
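Review bot: `group@SSH = -X25519` removes X25519 from the SSH scope, so the OpenSSH generator should no longer emit curve25519-sha256 (or its @libssh.org alias) in KexAlgorithms, nor gss-curve25519-sha256- in GSSAPIKexAlgorithms, yet the expected-output files updated later in this same patch keep exactly those entries as unchanged context. Either the test outputs are stale and the testsuite will fail, or the directive is not taking effect; run the openssh test and reconcile the two. The added mac@SSH line also silently drops UMAC-128, which neither the comment nor the changes entry mentions.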
@@ -53,7 +55,8 @@ cipher@RPM = AES-256-CFB AES-128-CFB CAM
 
 # CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks
 # and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014).
-cipher@SSH = -*-CBC
+# disable also chachapoly, as we might run DEFAULT in FIPS mode too.
+cipher@SSH = AES-256-GCM AES-256-CCM CAMELLIA-256-GCM AES-256-CTR AES-128-GCM 
AES-128-CCM CAMELLIA-128-GCM AES-128-CTR
 
 # 'RSA' is intentionally before DHE ciphersuites, as the DHE ciphersuites have
 # interoperability issues in TLS.
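Review bot: replacing the subtractive `cipher@SSH = -*-CBC` with an explicit allow-list changes the maintenance model: any cipher upstream later adds to DEFAULT's `cipher` no longer flows into the SSH scope, and the list names CAMELLIA-256-GCM, CAMELLIA-128-GCM, AES-256-CCM and AES-128-CCM, which the expected output below shows have no OpenSSH mapping at all. `cipher@SSH = -*-CBC -CHACHA20-POLY1305` expresses the stated intent without the dead entries. Since this lands in DEFAULT rather than in a FIPS-only subpolicy, non-FIPS DEFAULT users also lose chacha20-poly1305; the comment should say so explicitly rather than "as we might run DEFAULT in FIPS mode too".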
diff -PpuriN 
fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt
 fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt
--- 
fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt
        2025-01-24 18:31:31.000000000 +0100
+++ 
fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt 
    2025-03-18 14:40:54.831266197 +0100
@@ -1,5 +1,5 @@
-Ciphers 
aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes256-ctr,aes128-...@openssh.com,aes128-ctr
-MACs 
hmac-sha2-256-...@openssh.com,hmac-sha1-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha2-256,hmac-sha1,umac-...@openssh.com,hmac-sha2-512
+Ciphers aes256-...@openssh.com,aes256-ctr,aes128-...@openssh.com,aes128-ctr
+MACs 
hmac-sha2-256-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
 GSSAPIKexAlgorithms 
gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
 KexAlgorithms 
curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
 HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com,sk-ecdsa-sha2-nistp...@openssh.com,sk-ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,ssh-ed25519-cert-...@openssh.com,sk-ssh-ed25...@openssh.com,sk-ssh-ed25519-cert-...@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com
diff -PpuriN 
fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt 
fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt
--- 
fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt  
    2025-01-24 18:31:31.000000000 +0100
+++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt   
2025-03-18 15:41:32.234673018 +0100
@@ -1,7 +1,8 @@
-Ciphers 
aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes256-ctr,aes128-...@openssh.com,aes128-ctr
-MACs 
hmac-sha2-256-...@openssh.com,hmac-sha1-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha2-256,hmac-sha1,umac-...@openssh.com,hmac-sha2-512
+Ciphers aes256-...@openssh.com,aes256-ctr,aes128-...@openssh.com,aes128-ctr
+MACs 
hmac-sha2-256-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
 GSSAPIKexAlgorithms 
gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
 KexAlgorithms 
curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com,sk-ecdsa-sha2-nistp...@openssh.com,sk-ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,ssh-ed25519-cert-...@openssh.com,sk-ssh-ed25...@openssh.com,sk-ssh-ed25519-cert-...@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com
 PubkeyAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com,sk-ecdsa-sha2-nistp...@openssh.com,sk-ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,ssh-ed25519-cert-...@openssh.com,sk-ssh-ed25...@openssh.com,sk-ssh-ed25519-cert-...@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com
 HostbasedAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com,sk-ecdsa-sha2-nistp...@openssh.com,sk-ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,ssh-ed25519-cert-...@openssh.com,sk-ssh-ed25...@openssh.com,sk-ssh-ed25519-cert-...@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com
 CASignatureAlgorithms 
ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp...@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25...@openssh.com,rsa-sha2-256,rsa-sha2-512
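Review bot: the added HostKeyAlgorithms line in the client-side expected output (DEFAULT-openssh.txt) is not explained by any DEFAULT.pol change in this patch, which only touches mac@SSH, group@SSH and cipher@SSH. If the line comes from the generator changes carried in crypto-policies-policygenerators.patch, the expected-output update belongs in that patch; otherwise two patches end up owning one line of test data and the next rebase will break it.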

++++++ crypto-policies-FIPS.patch ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:10.894122337 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:10.898122503 +0100
@@ -1,7 +1,7 @@
-Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
+Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
 ===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup
-+++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
 @@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
        exit 1
  fi
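Review bot: the Index/---/+++ headers are rebased to fedora-crypto-policies-20240201.9f501f3, but the spec now builds 20250124.4d262e7 (Version: line above); the patch applies only because the leading path component is stripped, and the stale name misleads the next rebase. Regenerating the patch against the current tarball would also fold in the second `Index: .../fips-mode-setup` section appended further down, which re-diffs the same file on top of the first (the grubby block is first commented out, then deleted again), instead of shipping two layers of history in one patch.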
@@ -22,36 +22,48 @@
  
  # Detect 1: kernel FIPS flag
  fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
-@@ -204,9 +217,22 @@ else
-         fi
+@@ -167,10 +180,10 @@ if test $check = 1 ; then
  fi
  
+ # Boot configuration
 -if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
--      echo "The grubby command is missing, please configure the bootloader 
manually."
+-      echo >&2 "The grubby command is missing, please configure the 
bootloader manually."
 -      boot_config=0
+-fi
++# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
++#     echo >&2 "The grubby command is missing, please configure the 
bootloader manually."
++#     boot_config=0
++# fi
+ 
+ if test "$boot_config" = 1 && test ! -d /boot ; then
+       echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt 
$enable_fips)."
+@@ -236,20 +249,42 @@ if test "$boot_config" = 1 ; then
+       fi
+ fi
+ 
 +if test "$boot_config" = 1 ; then
 +      # Install required packages: patterns-base-fips and perl-Bootloader
 +      if test ! -f /etc/dracut.conf.d/40-fips.conf && \
 +              test ! -x "$(command -v pbl)" && \
 +              test "$enable_fips" = 1; then
-+              zypper -n install patterns-base-fips perl-Bootloader
++            zypper -n install patterns-base-fips perl-Bootloader
 +      elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
 +              test "$enable_fips" = 1 ; then
-+              zypper -n install patterns-base-fips
++            zypper -n install patterns-base-fips
 +      elif test ! -x "$(command -v pbl)" ; then
-+              zypper -n install perl-Bootloader
++            zypper -n install perl-Bootloader
 +      fi
 +      if test $? != 0 ; then
-+              echo "The pbl command or the fips pattern are missing, please 
configure the bootloader manually."
-+              boot_config=0
++            echo "The pbl command or the fips pattern are missing, please 
configure the bootloader manually."
++            boot_config=0
 +      fi
- fi
- 
++fi
++
  echo "FIPS mode will be $(enable2txt $enable_fips)."
-@@ -217,15 +243,19 @@ if test $boot_config = 0 ; then
-       echo "Now you need to configure the bootloader to add kernel options 
\"$fipsopts\""
-       echo "and reboot the system for the setting to take effect."
- else
+ 
+ fipsopts="fips=$enable_fips$boot_device_opt"
+ 
+ if test "$boot_config" = 1 ; then
 -      grubby --update-kernel=ALL --args="$fipsopts"
 -      if test x"$(uname -m)" = xs390x; then
 -              if command -v zipl >/dev/null; then
@@ -62,7 +74,7 @@
 -              fi
 -      fi
 +      pbl --add-option "$fipsopts"
-+      grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all
++      pbl --config; pbl --install && dracut -f --regenerate-all
 +
 +      # grubby --update-kernel=ALL --args="$fipsopts"
 +      # if test x"$(uname -m)" = xs390x; then
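Review bot: `pbl --config; pbl --install && dracut -f --regenerate-all` discards the exit status of `pbl --config` (the `;`), and a failing `pbl --install` silently skips the initramfs regeneration, after which the script still prints "Please reboot the system for the setting to take effect." Chain all three with `&&` and fall back to the manual-configuration message (or a non-zero exit) on failure; otherwise fips=1 is reported as configured when neither the boot entry nor the initramfs was updated.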
@@ -75,12 +87,12 @@
 +      # fi
 +
        echo "Please reboot the system for the setting to take effect."
- fi
- 
-Index: fedora-crypto-policies-20230920.570ea89/fips-finish-install
+ else
+       echo "Now you need to configure the bootloader to add kernel options 
\"$fipsopts\""
+Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install
 ===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/fips-finish-install
-+++ fedora-crypto-policies-20230920.570ea89/fips-finish-install
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-finish-install
++++ fedora-crypto-policies-20240201.9f501f3/fips-finish-install
 @@ -24,6 +24,15 @@ fi
  
  umask 022
@@ -151,10 +163,10 @@
 +#             echo '`zipl` execution has been skipped: `zipl` not found.'
 +#     fi
 +# fi
-Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
+Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
 ===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup.8.txt
-+++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup.8.txt
++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
 @@ -45,6 +45,23 @@ Then the command modifies the boot loade
  When disabling the system FIPS mode the system crypto policy is switched
  to DEFAULT and the kernel command line option 'fips=0' is set.
@@ -179,4 +191,130 @@
  
  [[options]]
  OPTIONS
+Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
+===================================================================
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
+@@ -8,7 +8,6 @@ check=0
+ boot_config=1
+ err_if_disabled=0
+ output_text=1
+-uki_file=/sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
+ 
+ is_ostree_system=0
+ if test -f /run/ostree-booted -o -d /ostree; then
+@@ -61,18 +60,13 @@ while test $# -ge 1 ; do
+ done
+ 
+ if test $usage = 1 -o x$enable_fips = x ; then
+-      echo "Check, enable, or disable (unsupported) the system FIPS mode."
++      echo "Check, enable, or disable the system FIPS mode."
+       echo "usage: $0 --enable|--disable [--no-bootcfg]"
+       echo "usage: $0 --check"
+       echo "usage: $0 --is-enabled"
+       exit 2
+ fi
+ 
+-if test -e "$uki_file" && test "$FIPS_MODE_SETUP_SKIP_UKI_CHECK" != 1; then
+-      echo >&2 "UKI detected ($uki_file is present), forcing --no-bootcfg."
+-      boot_config=0
+-fi
+-
+ # We don't handle the boot config on OSTree systems for now; it is assumed to 
be
+ # handled at a higher level. E.g. in Fedora CoreOS and RHEL CoreOS, it is
+ # intrinsically tied to the firstboot procedure.
+@@ -186,12 +180,6 @@ if test $check = 1 ; then
+       exit 0
+ fi
+ 
+-# Boot configuration
+-# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+-#     echo >&2 "The grubby command is missing, please configure the 
bootloader manually."
+-#     boot_config=0
+-# fi
+-
+ if test "$boot_config" = 1 && test ! -d /boot ; then
+       echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt 
$enable_fips)."
+       echo >&2 "If you want to configure the bootloader manually, re-run with 
--no-bootcfg."
+@@ -204,39 +192,6 @@ if test "$boot_config" = 1 && test -z "$
+       exit 1
+ fi
+ 
+-if test "$FIPS_MODE_SETUP_SKIP_ARGON2_CHECK" != 1 && \
+-              test -x "$(command -v cryptsetup)" ; then
+-      # Best-effort detection of LUKS Argon2 usage
+-      argon2_found=''
+-      # two redundant ways to list device names
+-      devs=$( (find /dev/mapper/ -type l -printf '%f\n'; \
+-              dmsetup ls --target crypt | cut -f1) \
+-              | sort -u)
+-              while IFS= read -r devname; do
+-                      back=$(cryptsetup status "$devname" | \
+-                              grep -F device: |
+-                              sed -E 's/.*device:\s+//')
+-                      if ! test -b "$back"; then
+-                              echo >&2 -n "Warning: detected device '$back' "
+-                              echo >&2 -n 'is not a valid block device. '
+-                              echo >&2 'Cannot check whether it uses Argon2.'
+-                              continue
+-                      fi
+-                      dump=$(cryptsetup luksDump "$back")
+-                      if grep -qEi 'PBKDF:.*argon' <<<"$dump"; then
+-                              argon2_found+=" $back($devname)"
+-                      fi
+-              done <<<"$devs"
+-      if test -n "$argon2_found" ; then
+-              echo >&2 -n "The following encrypted devices use Argon2 PBKDF:"
+-              echo >&2 "$argon2_found"
+-              echo >&2 'Aborting fips-mode-setup because of that.'
+-              echo >&2 -n 'Please refer to the '
+-              echo >&2 'cryptsetup-luksConvertKey(8) manpage.'
+-              exit 76
+-      fi
+-fi
+-
+ if test "$FIPS_MODE_SETUP_SKIP_WARNING" != 1 ; then
+       if test $enable_fips = 1 ; then
+               echo >&2 
"*****************************************************************"
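Review bot: dropping the whole Argon2 pre-flight block (from `FIPS_MODE_SETUP_SKIP_ARGON2_CHECK` down to `exit 76`) removes the only guard that stops fips-mode-setup on systems whose LUKS keyslots use an Argon2 PBKDF, and neither the hunk nor the changelog says why the guard is no longer needed. If cryptsetup in FIPS mode on openSUSE still cannot open Argon2 keyslots, the user is now told to reboot into a system that may not unlock its volumes, with no pointer to cryptsetup-luksConvertKey(8). Either keep the check, or record the rationale in the patch header and mention keyslot conversion in the warning banner that follows. The distinct exit status 76 also disappears with this block; any wrapper that keyed on it needs updating.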
+@@ -244,15 +199,13 @@ if test "$FIPS_MODE_SETUP_SKIP_WARNING"
+               echo >&2 "*                                                     
          *"
+               echo >&2 "* ENABLING FIPS MODE AFTER THE INSTALLATION IS NOT 
RECOMMENDED. *"
+               echo >&2 "* THIS OPERATION CANNOT BE UNDONE.                    
          *"
+-              echo >&2 "* REINSTALL WITH fips=1 INSTEAD.                      
          *"
+               echo >&2 
"*****************************************************************"
+       elif test $enable_fips = 0 ; then
+               echo >&2 
"*****************************************************************"
+               echo >&2 "* PRESS CONTROL-C WITHIN 15 SECONDS TO ABORT...       
          *"
+               echo >&2 "*                                                     
          *"
+-              echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT 
SUPPORTED.  *"
++              echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT 
RECOMMENDED.*"
+               echo >&2 "* THIS OPERATION CANNOT BE UNDONE.                    
          *"
+-              echo >&2 "* WIPE ALL MEDIA AND REINSTALL WITHOUT fips=1 
INSTEAD.          *"
+               echo >&2 
"*****************************************************************"
+       fi
+       for i in {15..1}; do
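Review bot: the banner now states "THIS OPERATION CANNOT BE UNDONE." in both the enable and the disable branch while the disable branch is softened from NOT SUPPORTED to NOT RECOMMENDED, and the two lines that told the user what to do instead (`REINSTALL WITH fips=1 INSTEAD.` and `WIPE ALL MEDIA AND REINSTALL WITHOUT fips=1 INSTEAD.`) are removed without replacement. The text contradicts itself: the script offers a disable path yet claims enabling cannot be undone. Pick one position and state it consistently in both branches, and if the reinstall advice no longer applies on openSUSE, put the actually recommended procedure in its place rather than leaving only the warning.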
+@@ -339,21 +292,10 @@ fipsopts="fips=$enable_fips$boot_device_
+ if test "$boot_config" = 1 ; then
+       pbl --add-option "$fipsopts"
+       pbl --config; pbl --install && dracut -f --regenerate-all
+-
+-      # grubby --update-kernel=ALL --args="$fipsopts"
+-      # if test x"$(uname -m)" = xs390x; then
+-      #       if command -v zipl >/dev/null; then
+-      #               zipl
+-      #       else
+-      #               echo -n '`zipl` execution has been skipped: '
+-      #               echo '`zipl` not found.'
+-      #       fi
+-      # fi
+-
+-      echo "Please reboot the system for the setting to take effect."
++      echo "Please reboot the system for the settings to take effect."
+ else
+       echo "Now you need to configure the bootloader to add kernel options 
\"$fipsopts\""
+-      echo "and reboot the system for the setting to take effect."
++      echo "and reboot the system for the settings to take effect."
+ fi
+ 
+ exit 0
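Review bot: `pbl --config; pbl --install && dracut -f --regenerate-all` ignores the exit status of `pbl --config` (the `;`), and when `pbl --install` fails dracut is skipped but the script still prints "Please reboot the system for the settings to take effect." and reaches `exit 0`. Since `pbl --add-option "$fipsopts"` has already run at that point, a failure leaves the bootloader entry and the initrd out of step. Suggest chaining all three with `&&` and exiting non-zero with a message on failure, plus a `command -v pbl` guard before the first call. The removed commented block was also the only place zipl for s390x was mentioned; if s390x is a supported target, confirm that the pbl path covers it rather than deleting the reminder as a comment.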
 

++++++ crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch ++++++
diff -PpuriN fedora-crypto-policies-orig/policies/DEFAULT.pol 
fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol
--- fedora-crypto-policies-orig/policies/DEFAULT.pol    2025-01-24 
18:31:31.000000000 +0100
+++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol        
2025-03-11 14:09:01.796831654 +0100
@@ -1,7 +1,6 @@
 # A reasonable default for today's standards. It should provide
 # 112-bit security with the exception of SHA1 signatures in DNSSec.
 # SHA1 is allowed in HMAC where collision attacks do not matter.
-# OpenSSL distrusts signatures using SHA-1 (Changes/OpenSSLDistrustSHA1SigVer).
 
 # MACs: all HMAC with SHA1 or better + all modern MACs (Poly1305 etc)
 # Curves: all prime >= 255 bits (including Bernstein curves)
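Review bot: removing `# OpenSSL distrusts signatures using SHA-1 (Changes/OpenSSLDistrustSHA1SigVer).` leaves the header still claiming 112-bit security "with the exception of SHA1 signatures in DNSSec", which is no longer accurate once OpenSSL accepts SHA-1 signatures in general (TLS certificate chains, CMS, plain verification). The justification given for HMAC, that collision attacks do not matter there, does not carry over to signatures, where chosen-prefix collisions are exactly the attack. Update the header to say that SHA-1 signature verification is enabled in DEFAULT and why, and add a bug reference or rationale to the patch header; the changelog entry only says "Enable SHA1 sigver in the DEFAULT policy".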
@@ -88,6 +87,3 @@ etm@SSH = ANY
 sign@RPM = DSA-SHA1+
 hash@RPM = SHA1+
 min_dsa_size@RPM = 1024
-
-# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
-__openssl_block_sha1_signatures = 1
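Review bot: deleting `__openssl_block_sha1_signatures = 1` from the base DEFAULT policy relaxes every system rather than the ones that need it. Consider leaving DEFAULT strict and shipping a subpolicy that only clears this key, so affected systems opt in with the `DEFAULT:<subpolicy>` mechanism that the `DEFAULT:GOST` and `DEFAULT:TEST-PQ` test outputs below already exercise, and the stated security level of the default install stays true. If the relaxation must be the distribution default, confirm that the FIPS policy does not inherit it.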
diff -PpuriN fedora-crypto-policies-orig/tests/alternative-policies/DEFAULT.pol 
fedora-crypto-policies-20250124.4d262e7/tests/alternative-policies/DEFAULT.pol
--- fedora-crypto-policies-orig/tests/alternative-policies/DEFAULT.pol  
2025-01-24 18:31:31.000000000 +0100
+++ 
fedora-crypto-policies-20250124.4d262e7/tests/alternative-policies/DEFAULT.pol  
    2025-03-11 13:53:52.231005482 +0100
@@ -91,6 +91,3 @@ ssh_etm = 1
 sign@rpm-sequoia = DSA-SHA1+
 hash@rpm-sequoia = SHA1+
 min_dsa_size@rpm-sequoia = 1024
-
-# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
-__openssl_block_sha1_signatures = 1
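Review bot: the same removal is mirrored in the alternative-syntax test policy, which is correct for keeping the two DEFAULT variants aligned. Note that this file still carries `sign@rpm-sequoia`, `hash@rpm-sequoia` and `min_dsa_size@rpm-sequoia` while the sequoia generators are commented out in crypto-policies-policygenerators.patch below; fine if this file is intentionally exercising the legacy key syntax, otherwise those three settings are now dead.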
diff -PpuriN 
fedora-crypto-policies-orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt 
fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
--- fedora-crypto-policies-orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt       
2025-01-24 18:31:31.000000000 +0100
+++ 
fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
   2025-03-11 14:10:14.134767876 +0100
@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1
 alg_section = evp_properties
 
 [evp_properties]
-rh-allow-sha1-signatures = no
+rh-allow-sha1-signatures = yes
diff -PpuriN fedora-crypto-policies-orig/tests/outputs/DEFAULT-opensslcnf.txt 
fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensslcnf.txt
--- fedora-crypto-policies-orig/tests/outputs/DEFAULT-opensslcnf.txt    
2025-01-24 18:31:31.000000000 +0100
+++ 
fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensslcnf.txt    
    2025-03-11 14:09:55.798784042 +0100
@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1
 alg_section = evp_properties
 
 [evp_properties]
-rh-allow-sha1-signatures = no
+rh-allow-sha1-signatures = yes
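Review bot: the only verification of the SHA-1 change is the flipped expected line `rh-allow-sha1-signatures = yes` in three generated OpenSSL configs; there is no test that a SHA-1-signed certificate or chain is actually accepted or rejected by the resulting policy. `rh-allow-sha1-signatures` is a property name understood only by distribution-patched OpenSSL builds, so these expected outputs encode that dependency; a sentence in the patch header explaining why DEFAULT, DEFAULT:GOST and DEFAULT:TEST-PQ change together would save the next rebase from having to rediscover it.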
diff -PpuriN 
fedora-crypto-policies-orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 
fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
--- fedora-crypto-policies-orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt    
2025-01-24 18:31:31.000000000 +0100
+++ 
fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
        2025-03-11 14:10:42.542742833 +0100
@@ -11,4 +11,4 @@ Groups = ?x25519_kyber768:?p256_kyber768
 alg_section = evp_properties
 
 [evp_properties]
-rh-allow-sha1-signatures = no
+rh-allow-sha1-signatures = yes

++++++ crypto-policies-no-build-manpages.patch ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:10.930123837 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:10.934124003 +0100
@@ -1,21 +1,21 @@
-Index: fedora-crypto-policies-20230420.3d08ae7/Makefile
+Index: fedora-crypto-policies-20250124.4d262e7/Makefile
 ===================================================================
---- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile
-+++ fedora-crypto-policies-20230420.3d08ae7/Makefile
-@@ -28,9 +28,9 @@ install: $(MANPAGES)
-       mkdir -p $(DESTDIR)$(MANDIR)/man7
-       mkdir -p $(DESTDIR)$(MANDIR)/man8
+--- fedora-crypto-policies-20250124.4d262e7.orig/Makefile
++++ fedora-crypto-policies-20250124.4d262e7/Makefile
+@@ -34,9 +34,9 @@ install: $(MANPAGES)
        mkdir -p $(DESTDIR)$(BINDIR)
+       mkdir -p $(DESTDIR)$(LIBEXECDIR)
+       mkdir -p $(DESTDIR)$(UNITDIR)
 -      install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
 -      install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
 -      install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
 +      # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
 +      # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
 +      # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+       install -p -m 644 $(UNITS) $(DESTDIR)$(UNITDIR)
+       install -p -m 755 $(LIBEXEC_SCRIPTS) $(DESTDIR)$(LIBEXECDIR)
        mkdir -p $(DESTDIR)$(DIR)/
-       install -p -m 644 default-config $(DESTDIR)$(DIR)
-       install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
-@@ -114,8 +114,8 @@ clean:
+@@ -133,8 +133,8 @@ clean:
        rm -rf output
  
  %: %.txt
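Review bot: the patch is named no-build-manpages, but the rebased hunk keeps `# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)` commented out as well, while the new context lines do install `$(UNITS)` and `$(LIBEXEC_SCRIPTS)`. If the spec file installs the scripts itself, say so in the patch header; if not, the command-line tools will not land in BINDIR. Because manpages are not built here, the `*.gz` roff files changed elsewhere in this commit are hand-maintained copies, which is worth stating in the header too.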

++++++ crypto-policies-nss.patch ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:10.950124669 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:10.958125003 +0100
@@ -1,8 +1,8 @@
-Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
+Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
 ===================================================================
---- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py
-+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
-@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator):
+--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/nss.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
+@@ -422,12 +422,20 @@ class NSSGenerator(ConfigGenerator):
          try:
              with os.fdopen(fd, 'w') as f:
                  f.write(config)
@@ -29,7 +29,7 @@
          finally:
              os.unlink(path)
  
-@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator):
+@@ -435,6 +443,10 @@ class NSSGenerator(ConfigGenerator):
              cls.eprint("There is a warning in NSS generated policy")
              cls.eprint(f'Policy:\n{config}')
              return False
@@ -37,7 +37,7 @@
 +            cls.eprint('Skipping NSS policy check: '
 +                       '/usr/bin/nss-policy-check not found')
 +            return True
-         elif ret:
+         if ret:
              cls.eprint("There is an error in NSS generated policy")
              cls.eprint(f'Policy:\n{config}')
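Review bot: the rebased branch still returns True with "Skipping NSS policy check: /usr/bin/nss-policy-check not found", so a generated NSS policy passes validation even when NSS would reject it. With crypto-policies-supported.patch now marking NSS as "(Supported)", a silent skip is risky: build with nss-tools available so the check runs, or at least fail rather than skip when the NSS back end is declared supported. The `elif ret:` to `if ret:` change follows the upstream restructure; since every preceding branch returns, control flow is unchanged.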
 

++++++ crypto-policies-policygenerators.patch ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:10.974125670 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:10.978125836 +0100
@@ -1,44 +1,41 @@
-Index: 
fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
+Index: 
fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
 ===================================================================
---- 
fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/__init__.py
-+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
-@@ -8,7 +8,7 @@ from .gnutls import GnuTLSGenerator
+--- 
fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/__init__.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
+@@ -7,7 +7,7 @@ from .bind import BindGenerator
+ from .gnutls import GnuTLSGenerator
  from .java import JavaGenerator
- from .java import JavaSystemGenerator
  from .krb5 import KRB5Generator
 -from .libreswan import LibreswanGenerator
 +# from .libreswan import LibreswanGenerator
  from .libssh import LibsshGenerator
  from .nss import NSSGenerator
- from .openssh import OpenSSHClientGenerator
-@@ -16,8 +16,8 @@ from .openssh import OpenSSHServerGenera
- from .openssl import OpenSSLConfigGenerator
- from .openssl import OpenSSLGenerator
- from .openssl import OpenSSLFIPSGenerator
--from .sequoia import SequoiaGenerator
--from .sequoia import RPMSequoiaGenerator
-+# from .sequoia import SequoiaGenerator
-+# from .sequoia import RPMSequoiaGenerator
+ from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
+@@ -16,14 +16,13 @@ from .openssl import (
+     OpenSSLFIPSGenerator,
+     OpenSSLGenerator,
+ )
+-from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
++#from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
  
  __all__ = [
      'BindGenerator',
-@@ -25,7 +25,6 @@ __all__ = [
+     'GnuTLSGenerator',
      'JavaGenerator',
-     'JavaSystemGenerator',
      'KRB5Generator',
 -    'LibreswanGenerator',
      'LibsshGenerator',
      'NSSGenerator',
      'OpenSSHClientGenerator',
-@@ -33,6 +32,8 @@ __all__ = [
+@@ -31,6 +30,8 @@ __all__ = [
      'OpenSSLConfigGenerator',
-     'OpenSSLGenerator',
      'OpenSSLFIPSGenerator',
--    'SequoiaGenerator',
+     'OpenSSLGenerator',
 -    'RPMSequoiaGenerator',
+-    'SequoiaGenerator',
  ]
 +
-+#   'LibreswanGenerator',
-+#   'SequoiaGenerator',
-+#   'RPMSequoiaGenerator',
++    # 'LibreswanGenerator',
++    # 'RPMSequoiaGenerator',
++    # 'SequoiaGenerator',
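Review bot: comment style is inconsistent in this hunk: `+# from .libreswan import LibreswanGenerator` has a space after `#` while `+#from .sequoia import RPMSequoiaGenerator, SequoiaGenerator` does not (flake8 E265 if upstream lints), and the three commented `__all__` entries are indented comments placed after the closing `]`, where they read as stray code; either put them inside the list or drop them. Since the changelog says the sequoia config and generator files are removed, the commented sequoia imports can go entirely instead of being carried as dead text through every rebase.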
 

++++++ crypto-policies-supported.patch ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:11.014127337 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:11.018127503 +0100
@@ -13,25 +13,25 @@
 +* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
  
 -* NSS library (NSS, SSL, TLS)
-+* NSS library (NSS, SSL, TLS) (Not supported)
++* NSS library (NSS, SSL, TLS) (Supported)
  
 -* OpenJDK (java-tls, SSL, TLS)
 +* OpenJDK (java-tls, SSL, TLS) (Supported)
  
 -* Libkrb5 (krb5, kerberos)
-+* Libkrb5 (krb5, kerberos) (Not supported)
++* Libkrb5 (krb5, kerberos) (Supported)
  
 -* BIND (BIND, DNSSec)
-+* BIND (BIND, DNSSec) (Not supported)
++* BIND (BIND, DNSSec) (Supported)
  
 -* OpenSSH (OpenSSH, SSH)
-+* OpenSSH (OpenSSH, SSH) (Not supported)
++* OpenSSH (OpenSSH, SSH) (Supported)
  
 -* Libreswan (libreswan, IKE, IPSec)
-+* Libreswan (libreswan, IKE, IPSec) (Not supported)
++* Libreswan (libreswan, IKE, IPSec) (Not supported as its not available in 
SLE/openSUSE)
  
 -* libssh (libssh, SSH)
-+* libssh (libssh, SSH) (Not supported)
++* libssh (libssh, SSH) (Supported)
  
  Applications and languages which rely on any of these back-ends will follow
  the system policies as well. Examples are apache httpd, nginx, php, and

++++++ crypto-policies.7.gz ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:11.050128837 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:11.058129170 +0100
@@ -2,12 +2,12 @@
 .\"     Title: crypto-policies
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 09/22/2023
+.\"      Date: 02/07/2025
 .\"    Manual: \ \&
 .\"    Source: crypto-policies
 .\"  Language: English
 .\"
-.TH "CRYPTO\-POLICIES" "7" "09/22/2023" "crypto\-policies" "\ \&"
+.TH "CRYPTO\-POLICIES" "7" "02/07/2025" "crypto\-policies" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -131,9 +131,21 @@
 .\}
 \fBNSS\fR
 TLS library (scopes:
-\fBNSS\fR,
+\fBNSS\fR; specific algorithm usage purposes are also affected by
 \fBSSL\fR,
-\fBTLS\fR)
+\fBTLS\fR,
+\fBpkcs12\fR,
+\fBpkcs12\-import\fR,
+\fBsmime\fR,
+\fBsmime\-import\fR
+scopes, and internal use
+\fBnss\-tls\fR,
+\fBnss\-pkcs12\fR,
+\fBnss\-pkcs12\-import\fR,
+\fBnss\-smime\fR
+and
+\fBnss\-smime\-import\fR
+scopes\&.)
 .RE
 .sp
 .RS 4
@@ -1170,6 +1182,21 @@
 .sp -1
 .IP \(bu 2.3
 .\}
+\fBmin_ec_size\fR: Integer value of minimum number of bits for
+\fBEC\fR
+keys (Applies to
+\fBJava\fR
+back end only)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
 \fBsha1_in_certs\fR: Value of 1 if
 \fBSHA1\fR
 allowed in certificate signatures, 0 otherwise (Applies to
@@ -1211,9 +1238,11 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-\fBssh_etm\fR: Value of 1 if
-\fBOpenSSH\fR
-EtM (encrypt\-then\-mac) extension is allowed, 0 otherwise
+\fBetm\fR:
+\fBANY\fR/\fBDISABLE_ETM\fR/\fBDISABLE_NON_ETM\fR
+allows both EtM (Encrypt\-then\-Mac) and E&M (Encrypt\-and\-Mac), disables 
EtM, and disables E&M respectively\&. (Currently only implemented for SSH, do 
not use without
+\fB@SSH\fR
+scope\&.)
 .RE
 .sp
 Full policy definition files have suffix \&.pol, subpolicy files have suffix 
\&.pmod\&. Subpolicies do not have to have values set for all the keys listed 
above\&.
@@ -1655,6 +1684,30 @@
 \fBgroup\fR
 values is ignored and built\-in order is used instead\&.
 .RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBNSS\fR: currently is the only one respecting the
+\fBpkcs12\fR
+/
+\fBpkcs12\-import\fR
+scopes\&.
+\fBpkcs12\fR
+implies
+\fBpkcs12\-import\fR, it\(cqs not possible to allow exporting without allowing 
importing\&. The same applies to
+\fBsmime\fR
+/
+\fBsmime\-import\fR
+scopes, and their
+\fBnss\-\fR
+prefixed internal\-use variants\&. These scopes cannot be used for enabling 
signature algorithms that weren\(cqt otherwise enabled\&.
+.RE
 .SH "HISTORY"
 .sp
 The \fBECDHE\-GSS\fR and \fBDHE\-GSS\fR algorithms are newly introduced and 
must be specified in the base policy for the SSH GSSAPI key exchange methods to 
be enabled\&. Previously the legacy SSH GSSAPI key exchange methods were 
automatically enabled when the \fBSHA1\fR hash and \fBDH\fR parameters of at 
least 2048 bits were enabled\&.
@@ -1763,6 +1816,21 @@
 \fBhash@DNSSec\fR,
 \fBsign@DNSSec\fR)\&.
 .RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBssh_etm\fR: Value of 1 if
+\fBOpenSSH\fR
+EtM (encrypt\-then\-mac) extension is allowed, 0 otherwise\&. Use
+\fBetm@SSH\fR
+instead\&.
+.RE
 .SH "FILES"
 .PP
 /etc/crypto\-policies/back\-ends

++++++ fedora-crypto-policies-20230920.570ea89.tar.gz -> 
fedora-crypto-policies-20250124.4d262e7.tar.gz ++++++
++++ 7975 lines of diff (skipped)

++++++ fips-finish-install.8.gz ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:11.290138837 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:11.310139671 +0100
@@ -2,12 +2,12 @@
 .\"     Title: fips-finish-install
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 09/22/2023
+.\"      Date: 02/07/2025
 .\"    Manual: \ \&
 .\"    Source: fips-finish-install
 .\"  Language: English
 .\"
-.TH "FIPS\-FINISH\-INSTAL" "8" "09/22/2023" "fips\-finish\-install" "\ \&"
+.TH "FIPS\-FINISH\-INSTAL" "8" "02/07/2025" "fips\-finish\-install" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------

++++++ fips-mode-setup.8.gz ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:11.334140671 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:11.350141337 +0100
@@ -2,12 +2,12 @@
 .\"     Title: fips-mode-setup
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 09/22/2023
+.\"      Date: 02/07/2025
 .\"    Manual: \ \&
 .\"    Source: fips-mode-setup
 .\"  Language: English
 .\"
-.TH "FIPS\-MODE\-SETUP" "8" "09/22/2023" "fips\-mode\-setup" "\ \&"
+.TH "FIPS\-MODE\-SETUP" "8" "02/07/2025" "fips\-mode\-setup" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
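Review bot: only the generation date changes here, although the script lost the Argon2 pre-check, the `FIPS_MODE_SETUP_SKIP_ARGON2_CHECK` variable, exit status 76 and the reinstall advice, and gained the pbl-based bootloader path (crypto-policies-FIPS.patch above). If any of those are described in this page, the text is now stale; since manpages are not rebuilt from source in this package (crypto-policies-no-build-manpages.patch), the roff has to be edited by hand.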

++++++ update-crypto-policies.8.gz ++++++
--- /var/tmp/diff_new_pack.SZsVSB/_old  2025-03-24 13:25:11.382142670 +0100
+++ /var/tmp/diff_new_pack.SZsVSB/_new  2025-03-24 13:25:11.394143171 +0100
@@ -2,12 +2,12 @@
 .\"     Title: update-crypto-policies
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 09/22/2023
+.\"      Date: 02/07/2025
 .\"    Manual: \ \&
 .\"    Source: update-crypto-policies
 .\"  Language: English
 .\"
-.TH "UPDATE\-CRYPTO\-POLI" "8" "09/22/2023" "update\-crypto\-policies" "\ \&"
+.TH "UPDATE\-CRYPTO\-POLI" "8" "02/07/2025" "update\-crypto\-policies" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -74,7 +74,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-NSS library (NSS, SSL, TLS) (Not supported)
+NSS library (NSS, SSL, TLS) (Supported)
 .RE
 .sp
 .RS 4
@@ -96,7 +96,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-Libkrb5 (krb5, kerberos) (Not supported)
+Libkrb5 (krb5, kerberos) (Supported)
 .RE
 .sp
 .RS 4
@@ -107,7 +107,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-BIND (BIND, DNSSec) (Not supported)
+BIND (BIND, DNSSec) (Supported)
 .RE
 .sp
 .RS 4
@@ -118,7 +118,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-OpenSSH (OpenSSH, SSH) (Not supported)
+OpenSSH (OpenSSH, SSH) (Supported)
 .RE
 .sp
 .RS 4
@@ -140,7 +140,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-libssh (libssh, SSH) (Not supported)
+libssh (libssh, SSH) (Supported)
 .RE
 .sp
 Applications and languages which rely on any of these back\-ends will follow 
the system policies as well\&. Examples are apache httpd, nginx, php, and 
others\&.
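Review bot: this hand-shipped roff repeats the "(Supported)" flips from crypto-policies-supported.patch, so the two copies must be kept in sync manually. The patch also rewrites the Libreswan line to "Not supported as its not available in SLE/openSUSE", but no Libreswan hunk appears in this man page diff, so the installed page and the patched source already differ on that entry.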
