From b59bbd02a8e1080e2a0bdc814dbf0cf898e09d876b788e15daacfc9104352a71 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez
Date: Fri, 29 Sep 2023 08:48:54 +0000
Subject: [PATCH] Accepting request 1114283 from home:pmonrealgonzalez:branches:security:tls

Update to latest version and update jira tracking number from jsc#PED-4578 to jsc#PED-5041

OBS-URL: https://build.opensuse.org/request/show/1114283
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=23
---
 BSI.pol | 87 ---------
 _service | 2 +-
 _servicedata | 2 +-
 crypto-policies-FIPS.patch | 60 +++---
 crypto-policies-nss.patch | 42 +++++
 crypto-policies-policygenerators.patch | 22 ++-
 ...cies-revert-rh-allow-sha1-signatures.patch | 177 ++++++++++--------
 crypto-policies.7.gz | 4 +-
 crypto-policies.changes | 38 +++-
 crypto-policies.spec | 17 +-
 ...ra-crypto-policies-20230614.5f3458e.tar.gz | 3 -
 ...ra-crypto-policies-20230920.570ea89.tar.gz | 3 +
 fips-finish-install.8.gz | 4 +-
 fips-mode-setup.8.gz | 4 +-
 update-crypto-policies.8.gz | 2 +-
 15 files changed, 248 insertions(+), 219 deletions(-)
 delete mode 100644 BSI.pol
 create mode 100644 crypto-policies-nss.patch
 delete mode 100644 fedora-crypto-policies-20230614.5f3458e.tar.gz
 create mode 100644 fedora-crypto-policies-20230920.570ea89.tar.gz
diff --git a/BSI.pol b/BSI.pol
deleted file mode 100644
index fa37515..0000000
--- a/BSI.pol
+++ /dev/null
@@ -1,87 +0,0 @@
-# This policy follows the BSI TR-02102-2 "Kryptographische Verfahren: Verwendung von Transport Layer Security (TLS)"
-# Generic:https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.html
-# TLS: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.html
-# IPSEC: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-3.html
-# Note that currently crypto-policies do not adjust ipsec configs, but only openssl or nss.
-# SSH: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-4.html
-# Note that the SUSE openssh is not yet reading crypto policies.
-# Author: Marcus Meissner 2023
-#
-# Based on NEXT.pol
-
-# BSI TR 02102 / revision 2023.1, Table 5.1 "Empfohlene Hashfunktionen."
-# HMAC-SHA1 is not valid anymore
-# UMAC is for SSH... check TODO
-mac = AEAD HMAC-SHA2-256 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
-
-# BSI TR 02102-2 / revision 2023.1, Table 4 "Empfohlene Diffie-Hellman-Gruppen für TLS 1.2"
-# not listed in BSI TR, but could be included: FFDHE-6144 FFDHE-8192
-group = SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 BRAINPOOL-P512R1 BRAINPOOL-P384R1 BRAINPOOL-P256R1
-
-# BSI TR 02102 / revision 2023.1, Table 5.1 "Empfohlene Hashfunktionen."
-hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512
-
-hash@DNSSec = SHA1+ # SHA1 is still prevalent in DNSSec
-
-# BSI TR 02102-2 / revision 2023.1, Table 5 "Empfohlene Signaturverfahren für TLS 1.2" and
-# Table 6 "Empfohlene Hashfunktionen für Signaturverfahren in TLS 1.2"
-# BSI TR 02102 / revision 2023.1 Section 5 "Hashfunktionen"
-# 224 bit SHA parts not recommended by BSI: ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 ECDSA-SHA3-224 RSA-PSS-SHA3-224 RSA-SHA3-224
-sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA2-256-FIDO \
- ECDSA-SHA3-384 ECDSA-SHA2-384 \
- ECDSA-SHA3-512 ECDSA-SHA2-512 \
- EDDSA-ED25519 EDDSA-ED25519-FIDO EDDSA-ED448 \
- RSA-PSS-SHA3-256 RSA-PSS-SHA2-256 \
- RSA-PSS-SHA3-384 RSA-PSS-SHA2-384 \
- RSA-PSS-SHA3-512 RSA-PSS-SHA2-512 \
- RSA-PSS-RSAE-SHA3-256 RSA-PSS-RSAE-SHA2-256 \
- RSA-PSS-RSAE-SHA3-384 RSA-PSS-RSAE-SHA2-384 \
- RSA-PSS-RSAE-SHA3-512 RSA-PSS-RSAE-SHA2-512 \
- RSA-SHA3-256 RSA-SHA2-256 \
- RSA-SHA3-384 RSA-SHA2-384 \
- RSA-SHA3-512 RSA-SHA2-512
-sign@DNSSec = RSA-SHA1+ ECDSA-SHA1+ # SHA1 is still prevalent in DNSSec
-
-# BSI TR 02102 / revision 2023.1
-# Not listed in BSI TR: CHACHA20-POLY1305 CAMELLIA-256-GCM CAMELLIA-128-CBC CAMELLIA-256-CBC CAMELLIA-128-GCM
-cipher = AES-256-GCM AES-256-CCM AES-256-CTR AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CTR AES-128-CBC
-
-# BSI TR 02102-2 / revision 2023.1, Table 1 and Table 2
-# CHACHA20-POLY1305 not listed in TR
-cipher@TLS = AES-256-GCM AES-256-CCM AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC
-
-cipher@sequoia = AES-256-CFB AES-128-CFB CAMELLIA-256-CFB CAMELLIA-128-CFB
-cipher@RPM = AES-256-CFB AES-128-CFB CAMELLIA-256-CFB CAMELLIA-128-CFB
-
-# CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks
-# and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014).
-cipher@SSH = -*-CBC
-
-# BSI TR 02102-2 / revision 2023.1, Table 1 and Table 2
-# Note this goes to all ciphers. DHE-GSS is not valid for TLS, but used in SSH.
-# TLS: ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK RSA-PSK are ok, GSS is not used in TLS, will not be used for TLS
-key_exchange = ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK RSA-PSK ECDHE-GSS DHE-GSS
-
-# BSI TR 02102-2 / revision 2023.1, Section 3.2 "SSL/TLS Versionen"
-protocol@TLS = TLS1.3 TLS1.2 DTLS1.2
-
-protocol@IKE = IKEv2
-
-# Parameter sizes
-min_dh_size = 3072
-min_dsa_size = 3072
-# BSI TR 02102-2 / revision 2023.1: 2k still allowed until end of 2023.
-min_rsa_size = 2048
-
-# GnuTLS only for now
-sha1_in_certs = 0
-
-arbitrary_dh_groups = 1
-ssh_certs = 1
-ssh_etm = 1
-
-# https://pagure.io/fesco/issue/2960
-# "RPM must accept SHA-1 hashes and DSA keys for Fedora 38"
-sign@RPM = DSA-SHA1+
-hash@RPM = SHA1+
-min_dsa_size@RPM = 1024
diff --git a/_service b/_service
index aa62ea2..714f6a9 100644
--- a/_service
+++ b/_service
@@ -4,7 +4,7 @@ git %cd.%h enable - 5f3458e619628288883f22695f3311f1ccd6a39f + 570ea89092555c6c289f226bb48c2d8c1f332b0f *.tar
diff --git a/_servicedata b/_servicedata
index 85a7737..2be1946 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@ https://gitlab.com/redhat-crypto/fedora-crypto-policies.git - 5f3458e619628288883f22695f3311f1ccd6a39f \ No newline at end of file + 570ea89092555c6c289f226bb48c2d8c1f332b0f \ No newline at end of file
diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch
index 6e1b524..b955c4c 100644
--- a/crypto-policies-FIPS.patch
+++ b/crypto-policies-FIPS.patch
@@ -1,7 +1,7 @@
-Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
+Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup
 ===================================================================
---- fedora-crypto-policies-20230614.5f3458e.orig/fips-mode-setup
-+++ fedora-crypto-policies-20230614.5f3458e/fips-mode-setup
+--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup
++++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup
 @@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
      exit 1
  fi
@@ -22,7 +22,7 @@ Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup # Detect 1: kernel FIPS flag fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled) -@@ -203,9 +216,22 @@ else +@@ -204,9 +217,22 @@ else fi fi @@ -48,7 +48,7 @@ Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup fi echo "FIPS mode will be $(enable2txt $enable_fips)." -@@ -216,15 +242,19 @@ if test $boot_config = 0 ; then +@@ -217,15 +243,19 @@ if test $boot_config = 0 ; then echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" echo "and reboot the system for the setting to take effect." else 
@@ -77,37 +77,40 @@ Index: fedora-crypto-policies-20230614.5f3458e/fips-mode-setup echo "Please reboot the system for the setting to take effect." fi -Index: fedora-crypto-policies-20230614.5f3458e/fips-finish-install +Index: fedora-crypto-policies-20230920.570ea89/fips-finish-install =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/fips-finish-install -+++ fedora-crypto-policies-20230614.5f3458e/fips-finish-install -@@ -23,7 +23,16 @@ fi +--- fedora-crypto-policies-20230920.570ea89.orig/fips-finish-install ++++ fedora-crypto-policies-20230920.570ea89/fips-finish-install +@@ -24,6 +24,15 @@ fi umask 022 --trap "rm -f $dracut_cfg" ERR -+# trap "rm -f $dracut_cfg" ERR -+ +# Install required packages: patterns-base-fips and perl-Bootloader +if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then -+ zypper -n install patterns-base-fips perl-Bootloader ++ zypper -n install patterns-base-fips perl-Bootloader +elif test ! -f $dracut_cfg ; then -+ zypper -n install patterns-base-fips ++ zypper -n install patterns-base-fips +elif test ! -x "$(command -v pbl)" ; then -+ zypper -n install perl-Bootloader ++ zypper -n install perl-Bootloader +fi - ++ if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then # No dracut configuration or boot directory present, do not try to modify it. -@@ -32,23 +41,23 @@ if test ! -d $dracut_cfg_d -o ! -d /boot + # Also, on OSTree systems, we currently rely on the initrd already including +@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot exit 0 fi --cat >$dracut_cfg <$dracut_cfg <$dracut_cfg <$dracut_cfg </dev/null', +- shell=True) +- except CalledProcessError: +- cls.eprint("/usr/bin/nss-policy-check: Execution failed") ++ if os.path.exists('/usr/bin/nss-policy-check'): ++ # Perform a policy check only if the mozilla-nss-tools ++ # package is installed. This avoids adding more ++ # dependencies to Ring0. 
++ try: ++ ret = call(f'/usr/bin/nss-policy-check {options} {path}' ++ '>/dev/null', shell=True) ++ except CalledProcessError: ++ cls.eprint("/usr/bin/nss-policy-check: Execution failed") ++ else: ++ # The mozilla-nss-tools package is not installed and we can ++ # temporarily skip the policy check for mozilla-nss. ++ ret = 3 ++ + finally: + os.unlink(path) + +@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator): + cls.eprint("There is a warning in NSS generated policy") + cls.eprint(f'Policy:\n{config}') + return False ++ elif ret == 3: ++ cls.eprint('Skipping NSS policy check: ' ++ '/usr/bin/nss-policy-check not found') ++ return True + elif ret: + cls.eprint("There is an error in NSS generated policy") + cls.eprint(f'Policy:\n{config}') diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch index c4f8a21..4fc811c 100644 --- a/crypto-policies-policygenerators.patch +++ b/crypto-policies-policygenerators.patch @@ -1,8 +1,8 @@ -Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py +Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/__init__.py -+++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__.py -@@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator +--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/__init__.py ++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py +@@ -8,7 +8,7 @@ from .gnutls import GnuTLSGenerator from .java import JavaGenerator from .java import JavaSystemGenerator from .krb5 import KRB5Generator 
@@ -11,9 +11,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__. from .libssh import LibsshGenerator from .nss import NSSGenerator from .openssh import OpenSSHClientGenerator - from .openssh import OpenSSHServerGenerator +@@ -16,8 +16,8 @@ from .openssh import OpenSSHServerGenera from .openssl import OpenSSLConfigGenerator from .openssl import OpenSSLGenerator + from .openssl import OpenSSLFIPSGenerator -from .sequoia import SequoiaGenerator -from .sequoia import RPMSequoiaGenerator +# from .sequoia import SequoiaGenerator @@ -21,7 +22,7 @@ Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__. __all__ = [ 'BindGenerator', -@@ -24,13 +24,14 @@ __all__ = [ +@@ -25,7 +25,6 @@ __all__ = [ 'JavaGenerator', 'JavaSystemGenerator', 'KRB5Generator', @@ -29,13 +30,14 @@ Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/__init__. 'LibsshGenerator', 'NSSGenerator', 'OpenSSHClientGenerator', - 'OpenSSHServerGenerator', +@@ -33,6 +32,8 @@ __all__ = [ 'OpenSSLConfigGenerator', 'OpenSSLGenerator', + 'OpenSSLFIPSGenerator', - 'SequoiaGenerator', - 'RPMSequoiaGenerator', ] + -+# 'LibreswanGenerator', -+# 'SequoiaGenerator', -+# 'RPMSequoiaGenerator', ++# 'LibreswanGenerator', ++# 'SequoiaGenerator', ++# 'RPMSequoiaGenerator', diff --git a/crypto-policies-revert-rh-allow-sha1-signatures.patch b/crypto-policies-revert-rh-allow-sha1-signatures.patch index abd2732..854fb09 100644 --- a/crypto-policies-revert-rh-allow-sha1-signatures.patch +++ b/crypto-policies-revert-rh-allow-sha1-signatures.patch 
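Review bot: The disabled-generator list that the new side keeps after `__all__` (`+# 'LibreswanGenerator',`, `+# 'SequoiaGenerator',`, `+# 'RPMSequoiaGenerator',` at the end of the `@@ -29,13 +30,14 @@` hunk) records no reason for the exclusion, and nothing in this patch file says what becomes of the policy scopes those generators render. With the Sequoia generators left out, a policy's `cipher@sequoia`, `cipher@RPM`, `sign@RPM` or `hash@RPM` settings presumably produce no backend configuration at all, silently, which is the kind of gap that is hard to spot later when checking which backends a policy actually constrains; confirm that is the intent. A one-line comment above the list in the patched `__init__.py`, such as `# Generators disabled in this package build; the policy scopes they render (cipher@sequoia, cipher@RPM, sign@RPM, hash@RPM) emit no config`, would make the trade-off visible to the next person regenerating the patch. This hunk is a nested patch, so the edit belongs in its `+` lines rather than in the surrounding diff.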
@@ -4,11 +4,11 @@ Date: Fri, 8 Apr 2022 13:47:29 +0200 Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 -Index: fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol +Index: fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/policies/FUTURE.pol -+++ fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol -@@ -65,7 +65,3 @@ sha1_in_certs = 0 +--- fedora-crypto-policies-20230920.570ea89.orig/policies/FUTURE.pol ++++ fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol +@@ -66,7 +66,3 @@ sha1_in_certs = 0 arbitrary_dh_groups = 1 ssh_certs = 1 ssh_etm = 1 @@ -16,10 +16,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 -# SHA-1 signatures are blocked in OpenSSL in FUTURE only -__openssl_block_sha1_signatures = 1 -Index: fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod +Index: fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/policies/modules/NO-SHA1.pmod -+++ fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod +--- fedora-crypto-policies-20230920.570ea89.orig/policies/modules/NO-SHA1.pmod ++++ fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod @@ -3,7 +3,3 @@ hash = -SHA1 sign = -*-SHA1 
@@ -28,23 +28,23 @@ Index: fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1 -# SHA-1 signatures are blocked in OpenSSL in FUTURE only -__openssl_block_sha1_signatures = 1 -Index: fedora-crypto-policies-20230614.5f3458e/python/cryptopolicies/cryptopolicies.py +Index: fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/python/cryptopolicies/cryptopolicies.py -+++ fedora-crypto-policies-20230614.5f3458e/python/cryptopolicies/cryptopolicies.py -@@ -19,7 +19,6 @@ from . import validation # moved out of +--- fedora-crypto-policies-20230920.570ea89.orig/python/cryptopolicies/cryptopolicies.py ++++ fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py +@@ -24,7 +24,6 @@ from . import validation # moved out of INT_DEFAULTS = {k: 0 for k in ( 'arbitrary_dh_groups', 'min_dh_size', 'min_dsa_size', 'min_rsa_size', -- '__openssl_block_sha1_signatures', +- '__openssl_block_sha1_signatures', # FUTURE/TEST-FEDORA39/NO-SHA1 'sha1_in_certs', 'ssh_certs', 'ssh_etm', )} -Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.py +Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/openssl.py -+++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.py -@@ -7,14 +7,6 @@ from subprocess import check_output, Cal +--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/openssl.py ++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py +@@ -7,13 +7,6 @@ from subprocess import check_output, Cal from .configgenerator import ConfigGenerator 
@@ -55,13 +55,12 @@ Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.p -[evp_properties] -rh-allow-sha1-signatures = {} -''' -- - class OpenSSLGenerator(ConfigGenerator): - CONFIG_NAME = 'openssl' -@@ -254,12 +246,6 @@ class OpenSSLConfigGenerator(OpenSSLGene - groups = [cls.group_map[i] for i in p['group'] if i in cls.group_map] - s += 'Groups = ' + ':'.join(groups) + '\n' + FIPS_MODULE_CONFIG = ''' + [fips_sect] +@@ -263,12 +256,6 @@ class OpenSSLConfigGenerator(OpenSSLGene + if policy.enums['__ems'] == 'RELAX': + s += 'Options = RHNoEnforceEMSinFIPS\n' - # In the future it'll be just - # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no') @@ -72,11 +71,11 @@ Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.p return s @classmethod -Index: fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol +Index: fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/alternative-policies/FUTURE.pol -+++ fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol -@@ -71,7 +71,3 @@ sha1_in_dnssec = 0 +--- fedora-crypto-policies-20230920.570ea89.orig/tests/alternative-policies/FUTURE.pol ++++ fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol +@@ -73,7 +73,3 @@ sha1_in_dnssec = 0 arbitrary_dh_groups = 1 ssh_certs = 1 ssh_etm = 1 
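Review bot: The refreshed context in the `@@ -55,13 +55,12 @@` hunk shows the upstream generator now emitting `Options = RHNoEnforceEMSinFIPS` (`+ if policy.enums['__ems'] == 'RELAX':` and `+ s += 'Options = RHNoEnforceEMSinFIPS\n'`), a vendor-prefixed OpenSSL option of the same family as the `rh-allow-sha1-signatures` property this revert patch strips, yet the patch leaves it untouched. If the OpenSSL build on this distribution does not know that option name, the `FIPS:NO-ENFORCE-EMS` subpolicy (whose expected output this patch refresh also adds in its last hunk) would generate an opensslcnf that OpenSSL's SSL_CONF handling may reject when the system configuration is loaded, which is worse than the option being ignored; I cannot tell from the diff whether the local OpenSSL accepts it. Either extend this revert patch to drop those two lines as well, or record in the patch header that `RHNoEnforceEMSinFIPS` is known to the packaged OpenSSL so the next refresh does not have to re-derive this. The hunk is a nested patch and the OpenSSLConfigGenerator method it touches continues outside it.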
@@ -84,10 +83,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1 -# SHA-1 signatures are blocked in OpenSSL in FUTURE only -__openssl_block_sha1_signatures = 1 -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 @@ -98,10 +97,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf. - -[evp_properties] -rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt 
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1 @@ -112,10 +111,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-op - -[evp_properties] -rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 
@@ -126,10 +125,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-openss - -[evp_properties] -rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/EMPTY-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/EMPTY-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt @@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS Ciphersuites = SignatureAlgorithms = @@ -140,10 +139,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.tx - -[evp_properties] -rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 
@@ -154,10 +153,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt - -[evp_properties] -rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 @@ -168,10 +167,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-ope - -[evp_properties] -rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FUTURE-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FUTURE-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt 
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 @@ -182,10 +181,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.t - -[evp_properties] -rh-allow-sha1-signatures = no -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/GOST-ONLY-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/GOST-ONLY-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt @@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1 TLS.MaxProtocol = TLSv1.3 SignatureAlgorithms = @@ -196,10 +195,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcn - -[evp_properties] -rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/LEGACY-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt 
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 @@ -210,10 +209,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.t - -[evp_properties] -rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 
@@ -224,10 +223,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-o - -[evp_properties] -rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py +Index: fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/unit/test_cryptopolicy.py -+++ fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py +--- fedora-crypto-policies-20230920.570ea89.orig/tests/unit/test_cryptopolicy.py ++++ fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py @@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm min_dh_size = 0 min_dsa_size = 0 @@ -236,7 +235,7 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py sha1_in_certs = 0 ssh_certs = 0 ssh_etm = 0 -@@ -291,7 +290,6 @@ def test_cryptopolicy_to_string_twisted( +@@ -292,7 +291,6 @@ def test_cryptopolicy_to_string_twisted( min_dh_size = 0 min_dsa_size = 0 min_rsa_size = 0 @@ -244,11 +243,11 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py sha1_in_certs = 0 ssh_certs = 0 ssh_etm = 0 -Index: fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol +Index: fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/policies/TEST-FEDORA39.pol -+++ fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol -@@ -67,7 +67,3 @@ sha1_in_certs = 0 +--- fedora-crypto-policies-20230920.570ea89.orig/policies/TEST-FEDORA39.pol ++++ fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol +@@ -68,7 +68,3 @@ sha1_in_certs = 0 arbitrary_dh_groups = 1 ssh_certs = 1 ssh_etm = 1 
@@ -256,10 +255,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol -# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 -# SHA-1 signatures will blocked in OpenSSL -__openssl_block_sha1_signatures = 1 -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FEDORA38-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FEDORA38-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt @@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 @@ -270,10 +269,10 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf - -[evp_properties] -rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt 
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 @@ -284,14 +283,42 @@ Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opens - -[evp_properties] -rh-allow-sha1-signatures = no -Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt =================================================================== ---- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt -+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt 
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 - Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 + SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 + Groups = secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 + Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt +@@ -7,9 +7,3 @@ DTLS.MaxProtocol = DTLSv1.2 + 
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Options = RHNoEnforceEMSinFIPS
 -
 -[openssl_init]
 -alg_section = evp_properties
diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz
index aa32641..08f79e3 100644
--- a/crypto-policies.7.gz
+++ b/crypto-policies.7.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:6071a2f41678232b63d27d3f1bbd73915f85159fda78f71ae8a63d8bdce388e0
-size 6937
+oid sha256:e827416a5fcfaad62e92def75aba69413f66c0e8b15d87db492629152838f097
+size 7322
diff --git a/crypto-policies.changes b/crypto-policies.changes
index 0de8af0..6deb932 100644
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
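Review bot: The new expected output for tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt, at the end of this hunk, keeps `+ Options = RHNoEnforceEMSinFIPS`, a vendor-prefixed OpenSSL option, while this very patch exists to strip the equally vendor-specific `rh-allow-sha1-signatures` keys from the generated openssl.cnf outputs, apparently because the SUSE OpenSSL build does not implement them. Whether the SUSE OpenSSL package recognises `RHNoEnforceEMSinFIPS` is not visible here; if it does not, an unrecognised value in the ssl_conf section would presumably make OpenSSL reject the generated config rather than silently ignore it, so enabling the NO-ENFORCE-EMS subpolicy would break every OpenSSL consumer instead of merely relaxing EMS enforcement. Either confirm the option is carried by the SUSE OpenSSL package or give the NO-ENFORCE-EMS output the same treatment as the sha1 keys, and record the decision in the patch's header comment, e.g. `# RHNoEnforceEMSinFIPS is kept because <reason - PLACEHOLDER>` so the next rebase does not have to rediscover it.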
@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Wed Sep 27 10:54:17 UTC 2023 - Pedro Monreal
+
+- nss: Skip the NSS policy check if the mozilla-nss-tools package
+ is not installed. This avoids adding more dependencies in ring0.
+ * Add crypto-policies-nss.patch [bsc#1211301]
+
+-------------------------------------------------------------------
+Fri Sep 22 10:27:53 UTC 2023 - Pedro Monreal
+
+- Update to version 20230920.570ea89:
+ * fips-mode-setup: more thorough --disable, still unsupported
+ * FIPS:OSPP: tighten beyond reason for OSPP 4.3
+ * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
+ * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS)
+ * gnutls: prepare for tls-session-hash option coming
+ * nss: prepare for TLS-REQUIRE-EMS option coming
+ * NO-ENFORCE-EMS: add subpolicy
+ * FIPS: set __ems = ENFORCE
+ * cryptopolicies: add enums and __ems tri-state
+ * docs: replace `FIPS 140-2` with just `FIPS 140`
+ * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE
+ * cryptopolicies: add comments on dunder options
+ * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check
+ * BSI: start a BSI TR 02102 policy [jsc#PED-4933]
+ * Rebase patches:
+ - crypto-policies-policygenerators.patch
+ - crypto-policies-revert-rh-allow-sha1-signatures.patch
+ - crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Sep 15 11:23:06 UTC 2023 - Pedro Monreal
+
+- Conditionally recommend the crypto-policies-scripts package
+ when python is not installed in the system [bsc#1215201]
+
 -------------------------------------------------------------------
 Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal
 
@@ -11,7 +47,7 @@ Tue Aug 1 12:23:33 UTC 2023 - Pedro Monreal
 - FIPS: Adapt the fips-mode-setup script to use the pbl command from the perl-Bootloader package to replace grubby. Add a note
- for transactional systems [jsc#PED-4578].
+ for transactional systems [jsc#PED-5041].
 * Rebase crypto-policies-FIPS.patch
 -------------------------------------------------------------------
diff --git a/crypto-policies.spec b/crypto-policies.spec
index 0116b1b..831b37f 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -22,7 +22,7 @@
 %bcond_with manbuild
 %global _python_bytecompile_extra 0
 Name: crypto-policies
-Version: 20230614.5f3458e
+Version: 20230920.570ea89
 Release: 0
 Summary: System-wide crypto policies
 License: LGPL-2.1-or-later
@@ -35,8 +35,6 @@ Source3: update-crypto-policies.8.gz
 Source4: fips-mode-setup.8.gz
 Source5: fips-finish-install.8.gz
 Source6: crypto-policies-rpmlintrc
-# BSI TR-02102 encoded for jsc#PED-4933 (customer request to have BSI TR-02102 policies)
-Source7: BSI.pol
 %if %{without manbuild}
 #PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
 # To reduce the build dependencies in Ring0, we have to compile the
@@ -55,6 +53,8 @@ Patch4: crypto-policies-revert-rh-allow-sha1-signatures.patch
 Patch5: crypto-policies-pylint.patch
 #PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
 Patch6: crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
+Patch7: crypto-policies-nss.patch
 BuildRequires: python3-base >= 3.6
 # The sequoia stuff needs python3-toml, removed until needed
 # BuildRequires: python3-toml
@@ -69,7 +69,7 @@ BuildRequires: gnutls >= 3.6.0
 BuildRequires: java-devel
 BuildRequires: krb5-devel
 BuildRequires: libxslt
-#BuildRequires: mozilla-nss-tools
+BuildRequires: mozilla-nss-tools
 BuildRequires: openssl
 BuildRequires: perl
 BuildRequires: python3-coverage
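Review bot: The context line `#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]` above Patch6 still carries the old tracking number (and a typo) although the commit message and the crypto-policies.changes hunk move that reference to jsc#PED-5041, so the spec and the changelog now disagree about which Jira item owns the FIPS patch; it should read `#PATCH-FIX-OPENSUSE Adapt the fips-mode-setup script for SUSE/openSUSE [jsc#PED-5041]`. Patch7 is declared in the same hunk, but %prep is outside this diff, so whether crypto-policies-nss.patch is actually applied (for example via %autosetup or an explicit %patch7 line) cannot be confirmed here and is worth checking before merging.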
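Review bot: `BuildRequires: mozilla-nss-tools` is re-enabled in the last hunk of this file section without a comment, in the same commit whose changelog entry introduces crypto-policies-nss.patch precisely to avoid pulling mozilla-nss-tools into ring0, and nothing on the page says why the build-time dependency is acceptable when the runtime one is not. If it is only there so the test suite exercises the NSS policy check, say so above the line, e.g. `# Needed only so the test suite runs the NSS policy check; at runtime the check is skipped when the tool is absent (crypto-policies-nss.patch)`, so the next maintainer does not comment it out again. If ring0 build dependencies are the actual concern, consider guarding it with the same %bcond mechanism the file already uses for manbuild.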
@@ -82,7 +82,9 @@ BuildRequires: perl(File::Temp)
 BuildRequires: perl(File::Which)
 BuildRequires: perl(File::pushd)
 %endif
+%if 0%{?primary_python:1}
 Recommends: crypto-policies-scripts
+%endif
 Conflicts: gnutls < 3.7.3
 #Conflicts: libreswan < 3.28
 Conflicts: nss < 3.90.0
@@ -138,9 +140,6 @@ mkdir -p -m 755 %{buildroot}%{_bindir}
 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
-# BSI.pol
-install -c -m 644 %{SOURCE7} %{buildroot}/%{_datarootdir}/crypto-policies/policies/
-
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
@@ -166,7 +165,7 @@ rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
 # Create back-end configs for mounting with read-only /etc/
-for d in LEGACY DEFAULT FUTURE FIPS ; do
+for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
 mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
 for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
 ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
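Review bot: The new `%if 0%{?primary_python:1}` guard in the first hunk applies `Recommends: crypto-policies-scripts` only when the `primary_python` macro is defined, i.e. when a system python is available, whereas the changelog entry for bsc#1215201 in this same commit says the package is recommended "when python is not installed in the system"; one of the two is inverted relative to the intent. Assuming the goal is to keep the Recommends from dragging python onto minimal systems, a comment above the condition would make that explicit, e.g. `# crypto-policies-scripts needs python; only recommend it where a system python is already present`, and the changes entry should be reworded to match. The FIPS and BSI hunks further down look consistent with the %files changes in the next section.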
@@ -241,6 +240,7 @@ end
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
@@ -262,6 +262,7 @@ end
 %{_datarootdir}/crypto-policies/DEFAULT
 %{_datarootdir}/crypto-policies/FUTURE
 %{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/BSI
 %{_datarootdir}/crypto-policies/EMPTY
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
diff --git a/fedora-crypto-policies-20230614.5f3458e.tar.gz b/fedora-crypto-policies-20230614.5f3458e.tar.gz
deleted file mode 100644
index 1f5117b..0000000
--- a/fedora-crypto-policies-20230614.5f3458e.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:40cb4cf8f865336b269fdad5d3f5ab81c8dd8c823cb2b2282f6a96252a529dae
-size 85187
diff --git a/fedora-crypto-policies-20230920.570ea89.tar.gz b/fedora-crypto-policies-20230920.570ea89.tar.gz
new file mode 100644
index 0000000..033597b
--- /dev/null
+++ b/fedora-crypto-policies-20230920.570ea89.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5af6d1bf4e8f75e27dbcfb27f83814dd486926b302325e4974a96f0a806892c5
+size 90127
diff --git a/fips-finish-install.8.gz b/fips-finish-install.8.gz
index 3767c05..64ae646 100644
--- a/fips-finish-install.8.gz
+++ b/fips-finish-install.8.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:3036b9fde1e86342746075d825d23eab12ee54228ebae9b6746e93bd51e3ada8
-size 825
+oid sha256:af99d2b749bd8276adcf4579a71411b7c028031e0c68d13702b7ef19bced7e89
+size 950
diff --git a/fips-mode-setup.8.gz b/fips-mode-setup.8.gz
index e73a349..e30c8cf 100644
--- a/fips-mode-setup.8.gz
+++ b/fips-mode-setup.8.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b29d2ba880077b33ef73932ca13ef88581e66288c4277a610aff9afa3a354b59
-size 1648
+oid sha256:67c8f9d38bcfdf2ecc265245d88138c46444bee5883a14fb2c7d520af6c0078e
+size 1783
diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz
index 6d4a2e2..0d49668 100644
--- a/update-crypto-policies.8.gz
+++ b/update-crypto-policies.8.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:950fcd3d9729c215baaa0dddb9434b01f02addca6aa4a4404a8d2ad65ef53598
+oid sha256:aeca399e889653394e5016ad57333c55a9a2cb0ed4ae2e7538700ffea5b7089b
 size 4154