4ac1e9ad7b
- Update the update-crypto-policies(8) man pages and README.SUSE
to mention the supported back-end policies. [bsc#1209998]
* Add crypto-policies-supported.patch
- Update to version 20230420.3d08ae7:
* openssl, alg_lists: add brainpool support
* openssl: set Groups explicitly
* codespell: ignore aNULL
* rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
* sequoia: add separate rpm-sequoia backend
* crypto-policies.7: state upfront that FUTURE is not so interoperable
* Makefile: update for asciidoc 10
* Skip the LibreswanGenerator and SequoiaGenerator:
- Add crypto-policies-policygenerators.patch
* Remove crypto-policies-test_supported_modules_only.patch
* Rebase crypto-policies-no-build-manpages.patch
- Update to version 20221214.a4c31a3:
* bind: expand the list of disableable algorithms
* libssh: Add support for openssh fido keys
* .gitlab-ci.yml: install krb5-devel for krb5-config
* sequoia: check using sequoia-policy-config-check
* sequoia: introduce new back-end
* Makefile: support overriding asciidoc executable name
* openssh: make none and auto explicit and different
* openssh: autodetect and allow forcing RequiredRSASize presence/name
* openssh: remove _pre_8_5_ssh
* pylintrc: update
* Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
* disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...
OBS-URL: https://build.opensuse.org/request/show/1086482
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=15
73 lines
3.0 KiB
Diff
73 lines
3.0 KiB
Diff
Index: fedora-crypto-policies-20221214.a4c31a3/Makefile
|
|
===================================================================
|
|
--- fedora-crypto-policies-20221214.a4c31a3.orig/Makefile
|
|
+++ fedora-crypto-policies-20221214.a4c31a3/Makefile
|
|
@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
|
|
CONFDIR?=/etc/crypto-policies
|
|
DESTDIR?=
|
|
MAN7PAGES=crypto-policies.7
|
|
-MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
|
|
-SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
|
|
+MAN8PAGES=update-crypto-policies.8 fips-finish-install.8
|
|
+SCRIPTS=update-crypto-policies fips-finish-install
|
|
NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
|
|
PYVERSION = -3
|
|
DIFFTOOL?=meld
|
|
Index: fedora-crypto-policies-20221214.a4c31a3/crypto-policies.7.txt
|
|
===================================================================
|
|
--- fedora-crypto-policies-20221214.a4c31a3.orig/crypto-policies.7.txt
|
|
+++ fedora-crypto-policies-20221214.a4c31a3/crypto-policies.7.txt
|
|
@@ -153,9 +153,6 @@ PROVIDED POLICIES
|
|
|
|
*FIPS*::
|
|
A policy to aid conformance to the *FIPS 140-2* requirements.
|
|
- This policy is used internally by the *fips-mode-setup(8)* tool
|
|
- which can switch the system into the *FIPS 140-2* mode.
|
|
- This policy provides at least 112-bit security.
|
|
|
|
* MACs: all *HMAC* with *SHA1* or better
|
|
* Curves: all prime >= 256 bits
|
|
@@ -264,12 +261,6 @@ COMMANDS
|
|
back ends and allows the system administrator to change the active
|
|
cryptographic policy.
|
|
|
|
-*fips-mode-setup(8)*::
|
|
- This command allows the system administrator to enable, or disable the
|
|
- system FIPS mode and also apply the *FIPS* cryptographic policy
|
|
- which limits the allowed algorithms and protocols to these allowed by
|
|
- the FIPS 140-2 requirements.
|
|
-
|
|
|
|
NOTES
|
|
-----
|
|
@@ -447,7 +438,7 @@ FILES
|
|
|
|
SEE ALSO
|
|
--------
|
|
-update-crypto-policies(8), fips-mode-setup(8)
|
|
+update-crypto-policies(8)
|
|
|
|
|
|
AUTHOR
|
|
Index: fedora-crypto-policies-20221214.a4c31a3/python/update-crypto-policies.py
|
|
===================================================================
|
|
--- fedora-crypto-policies-20221214.a4c31a3.orig/python/update-crypto-policies.py
|
|
+++ fedora-crypto-policies-20221214.a4c31a3/python/update-crypto-policies.py
|
|
@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
|
|
eprint("Warning: Using 'update-crypto-policies --set FIPS' "
|
|
"is not sufficient for")
|
|
eprint(" FIPS compliance.")
|
|
- eprint(" Use 'fips-mode-setup --enable' "
|
|
- "command instead.")
|
|
elif fips_mode():
|
|
eprint("Warning: Using 'update-crypto-policies --set' "
|
|
"in FIPS mode will make the system")
|
|
eprint(" non-compliant with FIPS.")
|
|
eprint(" It can also break "
|
|
"the ssh access to the system.")
|
|
- eprint(" Use 'fips-mode-setup --disable' "
|
|
- "to disable the system FIPS mode.")
|
|
|
|
if base_dir == DEFAULT_BASE_DIR:
|
|
if not os.geteuid() == 0:
|