rpm/crypto-policies
SHA256
1
0
Fork 0
forked from pool/crypto-policies
Code Pull Requests Activity

Accepting request 1099072 from home:pmonrealgonzalez:branches:security:tls

Browse Source 
- Update to version 20230614.5f3458e:
  * policies: impose old OpenSSL groups order for all back-ends
  * Rebase patches:
    - crypto-policies-revert-rh-allow-sha1-signatures.patch
    - crypto-policies-supported.patch

OBS-URL: https://build.opensuse.org/request/show/1099072
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=19
This commit is contained in:
Pedro Monreal Gonzalez 2023-07-17 10:01:21 +00:00 committed by Git OBS Bridge
parent aaa823e0a2
commit c840e031b3
13 changed files with 135 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.SUSE
View File

@ -1,6 +1,6 @@
Currently, the supported back-end policies are:
* OpenSSL library
* GnuTLS library
* OpenJDK (only for java-1_8_0-openjdk and java-11-openjdk)
* OpenJDK
The rest of the modules ignore the policy settings for the time being.

2
_service
View File

@ -4,7 +4,7 @@
<param name="scm">git</param>
<param name="versionformat">%cd.%h</param>
<param name="changesgenerate">enable</param>
<param name="revision">3d08ae70557e5a86686e5b24e443731bfdf232bb</param>
<param name="revision">5f3458e619628288883f22695f3311f1ccd6a39f</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">*.tar</param>

2
_servicedata
View File

@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
<param name="changesrevision">3d08ae70557e5a86686e5b24e443731bfdf232bb</param></service></servicedata>
<param name="changesrevision">5f3458e619628288883f22695f3311f1ccd6a39f</param></service></servicedata>

174
crypto-policies-revert-rh-allow-sha1-signatures.patch
View File

@ -4,10 +4,10 @@ Date: Fri, 8 Apr 2022 13:47:29 +0200
Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
Index: fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
Index: fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/FUTURE.pol
+++ fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
--- fedora-crypto-policies-20230614.5f3458e.orig/policies/FUTURE.pol
+++ fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
@@ -65,7 +65,3 @@ sha1_in_certs = 0
arbitrary_dh_groups = 1
ssh_certs = 1
@ -16,10 +16,10 @@ Index: fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
-__openssl_block_sha1_signatures = 1
Index: fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod
Index: fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/modules/NO-SHA1.pmod
+++ fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod
--- fedora-crypto-policies-20230614.5f3458e.orig/policies/modules/NO-SHA1.pmod
+++ fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod
@@ -3,7 +3,3 @@
hash = -SHA1
sign = -*-SHA1
@ -28,10 +28,10 @@ Index: fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
-__openssl_block_sha1_signatures = 1
Index: fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolicies.py
Index: fedora-crypto-policies-20230614.5f3458e/python/cryptopolicies/cryptopolicies.py
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/python/cryptopolicies/cryptopolicies.py
+++ fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolicies.py
--- fedora-crypto-policies-20230614.5f3458e.orig/python/cryptopolicies/cryptopolicies.py
+++ fedora-crypto-policies-20230614.5f3458e/python/cryptopolicies/cryptopolicies.py
@@ -19,7 +19,6 @@ from . import validation # moved out of
INT_DEFAULTS = {k: 0 for k in (
'arbitrary_dh_groups',
@ -40,10 +40,10 @@ Index: fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolic
'sha1_in_certs',
'ssh_certs', 'ssh_etm',
)}
Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.py
Index: fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.py
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/openssl.py
+++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.py
--- fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/openssl.py
+++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.py
@@ -7,14 +7,6 @@ from subprocess import check_output, Cal
from .configgenerator import ConfigGenerator
@ -72,10 +72,10 @@ Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.p
return s
@classmethod
Index: fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol
Index: fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/alternative-policies/FUTURE.pol
+++ fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/alternative-policies/FUTURE.pol
+++ fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol
@@ -71,7 +71,3 @@ sha1_in_dnssec = 0
arbitrary_dh_groups = 1
ssh_certs = 1
@ -84,52 +84,52 @@ Index: fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
-__openssl_block_sha1_signatures = 1
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.txt
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/EMPTY-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.txt
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/EMPTY-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.txt
@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS
Ciphersuites =
SignatureAlgorithms =
@ -140,66 +140,52 @@ Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.tx
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Groups = secp256r1:secp384r1:secp521r1
Groups = secp256r1:secp521r1:secp384r1
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FUTURE-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FUTURE-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = no
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcnf.txt
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcnf.txt
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcnf.txt
@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1
TLS.MaxProtocol = TLSv1.3
SignatureAlgorithms =
@ -210,38 +196,38 @@ Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcn
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/LEGACY-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/LEGACY-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py
Index: fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/unit/test_cryptopolicy.py
+++ fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/unit/test_cryptopolicy.py
+++ fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py
@@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm
min_dh_size = 0
min_dsa_size = 0
@ -258,10 +244,10 @@ Index: fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py
sha1_in_certs = 0
ssh_certs = 0
ssh_etm = 0
Index: fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
Index: fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/TEST-FEDORA39.pol
+++ fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
--- fedora-crypto-policies-20230614.5f3458e.orig/policies/TEST-FEDORA39.pol
+++ fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
@@ -67,7 +67,3 @@ sha1_in_certs = 0
arbitrary_dh_groups = 1
ssh_certs = 1
@ -270,3 +256,45 @@ Index: fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
-# SHA-1 signatures will blocked in OpenSSL
-__openssl_block_sha1_signatures = 1
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FEDORA38-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = no
Index: fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
+++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes

2
crypto-policies-supported.patch
View File

@ -16,7 +16,7 @@ Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+* NSS library (NSS, SSL, TLS) (Not supported)
-* OpenJDK (java-tls, SSL, TLS)
+* OpenJDK (java-tls, SSL, TLS) (Supported only for java-1_8_0-openjdk and java-11-openjdk)
+* OpenJDK (java-tls, SSL, TLS) (Supported)
-* Libkrb5 (krb5, kerberos)
+* Libkrb5 (krb5, kerberos) (Not supported)

4
crypto-policies.7.gz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:08e4778d0c659ec3d5f408ba889634255f462b5fe6ee0d22194347103da69a7e
size 6896
oid sha256:5eceb5b5a5360d08e1f85163bea95bdb84c748e1e3836765b400773d42bba1c9
size 6937

9
crypto-policies.changes
View File

@ -4,6 +4,15 @@ Fri Jul 14 14:59:06 UTC 2023 - Marcus Meissner <meissner@suse.com>
- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933)
derived from NEXT.pol
-------------------------------------------------------------------
Thu Jul 13 06:36:20 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to version 20230614.5f3458e:
* policies: impose old OpenSSL groups order for all back-ends
* Rebase patches:
- crypto-policies-revert-rh-allow-sha1-signatures.patch
- crypto-policies-supported.patch
-------------------------------------------------------------------
Thu May 25 11:28:12 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

13
crypto-policies.spec
View File

@ -22,7 +22,7 @@
%bcond_with manbuild
%global _python_bytecompile_extra 0
Name: crypto-policies
Version: 20230420.3d08ae7
Version: 20230614.5f3458e
Release: 0
Summary: System-wide crypto policies
License: LGPL-2.1-or-later
@ -60,7 +60,7 @@ BuildRequires: python3-base >= 3.6
BuildRequires: asciidoc
%endif
%if %{with testsuite}
# The following buildrequires are needed for the testsuite
# The following packages are needed for the testsuite
BuildRequires: bind
BuildRequires: gnutls >= 3.6.0
BuildRequires: java-devel
@ -94,6 +94,7 @@ such as SSL/TLS libraries.
%package scripts
Summary: Tool to switch between crypto policies
Requires: %{name} = %{version}-%{release}
Recommends: grubby
%description scripts
This package provides a tool update-crypto-policies, which applies
@ -101,6 +102,9 @@ the policies provided by the crypto-policies package. These can be
either the pre-built policies from the base package or custom policies
defined in simple policy definition files.
The package also provides a tool fips-mode-setup, which can be used
to enable or disable the system FIPS mode.
%prep
%autosetup -p1 -n fedora-%{name}-%{version}
@ -113,6 +117,9 @@ find -name sequoia.py -delete
%build
export OPENSSL_CONF=''
sed -i "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
python/policygenerators/openssh.py
grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
%make_build
%install
@ -174,7 +181,7 @@ install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
%check
%if %{with testsuite}
export OPENSSL_CONF=''
%make_build test || :
%make_build test test-install test-fips-setup || :
%endif
%post -p <lua>

3
fedora-crypto-policies-20230420.3d08ae7.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0554a9e3965970a2233dee8770fe414527e073b80106db89a1170fa845c3903b
size 85811

3
fedora-crypto-policies-20230614.5f3458e.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:40cb4cf8f865336b269fdad5d3f5ab81c8dd8c823cb2b2282f6a96252a529dae
size 85187

4
fips-finish-install.8.gz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c127272faa0580e5969d1a1b33ea4a8811a60da45d23fe50a782eaaf8c0c9075
size 824
oid sha256:b0c4844eb573ddb5517d78c0e2e663066413ef3807dfa63df5ee43c0fefe1582
size 825

4
fips-mode-setup.8.gz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7a427092b98f11bf8bb0606afd71dbe1d153362f9c3a15ed53e479436f45e43b
size 1541
oid sha256:af453be70b0971f4e4139eec3b669bee3b5195df2d7c28853d3fd4c4006cbb1b
size 1542

4
update-crypto-policies.8.gz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3530ed7a871a3b9c72ea761ff45f9a80ab2720f76bb223e58debad848b8aa7a1
size 4178
oid sha256:cad2a9da340059b6ba7b84c9646a85f113cb8781d55c0ea5c8aa0422ea632c3c
size 4154