Commit Graph

16 Commits

Author SHA256 Message Date
743dc266bd Accepting request 1089054 from home:pmonrealgonzalez:branches:security:tls
- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup
  and fips-finish-install commands, add also the man pages. The
  required FIPS modules are left to be installed by the user.
  * Rebase crypto-policies-FIPS.patch

- Revert a breaking change that introduces the config option
  rh-allow-sha1-signatures that is unknown to OpenSSL and fails
  on startup. We will consider adding this option to openssl.
  * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494
  * Add crypto-policies-revert-rh-allow-sha1-signatures.patch

  * Skip not needed LibreswanGenerator and SequoiaGenerator:

OBS-URL: https://build.opensuse.org/request/show/1089054
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=16
2023-05-25 16:40:03 +00:00
Martin Pluskal
4ac1e9ad7b Accepting request 1086482 from home:pmonrealgonzalez:branches:security:tls
- Update the update-crypto-policies(8) man pages and README.SUSE
  to mention the supported back-end policies. [bsc#1209998]
  * Add crypto-policies-supported.patch

- Update to version 20230420.3d08ae7:
  * openssl, alg_lists: add brainpool support
  * openssl: set Groups explicitly
  * codespell: ignore aNULL
  * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
  * sequoia: add separate rpm-sequoia backend
  * crypto-policies.7: state upfront that FUTURE is not so interoperable
  * Makefile: update for asciidoc 10
  * Skip the LibreswanGenerator and SequoiaGenerator:
    - Add crypto-policies-policygenerators.patch
  * Remove crypto-policies-test_supported_modules_only.patch
  * Rebase crypto-policies-no-build-manpages.patch

- Update to version 20221214.a4c31a3:
  * bind: expand the list of disableable algorithms
  * libssh: Add support for openssh fido keys
  * .gitlab-ci.yml: install krb5-devel for krb5-config
  * sequoia: check using sequoia-policy-config-check
  * sequoia: introduce new back-end
  * Makefile: support overriding asciidoc executable name
  * openssh: make none and auto explicit and different
  * openssh: autodetect and allow forcing RequiredRSASize presence/name
  * openssh: remove _pre_8_5_ssh
  * pylintrc: update
  * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
  * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...

OBS-URL: https://build.opensuse.org/request/show/1086482
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=15
2023-05-14 10:09:24 +00:00
64434f6b7a Accepting request 921336 from home:pmonrealgonzalez:branches:security:tls
- Remove the scripts and documentation regarding
  fips-finish-install and test-fips-setup
  * Add crypto-policies-FIPS.patch

- Update to version 20210917.c9d86d1:
  * openssl: fix disabling ChaCha20
  * pacify pylint 2.11: use format strings
  * pacify pylint 2.11: specify explicit encoding
  * fix minor things found by new pylint
  * update-crypto-policies: --check against regenerated
  * update-crypto-policies: fix --check's walking order
  * policygenerators/gnutls: revert disabling DTLS0.9...
  * policygenerators/java: add javasystem backend
  * LEGACY: bump 1023 key size to 1024
  * cryptopolicies: fix 'and' in deprecation warnings
  * *ssh: condition ecdh-sha2-nistp384 on SECP384R1
  * nss: hopefully the last fix for nss sigalgs check
  * cryptopolicies: Python 3.10 compatibility
  * nss: postponing check + testing at least something
  * Rename 'policy modules' to 'subpolicies'
  * validation.rules: fix a missing word in error
  * cryptopolicies: raise errors right after warnings
  * update-crypto-policies: capitalize warnings
  * cryptopolicies: syntax-precheck scope errors
  * .gitlab-ci.yml, Makefile: enable codespell
  * all: fix several typos
  * docs: don't leave zero TLS/DTLS protocols on
  * openssl: separate TLS/DTLS MinProtocol/MaxProtocol
  * alg_lists: order protocols new-to-old for consistency
  * alg_lists: max_{d,}tls_version

OBS-URL: https://build.opensuse.org/request/show/921336
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=14
2021-09-27 08:09:29 +00:00
Richard Brown
220a4c63a6 Accepting request 875109 from security:tls
To be evaluated in Staging:O

OBS-URL: https://build.opensuse.org/request/show/875109
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/crypto-policies?expand=0&rev=1
2021-03-03 17:33:30 +00:00
14fe68fa46 Accepting request 875107 from home:pmonrealgonzalez:branches:security:tls
To be evaluated in Staging:O

OBS-URL: https://build.opensuse.org/request/show/875107
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=12
2021-02-25 12:26:13 +00:00
cd0fe31e45 Accepting request 873431 from home:pmonrealgonzalez:branches:security:tls
- Update to version 20210213.5c710c0: [bsc#1180938]
  * setup_directories(): perform safer creation of directories
  * save_config(): avoid re-opening output file for each iteration
  * save_config(): break after first match to avoid unnecessary stat() calls
  * CryptoPolicy.parse(): actually stop parsing line on syntax error
  * ProfileConfig.parse_string(): correctly extended subpolicies
  * Exclude RC4 from LEGACY
  * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT
  * code style: fix 'not in' membership testing
  * pylintrc: tighten up a bit
  * formatting: avoid long lines
  * formatting: use f-strings instead of format()
  * formatting: reformat all python code with autopep8
  * nss: postponing the version check again, to 3.61
  * Revert "Unfortunately we have to keep ignoring the openssh check for sk-"

OBS-URL: https://build.opensuse.org/request/show/873431
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=11
2021-02-18 15:02:02 +00:00
ee902fbb42 Accepting request 870817 from home:dimstar:Factory
- Use tar_scm service, not obs_scm: With crypto-policies entering
  Ring0 (distro bootstrap) we want to be sure to keep the buildtime
  deps as low as possible.
- Add python3-base BuildRequires: previously, OBS' tar service
  pulled this in for us.

- Add a BuildIgnore for crypto-policies

OBS-URL: https://build.opensuse.org/request/show/870817
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=10
2021-02-10 11:03:59 +00:00
2a5b6fad42 - Add a BuildIgnore for crypto-policies
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=9
2021-02-08 11:47:47 +00:00
6a038c8b4b Accepting request 870258 from home:pmonrealgonzalez:branches:security:tls
- Use gzip instead of xz in obscpio and sources

- Do not build the manpages to avoid build cycles
- Add crypto-policies-no-build-manpages.patch

OBS-URL: https://build.opensuse.org/request/show/870258
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=8
2021-02-08 11:33:22 +00:00
45bd4ac122 Accepting request 868718 from home:dimstar:Factory
Let's use a real _service file.

NOTE: the version is a small downgrade, but that's because I use %cd (aka commit date) as version identifier.
In the _service file I used the same commit date, so in fact this is the same source.


- Convert to use a proper git source _service:
  + To update, one just needs to update the commit/revision in the
    _service file and run `osc service dr`.
  + The version of the package is defined by the commit date of the
    revision, followed by the abbreviated git hash (The same
    revision used before results thus in a downgrade to 20210118,
    but as this is an all-time new package, this is acceptable).

OBS-URL: https://build.opensuse.org/request/show/868718
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=7
2021-02-02 17:53:21 +00:00
8761902799 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=6
2021-02-02 17:19:45 +00:00
9afe54a2ba OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=5
2021-02-02 16:59:41 +00:00
33b21d2a36 fix lua syntax in post section and add group tag
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=4
2021-02-02 13:17:12 +00:00
cc90f5ddb4 - Update to git version 20210127
  * Bump Python requirement to 3.6
  * Output sigalgs required by nss >=3.59
  * Do not require bind during build
  * Break build cycles with openssl and gnutls

OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=3
2021-02-02 12:43:48 +00:00
c78ee41234 Accepting request 865444 from home:pmonrealgonzalez:branches:security:tls
- Update to git version 20210118
  * Output sigalgs required by nss >=3.59
  * Bump Python requirement to 3.6
  * Kerberos 5: Fix policy generator to account for macs
  * Add AES-192 support (non-TLS scenarios)
  * Add documentation of the --check option

- Fix the man pages generation
- Add crypto-policies-asciidoc.patch

- Test only supported modules
- Add crypto-policies-test_supported_modules_only.patch

- Add crypto-policies-typos.patch to fix some typos

OBS-URL: https://build.opensuse.org/request/show/865444
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=2
2021-01-21 14:53:23 +00:00
Martin Pluskal
af8d3f38d5 Accepting request 850540 from home:vitezslav_cizek
System crypto policies from Fedora.

https://jira.suse.com/browse/SLE-15832
https://fedoraproject.org/wiki/Changes/CryptoPolicy

OBS-URL: https://build.opensuse.org/request/show/850540
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=1
2020-11-25 11:15:23 +00:00