From 61d6cd0906d3e3fd18a1c4172181400f35922ed0b52bb8fa4d54ab6470eca904 Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Thu, 7 Mar 2024 07:48:27 +0000 Subject: [PATCH 01/11] Accepting request 1154669 from home:pmonrealgonzalez:branches:security:tls - Update to version 20240201.9f501f3: * .gitlab-ci.yml: install sequoia-policy-config * java: disable ChaCha20-Poly1305 where applicable * fips-mode-setup: make sure ostree is detected in chroot * fips-finish-install: make sure ostree is detected in chroot * TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl * TEST-PQ: add a no-op subpolicy * update-crypto-policies: Keep mid-sentence upper case * fips-mode-setup: Write error messages to stderr * fips-mode-setup: Fix some shellcheck warnings * fips-mode-setup: Fix test for empty /boot * fips-mode-setup: Avoid 'boot=UUID=' if /boot == / * Update man pages * Rebase patches: - crypto-policies-FIPS.patch - crypto-policies-revert-rh-allow-sha1-signatures.patch - Update to version 20231108.adb5572b: * Print matches in syntax deprecation warnings * Restore support for scoped ssh_etm directives * fips-mode-setup: Fix usage with --no-bootcfg * turn ssh_etm into an etm@SSH tri-state * fips-mode-setup: increase chroot-friendliness * bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx * pylintrc: use-implicit-booleaness-not-comparison-to-* OBS-URL: https://build.opensuse.org/request/show/1154669 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=31 --- .gitattributes | 23 ++ .gitignore | 1 + README.SUSE | 6 + _service | 14 + _servicedata | 4 + crypto-policies-FIPS.patch | 193 +++++++++ crypto-policies-no-build-manpages.patch | 28 ++ crypto-policies-nss.patch | 42 ++ crypto-policies-policygenerators.patch | 43 ++ crypto-policies-pylint.patch | 15 + ...cies-revert-rh-allow-sha1-signatures.patch | 333 ++++++++++++++++ crypto-policies-rpmlintrc | 3 + crypto-policies-supported.patch | 37 ++ crypto-policies.7.gz | 3 + crypto-policies.changes | 369 ++++++++++++++++++ crypto-policies.spec | 292 ++++++++++++++ 
...ra-crypto-policies-20230920.570ea89.tar.gz | 3 + ...ra-crypto-policies-20240201.9f501f3.tar.gz | 3 + fips-finish-install.8.gz | 3 + fips-mode-setup.8.gz | 3 + update-crypto-policies.8.gz | 3 + 21 files changed, 1421 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 README.SUSE create mode 100644 _service create mode 100644 _servicedata create mode 100644 crypto-policies-FIPS.patch create mode 100644 crypto-policies-no-build-manpages.patch create mode 100644 crypto-policies-nss.patch create mode 100644 crypto-policies-policygenerators.patch create mode 100644 crypto-policies-pylint.patch create mode 100644 crypto-policies-revert-rh-allow-sha1-signatures.patch create mode 100644 crypto-policies-rpmlintrc create mode 100644 crypto-policies-supported.patch create mode 100644 crypto-policies.7.gz create mode 100644 crypto-policies.changes create mode 100644 crypto-policies.spec create mode 100644 fedora-crypto-policies-20230920.570ea89.tar.gz create mode 100644 fedora-crypto-policies-20240201.9f501f3.tar.gz create mode 100644 fips-finish-install.8.gz create mode 100644 fips-mode-setup.8.gz create mode 100644 update-crypto-policies.8.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..3cc4b70 --- /dev/null +++ b/README.SUSE @@ -0,0 +1,6 @@ +Currently, the supported back-end policies are: + * OpenSSL library + * GnuTLS library + * OpenJDK + +The rest of the modules ignore the policy settings for the time being. diff --git a/_service b/_service new file mode 100644 index 0000000..9e881b3 --- /dev/null +++ b/_service @@ -0,0 +1,14 @@ + + + https://gitlab.com/redhat-crypto/fedora-crypto-policies.git + git + %cd.%h + enable + 9f501f30f2a0a92e82e224cbd1b031c042e96386 + + + *.tar + gz + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..f1a2b5f --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://gitlab.com/redhat-crypto/fedora-crypto-policies.git + 9f501f30f2a0a92e82e224cbd1b031c042e96386 \ No newline at end of file 
diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch new file mode 100644 index 0000000..83a3fa3 --- /dev/null +++ b/crypto-policies-FIPS.patch 
@@ -0,0 +1,193 @@ +Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup ++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then + exit 1 + fi + ++# This check must be done as root, otherwise it will fail. ++is_transactional_system=0 ++if test ! -w /usr ; then ++ is_transactional_system=1 ++fi ++ ++# We don't handle the setup on transactional systems as the process is ++# quite different and involves several reboots. ++if test "$is_transactional_system" = 1 && test "$check" = 0 ; then ++ cond_echo -n "Cannot handle transactional systems. " ++ cond_echo "Please, refer to the fips-mode-setup man pages for more information." ++ exit 1 ++fi + + # Detect 1: kernel FIPS flag + fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled) +@@ -167,10 +180,10 @@ if test $check = 1 ; then + fi + + # Boot configuration +-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then +- echo >&2 "The grubby command is missing, please configure the bootloader manually." +- boot_config=0 +-fi ++# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then ++# echo >&2 "The grubby command is missing, please configure the bootloader manually." ++# boot_config=0 ++# fi + + if test "$boot_config" = 1 && test ! -d /boot ; then + echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)." +@@ -236,20 +249,42 @@ if test "$boot_config" = 1 ; then + fi + fi + ++if test "$boot_config" = 1 ; then ++ # Install required packages: patterns-base-fips and perl-Bootloader ++ if test ! -f /etc/dracut.conf.d/40-fips.conf && \ ++ test ! -x "$(command -v pbl)" && \ ++ test "$enable_fips" = 1; then ++ zypper -n install patterns-base-fips perl-Bootloader ++ elif test ! 
-f /etc/dracut.conf.d/40-fips.conf && \ ++ test "$enable_fips" = 1 ; then ++ zypper -n install patterns-base-fips ++ elif test ! -x "$(command -v pbl)" ; then ++ zypper -n install perl-Bootloader ++ fi ++ if test $? != 0 ; then ++ echo "The pbl command or the fips pattern are missing, please configure the bootloader manually." ++ boot_config=0 ++ fi ++fi ++ + echo "FIPS mode will be $(enable2txt $enable_fips)." + + fipsopts="fips=$enable_fips$boot_device_opt" + + if test "$boot_config" = 1 ; then +- grubby --update-kernel=ALL --args="$fipsopts" +- if test x"$(uname -m)" = xs390x; then +- if command -v zipl >/dev/null; then +- zipl +- else +- echo -n '`zipl` execution has been skipped: ' +- echo '`zipl` not found.' +- fi +- fi ++ pbl --add-option "$fipsopts" ++ grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all ++ ++ # grubby --update-kernel=ALL --args="$fipsopts" ++ # if test x"$(uname -m)" = xs390x; then ++ # if command -v zipl >/dev/null; then ++ # zipl ++ # else ++ # echo -n '`zipl` execution has been skipped: ' ++ # echo '`zipl` not found.' ++ # fi ++ # fi ++ + echo "Please reboot the system for the setting to take effect." + else + echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" +Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-finish-install ++++ fedora-crypto-policies-20240201.9f501f3/fips-finish-install +@@ -24,6 +24,15 @@ fi + + umask 022 + ++# Install required packages: patterns-base-fips and perl-Bootloader ++if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then ++ zypper -n install patterns-base-fips perl-Bootloader ++elif test ! -f $dracut_cfg ; then ++ zypper -n install patterns-base-fips ++elif test ! -x "$(command -v pbl)" ; then ++ zypper -n install perl-Bootloader ++fi ++ + if test ! -d $dracut_cfg_d -o ! 
-d /boot -o "$is_ostree_system" = 1 ; then + # No dracut configuration or boot directory present, do not try to modify it. + # Also, on OSTree systems, we currently rely on the initrd already including +@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot + exit 0 + fi + +-if test x"$1" == x--complete; then +- trap "rm -f $dracut_cfg" ERR +- cat >$dracut_cfg </dev/null; then +- zipl +- else +- echo '`zipl` execution has been skipped: `zipl` not found.' +- fi +-fi ++# if test x"$1" == x--complete; then ++# trap "rm -f $dracut_cfg" ERR ++# cat >$dracut_cfg </dev/null; then ++# zipl ++# else ++# echo '`zipl` execution has been skipped: `zipl` not found.' ++# fi ++# fi +Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup.8.txt ++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt +@@ -45,6 +45,23 @@ Then the command modifies the boot loade + When disabling the system FIPS mode the system crypto policy is switched + to DEFAULT and the kernel command line option 'fips=0' is set. + ++On transactional systems, enabling the system in FIPS mode with the ++fips-mode-setup tool is not implemented. To enable the FIPS mode in these ++systems requires the following steps: ++ ++ 1.- Install the FIPS pattern on a running system: ++ # transactional-update pkg install -t pattern microos-fips ++ ++ 2.- Reboot your system. ++ ++ 3.- Add the kernel command line parameter fips=1 to the boot loader ++ configuration. To do so, edit the file /etc/default/grub and add ++ fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable. ++ ++ 4.- After logging in to the system, run: ++ # transactional-update grub.cfg ++ ++ 5.- Reboot your system. + + [[options]] + OPTIONS diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch new file mode 100644 index 0000000..7e09857 --- /dev/null 
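Review bot: In the patched fips-mode-setup the new `pbl --add-option "$fipsopts"` line and the `grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all` line after it are not checked for failure, so when pbl, grub2-mkconfig or dracut fails the script still prints `Please reboot the system for the setting to take effect.` and, as far as the hunk shows, continues as if the kernel command line had been updated. Fail loudly instead: `pbl --add-option "$fipsopts" || { echo >&2 "pbl failed, please configure the bootloader manually."; exit 1; }` and the same `|| { …; exit 1; }` guard on the grub2-mkconfig/dracut line. The zypper failure message added just above (`echo "The pbl command or the fips pattern are missing, …"`) goes to stdout, while the upstream update pulled in by this same commit moves fips-mode-setup's error messages to stderr, so `echo >&2` would keep it consistent. The replaced grubby/zipl block in fips-mode-setup and the whole `--complete` branch of fips-finish-install are kept as commented-out shell rather than deleted; a patch is easier to review and rebase when it removes the lines and states the reason in its header (the heredoc of that branch did not survive in this listing, so what exactly is dropped cannot be checked here). With that branch gone nothing in fips-finish-install writes `$dracut_cfg` any more, so it presumably now comes from patterns-base-fips — worth a one-line comment next to the `zypper -n install patterns-base-fips` call.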
+++ b/crypto-policies-no-build-manpages.patch
@@ -0,0 +1,28 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/Makefile
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile
++++ fedora-crypto-policies-20230420.3d08ae7/Makefile
+@@ -28,9 +28,9 @@ install: $(MANPAGES)
+ mkdir -p $(DESTDIR)$(MANDIR)/man7
+ mkdir -p $(DESTDIR)$(MANDIR)/man8
+ mkdir -p $(DESTDIR)$(BINDIR)
+- install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+- install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+- install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
++ # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
++ # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
++ # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+ mkdir -p $(DESTDIR)$(DIR)/
+ install -p -m 644 default-config $(DESTDIR)$(DIR)
+ install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
+@@ -114,8 +114,8 @@ clean:
+ rm -rf output
+
+ %: %.txt
+- $(ASCIIDOC) -v -d manpage -b docbook $<
+- xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
++ #$(ASCIIDOC) -v -d manpage -b docbook $<
++ #xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
+
+ dist:
+ rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
diff --git a/crypto-policies-nss.patch b/crypto-policies-nss.patch
new file mode 100644
index 0000000..e498d4a
--- /dev/null
+++ b/crypto-policies-nss.patch
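Review bot: The patch name says it only disables man page building, yet the same hunk also comments out `install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)`, so `make install` no longer installs the scripts at all; if the spec copies them itself, state that in the patch header, otherwise that line must stay. A tab-indented line starting with `#` is still a recipe line in Make, so the three `# install …` lines and the `#$(ASCIIDOC)`/`#xsltproc` lines are handed to the shell and echoed on every build as no-ops, and the `%: %.txt` match-anything rule now "builds" each `$(MANPAGES)` target without creating a file. Cleaner is to delete those recipe lines and the `%: %.txt` rule outright and change the rule header to `install:` with `$(MANPAGES)` removed from its prerequisites. The hunk headers reference 20230420.3d08ae7 while the other patches in this commit are rebased onto 20240201.9f501f3, so this one presumably applies with fuzz and is worth refreshing.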
@@ -0,0 +1,42 @@
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py
++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py
+@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator):
+ try:
+ with os.fdopen(fd, 'w') as f:
+ f.write(config)
+- try:
+- ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+- '>/dev/null',
+- shell=True)
+- except CalledProcessError:
+- cls.eprint("/usr/bin/nss-policy-check: Execution failed")
++ if os.path.exists('/usr/bin/nss-policy-check'):
++ # Perform a policy check only if the mozilla-nss-tools
++ # package is installed. This avoids adding more
++ # dependencies to Ring0.
++ try:
++ ret = call(f'/usr/bin/nss-policy-check {options} {path}'
++ '>/dev/null', shell=True)
++ except CalledProcessError:
++ cls.eprint("/usr/bin/nss-policy-check: Execution failed")
++ else:
++ # The mozilla-nss-tools package is not installed and we can
++ # temporarily skip the policy check for mozilla-nss.
++ ret = 3
++
+ finally:
+ os.unlink(path)
+
+@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator):
+ cls.eprint("There is a warning in NSS generated policy")
+ cls.eprint(f'Policy:\n{config}')
+ return False
++ elif ret == 3:
++ cls.eprint('Skipping NSS policy check: '
++ '/usr/bin/nss-policy-check not found')
++ return True
+ elif ret:
+ cls.eprint("There is an error in NSS generated policy")
+ cls.eprint(f'Policy:\n{config}')
diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch
new file mode 100644
index 0000000..4fc811c
--- /dev/null
+++ b/crypto-policies-policygenerators.patch
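Review bot: The sentinel `ret = 3` chosen for "nss-policy-check is not installed" is also a possible exit status of `/usr/bin/nss-policy-check` itself, and the new `elif ret == 3:` branch is placed before the generic `elif ret:` error branch, so a real check that exits with 3 would be logged as `Skipping NSS policy check` and `return True`, i.e. an invalid generated policy would pass validation. Use a value the subprocess cannot produce: `ret = None` in the else branch and `elif ret is None:` in the result handling; I cannot see nss-policy-check's exit codes from here, but a non-integer sentinel avoids the question entirely. The comment `# temporarily skip the policy check` would also benefit from saying what the skip means for the user, e.g. `# Skipped: the generated nss.config is installed unvalidated.` The enclosing method starts before and ends after the hunk.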
@@ -0,0 +1,43 @@
+Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
+===================================================================
+--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/__init__.py
++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py
+@@ -8,7 +8,7 @@ from .gnutls import GnuTLSGenerator
+ from .java import JavaGenerator
+ from .java import JavaSystemGenerator
+ from .krb5 import KRB5Generator
+-from .libreswan import LibreswanGenerator
++# from .libreswan import LibreswanGenerator
+ from .libssh import LibsshGenerator
+ from .nss import NSSGenerator
+ from .openssh import OpenSSHClientGenerator
+@@ -16,8 +16,8 @@ from .openssh import OpenSSHServerGenera
+ from .openssl import OpenSSLConfigGenerator
+ from .openssl import OpenSSLGenerator
+ from .openssl import OpenSSLFIPSGenerator
+-from .sequoia import SequoiaGenerator
+-from .sequoia import RPMSequoiaGenerator
++# from .sequoia import SequoiaGenerator
++# from .sequoia import RPMSequoiaGenerator
+
+ __all__ = [
+ 'BindGenerator',
+@@ -25,7 +25,6 @@ __all__ = [
+ 'JavaGenerator',
+ 'JavaSystemGenerator',
+ 'KRB5Generator',
+- 'LibreswanGenerator',
+ 'LibsshGenerator',
+ 'NSSGenerator',
+ 'OpenSSHClientGenerator',
+@@ -33,6 +32,8 @@ __all__ = [
+ 'OpenSSLConfigGenerator',
+ 'OpenSSLGenerator',
+ 'OpenSSLFIPSGenerator',
+- 'SequoiaGenerator',
+- 'RPMSequoiaGenerator',
+ ]
++
++# 'LibreswanGenerator',
++# 'SequoiaGenerator',
++# 'RPMSequoiaGenerator',
diff --git a/crypto-policies-pylint.patch b/crypto-policies-pylint.patch
new file mode 100644
index 0000000..717f30a
--- /dev/null
+++ b/crypto-policies-pylint.patch
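Review bot: The three names removed from `__all__` are re-added as comments after the closing `]`, and the matching imports are kept as `# from .libreswan …` / `# from .sequoia …` comment lines; commented-out code in a patch has no effect and only obscures what the patch does, so delete those lines and record the reason in the patch header (Libreswan and Sequoia generators not supported on this platform, presumably — the man page patch in this commit marks Libreswan "Not supported"). Without the generators, `update-crypto-policies` will no longer regenerate the libreswan and sequoia/rpm-sequoia back-end files; whether a stale copy left in /etc/crypto-policies/back-ends by an earlier package version is removed is not visible here and is worth checking in the spec. The patch is against 20230920.570ea89 while the rest of the series is rebased onto 20240201.9f501f3; a refresh would avoid fuzz.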
@@ -0,0 +1,15 @@
+Index: fedora-crypto-policies-20230614.5f3458e/Makefile
+===================================================================
+--- fedora-crypto-policies-20230614.5f3458e.orig/Makefile
++++ fedora-crypto-policies-20230614.5f3458e/Makefile
+@@ -44,8 +44,8 @@ runflake8:
+ @find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8
+
+ runpylint:
+- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc python
+- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc tests
++ PYTHONPATH=. pylint --rcfile=pylintrc python
++ PYTHONPATH=. pylint --rcfile=pylintrc tests
+ @echo "[ OK ]"
+
+ runcodespell:
diff --git a/crypto-policies-revert-rh-allow-sha1-signatures.patch b/crypto-policies-revert-rh-allow-sha1-signatures.patch
new file mode 100644
index 0000000..69cbe12
--- /dev/null
+++ b/crypto-policies-revert-rh-allow-sha1-signatures.patch
@@ -0,0 +1,333 @@ +From 97fe4494571fd90a05f9bc42af152762eca2fac5 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Fri, 8 Apr 2022 13:47:29 +0200 +Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 + + +Index: fedora-crypto-policies-20240201.9f501f3/policies/FUTURE.pol +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/policies/FUTURE.pol ++++ fedora-crypto-policies-20240201.9f501f3/policies/FUTURE.pol +@@ -69,4 +69,4 @@ etm@ssh = ANY + + # https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 + # SHA-1 signatures are blocked in OpenSSL in FUTURE only +-__openssl_block_sha1_signatures = 1 ++# __openssl_block_sha1_signatures = 1 +Index: fedora-crypto-policies-20240201.9f501f3/policies/modules/NO-SHA1.pmod +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/policies/modules/NO-SHA1.pmod ++++ fedora-crypto-policies-20240201.9f501f3/policies/modules/NO-SHA1.pmod +@@ -6,4 +6,4 @@ sha1_in_certs = 0 + + # https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1 + # SHA-1 signatures are blocked in OpenSSL in FUTURE only +-__openssl_block_sha1_signatures = 1 ++# __openssl_block_sha1_signatures = 1 +Index: fedora-crypto-policies-20240201.9f501f3/python/cryptopolicies/cryptopolicies.py +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/python/cryptopolicies/cryptopolicies.py ++++ fedora-crypto-policies-20240201.9f501f3/python/cryptopolicies/cryptopolicies.py +@@ -24,7 +24,6 @@ from . 
import validation # moved out of + INT_DEFAULTS = {k: 0 for k in ( + 'arbitrary_dh_groups', + 'min_dh_size', 'min_dsa_size', 'min_rsa_size', +- '__openssl_block_sha1_signatures', # FUTURE/TEST-FEDORA39/NO-SHA1 + 'sha1_in_certs', + 'ssh_certs', + )} +Index: fedora-crypto-policies-20240201.9f501f3/python/policygenerators/openssl.py +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/python/policygenerators/openssl.py ++++ fedora-crypto-policies-20240201.9f501f3/python/policygenerators/openssl.py +@@ -7,13 +7,6 @@ from subprocess import check_output, Cal + + from .configgenerator import ConfigGenerator + +-RH_SHA1_SECTION = ''' +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = {} +-''' + + FIPS_MODULE_CONFIG = ''' + [fips_sect] +@@ -265,11 +258,8 @@ class OpenSSLConfigGenerator(OpenSSLGene + if policy.enums['__ems'] == 'RELAX': + s += 'Options = RHNoEnforceEMSinFIPS\n' + +- # In the future it'll be just +- # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no') +- # but for now we slow down the roll-out and we have +- sha1_sig = not policy.integers['__openssl_block_sha1_signatures'] +- s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no') ++ # sha1_sig = not policy.integers['__openssl_block_sha1_signatures'] ++ # s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no') + + return s + +Index: fedora-crypto-policies-20240201.9f501f3/tests/alternative-policies/FUTURE.pol +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/alternative-policies/FUTURE.pol ++++ fedora-crypto-policies-20240201.9f501f3/tests/alternative-policies/FUTURE.pol +@@ -76,4 +76,4 @@ ssh_etm = 1 + + # https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1 + # SHA-1 signatures are blocked in OpenSSL in FUTURE only +-__openssl_block_sha1_signatures = 1 ++# __openssl_block_sha1_signatures 
= 1 +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/DEFAULT-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:GOST-opensslcnf.txt +=================================================================== +--- 
fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:GOST-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/EMPTY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/EMPTY-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/EMPTY-opensslcnf.txt +@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS + Ciphersuites = + SignatureAlgorithms = + Groups = +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FIPS-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = 
evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = secp256r1:secp521r1:secp384r1 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FUTURE-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FUTURE-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FUTURE-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = no +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/GOST-ONLY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/GOST-ONLY-opensslcnf.txt ++++ 
fedora-crypto-policies-20240201.9f501f3/tests/outputs/GOST-ONLY-opensslcnf.txt +@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1 + TLS.MaxProtocol = TLSv1.3 + SignatureAlgorithms = + Groups = +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/LEGACY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/LEGACY-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/LEGACY-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 + Groups = 
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/unit/test_cryptopolicy.py +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/unit/test_cryptopolicy.py ++++ fedora-crypto-policies-20240201.9f501f3/tests/unit/test_cryptopolicy.py +@@ -284,7 +284,6 @@ def test_cryptopolicy_to_string_empty(tm + min_dh_size = 0 + min_dsa_size = 0 + min_rsa_size = 0 +- __openssl_block_sha1_signatures = 0 + sha1_in_certs = 0 + ssh_certs = 0 + etm = ANY +@@ -316,7 +315,6 @@ def test_cryptopolicy_to_string_twisted( + min_dh_size = 0 + min_dsa_size = 0 + min_rsa_size = 0 +- __openssl_block_sha1_signatures = 0 + sha1_in_certs = 0 + ssh_certs = 0 + etm = ANY +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FEDORA38-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FEDORA38-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FEDORA38-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/TEST-FEDORA39-opensslcnf.txt +=================================================================== +--- 
fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/TEST-FEDORA39-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = no +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:OSPP-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:OSPP-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 + Groups = secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/BSI-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/BSI-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/BSI-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 + Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt ++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt +@@ -7,9 +7,3 @@ DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 + Options = RHNoEnforceEMSinFIPS +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20240201.9f501f3/policies/TEST-FEDORA39.pol +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/policies/TEST-FEDORA39.pol ++++ fedora-crypto-policies-20240201.9f501f3/policies/TEST-FEDORA39.pol +@@ -71,4 +71,4 @@ etm@SSH = ANY + + # https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 + # SHA-1 signatures will blocked in OpenSSL +-__openssl_block_sha1_signatures = 1 ++# __openssl_block_sha1_signatures = 1 +Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt +=================================================================== +--- 
fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
++++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
+@@ -7,8 +7,2 @@ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = x25519_kyber768:p384_kyber768:X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
diff --git a/crypto-policies-rpmlintrc b/crypto-policies-rpmlintrc
new file mode 100644
index 0000000..6fdbe70
--- /dev/null
+++ b/crypto-policies-rpmlintrc
@@ -0,0 +1,3 @@
+addFilter(".*files-duplicate.*")
+addFilter(".*zero-length.*")
+addFilter(".non-conffile-in-etc.*")
diff --git a/crypto-policies-supported.patch b/crypto-policies-supported.patch
new file mode 100644
index 0000000..1ce9e4c
--- /dev/null
+++ b/crypto-policies-supported.patch
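Review bot: The header of crypto-policies-revert-rh-allow-sha1-signatures.patch is the upstream commit it reverts (`Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1`, From: Alexander Sosedkin), while the body does the opposite — it deletes `RH_SHA1_SECTION` from openssl.py and the `__openssl_block_sha1_signatures` knob from the policies — so anyone reading the header alone gets the security effect backwards; replace it with a short description of why the section is dropped (presumably because this platform's OpenSSL has no `rh-allow-sha1-signatures` property) and what still keeps SHA-1 out (the FUTURE and TEST-FEDORA39 outputs still omit SHA-1 from `SignatureAlgorithms`, but the `rh-allow-sha1-signatures = no` line is gone). The `# SHA-1 signatures are blocked in OpenSSL in FUTURE only` comments in FUTURE.pol, NO-SHA1.pmod, TEST-FEDORA39.pol and tests/alternative-policies/FUTURE.pol are kept above the now commented-out directive and no longer describe what happens; reword them, e.g. `# __openssl_block_sha1_signatures is not honoured by this OpenSSL build; SHA-1 is only excluded from SignatureAlgorithms`. Removing `'__openssl_block_sha1_signatures'` from `INT_DEFAULTS` in cryptopolicies.py presumably turns any local policy or subpolicy that still sets it into an unknown-directive error rather than a no-op; if that is intended, say so in the header so support staff can recognise the failure.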
@@ -0,0 +1,37 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt
++++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+@@ -54,23 +54,23 @@ are configured to follow the default pol
+ The generated back-end policies will be placed in /etc/crypto-policies/back-ends.
+ Currently the supported back-ends (and directive scopes they respect) are:
+ 
+-* GnuTLS library (GnuTLS, SSL, TLS)
++* GnuTLS library (GnuTLS, SSL, TLS) (Supported)
+ 
+-* OpenSSL library (OpenSSL, SSL, TLS)
++* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
+ 
+-* NSS library (NSS, SSL, TLS)
++* NSS library (NSS, SSL, TLS) (Not supported)
+ 
+-* OpenJDK (java-tls, SSL, TLS)
++* OpenJDK (java-tls, SSL, TLS) (Supported)
+ 
+-* Libkrb5 (krb5, kerberos)
++* Libkrb5 (krb5, kerberos) (Not supported)
+ 
+-* BIND (BIND, DNSSec)
++* BIND (BIND, DNSSec) (Not supported)
+ 
+-* OpenSSH (OpenSSH, SSH)
++* OpenSSH (OpenSSH, SSH) (Not supported)
+ 
+-* Libreswan (libreswan, IKE, IPSec)
++* Libreswan (libreswan, IKE, IPSec) (Not supported)
+ 
+-* libssh (libssh, SSH)
++* libssh (libssh, SSH) (Not supported)
+ 
+ Applications and languages which rely on any of these back-ends will follow
+ the system policies as well. Examples are apache httpd, nginx, php, and
diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz
new file mode 100644
index 0000000..03d8d8a
--- /dev/null
+++ b/crypto-policies.7.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a9783973c2381957cc53a2b9a46ffe148cbd9c6fb9c78f16f86346568a7dc6c6
+size 7435
diff --git a/crypto-policies.changes b/crypto-policies.changes
new file mode 100644
index 0000000..f3a7821
--- /dev/null
+++ b/crypto-policies.changes
@@ -0,0 +1,369 @@ +------------------------------------------------------------------- +Tue Feb 06 10:29:11 UTC 2024 - Pedro Monreal + +- Update to version 20240201.9f501f3: + * .gitlab-ci.yml: install sequoia-policy-config + * java: disable ChaCha20-Poly1305 where applicable + * fips-mode-setup: make sure ostree is detected in chroot + * fips-finish-install: make sure ostree is detected in chroot + * TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl + * TEST-PQ: add a no-op subpolicy + * update-crypto-policies: Keep mid-sentence upper case + * fips-mode-setup: Write error messages to stderr + * fips-mode-setup: Fix some shellcheck warnings + * fips-mode-setup: Fix test for empty /boot + * fips-mode-setup: Avoid 'boot=UUID=' if /boot == / + * Update man pages + * Rebase patches: + - crypto-policies-FIPS.patch + - crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Mon Feb 02 08:34:40 UTC 2024 - Pedro Monreal + +- Update to version 20231108.adb5572b: + * Print matches in syntax deprecation warnings + * Restore support for scoped ssh_etm directives + * fips-mode-setup: Fix usage with --no-bootcfg + * turn ssh_etm into an etm@SSH tri-state + * fips-mode-setup: increase chroot-friendliness + * bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx + * pylintrc: use-implicit-booleaness-not-comparison-to-* + +------------------------------------------------------------------- +Tue Jan 30 18:36:34 UTC 2024 - Dirk Müller + +- avoid the cycle rpm/cmake/crypto-policies/python-rpm-macros: + we only need python3-base here, we don't need the python + macros as no module is being built + +------------------------------------------------------------------- +Thu Oct 5 12:35:57 UTC 2023 - Daniel Garcia + +- Remove dependency on /usr/bin/python3, making scripts to depends on + the real python3 binary, not the link. 
bsc#1212476 + +------------------------------------------------------------------- +Wed Sep 27 10:54:17 UTC 2023 - Pedro Monreal + +- nss: Skip the NSS policy check if the mozilla-nss-tools package + is not installed. This avoids adding more dependencies in ring0. + * Add crypto-policies-nss.patch [bsc#1211301] + +------------------------------------------------------------------- +Fri Sep 22 10:27:53 UTC 2023 - Pedro Monreal + +- Update to version 20230920.570ea89: + * fips-mode-setup: more thorough --disable, still unsupported + * FIPS:OSPP: tighten beyond reason for OSPP 4.3 + * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones + * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS) + * gnutls: prepare for tls-session-hash option coming + * nss: prepare for TLS-REQUIRE-EMS option coming + * NO-ENFORCE-EMS: add subpolicy + * FIPS: set __ems = ENFORCE + * cryptopolicies: add enums and __ems tri-state + * docs: replace `FIPS 140-2` with just `FIPS 140` + * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE + * cryptopolicies: add comments on dunder options + * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check + * BSI: start a BSI TR 02102 policy [jsc#PED-4933] + * Rebase patches: + - crypto-policies-policygenerators.patch + - crypto-policies-revert-rh-allow-sha1-signatures.patch + - crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Sep 15 11:23:06 UTC 2023 - Pedro Monreal + +- Conditionally recommend the crypto-policies-scripts package + when python is not installed in the system [bsc#1215201] + +------------------------------------------------------------------- +Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal + +- Tests: Fix pylint versioning for TW and fix the parsing of the + policygenerators to account for the commented lines correctly. 
+ * Add crypto-policies-pylint.patch + * Rebase crypto-policies-policygenerators.patch + +------------------------------------------------------------------- +Tue Aug 1 12:23:33 UTC 2023 - Pedro Monreal + +- FIPS: Adapt the fips-mode-setup script to use the pbl command + from the perl-Bootloader package to replace grubby. Add a note + for transactional systems [jsc#PED-5041]. + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Jul 14 14:59:06 UTC 2023 - Marcus Meissner + +- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933) + derived from NEXT.pol + +------------------------------------------------------------------- +Thu Jul 13 06:36:20 UTC 2023 - Pedro Monreal + +- Update to version 20230614.5f3458e: + * policies: impose old OpenSSL groups order for all back-ends + * Rebase patches: + - crypto-policies-revert-rh-allow-sha1-signatures.patch + - crypto-policies-supported.patch + +------------------------------------------------------------------- +Thu May 25 11:28:12 UTC 2023 - Pedro Monreal + +- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup + and fips-finish-install commands, add also the man pages. The + required FIPS modules are left to be installed by the user. + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Wed May 24 20:04:20 UTC 2023 - Pedro Monreal + +- Revert a breaking change that introduces the config option + rh-allow-sha1-signatures that is unkown to OpenSSL and fails + on startup. We will consider adding this option to openssl. + * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494 + * Add crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Mon May 8 09:45:45 UTC 2023 - Pedro Monreal + +- Update the update-crypto-policies(8) man pages and README.SUSE + to mention the supported back-end policies. 
[bsc#1209998] + * Add crypto-policies-supported.patch + +------------------------------------------------------------------- +Mon May 08 06:32:49 UTC 2023 - Pedro Monreal + +- Update to version 20230420.3d08ae7: + * openssl, alg_lists: add brainpool support + * openssl: set Groups explicitly + * codespell: ignore aNULL + * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960 + * sequoia: add separate rpm-sequoia backend + * crypto-policies.7: state upfront that FUTURE is not so interoperable + * Makefile: update for asciidoc 10 + * Skip not needed LibreswanGenerator and SequoiaGenerator: + - Add crypto-policies-policygenerators.patch + * Remove crypto-policies-test_supported_modules_only.patch + * Rebase crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Fri Jan 20 09:25:22 UTC 2023 - Pedro Monreal + +- Update to version 20221214.a4c31a3: + * bind: expand the list of disableable algorithms + * libssh: Add support for openssh fido keys + * .gitlab-ci.yml: install krb5-devel for krb5-config + * sequoia: check using sequoia-policy-config-check + * sequoia: introduce new back-end + * Makefile: support overriding asciidoc executable name + * openssh: make none and auto explicit and different + * openssh: autodetect and allow forcing RequiredRSASize presence/name + * openssh: remove _pre_8_5_ssh + * pylintrc: update + * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..." + * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"... 
+ * Makefile: exclude built manpages from codespell + * add openssh HostbasedAcceptedAlgorithms + * openssh: add RSAMinSize option following min_rsa_size + * Revert ".gitlab-ci.yml: skip pylint (bz2069837)" + * docs: add customization recommendation + * tests/java: fix java.security.disableSystemPropertiesFile=true + * policies: add FEDORA38 and TEST-FEDORA39 + * bind: control ED25519/ED448 + * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 + * .gitlab-ci.yml: skip pylint (bz2069837) + * openssh: add support for sntrup761x25519-sha512@openssh.com + * fips-mode-setup: fix one unrelated check to intended state + * fips-mode-setup, fips-finish-install: abandon /etc/system-fips + * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT + * fips-mode-setup: catch more inconsistencies, clarify --check + * fips-mode-setup: improve handling FIPS plus subpolicies + * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3 + * gnutls: enable SHAKE, needed for Ed448 + * gnutls: use allowlisting + * openssl: add newlines at the end of the output + * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-* + * fips-mode-setup, fips-finish-install: call zipl more often + * Add crypto-policies-rpmlintrc file to avoid files-duplicate, + zero-length and non-conffile-in-etc warnings. 
+ * Rebase patches: + - crypto-policies-FIPS.patch + - crypto-policies-no-build-manpages.patch + * Update README.SUSE + +------------------------------------------------------------------- +Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal + +- Remove the scripts and documentation regarding + fips-finish-install and test-fips-setup + * Add crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Sep 24 09:34:03 UTC 2021 - Pedro Monreal + +- Update to version 20210917.c9d86d1: + * openssl: fix disabling ChaCha20 + * pacify pylint 2.11: use format strings + * pacify pylint 2.11: specify explicit encoding + * fix minor things found by new pylint + * update-crypto-policies: --check against regenerated + * update-crypto-policies: fix --check's walking order + * policygenerators/gnutls: revert disabling DTLS0.9... + * policygenerators/java: add javasystem backend + * LEGACY: bump 1023 key size to 1024 + * cryptopolicies: fix 'and' in deprecation warnings + * *ssh: condition ecdh-sha2-nistp384 on SECP384R1 + * nss: hopefully the last fix for nss sigalgs check + * cryptopolicies: Python 3.10 compatibility + * nss: postponing check + testing at least something + * Rename 'policy modules' to 'subpolicies' + * validation.rules: fix a missing word in error + * cryptopolicies: raise errors right after warnings + * update-crypto-policies: capitalize warnings + * cryptopolicies: syntax-precheck scope errors + * .gitlab-ci.yml, Makefile: enable codespell + * all: fix several typos + * docs: don't leave zero TLS/DTLS protocols on + * openssl: separate TLS/DTLS MinProtocol/MaxProtocol + * alg_lists: order protocols new-to-old for consistency + * alg_lists: max_{d,}tls_version + * update-crypto-policies: fix pregenerated + local.d + * openssh: allow validation with pre-8.5 + * .gitlab-ci.yml: run commit-range against upstream + * openssh: Use the new name for PubkeyAcceptedKeyTypes + * sha1_in_dnssec: deprecate + * .gitlab-ci.yml: test commit 
ranges + * FIPS:OSPP: sign = -*-SHA2-224 + * scoped policies: documentation update + * scoped policies: use new features to the fullest... + * scoped policies: rewrite + minimal policy changes + * scoped policies: rewrite preparations + * nss: postponing the version check again, to 3.64 +- Remove patches fixed upstream: crypto-policies-typos.patch +- Rebase: crypto-policies-test_supported_modules_only.patch +- Merge crypto-policies-asciidoc.patch into + crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Thu Feb 25 12:05:39 UTC 2021 - Pedro Monreal + +- Update to version 20210225.05203d2: + * Disable DTLS0.9 protocol in the DEFAULT policy. + * policies/FIPS: insignificant reformatting + * policygenerators/libssh: respect ssh_certs + * policies/modules/OSPP: tighten to follow RHEL 8 + * crypto-policies(7): drop not-reenableable comment + * follow up on disabling RC4 + +------------------------------------------------------------------- +Thu Feb 25 11:59:44 UTC 2021 - Pedro Monreal + +- Remove not needed scripts: fips-finish-install fips-mode-setup + +------------------------------------------------------------------- +Wed Feb 24 16:22:08 UTC 2021 - Pedro Monreal + +- Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938] + * The minimum DTLS protocol version in the DEFAULT and FUTURE + policies is DTLS1.2. 
+ * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e + +------------------------------------------------------------------- +Wed Feb 17 12:36:05 UTC 2021 - Pedro Monreal + +- Update to version 20210213.5c710c0: [bsc#1180938] + * setup_directories(): perform safer creation of directories + * save_config(): avoid re-opening output file for each iteration + * save_config(): break after first match to avoid unnecessary stat() calls + * CryptoPolicy.parse(): actually stop parsing line on syntax error + * ProfileConfig.parse_string(): correctly extended subpolicies + * Exclude RC4 from LEGACY + * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT + * code style: fix 'not in' membership testing + * pylintrc: tighten up a bit + * formatting: avoid long lines + * formatting: use f-strings instead of format() + * formatting: reformat all python code with autopep8 + * nss: postponing the version check again, to 3.61 + * Revert "Unfortunately we have to keep ignoring the openssh check for sk-" + +------------------------------------------------------------------- +Tue Feb 9 10:50:47 UTC 2021 - Dominique Leuenberger + +- Use tar_scm service, not obs_scm: With crypto-policies entering + Ring0 (distro bootstrap) we want to be sure to keep the buildtime + deps as low as possible. +- Add python3-base BuildRequires: previously, OBS' tar service + pulled this in for us. 
+ +------------------------------------------------------------------- +Mon Feb 8 11:45:38 UTC 2021 - Pedro Monreal + +- Add a BuildIgnore for crypto-policies + +------------------------------------------------------------------- +Mon Feb 8 11:22:31 UTC 2021 - Pedro Monreal + +- Use gzip instead of xz in obscpio and sources + +------------------------------------------------------------------- +Fri Feb 5 10:57:46 UTC 2021 - Pedro Monreal + +- Do not build the manpages to avoid build cycles +- Add crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Tue Feb 2 17:38:27 UTC 2021 - Dominique Leuenberger + +- Convert to use a proper git source _service: + + To update, one just needs to update the commit/revision in the + _service file and run `osc service dr`. + + The version of the package is defined by the commit date of the + revision, followed by the abbreviated git hash (The same + revision used before results thus in a downgrade to 20210118, + but as this is a alltime new package, this is acceptable. 
+ +------------------------------------------------------------------- +Tue Feb 2 12:33:19 UTC 2021 - Pedro Monreal + +- Update to git version 20210127 + * Bump Python requirement to 3.6 + * Output sigalgs required by nss >=3.59 + * Do not require bind during build + * Break build cycles with openssl and gnutls + +------------------------------------------------------------------- +Thu Jan 21 14:44:07 UTC 2021 - Pedro Monreal + +- Update to git version 20210118 + * Output sigalgs required by nss >=3.59 + * Bump Python requirement to 3.6 + * Kerberos 5: Fix policy generator to account for macs + * Add AES-192 support (non-TLS scenarios) + * Add documentation of the --check option + +------------------------------------------------------------------- +Thu Jan 21 14:42:13 UTC 2021 - Pedro Monreal + +- Fix the man pages generation +- Add crypto-policies-asciidoc.patch + +------------------------------------------------------------------- +Thu Jan 21 09:56:42 UTC 2021 - Pedro Monreal + +- Test only supported modules +- Add crypto-policies-test_supported_modules_only.patch + +------------------------------------------------------------------- +Tue Dec 22 10:50:36 UTC 2020 - Pedro Monreal + +- Add crypto-policies-typos.patch to fix some typos + +------------------------------------------------------------------- +Thu Nov 12 08:20:19 UTC 2020 - Vítězslav Čížek + +- Initial packaging, git version 20200918 (jsc#SLE-15832) diff --git a/crypto-policies.spec b/crypto-policies.spec new file mode 100644 index 0000000..d82cb1d --- /dev/null +++ b/crypto-policies.spec 
@@ -0,0 +1,292 @@
+#
+# spec file for package crypto-policies
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+# testsuite is disabled by default
+%bcond_with testsuite
+# manbuild is disabled by default
+%bcond_with manbuild
+%global _python_bytecompile_extra 0
+Name: crypto-policies
+Version: 20240201.9f501f3
+Release: 0
+Summary: System-wide crypto policies
+License: LGPL-2.1-or-later
+Group: Productivity/Networking/Security
+URL: https://gitlab.com/redhat-crypto/fedora-%{name}
+Source0: fedora-%{name}-%{version}.tar.gz
+Source1: README.SUSE
+Source2: crypto-policies.7.gz
+Source3: update-crypto-policies.8.gz
+Source4: fips-mode-setup.8.gz
+Source5: fips-finish-install.8.gz
+Source6: crypto-policies-rpmlintrc
+%if %{without manbuild}
+#PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
+# To reduce the build dependencies in Ring0, we have to compile the
+# man pages locally (use --with testsuite) and add the built files
+# crypto-policies.7.gz, update-crypto-policies.8.gz, fips-mode-setup.8.gz
+# and fips-finish-install.8.gz as sources.
+Patch1: crypto-policies-no-build-manpages.patch
+%endif
+#PATCH-FIX-OPENSUSE Skip not needed LibreswanGenerator and SequoiaGenerator
+Patch2: crypto-policies-policygenerators.patch
+#PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
+Patch3: crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Revert a breaking change that introduces rh-allow-sha1-signatures
+Patch4: crypto-policies-revert-rh-allow-sha1-signatures.patch
+#PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
+Patch5: crypto-policies-pylint.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
+Patch6: crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
+Patch7: crypto-policies-nss.patch
+BuildRequires: python3-base >= 3.6
+# The sequoia stuff needs python3-toml, removed until needed
+# BuildRequires: python3-toml
+%if %{with manbuild}
+BuildRequires: asciidoc
+%endif
+%if %{with testsuite}
+# The following packages are needed for the testsuite
+BuildRequires: bind
+BuildRequires: codespell
+BuildRequires: crypto-policies-scripts
+BuildRequires: gnutls >= 3.6.0
+BuildRequires: java-devel
+BuildRequires: krb5-devel
+BuildRequires: libxslt
+BuildRequires: mozilla-nss-tools
+BuildRequires: openssl
+BuildRequires: perl
+BuildRequires: python-rpm-macros
+BuildRequires: python3-coverage
+BuildRequires: python3-devel >= 3.6
+BuildRequires: python3-flake8
+BuildRequires: python3-pylint
+BuildRequires: python3-pytest
+BuildRequires: perl(File::Copy)
+BuildRequires: perl(File::Temp)
+BuildRequires: perl(File::Which)
+BuildRequires: perl(File::pushd)
+%else
+# Avoid cycle with python-rpm-macros
+#!BuildIgnore: python-rpm-packaging python-rpm-macros
+%endif
+%if 0%{?primary_python:1}
+Recommends: crypto-policies-scripts
+%endif
+Conflicts: gnutls < 3.7.3
+#Conflicts: libreswan < 3.28
+Conflicts: nss < 3.90.0
+#Conflicts: openssh < 8.2p1
+#!BuildIgnore: crypto-policies
+BuildArch: noarch
+
+%description
+This package provides pre-built configuration files with
+cryptographic policies for various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+%package scripts
+Summary: Tool to switch between crypto policies
+Requires: %{name} = %{version}-%{release}
+Recommends: perl-Bootloader
+
+%description scripts
+This package provides a tool update-crypto-policies, which applies
+the policies provided by the crypto-policies package. These can be
+either the pre-built policies from the base package or custom policies
+defined in simple policy definition files.
+
+The package also provides a tool fips-mode-setup, which can be used
+to enable or disable the system FIPS mode.
+
+%prep
+%autosetup -p1 -n fedora-%{name}-%{version}
+
+# Make README.SUSE available for %%doc
+cp -p %{SOURCE1} .
+
+# Remove not needed policy generators
+find -name libreswan.py -delete
+find -name sequoia.py -delete
+
+%build
+export OPENSSL_CONF=''
+sed -i "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
+ python/policygenerators/openssh.py
+grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
+%make_build
+
+%install
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
+mkdir -p -m 755 %{buildroot}%{_bindir}
+
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+mkdir -p -m 755 %{buildroot}%{_mandir}/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+%if %{without manbuild}
+# Install the manpages from defined sources
+cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
+%endif
+
+# Install the executable scripts
+install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
+install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
+install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
+
+# Drop pre-generated GOST-ONLY policy, we do not need to ship them
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+
+# Drop FEDORA policies
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
+
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
+ mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+ for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+ ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+ done
+done
+
+for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
+ ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
+done
+
+# Fix shebang in scripts
+for f in %{buildroot}%{_datadir}/crypto-policies/python/*
+do
+ [ -f $f ] && sed -i "1s@#!.*python.*@#!$(realpath /usr/bin/python3)@" $f
+done
+
+%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
+
+# Install README.SUSE to %%doc
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+
+%check
+%if %{with testsuite}
+export OPENSSL_CONF=''
+%make_build test
+%make_build test-install test-fips-setup || :
+%endif
+
+%post -p
+if not posix.access("%{_sysconfdir}/crypto-policies/config") then
+ local policy = "DEFAULT"
+ local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
+ if cf then
+ if cf:read() == "1" then
+ policy = "FIPS"
+ end
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ local policypath = "%{_datarootdir}/crypto-policies/"..policy
+ for fn in posix.files(policypath) do
+ if fn ~= "." and fn ~= ".." then
+ local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
+ local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
+ posix.unlink(cfgfn)
+ posix.symlink(policypath.."/"..fn, cfgfn)
+ end
+ end
+end
+
+%posttrans scripts
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
+
+%files
+%license COPYING.LESSER
+%doc README.md NEWS CONTRIBUTING.md
+%doc %{_sysconfdir}/crypto-policies/README.SUSE
+
+%dir %{_sysconfdir}/crypto-policies/
+%dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
+%dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
+%dir %{_datarootdir}/crypto-policies/
+
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
+
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
+# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.
+
+%ghost %{_sysconfdir}/crypto-policies/state/current
+%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+%{_mandir}/man7/crypto-policies.7%{?ext_man}
+%{_datarootdir}/crypto-policies/LEGACY
+%{_datarootdir}/crypto-policies/DEFAULT
+%{_datarootdir}/crypto-policies/FUTURE
+%{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/BSI
+%{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
+%{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+
+%files scripts
+%{_bindir}/update-crypto-policies
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
+%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_mandir}/man8/fips-mode-setup.8%{?ext_man}
+%{_mandir}/man8/fips-finish-install.8%{?ext_man}
+%{_datarootdir}/crypto-policies/python
+
+%changelog
diff --git a/fedora-crypto-policies-20230920.570ea89.tar.gz b/fedora-crypto-policies-20230920.570ea89.tar.gz
new file mode 100644
index 0000000..033597b
--- /dev/null
+++ b/fedora-crypto-policies-20230920.570ea89.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5af6d1bf4e8f75e27dbcfb27f83814dd486926b302325e4974a96f0a806892c5
+size 90127
diff --git a/fedora-crypto-policies-20240201.9f501f3.tar.gz b/fedora-crypto-policies-20240201.9f501f3.tar.gz
new file mode 100644
index 0000000..b54b471
--- /dev/null
+++ b/fedora-crypto-policies-20240201.9f501f3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c1eed7a1843035fc9d109f921065370d58b5ad38729ebe154744889d9641c368
+size 91940
diff --git a/fips-finish-install.8.gz b/fips-finish-install.8.gz
new file mode 100644
index 0000000..c5535e2
--- /dev/null
+++ b/fips-finish-install.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:da44abb81d96485c14161f1b977c2688738c72fc0c2155b6326bdaf0ee452054
+size 949
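Review bot: In `%check`, `%make_build test-install test-fips-setup || :` discards the exit status of those two targets, so a regression in either can never fail the build even with `--with testsuite`; if they are known not to complete in the build sandbox, a comment stating that would preserve the intent, e.g. `# test-install/test-fips-setup are run for logging only; they cannot complete in the build sandbox`, otherwise the `|| :` should go. Separately, README.SUSE is installed into `%{_sysconfdir}/crypto-policies` and then listed as `%doc`, which is the file the `non-conffile-in-etc` filter in crypto-policies-rpmlintrc has to suppress; since `%prep` already copies it into the build directory, a plain `%doc README.SUSE` would place it under `%{_docdir}` and make the filter unnecessary. The `%post -p` line appears to have lost its interpreter argument in this rendering (the body that follows is Lua), so that line is worth checking against the stored spec rather than this page.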
diff --git a/fips-mode-setup.8.gz b/fips-mode-setup.8.gz
new file mode 100644
index 0000000..3650c3a
--- /dev/null
+++ b/fips-mode-setup.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1bc1ff43190995561b186f5f55e63decb8203a8c829e75ad7867193c30237214
+size 1781
diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz
new file mode 100644
index 0000000..b93f3c4
--- /dev/null
+++ b/update-crypto-policies.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:445e4c996c60d4a11c556590d9cfcb3036d344a056367328ff2d4f0be304eab6
+size 4153
-- 
2.51.1
From a82b210eff8b929a25cc2663ccd5a8e2019445235451671331991eb963041e28 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez Date: Thu, 13 Feb 2025 14:07:46 +0000 Subject: [PATCH 02/11] Accepting request 1245664 from home:pmonrealgonzalez:branches:security:tls - Remove dangling symlink for the libreswan config [bsc#1236858] - Remove also sequoia config and generator files - Update to version 20250124.4d262e7: * openssl: stricter enabling of Ciphersuites * openssl: make use of -CBC and -AESGCM keywords * openssl: add TLS 1.3 Brainpool identifiers * fix warning on using experimental key_exchanges * update-crypto-policies: don't output FIPS warning in fips mode * openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256 * openssh, libssh: refactor kx maps to use tuples * alg_lists: mark MLKEM768/SNTRUP kex experimental * nss: revert enabling mlkem768secp256r1 * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber * gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768 * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768 * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768 * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256 * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384... 
* python/update-crypto-policies: pacify pylint * fips-mode-setup: tolerate fips dracut module presence w/o FIPS * fips-mode-setup: small Argon2 detection fix * SHA1: add __openssl_block_sha1_signatures = 0 * fips-mode-setup: block if LUKS devices using Argon2 are detected * update-crypto-policies: skip warning on --set=FIPS if bootc * fips-setup-helper: skip warning, BTW * fips-mode-setup: force --no-bootcfg when UKI is detected * fips-setup-helper: add a libexec helper for anaconda * fips-crypto-policy-overlay: automount FIPS policy * openssh: make dss no longer enableble, support is dropped OBS-URL: https://build.opensuse.org/request/show/1245664 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=32 --- _service | 2 +- _servicedata | 2 +- crypto-policies-no-build-manpages.patch | 18 +- crypto-policies-nss.patch | 12 +- crypto-policies-policygenerators.patch | 41 +-- ...cies-revert-rh-allow-sha1-signatures.patch | 333 ------------------ crypto-policies-supported.patch | 12 +- crypto-policies.7.gz | 4 +- crypto-policies.changes | 102 ++++++ crypto-policies.spec | 164 +++++++-- ...ra-crypto-policies-20240201.9f501f3.tar.gz | 3 - ...ra-crypto-policies-20250124.4d262e7.tar.gz | 3 + fips-finish-install.8.gz | 2 +- fips-mode-setup.8.gz | 4 +- update-crypto-policies.8.gz | 4 +- 15 files changed, 280 insertions(+), 426 deletions(-) delete mode 100644 crypto-policies-revert-rh-allow-sha1-signatures.patch delete mode 100644 fedora-crypto-policies-20240201.9f501f3.tar.gz create mode 100644 fedora-crypto-policies-20250124.4d262e7.tar.gz diff --git a/_service b/_service index 9e881b3..c304113 100644 --- a/_service +++ b/_service @@ -4,7 +4,7 @@ git %cd.%h enable - 9f501f30f2a0a92e82e224cbd1b031c042e96386 + 4d262e79be1cd15c84cad55ad88c53a2d7712e85 *.tar diff --git a/_servicedata b/_servicedata index f1a2b5f..5ed3ec5 100644 --- a/_servicedata +++ b/_servicedata 
@@ -1,4 +1,4 @@ https://gitlab.com/redhat-crypto/fedora-crypto-policies.git - 9f501f30f2a0a92e82e224cbd1b031c042e96386 \ No newline at end of file + 4d262e79be1cd15c84cad55ad88c53a2d7712e85 \ No newline at end of file diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch index 7e09857..005a9a8 100644 --- a/crypto-policies-no-build-manpages.patch +++ b/crypto-policies-no-build-manpages.patch @@ -1,21 +1,21 @@ -Index: fedora-crypto-policies-20230420.3d08ae7/Makefile +Index: fedora-crypto-policies-20250124.4d262e7/Makefile =================================================================== ---- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile -+++ fedora-crypto-policies-20230420.3d08ae7/Makefile -@@ -28,9 +28,9 @@ install: $(MANPAGES) - mkdir -p $(DESTDIR)$(MANDIR)/man7 - mkdir -p $(DESTDIR)$(MANDIR)/man8 +--- fedora-crypto-policies-20250124.4d262e7.orig/Makefile ++++ fedora-crypto-policies-20250124.4d262e7/Makefile +@@ -34,9 +34,9 @@ install: $(MANPAGES) mkdir -p $(DESTDIR)$(BINDIR) + mkdir -p $(DESTDIR)$(LIBEXECDIR) + mkdir -p $(DESTDIR)$(UNITDIR) - install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 - install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 - install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) + # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 + # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 + # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) + install -p -m 644 $(UNITS) $(DESTDIR)$(UNITDIR) + install -p -m 755 $(LIBEXEC_SCRIPTS) $(DESTDIR)$(LIBEXECDIR) mkdir -p $(DESTDIR)$(DIR)/ - install -p -m 644 default-config $(DESTDIR)$(DIR) - install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR) -@@ -114,8 +114,8 @@ clean: +@@ -133,8 +133,8 @@ clean: rm -rf output %: %.txt diff --git a/crypto-policies-nss.patch b/crypto-policies-nss.patch index e498d4a..a00acba 100644 --- a/crypto-policies-nss.patch +++ b/crypto-policies-nss.patch 
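Review bot: The rebased inner hunk keeps `install -p -m 644 $(UNITS) $(DESTDIR)$(UNITDIR)` and `install -p -m 755 $(LIBEXEC_SCRIPTS) $(DESTDIR)$(LIBEXECDIR)` active while the man page and script installs are commented out, but the spec's install step later in this commit (`make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} ... install`) passes neither UNITDIR nor LIBEXECDIR, so the systemd unit and the new fips-setup-helper land wherever the upstream Makefile defaults point. Worth confirming those defaults agree with the paths the %files section (outside this chunk) expects, or passing `UNITDIR=%{_unitdir} LIBEXECDIR=%{_libexecdir}` explicitly on that make line so the install location is pinned by the spec rather than inherited. The remainder of the hunk only renumbers the context (@@ -28 to @@ -34, @@ -114 to @@ -133), so no other behaviour changes here.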
@@ -1,8 +1,8 @@ -Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py +Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py =================================================================== ---- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py -+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py -@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator): +--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/nss.py ++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py +@@ -422,12 +422,20 @@ class NSSGenerator(ConfigGenerator): try: with os.fdopen(fd, 'w') as f: f.write(config) @@ -29,7 +29,7 @@ Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py finally: os.unlink(path) -@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator): +@@ -435,6 +443,10 @@ class NSSGenerator(ConfigGenerator): cls.eprint("There is a warning in NSS generated policy") cls.eprint(f'Policy:\n{config}') return False @@ -37,6 +37,6 @@ Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py + cls.eprint('Skipping NSS policy check: ' + '/usr/bin/nss-policy-check not found') + return True - elif ret: + if ret: cls.eprint("There is an error in NSS generated policy") cls.eprint(f'Policy:\n{config}') diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch index 4fc811c..d2b0a9c 100644 --- a/crypto-policies-policygenerators.patch +++ b/crypto-policies-policygenerators.patch 
@@ -1,43 +1,40 @@ -Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py +Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py =================================================================== ---- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/__init__.py -+++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py -@@ -8,7 +8,7 @@ from .gnutls import GnuTLSGenerator +--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/__init__.py ++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py +@@ -7,7 +7,7 @@ from .bind import BindGenerator + from .gnutls import GnuTLSGenerator from .java import JavaGenerator - from .java import JavaSystemGenerator from .krb5 import KRB5Generator -from .libreswan import LibreswanGenerator +# from .libreswan import LibreswanGenerator from .libssh import LibsshGenerator from .nss import NSSGenerator - from .openssh import OpenSSHClientGenerator -@@ -16,8 +16,8 @@ from .openssh import OpenSSHServerGenera - from .openssl import OpenSSLConfigGenerator - from .openssl import OpenSSLGenerator - from .openssl import OpenSSLFIPSGenerator --from .sequoia import SequoiaGenerator --from .sequoia import RPMSequoiaGenerator -+# from .sequoia import SequoiaGenerator -+# from .sequoia import RPMSequoiaGenerator + from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator +@@ -16,14 +16,13 @@ from .openssl import ( + OpenSSLFIPSGenerator, + OpenSSLGenerator, + ) +-from .sequoia import RPMSequoiaGenerator, SequoiaGenerator ++#from .sequoia import RPMSequoiaGenerator, SequoiaGenerator __all__ = [ 'BindGenerator', -@@ -25,7 +25,6 @@ __all__ = [ + 'GnuTLSGenerator', 'JavaGenerator', - 'JavaSystemGenerator', 'KRB5Generator', - 'LibreswanGenerator', 'LibsshGenerator', 'NSSGenerator', 'OpenSSHClientGenerator', -@@ -33,6 +32,8 @@ __all__ = [ +@@ -31,6 +30,8 @@ __all__ = [ 'OpenSSLConfigGenerator', - 
'OpenSSLGenerator', 'OpenSSLFIPSGenerator', -- 'SequoiaGenerator', + 'OpenSSLGenerator', - 'RPMSequoiaGenerator', +- 'SequoiaGenerator', ] + -+# 'LibreswanGenerator', -+# 'SequoiaGenerator', -+# 'RPMSequoiaGenerator', ++ # 'LibreswanGenerator', ++ # 'RPMSequoiaGenerator', ++ # 'SequoiaGenerator', diff --git a/crypto-policies-revert-rh-allow-sha1-signatures.patch b/crypto-policies-revert-rh-allow-sha1-signatures.patch deleted file mode 100644 index 69cbe12..0000000 --- a/crypto-policies-revert-rh-allow-sha1-signatures.patch +++ /dev/null 
@@ -1,333 +0,0 @@ -From 97fe4494571fd90a05f9bc42af152762eca2fac5 Mon Sep 17 00:00:00 2001 -From: Alexander Sosedkin -Date: Fri, 8 Apr 2022 13:47:29 +0200 -Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 - - -Index: fedora-crypto-policies-20240201.9f501f3/policies/FUTURE.pol -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/policies/FUTURE.pol -+++ fedora-crypto-policies-20240201.9f501f3/policies/FUTURE.pol -@@ -69,4 +69,4 @@ etm@ssh = ANY - - # https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 - # SHA-1 signatures are blocked in OpenSSL in FUTURE only --__openssl_block_sha1_signatures = 1 -+# __openssl_block_sha1_signatures = 1 -Index: fedora-crypto-policies-20240201.9f501f3/policies/modules/NO-SHA1.pmod -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/policies/modules/NO-SHA1.pmod -+++ fedora-crypto-policies-20240201.9f501f3/policies/modules/NO-SHA1.pmod -@@ -6,4 +6,4 @@ sha1_in_certs = 0 - - # https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1 - # SHA-1 signatures are blocked in OpenSSL in FUTURE only --__openssl_block_sha1_signatures = 1 -+# __openssl_block_sha1_signatures = 1 -Index: fedora-crypto-policies-20240201.9f501f3/python/cryptopolicies/cryptopolicies.py -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/python/cryptopolicies/cryptopolicies.py -+++ fedora-crypto-policies-20240201.9f501f3/python/cryptopolicies/cryptopolicies.py -@@ -24,7 +24,6 @@ from . 
import validation # moved out of - INT_DEFAULTS = {k: 0 for k in ( - 'arbitrary_dh_groups', - 'min_dh_size', 'min_dsa_size', 'min_rsa_size', -- '__openssl_block_sha1_signatures', # FUTURE/TEST-FEDORA39/NO-SHA1 - 'sha1_in_certs', - 'ssh_certs', - )} -Index: fedora-crypto-policies-20240201.9f501f3/python/policygenerators/openssl.py -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/python/policygenerators/openssl.py -+++ fedora-crypto-policies-20240201.9f501f3/python/policygenerators/openssl.py -@@ -7,13 +7,6 @@ from subprocess import check_output, Cal - - from .configgenerator import ConfigGenerator - --RH_SHA1_SECTION = ''' --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = {} --''' - - FIPS_MODULE_CONFIG = ''' - [fips_sect] -@@ -265,11 +258,8 @@ class OpenSSLConfigGenerator(OpenSSLGene - if policy.enums['__ems'] == 'RELAX': - s += 'Options = RHNoEnforceEMSinFIPS\n' - -- # In the future it'll be just -- # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no') -- # but for now we slow down the roll-out and we have -- sha1_sig = not policy.integers['__openssl_block_sha1_signatures'] -- s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no') -+ # sha1_sig = not policy.integers['__openssl_block_sha1_signatures'] -+ # s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no') - - return s - -Index: fedora-crypto-policies-20240201.9f501f3/tests/alternative-policies/FUTURE.pol -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/alternative-policies/FUTURE.pol -+++ fedora-crypto-policies-20240201.9f501f3/tests/alternative-policies/FUTURE.pol -@@ -76,4 +76,4 @@ ssh_etm = 1 - - # https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1 - # SHA-1 signatures are blocked in OpenSSL in FUTURE only --__openssl_block_sha1_signatures = 1 -+# __openssl_block_sha1_signatures 
= 1 -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/DEFAULT-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 - Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1 - Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:GOST-opensslcnf.txt -=================================================================== ---- 
fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:GOST-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 - Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/EMPTY-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/EMPTY-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/EMPTY-opensslcnf.txt -@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS - Ciphersuites = - SignatureAlgorithms = - Groups = -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FIPS-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 - Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = 
evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 - Groups = secp256r1:secp521r1:secp384r1 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FUTURE-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FUTURE-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FUTURE-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 - Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = no -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/GOST-ONLY-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/GOST-ONLY-opensslcnf.txt -+++ 
fedora-crypto-policies-20240201.9f501f3/tests/outputs/GOST-ONLY-opensslcnf.txt -@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1 - TLS.MaxProtocol = TLSv1.3 - SignatureAlgorithms = - Groups = -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/LEGACY-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/LEGACY-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/LEGACY-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 - Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 - Groups = 
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/unit/test_cryptopolicy.py -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/unit/test_cryptopolicy.py -+++ fedora-crypto-policies-20240201.9f501f3/tests/unit/test_cryptopolicy.py -@@ -284,7 +284,6 @@ def test_cryptopolicy_to_string_empty(tm - min_dh_size = 0 - min_dsa_size = 0 - min_rsa_size = 0 -- __openssl_block_sha1_signatures = 0 - sha1_in_certs = 0 - ssh_certs = 0 - etm = ANY -@@ -316,7 +315,6 @@ def test_cryptopolicy_to_string_twisted( - min_dh_size = 0 - min_dsa_size = 0 - min_rsa_size = 0 -- __openssl_block_sha1_signatures = 0 - sha1_in_certs = 0 - ssh_certs = 0 - etm = ANY -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FEDORA38-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FEDORA38-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FEDORA38-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 - Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/TEST-FEDORA39-opensslcnf.txt -=================================================================== ---- 
fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/TEST-FEDORA39-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 - Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = no -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:OSPP-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:OSPP-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 - Groups = secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/BSI-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/BSI-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/BSI-opensslcnf.txt -@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 - DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 - Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt -@@ -7,9 +7,3 @@ DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 - Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 - Options = RHNoEnforceEMSinFIPS -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes -Index: fedora-crypto-policies-20240201.9f501f3/policies/TEST-FEDORA39.pol -=================================================================== ---- fedora-crypto-policies-20240201.9f501f3.orig/policies/TEST-FEDORA39.pol -+++ fedora-crypto-policies-20240201.9f501f3/policies/TEST-FEDORA39.pol -@@ -71,4 +71,4 @@ etm@SSH = ANY - - # https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 - # SHA-1 signatures will blocked in OpenSSL --__openssl_block_sha1_signatures = 1 -+# __openssl_block_sha1_signatures = 1 -Index: fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt -=================================================================== ---- 
fedora-crypto-policies-20240201.9f501f3.orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt -+++ fedora-crypto-policies-20240201.9f501f3/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt -@@ -7,8 +7,2 @@ DTLS.MaxProtocol = DTLSv1.2 - SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 - Groups = x25519_kyber768:p384_kyber768:X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -- --[openssl_init] --alg_section = evp_properties -- --[evp_properties] --rh-allow-sha1-signatures = yes diff --git a/crypto-policies-supported.patch b/crypto-policies-supported.patch index 1ce9e4c..bf29719 100644 --- a/crypto-policies-supported.patch +++ b/crypto-policies-supported.patch @@ -13,25 +13,25 @@ Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt +* OpenSSL library (OpenSSL, SSL, TLS) (Supported) -* NSS library (NSS, SSL, TLS) -+* NSS library (NSS, SSL, TLS) (Not supported) ++* NSS library (NSS, SSL, TLS) (Supported) -* OpenJDK (java-tls, SSL, TLS) +* OpenJDK (java-tls, SSL, TLS) (Supported) -* Libkrb5 (krb5, kerberos) -+* Libkrb5 (krb5, kerberos) (Not supported) ++* Libkrb5 (krb5, kerberos) (Supported) -* BIND (BIND, DNSSec) -+* BIND (BIND, DNSSec) (Not supported) ++* BIND (BIND, DNSSec) (Supported) -* OpenSSH (OpenSSH, SSH) -+* OpenSSH (OpenSSH, SSH) (Not supported) ++* OpenSSH (OpenSSH, SSH) (Supported) -* Libreswan (libreswan, IKE, IPSec) -+* Libreswan (libreswan, IKE, IPSec) (Not supported) ++* Libreswan (libreswan, IKE, IPSec) (Not supported as its not available in SLE/openSUSE) -* libssh (libssh, SSH) -+* libssh (libssh, SSH) (Not supported) ++* libssh (libssh, SSH) (Supported) Applications and languages which rely on any of these back-ends will follow the system policies as well. Examples are apache httpd, nginx, php, and 
diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz
index 03d8d8a..1f0f2a3 100644
--- a/crypto-policies.7.gz
+++ b/crypto-policies.7.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:a9783973c2381957cc53a2b9a46ffe148cbd9c6fb9c78f16f86346568a7dc6c6
-size 7435
+oid sha256:8a455bfe2ea82738a0237e3ab8c11256f78219436a1dbcc9c3ff0cb7f6a2019b
+size 7675
diff --git a/crypto-policies.changes b/crypto-policies.changes
index f3a7821..5c100d1 100644
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@@ -1,3 +1,105 @@ +------------------------------------------------------------------- +Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal + +- Remove dangling symlink for the libreswan config [bsc#1236858] +- Remove also sequoia config and generator files + +------------------------------------------------------------------- +Tue Feb 04 10:18:07 UTC 2025 - Pedro Monreal + +- Update to version 20250124.4d262e7: + * openssl: stricter enabling of Ciphersuites + * openssl: make use of -CBC and -AESGCM keywords + * openssl: add TLS 1.3 Brainpool identifiers + * fix warning on using experimental key_exchanges + * update-crypto-policies: don't output FIPS warning in fips mode + * openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256 + * openssh, libssh: refactor kx maps to use tuples + * alg_lists: mark MLKEM768/SNTRUP kex experimental + * nss: revert enabling mlkem768secp256r1 + * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber + * gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768 + * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768 + * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768 + * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256 + * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384... 
+ * python/update-crypto-policies: pacify pylint + * fips-mode-setup: tolerate fips dracut module presence w/o FIPS + * fips-mode-setup: small Argon2 detection fix + * SHA1: add __openssl_block_sha1_signatures = 0 + * fips-mode-setup: block if LUKS devices using Argon2 are detected + * update-crypto-policies: skip warning on --set=FIPS if bootc + * fips-setup-helper: skip warning, BTW + * fips-mode-setup: force --no-bootcfg when UKI is detected + * fips-setup-helper: add a libexec helper for anaconda + * fips-crypto-policy-overlay: automount FIPS policy + * openssh: make dss no longer enableble, support is dropped + * gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768 + * DEFAULT: switch to rh-allow-sha1-signatures = no... + * java: drop unused javasystem backend + * java: stop specifying jdk.tls.namedGroups in javasystem + * ec_min_size: introduce and use in java, default to 256 + * java: use and include jdk.disabled.namedCurves + * BSI: Update BSI policy for new 2024 minimum recommendations + * fips-mode-setup: flashy ticking warning upon use + * fips-mode-setup: add another scary "unsupported" + * CONTRIBUTING.md: add a small section on updating policies + * CONTRIBUTING.md: remove trailing punctuation from headers + * BSI: switch to 3072 minimum RSA key size + * java: make hash, mac and sign more orthogonal + * java: specify jdk.tls.namedGroups system property + * java: respect more key size restrictions + * java: disable anon ciphersuites, tying them to NULL... 
+ * java: start controlling / disable DTLSv1.0 + * nss: wire KYBER768 to XYBER768D00 + * nss: unconditionally load p11-kit-proxy.so + * gnutls: make DTLS0.9 controllable again + * gnutls: retire GNUTLS_NO_TLS_SESSION_HASH + * openssh: remove OPENSSH_MIN_RSA_SIZE / OPENSSH_MIN_RSA_SIZE_FORCE + * gnutls: remove extraneous newline + * sequoia: move away from subprocess.getstatusoutput + * python/cryptopolicies/cryptopolicies.py: add trailing commas + * python, tests: rename MalformedLine to MalformedLineError + * Makefile: introduce SKIP_LINTING flag for packagers to use + * Makefile: run ruff + * tests: use pathlib + * tests: run(check=True) + CalledProcessError where convenient + * tests: use subprocess.run + * tests/krb5.py: check all generated policies + * tests: print to stderr on error paths + * tests/nss.py: also use encoding='utf-8' + * tests/nss.py: also use removesuffix + * tests/nss.py: skip creating tempfiles + * tests/java.pl -> tests/java.py + * tests/gnutls.pl -> tests/gnutls.py + * tests/openssl.pl -> tests/openssl.py + * tests/verify-output.pl: remove + * libreswan: do not use up pfs= / ikev2= keywords for default behaviour + * Rebase patches: + - crypto-policies-no-build-manpages.patch + - crypto-policies-policygenerators.patch + - crypto-policies-supported.patch + - crypto-policies-nss.patch + +------------------------------------------------------------------- +Wed Nov 06 12:27:56 UTC 2024 - Pedro Monreal + +- Update to version 20241010.5930b9a: + * LEGACY: enable 192-bit ciphers for nss pkcs12/smime + * nss: be stricter with new purposes + * nss: rewrite backend for 3.101 + * cryptopolicies: parent scopes for dumping purposes + * policygenerators: move scoping inside generators + * TEST-PQ: disable pure Kyber768 + * nss: wire XYBER768D00 to X25519-KYBER768 + * TEST-PQ: update + * TEST-PQ: also enable sntrup761x25519-sha512@openssh.com + * TEST-PQ, alg_lists, openssl: enable more experimental `sign` values + * TEST-PQ, python: add more groups, mark 
experimental + * openssl: mark liboqsprovider groups optional with ? + * Remove patches: + - crypto-policies-revert-rh-allow-sha1-signatures.patch + ------------------------------------------------------------------- Tue Feb 06 10:29:11 UTC 2024 - Pedro Monreal diff --git a/crypto-policies.spec b/crypto-policies.spec index d82cb1d..4cb0df0 100644 --- a/crypto-policies.spec +++ b/crypto-policies.spec @@ -1,7 +1,7 @@ # # spec file for package crypto-policies # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,8 +21,14 @@ # manbuild is disabled by default %bcond_with manbuild %global _python_bytecompile_extra 0 + +# File used as marker to preserve the auto-bindmount of the FIPS policy across +# upgrades while temporarily removing it for the RPM transaction. +%define rpmstatedir %{_localstatedir}/lib/%{name} +%define rpmstate_autopolicy %{rpmstatedir}/autopolicy-reapplication-needed + Name: crypto-policies -Version: 20240201.9f501f3 +Version: 20250124.4d262e7 Release: 0 Summary: System-wide crypto policies License: LGPL-2.1-or-later 
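Review bot: `%define rpmstatedir` and `%define rpmstate_autopolicy` are introduced in the @@ -21,8 +21,14 @@ hunk, but no hunk visible in this chunk writes, reads or owns them; the scriptlets and %files entries that use the marker are outside this view. Because the comment says this marker decides whether the FIPS auto-bindmount is restored after an upgrade, an unowned or missing %{_localstatedir}/lib/%{name} could leave an upgraded FIPS system without its policy overlay, so the directory should be guaranteed by the package (`%dir %{rpmstatedir}` in %files, or `mkdir -p` in %pre) and the marker listed as `%ghost %{rpmstate_autopolicy}` so it is removed on erase. Please confirm against the scriptlets that consume it.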
@@ -47,42 +53,30 @@ Patch1: crypto-policies-no-build-manpages.patch
 Patch2: crypto-policies-policygenerators.patch
 #PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
 Patch3: crypto-policies-supported.patch
-#PATCH-FIX-OPENSUSE Revert a breaking change that introduces rh-allow-sha1-signatures
-Patch4: crypto-policies-revert-rh-allow-sha1-signatures.patch
 #PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
 Patch5: crypto-policies-pylint.patch
 #PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
 Patch6: crypto-policies-FIPS.patch
 #PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
 Patch7: crypto-policies-nss.patch
-BuildRequires: python3-base >= 3.6
-# The sequoia stuff needs python3-toml, removed until needed
-# BuildRequires: python3-toml
+BuildRequires: python3-base >= 3.11
 %if %{with manbuild}
 BuildRequires: asciidoc
 %endif
 %if %{with testsuite}
 # The following packages are needed for the testsuite
 BuildRequires: bind
-BuildRequires: codespell
 BuildRequires: crypto-policies-scripts
-BuildRequires: gnutls >= 3.6.0
+BuildRequires: gnutls
 BuildRequires: java-devel
-BuildRequires: krb5-devel
 BuildRequires: libxslt
 BuildRequires: mozilla-nss-tools
+BuildRequires: openssh-clients
 BuildRequires: openssl
-BuildRequires: perl
 BuildRequires: python-rpm-macros
-BuildRequires: python3-coverage
-BuildRequires: python3-devel >= 3.6
-BuildRequires: python3-flake8
-BuildRequires: python3-pylint
+BuildRequires: python3-devel >= 3.11
 BuildRequires: python3-pytest
-BuildRequires: perl(File::Copy)
-BuildRequires: perl(File::Temp)
-BuildRequires: perl(File::Which)
-BuildRequires: perl(File::pushd)
+BuildRequires: systemd-rpm-macros
 %else
 # Avoid cycle with python-rpm-macros
 #!BuildIgnore: python-rpm-packaging python-rpm-macros
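Review bot: `BuildRequires: systemd-rpm-macros` is added inside the `%if %{with testsuite}` block (between python3-pytest and the `%else`), so a default build without the testsuite never pulls it in; if the %install, %files or scriptlet parts outside this chunk rely on %{_unitdir} or the %service_add_* macros for the unit the patched Makefile now installs, they will only expand correctly in testsuite builds. Move it above the `%if`, next to `BuildRequires: python3-base >= 3.11`. Separately, the linters (codespell, python3-flake8, python3-pylint) are dropped here while this commit's changelog says upstream now runs ruff from the Makefile and added a SKIP_LINTING flag for packagers, yet the visible %build still calls plain `%make_build`; unless Patch5 already strips the lint targets, `%make_build SKIP_LINTING=1` (and the same for the %check invocation, outside this chunk) is needed to keep the build from failing on a missing ruff.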
@@ -90,10 +84,10 @@ BuildRequires: perl(File::pushd) %if 0%{?primary_python:1} Recommends: crypto-policies-scripts %endif -Conflicts: gnutls < 3.7.3 -#Conflicts: libreswan < 3.28 -Conflicts: nss < 3.90.0 -#Conflicts: openssh < 8.2p1 +Conflicts: gnutls < 3.8.8 +Conflicts: nss < 3.105 +Conflicts: openssh < 9.9p1 +Conflicts: openssl < 3.0.2 #!BuildIgnore: crypto-policies BuildArch: noarch @@ -106,6 +100,7 @@ such as SSL/TLS libraries. Summary: Tool to switch between crypto policies Requires: %{name} = %{version}-%{release} Recommends: perl-Bootloader +Provides: fips-mode-setup = %{version}-%{release} %description scripts This package provides a tool update-crypto-policies, which applies @@ -122,15 +117,11 @@ to enable or disable the system FIPS mode. # Make README.SUSE available for %%doc cp -p %{SOURCE1} . -# Remove not needed policy generators -find -name libreswan.py -delete -find -name sequoia.py -delete - %build export OPENSSL_CONF='' -sed -i "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \ - python/policygenerators/openssh.py -grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py + +find -type f -name build-crypto-policies.py + %make_build %install @@ -146,6 +137,7 @@ mkdir -p -m 755 %{buildroot}%{_bindir} make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config +install -p -m 644 default-fips-config %{buildroot}%{_datarootdir}/crypto-policies/default-fips-config touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol 
@@ -163,12 +155,14 @@ install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/ install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/ install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/ -# Drop pre-generated GOST-ONLY policy, we do not need to ship them +# Drop pre-generated GOST-ONLY and FEDORA policies, we do not need to ship them rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY - -# Drop FEDORA policies rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA* +# Drop libreswan and sequoia config files +find %{buildroot} -type f -name 'libreswan.*' -print -delete +find %{buildroot} -type f -name 'sequoia.*' -print -delete + # Create back-end configs for mounting with read-only /etc/ for d in LEGACY DEFAULT FUTURE FIPS BSI ; do mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d 
@@ -199,6 +193,83 @@ export OPENSSL_CONF='' %make_build test-install test-fips-setup || : %endif +# Migrate away from removed policies; can be dropped 3 releases later +%pretrans -p +if posix.access("%{_sysconfdir}/crypto-policies/config") then + local cf = io.open("%{_sysconfdir}/crypto-policies/config", "r") + if cf then + local prev = cf:read() + cf:close() + local new + if prev == "TEST-FEDORA39" or prev:sub(1, 14) == "TEST-FEDORA39:" then + new = "DEFAULT" .. prev:sub(14) + elseif prev == "FEDORA38" or prev:sub(1, 9) == "FEDORA38:" then + new = "DEFAULT" .. prev:sub(9) + else + new = prev + end + while new:find(":FEDORA32:") ~= nil do + new = new:gsub(":FEDORA32:", ":") + end + new = new:gsub(":FEDORA32$", "") + if new ~= prev then + cf = io.open("%{_sysconfdir}/crypto-policies/config", "w") + if cf then + cf:write(new) + cf:close() + end + end + end +end + +if arg[2] == 2 then + posix.unlink("%{rpmstate_autopolicy}") + + local mountinfo = io.open("/proc/self/mountinfo", "r"); + if mountinfo then + local mountpoints = {} + for mount in mountinfo:lines() do + -- See proc_pid_mountinfo(5) for the format + local pos, _, _, _, _, mountroot, mountpoint = string.find(mount, "^(%d+) (%d+) (%d+:%d+) ([^ ]+) ([^ ]+) ") + if pos == nil then + print("Failed to parse /proc/self/mountinfo line, ignoring:", mount) + else + mountpoints[mountpoint] = mountroot + end + end + mountinfo:close() + + local expected_backend_suffix = "/%{name}/back-ends/FIPS" + local expected_config_suffix = "/%{name}/default-fips-config" + + local backends_automount = + mountpoints["%{_sysconfdir}/%{name}/back-ends"] and + string.sub(mountpoints["%{_sysconfdir}/%{name}/back-ends"], string.len(expected_backend_suffix) * -1, -1) == expected_backend_suffix + local config_automount = + mountpoints["%{_sysconfdir}/%{name}/config"] and + string.sub(mountpoints["%{_sysconfdir}/%{name}/config"], string.len(expected_config_suffix) * -1, -1) == expected_config_suffix + + if backends_automount and 
config_automount then + if posix.access("%{_bindir}/umount", "x") then + rpm.execute("%{_bindir}/umount", "%{_sysconfdir}/%{name}/config") + rpm.execute("%{_bindir}/umount", "%{_sysconfdir}/%{name}/back-ends") + end + + local res, msg, errno = posix.mkdir("%{rpmstatedir}") + if res ~= 0 and errno ~= 17 then -- 17 is EEXIST + print("Failed to create state directory: " .. msg) + else + local marker, err = io.open("%{rpmstate_autopolicy}", "w+") + if not marker then + print("Failed to create marker file %{rpmstate_autopolicy} for automatic FIPS policy bind-mount: " .. err) + else + marker:close() + end + end + end + end +end + %post -p if not posix.access("%{_sysconfdir}/crypto-policies/config") then local policy = "DEFAULT" @@ -228,14 +299,30 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then posix.symlink(policypath.."/"..fn, cfgfn) end end +else + if posix.access("%{rpmstate_autopolicy}") then + os.execute("%{_libexecdir}/fips-crypto-policy-overlay >/dev/null 2>/dev/null || :") + posix.unlink("%{rpmstate_autopolicy}") + end end +cfg_path_libreswan = "%{_sysconfdir}/crypto-policies/back-ends/libreswan.config" +st = posix.stat(cfg_path_libreswan) +if st and st.type == "link" then + posix.unlink(cfg_path_libreswan) +end + +%pre +# Drop removed javasystem backend +rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" 2>/dev/null || : +exit 0 + %posttrans scripts %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || : %files %license COPYING.LESSER -%doc README.md NEWS CONTRIBUTING.md +%doc README.md CONTRIBUTING.md %doc %{_sysconfdir}/crypto-policies/README.SUSE %dir %{_sysconfdir}/crypto-policies/ 
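Review bot: `local prev = cf:read()` in the %pretrans migration block is nil when /etc/crypto-policies/config exists but is empty, and the following `prev:sub(1, 14)` then raises a Lua error that aborts the whole RPM transaction; write `local prev = cf:read() or ""` (or drop the block entirely, since the TEST-FEDORA39/FEDORA38 names it rewrites are not shipped here — this spec deletes the *FEDORA* policies). Further down, the results of both `rpm.execute("%{_bindir}/umount", ...)` calls are ignored, so if an unmount fails the marker file is still created and %post will presumably re-run the overlay on top of the still-mounted bind mount; create the marker only when both unmounts succeeded and print the failure otherwise. The scriptlet is reached only on upgrade (`arg[2] == 2`), which a one-line comment above that condition should say.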
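Review bot: The re-application in %post runs `os.execute("%{_libexecdir}/fips-crypto-policy-overlay >/dev/null 2>/dev/null || :")`, which discards both the output and the exit status, and the marker is unlinked unconditionally; if the overlay fails on a FIPS host the upgrade finishes with /etc/crypto-policies presumably left on the on-disk non-FIPS policy and no diagnostic at all. Keep stderr and report the failure: `local ok = os.execute("%{_libexecdir}/fips-crypto-policy-overlay >/dev/null")` followed by `if not ok then print("warning: FIPS crypto-policy overlay was not re-applied; run fips-crypto-policy-overlay manually") end`. The cleanup is also incomplete: %post unlinks only `libreswan.config` and %pre only `javasystem.config`, while the %files hunk that follows also drops the ghost entries for `sequoia.config` and `rpm-sequoia.config`, so if those were ever created they stay behind unowned in back-ends/; add them to the same cleanup.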
@@ -257,17 +344,17 @@ end %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config -%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config -%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config -%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config -%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config # %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will. %ghost %{_sysconfdir}/crypto-policies/state/current %ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol +%{_libexecdir}/fips-setup-helper +%{_libexecdir}/fips-crypto-policy-overlay +%{_unitdir}/fips-crypto-policy-overlay.service + %{_mandir}/man7/crypto-policies.7%{?ext_man} %{_datarootdir}/crypto-policies/LEGACY %{_datarootdir}/crypto-policies/DEFAULT @@ -277,6 +364,7 @@ end %{_datarootdir}/crypto-policies/EMPTY %{_datarootdir}/crypto-policies/back-ends %{_datarootdir}/crypto-policies/default-config +%{_datarootdir}/crypto-policies/default-fips-config %{_datarootdir}/crypto-policies/reload-cmds.sh %{_datarootdir}/crypto-policies/policies diff --git a/fedora-crypto-policies-20240201.9f501f3.tar.gz b/fedora-crypto-policies-20240201.9f501f3.tar.gz deleted file mode 100644 index b54b471..0000000 --- a/fedora-crypto-policies-20240201.9f501f3.tar.gz +++ /dev/null 
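Review bot: `%{_unitdir}/fips-crypto-policy-overlay.service` is packaged, but no `%service_add_pre`/`%service_add_post`/`%service_del_*` scriptlets or `%{?systemd_requires}` appear in this commit, and systemd-rpm-macros is only a BuildRequires inside `%if %{with testsuite}`; unless the unit is statically wanted by a symlink the upstream Makefile installs (not visible here), nothing enables it, and `%{_unitdir}` itself relies on the macros package being pulled in some other way. Either add the scriptlets and an unconditional `BuildRequires: systemd-rpm-macros`, or put a comment above the three new `%{_libexecdir}`/`%{_unitdir}` lines stating that the unit is static and needs no enablement. `fips-setup-helper` is a new executable under %{_libexecdir}; a one-line comment naming what invokes it would help the next reviewer.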
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c1eed7a1843035fc9d109f921065370d58b5ad38729ebe154744889d9641c368
-size 91940
diff --git a/fedora-crypto-policies-20250124.4d262e7.tar.gz b/fedora-crypto-policies-20250124.4d262e7.tar.gz
new file mode 100644
index 0000000..e427784
--- /dev/null
+++ b/fedora-crypto-policies-20250124.4d262e7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:33d72a26ed1543702fc5c8aca8cea0b71667fa2fb9040ed9850480fe3235dfbf
+size 102444
diff --git a/fips-finish-install.8.gz b/fips-finish-install.8.gz
index c5535e2..a882f5e 100644
--- a/fips-finish-install.8.gz
+++ b/fips-finish-install.8.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:da44abb81d96485c14161f1b977c2688738c72fc0c2155b6326bdaf0ee452054
+oid sha256:93e6dcce6491836df86af048bd0e800868e818359ad4749f7441817e5f11891e
 size 949
diff --git a/fips-mode-setup.8.gz b/fips-mode-setup.8.gz
index 3650c3a..219903c 100644
--- a/fips-mode-setup.8.gz
+++ b/fips-mode-setup.8.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:1bc1ff43190995561b186f5f55e63decb8203a8c829e75ad7867193c30237214
-size 1781
+oid sha256:a9d4ded30f73bf76626f79f507c164a82fac54bed8daa6e9e40d3af46f276a67
+size 1782
diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz
index b93f3c4..adbc707 100644
--- a/update-crypto-policies.8.gz
+++ b/update-crypto-policies.8.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:445e4c996c60d4a11c556590d9cfcb3036d344a056367328ff2d4f0be304eab6
+oid sha256:492615feef5d98e42ca928ddc05114ef7a93df1752afbf5a0db8cf0625071b59
 size 4149
-- 
2.51.1
From 9c7dcb10f0f6c7cf1b94d2049b3a435c45fa4d1a77f94e6e791ae3bec2460aac Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez Date: Thu, 13 Feb 2025 16:19:09 +0000 Subject: [PATCH 03/11] Accepting request 1245722 from home:pmonrealgonzalez:branches:security:tls OBS-URL: https://build.opensuse.org/request/show/1245722 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=33 --- crypto-policies.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/crypto-policies.spec b/crypto-policies.spec index 4cb0df0..f2edf68 100644 --- a/crypto-policies.spec +++ b/crypto-policies.spec @@ -120,8 +120,6 @@ cp -p %{SOURCE1} . %build export OPENSSL_CONF='' -find -type f -name build-crypto-policies.py - %make_build %install -- 2.51.1 From 663edb6cd9fee3088c0bbadb34616bec2a71e9a55c3861be3199f47864c09799 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Tue, 11 Mar 2025 13:25:33 +0000 Subject: [PATCH 04/11] - Enable SHA1 sigver in the DEFAULT policy. * Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=34 --- ...licies-enable-SHA1-sigver-in-DEFAULT.patch | 55 +++++++++++++++++++ crypto-policies.changes | 6 ++ crypto-policies.spec | 5 +- 3 files changed, 64 insertions(+), 2 deletions(-) create mode 100644 crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch diff --git a/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch b/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch new file mode 100644 index 0000000..2809b12 --- /dev/null +++ b/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch 
@@ -0,0 +1,55 @@ +diff -PpuriN fedora-crypto-policies-orig/policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol +--- fedora-crypto-policies-orig/policies/DEFAULT.pol 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol 2025-03-11 14:09:01.796831654 +0100 +@@ -1,7 +1,6 @@ + # A reasonable default for today's standards. It should provide + # 112-bit security with the exception of SHA1 signatures in DNSSec. + # SHA1 is allowed in HMAC where collision attacks do not matter. +-# OpenSSL distrusts signatures using SHA-1 (Changes/OpenSSLDistrustSHA1SigVer). + + # MACs: all HMAC with SHA1 or better + all modern MACs (Poly1305 etc) + # Curves: all prime >= 255 bits (including Bernstein curves) +@@ -88,6 +87,3 @@ etm@SSH = ANY + sign@RPM = DSA-SHA1+ + hash@RPM = SHA1+ + min_dsa_size@RPM = 1024 +- +-# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer +-__openssl_block_sha1_signatures = 1 +diff -PpuriN fedora-crypto-policies-orig/tests/alternative-policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/tests/alternative-policies/DEFAULT.pol +--- fedora-crypto-policies-orig/tests/alternative-policies/DEFAULT.pol 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/alternative-policies/DEFAULT.pol 2025-03-11 13:53:52.231005482 +0100 +@@ -91,6 +91,3 @@ ssh_etm = 1 + sign@rpm-sequoia = DSA-SHA1+ + hash@rpm-sequoia = SHA1+ + min_dsa_size@rpm-sequoia = 1024 +- +-# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer +-__openssl_block_sha1_signatures = 1 +diff -PpuriN fedora-crypto-policies-orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:GOST-opensslcnf.txt +--- fedora-crypto-policies-orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:GOST-opensslcnf.txt 2025-03-11 14:10:14.134767876 
+0100 +@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1 + alg_section = evp_properties + + [evp_properties] +-rh-allow-sha1-signatures = no ++rh-allow-sha1-signatures = yes +diff -PpuriN fedora-crypto-policies-orig/tests/outputs/DEFAULT-opensslcnf.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensslcnf.txt +--- fedora-crypto-policies-orig/tests/outputs/DEFAULT-opensslcnf.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensslcnf.txt 2025-03-11 14:09:55.798784042 +0100 +@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1 + alg_section = evp_properties + + [evp_properties] +-rh-allow-sha1-signatures = no ++rh-allow-sha1-signatures = yes +diff -PpuriN fedora-crypto-policies-orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt +--- fedora-crypto-policies-orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 2025-03-11 14:10:42.542742833 +0100 +@@ -11,4 +11,4 @@ Groups = ?x25519_kyber768:?p256_kyber768 + alg_section = evp_properties + + [evp_properties] +-rh-allow-sha1-signatures = no ++rh-allow-sha1-signatures = yes diff --git a/crypto-policies.changes b/crypto-policies.changes index 5c100d1..d387e66 100644 --- a/crypto-policies.changes +++ b/crypto-policies.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Mar 11 12:40:44 UTC 2025 - Pedro Monreal + +- Enable SHA1 sigver in the DEFAULT policy. + * Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch + ------------------------------------------------------------------- Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal diff --git a/crypto-policies.spec b/crypto-policies.spec index f2edf68..5a95a09 100644 --- a/crypto-policies.spec +++ b/crypto-policies.spec 
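Review bot: Re-enabling SHA-1 signature verification in DEFAULT (`rh-allow-sha1-signatures = yes`) is a downgrade relative to upstream, and the only comment the patch touches is the one it deletes, so the remaining header of DEFAULT.pol still promises "112-bit security with the exception of SHA1 signatures in DNSSec" while OpenSSL consumers on this policy now also accept SHA-1 signatures in certificates and TLS. Replace the deleted line with one that states the decision and the way out, e.g. `# openSUSE: SHA-1 signature verification remains enabled in OpenSSL (rh-allow-sha1-signatures = yes); use FUTURE or a subpolicy to block it.` The changes entry and the spec comment carry no bug or jsc reference for why DEFAULT diverges from upstream here; add one so the divergence can be revisited once the reason is gone.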
@@ -59,6 +59,8 @@ Patch5: crypto-policies-pylint.patch Patch6: crypto-policies-FIPS.patch #PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301] Patch7: crypto-policies-nss.patch +#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT +Patch8: crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch BuildRequires: python3-base >= 3.11 %if %{with manbuild} BuildRequires: asciidoc @@ -119,7 +121,6 @@ cp -p %{SOURCE1} . %build export OPENSSL_CONF='' - %make_build %install @@ -191,7 +192,7 @@ export OPENSSL_CONF='' %make_build test-install test-fips-setup || : %endif -# Migrate away from removed policies; can be dropped 3 releases later +# Migrate away from removed policies; can be dropped later %pretrans -p if posix.access("%{_sysconfdir}/crypto-policies/config") then local cf = io.open("%{_sysconfdir}/crypto-policies/config", "r") -- 2.51.1 From afd2ac0d9c3e2148679c35fa64ff1466c514e751269d0db92c3fba6d4896abb0 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Tue, 11 Mar 2025 17:37:42 +0000 Subject: [PATCH 05/11] - Update to version 20250124.4d262e7: [bsc#1239009] OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=35 --- crypto-policies.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto-policies.changes b/crypto-policies.changes index d387e66..05a6989 100644 --- a/crypto-policies.changes +++ b/crypto-policies.changes @@ -13,7 +13,7 @@ Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal ------------------------------------------------------------------- Tue Feb 04 10:18:07 UTC 2025 - Pedro Monreal -- Update to version 20250124.4d262e7: +- Update to version 20250124.4d262e7: [bsc#1239009] * openssl: stricter enabling of Ciphersuites * openssl: make use of -CBC and -AESGCM keywords * openssl: add TLS 1.3 Brainpool identifiers -- 2.51.1 From 1515971d29e0389b757171cbbc3242c28cc06883dc002e3bb389b54f689e9464 Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Thu, 13 Mar 2025 08:17:07 +0000 Subject: [PATCH 06/11] - Fix fips-mode-setup in EFI or Secure Boot mode. [bsc#1227637] * Rebase crypto-policies-FIPS.patch - Update to version 20250124.4d262e7: [bsc#1239009, bsc#1236165] OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=36 --- crypto-policies-FIPS.patch | 2 +- crypto-policies.changes | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch index 83a3fa3..d0036cb 100644 --- a/crypto-policies-FIPS.patch +++ b/crypto-policies-FIPS.patch @@ -74,7 +74,7 @@ Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup - fi - fi + pbl --add-option "$fipsopts" -+ grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all ++ pbl --config; pbl --install && dracut -f --regenerate-all + + # grubby --update-kernel=ALL --args="$fipsopts" + # if test x"$(uname -m)" = xs390x; then diff --git a/crypto-policies.changes b/crypto-policies.changes index 05a6989..b6ee8e4 100644 --- a/crypto-policies.changes +++ b/crypto-policies.changes @@ -4,6 +4,12 @@ Tue Mar 11 12:40:44 UTC 2025 - Pedro Monreal - Enable SHA1 sigver in the DEFAULT policy. * Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch +------------------------------------------------------------------- +Fri Feb 28 13:18:00 UTC 2025 - Pedro Monreal + +- Fix fips-mode-setup in EFI or Secure Boot mode. [bsc#1227637] + * Rebase crypto-policies-FIPS.patch + ------------------------------------------------------------------- Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal 
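Review bot: `pbl --config; pbl --install && dracut -f --regenerate-all` throws away the exit status of `pbl --config`, so a failure to regenerate the bootloader configuration with `$fipsopts` still proceeds to `pbl --install` and the initrd rebuild, after which the script prints its "Please reboot" message as if FIPS mode were configured (the tail with `exit 0` lies outside this hunk and is visible in the later rebase of the same patch in this series). Chain with `&&` and fail loudly: `pbl --config && pbl --install && dracut -f --regenerate-all || { echo >&2 "Bootloader/initrd update failed, FIPS mode is NOT configured."; exit 1; }`. The preceding `pbl --add-option "$fipsopts"` is unchecked for the same reason, assuming pbl reports failures through its exit code; the enclosing `if` block starts outside the hunk.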
@@ -13,7 +19,7 @@ Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal ------------------------------------------------------------------- Tue Feb 04 10:18:07 UTC 2025 - Pedro Monreal -- Update to version 20250124.4d262e7: [bsc#1239009] +- Update to version 20250124.4d262e7: [bsc#1239009, bsc#1236165] * openssl: stricter enabling of Ciphersuites * openssl: make use of -CBC and -AESGCM keywords * openssl: add TLS 1.3 Brainpool identifiers -- 2.51.1 From 06c618d49b55f9229d0f42efd193a450c7304b02f557d20a61af5dfb624ad71a Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Tue, 18 Mar 2025 14:46:56 +0000 Subject: [PATCH 07/11] - Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370] * Add crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=37 --- ...llow-sshd-in-FIPS-mode-using-DEFAULT.patch | 50 +++++++ crypto-policies-FIPS.patch | 126 ++++++++++++++++++ crypto-policies.changes | 6 + crypto-policies.spec | 98 +------------- 4 files changed, 189 insertions(+), 91 deletions(-) create mode 100644 crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch diff --git a/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch b/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch new file mode 100644 index 0000000..c7c3e96 --- /dev/null +++ b/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch 
@@ -0,0 +1,50 @@ +diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol +--- fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol 2025-03-18 14:39:54.565216139 +0100 +@@ -15,9 +15,11 @@ + + mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512 + mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1 ++mac@SSH = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512 + + group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \ + FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 ++group@SSH = -X25519 + + hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA3-224 \ + SHAKE-256 +@@ -53,7 +55,8 @@ cipher@RPM = AES-256-CFB AES-128-CFB CAM + + # CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks + # and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014). +-cipher@SSH = -*-CBC ++# disable also chachapoly, as we might run DEFAULT in FIPS mode too. ++cipher@SSH = AES-256-GCM AES-256-CCM CAMELLIA-256-GCM AES-256-CTR AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR + + # 'RSA' is intentionally before DHE ciphersuites, as the DHE ciphersuites have + # interoperability issues in TLS. 
+diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt +--- fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt 2025-03-18 14:40:54.831266197 +0100 +@@ -1,5 +1,5 @@ +-Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +-MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 + GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- + KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 + HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt +--- 
fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt 2025-03-18 15:41:32.234673018 +0100 +@@ -1,7 +1,8 @@ +-Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +-MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 + GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- + KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com + PubkeyAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com + HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com + CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch index d0036cb..c30993a 100644 --- a/crypto-policies-FIPS.patch +++ b/crypto-policies-FIPS.patch 
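Review bot: `group@SSH = -X25519` removes X25519 from the SSH scope, yet the expected outputs updated in the same patch still list `curve25519-sha256,curve25519-sha256@libssh.org` in KexAlgorithms and `gss-curve25519-sha256-` in GSSAPIKexAlgorithms for both client and server, so either the directive has no effect on the openssh generator or the files were not regenerated — and with the spec's test invocation ending in `|| :`, neither would break the build. Regenerate the outputs from the patched policy; if curve25519 is meant to stay, drop the `group@SSH` line, and if it is meant to go for fips=1 reasons, say so next to it. The new comment mentions only chachapoly, while `mac@SSH` also drops UMAC-128 and `group@SSH` drops X25519; widen it, e.g. `# DEFAULT may run under fips=1: drop ChaCha20-Poly1305, UMAC-128 and X25519 in SSH (assumed unavailable in FIPS mode).`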
@@ -191,3 +191,129 @@ Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt [[options]] OPTIONS +Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup ++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +@@ -8,7 +8,6 @@ check=0 + boot_config=1 + err_if_disabled=0 + output_text=1 +-uki_file=/sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f + + is_ostree_system=0 + if test -f /run/ostree-booted -o -d /ostree; then +@@ -61,18 +60,13 @@ while test $# -ge 1 ; do + done + + if test $usage = 1 -o x$enable_fips = x ; then +- echo "Check, enable, or disable (unsupported) the system FIPS mode." ++ echo "Check, enable, or disable the system FIPS mode." + echo "usage: $0 --enable|--disable [--no-bootcfg]" + echo "usage: $0 --check" + echo "usage: $0 --is-enabled" + exit 2 + fi + +-if test -e "$uki_file" && test "$FIPS_MODE_SETUP_SKIP_UKI_CHECK" != 1; then +- echo >&2 "UKI detected ($uki_file is present), forcing --no-bootcfg." +- boot_config=0 +-fi +- + # We don't handle the boot config on OSTree systems for now; it is assumed to be + # handled at a higher level. E.g. in Fedora CoreOS and RHEL CoreOS, it is + # intrinsically tied to the firstboot procedure. +@@ -186,12 +180,6 @@ if test $check = 1 ; then + exit 0 + fi + +-# Boot configuration +-# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then +-# echo >&2 "The grubby command is missing, please configure the bootloader manually." +-# boot_config=0 +-# fi +- + if test "$boot_config" = 1 && test ! -d /boot ; then + echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)." + echo >&2 "If you want to configure the bootloader manually, re-run with --no-bootcfg." 
+@@ -204,39 +192,6 @@ if test "$boot_config" = 1 && test -z "$ + exit 1 + fi + +-if test "$FIPS_MODE_SETUP_SKIP_ARGON2_CHECK" != 1 && \ +- test -x "$(command -v cryptsetup)" ; then +- # Best-effort detection of LUKS Argon2 usage +- argon2_found='' +- # two redundant ways to list device names +- devs=$( (find /dev/mapper/ -type l -printf '%f\n'; \ +- dmsetup ls --target crypt | cut -f1) \ +- | sort -u) +- while IFS= read -r devname; do +- back=$(cryptsetup status "$devname" | \ +- grep -F device: | +- sed -E 's/.*device:\s+//') +- if ! test -b "$back"; then +- echo >&2 -n "Warning: detected device '$back' " +- echo >&2 -n 'is not a valid block device. ' +- echo >&2 'Cannot check whether it uses Argon2.' +- continue +- fi +- dump=$(cryptsetup luksDump "$back") +- if grep -qEi 'PBKDF:.*argon' <<<"$dump"; then +- argon2_found+=" $back($devname)" +- fi +- done <<<"$devs" +- if test -n "$argon2_found" ; then +- echo >&2 -n "The following encrypted devices use Argon2 PBKDF:" +- echo >&2 "$argon2_found" +- echo >&2 'Aborting fips-mode-setup because of that.' +- echo >&2 -n 'Please refer to the ' +- echo >&2 'cryptsetup-luksConvertKey(8) manpage.' +- exit 76 +- fi +-fi +- + if test "$FIPS_MODE_SETUP_SKIP_WARNING" != 1 ; then + if test $enable_fips = 1 ; then + echo >&2 "*****************************************************************" +@@ -244,15 +199,13 @@ if test "$FIPS_MODE_SETUP_SKIP_WARNING" + echo >&2 "* *" + echo >&2 "* ENABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED. *" + echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *" +- echo >&2 "* REINSTALL WITH fips=1 INSTEAD. *" + echo >&2 "*****************************************************************" + elif test $enable_fips = 0 ; then + echo >&2 "*****************************************************************" + echo >&2 "* PRESS CONTROL-C WITHIN 15 SECONDS TO ABORT... *" + echo >&2 "* *" +- echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT SUPPORTED. 
*" ++ echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED.*" + echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *" +- echo >&2 "* WIPE ALL MEDIA AND REINSTALL WITHOUT fips=1 INSTEAD. *" + echo >&2 "*****************************************************************" + fi + for i in {15..1}; do +@@ -339,21 +292,10 @@ fipsopts="fips=$enable_fips$boot_device_ + if test "$boot_config" = 1 ; then + pbl --add-option "$fipsopts" + pbl --config; pbl --install && dracut -f --regenerate-all +- +- # grubby --update-kernel=ALL --args="$fipsopts" +- # if test x"$(uname -m)" = xs390x; then +- # if command -v zipl >/dev/null; then +- # zipl +- # else +- # echo -n '`zipl` execution has been skipped: ' +- # echo '`zipl` not found.' +- # fi +- # fi +- +- echo "Please reboot the system for the setting to take effect." ++ echo "Please reboot the system for the settings to take effect." + else + echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" +- echo "and reboot the system for the setting to take effect." ++ echo "and reboot the system for the settings to take effect." + fi + + exit 0 diff --git a/crypto-policies.changes b/crypto-policies.changes index b6ee8e4..e4968ee 100644 --- a/crypto-policies.changes +++ b/crypto-policies.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Mar 18 13:45:44 UTC 2025 - Pedro Monreal + +- Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370] + * Add crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch + ------------------------------------------------------------------- Tue Mar 11 12:40:44 UTC 2025 - Pedro Monreal diff --git a/crypto-policies.spec b/crypto-policies.spec index 5a95a09..68843c3 100644 --- a/crypto-policies.spec +++ b/crypto-policies.spec 
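Review bot: Enabling FIPS mode on a host whose LUKS volumes use Argon2 is no longer refused: the hunk deletes upstream's `cryptsetup luksDump` PBKDF detection (the loop that exits 76) and the UKI detection without replacement or a changes entry, so if SUSE's cryptsetup likewise cannot unlock Argon2 keyslots under fips=1, the tool proceeds and the system fails to open its encrypted root on the next boot — exactly what the removed check existed to prevent. Keep the loop (it is already skippable via `FIPS_MODE_SETUP_SKIP_ARGON2_CHECK`) or at least turn it into a warning, and likewise keep the UKI check, since `pbl --add-option` presumably cannot alter a command line embedded in a unified kernel image. The rewritten disable banner now says "NOT RECOMMENDED" while the kept next line still says "THIS OPERATION CANNOT BE UNDONE", which contradicts a supported `--disable`; pick one wording. The script continues before and after the hunk.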
@@ -22,11 +22,6 @@
 %bcond_with manbuild
 %global _python_bytecompile_extra 0
-# File used as marker to preserve the auto-bindmount of the FIPS policy across
-# upgrades while temporarily removing it for the RPM transaction.
-%define rpmstatedir %{_localstatedir}/lib/%{name}
-%define rpmstate_autopolicy %{rpmstatedir}/autopolicy-reapplication-needed
-
 Name: crypto-policies
 Version: 20250124.4d262e7
 Release: 0
@@ -61,6 +56,8 @@ Patch6: crypto-policies-FIPS.patch
 Patch7: crypto-policies-nss.patch
 #PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT
 Patch8: crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
+#PATCH-FIX-OPENSUSE Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
+Patch9: crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
 BuildRequires: python3-base >= 3.11
 %if %{with manbuild}
 BuildRequires: asciidoc
@@ -192,83 +189,6 @@ export OPENSSL_CONF='' %make_build test-install test-fips-setup || : %endif -# Migrate away from removed policies; can be dropped later -%pretrans -p -if posix.access("%{_sysconfdir}/crypto-policies/config") then - local cf = io.open("%{_sysconfdir}/crypto-policies/config", "r") - if cf then - local prev = cf:read() - cf:close() - local new - if prev == "TEST-FEDORA39" or prev:sub(1, 14) == "TEST-FEDORA39:" then - new = "DEFAULT" .. prev:sub(14) - elseif prev == "FEDORA38" or prev:sub(1, 9) == "FEDORA38:" then - new = "DEFAULT" .. prev:sub(9) - else - new = prev - end - while new:find(":FEDORA32:") ~= nil do - new = new:gsub(":FEDORA32:", ":") - end - new = new:gsub(":FEDORA32$", "") - if new ~= prev then - cf = io.open("%{_sysconfdir}/crypto-policies/config", "w") - if cf then - cf:write(new) - cf:close() - end - end - end -end - -if arg[2] == 2 then - posix.unlink("%{rpmstate_autopolicy}") - - local mountinfo = io.open("/proc/self/mountinfo", "r"); - if mountinfo then - local mountpoints = {} - for mount in mountinfo:lines() do - -- See proc_pid_mountinfo(5) for the format - local pos, _, _, _, _, mountroot, mountpoint = string.find(mount, "^(%d+) (%d+) (%d+:%d+) ([^ ]+) ([^ ]+) ") - if pos == nil then - print("Failed to parse /proc/self/mountinfo line, ignoring:", mount) - else - mountpoints[mountpoint] = mountroot - end - end - mountinfo:close() - - local expected_backend_suffix = "/%{name}/back-ends/FIPS" - local expected_config_suffix = "/%{name}/default-fips-config" - - local backends_automount = - mountpoints["%{_sysconfdir}/%{name}/back-ends"] and - string.sub(mountpoints["%{_sysconfdir}/%{name}/back-ends"], string.len(expected_backend_suffix) * -1, -1) == expected_backend_suffix - local config_automount = - mountpoints["%{_sysconfdir}/%{name}/config"] and - string.sub(mountpoints["%{_sysconfdir}/%{name}/config"], string.len(expected_config_suffix) * -1, -1) == expected_config_suffix - - if backends_automount and config_automount then 
- if posix.access("%{_bindir}/umount", "x") then - rpm.execute("%{_bindir}/umount", "%{_sysconfdir}/%{name}/config") - rpm.execute("%{_bindir}/umount", "%{_sysconfdir}/%{name}/back-ends") - end - - local res, msg, errno = posix.mkdir("%{rpmstatedir}") - if res ~= 0 and errno ~= 17 then -- 17 is EEXIST - print("Failed to create state directory: " .. msg) - else - local marker, err = io.open("%{rpmstate_autopolicy}", "w+") - if not marker then - print("Failed to create marker file %{rpmstate_autopolicy} for automatic FIPS policy bind-mount: " .. err) - else - marker:close() - end - end - end - end -end - %post -p if not posix.access("%{_sysconfdir}/crypto-policies/config") then local policy = "DEFAULT" @@ -298,11 +218,6 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then posix.symlink(policypath.."/"..fn, cfgfn) end end -else - if posix.access("%{rpmstate_autopolicy}") then - os.execute("%{_libexecdir}/fips-crypto-policy-overlay >/dev/null 2>/dev/null || :") - posix.unlink("%{rpmstate_autopolicy}") - end end cfg_path_libreswan = "%{_sysconfdir}/crypto-policies/back-ends/libreswan.config" @@ -311,10 +226,11 @@ if st and st.type == "link" then posix.unlink(cfg_path_libreswan) end -%pre -# Drop removed javasystem backend -rm -f "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" 2>/dev/null || : -exit 0 +cfg_path_javasystem = "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config" +st = posix.stat(cfg_path_javasystem) +if st and st.type == "link" then + posix.unlink(cfg_path_javasystem) +end %posttrans scripts %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || : -- 2.51.1 From 433658502ea519c9de9556b1fa80fc8b06704e71496af7c7e4b82faf00aab89c Mon Sep 17 00:00:00 2001 
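Review bot: The Lua replacement for the dropped `%pre` only unlinks `javasystem.config` when `posix.stat` reports a symlink (`st.type == "link"`), whereas the removed `rm -f ... javasystem.config` removed it regardless of type, so a regular file left behind by an older package now survives the upgrade. If the intent is the same as before, drop the type test: `if st then posix.unlink(cfg_path_javasystem) end`; if only dangling symlinks are meant, as for the libreswan entry above it, a one-line comment saying so would stop the next reader from asking. The enclosing `%post` scriptlet starts outside this hunk, so the surrounding declarations are not visible here.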
From: Pedro Monreal Gonzalez
Date: Fri, 21 Mar 2025 13:53:24 +0000
Subject: [PATCH 08/11] - Remove not needed fips bind mount service

OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=38
---
 crypto-policies.changes | 1 +
 crypto-policies.spec | 11 +++++------
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto-policies.changes b/crypto-policies.changes
index e4968ee..e589ebc 100644
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@@ -21,6 +21,7 @@ Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal
 - Remove dangling symlink for the libreswan config [bsc#1236858]
 - Remove also sequoia config and generator files
+- Remove not needed fips bind mount service
 -------------------------------------------------------------------
 Tue Feb 04 10:18:07 UTC 2025 - Pedro Monreal
diff --git a/crypto-policies.spec b/crypto-policies.spec
index 68843c3..8eeaf2b 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -133,7 +133,6 @@
 mkdir -p -m 755 %{buildroot}%{_bindir}
 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
-install -p -m 644 default-fips-config %{buildroot}%{_datarootdir}/crypto-policies/default-fips-config
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
@@ -159,6 +158,11 @@ rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
 find %{buildroot} -type f -name 'libreswan.*' -print -delete
 find %{buildroot} -type f -name 'sequoia.*' -print -delete
+# Drop not needed fips bind mount service
+find %{buildroot} -type f -name 'default-fips-config' -print -delete
+find %{buildroot} -type f -name 'fips-setup-helper' -print -delete
+find %{buildroot} -type f -name 'fips-crypto-policy-overlay*' -print -delete
+
 # Create back-end configs for mounting with read-only /etc/
 for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
 mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
@@ -266,10 +270,6 @@ end
 %ghost %{_sysconfdir}/crypto-policies/state/current
 %ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
-%{_libexecdir}/fips-setup-helper
-%{_libexecdir}/fips-crypto-policy-overlay
-%{_unitdir}/fips-crypto-policy-overlay.service
-
 %{_mandir}/man7/crypto-policies.7%{?ext_man}
 %{_datarootdir}/crypto-policies/LEGACY
 %{_datarootdir}/crypto-policies/DEFAULT
@@ -279,7 +279,6 @@ end
 %{_datarootdir}/crypto-policies/EMPTY
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
-%{_datarootdir}/crypto-policies/default-fips-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
 %{_datarootdir}/crypto-policies/policies
-- 
2.51.1

From 352cf7737385535326f5ac831e3494477a86f07f585d666c721b822c3a065b85 Mon Sep 17 00:00:00 2001
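Review bot: The three new `find %{buildroot} ... -delete` lines strip `default-fips-config`, `fips-setup-helper` and everything matching `fips-crypto-policy-overlay*` (which includes the systemd unit removed from `%files` in the `@@ -266,10 +270,6 @@` hunk) from the buildroot, but nothing visible handles a `fips-crypto-policy-overlay.service` that an already installed system may have enabled, so after the upgrade any enablement symlink for it would dangle. If that unit was ever enabled (I cannot tell from this hunk), a `%systemd_preun`/`%systemd_postun`-style cleanup or an explicit disable in a scriptlet is needed; if it never was, a sentence in the changelog saying so closes the question. A glob delete also hides what it is expected to hit; a comment above the last find line such as `# fips-crypto-policy-overlay (libexec) and fips-crypto-policy-overlay.service (unitdir)` documents the intent.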
From: Pedro Monreal Gonzalez Date: Thu, 27 Mar 2025 10:46:22 +0000 Subject: [PATCH 09/11] - Relax the nss version requirement since the mlkem768secp256r1 enablement has been reverted. OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=40 --- .gitattributes | 23 + .gitignore | 1 + README.SUSE | 6 + _service | 14 + _servicedata | 4 + ...llow-sshd-in-FIPS-mode-using-DEFAULT.patch | 50 ++ crypto-policies-FIPS.patch | 319 +++++++++++ ...licies-enable-SHA1-sigver-in-DEFAULT.patch | 55 ++ crypto-policies-no-build-manpages.patch | 28 + crypto-policies-nss.patch | 42 ++ crypto-policies-policygenerators.patch | 40 ++ crypto-policies-pylint.patch | 15 + crypto-policies-rpmlintrc | 3 + crypto-policies-supported.patch | 37 ++ crypto-policies.7.gz | 3 + crypto-policies.changes | 496 ++++++++++++++++++ crypto-policies.spec | 294 +++++++++++ ...ra-crypto-policies-20230920.570ea89.tar.gz | 3 + ...ra-crypto-policies-20250124.4d262e7.tar.gz | 3 + fips-finish-install.8.gz | 3 + fips-mode-setup.8.gz | 3 + update-crypto-policies.8.gz | 3 + 22 files changed, 1445 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 README.SUSE create mode 100644 _service create mode 100644 _servicedata create mode 100644 crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch create mode 100644 crypto-policies-FIPS.patch create mode 100644 crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch create mode 100644 crypto-policies-no-build-manpages.patch create mode 100644 crypto-policies-nss.patch create mode 100644 crypto-policies-policygenerators.patch create mode 100644 crypto-policies-pylint.patch create mode 100644 crypto-policies-rpmlintrc create mode 100644 crypto-policies-supported.patch create mode 100644 crypto-policies.7.gz create mode 100644 crypto-policies.changes create mode 100644 crypto-policies.spec create mode 100644 fedora-crypto-policies-20230920.570ea89.tar.gz create mode 100644 
fedora-crypto-policies-20250124.4d262e7.tar.gz create mode 100644 fips-finish-install.8.gz create mode 100644 fips-mode-setup.8.gz create mode 100644 update-crypto-policies.8.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..3cc4b70 --- /dev/null +++ b/README.SUSE @@ -0,0 +1,6 @@ +Currently, the supported back-end policies are: + * OpenSSL library + * GnuTLS library + * OpenJDK + +The rest of the modules ignore the policy settings for the time being. diff --git a/_service b/_service new file mode 100644 index 0000000..c304113 --- /dev/null +++ b/_service @@ -0,0 +1,14 @@ + + + https://gitlab.com/redhat-crypto/fedora-crypto-policies.git + git + %cd.%h + enable + 4d262e79be1cd15c84cad55ad88c53a2d7712e85 + + + *.tar + gz + + + 
diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..5ed3ec5 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://gitlab.com/redhat-crypto/fedora-crypto-policies.git + 4d262e79be1cd15c84cad55ad88c53a2d7712e85 \ No newline at end of file diff --git a/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch b/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch new file mode 100644 index 0000000..c7c3e96 --- /dev/null +++ b/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch 
@@ -0,0 +1,50 @@
+diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol
+--- fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol 2025-01-24 18:31:31.000000000 +0100
++++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol 2025-03-18 14:39:54.565216139 +0100
+@@ -15,9 +15,11 @@
+ 
+ mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
+ mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1
++mac@SSH = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512
+ 
+ group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
++group@SSH = -X25519
+ 
+ hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA3-224 \
+ SHAKE-256
+@@ -53,7 +55,8 @@ cipher@RPM = AES-256-CFB AES-128-CFB CAM
+ 
+ # CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks
+ # and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014).
+-cipher@SSH = -*-CBC
++# disable also chachapoly, as we might run DEFAULT in FIPS mode too.
++cipher@SSH = AES-256-GCM AES-256-CCM CAMELLIA-256-GCM AES-256-CTR AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR
+ 
+ # 'RSA' is intentionally before DHE ciphersuites, as the DHE ciphersuites have
+ # interoperability issues in TLS.
+diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt +--- fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt 2025-03-18 14:40:54.831266197 +0100 +@@ -1,5 +1,5 @@ +-Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +-MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 + GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- + KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 + HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt +--- 
fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt 2025-03-18 15:41:32.234673018 +0100 +@@ -1,7 +1,8 @@ +-Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +-MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 + GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- + KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com + PubkeyAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com + HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com + CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch new file mode 100644 index 0000000..c30993a --- /dev/null +++ b/crypto-policies-FIPS.patch 
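Review bot: `group@SSH = -X25519` is added to DEFAULT.pol, yet the expected outputs updated in the same patch still carry `curve25519-sha256,curve25519-sha256@libssh.org` in `KexAlgorithms` and `gss-curve25519-sha256-` in `GSSAPIKexAlgorithms` as unchanged context lines (both DEFAULT-opensshserver.txt and DEFAULT-openssh.txt), so either the directive has no effect on the generated OpenSSH configuration or those test outputs are stale; if X25519 is really meant to leave SSH key exchange, the Kex lines should change with it. The spec runs the test suite as `%make_build test-install test-fips-setup || :` (visible in the spec hunk of an earlier patch in this series), so such a mismatch would not fail the build and would only surface as lost behaviour at runtime. The explicit `cipher@SSH` list also names CCM and Camellia entries that have no OpenSSH cipher and do not appear in the regenerated `Ciphers` line; a short comment stating that they are intentionally listed would save readers comparing the two. The DEFAULT-openssh.txt hunk additionally gains a `HostKeyAlgorithms` line unrelated to the cipher/MAC change, which deserves a sentence in the patch header saying the outputs were regenerated.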
@@ -0,0 +1,319 @@ +Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup ++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then + exit 1 + fi + ++# This check must be done as root, otherwise it will fail. ++is_transactional_system=0 ++if test ! -w /usr ; then ++ is_transactional_system=1 ++fi ++ ++# We don't handle the setup on transactional systems as the process is ++# quite different and involves several reboots. ++if test "$is_transactional_system" = 1 && test "$check" = 0 ; then ++ cond_echo -n "Cannot handle transactional systems. " ++ cond_echo "Please, refer to the fips-mode-setup man pages for more information." ++ exit 1 ++fi + + # Detect 1: kernel FIPS flag + fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled) +@@ -167,10 +180,10 @@ if test $check = 1 ; then + fi + + # Boot configuration +-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then +- echo >&2 "The grubby command is missing, please configure the bootloader manually." +- boot_config=0 +-fi ++# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then ++# echo >&2 "The grubby command is missing, please configure the bootloader manually." ++# boot_config=0 ++# fi + + if test "$boot_config" = 1 && test ! -d /boot ; then + echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)." +@@ -236,20 +249,42 @@ if test "$boot_config" = 1 ; then + fi + fi + ++if test "$boot_config" = 1 ; then ++ # Install required packages: patterns-base-fips and perl-Bootloader ++ if test ! -f /etc/dracut.conf.d/40-fips.conf && \ ++ test ! -x "$(command -v pbl)" && \ ++ test "$enable_fips" = 1; then ++ zypper -n install patterns-base-fips perl-Bootloader ++ elif test ! 
-f /etc/dracut.conf.d/40-fips.conf && \ ++ test "$enable_fips" = 1 ; then ++ zypper -n install patterns-base-fips ++ elif test ! -x "$(command -v pbl)" ; then ++ zypper -n install perl-Bootloader ++ fi ++ if test $? != 0 ; then ++ echo "The pbl command or the fips pattern are missing, please configure the bootloader manually." ++ boot_config=0 ++ fi ++fi ++ + echo "FIPS mode will be $(enable2txt $enable_fips)." + + fipsopts="fips=$enable_fips$boot_device_opt" + + if test "$boot_config" = 1 ; then +- grubby --update-kernel=ALL --args="$fipsopts" +- if test x"$(uname -m)" = xs390x; then +- if command -v zipl >/dev/null; then +- zipl +- else +- echo -n '`zipl` execution has been skipped: ' +- echo '`zipl` not found.' +- fi +- fi ++ pbl --add-option "$fipsopts" ++ pbl --config; pbl --install && dracut -f --regenerate-all ++ ++ # grubby --update-kernel=ALL --args="$fipsopts" ++ # if test x"$(uname -m)" = xs390x; then ++ # if command -v zipl >/dev/null; then ++ # zipl ++ # else ++ # echo -n '`zipl` execution has been skipped: ' ++ # echo '`zipl` not found.' ++ # fi ++ # fi ++ + echo "Please reboot the system for the setting to take effect." + else + echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" +Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-finish-install ++++ fedora-crypto-policies-20240201.9f501f3/fips-finish-install +@@ -24,6 +24,15 @@ fi + + umask 022 + ++# Install required packages: patterns-base-fips and perl-Bootloader ++if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then ++ zypper -n install patterns-base-fips perl-Bootloader ++elif test ! -f $dracut_cfg ; then ++ zypper -n install patterns-base-fips ++elif test ! -x "$(command -v pbl)" ; then ++ zypper -n install perl-Bootloader ++fi ++ + if test ! -d $dracut_cfg_d -o ! 
-d /boot -o "$is_ostree_system" = 1 ; then + # No dracut configuration or boot directory present, do not try to modify it. + # Also, on OSTree systems, we currently rely on the initrd already including +@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot + exit 0 + fi + +-if test x"$1" == x--complete; then +- trap "rm -f $dracut_cfg" ERR +- cat >$dracut_cfg </dev/null; then +- zipl +- else +- echo '`zipl` execution has been skipped: `zipl` not found.' +- fi +-fi ++# if test x"$1" == x--complete; then ++# trap "rm -f $dracut_cfg" ERR ++# cat >$dracut_cfg </dev/null; then ++# zipl ++# else ++# echo '`zipl` execution has been skipped: `zipl` not found.' ++# fi ++# fi +Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup.8.txt ++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt +@@ -45,6 +45,23 @@ Then the command modifies the boot loade + When disabling the system FIPS mode the system crypto policy is switched + to DEFAULT and the kernel command line option 'fips=0' is set. + ++On transactional systems, enabling the system in FIPS mode with the ++fips-mode-setup tool is not implemented. To enable the FIPS mode in these ++systems requires the following steps: ++ ++ 1.- Install the FIPS pattern on a running system: ++ # transactional-update pkg install -t pattern microos-fips ++ ++ 2.- Reboot your system. ++ ++ 3.- Add the kernel command line parameter fips=1 to the boot loader ++ configuration. To do so, edit the file /etc/default/grub and add ++ fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable. ++ ++ 4.- After logging in to the system, run: ++ # transactional-update grub.cfg ++ ++ 5.- Reboot your system. 
+ + [[options]] + OPTIONS +Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup ++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +@@ -8,7 +8,6 @@ check=0 + boot_config=1 + err_if_disabled=0 + output_text=1 +-uki_file=/sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f + + is_ostree_system=0 + if test -f /run/ostree-booted -o -d /ostree; then +@@ -61,18 +60,13 @@ while test $# -ge 1 ; do + done + + if test $usage = 1 -o x$enable_fips = x ; then +- echo "Check, enable, or disable (unsupported) the system FIPS mode." ++ echo "Check, enable, or disable the system FIPS mode." + echo "usage: $0 --enable|--disable [--no-bootcfg]" + echo "usage: $0 --check" + echo "usage: $0 --is-enabled" + exit 2 + fi + +-if test -e "$uki_file" && test "$FIPS_MODE_SETUP_SKIP_UKI_CHECK" != 1; then +- echo >&2 "UKI detected ($uki_file is present), forcing --no-bootcfg." +- boot_config=0 +-fi +- + # We don't handle the boot config on OSTree systems for now; it is assumed to be + # handled at a higher level. E.g. in Fedora CoreOS and RHEL CoreOS, it is + # intrinsically tied to the firstboot procedure. +@@ -186,12 +180,6 @@ if test $check = 1 ; then + exit 0 + fi + +-# Boot configuration +-# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then +-# echo >&2 "The grubby command is missing, please configure the bootloader manually." +-# boot_config=0 +-# fi +- + if test "$boot_config" = 1 && test ! -d /boot ; then + echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)." + echo >&2 "If you want to configure the bootloader manually, re-run with --no-bootcfg." 
+@@ -204,39 +192,6 @@ if test "$boot_config" = 1 && test -z "$ + exit 1 + fi + +-if test "$FIPS_MODE_SETUP_SKIP_ARGON2_CHECK" != 1 && \ +- test -x "$(command -v cryptsetup)" ; then +- # Best-effort detection of LUKS Argon2 usage +- argon2_found='' +- # two redundant ways to list device names +- devs=$( (find /dev/mapper/ -type l -printf '%f\n'; \ +- dmsetup ls --target crypt | cut -f1) \ +- | sort -u) +- while IFS= read -r devname; do +- back=$(cryptsetup status "$devname" | \ +- grep -F device: | +- sed -E 's/.*device:\s+//') +- if ! test -b "$back"; then +- echo >&2 -n "Warning: detected device '$back' " +- echo >&2 -n 'is not a valid block device. ' +- echo >&2 'Cannot check whether it uses Argon2.' +- continue +- fi +- dump=$(cryptsetup luksDump "$back") +- if grep -qEi 'PBKDF:.*argon' <<<"$dump"; then +- argon2_found+=" $back($devname)" +- fi +- done <<<"$devs" +- if test -n "$argon2_found" ; then +- echo >&2 -n "The following encrypted devices use Argon2 PBKDF:" +- echo >&2 "$argon2_found" +- echo >&2 'Aborting fips-mode-setup because of that.' +- echo >&2 -n 'Please refer to the ' +- echo >&2 'cryptsetup-luksConvertKey(8) manpage.' +- exit 76 +- fi +-fi +- + if test "$FIPS_MODE_SETUP_SKIP_WARNING" != 1 ; then + if test $enable_fips = 1 ; then + echo >&2 "*****************************************************************" +@@ -244,15 +199,13 @@ if test "$FIPS_MODE_SETUP_SKIP_WARNING" + echo >&2 "* *" + echo >&2 "* ENABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED. *" + echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *" +- echo >&2 "* REINSTALL WITH fips=1 INSTEAD. *" + echo >&2 "*****************************************************************" + elif test $enable_fips = 0 ; then + echo >&2 "*****************************************************************" + echo >&2 "* PRESS CONTROL-C WITHIN 15 SECONDS TO ABORT... *" + echo >&2 "* *" +- echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT SUPPORTED. 
*" ++ echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED.*" + echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *" +- echo >&2 "* WIPE ALL MEDIA AND REINSTALL WITHOUT fips=1 INSTEAD. *" + echo >&2 "*****************************************************************" + fi + for i in {15..1}; do +@@ -339,21 +292,10 @@ fipsopts="fips=$enable_fips$boot_device_ + if test "$boot_config" = 1 ; then + pbl --add-option "$fipsopts" + pbl --config; pbl --install && dracut -f --regenerate-all +- +- # grubby --update-kernel=ALL --args="$fipsopts" +- # if test x"$(uname -m)" = xs390x; then +- # if command -v zipl >/dev/null; then +- # zipl +- # else +- # echo -n '`zipl` execution has been skipped: ' +- # echo '`zipl` not found.' +- # fi +- # fi +- +- echo "Please reboot the system for the setting to take effect." ++ echo "Please reboot the system for the settings to take effect." + else + echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" +- echo "and reboot the system for the setting to take effect." ++ echo "and reboot the system for the settings to take effect." + fi + + exit 0 diff --git a/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch b/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch new file mode 100644 index 0000000..2809b12 --- /dev/null +++ b/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch 
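Review bot: In the new `boot_config = 1` branch of fips-mode-setup, `pbl --config; pbl --install && dracut -f --regenerate-all` discards the outcome of every step — the `;` ignores a failed `pbl --config`, and a failed `pbl --install` or `dracut` is neither reported nor acted on — yet the script still prints `Please reboot the system for the settings to take effect.` and finishes with `exit 0`, so a user can reboot into a system whose initrd or kernel command line was never updated. Chain the steps and fail loudly instead: `pbl --add-option "$fipsopts" && pbl --config && pbl --install && dracut -f --regenerate-all || { echo >&2 "Bootloader/initrd update failed, FIPS mode not configured."; exit 1; }`. The same patch deletes the LUKS Argon2 PBKDF detection block (the `FIPS_MODE_SETUP_SKIP_ARGON2_CHECK` section), which guarded against enabling FIPS mode on a system whose encrypted volumes use a PBKDF that is not FIPS-approved and may then fail to unlock; if dropping it is deliberate on SUSE, a sentence in the patch header saying why would keep the next rebase from restoring it. The file also carries two stacked diffs of fips-mode-setup, the second deleting lines the first only commented out; squashing them into one diff would make the intent easier to review.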
@@ -0,0 +1,55 @@ +diff -PpuriN fedora-crypto-policies-orig/policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol +--- fedora-crypto-policies-orig/policies/DEFAULT.pol 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol 2025-03-11 14:09:01.796831654 +0100 +@@ -1,7 +1,6 @@ + # A reasonable default for today's standards. It should provide + # 112-bit security with the exception of SHA1 signatures in DNSSec. + # SHA1 is allowed in HMAC where collision attacks do not matter. +-# OpenSSL distrusts signatures using SHA-1 (Changes/OpenSSLDistrustSHA1SigVer). + + # MACs: all HMAC with SHA1 or better + all modern MACs (Poly1305 etc) + # Curves: all prime >= 255 bits (including Bernstein curves) +@@ -88,6 +87,3 @@ etm@SSH = ANY + sign@RPM = DSA-SHA1+ + hash@RPM = SHA1+ + min_dsa_size@RPM = 1024 +- +-# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer +-__openssl_block_sha1_signatures = 1 +diff -PpuriN fedora-crypto-policies-orig/tests/alternative-policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/tests/alternative-policies/DEFAULT.pol +--- fedora-crypto-policies-orig/tests/alternative-policies/DEFAULT.pol 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/alternative-policies/DEFAULT.pol 2025-03-11 13:53:52.231005482 +0100 +@@ -91,6 +91,3 @@ ssh_etm = 1 + sign@rpm-sequoia = DSA-SHA1+ + hash@rpm-sequoia = SHA1+ + min_dsa_size@rpm-sequoia = 1024 +- +-# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer +-__openssl_block_sha1_signatures = 1 +diff -PpuriN fedora-crypto-policies-orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:GOST-opensslcnf.txt +--- fedora-crypto-policies-orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:GOST-opensslcnf.txt 2025-03-11 14:10:14.134767876 
+0100 +@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1 + alg_section = evp_properties + + [evp_properties] +-rh-allow-sha1-signatures = no ++rh-allow-sha1-signatures = yes +diff -PpuriN fedora-crypto-policies-orig/tests/outputs/DEFAULT-opensslcnf.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensslcnf.txt +--- fedora-crypto-policies-orig/tests/outputs/DEFAULT-opensslcnf.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensslcnf.txt 2025-03-11 14:09:55.798784042 +0100 +@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1 + alg_section = evp_properties + + [evp_properties] +-rh-allow-sha1-signatures = no ++rh-allow-sha1-signatures = yes +diff -PpuriN fedora-crypto-policies-orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt +--- fedora-crypto-policies-orig/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 2025-03-11 14:10:42.542742833 +0100 +@@ -11,4 +11,4 @@ Groups = ?x25519_kyber768:?p256_kyber768 + alg_section = evp_properties + + [evp_properties] +-rh-allow-sha1-signatures = no ++rh-allow-sha1-signatures = yes diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch new file mode 100644 index 0000000..005a9a8 --- /dev/null +++ b/crypto-policies-no-build-manpages.patch 
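Review bot: After dropping `__openssl_block_sha1_signatures = 1` (and with the expected outputs flipping to `rh-allow-sha1-signatures = yes`), the retained header line `# 112-bit security with the exception of SHA1 signatures in DNSSec.` in DEFAULT.pol no longer describes the policy, because OpenSSL under DEFAULT now accepts SHA-1 signatures generally rather than only in DNSSEC. Suggest replacing that line with `# 112-bit security, except that SHA1 signatures are still accepted by OpenSSL (rh-allow-sha1-signatures = yes) for compatibility.` so the relaxation is visible where the policy is read, not only in the patch file name. The same applies to tests/alternative-policies/DEFAULT.pol if it carries the same header; its first lines are outside this hunk.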
@@ -0,0 +1,28 @@
+Index: fedora-crypto-policies-20250124.4d262e7/Makefile
+===================================================================
+--- fedora-crypto-policies-20250124.4d262e7.orig/Makefile
++++ fedora-crypto-policies-20250124.4d262e7/Makefile
+@@ -34,9 +34,9 @@ install: $(MANPAGES)
+ mkdir -p $(DESTDIR)$(BINDIR)
+ mkdir -p $(DESTDIR)$(LIBEXECDIR)
+ mkdir -p $(DESTDIR)$(UNITDIR)
+- install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+- install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+- install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
++ # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
++ # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
++ # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+ install -p -m 644 $(UNITS) $(DESTDIR)$(UNITDIR)
+ install -p -m 755 $(LIBEXEC_SCRIPTS) $(DESTDIR)$(LIBEXECDIR)
+ mkdir -p $(DESTDIR)$(DIR)/
+@@ -133,8 +133,8 @@ clean:
+ rm -rf output
+ 
+ %: %.txt
+- $(ASCIIDOC) -v -d manpage -b docbook $<
+- xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
++ #$(ASCIIDOC) -v -d manpage -b docbook $<
++ #xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
+ 
+ dist:
+ rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
diff --git a/crypto-policies-nss.patch b/crypto-policies-nss.patch
new file mode 100644
index 0000000..a00acba
--- /dev/null
+++ b/crypto-policies-nss.patch
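Review bot: The patch also comments out `install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)`, which neither the patch name nor the spec's one-line description ("Manpages build cycles and dependencies") covers; if the spec installs whatever `$(SCRIPTS)` holds by hand, say so in the patch header, otherwise `make install` silently stops shipping those scripts. With the `%: %.txt` recipe reduced to two commented lines, `install: $(MANPAGES)` still fires the pattern rule for each man page and produces no file, so the target keeps "succeeding" without them — presumably the intent, but it deserves a sentence in the patch header too. Style-wise, six commented-out recipe lines are dead code that must be re-applied on every rebase (the changelog shows this patch rebased repeatedly); gating the man-page install lines and the `%: %.txt` recipe behind a parse-time conditional such as `ifeq ($(SKIP_MANPAGES),)` … `endif` would let the spec pass `SKIP_MANPAGES=1` and be a smaller, more robust patch.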
@@ -0,0 +1,42 @@
+Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
+===================================================================
+--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/nss.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
+@@ -422,12 +422,20 @@ class NSSGenerator(ConfigGenerator):
+ try:
+ with os.fdopen(fd, 'w') as f:
+ f.write(config)
+- try:
+- ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+- '>/dev/null',
+- shell=True)
+- except CalledProcessError:
+- cls.eprint("/usr/bin/nss-policy-check: Execution failed")
++ if os.path.exists('/usr/bin/nss-policy-check'):
++ # Perform a policy check only if the mozilla-nss-tools
++ # package is installed. This avoids adding more
++ # dependencies to Ring0.
++ try:
++ ret = call(f'/usr/bin/nss-policy-check {options} {path}'
++ '>/dev/null', shell=True)
++ except CalledProcessError:
++ cls.eprint("/usr/bin/nss-policy-check: Execution failed")
++ else:
++ # The mozilla-nss-tools package is not installed and we can
++ # temporarily skip the policy check for mozilla-nss.
++ ret = 3
++
+ finally:
+ os.unlink(path)
+ 
+@@ -435,6 +443,10 @@ class NSSGenerator(ConfigGenerator):
+ cls.eprint("There is a warning in NSS generated policy")
+ cls.eprint(f'Policy:\n{config}')
+ return False
++ elif ret == 3:
++ cls.eprint('Skipping NSS policy check: '
++ '/usr/bin/nss-policy-check not found')
++ return True
+ if ret:
+ cls.eprint("There is an error in NSS generated policy")
+ cls.eprint(f'Policy:\n{config}')
diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch
new file mode 100644
index 0000000..d2b0a9c
--- /dev/null
+++ b/crypto-policies-policygenerators.patch
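Review bot: The sentinel `ret = 3` in the new else branch reuses the variable that otherwise holds nss-policy-check's exit status, so if the tool ever exits with status 3 the later `elif ret == 3:` branch prints "Skipping NSS policy check" and returns True — a failed validation of the generated NSS policy would be reported as success. Use a value that cannot collide with an exit status: `ret = None` in the else branch and `elif ret is None:` in the second hunk, with the eprint text unchanged. The enclosing method starts and ends outside the hunk, so also confirm `ret` is assigned on every path before the comparison chain; the "not found" message should probably also mention that the policy was written unchecked, since that is what the caller will act on.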
@@ -0,0 +1,40 @@
+Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
+===================================================================
+--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/__init__.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
+@@ -7,7 +7,7 @@ from .bind import BindGenerator
+ from .gnutls import GnuTLSGenerator
+ from .java import JavaGenerator
+ from .krb5 import KRB5Generator
+-from .libreswan import LibreswanGenerator
++# from .libreswan import LibreswanGenerator
+ from .libssh import LibsshGenerator
+ from .nss import NSSGenerator
+ from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
+@@ -16,14 +16,13 @@ from .openssl import (
+ OpenSSLFIPSGenerator,
+ OpenSSLGenerator,
+ )
+-from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
++#from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
+ 
+ __all__ = [
+ 'BindGenerator',
+ 'GnuTLSGenerator',
+ 'JavaGenerator',
+ 'KRB5Generator',
+- 'LibreswanGenerator',
+ 'LibsshGenerator',
+ 'NSSGenerator',
+ 'OpenSSHClientGenerator',
+@@ -31,6 +30,8 @@ __all__ = [
+ 'OpenSSLConfigGenerator',
+ 'OpenSSLFIPSGenerator',
+ 'OpenSSLGenerator',
+- 'RPMSequoiaGenerator',
+- 'SequoiaGenerator',
+ ]
++
++ # 'LibreswanGenerator',
++ # 'RPMSequoiaGenerator',
++ # 'SequoiaGenerator',
diff --git a/crypto-policies-pylint.patch b/crypto-policies-pylint.patch
new file mode 100644
index 0000000..717f30a
--- /dev/null
+++ b/crypto-policies-pylint.patch
@@ -0,0 +1,15 @@
+Index: fedora-crypto-policies-20230614.5f3458e/Makefile
+===================================================================
+--- fedora-crypto-policies-20230614.5f3458e.orig/Makefile
++++ fedora-crypto-policies-20230614.5f3458e/Makefile
+@@ -44,8 +44,8 @@ runflake8:
+ @find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8
+ 
+ runpylint:
+- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc python
+- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc tests
++ PYTHONPATH=. pylint --rcfile=pylintrc python
++ PYTHONPATH=. pylint --rcfile=pylintrc tests
+ @echo "[ OK ]"
+ 
+ runcodespell:
diff --git a/crypto-policies-rpmlintrc b/crypto-policies-rpmlintrc
new file mode 100644
index 0000000..6fdbe70
--- /dev/null
+++ b/crypto-policies-rpmlintrc
@@ -0,0 +1,3 @@
+addFilter(".*files-duplicate.*")
+addFilter(".*zero-length.*")
+addFilter(".non-conffile-in-etc.*")
diff --git a/crypto-policies-supported.patch b/crypto-policies-supported.patch
new file mode 100644
index 0000000..bf29719
--- /dev/null
+++ b/crypto-policies-supported.patch
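Review bot: `addFilter(".non-conffile-in-etc.*")` in the new rpmlintrc is missing the `*` after the leading `.` that the other two filters carry; it evidently still matches because rpmlint's message has the package name in front of the tag, so a single arbitrary character satisfies the `.`, but it reads as a typo and will puzzle the next editor — `addFilter(".*non-conffile-in-etc.*")`. Suppressing non-conffile-in-etc is a packaging decision that hides any genuinely missing `%config` marking under /etc/crypto-policies, so a one-line comment above the filters saying why those warnings are acceptable for this package would help reviewers judge the suppression.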
@@ -0,0 +1,37 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt
++++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+@@ -54,23 +54,23 @@ are configured to follow the default pol
+ The generated back-end policies will be placed in /etc/crypto-policies/back-ends.
+ Currently the supported back-ends (and directive scopes they respect) are:
+ 
+-* GnuTLS library (GnuTLS, SSL, TLS)
++* GnuTLS library (GnuTLS, SSL, TLS) (Supported)
+ 
+-* OpenSSL library (OpenSSL, SSL, TLS)
++* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
+ 
+-* NSS library (NSS, SSL, TLS)
++* NSS library (NSS, SSL, TLS) (Supported)
+ 
+-* OpenJDK (java-tls, SSL, TLS)
++* OpenJDK (java-tls, SSL, TLS) (Supported)
+ 
+-* Libkrb5 (krb5, kerberos)
++* Libkrb5 (krb5, kerberos) (Supported)
+ 
+-* BIND (BIND, DNSSec)
++* BIND (BIND, DNSSec) (Supported)
+ 
+-* OpenSSH (OpenSSH, SSH)
++* OpenSSH (OpenSSH, SSH) (Supported)
+ 
+-* Libreswan (libreswan, IKE, IPSec)
++* Libreswan (libreswan, IKE, IPSec) (Not supported as its not available in SLE/openSUSE)
+ 
+-* libssh (libssh, SSH)
++* libssh (libssh, SSH) (Supported)
+ 
+ Applications and languages which rely on any of these back-ends will follow
+ the system policies as well. Examples are apache httpd, nginx, php, and
diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz
new file mode 100644
index 0000000..1f0f2a3
--- /dev/null
+++ b/crypto-policies.7.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a455bfe2ea82738a0237e3ab8c11256f78219436a1dbcc9c3ff0cb7f6a2019b
+size 7675
diff --git a/crypto-policies.changes b/crypto-policies.changes
new file mode 100644
index 0000000..d50505f
--- /dev/null
+++ b/crypto-policies.changes
@@ -0,0 +1,496 @@ +------------------------------------------------------------------- +Thu Mar 27 10:37:18 UTC 2025 - Pedro Monreal + +- Relax the nss version requirement since the mlkem768secp256r1 + enablement has been reverted. + +------------------------------------------------------------------- +Tue Mar 18 13:45:44 UTC 2025 - Pedro Monreal + +- Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370] + * Add crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch + +------------------------------------------------------------------- +Tue Mar 11 12:40:44 UTC 2025 - Pedro Monreal + +- Enable SHA1 sigver in the DEFAULT policy. + * Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch + +------------------------------------------------------------------- +Fri Feb 28 13:18:00 UTC 2025 - Pedro Monreal + +- Fix fips-mode-setup in EFI or Secure Boot mode. [bsc#1227637] + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal + +- Remove dangling symlink for the libreswan config [bsc#1236858] +- Remove also sequoia config and generator files +- Remove not needed fips bind mount service + +------------------------------------------------------------------- +Tue Feb 04 10:18:07 UTC 2025 - Pedro Monreal + +- Update to version 20250124.4d262e7: [bsc#1239009, bsc#1236165] + * openssl: stricter enabling of Ciphersuites + * openssl: make use of -CBC and -AESGCM keywords + * openssl: add TLS 1.3 Brainpool identifiers + * fix warning on using experimental key_exchanges + * update-crypto-policies: don't output FIPS warning in fips mode + * openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256 + * openssh, libssh: refactor kx maps to use tuples + * alg_lists: mark MLKEM768/SNTRUP kex experimental + * nss: revert enabling mlkem768secp256r1 + * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber + * gnutls: add GROUP-X25519-MLKEM768 and 
GROUP-SECP256R1-MLKEM768 + * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768 + * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768 + * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256 + * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384... + * python/update-crypto-policies: pacify pylint + * fips-mode-setup: tolerate fips dracut module presence w/o FIPS + * fips-mode-setup: small Argon2 detection fix + * SHA1: add __openssl_block_sha1_signatures = 0 + * fips-mode-setup: block if LUKS devices using Argon2 are detected + * update-crypto-policies: skip warning on --set=FIPS if bootc + * fips-setup-helper: skip warning, BTW + * fips-mode-setup: force --no-bootcfg when UKI is detected + * fips-setup-helper: add a libexec helper for anaconda + * fips-crypto-policy-overlay: automount FIPS policy + * openssh: make dss no longer enableble, support is dropped + * gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768 + * DEFAULT: switch to rh-allow-sha1-signatures = no... + * java: drop unused javasystem backend + * java: stop specifying jdk.tls.namedGroups in javasystem + * ec_min_size: introduce and use in java, default to 256 + * java: use and include jdk.disabled.namedCurves + * BSI: Update BSI policy for new 2024 minimum recommendations + * fips-mode-setup: flashy ticking warning upon use + * fips-mode-setup: add another scary "unsupported" + * CONTRIBUTING.md: add a small section on updating policies + * CONTRIBUTING.md: remove trailing punctuation from headers + * BSI: switch to 3072 minimum RSA key size + * java: make hash, mac and sign more orthogonal + * java: specify jdk.tls.namedGroups system property + * java: respect more key size restrictions + * java: disable anon ciphersuites, tying them to NULL... 
+ * java: start controlling / disable DTLSv1.0 + * nss: wire KYBER768 to XYBER768D00 + * nss: unconditionally load p11-kit-proxy.so + * gnutls: make DTLS0.9 controllable again + * gnutls: retire GNUTLS_NO_TLS_SESSION_HASH + * openssh: remove OPENSSH_MIN_RSA_SIZE / OPENSSH_MIN_RSA_SIZE_FORCE + * gnutls: remove extraneous newline + * sequoia: move away from subprocess.getstatusoutput + * python/cryptopolicies/cryptopolicies.py: add trailing commas + * python, tests: rename MalformedLine to MalformedLineError + * Makefile: introduce SKIP_LINTING flag for packagers to use + * Makefile: run ruff + * tests: use pathlib + * tests: run(check=True) + CalledProcessError where convenient + * tests: use subprocess.run + * tests/krb5.py: check all generated policies + * tests: print to stderr on error paths + * tests/nss.py: also use encoding='utf-8' + * tests/nss.py: also use removesuffix + * tests/nss.py: skip creating tempfiles + * tests/java.pl -> tests/java.py + * tests/gnutls.pl -> tests/gnutls.py + * tests/openssl.pl -> tests/openssl.py + * tests/verify-output.pl: remove + * libreswan: do not use up pfs= / ikev2= keywords for default behaviour + * Rebase patches: + - crypto-policies-no-build-manpages.patch + - crypto-policies-policygenerators.patch + - crypto-policies-supported.patch + - crypto-policies-nss.patch + +------------------------------------------------------------------- +Wed Nov 06 12:27:56 UTC 2024 - Pedro Monreal + +- Update to version 20241010.5930b9a: + * LEGACY: enable 192-bit ciphers for nss pkcs12/smime + * nss: be stricter with new purposes + * nss: rewrite backend for 3.101 + * cryptopolicies: parent scopes for dumping purposes + * policygenerators: move scoping inside generators + * TEST-PQ: disable pure Kyber768 + * nss: wire XYBER768D00 to X25519-KYBER768 + * TEST-PQ: update + * TEST-PQ: also enable sntrup761x25519-sha512@openssh.com + * TEST-PQ, alg_lists, openssl: enable more experimental `sign` values + * TEST-PQ, python: add more groups, mark 
experimental + * openssl: mark liboqsprovider groups optional with ? + * Remove patches: + - crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Tue Feb 06 10:29:11 UTC 2024 - Pedro Monreal + +- Update to version 20240201.9f501f3: + * .gitlab-ci.yml: install sequoia-policy-config + * java: disable ChaCha20-Poly1305 where applicable + * fips-mode-setup: make sure ostree is detected in chroot + * fips-finish-install: make sure ostree is detected in chroot + * TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl + * TEST-PQ: add a no-op subpolicy + * update-crypto-policies: Keep mid-sentence upper case + * fips-mode-setup: Write error messages to stderr + * fips-mode-setup: Fix some shellcheck warnings + * fips-mode-setup: Fix test for empty /boot + * fips-mode-setup: Avoid 'boot=UUID=' if /boot == / + * Update man pages + * Rebase patches: + - crypto-policies-FIPS.patch + - crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Mon Feb 02 08:34:40 UTC 2024 - Pedro Monreal + +- Update to version 20231108.adb5572b: + * Print matches in syntax deprecation warnings + * Restore support for scoped ssh_etm directives + * fips-mode-setup: Fix usage with --no-bootcfg + * turn ssh_etm into an etm@SSH tri-state + * fips-mode-setup: increase chroot-friendliness + * bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx + * pylintrc: use-implicit-booleaness-not-comparison-to-* + +------------------------------------------------------------------- +Tue Jan 30 18:36:34 UTC 2024 - Dirk Müller + +- avoid the cycle rpm/cmake/crypto-policies/python-rpm-macros: + we only need python3-base here, we don't need the python + macros as no module is being built + +------------------------------------------------------------------- +Thu Oct 5 12:35:57 UTC 2023 - Daniel Garcia + +- Remove dependency on /usr/bin/python3, making scripts to 
depends on + the real python3 binary, not the link. bsc#1212476 + +------------------------------------------------------------------- +Wed Sep 27 10:54:17 UTC 2023 - Pedro Monreal + +- nss: Skip the NSS policy check if the mozilla-nss-tools package + is not installed. This avoids adding more dependencies in ring0. + * Add crypto-policies-nss.patch [bsc#1211301] + +------------------------------------------------------------------- +Fri Sep 22 10:27:53 UTC 2023 - Pedro Monreal + +- Update to version 20230920.570ea89: + * fips-mode-setup: more thorough --disable, still unsupported + * FIPS:OSPP: tighten beyond reason for OSPP 4.3 + * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones + * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS) + * gnutls: prepare for tls-session-hash option coming + * nss: prepare for TLS-REQUIRE-EMS option coming + * NO-ENFORCE-EMS: add subpolicy + * FIPS: set __ems = ENFORCE + * cryptopolicies: add enums and __ems tri-state + * docs: replace `FIPS 140-2` with just `FIPS 140` + * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE + * cryptopolicies: add comments on dunder options + * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check + * BSI: start a BSI TR 02102 policy [jsc#PED-4933] + * Rebase patches: + - crypto-policies-policygenerators.patch + - crypto-policies-revert-rh-allow-sha1-signatures.patch + - crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Sep 15 11:23:06 UTC 2023 - Pedro Monreal + +- Conditionally recommend the crypto-policies-scripts package + when python is not installed in the system [bsc#1215201] + +------------------------------------------------------------------- +Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal + +- Tests: Fix pylint versioning for TW and fix the parsing of the + policygenerators to account for the commented lines correctly. 
+ * Add crypto-policies-pylint.patch + * Rebase crypto-policies-policygenerators.patch + +------------------------------------------------------------------- +Tue Aug 1 12:23:33 UTC 2023 - Pedro Monreal + +- FIPS: Adapt the fips-mode-setup script to use the pbl command + from the perl-Bootloader package to replace grubby. Add a note + for transactional systems [jsc#PED-5041]. + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Jul 14 14:59:06 UTC 2023 - Marcus Meissner + +- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933) + derived from NEXT.pol + +------------------------------------------------------------------- +Thu Jul 13 06:36:20 UTC 2023 - Pedro Monreal + +- Update to version 20230614.5f3458e: + * policies: impose old OpenSSL groups order for all back-ends + * Rebase patches: + - crypto-policies-revert-rh-allow-sha1-signatures.patch + - crypto-policies-supported.patch + +------------------------------------------------------------------- +Thu May 25 11:28:12 UTC 2023 - Pedro Monreal + +- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup + and fips-finish-install commands, add also the man pages. The + required FIPS modules are left to be installed by the user. + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Wed May 24 20:04:20 UTC 2023 - Pedro Monreal + +- Revert a breaking change that introduces the config option + rh-allow-sha1-signatures that is unkown to OpenSSL and fails + on startup. We will consider adding this option to openssl. + * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494 + * Add crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Mon May 8 09:45:45 UTC 2023 - Pedro Monreal + +- Update the update-crypto-policies(8) man pages and README.SUSE + to mention the supported back-end policies. 
[bsc#1209998] + * Add crypto-policies-supported.patch + +------------------------------------------------------------------- +Mon May 08 06:32:49 UTC 2023 - Pedro Monreal + +- Update to version 20230420.3d08ae7: + * openssl, alg_lists: add brainpool support + * openssl: set Groups explicitly + * codespell: ignore aNULL + * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960 + * sequoia: add separate rpm-sequoia backend + * crypto-policies.7: state upfront that FUTURE is not so interoperable + * Makefile: update for asciidoc 10 + * Skip not needed LibreswanGenerator and SequoiaGenerator: + - Add crypto-policies-policygenerators.patch + * Remove crypto-policies-test_supported_modules_only.patch + * Rebase crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Fri Jan 20 09:25:22 UTC 2023 - Pedro Monreal + +- Update to version 20221214.a4c31a3: + * bind: expand the list of disableable algorithms + * libssh: Add support for openssh fido keys + * .gitlab-ci.yml: install krb5-devel for krb5-config + * sequoia: check using sequoia-policy-config-check + * sequoia: introduce new back-end + * Makefile: support overriding asciidoc executable name + * openssh: make none and auto explicit and different + * openssh: autodetect and allow forcing RequiredRSASize presence/name + * openssh: remove _pre_8_5_ssh + * pylintrc: update + * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..." + * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"... 
+ * Makefile: exclude built manpages from codespell + * add openssh HostbasedAcceptedAlgorithms + * openssh: add RSAMinSize option following min_rsa_size + * Revert ".gitlab-ci.yml: skip pylint (bz2069837)" + * docs: add customization recommendation + * tests/java: fix java.security.disableSystemPropertiesFile=true + * policies: add FEDORA38 and TEST-FEDORA39 + * bind: control ED25519/ED448 + * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 + * .gitlab-ci.yml: skip pylint (bz2069837) + * openssh: add support for sntrup761x25519-sha512@openssh.com + * fips-mode-setup: fix one unrelated check to intended state + * fips-mode-setup, fips-finish-install: abandon /etc/system-fips + * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT + * fips-mode-setup: catch more inconsistencies, clarify --check + * fips-mode-setup: improve handling FIPS plus subpolicies + * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3 + * gnutls: enable SHAKE, needed for Ed448 + * gnutls: use allowlisting + * openssl: add newlines at the end of the output + * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-* + * fips-mode-setup, fips-finish-install: call zipl more often + * Add crypto-policies-rpmlintrc file to avoid files-duplicate, + zero-length and non-conffile-in-etc warnings. 
+ * Rebase patches: + - crypto-policies-FIPS.patch + - crypto-policies-no-build-manpages.patch + * Update README.SUSE + +------------------------------------------------------------------- +Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal + +- Remove the scripts and documentation regarding + fips-finish-install and test-fips-setup + * Add crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Sep 24 09:34:03 UTC 2021 - Pedro Monreal + +- Update to version 20210917.c9d86d1: + * openssl: fix disabling ChaCha20 + * pacify pylint 2.11: use format strings + * pacify pylint 2.11: specify explicit encoding + * fix minor things found by new pylint + * update-crypto-policies: --check against regenerated + * update-crypto-policies: fix --check's walking order + * policygenerators/gnutls: revert disabling DTLS0.9... + * policygenerators/java: add javasystem backend + * LEGACY: bump 1023 key size to 1024 + * cryptopolicies: fix 'and' in deprecation warnings + * *ssh: condition ecdh-sha2-nistp384 on SECP384R1 + * nss: hopefully the last fix for nss sigalgs check + * cryptopolicies: Python 3.10 compatibility + * nss: postponing check + testing at least something + * Rename 'policy modules' to 'subpolicies' + * validation.rules: fix a missing word in error + * cryptopolicies: raise errors right after warnings + * update-crypto-policies: capitalize warnings + * cryptopolicies: syntax-precheck scope errors + * .gitlab-ci.yml, Makefile: enable codespell + * all: fix several typos + * docs: don't leave zero TLS/DTLS protocols on + * openssl: separate TLS/DTLS MinProtocol/MaxProtocol + * alg_lists: order protocols new-to-old for consistency + * alg_lists: max_{d,}tls_version + * update-crypto-policies: fix pregenerated + local.d + * openssh: allow validation with pre-8.5 + * .gitlab-ci.yml: run commit-range against upstream + * openssh: Use the new name for PubkeyAcceptedKeyTypes + * sha1_in_dnssec: deprecate + * .gitlab-ci.yml: test commit 
ranges + * FIPS:OSPP: sign = -*-SHA2-224 + * scoped policies: documentation update + * scoped policies: use new features to the fullest... + * scoped policies: rewrite + minimal policy changes + * scoped policies: rewrite preparations + * nss: postponing the version check again, to 3.64 +- Remove patches fixed upstream: crypto-policies-typos.patch +- Rebase: crypto-policies-test_supported_modules_only.patch +- Merge crypto-policies-asciidoc.patch into + crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Thu Feb 25 12:05:39 UTC 2021 - Pedro Monreal + +- Update to version 20210225.05203d2: + * Disable DTLS0.9 protocol in the DEFAULT policy. + * policies/FIPS: insignificant reformatting + * policygenerators/libssh: respect ssh_certs + * policies/modules/OSPP: tighten to follow RHEL 8 + * crypto-policies(7): drop not-reenableable comment + * follow up on disabling RC4 + +------------------------------------------------------------------- +Thu Feb 25 11:59:44 UTC 2021 - Pedro Monreal + +- Remove not needed scripts: fips-finish-install fips-mode-setup + +------------------------------------------------------------------- +Wed Feb 24 16:22:08 UTC 2021 - Pedro Monreal + +- Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938] + * The minimum DTLS protocol version in the DEFAULT and FUTURE + policies is DTLS1.2. 
+ * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e + +------------------------------------------------------------------- +Wed Feb 17 12:36:05 UTC 2021 - Pedro Monreal + +- Update to version 20210213.5c710c0: [bsc#1180938] + * setup_directories(): perform safer creation of directories + * save_config(): avoid re-opening output file for each iteration + * save_config(): break after first match to avoid unnecessary stat() calls + * CryptoPolicy.parse(): actually stop parsing line on syntax error + * ProfileConfig.parse_string(): correctly extended subpolicies + * Exclude RC4 from LEGACY + * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT + * code style: fix 'not in' membership testing + * pylintrc: tighten up a bit + * formatting: avoid long lines + * formatting: use f-strings instead of format() + * formatting: reformat all python code with autopep8 + * nss: postponing the version check again, to 3.61 + * Revert "Unfortunately we have to keep ignoring the openssh check for sk-" + +------------------------------------------------------------------- +Tue Feb 9 10:50:47 UTC 2021 - Dominique Leuenberger + +- Use tar_scm service, not obs_scm: With crypto-policies entering + Ring0 (distro bootstrap) we want to be sure to keep the buildtime + deps as low as possible. +- Add python3-base BuildRequires: previously, OBS' tar service + pulled this in for us. 
+ +------------------------------------------------------------------- +Mon Feb 8 11:45:38 UTC 2021 - Pedro Monreal + +- Add a BuildIgnore for crypto-policies + +------------------------------------------------------------------- +Mon Feb 8 11:22:31 UTC 2021 - Pedro Monreal + +- Use gzip instead of xz in obscpio and sources + +------------------------------------------------------------------- +Fri Feb 5 10:57:46 UTC 2021 - Pedro Monreal + +- Do not build the manpages to avoid build cycles +- Add crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Tue Feb 2 17:38:27 UTC 2021 - Dominique Leuenberger + +- Convert to use a proper git source _service: + + To update, one just needs to update the commit/revision in the + _service file and run `osc service dr`. + + The version of the package is defined by the commit date of the + revision, followed by the abbreviated git hash (The same + revision used before results thus in a downgrade to 20210118, + but as this is a alltime new package, this is acceptable. 
+ +------------------------------------------------------------------- +Tue Feb 2 12:33:19 UTC 2021 - Pedro Monreal + +- Update to git version 20210127 + * Bump Python requirement to 3.6 + * Output sigalgs required by nss >=3.59 + * Do not require bind during build + * Break build cycles with openssl and gnutls + +------------------------------------------------------------------- +Thu Jan 21 14:44:07 UTC 2021 - Pedro Monreal + +- Update to git version 20210118 + * Output sigalgs required by nss >=3.59 + * Bump Python requirement to 3.6 + * Kerberos 5: Fix policy generator to account for macs + * Add AES-192 support (non-TLS scenarios) + * Add documentation of the --check option + +------------------------------------------------------------------- +Thu Jan 21 14:42:13 UTC 2021 - Pedro Monreal + +- Fix the man pages generation +- Add crypto-policies-asciidoc.patch + +------------------------------------------------------------------- +Thu Jan 21 09:56:42 UTC 2021 - Pedro Monreal + +- Test only supported modules +- Add crypto-policies-test_supported_modules_only.patch + +------------------------------------------------------------------- +Tue Dec 22 10:50:36 UTC 2020 - Pedro Monreal + +- Add crypto-policies-typos.patch to fix some typos + +------------------------------------------------------------------- +Thu Nov 12 08:20:19 UTC 2020 - Vítězslav Čížek + +- Initial packaging, git version 20200918 (jsc#SLE-15832) diff --git a/crypto-policies.spec b/crypto-policies.spec new file mode 100644 index 0000000..735be09 --- /dev/null +++ b/crypto-policies.spec 
@@ -0,0 +1,294 @@
+#
+# spec file for package crypto-policies
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+# testsuite is disabled by default
+%bcond_with testsuite
+# manbuild is disabled by default
+%bcond_with manbuild
+%global _python_bytecompile_extra 0
+
+Name: crypto-policies
+Version: 20250124.4d262e7
+Release: 0
+Summary: System-wide crypto policies
+License: LGPL-2.1-or-later
+Group: Productivity/Networking/Security
+URL: https://gitlab.com/redhat-crypto/fedora-%{name}
+Source0: fedora-%{name}-%{version}.tar.gz
+Source1: README.SUSE
+Source2: crypto-policies.7.gz
+Source3: update-crypto-policies.8.gz
+Source4: fips-mode-setup.8.gz
+Source5: fips-finish-install.8.gz
+Source6: crypto-policies-rpmlintrc
+%if %{without manbuild}
+#PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
+# To reduce the build dependencies in Ring0, we have to compile the
+# man pages locally (use --with testsuite) and add the built files
+# crypto-policies.7.gz, update-crypto-policies.8.gz, fips-mode-setup.8.gz
+# and fips-finish-install.8.gz as sources.
+Patch1: crypto-policies-no-build-manpages.patch
+%endif
+#PATCH-FIX-OPENSUSE Skip not needed LibreswanGenerator and SequoiaGenerator
+Patch2: crypto-policies-policygenerators.patch
+#PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
+Patch3: crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
+Patch5: crypto-policies-pylint.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
+Patch6: crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
+Patch7: crypto-policies-nss.patch
+#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT
+Patch8: crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
+#PATCH-FIX-OPENSUSE Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
+Patch9: crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
+BuildRequires: python3-base >= 3.11
+%if %{with manbuild}
+BuildRequires: asciidoc
+%endif
+%if %{with testsuite}
+# The following packages are needed for the testsuite
+BuildRequires: bind
+BuildRequires: crypto-policies-scripts
+BuildRequires: gnutls
+BuildRequires: java-devel
+BuildRequires: libxslt
+BuildRequires: mozilla-nss-tools
+BuildRequires: openssh-clients
+BuildRequires: openssl
+BuildRequires: python-rpm-macros
+BuildRequires: python3-devel >= 3.11
+BuildRequires: python3-pytest
+BuildRequires: systemd-rpm-macros
+%else
+# Avoid cycle with python-rpm-macros
+#!BuildIgnore: python-rpm-packaging python-rpm-macros
+%endif
+%if 0%{?primary_python:1}
+Recommends: crypto-policies-scripts
+%endif
+Conflicts: gnutls < 3.8.8
+Conflicts: nss < 3.101
+Conflicts: openssh < 9.9p1
+Conflicts: openssl < 3.0.2
+#!BuildIgnore: crypto-policies
+BuildArch: noarch
+
+%description
+This package provides pre-built configuration files with
+cryptographic policies for various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+%package scripts
+Summary: Tool to switch between crypto policies
+Requires: %{name} = %{version}-%{release}
+Recommends: perl-Bootloader
+Provides: fips-mode-setup = %{version}-%{release}
+
+%description scripts
+This package provides a tool update-crypto-policies, which applies
+the policies provided by the crypto-policies package. These can be
+either the pre-built policies from the base package or custom policies
+defined in simple policy definition files.
+
+The package also provides a tool fips-mode-setup, which can be used
+to enable or disable the system FIPS mode.
+
+%prep
+%autosetup -p1 -n fedora-%{name}-%{version}
+
+# Make README.SUSE available for %%doc
+cp -p %{SOURCE1} .
+
+%build
+export OPENSSL_CONF=''
+%make_build
+
+%install
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
+mkdir -p -m 755 %{buildroot}%{_bindir}
+
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+mkdir -p -m 755 %{buildroot}%{_mandir}/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+%if %{without manbuild}
+# Install the manpages from defined sources
+cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
+%endif
+
+# Install the executable scripts
+install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
+install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
+install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
+
+# Drop pre-generated GOST-ONLY and FEDORA policies, we do not need to ship them
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
+
+# Drop libreswan and sequoia config files
+find %{buildroot} -type f -name 'libreswan.*' -print -delete
+find %{buildroot} -type f -name 'sequoia.*' -print -delete
+
+# Drop not needed fips bind mount service
+find %{buildroot} -type f -name 'default-fips-config' -print -delete
+find %{buildroot} -type f -name 'fips-setup-helper' -print -delete
+find %{buildroot} -type f -name 'fips-crypto-policy-overlay*' -print -delete
+
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
+ mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+ for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+ ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+ done
+done
+
+for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
+ ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
+done
+
+# Fix shebang in scripts
+for f in %{buildroot}%{_datadir}/crypto-policies/python/*
+do
+ [ -f $f ] && sed -i "1s@#!.*python.*@#!$(realpath /usr/bin/python3)@" $f
+done
+
+%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
+
+# Install README.SUSE to %%doc
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+
+%check
+%if %{with testsuite}
+export OPENSSL_CONF=''
+%make_build test
+%make_build test-install test-fips-setup || :
+%endif
+
+%post -p
+if not posix.access("%{_sysconfdir}/crypto-policies/config") then
+ local policy = "DEFAULT"
+ local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
+ if cf then
+ if cf:read() == "1" then
+ policy = "FIPS"
+ end
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ local policypath = "%{_datarootdir}/crypto-policies/"..policy
+ for fn in posix.files(policypath) do
+ if fn ~= "." and fn ~= ".." then
+ local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
+ local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
+ posix.unlink(cfgfn)
+ posix.symlink(policypath.."/"..fn, cfgfn)
+ end
+ end
+end
+
+cfg_path_libreswan = "%{_sysconfdir}/crypto-policies/back-ends/libreswan.config"
+st = posix.stat(cfg_path_libreswan)
+if st and st.type == "link" then
+ posix.unlink(cfg_path_libreswan)
+end
+
+cfg_path_javasystem = "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config"
+st = posix.stat(cfg_path_javasystem)
+if st and st.type == "link" then
+ posix.unlink(cfg_path_javasystem)
+end
+
+%posttrans scripts
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
+
+%files
+%license COPYING.LESSER
+%doc README.md CONTRIBUTING.md
+%doc %{_sysconfdir}/crypto-policies/README.SUSE
+
+%dir %{_sysconfdir}/crypto-policies/
+%dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
+%dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
+%dir %{_datarootdir}/crypto-policies/
+
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
+
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.
+
+%ghost %{_sysconfdir}/crypto-policies/state/current
+%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+%{_mandir}/man7/crypto-policies.7%{?ext_man}
+%{_datarootdir}/crypto-policies/LEGACY
+%{_datarootdir}/crypto-policies/DEFAULT
+%{_datarootdir}/crypto-policies/FUTURE
+%{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/BSI
+%{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
+%{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+
+%files scripts
+%{_bindir}/update-crypto-policies
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
+%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_mandir}/man8/fips-mode-setup.8%{?ext_man}
+%{_mandir}/man8/fips-finish-install.8%{?ext_man}
+%{_datarootdir}/crypto-policies/python
+
+%changelog
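Review bot: `%posttrans scripts` runs `update-crypto-policies --no-check >/dev/null 2>/dev/null || :`, so when the back-end configs cannot be regenerated the system silently keeps whatever `%{_sysconfdir}/crypto-policies/back-ends/*.config` already held and the administrator gets no message at all. Keeping the scriptlet non-fatal is reasonable, but stderr should reach the transaction log: `%{_bindir}/update-crypto-policies --no-check >/dev/null || :`. The same pattern appears in `%check`, where `%make_build test-install test-fips-setup || :` hides failures of the two targets that presumably exercise the patched `fips-mode-setup` (Patch6) and the DEFAULT policy changes (Patch9), and the whole section is off by default via `%bcond_with testsuite`; a one-line comment above that line recording why those two targets are allowed to fail would help the next maintainer judge whether the patches are still verified anywhere.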
diff --git a/fedora-crypto-policies-20230920.570ea89.tar.gz b/fedora-crypto-policies-20230920.570ea89.tar.gz new file mode 100644 index 0000000..033597b --- /dev/null +++ b/fedora-crypto-policies-20230920.570ea89.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5af6d1bf4e8f75e27dbcfb27f83814dd486926b302325e4974a96f0a806892c5 +size 90127 diff --git a/fedora-crypto-policies-20250124.4d262e7.tar.gz b/fedora-crypto-policies-20250124.4d262e7.tar.gz new file mode 100644 index 0000000..e427784 --- /dev/null +++ b/fedora-crypto-policies-20250124.4d262e7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:33d72a26ed1543702fc5c8aca8cea0b71667fa2fb9040ed9850480fe3235dfbf +size 102444 diff --git a/fips-finish-install.8.gz b/fips-finish-install.8.gz new file mode 100644 index 0000000..a882f5e --- /dev/null +++ b/fips-finish-install.8.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:93e6dcce6491836df86af048bd0e800868e818359ad4749f7441817e5f11891e +size 949 diff --git a/fips-mode-setup.8.gz b/fips-mode-setup.8.gz new file mode 100644 index 0000000..219903c --- /dev/null +++ b/fips-mode-setup.8.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a9d4ded30f73bf76626f79f507c164a82fac54bed8daa6e9e40d3af46f276a67 +size 1782 diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz new file mode 100644 index 0000000..adbc707 --- /dev/null +++ b/update-crypto-policies.8.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:492615feef5d98e42ca928ddc05114ef7a93df1752afbf5a0db8cf0625071b59 +size 4149 -- 2.51.1 From 0a2c75c4df2426f395b8544301042fd525ce0891d0ff585f80e92cbced1bcfe0 Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Wed, 9 Apr 2025 14:39:36 +0000 Subject: [PATCH 10/11] OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=42 --- .gitattributes | 23 + .gitignore | 1 + README.SUSE | 6 + _service | 14 + _servicedata | 4 + ...llow-sshd-in-FIPS-mode-using-DEFAULT.patch | 50 ++ crypto-policies-FIPS.patch | 319 +++++++++++ ...licies-enable-SHA1-sigver-in-DEFAULT.patch | 78 +++ crypto-policies-no-build-manpages.patch | 28 + crypto-policies-nss.patch | 42 ++ crypto-policies-policygenerators.patch | 40 ++ crypto-policies-pylint.patch | 15 + crypto-policies-rpmlintrc | 3 + crypto-policies-supported.patch | 37 ++ crypto-policies.7.gz | 3 + crypto-policies.changes | 501 ++++++++++++++++++ crypto-policies.spec | 294 ++++++++++ ...ra-crypto-policies-20230920.570ea89.tar.gz | 3 + ...ra-crypto-policies-20250124.4d262e7.tar.gz | 3 + fips-finish-install.8.gz | 3 + fips-mode-setup.8.gz | 3 + update-crypto-policies.8.gz | 3 + 22 files changed, 1473 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 README.SUSE create mode 100644 _service create mode 100644 _servicedata create mode 100644 crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch create mode 100644 crypto-policies-FIPS.patch create mode 100644 crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch create mode 100644 crypto-policies-no-build-manpages.patch create mode 100644 crypto-policies-nss.patch create mode 100644 crypto-policies-policygenerators.patch create mode 100644 crypto-policies-pylint.patch create mode 100644 crypto-policies-rpmlintrc create mode 100644 crypto-policies-supported.patch create mode 100644 crypto-policies.7.gz create mode 100644 crypto-policies.changes create mode 100644 crypto-policies.spec create mode 100644 fedora-crypto-policies-20230920.570ea89.tar.gz create mode 100644 fedora-crypto-policies-20250124.4d262e7.tar.gz create mode 100644 fips-finish-install.8.gz create mode 100644 
fips-mode-setup.8.gz create mode 100644 update-crypto-policies.8.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..3cc4b70 --- /dev/null +++ b/README.SUSE @@ -0,0 +1,6 @@ +Currently, the supported back-end policies are: + * OpenSSL library + * GnuTLS library + * OpenJDK + +The rest of the modules ignore the policy settings for the time being. diff --git a/_service b/_service new file mode 100644 index 0000000..c304113 --- /dev/null +++ b/_service @@ -0,0 +1,14 @@ + + + https://gitlab.com/redhat-crypto/fedora-crypto-policies.git + git + %cd.%h + enable + 4d262e79be1cd15c84cad55ad88c53a2d7712e85 + + + *.tar + gz + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..5ed3ec5 --- /dev/null 
+++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://gitlab.com/redhat-crypto/fedora-crypto-policies.git + 4d262e79be1cd15c84cad55ad88c53a2d7712e85 \ No newline at end of file diff --git a/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch b/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch new file mode 100644 index 0000000..c7c3e96 --- /dev/null +++ b/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch 
@@ -0,0 +1,50 @@
+diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol
+--- fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol 2025-01-24 18:31:31.000000000 +0100
++++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol 2025-03-18 14:39:54.565216139 +0100
+@@ -15,9 +15,11 @@
+
+ mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
+ mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1
++mac@SSH = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512
+
+ group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
++group@SSH = -X25519
+
+ hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA3-224 \
+ SHAKE-256
+@@ -53,7 +55,8 @@ cipher@RPM = AES-256-CFB AES-128-CFB CAM
+
+ # CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks
+ # and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014).
+-cipher@SSH = -*-CBC
++# disable also chachapoly, as we might run DEFAULT in FIPS mode too.
++cipher@SSH = AES-256-GCM AES-256-CCM CAMELLIA-256-GCM AES-256-CTR AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR
+
+ # 'RSA' is intentionally before DHE ciphersuites, as the DHE ciphersuites have
+ # interoperability issues in TLS.
+diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt
+--- fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt 2025-01-24 18:31:31.000000000 +0100
++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt 2025-03-18 14:40:54.831266197 +0100
+@@ -1,5 +1,5 @@
+-Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+-MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
++Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+ GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+ KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+ HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt
+--- fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt 2025-01-24 18:31:31.000000000 +0100
++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt 2025-03-18 15:41:32.234673018 +0100
+@@ -1,7 +1,8 @@
+-Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+-MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
++Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+ GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+ KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+ PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+ HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+ CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch
new file mode 100644
index 0000000..c30993a
--- /dev/null
+++ b/crypto-policies-FIPS.patch
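Review bot: `group@SSH = -X25519` is added to DEFAULT.pol, yet the expected outputs the same patch edits still carry `curve25519-sha256,curve25519-sha256@libssh.org` in `KexAlgorithms` and `gss-curve25519-sha256-` in `GSSAPIKexAlgorithms` as unchanged context lines, so either the directive has no effect on the OpenSSH generators or the expected outputs were not regenerated after adding it; with the spec's testsuite off by default, neither case would surface at build time. Please re-run the generator against the patched policy and either refresh `tests/outputs/DEFAULT-openssh.txt` and `DEFAULT-opensshserver.txt` or drop the line. The new comment also only explains the ChaCha20-Poly1305 removal, while the hunk additionally drops `UMAC-128` from `mac@SSH` and X25519 from the SSH key exchange; suggest `# FIPS-oriented: drop chachapoly, UMAC-128 and X25519 for SSH, as DEFAULT may run in FIPS mode too.` so the next rebase does not reintroduce them.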
@@ -0,0 +1,319 @@
+Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
+===================================================================
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
+@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then
+ exit 1
+ fi
+
++# This check must be done as root, otherwise it will fail.
++is_transactional_system=0
++if test ! -w /usr ; then
++ is_transactional_system=1
++fi
++
++# We don't handle the setup on transactional systems as the process is
++# quite different and involves several reboots.
++if test "$is_transactional_system" = 1 && test "$check" = 0 ; then
++ cond_echo -n "Cannot handle transactional systems. "
++ cond_echo "Please, refer to the fips-mode-setup man pages for more information."
++ exit 1
++fi
+
+ # Detect 1: kernel FIPS flag
+ fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
+@@ -167,10 +180,10 @@ if test $check = 1 ; then
+ fi
+
+ # Boot configuration
+-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+- echo >&2 "The grubby command is missing, please configure the bootloader manually."
+- boot_config=0
+-fi
++# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
++# echo >&2 "The grubby command is missing, please configure the bootloader manually."
++# boot_config=0
++# fi
+
+ if test "$boot_config" = 1 && test ! -d /boot ; then
+ echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)."
+@@ -236,20 +249,42 @@ if test "$boot_config" = 1 ; then
+ fi
+ fi
+
++if test "$boot_config" = 1 ; then
++ # Install required packages: patterns-base-fips and perl-Bootloader
++ if test ! -f /etc/dracut.conf.d/40-fips.conf && \
++ test ! -x "$(command -v pbl)" && \
++ test "$enable_fips" = 1; then
++ zypper -n install patterns-base-fips perl-Bootloader
++ elif test ! -f /etc/dracut.conf.d/40-fips.conf && \
++ test "$enable_fips" = 1 ; then
++ zypper -n install patterns-base-fips
++ elif test ! -x "$(command -v pbl)" ; then
++ zypper -n install perl-Bootloader
++ fi
++ if test $? != 0 ; then
++ echo "The pbl command or the fips pattern are missing, please configure the bootloader manually."
++ boot_config=0
++ fi
++fi
++
+ echo "FIPS mode will be $(enable2txt $enable_fips)."
+
+ fipsopts="fips=$enable_fips$boot_device_opt"
+
+ if test "$boot_config" = 1 ; then
+- grubby --update-kernel=ALL --args="$fipsopts"
+- if test x"$(uname -m)" = xs390x; then
+- if command -v zipl >/dev/null; then
+- zipl
+- else
+- echo -n '`zipl` execution has been skipped: '
+- echo '`zipl` not found.'
+- fi
+- fi
++ pbl --add-option "$fipsopts"
++ pbl --config; pbl --install && dracut -f --regenerate-all
++
++ # grubby --update-kernel=ALL --args="$fipsopts"
++ # if test x"$(uname -m)" = xs390x; then
++ # if command -v zipl >/dev/null; then
++ # zipl
++ # else
++ # echo -n '`zipl` execution has been skipped: '
++ # echo '`zipl` not found.'
++ # fi
++ # fi
++
+ echo "Please reboot the system for the setting to take effect."
+ else
+ echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
+Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install
+===================================================================
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-finish-install
++++ fedora-crypto-policies-20240201.9f501f3/fips-finish-install
+@@ -24,6 +24,15 @@ fi
+
+ umask 022
+
++# Install required packages: patterns-base-fips and perl-Bootloader
++if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then
++ zypper -n install patterns-base-fips perl-Bootloader
++elif test ! -f $dracut_cfg ; then
++ zypper -n install patterns-base-fips
++elif test ! -x "$(command -v pbl)" ; then
++ zypper -n install perl-Bootloader
++fi
++
+ if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then
+ # No dracut configuration or boot directory present, do not try to modify it.
+ # Also, on OSTree systems, we currently rely on the initrd already including
+@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot
+ exit 0
+ fi
+
+-if test x"$1" == x--complete; then
+- trap "rm -f $dracut_cfg" ERR
+- cat >$dracut_cfg </dev/null; then
+- zipl
+- else
+- echo '`zipl` execution has been skipped: `zipl` not found.'
+- fi
+-fi
++# if test x"$1" == x--complete; then
++# trap "rm -f $dracut_cfg" ERR
++# cat >$dracut_cfg </dev/null; then
++# zipl
++# else
++# echo '`zipl` execution has been skipped: `zipl` not found.'
++# fi
++# fi
+Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
+===================================================================
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup.8.txt
++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt
+@@ -45,6 +45,23 @@ Then the command modifies the boot loade
+ When disabling the system FIPS mode the system crypto policy is switched
+ to DEFAULT and the kernel command line option 'fips=0' is set.
+
++On transactional systems, enabling the system in FIPS mode with the
++fips-mode-setup tool is not implemented. To enable the FIPS mode in these
++systems requires the following steps:
++
++ 1.- Install the FIPS pattern on a running system:
++ # transactional-update pkg install -t pattern microos-fips
++
++ 2.- Reboot your system.
++
++ 3.- Add the kernel command line parameter fips=1 to the boot loader
++ configuration. To do so, edit the file /etc/default/grub and add
++ fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable.
++
++ 4.- After logging in to the system, run:
++ # transactional-update grub.cfg
++
++ 5.- Reboot your system.
+
+ [[options]]
+ OPTIONS
+Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
+===================================================================
+--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup
++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup
+@@ -8,7 +8,6 @@ check=0
+ boot_config=1
+ err_if_disabled=0
+ output_text=1
+-uki_file=/sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
+
+ is_ostree_system=0
+ if test -f /run/ostree-booted -o -d /ostree; then
+@@ -61,18 +60,13 @@ while test $# -ge 1 ; do
+ done
+
+ if test $usage = 1 -o x$enable_fips = x ; then
+- echo "Check, enable, or disable (unsupported) the system FIPS mode."
++ echo "Check, enable, or disable the system FIPS mode."
+ echo "usage: $0 --enable|--disable [--no-bootcfg]"
+ echo "usage: $0 --check"
+ echo "usage: $0 --is-enabled"
+ exit 2
+ fi
+
+-if test -e "$uki_file" && test "$FIPS_MODE_SETUP_SKIP_UKI_CHECK" != 1; then
+- echo >&2 "UKI detected ($uki_file is present), forcing --no-bootcfg."
+- boot_config=0
+-fi
+-
+ # We don't handle the boot config on OSTree systems for now; it is assumed to be
+ # handled at a higher level. E.g. in Fedora CoreOS and RHEL CoreOS, it is
+ # intrinsically tied to the firstboot procedure.
+@@ -186,12 +180,6 @@ if test $check = 1 ; then
+ exit 0
+ fi
+
+-# Boot configuration
+-# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+-# echo >&2 "The grubby command is missing, please configure the bootloader manually."
+-# boot_config=0
+-# fi
+-
+ if test "$boot_config" = 1 && test ! -d /boot ; then
+ echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)."
+ echo >&2 "If you want to configure the bootloader manually, re-run with --no-bootcfg."
+@@ -204,39 +192,6 @@ if test "$boot_config" = 1 && test -z "$
+ exit 1
+ fi
+
+-if test "$FIPS_MODE_SETUP_SKIP_ARGON2_CHECK" != 1 && \
+- test -x "$(command -v cryptsetup)" ; then
+- # Best-effort detection of LUKS Argon2 usage
+- argon2_found=''
+- # two redundant ways to list device names
+- devs=$( (find /dev/mapper/ -type l -printf '%f\n'; \
+- dmsetup ls --target crypt | cut -f1) \
+- | sort -u)
+- while IFS= read -r devname; do
+- back=$(cryptsetup status "$devname" | \
+- grep -F device: |
+- sed -E 's/.*device:\s+//')
+- if ! test -b "$back"; then
+- echo >&2 -n "Warning: detected device '$back' "
+- echo >&2 -n 'is not a valid block device. '
+- echo >&2 'Cannot check whether it uses Argon2.'
+- continue
+- fi
+- dump=$(cryptsetup luksDump "$back")
+- if grep -qEi 'PBKDF:.*argon' <<<"$dump"; then
+- argon2_found+=" $back($devname)"
+- fi
+- done <<<"$devs"
+- if test -n "$argon2_found" ; then
+- echo >&2 -n "The following encrypted devices use Argon2 PBKDF:"
+- echo >&2 "$argon2_found"
+- echo >&2 'Aborting fips-mode-setup because of that.'
+- echo >&2 -n 'Please refer to the '
+- echo >&2 'cryptsetup-luksConvertKey(8) manpage.'
+- exit 76
+- fi
+-fi
+-
+ if test "$FIPS_MODE_SETUP_SKIP_WARNING" != 1 ; then
+ if test $enable_fips = 1 ; then
+ echo >&2 "*****************************************************************"
+@@ -244,15 +199,13 @@ if test "$FIPS_MODE_SETUP_SKIP_WARNING"
+ echo >&2 "* *"
+ echo >&2 "* ENABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED. *"
+ echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *"
+- echo >&2 "* REINSTALL WITH fips=1 INSTEAD. *"
+ echo >&2 "*****************************************************************"
+ elif test $enable_fips = 0 ; then
+ echo >&2 "*****************************************************************"
+ echo >&2 "* PRESS CONTROL-C WITHIN 15 SECONDS TO ABORT... *"
+ echo >&2 "* *"
+- echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT SUPPORTED. *"
++ echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED.*"
+ echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *"
+- echo >&2 "* WIPE ALL MEDIA AND REINSTALL WITHOUT fips=1 INSTEAD. *"
+ echo >&2 "*****************************************************************"
+ fi
+ for i in {15..1}; do
+@@ -339,21 +292,10 @@ fipsopts="fips=$enable_fips$boot_device_
+ if test "$boot_config" = 1 ; then
+ pbl --add-option "$fipsopts"
+ pbl --config; pbl --install && dracut -f --regenerate-all
+-
+- # grubby --update-kernel=ALL --args="$fipsopts"
+- # if test x"$(uname -m)" = xs390x; then
+- # if command -v zipl >/dev/null; then
+- # zipl
+- # else
+- # echo -n '`zipl` execution has been skipped: '
+- # echo '`zipl` not found.'
+- # fi
+- # fi
+-
+- echo "Please reboot the system for the setting to take effect."
++ echo "Please reboot the system for the settings to take effect."
+ else
+ echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\""
+- echo "and reboot the system for the setting to take effect."
++ echo "and reboot the system for the settings to take effect."
+ fi
+
+ exit 0
diff --git a/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch b/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
new file mode 100644
index 0000000..fd1821e
--- /dev/null
+++ b/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
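Review bot: In the `pbl` branch that replaces the grubby calls, `pbl --add-option "$fipsopts"` is not checked and `pbl --config;` is joined with `;`, so when the kernel option is not written the script still prints `echo "Please reboot the system for the settings to take effect."` and exits 0, and the operator believes FIPS mode is configured while the next boot runs without `fips=1`. Chain the steps and fail loudly: `pbl --add-option "$fipsopts" && pbl --config && pbl --install && dracut -f --regenerate-all || { echo >&2 "Bootloader update failed, FIPS mode has NOT been configured."; exit 1; }`. The second sub-patch for fips-mode-setup also deletes the Argon2 LUKS detection, whose own messages describe aborting when encrypted devices use Argon2 PBKDF, and the UKI check that forced `--no-bootcfg`, with neither a replacement nor a comment; a one-line comment at each deletion site stating why SUSE does not need the check (or keeping the Argon2 check behind `FIPS_MODE_SETUP_SKIP_ARGON2_CHECK` as upstream does) would stop a later rebase from reading the removals as accidental. The surrounding `if test "$boot_config" = 1` block of the first sub-patch is only partly visible in this hunk.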
@@ -0,0 +1,78 @@
+diff -PpuriN a/policies/DEFAULT.pol b/policies/DEFAULT.pol
+--- a/policies/DEFAULT.pol 2025-04-09 14:18:34.954692496 +0200
++++ b/policies/DEFAULT.pol 2025-04-09 14:19:26.564391482 +0200
+@@ -90,4 +90,4 @@ hash@RPM = SHA1+
+ min_dsa_size@RPM = 1024
+ 
+ # https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+-__openssl_block_sha1_signatures = 1
++__openssl_block_sha1_signatures = 0
+diff -PpuriN a/policies/LEGACY.pol b/policies/LEGACY.pol
+--- a/policies/LEGACY.pol 2025-04-09 14:18:34.955756041 +0200
++++ b/policies/LEGACY.pol 2025-04-09 14:22:03.873723462 +0200
+@@ -82,6 +82,8 @@ min_rsa_size = 1024
+ 
+ # GnuTLS only for now
+ sha1_in_certs = 1
++# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
++__openssl_block_sha1_signatures = 0
+ 
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+diff -PpuriN a/policies/modules/SHA1.pmod b/policies/modules/SHA1.pmod
+--- a/policies/modules/SHA1.pmod 2025-04-09 14:18:34.957749606 +0200
++++ b/policies/modules/SHA1.pmod 2025-04-09 14:23:41.203919619 +0200
+@@ -6,4 +6,5 @@ sign = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA
+ 
+ sha1_in_certs = 1
+ 
++# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+ __openssl_block_sha1_signatures = 0
+diff -PpuriN a/tests/alternative-policies/DEFAULT.pol b/tests/alternative-policies/DEFAULT.pol
+--- a/tests/alternative-policies/DEFAULT.pol 2025-04-09 14:18:34.963027557 +0200
++++ b/tests/alternative-policies/DEFAULT.pol 2025-04-09 14:24:34.158026329 +0200
+@@ -93,4 +93,4 @@ hash@rpm-sequoia = SHA1+
+ min_dsa_size@rpm-sequoia = 1024
+ 
+ # https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+-__openssl_block_sha1_signatures = 1
++__openssl_block_sha1_signatures = 0
+diff -PpuriN a/tests/alternative-policies/LEGACY.pol b/tests/alternative-policies/LEGACY.pol
+--- a/tests/alternative-policies/LEGACY.pol 2025-04-09 14:18:34.963615512 +0200
++++ b/tests/alternative-policies/LEGACY.pol 2025-04-09 14:25:11.675101933 +0200
+@@ -90,6 +90,8 @@ 
min_rsa_size = 1024
+ 
+ # GnuTLS only for now
+ sha1_in_certs = 1
++# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
++__openssl_block_sha1_signatures = 0
+ 
+ # SHA1 is still prevalent in DNSSec
+ sha1_in_dnssec = 1
+diff -PpuriN a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+--- a/tests/outputs/DEFAULT:GOST-opensslcnf.txt 2025-04-09 14:18:34.968542814 +0200
++++ b/tests/outputs/DEFAULT:GOST-opensslcnf.txt 2025-04-09 16:23:01.596169638 +0200
+@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1
+ alg_section = evp_properties
+ 
+ [evp_properties]
+-rh-allow-sha1-signatures = no
++rh-allow-sha1-signatures = yes
+diff -PpuriN a/tests/outputs/DEFAULT-opensslcnf.txt b/tests/outputs/DEFAULT-opensslcnf.txt
+--- a/tests/outputs/DEFAULT-opensslcnf.txt 2025-04-09 14:18:34.967607477 +0200
++++ b/tests/outputs/DEFAULT-opensslcnf.txt 2025-04-09 16:21:21.456007296 +0200
+@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1
+ alg_section = evp_properties
+ 
+ [evp_properties]
+-rh-allow-sha1-signatures = no
++rh-allow-sha1-signatures = yes
+diff -PpuriN a/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt b/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
+--- a/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 2025-04-09 14:18:34.969495452 +0200
++++ b/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 2025-04-09 16:21:54.571054558 +0200
+@@ -11,4 +11,4 @@ Groups = ?x25519_kyber768:?p256_kyber768
+ alg_section = evp_properties
+ 
+ [evp_properties]
+-rh-allow-sha1-signatures = no
++rh-allow-sha1-signatures = yes
diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch
new file mode 100644
index 0000000..005a9a8
--- /dev/null
+++ b/crypto-policies-no-build-manpages.patch
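Review bot: The DEFAULT.pol and tests/alternative-policies/DEFAULT.pol hunks flip `__openssl_block_sha1_signatures` from 1 to 0 and the expected OpenSSL outputs to `rh-allow-sha1-signatures = yes`, but the only comment left on the line is the upstream OpenSSLDistrustSHA1SigVer link, which documents the opposite intent. Re-enabling SHA-1 signature verification for every system on DEFAULT is a deliberate deviation from upstream that the next rebase will otherwise not recognise, so a rationale line belongs in the policy file itself, e.g. `# SUSE: keep SHA-1 signature verification enabled in DEFAULT (see package changelog)` above the assignment. The LEGACY.pol hunks add the same assignment explicitly while no LEGACY expected-output file is touched by the patch, which is worth confirming against the generated output before merging.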
@@ -0,0 +1,28 @@
+Index: fedora-crypto-policies-20250124.4d262e7/Makefile
+===================================================================
+--- fedora-crypto-policies-20250124.4d262e7.orig/Makefile
++++ fedora-crypto-policies-20250124.4d262e7/Makefile
+@@ -34,9 +34,9 @@ install: $(MANPAGES)
+ mkdir -p $(DESTDIR)$(BINDIR)
+ mkdir -p $(DESTDIR)$(LIBEXECDIR)
+ mkdir -p $(DESTDIR)$(UNITDIR)
+- install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+- install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+- install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
++ # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
++ # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
++ # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+ install -p -m 644 $(UNITS) $(DESTDIR)$(UNITDIR)
+ install -p -m 755 $(LIBEXEC_SCRIPTS) $(DESTDIR)$(LIBEXECDIR)
+ mkdir -p $(DESTDIR)$(DIR)/
+@@ -133,8 +133,8 @@ clean:
+ rm -rf output
+ 
+ %: %.txt
+- $(ASCIIDOC) -v -d manpage -b docbook $<
+- xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
++ #$(ASCIIDOC) -v -d manpage -b docbook $<
++ #xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
+ 
+ dist:
+ rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
diff --git a/crypto-policies-nss.patch b/crypto-policies-nss.patch
new file mode 100644
index 0000000..a00acba
--- /dev/null
+++ b/crypto-policies-nss.patch
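Review bot: The install hunk also comments out `install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)`, which is not a man-page step, so the patch does more than its name and the spec's man-page rationale describe; the Index: header should carry a note that the scripts are installed by the spec instead (presumably into the crypto-policies-scripts subpackage — confirm), or that line should stay. In the `%: %.txt` rule the two `#`-prefixed lines are still recipe lines (a `#` after the recipe tab is passed to the shell, not treated as a Make comment), so each still forks a shell and the rule quietly "succeeds" without producing `$@`; an explicit empty recipe, `%: %.txt ;`, with a comment above it saying the man pages ship prebuilt, states the intent without dead code. The rest of the `install:` target is outside this hunk.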
@@ -0,0 +1,42 @@
+Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
+===================================================================
+--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/nss.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
+@@ -422,12 +422,20 @@ class NSSGenerator(ConfigGenerator):
+ try:
+ with os.fdopen(fd, 'w') as f:
+ f.write(config)
+- try:
+- ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+- '>/dev/null',
+- shell=True)
+- except CalledProcessError:
+- cls.eprint("/usr/bin/nss-policy-check: Execution failed")
++ if os.path.exists('/usr/bin/nss-policy-check'):
++ # Perform a policy check only if the mozilla-nss-tools
++ # package is installed. This avoids adding more
++ # dependencies to Ring0.
++ try:
++ ret = call(f'/usr/bin/nss-policy-check {options} {path}'
++ '>/dev/null', shell=True)
++ except CalledProcessError:
++ cls.eprint("/usr/bin/nss-policy-check: Execution failed")
++ else:
++ # The mozilla-nss-tools package is not installed and we can
++ # temporarily skip the policy check for mozilla-nss.
++ ret = 3
++
+ finally:
+ os.unlink(path)
+ 
+@@ -435,6 +443,10 @@ class NSSGenerator(ConfigGenerator):
+ cls.eprint("There is a warning in NSS generated policy")
+ cls.eprint(f'Policy:\n{config}')
+ return False
++ elif ret == 3:
++ cls.eprint('Skipping NSS policy check: '
++ '/usr/bin/nss-policy-check not found')
++ return True
+ if ret:
+ cls.eprint("There is an error in NSS generated policy")
+ cls.eprint(f'Policy:\n{config}')
diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch
new file mode 100644
index 0000000..d2b0a9c
--- /dev/null
+++ b/crypto-policies-policygenerators.patch
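Review bot: `ret = 3` in the new else branch reuses the integer range of nss-policy-check's own exit status, which `call()` stores in `ret` in the if branch, so a genuine exit code 3 from the checker would fall into the new `elif ret == 3` branch, print "Skipping NSS policy check" and return True, masking a failed policy check. A sentinel that cannot be a process exit status avoids the collision: `ret = None` in the else branch and `elif ret is None:` in the second hunk. Whether nss-policy-check ever exits with 3 is not visible here, but the code should not have to depend on that. Both hunks sit inside a method of NSSGenerator whose start and end are outside the hunks.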
@@ -0,0 +1,40 @@
+Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
+===================================================================
+--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/__init__.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
+@@ -7,7 +7,7 @@ from .bind import BindGenerator
+ from .gnutls import GnuTLSGenerator
+ from .java import JavaGenerator
+ from .krb5 import KRB5Generator
+-from .libreswan import LibreswanGenerator
++# from .libreswan import LibreswanGenerator
+ from .libssh import LibsshGenerator
+ from .nss import NSSGenerator
+ from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
+@@ -16,14 +16,13 @@ from .openssl import (
+ OpenSSLFIPSGenerator,
+ OpenSSLGenerator,
+ )
+-from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
++#from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
+ 
+ __all__ = [
+ 'BindGenerator',
+ 'GnuTLSGenerator',
+ 'JavaGenerator',
+ 'KRB5Generator',
+- 'LibreswanGenerator',
+ 'LibsshGenerator',
+ 'NSSGenerator',
+ 'OpenSSHClientGenerator',
+@@ -31,6 +30,8 @@ __all__ = [
+ 'OpenSSLConfigGenerator',
+ 'OpenSSLFIPSGenerator',
+ 'OpenSSLGenerator',
+- 'RPMSequoiaGenerator',
+- 'SequoiaGenerator',
+ ]
++
++ # 'LibreswanGenerator',
++ # 'RPMSequoiaGenerator',
++ # 'SequoiaGenerator',
diff --git a/crypto-policies-pylint.patch b/crypto-policies-pylint.patch
new file mode 100644
index 0000000..717f30a
--- /dev/null
+++ b/crypto-policies-pylint.patch
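Review bot: The three commented-out names appended after the closing `]` of `__all__` are indented as if they were still list elements, which reads as a misplaced edit, and `#from .sequoia` is spaced differently from `# from .libreswan`. Since these are dead entries, either drop them or keep them inside the list as `# 'LibreswanGenerator',` lines next to the removals. A one-line `# Disabled for SUSE: back-ends not packaged here` at the commented imports would tell the next rebase why the generators are gone; the supported-back-ends patch in this commit says libreswan is not available in SLE/openSUSE, and sequoia presumably likewise — confirm.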
@@ -0,0 +1,15 @@
+Index: fedora-crypto-policies-20230614.5f3458e/Makefile
+===================================================================
+--- fedora-crypto-policies-20230614.5f3458e.orig/Makefile
++++ fedora-crypto-policies-20230614.5f3458e/Makefile
+@@ -44,8 +44,8 @@ runflake8:
+ @find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8
+ 
+ runpylint:
+- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc python
+- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc tests
++ PYTHONPATH=. pylint --rcfile=pylintrc python
++ PYTHONPATH=. pylint --rcfile=pylintrc tests
+ @echo "[ OK ]"
+ 
+ runcodespell:
diff --git a/crypto-policies-rpmlintrc b/crypto-policies-rpmlintrc
new file mode 100644
index 0000000..6fdbe70
--- /dev/null
+++ b/crypto-policies-rpmlintrc
@@ -0,0 +1,3 @@
+addFilter(".*files-duplicate.*")
+addFilter(".*zero-length.*")
+addFilter(".non-conffile-in-etc.*")
diff --git a/crypto-policies-supported.patch b/crypto-policies-supported.patch
new file mode 100644
index 0000000..bf29719
--- /dev/null
+++ b/crypto-policies-supported.patch
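Review bot: In the rpmlintrc hunk, `addFilter(".non-conffile-in-etc.*")` starts with a single `.` while the two filters above it use `.*`; if rpmlint anchors the pattern at the start of the message (not visible here — verify against the rpmlint version in use), this filter only matches when exactly one character precedes `non-conffile-in-etc` and the warning stays unfiltered. Writing it as `addFilter(".*non-conffile-in-etc.*")` keeps it consistent with the other two regardless of how matching is done.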
@@ -0,0 +1,37 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt
++++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+@@ -54,23 +54,23 @@ are configured to follow the default pol
+ The generated back-end policies will be placed in /etc/crypto-policies/back-ends.
+ Currently the supported back-ends (and directive scopes they respect) are:
+ 
+-* GnuTLS library (GnuTLS, SSL, TLS)
++* GnuTLS library (GnuTLS, SSL, TLS) (Supported)
+ 
+-* OpenSSL library (OpenSSL, SSL, TLS)
++* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
+ 
+-* NSS library (NSS, SSL, TLS)
++* NSS library (NSS, SSL, TLS) (Supported)
+ 
+-* OpenJDK (java-tls, SSL, TLS)
++* OpenJDK (java-tls, SSL, TLS) (Supported)
+ 
+-* Libkrb5 (krb5, kerberos)
++* Libkrb5 (krb5, kerberos) (Supported)
+ 
+-* BIND (BIND, DNSSec)
++* BIND (BIND, DNSSec) (Supported)
+ 
+-* OpenSSH (OpenSSH, SSH)
++* OpenSSH (OpenSSH, SSH) (Supported)
+ 
+-* Libreswan (libreswan, IKE, IPSec)
++* Libreswan (libreswan, IKE, IPSec) (Not supported as its not available in SLE/openSUSE)
+ 
+-* libssh (libssh, SSH)
++* libssh (libssh, SSH) (Supported)
+ 
+ Applications and languages which rely on any of these back-ends will follow
+ the system policies as well. Examples are apache httpd, nginx, php, and
diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz
new file mode 100644
index 0000000..1f0f2a3
--- /dev/null
+++ b/crypto-policies.7.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a455bfe2ea82738a0237e3ab8c11256f78219436a1dbcc9c3ff0cb7f6a2019b
+size 7675
diff --git a/crypto-policies.changes b/crypto-policies.changes
new file mode 100644
index 0000000..f7510b0
--- /dev/null
+++ b/crypto-policies.changes
@@ -0,0 +1,501 @@ +------------------------------------------------------------------- +Wed Apr 9 12:32:47 UTC 2025 - Pedro Monreal + +- Update crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch + +------------------------------------------------------------------- +Thu Mar 27 10:37:18 UTC 2025 - Pedro Monreal + +- Relax the nss version requirement since the mlkem768secp256r1 + enablement has been reverted. + +------------------------------------------------------------------- +Tue Mar 18 13:45:44 UTC 2025 - Pedro Monreal + +- Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370] + * Add crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch + +------------------------------------------------------------------- +Tue Mar 11 12:40:44 UTC 2025 - Pedro Monreal + +- Enable SHA1 sigver in the DEFAULT policy. + * Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch + +------------------------------------------------------------------- +Fri Feb 28 13:18:00 UTC 2025 - Pedro Monreal + +- Fix fips-mode-setup in EFI or Secure Boot mode. 
[bsc#1227637] + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal + +- Remove dangling symlink for the libreswan config [bsc#1236858] +- Remove also sequoia config and generator files +- Remove not needed fips bind mount service + +------------------------------------------------------------------- +Tue Feb 04 10:18:07 UTC 2025 - Pedro Monreal + +- Update to version 20250124.4d262e7: [bsc#1239009, bsc#1236165] + * openssl: stricter enabling of Ciphersuites + * openssl: make use of -CBC and -AESGCM keywords + * openssl: add TLS 1.3 Brainpool identifiers + * fix warning on using experimental key_exchanges + * update-crypto-policies: don't output FIPS warning in fips mode + * openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256 + * openssh, libssh: refactor kx maps to use tuples + * alg_lists: mark MLKEM768/SNTRUP kex experimental + * nss: revert enabling mlkem768secp256r1 + * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber + * gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768 + * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768 + * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768 + * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256 + * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384... 
+ * python/update-crypto-policies: pacify pylint + * fips-mode-setup: tolerate fips dracut module presence w/o FIPS + * fips-mode-setup: small Argon2 detection fix + * SHA1: add __openssl_block_sha1_signatures = 0 + * fips-mode-setup: block if LUKS devices using Argon2 are detected + * update-crypto-policies: skip warning on --set=FIPS if bootc + * fips-setup-helper: skip warning, BTW + * fips-mode-setup: force --no-bootcfg when UKI is detected + * fips-setup-helper: add a libexec helper for anaconda + * fips-crypto-policy-overlay: automount FIPS policy + * openssh: make dss no longer enableble, support is dropped + * gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768 + * DEFAULT: switch to rh-allow-sha1-signatures = no... + * java: drop unused javasystem backend + * java: stop specifying jdk.tls.namedGroups in javasystem + * ec_min_size: introduce and use in java, default to 256 + * java: use and include jdk.disabled.namedCurves + * BSI: Update BSI policy for new 2024 minimum recommendations + * fips-mode-setup: flashy ticking warning upon use + * fips-mode-setup: add another scary "unsupported" + * CONTRIBUTING.md: add a small section on updating policies + * CONTRIBUTING.md: remove trailing punctuation from headers + * BSI: switch to 3072 minimum RSA key size + * java: make hash, mac and sign more orthogonal + * java: specify jdk.tls.namedGroups system property + * java: respect more key size restrictions + * java: disable anon ciphersuites, tying them to NULL... 
+ * java: start controlling / disable DTLSv1.0 + * nss: wire KYBER768 to XYBER768D00 + * nss: unconditionally load p11-kit-proxy.so + * gnutls: make DTLS0.9 controllable again + * gnutls: retire GNUTLS_NO_TLS_SESSION_HASH + * openssh: remove OPENSSH_MIN_RSA_SIZE / OPENSSH_MIN_RSA_SIZE_FORCE + * gnutls: remove extraneous newline + * sequoia: move away from subprocess.getstatusoutput + * python/cryptopolicies/cryptopolicies.py: add trailing commas + * python, tests: rename MalformedLine to MalformedLineError + * Makefile: introduce SKIP_LINTING flag for packagers to use + * Makefile: run ruff + * tests: use pathlib + * tests: run(check=True) + CalledProcessError where convenient + * tests: use subprocess.run + * tests/krb5.py: check all generated policies + * tests: print to stderr on error paths + * tests/nss.py: also use encoding='utf-8' + * tests/nss.py: also use removesuffix + * tests/nss.py: skip creating tempfiles + * tests/java.pl -> tests/java.py + * tests/gnutls.pl -> tests/gnutls.py + * tests/openssl.pl -> tests/openssl.py + * tests/verify-output.pl: remove + * libreswan: do not use up pfs= / ikev2= keywords for default behaviour + * Rebase patches: + - crypto-policies-no-build-manpages.patch + - crypto-policies-policygenerators.patch + - crypto-policies-supported.patch + - crypto-policies-nss.patch + +------------------------------------------------------------------- +Wed Nov 06 12:27:56 UTC 2024 - Pedro Monreal + +- Update to version 20241010.5930b9a: + * LEGACY: enable 192-bit ciphers for nss pkcs12/smime + * nss: be stricter with new purposes + * nss: rewrite backend for 3.101 + * cryptopolicies: parent scopes for dumping purposes + * policygenerators: move scoping inside generators + * TEST-PQ: disable pure Kyber768 + * nss: wire XYBER768D00 to X25519-KYBER768 + * TEST-PQ: update + * TEST-PQ: also enable sntrup761x25519-sha512@openssh.com + * TEST-PQ, alg_lists, openssl: enable more experimental `sign` values + * TEST-PQ, python: add more groups, mark 
experimental + * openssl: mark liboqsprovider groups optional with ? + * Remove patches: + - crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Tue Feb 06 10:29:11 UTC 2024 - Pedro Monreal + +- Update to version 20240201.9f501f3: + * .gitlab-ci.yml: install sequoia-policy-config + * java: disable ChaCha20-Poly1305 where applicable + * fips-mode-setup: make sure ostree is detected in chroot + * fips-finish-install: make sure ostree is detected in chroot + * TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl + * TEST-PQ: add a no-op subpolicy + * update-crypto-policies: Keep mid-sentence upper case + * fips-mode-setup: Write error messages to stderr + * fips-mode-setup: Fix some shellcheck warnings + * fips-mode-setup: Fix test for empty /boot + * fips-mode-setup: Avoid 'boot=UUID=' if /boot == / + * Update man pages + * Rebase patches: + - crypto-policies-FIPS.patch + - crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Mon Feb 02 08:34:40 UTC 2024 - Pedro Monreal + +- Update to version 20231108.adb5572b: + * Print matches in syntax deprecation warnings + * Restore support for scoped ssh_etm directives + * fips-mode-setup: Fix usage with --no-bootcfg + * turn ssh_etm into an etm@SSH tri-state + * fips-mode-setup: increase chroot-friendliness + * bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx + * pylintrc: use-implicit-booleaness-not-comparison-to-* + +------------------------------------------------------------------- +Tue Jan 30 18:36:34 UTC 2024 - Dirk Müller + +- avoid the cycle rpm/cmake/crypto-policies/python-rpm-macros: + we only need python3-base here, we don't need the python + macros as no module is being built + +------------------------------------------------------------------- +Thu Oct 5 12:35:57 UTC 2023 - Daniel Garcia + +- Remove dependency on /usr/bin/python3, making scripts to 
depends on + the real python3 binary, not the link. bsc#1212476 + +------------------------------------------------------------------- +Wed Sep 27 10:54:17 UTC 2023 - Pedro Monreal + +- nss: Skip the NSS policy check if the mozilla-nss-tools package + is not installed. This avoids adding more dependencies in ring0. + * Add crypto-policies-nss.patch [bsc#1211301] + +------------------------------------------------------------------- +Fri Sep 22 10:27:53 UTC 2023 - Pedro Monreal + +- Update to version 20230920.570ea89: + * fips-mode-setup: more thorough --disable, still unsupported + * FIPS:OSPP: tighten beyond reason for OSPP 4.3 + * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones + * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS) + * gnutls: prepare for tls-session-hash option coming + * nss: prepare for TLS-REQUIRE-EMS option coming + * NO-ENFORCE-EMS: add subpolicy + * FIPS: set __ems = ENFORCE + * cryptopolicies: add enums and __ems tri-state + * docs: replace `FIPS 140-2` with just `FIPS 140` + * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE + * cryptopolicies: add comments on dunder options + * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check + * BSI: start a BSI TR 02102 policy [jsc#PED-4933] + * Rebase patches: + - crypto-policies-policygenerators.patch + - crypto-policies-revert-rh-allow-sha1-signatures.patch + - crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Sep 15 11:23:06 UTC 2023 - Pedro Monreal + +- Conditionally recommend the crypto-policies-scripts package + when python is not installed in the system [bsc#1215201] + +------------------------------------------------------------------- +Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal + +- Tests: Fix pylint versioning for TW and fix the parsing of the + policygenerators to account for the commented lines correctly. 
+ * Add crypto-policies-pylint.patch + * Rebase crypto-policies-policygenerators.patch + +------------------------------------------------------------------- +Tue Aug 1 12:23:33 UTC 2023 - Pedro Monreal + +- FIPS: Adapt the fips-mode-setup script to use the pbl command + from the perl-Bootloader package to replace grubby. Add a note + for transactional systems [jsc#PED-5041]. + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Jul 14 14:59:06 UTC 2023 - Marcus Meissner + +- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933) + derived from NEXT.pol + +------------------------------------------------------------------- +Thu Jul 13 06:36:20 UTC 2023 - Pedro Monreal + +- Update to version 20230614.5f3458e: + * policies: impose old OpenSSL groups order for all back-ends + * Rebase patches: + - crypto-policies-revert-rh-allow-sha1-signatures.patch + - crypto-policies-supported.patch + +------------------------------------------------------------------- +Thu May 25 11:28:12 UTC 2023 - Pedro Monreal + +- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup + and fips-finish-install commands, add also the man pages. The + required FIPS modules are left to be installed by the user. + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Wed May 24 20:04:20 UTC 2023 - Pedro Monreal + +- Revert a breaking change that introduces the config option + rh-allow-sha1-signatures that is unkown to OpenSSL and fails + on startup. We will consider adding this option to openssl. + * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494 + * Add crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Mon May 8 09:45:45 UTC 2023 - Pedro Monreal + +- Update the update-crypto-policies(8) man pages and README.SUSE + to mention the supported back-end policies. 
[bsc#1209998] + * Add crypto-policies-supported.patch + +------------------------------------------------------------------- +Mon May 08 06:32:49 UTC 2023 - Pedro Monreal + +- Update to version 20230420.3d08ae7: + * openssl, alg_lists: add brainpool support + * openssl: set Groups explicitly + * codespell: ignore aNULL + * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960 + * sequoia: add separate rpm-sequoia backend + * crypto-policies.7: state upfront that FUTURE is not so interoperable + * Makefile: update for asciidoc 10 + * Skip not needed LibreswanGenerator and SequoiaGenerator: + - Add crypto-policies-policygenerators.patch + * Remove crypto-policies-test_supported_modules_only.patch + * Rebase crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Fri Jan 20 09:25:22 UTC 2023 - Pedro Monreal + +- Update to version 20221214.a4c31a3: + * bind: expand the list of disableable algorithms + * libssh: Add support for openssh fido keys + * .gitlab-ci.yml: install krb5-devel for krb5-config + * sequoia: check using sequoia-policy-config-check + * sequoia: introduce new back-end + * Makefile: support overriding asciidoc executable name + * openssh: make none and auto explicit and different + * openssh: autodetect and allow forcing RequiredRSASize presence/name + * openssh: remove _pre_8_5_ssh + * pylintrc: update + * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..." + * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"... 
+ * Makefile: exclude built manpages from codespell + * add openssh HostbasedAcceptedAlgorithms + * openssh: add RSAMinSize option following min_rsa_size + * Revert ".gitlab-ci.yml: skip pylint (bz2069837)" + * docs: add customization recommendation + * tests/java: fix java.security.disableSystemPropertiesFile=true + * policies: add FEDORA38 and TEST-FEDORA39 + * bind: control ED25519/ED448 + * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 + * .gitlab-ci.yml: skip pylint (bz2069837) + * openssh: add support for sntrup761x25519-sha512@openssh.com + * fips-mode-setup: fix one unrelated check to intended state + * fips-mode-setup, fips-finish-install: abandon /etc/system-fips + * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT + * fips-mode-setup: catch more inconsistencies, clarify --check + * fips-mode-setup: improve handling FIPS plus subpolicies + * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3 + * gnutls: enable SHAKE, needed for Ed448 + * gnutls: use allowlisting + * openssl: add newlines at the end of the output + * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-* + * fips-mode-setup, fips-finish-install: call zipl more often + * Add crypto-policies-rpmlintrc file to avoid files-duplicate, + zero-length and non-conffile-in-etc warnings. 
+ * Rebase patches: + - crypto-policies-FIPS.patch + - crypto-policies-no-build-manpages.patch + * Update README.SUSE + +------------------------------------------------------------------- +Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal + +- Remove the scripts and documentation regarding + fips-finish-install and test-fips-setup + * Add crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Sep 24 09:34:03 UTC 2021 - Pedro Monreal + +- Update to version 20210917.c9d86d1: + * openssl: fix disabling ChaCha20 + * pacify pylint 2.11: use format strings + * pacify pylint 2.11: specify explicit encoding + * fix minor things found by new pylint + * update-crypto-policies: --check against regenerated + * update-crypto-policies: fix --check's walking order + * policygenerators/gnutls: revert disabling DTLS0.9... + * policygenerators/java: add javasystem backend + * LEGACY: bump 1023 key size to 1024 + * cryptopolicies: fix 'and' in deprecation warnings + * *ssh: condition ecdh-sha2-nistp384 on SECP384R1 + * nss: hopefully the last fix for nss sigalgs check + * cryptopolicies: Python 3.10 compatibility + * nss: postponing check + testing at least something + * Rename 'policy modules' to 'subpolicies' + * validation.rules: fix a missing word in error + * cryptopolicies: raise errors right after warnings + * update-crypto-policies: capitalize warnings + * cryptopolicies: syntax-precheck scope errors + * .gitlab-ci.yml, Makefile: enable codespell + * all: fix several typos + * docs: don't leave zero TLS/DTLS protocols on + * openssl: separate TLS/DTLS MinProtocol/MaxProtocol + * alg_lists: order protocols new-to-old for consistency + * alg_lists: max_{d,}tls_version + * update-crypto-policies: fix pregenerated + local.d + * openssh: allow validation with pre-8.5 + * .gitlab-ci.yml: run commit-range against upstream + * openssh: Use the new name for PubkeyAcceptedKeyTypes + * sha1_in_dnssec: deprecate + * .gitlab-ci.yml: test commit 
ranges + * FIPS:OSPP: sign = -*-SHA2-224 + * scoped policies: documentation update + * scoped policies: use new features to the fullest... + * scoped policies: rewrite + minimal policy changes + * scoped policies: rewrite preparations + * nss: postponing the version check again, to 3.64 +- Remove patches fixed upstream: crypto-policies-typos.patch +- Rebase: crypto-policies-test_supported_modules_only.patch +- Merge crypto-policies-asciidoc.patch into + crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Thu Feb 25 12:05:39 UTC 2021 - Pedro Monreal + +- Update to version 20210225.05203d2: + * Disable DTLS0.9 protocol in the DEFAULT policy. + * policies/FIPS: insignificant reformatting + * policygenerators/libssh: respect ssh_certs + * policies/modules/OSPP: tighten to follow RHEL 8 + * crypto-policies(7): drop not-reenableable comment + * follow up on disabling RC4 + +------------------------------------------------------------------- +Thu Feb 25 11:59:44 UTC 2021 - Pedro Monreal + +- Remove not needed scripts: fips-finish-install fips-mode-setup + +------------------------------------------------------------------- +Wed Feb 24 16:22:08 UTC 2021 - Pedro Monreal + +- Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938] + * The minimum DTLS protocol version in the DEFAULT and FUTURE + policies is DTLS1.2. 
+ * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e + +------------------------------------------------------------------- +Wed Feb 17 12:36:05 UTC 2021 - Pedro Monreal + +- Update to version 20210213.5c710c0: [bsc#1180938] + * setup_directories(): perform safer creation of directories + * save_config(): avoid re-opening output file for each iteration + * save_config(): break after first match to avoid unnecessary stat() calls + * CryptoPolicy.parse(): actually stop parsing line on syntax error + * ProfileConfig.parse_string(): correctly extended subpolicies + * Exclude RC4 from LEGACY + * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT + * code style: fix 'not in' membership testing + * pylintrc: tighten up a bit + * formatting: avoid long lines + * formatting: use f-strings instead of format() + * formatting: reformat all python code with autopep8 + * nss: postponing the version check again, to 3.61 + * Revert "Unfortunately we have to keep ignoring the openssh check for sk-" + +------------------------------------------------------------------- +Tue Feb 9 10:50:47 UTC 2021 - Dominique Leuenberger + +- Use tar_scm service, not obs_scm: With crypto-policies entering + Ring0 (distro bootstrap) we want to be sure to keep the buildtime + deps as low as possible. +- Add python3-base BuildRequires: previously, OBS' tar service + pulled this in for us. 
+ +------------------------------------------------------------------- +Mon Feb 8 11:45:38 UTC 2021 - Pedro Monreal + +- Add a BuildIgnore for crypto-policies + +------------------------------------------------------------------- +Mon Feb 8 11:22:31 UTC 2021 - Pedro Monreal + +- Use gzip instead of xz in obscpio and sources + +------------------------------------------------------------------- +Fri Feb 5 10:57:46 UTC 2021 - Pedro Monreal + +- Do not build the manpages to avoid build cycles +- Add crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Tue Feb 2 17:38:27 UTC 2021 - Dominique Leuenberger + +- Convert to use a proper git source _service: + + To update, one just needs to update the commit/revision in the + _service file and run `osc service dr`. + + The version of the package is defined by the commit date of the + revision, followed by the abbreviated git hash (The same + revision used before results thus in a downgrade to 20210118, + but as this is a alltime new package, this is acceptable. 
+ +------------------------------------------------------------------- +Tue Feb 2 12:33:19 UTC 2021 - Pedro Monreal + +- Update to git version 20210127 + * Bump Python requirement to 3.6 + * Output sigalgs required by nss >=3.59 + * Do not require bind during build + * Break build cycles with openssl and gnutls + +------------------------------------------------------------------- +Thu Jan 21 14:44:07 UTC 2021 - Pedro Monreal + +- Update to git version 20210118 + * Output sigalgs required by nss >=3.59 + * Bump Python requirement to 3.6 + * Kerberos 5: Fix policy generator to account for macs + * Add AES-192 support (non-TLS scenarios) + * Add documentation of the --check option + +------------------------------------------------------------------- +Thu Jan 21 14:42:13 UTC 2021 - Pedro Monreal + +- Fix the man pages generation +- Add crypto-policies-asciidoc.patch + +------------------------------------------------------------------- +Thu Jan 21 09:56:42 UTC 2021 - Pedro Monreal + +- Test only supported modules +- Add crypto-policies-test_supported_modules_only.patch + +------------------------------------------------------------------- +Tue Dec 22 10:50:36 UTC 2020 - Pedro Monreal + +- Add crypto-policies-typos.patch to fix some typos + +------------------------------------------------------------------- +Thu Nov 12 08:20:19 UTC 2020 - Vítězslav Čížek + +- Initial packaging, git version 20200918 (jsc#SLE-15832) diff --git a/crypto-policies.spec b/crypto-policies.spec new file mode 100644 index 0000000..735be09 --- /dev/null +++ b/crypto-policies.spec 
@@ -0,0 +1,294 @@
+#
+# spec file for package crypto-policies
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+# testsuite is disabled by default
+%bcond_with testsuite
+# manbuild is disabled by default
+%bcond_with manbuild
+%global _python_bytecompile_extra 0
+
+Name: crypto-policies
+Version: 20250124.4d262e7
+Release: 0
+Summary: System-wide crypto policies
+License: LGPL-2.1-or-later
+Group: Productivity/Networking/Security
+URL: https://gitlab.com/redhat-crypto/fedora-%{name}
+Source0: fedora-%{name}-%{version}.tar.gz
+Source1: README.SUSE
+Source2: crypto-policies.7.gz
+Source3: update-crypto-policies.8.gz
+Source4: fips-mode-setup.8.gz
+Source5: fips-finish-install.8.gz
+Source6: crypto-policies-rpmlintrc
+%if %{without manbuild}
+#PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
+# To reduce the build dependencies in Ring0, we have to compile the
+# man pages locally (use --with testsuite) and add the built files
+# crypto-policies.7.gz, update-crypto-policies.8.gz, fips-mode-setup.8.gz
+# and fips-finish-install.8.gz as sources.
+Patch1: crypto-policies-no-build-manpages.patch
+%endif
+#PATCH-FIX-OPENSUSE Skip not needed LibreswanGenerator and SequoiaGenerator
+Patch2: crypto-policies-policygenerators.patch
+#PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
+Patch3: crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
+Patch5: crypto-policies-pylint.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
+Patch6: crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
+Patch7: crypto-policies-nss.patch
+#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT
+Patch8: crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
+#PATCH-FIX-OPENSUSE Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
+Patch9: crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
+BuildRequires: python3-base >= 3.11
+%if %{with manbuild}
+BuildRequires: asciidoc
+%endif
+%if %{with testsuite}
+# The following packages are needed for the testsuite
+BuildRequires: bind
+BuildRequires: crypto-policies-scripts
+BuildRequires: gnutls
+BuildRequires: java-devel
+BuildRequires: libxslt
+BuildRequires: mozilla-nss-tools
+BuildRequires: openssh-clients
+BuildRequires: openssl
+BuildRequires: python-rpm-macros
+BuildRequires: python3-devel >= 3.11
+BuildRequires: python3-pytest
+BuildRequires: systemd-rpm-macros
+%else
+# Avoid cycle with python-rpm-macros
+#!BuildIgnore: python-rpm-packaging python-rpm-macros
+%endif
+%if 0%{?primary_python:1}
+Recommends: crypto-policies-scripts
+%endif
+Conflicts: gnutls < 3.8.8
+Conflicts: nss < 3.101
+Conflicts: openssh < 9.9p1
+Conflicts: openssl < 3.0.2
+#!BuildIgnore: crypto-policies
+BuildArch: noarch
+
+%description
+This package provides pre-built configuration files with
+cryptographic policies for various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+%package scripts
+Summary: Tool to switch between crypto policies
+Requires: %{name} = %{version}-%{release}
+Recommends: perl-Bootloader
+Provides: fips-mode-setup = %{version}-%{release}
+
+%description scripts
+This package provides a tool update-crypto-policies, which applies
+the policies provided by the crypto-policies package. These can be
+either the pre-built policies from the base package or custom policies
+defined in simple policy definition files.
+
+The package also provides a tool fips-mode-setup, which can be used
+to enable or disable the system FIPS mode.
+
+%prep
+%autosetup -p1 -n fedora-%{name}-%{version}
+
+# Make README.SUSE available for %%doc
+cp -p %{SOURCE1} .
+
+%build
+export OPENSSL_CONF=''
+%make_build
+
+%install
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
+mkdir -p -m 755 %{buildroot}%{_bindir}
+
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+mkdir -p -m 755 %{buildroot}%{_mandir}/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+%if %{without manbuild}
+# Install the manpages from defined sources
+cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
+%endif
+
+# Install the executable scripts
+install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
+install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
+install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
+
+# Drop pre-generated GOST-ONLY and FEDORA policies, we do not need to ship them
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
+
+# Drop libreswan and sequoia config files
+find %{buildroot} -type f -name 'libreswan.*' -print -delete
+find %{buildroot} -type f -name 'sequoia.*' -print -delete
+
+# Drop not needed fips bind mount service
+find %{buildroot} -type f -name 'default-fips-config' -print -delete
+find %{buildroot} -type f -name 'fips-setup-helper' -print -delete
+find %{buildroot} -type f -name 'fips-crypto-policy-overlay*' -print -delete
+
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
+ mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+ for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+ ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+ done
+done
+
+for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
+ ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
+done
+
+# Fix shebang in scripts
+for f in %{buildroot}%{_datadir}/crypto-policies/python/*
+do
+ [ -f $f ] && sed -i "1s@#!.*python.*@#!$(realpath /usr/bin/python3)@" $f
+done
+
+%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
+
+# Install README.SUSE to %%doc
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+
+%check
+%if %{with testsuite}
+export OPENSSL_CONF=''
+%make_build test
+%make_build test-install test-fips-setup || :
+%endif
+
+%post -p
+if not posix.access("%{_sysconfdir}/crypto-policies/config") then
+ local policy = "DEFAULT"
+ local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
+ if cf then
+ if cf:read() == "1" then
+ policy = "FIPS"
+ end
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ local policypath = "%{_datarootdir}/crypto-policies/"..policy
+ for fn in posix.files(policypath) do
+ if fn ~= "." and fn ~= ".." then
+ local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
+ local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
+ posix.unlink(cfgfn)
+ posix.symlink(policypath.."/"..fn, cfgfn)
+ end
+ end
+end
+
+cfg_path_libreswan = "%{_sysconfdir}/crypto-policies/back-ends/libreswan.config"
+st = posix.stat(cfg_path_libreswan)
+if st and st.type == "link" then
+ posix.unlink(cfg_path_libreswan)
+end
+
+cfg_path_javasystem = "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config"
+st = posix.stat(cfg_path_javasystem)
+if st and st.type == "link" then
+ posix.unlink(cfg_path_javasystem)
+end
+
+%posttrans scripts
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
+
+%files
+%license COPYING.LESSER
+%doc README.md CONTRIBUTING.md
+%doc %{_sysconfdir}/crypto-policies/README.SUSE
+
+%dir %{_sysconfdir}/crypto-policies/
+%dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
+%dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
+%dir %{_datarootdir}/crypto-policies/
+
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
+
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.
+
+%ghost %{_sysconfdir}/crypto-policies/state/current
+%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+%{_mandir}/man7/crypto-policies.7%{?ext_man}
+%{_datarootdir}/crypto-policies/LEGACY
+%{_datarootdir}/crypto-policies/DEFAULT
+%{_datarootdir}/crypto-policies/FUTURE
+%{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/BSI
+%{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
+%{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+
+%files scripts
+%{_bindir}/update-crypto-policies
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
+%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_mandir}/man8/fips-mode-setup.8%{?ext_man}
+%{_mandir}/man8/fips-finish-install.8%{?ext_man}
+%{_datarootdir}/crypto-policies/python
+
+%changelog
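Review bot: In `%check`, `%make_build test-install test-fips-setup || :` discards the result of those two targets, so a regression in the installed layout or in fips-mode-setup can never fail the build; drop the `|| :`, or if those targets are known not to work inside the build environment, add a comment naming which one and why. The whole `%check` body is additionally behind `%bcond_with testsuite`, which is off by default, so the SUSE-specific edits to DEFAULT.pol and tests/outputs carried by Patch8 and Patch9 are not exercised by a default build at all. The comment above Patch1 tells maintainers to regenerate the man pages with `--with testsuite`, but the bcond that pulls in asciidoc is `manbuild`; it should read `# man pages locally (use --with manbuild) and add the built files`. Also, `%post -p` appears here with nothing after `-p` — if that is not an artifact of this listing, the Lua interpreter name must follow it or the posix/io calls below will not run.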
diff --git a/fedora-crypto-policies-20230920.570ea89.tar.gz b/fedora-crypto-policies-20230920.570ea89.tar.gz
new file mode 100644
index 0000000..033597b
--- /dev/null
+++ b/fedora-crypto-policies-20230920.570ea89.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5af6d1bf4e8f75e27dbcfb27f83814dd486926b302325e4974a96f0a806892c5
+size 90127
diff --git a/fedora-crypto-policies-20250124.4d262e7.tar.gz b/fedora-crypto-policies-20250124.4d262e7.tar.gz
new file mode 100644
index 0000000..e427784
--- /dev/null
+++ b/fedora-crypto-policies-20250124.4d262e7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:33d72a26ed1543702fc5c8aca8cea0b71667fa2fb9040ed9850480fe3235dfbf
+size 102444
diff --git a/fips-finish-install.8.gz b/fips-finish-install.8.gz
new file mode 100644
index 0000000..a882f5e
--- /dev/null
+++ b/fips-finish-install.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:93e6dcce6491836df86af048bd0e800868e818359ad4749f7441817e5f11891e
+size 949
diff --git a/fips-mode-setup.8.gz b/fips-mode-setup.8.gz
new file mode 100644
index 0000000..219903c
--- /dev/null
+++ b/fips-mode-setup.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a9d4ded30f73bf76626f79f507c164a82fac54bed8daa6e9e40d3af46f276a67
+size 1782
diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz
new file mode 100644
index 0000000..adbc707
--- /dev/null
+++ b/update-crypto-policies.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:492615feef5d98e42ca928ddc05114ef7a93df1752afbf5a0db8cf0625071b59
+size 4149
-- 
2.51.1
From c8ef763331c37f238fe13377d2bb43c82474b4505f9029e9f63550cc339da3a3 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez Date: Mon, 30 Jun 2025 09:24:21 +0000 Subject: [PATCH 11/11] - Allow openssl to load when using the DEFAULT policy, and also other policies, in FIPS mode. [bsc#1243830, bsc#1242233] * Add crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=44 --- .gitattributes | 23 + .gitignore | 1 + README.SUSE | 6 + _service | 14 + _servicedata | 4 + ...-openssl-other-policies-in-FIPS-mode.patch | 15 + ...llow-sshd-in-FIPS-mode-using-DEFAULT.patch | 50 ++ crypto-policies-FIPS.patch | 319 +++++++++++ ...licies-enable-SHA1-sigver-in-DEFAULT.patch | 78 +++ crypto-policies-no-build-manpages.patch | 28 + crypto-policies-nss.patch | 42 ++ crypto-policies-policygenerators.patch | 40 ++ crypto-policies-pylint.patch | 15 + crypto-policies-rpmlintrc | 3 + crypto-policies-supported.patch | 37 ++ crypto-policies.7.gz | 3 + crypto-policies.changes | 508 ++++++++++++++++++ crypto-policies.spec | 296 ++++++++++ ...ra-crypto-policies-20230920.570ea89.tar.gz | 3 + ...ra-crypto-policies-20250124.4d262e7.tar.gz | 3 + fips-finish-install.8.gz | 3 + fips-mode-setup.8.gz | 3 + update-crypto-policies.8.gz | 3 + 23 files changed, 1497 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 README.SUSE create mode 100644 _service create mode 100644 _servicedata create mode 100644 crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch create mode 100644 crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch create mode 100644 crypto-policies-FIPS.patch create mode 100644 crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch create mode 100644 crypto-policies-no-build-manpages.patch create mode 100644 crypto-policies-nss.patch create mode 100644 crypto-policies-policygenerators.patch create mode 100644 crypto-policies-pylint.patch create mode 100644 crypto-policies-rpmlintrc create mode 100644 
crypto-policies-supported.patch create mode 100644 crypto-policies.7.gz create mode 100644 crypto-policies.changes create mode 100644 crypto-policies.spec create mode 100644 fedora-crypto-policies-20230920.570ea89.tar.gz create mode 100644 fedora-crypto-policies-20250124.4d262e7.tar.gz create mode 100644 fips-finish-install.8.gz create mode 100644 fips-mode-setup.8.gz create mode 100644 update-crypto-policies.8.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..3cc4b70 --- /dev/null +++ b/README.SUSE @@ -0,0 +1,6 @@ +Currently, the supported back-end policies are: + * OpenSSL library + * GnuTLS library + * OpenJDK + +The rest of the modules ignore the policy settings for the time being. 
diff --git a/_service b/_service new file mode 100644 index 0000000..c304113 --- /dev/null +++ b/_service @@ -0,0 +1,14 @@ + + + https://gitlab.com/redhat-crypto/fedora-crypto-policies.git + git + %cd.%h + enable + 4d262e79be1cd15c84cad55ad88c53a2d7712e85 + + + *.tar + gz + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..5ed3ec5 --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://gitlab.com/redhat-crypto/fedora-crypto-policies.git + 4d262e79be1cd15c84cad55ad88c53a2d7712e85 \ No newline at end of file diff --git a/crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch b/crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch new file mode 100644 index 0000000..fa07f44 --- /dev/null +++ b/crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch @@ -0,0 +1,15 @@ +Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/openssl.py +=================================================================== +--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/openssl.py ++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/openssl.py +@@ -312,8 +312,8 @@ class OpenSSLConfigGenerator(OpenSSLGene + 'SECP256R1': 'secp256r1', + 'SECP384R1': 'secp384r1', + 'SECP521R1': 'secp521r1', +- 'X25519': 'X25519', +- 'X448': 'X448', ++ 'X25519': '?X25519', ++ 'X448': '?X448', + 'FFDHE-2048': 'ffdhe2048', + 'FFDHE-3072': 'ffdhe3072', + 'FFDHE-4096': 'ffdhe4096', diff --git a/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch b/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch new file mode 100644 index 0000000..c7c3e96 --- /dev/null +++ b/crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch 
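Review bot: The generator change to `'?X25519'` / `'?X448'` is not mirrored in the expected outputs: the `tests/outputs/*-opensslcnf.txt` files touched later in this series still carry `Groups = X25519:secp256r1:X448:secp521r1...` as context, so a `--with testsuite` build will diff the new `?X25519` output against stale expectations; this patch should update those files the way the sshd patch updates its openssh outputs. As far as I recall, the `?` prefix is only understood by the OpenSSL `Groups` parser from 3.3 onward, and earlier 3.x rejects an unknown group name outright, which would make the DEFAULT config fail to load on every non-FIPS host; please confirm the minimum openssl this is built against and, if needed, raise the `Conflicts: openssl < 3.0.2` floor in the spec to match. A one-line comment above the mapping, e.g. `# '?' marks the group optional so a FIPS provider without X25519/X448 can still load the config`, would record why these two differ from the NIST curves. The enclosing mapping in openssl.py starts and ends outside the hunk.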
@@ -0,0 +1,50 @@ +diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol +--- fedora-crypto-policies-20250124.4d262e7-orig/policies/DEFAULT.pol 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/policies/DEFAULT.pol 2025-03-18 14:39:54.565216139 +0100 +@@ -15,9 +15,11 @@ + + mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512 + mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1 ++mac@SSH = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512 + + group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \ + FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 ++group@SSH = -X25519 + + hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA3-224 \ + SHAKE-256 +@@ -53,7 +55,8 @@ cipher@RPM = AES-256-CFB AES-128-CFB CAM + + # CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks + # and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014). +-cipher@SSH = -*-CBC ++# disable also chachapoly, as we might run DEFAULT in FIPS mode too. ++cipher@SSH = AES-256-GCM AES-256-CCM CAMELLIA-256-GCM AES-256-CTR AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR + + # 'RSA' is intentionally before DHE ciphersuites, as the DHE ciphersuites have + # interoperability issues in TLS. 
+diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt +--- fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-opensshserver.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-opensshserver.txt 2025-03-18 14:40:54.831266197 +0100 +@@ -1,5 +1,5 @@ +-Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +-MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 + GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- + KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 + HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +diff -PpuriN fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt +--- 
fedora-crypto-policies-20250124.4d262e7-orig/tests/outputs/DEFAULT-openssh.txt 2025-01-24 18:31:31.000000000 +0100 ++++ fedora-crypto-policies-20250124.4d262e7/tests/outputs/DEFAULT-openssh.txt 2025-03-18 15:41:32.234673018 +0100 +@@ -1,7 +1,8 @@ +-Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +-MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 + GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- + KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com + PubkeyAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com + HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com + CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch new file mode 100644 index 0000000..c30993a --- /dev/null +++ b/crypto-policies-FIPS.patch 
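Review bot: `group@SSH = -X25519` removes X25519 from the SSH key-exchange set, yet the expected outputs in the same patch keep `KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,...` and `GSSAPIKexAlgorithms gss-curve25519-sha256-,...` as unchanged context; if the openssh generator derives those lines from `group@SSH` the way the Ciphers/MACs lines are derived from `cipher@SSH`/`mac@SSH`, either the directive is ineffective or the expected files are stale and the testsuite will fail, so they should be regenerated from the patched policy rather than edited by hand. The `DEFAULT-openssh.txt` hunk also adds a `HostKeyAlgorithms` line that nothing in this patch makes the client generator emit, which points the same way. More broadly, this drops chacha20-poly1305, UMAC and X25519 from DEFAULT on every host, not only FIPS-enabled ones; the comment `# disable also chachapoly, as we might run DEFAULT in FIPS mode too.` should state that trade-off explicitly and cite bsc#1227370 so the next maintainer knows why DEFAULT diverges from upstream. The DEFAULT.pol hunks are excerpts; the policy file continues outside them.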
@@ -0,0 +1,319 @@ +Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup ++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then + exit 1 + fi + ++# This check must be done as root, otherwise it will fail. ++is_transactional_system=0 ++if test ! -w /usr ; then ++ is_transactional_system=1 ++fi ++ ++# We don't handle the setup on transactional systems as the process is ++# quite different and involves several reboots. ++if test "$is_transactional_system" = 1 && test "$check" = 0 ; then ++ cond_echo -n "Cannot handle transactional systems. " ++ cond_echo "Please, refer to the fips-mode-setup man pages for more information." ++ exit 1 ++fi + + # Detect 1: kernel FIPS flag + fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled) +@@ -167,10 +180,10 @@ if test $check = 1 ; then + fi + + # Boot configuration +-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then +- echo >&2 "The grubby command is missing, please configure the bootloader manually." +- boot_config=0 +-fi ++# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then ++# echo >&2 "The grubby command is missing, please configure the bootloader manually." ++# boot_config=0 ++# fi + + if test "$boot_config" = 1 && test ! -d /boot ; then + echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)." +@@ -236,20 +249,42 @@ if test "$boot_config" = 1 ; then + fi + fi + ++if test "$boot_config" = 1 ; then ++ # Install required packages: patterns-base-fips and perl-Bootloader ++ if test ! -f /etc/dracut.conf.d/40-fips.conf && \ ++ test ! -x "$(command -v pbl)" && \ ++ test "$enable_fips" = 1; then ++ zypper -n install patterns-base-fips perl-Bootloader ++ elif test ! 
-f /etc/dracut.conf.d/40-fips.conf && \ ++ test "$enable_fips" = 1 ; then ++ zypper -n install patterns-base-fips ++ elif test ! -x "$(command -v pbl)" ; then ++ zypper -n install perl-Bootloader ++ fi ++ if test $? != 0 ; then ++ echo "The pbl command or the fips pattern are missing, please configure the bootloader manually." ++ boot_config=0 ++ fi ++fi ++ + echo "FIPS mode will be $(enable2txt $enable_fips)." + + fipsopts="fips=$enable_fips$boot_device_opt" + + if test "$boot_config" = 1 ; then +- grubby --update-kernel=ALL --args="$fipsopts" +- if test x"$(uname -m)" = xs390x; then +- if command -v zipl >/dev/null; then +- zipl +- else +- echo -n '`zipl` execution has been skipped: ' +- echo '`zipl` not found.' +- fi +- fi ++ pbl --add-option "$fipsopts" ++ pbl --config; pbl --install && dracut -f --regenerate-all ++ ++ # grubby --update-kernel=ALL --args="$fipsopts" ++ # if test x"$(uname -m)" = xs390x; then ++ # if command -v zipl >/dev/null; then ++ # zipl ++ # else ++ # echo -n '`zipl` execution has been skipped: ' ++ # echo '`zipl` not found.' ++ # fi ++ # fi ++ + echo "Please reboot the system for the setting to take effect." + else + echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" +Index: fedora-crypto-policies-20240201.9f501f3/fips-finish-install +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-finish-install ++++ fedora-crypto-policies-20240201.9f501f3/fips-finish-install +@@ -24,6 +24,15 @@ fi + + umask 022 + ++# Install required packages: patterns-base-fips and perl-Bootloader ++if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then ++ zypper -n install patterns-base-fips perl-Bootloader ++elif test ! -f $dracut_cfg ; then ++ zypper -n install patterns-base-fips ++elif test ! -x "$(command -v pbl)" ; then ++ zypper -n install perl-Bootloader ++fi ++ + if test ! -d $dracut_cfg_d -o ! 
-d /boot -o "$is_ostree_system" = 1 ; then + # No dracut configuration or boot directory present, do not try to modify it. + # Also, on OSTree systems, we currently rely on the initrd already including +@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! -d /boot + exit 0 + fi + +-if test x"$1" == x--complete; then +- trap "rm -f $dracut_cfg" ERR +- cat >$dracut_cfg </dev/null; then +- zipl +- else +- echo '`zipl` execution has been skipped: `zipl` not found.' +- fi +-fi ++# if test x"$1" == x--complete; then ++# trap "rm -f $dracut_cfg" ERR ++# cat >$dracut_cfg </dev/null; then ++# zipl ++# else ++# echo '`zipl` execution has been skipped: `zipl` not found.' ++# fi ++# fi +Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup.8.txt ++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup.8.txt +@@ -45,6 +45,23 @@ Then the command modifies the boot loade + When disabling the system FIPS mode the system crypto policy is switched + to DEFAULT and the kernel command line option 'fips=0' is set. + ++On transactional systems, enabling the system in FIPS mode with the ++fips-mode-setup tool is not implemented. To enable the FIPS mode in these ++systems requires the following steps: ++ ++ 1.- Install the FIPS pattern on a running system: ++ # transactional-update pkg install -t pattern microos-fips ++ ++ 2.- Reboot your system. ++ ++ 3.- Add the kernel command line parameter fips=1 to the boot loader ++ configuration. To do so, edit the file /etc/default/grub and add ++ fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable. ++ ++ 4.- After logging in to the system, run: ++ # transactional-update grub.cfg ++ ++ 5.- Reboot your system. 
+ + [[options]] + OPTIONS +Index: fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +=================================================================== +--- fedora-crypto-policies-20240201.9f501f3.orig/fips-mode-setup ++++ fedora-crypto-policies-20240201.9f501f3/fips-mode-setup +@@ -8,7 +8,6 @@ check=0 + boot_config=1 + err_if_disabled=0 + output_text=1 +-uki_file=/sys/firmware/efi/efivars/StubInfo-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f + + is_ostree_system=0 + if test -f /run/ostree-booted -o -d /ostree; then +@@ -61,18 +60,13 @@ while test $# -ge 1 ; do + done + + if test $usage = 1 -o x$enable_fips = x ; then +- echo "Check, enable, or disable (unsupported) the system FIPS mode." ++ echo "Check, enable, or disable the system FIPS mode." + echo "usage: $0 --enable|--disable [--no-bootcfg]" + echo "usage: $0 --check" + echo "usage: $0 --is-enabled" + exit 2 + fi + +-if test -e "$uki_file" && test "$FIPS_MODE_SETUP_SKIP_UKI_CHECK" != 1; then +- echo >&2 "UKI detected ($uki_file is present), forcing --no-bootcfg." +- boot_config=0 +-fi +- + # We don't handle the boot config on OSTree systems for now; it is assumed to be + # handled at a higher level. E.g. in Fedora CoreOS and RHEL CoreOS, it is + # intrinsically tied to the firstboot procedure. +@@ -186,12 +180,6 @@ if test $check = 1 ; then + exit 0 + fi + +-# Boot configuration +-# if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then +-# echo >&2 "The grubby command is missing, please configure the bootloader manually." +-# boot_config=0 +-# fi +- + if test "$boot_config" = 1 && test ! -d /boot ; then + echo >&2 "/boot directory is missing, FIPS mode cannot be $(enable2txt $enable_fips)." + echo >&2 "If you want to configure the bootloader manually, re-run with --no-bootcfg." 
+@@ -204,39 +192,6 @@ if test "$boot_config" = 1 && test -z "$ + exit 1 + fi + +-if test "$FIPS_MODE_SETUP_SKIP_ARGON2_CHECK" != 1 && \ +- test -x "$(command -v cryptsetup)" ; then +- # Best-effort detection of LUKS Argon2 usage +- argon2_found='' +- # two redundant ways to list device names +- devs=$( (find /dev/mapper/ -type l -printf '%f\n'; \ +- dmsetup ls --target crypt | cut -f1) \ +- | sort -u) +- while IFS= read -r devname; do +- back=$(cryptsetup status "$devname" | \ +- grep -F device: | +- sed -E 's/.*device:\s+//') +- if ! test -b "$back"; then +- echo >&2 -n "Warning: detected device '$back' " +- echo >&2 -n 'is not a valid block device. ' +- echo >&2 'Cannot check whether it uses Argon2.' +- continue +- fi +- dump=$(cryptsetup luksDump "$back") +- if grep -qEi 'PBKDF:.*argon' <<<"$dump"; then +- argon2_found+=" $back($devname)" +- fi +- done <<<"$devs" +- if test -n "$argon2_found" ; then +- echo >&2 -n "The following encrypted devices use Argon2 PBKDF:" +- echo >&2 "$argon2_found" +- echo >&2 'Aborting fips-mode-setup because of that.' +- echo >&2 -n 'Please refer to the ' +- echo >&2 'cryptsetup-luksConvertKey(8) manpage.' +- exit 76 +- fi +-fi +- + if test "$FIPS_MODE_SETUP_SKIP_WARNING" != 1 ; then + if test $enable_fips = 1 ; then + echo >&2 "*****************************************************************" +@@ -244,15 +199,13 @@ if test "$FIPS_MODE_SETUP_SKIP_WARNING" + echo >&2 "* *" + echo >&2 "* ENABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED. *" + echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *" +- echo >&2 "* REINSTALL WITH fips=1 INSTEAD. *" + echo >&2 "*****************************************************************" + elif test $enable_fips = 0 ; then + echo >&2 "*****************************************************************" + echo >&2 "* PRESS CONTROL-C WITHIN 15 SECONDS TO ABORT... *" + echo >&2 "* *" +- echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT SUPPORTED. 
*" ++ echo >&2 "* DISABLING FIPS MODE AFTER THE INSTALLATION IS NOT RECOMMENDED.*" + echo >&2 "* THIS OPERATION CANNOT BE UNDONE. *" +- echo >&2 "* WIPE ALL MEDIA AND REINSTALL WITHOUT fips=1 INSTEAD. *" + echo >&2 "*****************************************************************" + fi + for i in {15..1}; do +@@ -339,21 +292,10 @@ fipsopts="fips=$enable_fips$boot_device_ + if test "$boot_config" = 1 ; then + pbl --add-option "$fipsopts" + pbl --config; pbl --install && dracut -f --regenerate-all +- +- # grubby --update-kernel=ALL --args="$fipsopts" +- # if test x"$(uname -m)" = xs390x; then +- # if command -v zipl >/dev/null; then +- # zipl +- # else +- # echo -n '`zipl` execution has been skipped: ' +- # echo '`zipl` not found.' +- # fi +- # fi +- +- echo "Please reboot the system for the setting to take effect." ++ echo "Please reboot the system for the settings to take effect." + else + echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" +- echo "and reboot the system for the setting to take effect." ++ echo "and reboot the system for the settings to take effect." + fi + + exit 0 diff --git a/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch b/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch new file mode 100644 index 0000000..fd1821e --- /dev/null +++ b/crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch 
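Review bot: The bootloader update in fips-mode-setup is not error-checked: `pbl --add-option "$fipsopts"` and `pbl --config` run without their status being tested (the `;` before `pbl --install` discards the `--config` result), and unless the script runs under set -e, which is not visible here, it still prints `Please reboot the system for the settings to take effect.` and exits 0 when the kernel command line was never changed, so an operator can be told FIPS mode is enabled when it is not. Chain them and fail loudly, e.g. `pbl --add-option "$fipsopts" && pbl --config && pbl --install && dracut -f --regenerate-all || { echo >&2 "Failed to update the bootloader/initrd for $fipsopts"; exit 1; }`. The patch also deletes upstream's LUKS Argon2 detection (the `FIPS_MODE_SETUP_SKIP_ARGON2_CHECK` block) and the UKI check without replacement; if cryptsetup on this platform likewise refuses Argon2 PBKDF under fips=1, enabling FIPS on such a system leaves its encrypted volumes un-unlockable at next boot, so either keep the check or record in the patch header why it does not apply. Running `zypper -n install` from inside fips-mode-setup and fips-finish-install is a side effect worth a sentence in the man page, since it needs reachable repositories and auto-accepts the transaction.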
@@ -0,0 +1,78 @@
+diff -PpuriN a/policies/DEFAULT.pol b/policies/DEFAULT.pol
+--- a/policies/DEFAULT.pol 2025-04-09 14:18:34.954692496 +0200
++++ b/policies/DEFAULT.pol 2025-04-09 14:19:26.564391482 +0200
+@@ -90,4 +90,4 @@ hash@RPM = SHA1+
+ min_dsa_size@RPM = 1024
+ 
+ # https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+-__openssl_block_sha1_signatures = 1
++__openssl_block_sha1_signatures = 0
+diff -PpuriN a/policies/LEGACY.pol b/policies/LEGACY.pol
+--- a/policies/LEGACY.pol 2025-04-09 14:18:34.955756041 +0200
++++ b/policies/LEGACY.pol 2025-04-09 14:22:03.873723462 +0200
+@@ -82,6 +82,8 @@ min_rsa_size = 1024
+ 
+ # GnuTLS only for now
+ sha1_in_certs = 1
++# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
++__openssl_block_sha1_signatures = 0
+ 
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+diff -PpuriN a/policies/modules/SHA1.pmod b/policies/modules/SHA1.pmod
+--- a/policies/modules/SHA1.pmod 2025-04-09 14:18:34.957749606 +0200
++++ b/policies/modules/SHA1.pmod 2025-04-09 14:23:41.203919619 +0200
+@@ -6,4 +6,5 @@ sign = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA
+ 
+ sha1_in_certs = 1
+ 
++# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+ __openssl_block_sha1_signatures = 0
+diff -PpuriN a/tests/alternative-policies/DEFAULT.pol b/tests/alternative-policies/DEFAULT.pol
+--- a/tests/alternative-policies/DEFAULT.pol 2025-04-09 14:18:34.963027557 +0200
++++ b/tests/alternative-policies/DEFAULT.pol 2025-04-09 14:24:34.158026329 +0200
+@@ -93,4 +93,4 @@ hash@rpm-sequoia = SHA1+
+ min_dsa_size@rpm-sequoia = 1024
+ 
+ # https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
+-__openssl_block_sha1_signatures = 1
++__openssl_block_sha1_signatures = 0
+diff -PpuriN a/tests/alternative-policies/LEGACY.pol b/tests/alternative-policies/LEGACY.pol
+--- a/tests/alternative-policies/LEGACY.pol 2025-04-09 14:18:34.963615512 +0200
++++ b/tests/alternative-policies/LEGACY.pol 2025-04-09 14:25:11.675101933 +0200
+@@ -90,6 +90,8 @@ min_rsa_size = 1024
+ 
+ # GnuTLS only for now
+ sha1_in_certs = 1
++# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
++__openssl_block_sha1_signatures = 0
+ 
+ # SHA1 is still prevalent in DNSSec
+ sha1_in_dnssec = 1
+diff -PpuriN a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+--- a/tests/outputs/DEFAULT:GOST-opensslcnf.txt 2025-04-09 14:18:34.968542814 +0200
++++ b/tests/outputs/DEFAULT:GOST-opensslcnf.txt 2025-04-09 16:23:01.596169638 +0200
+@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1
+ alg_section = evp_properties
+ 
+ [evp_properties]
+-rh-allow-sha1-signatures = no
++rh-allow-sha1-signatures = yes
+diff -PpuriN a/tests/outputs/DEFAULT-opensslcnf.txt b/tests/outputs/DEFAULT-opensslcnf.txt
+--- a/tests/outputs/DEFAULT-opensslcnf.txt 2025-04-09 14:18:34.967607477 +0200
++++ b/tests/outputs/DEFAULT-opensslcnf.txt 2025-04-09 16:21:21.456007296 +0200
+@@ -11,4 +11,4 @@ Groups = X25519:secp256r1:X448:secp521r1
+ alg_section = evp_properties
+ 
+ [evp_properties]
+-rh-allow-sha1-signatures = no
++rh-allow-sha1-signatures = yes
+diff -PpuriN a/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt b/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt
+--- a/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 2025-04-09 14:18:34.969495452 +0200
++++ b/tests/outputs/DEFAULT:TEST-PQ-opensslcnf.txt 2025-04-09 16:21:54.571054558 +0200
+@@ -11,4 +11,4 @@ Groups = ?x25519_kyber768:?p256_kyber768
+ alg_section = evp_properties
+ 
+ [evp_properties]
+-rh-allow-sha1-signatures = no
++rh-allow-sha1-signatures = yes
diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch
new file mode 100644
index 0000000..005a9a8
--- /dev/null
+++ b/crypto-policies-no-build-manpages.patch
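Review bot: The DEFAULT.pol hunk gives no in-file reason for turning `__openssl_block_sha1_signatures` back to 0, so the only trace of why SHA-1 signature verification is re-enabled on DEFAULT-policy systems (the DEFAULT-opensslcnf.txt expectation now reads `rh-allow-sha1-signatures = yes`) is the changelog entry; a comment next to the value, e.g. `# openSUSE: SHA-1 signature verification kept enabled in DEFAULT for compatibility, see crypto-policies.changes`, would survive the next rebase and mark the deviation from the upstream hardening. The two LEGACY.pol hunks add the same directive, yet only the three DEFAULT* files under tests/outputs have their expected value flipped; if LEGACY previously inherited a blocking default its expected output presumably needs the same change, and if it did not, the added LEGACY lines are a no-op that could be dropped. The SHA1.pmod hunk only adds the reference URL above an unchanged value, which is fine as documentation.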
@@ -0,0 +1,28 @@
+Index: fedora-crypto-policies-20250124.4d262e7/Makefile
+===================================================================
+--- fedora-crypto-policies-20250124.4d262e7.orig/Makefile
++++ fedora-crypto-policies-20250124.4d262e7/Makefile
+@@ -34,9 +34,9 @@ install: $(MANPAGES)
+ mkdir -p $(DESTDIR)$(BINDIR)
+ mkdir -p $(DESTDIR)$(LIBEXECDIR)
+ mkdir -p $(DESTDIR)$(UNITDIR)
+- install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+- install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+- install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
++ # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
++ # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
++ # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+ install -p -m 644 $(UNITS) $(DESTDIR)$(UNITDIR)
+ install -p -m 755 $(LIBEXEC_SCRIPTS) $(DESTDIR)$(LIBEXECDIR)
+ mkdir -p $(DESTDIR)$(DIR)/
+@@ -133,8 +133,8 @@ clean:
+ rm -rf output
+ 
+ %: %.txt
+- $(ASCIIDOC) -v -d manpage -b docbook $<
+- xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
++ #$(ASCIIDOC) -v -d manpage -b docbook $<
++ #xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
+ 
+ dist:
+ rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
diff --git a/crypto-policies-nss.patch b/crypto-policies-nss.patch
new file mode 100644
index 0000000..a00acba
--- /dev/null
+++ b/crypto-policies-nss.patch
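Review bot: The three `install` lines in the first hunk and the two recipe lines under `%: %.txt` are commented out rather than removed, which leaves dead recipe text (a `#` on a recipe line is handed to the shell, not treated as a make comment) and, in the `$(SCRIPTS)` case, silently drops an install step that the patch name does not announce. Because `install:` still lists `$(MANPAGES)` as prerequisites, it is the emptied pattern rule that lets `make install` proceed without asciidoc/xsltproc; that intent is clearer as an explicit empty rule, `%: %.txt ;`, plus a comment saying the pre-built .gz pages are shipped by the package (the changelog gives avoiding build cycles as the reason), with the install lines deleted outright. If the spec's %install section installs `$(SCRIPTS)` itself (that section is outside this view), a line in the patch header saying so would keep the next rebase from restoring it.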
@@ -0,0 +1,42 @@
+Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
+===================================================================
+--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/nss.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/nss.py
+@@ -422,12 +422,20 @@ class NSSGenerator(ConfigGenerator):
+ try:
+ with os.fdopen(fd, 'w') as f:
+ f.write(config)
+- try:
+- ret = call(f'/usr/bin/nss-policy-check {options} {path}'
+- '>/dev/null',
+- shell=True)
+- except CalledProcessError:
+- cls.eprint("/usr/bin/nss-policy-check: Execution failed")
++ if os.path.exists('/usr/bin/nss-policy-check'):
++ # Perform a policy check only if the mozilla-nss-tools
++ # package is installed. This avoids adding more
++ # dependencies to Ring0.
++ try:
++ ret = call(f'/usr/bin/nss-policy-check {options} {path}'
++ '>/dev/null', shell=True)
++ except CalledProcessError:
++ cls.eprint("/usr/bin/nss-policy-check: Execution failed")
++ else:
++ # The mozilla-nss-tools package is not installed and we can
++ # temporarily skip the policy check for mozilla-nss.
++ ret = 3
++
+ finally:
+ os.unlink(path)
+ 
+@@ -435,6 +443,10 @@ class NSSGenerator(ConfigGenerator):
+ cls.eprint("There is a warning in NSS generated policy")
+ cls.eprint(f'Policy:\n{config}')
+ return False
++ elif ret == 3:
++ cls.eprint('Skipping NSS policy check: '
++ '/usr/bin/nss-policy-check not found')
++ return True
+ if ret:
+ cls.eprint("There is an error in NSS generated policy")
+ cls.eprint(f'Policy:\n{config}')
diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch
new file mode 100644
index 0000000..d2b0a9c
--- /dev/null
+++ b/crypto-policies-policygenerators.patch
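Review bot: `ret = 3` in the new else branch uses a value from nss-policy-check's own exit-code space as the "tool not installed" marker, so the `elif ret == 3:` added in the second hunk would also print "Skipping" and return True if the tool itself ever exits with 3 (which codes it uses is not visible here); a marker outside that space keeps the cases apart, e.g. `ret = None` in the else branch and `elif ret is None:` below. While the call is being rewritten anyway, an argument list with `stdout=subprocess.DEVNULL` instead of a formatted string with `shell=True` would remove the dependence on `options` and `path` being free of shell metacharacters, whether or not they can carry any today. If `call` is `subprocess.call`, it never raises `CalledProcessError`, so the retained except branch is dead code. The enclosing method begins before the first hunk and continues after the second.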
@@ -0,0 +1,40 @@
+Index: fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
+===================================================================
+--- fedora-crypto-policies-20250124.4d262e7.orig/python/policygenerators/__init__.py
++++ fedora-crypto-policies-20250124.4d262e7/python/policygenerators/__init__.py
+@@ -7,7 +7,7 @@ from .bind import BindGenerator
+ from .gnutls import GnuTLSGenerator
+ from .java import JavaGenerator
+ from .krb5 import KRB5Generator
+-from .libreswan import LibreswanGenerator
++# from .libreswan import LibreswanGenerator
+ from .libssh import LibsshGenerator
+ from .nss import NSSGenerator
+ from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
+@@ -16,14 +16,13 @@ from .openssl import (
+ OpenSSLFIPSGenerator,
+ OpenSSLGenerator,
+ )
+-from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
++#from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
+ 
+ __all__ = [
+ 'BindGenerator',
+ 'GnuTLSGenerator',
+ 'JavaGenerator',
+ 'KRB5Generator',
+- 'LibreswanGenerator',
+ 'LibsshGenerator',
+ 'NSSGenerator',
+ 'OpenSSHClientGenerator',
+@@ -31,6 +30,8 @@ __all__ = [
+ 'OpenSSLConfigGenerator',
+ 'OpenSSLFIPSGenerator',
+ 'OpenSSLGenerator',
+- 'RPMSequoiaGenerator',
+- 'SequoiaGenerator',
+ ]
++
++ # 'LibreswanGenerator',
++ # 'RPMSequoiaGenerator',
++ # 'SequoiaGenerator',
diff --git a/crypto-policies-pylint.patch b/crypto-policies-pylint.patch
new file mode 100644
index 0000000..717f30a
--- /dev/null
+++ b/crypto-policies-pylint.patch
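Review bot: The three `# 'LibreswanGenerator'`-style lines appended after the closing `]` of `__all__` in the last hunk are indented comments outside any statement, and together with the two commented-out imports they record what was removed without saying why; one comment at the first hunk, e.g. `# openSUSE: the libreswan and sequoia back-ends are not shipped, so their generators are left out`, would carry the rationale the changelog and the man-page patch give, and the other commented lines could go. The two commented imports also differ in style (`# from` in the first hunk, `#from` in the second). If a test relies on the commented names remaining in this file (the Aug 31 2023 changelog entry about parsing commented lines hints at that), keep them but still add the reason.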
@@ -0,0 +1,15 @@
+Index: fedora-crypto-policies-20230614.5f3458e/Makefile
+===================================================================
+--- fedora-crypto-policies-20230614.5f3458e.orig/Makefile
++++ fedora-crypto-policies-20230614.5f3458e/Makefile
+@@ -44,8 +44,8 @@ runflake8:
+ @find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8
+ 
+ runpylint:
+- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc python
+- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc tests
++ PYTHONPATH=. pylint --rcfile=pylintrc python
++ PYTHONPATH=. pylint --rcfile=pylintrc tests
+ @echo "[ OK ]"
+ 
+ runcodespell:
diff --git a/crypto-policies-rpmlintrc b/crypto-policies-rpmlintrc
new file mode 100644
index 0000000..6fdbe70
--- /dev/null
+++ b/crypto-policies-rpmlintrc
@@ -0,0 +1,3 @@
+addFilter(".*files-duplicate.*")
+addFilter(".*zero-length.*")
+addFilter(".non-conffile-in-etc.*")
diff --git a/crypto-policies-supported.patch b/crypto-policies-supported.patch
new file mode 100644
index 0000000..bf29719
--- /dev/null
+++ b/crypto-policies-supported.patch
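Review bot: `addFilter(".non-conffile-in-etc.*")` in crypto-policies-rpmlintrc starts with a lone `.` where the two filters above it use `.*`; if rpmlint applies the pattern as an unanchored search, as the other two assume, it still matches whenever at least one character precedes the check name, so this is an inconsistency rather than a miss, and `addFilter(".*non-conffile-in-etc.*")` would line it up with its neighbours. Silencing non-conffile-in-etc hides files under /etc that are not marked %config, which deserves a justification in place: a comment such as `# back-end policies under /etc/crypto-policies are generated output, not admin-edited config` (the man-page text in crypto-policies-supported.patch states where the generated back-ends are placed) would tell the next reader why the warning is acceptable.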
@@ -0,0 +1,37 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt
++++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+@@ -54,23 +54,23 @@ are configured to follow the default pol
+ The generated back-end policies will be placed in /etc/crypto-policies/back-ends.
+ Currently the supported back-ends (and directive scopes they respect) are:
+ 
+-* GnuTLS library (GnuTLS, SSL, TLS)
++* GnuTLS library (GnuTLS, SSL, TLS) (Supported)
+ 
+-* OpenSSL library (OpenSSL, SSL, TLS)
++* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
+ 
+-* NSS library (NSS, SSL, TLS)
++* NSS library (NSS, SSL, TLS) (Supported)
+ 
+-* OpenJDK (java-tls, SSL, TLS)
++* OpenJDK (java-tls, SSL, TLS) (Supported)
+ 
+-* Libkrb5 (krb5, kerberos)
++* Libkrb5 (krb5, kerberos) (Supported)
+ 
+-* BIND (BIND, DNSSec)
++* BIND (BIND, DNSSec) (Supported)
+ 
+-* OpenSSH (OpenSSH, SSH)
++* OpenSSH (OpenSSH, SSH) (Supported)
+ 
+-* Libreswan (libreswan, IKE, IPSec)
++* Libreswan (libreswan, IKE, IPSec) (Not supported as its not available in SLE/openSUSE)
+ 
+-* libssh (libssh, SSH)
++* libssh (libssh, SSH) (Supported)
+ 
+ Applications and languages which rely on any of these back-ends will follow
+ the system policies as well. Examples are apache httpd, nginx, php, and
diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz
new file mode 100644
index 0000000..1f0f2a3
--- /dev/null
+++ b/crypto-policies.7.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a455bfe2ea82738a0237e3ab8c11256f78219436a1dbcc9c3ff0cb7f6a2019b
+size 7675
diff --git a/crypto-policies.changes b/crypto-policies.changes
new file mode 100644
index 0000000..1792654
--- /dev/null
+++ b/crypto-policies.changes
@@ -0,0 +1,508 @@ +------------------------------------------------------------------- +Mon Jun 30 08:01:55 UTC 2025 - Pedro Monreal + +- Allow openssl to load when using the DEFAULT policy, and also + other policies, in FIPS mode. [bsc#1243830, bsc#1242233] + * Add crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch + +------------------------------------------------------------------- +Wed Apr 9 12:32:47 UTC 2025 - Pedro Monreal + +- Update crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch + +------------------------------------------------------------------- +Thu Mar 27 10:37:18 UTC 2025 - Pedro Monreal + +- Relax the nss version requirement since the mlkem768secp256r1 + enablement has been reverted. + +------------------------------------------------------------------- +Tue Mar 18 13:45:44 UTC 2025 - Pedro Monreal + +- Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370] + * Add crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch + +------------------------------------------------------------------- +Tue Mar 11 12:40:44 UTC 2025 - Pedro Monreal + +- Enable SHA1 sigver in the DEFAULT policy. + * Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch + +------------------------------------------------------------------- +Fri Feb 28 13:18:00 UTC 2025 - Pedro Monreal + +- Fix fips-mode-setup in EFI or Secure Boot mode. 
[bsc#1227637] + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Wed Feb 12 11:45:57 UTC 2025 - Pedro Monreal + +- Remove dangling symlink for the libreswan config [bsc#1236858] +- Remove also sequoia config and generator files +- Remove not needed fips bind mount service + +------------------------------------------------------------------- +Tue Feb 04 10:18:07 UTC 2025 - Pedro Monreal + +- Update to version 20250124.4d262e7: [bsc#1239009, bsc#1236165] + * openssl: stricter enabling of Ciphersuites + * openssl: make use of -CBC and -AESGCM keywords + * openssl: add TLS 1.3 Brainpool identifiers + * fix warning on using experimental key_exchanges + * update-crypto-policies: don't output FIPS warning in fips mode + * openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256 + * openssh, libssh: refactor kx maps to use tuples + * alg_lists: mark MLKEM768/SNTRUP kex experimental + * nss: revert enabling mlkem768secp256r1 + * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber + * gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768 + * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768 + * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768 + * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256 + * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384... 
+ * python/update-crypto-policies: pacify pylint + * fips-mode-setup: tolerate fips dracut module presence w/o FIPS + * fips-mode-setup: small Argon2 detection fix + * SHA1: add __openssl_block_sha1_signatures = 0 + * fips-mode-setup: block if LUKS devices using Argon2 are detected + * update-crypto-policies: skip warning on --set=FIPS if bootc + * fips-setup-helper: skip warning, BTW + * fips-mode-setup: force --no-bootcfg when UKI is detected + * fips-setup-helper: add a libexec helper for anaconda + * fips-crypto-policy-overlay: automount FIPS policy + * openssh: make dss no longer enableble, support is dropped + * gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768 + * DEFAULT: switch to rh-allow-sha1-signatures = no... + * java: drop unused javasystem backend + * java: stop specifying jdk.tls.namedGroups in javasystem + * ec_min_size: introduce and use in java, default to 256 + * java: use and include jdk.disabled.namedCurves + * BSI: Update BSI policy for new 2024 minimum recommendations + * fips-mode-setup: flashy ticking warning upon use + * fips-mode-setup: add another scary "unsupported" + * CONTRIBUTING.md: add a small section on updating policies + * CONTRIBUTING.md: remove trailing punctuation from headers + * BSI: switch to 3072 minimum RSA key size + * java: make hash, mac and sign more orthogonal + * java: specify jdk.tls.namedGroups system property + * java: respect more key size restrictions + * java: disable anon ciphersuites, tying them to NULL... 
+ * java: start controlling / disable DTLSv1.0 + * nss: wire KYBER768 to XYBER768D00 + * nss: unconditionally load p11-kit-proxy.so + * gnutls: make DTLS0.9 controllable again + * gnutls: retire GNUTLS_NO_TLS_SESSION_HASH + * openssh: remove OPENSSH_MIN_RSA_SIZE / OPENSSH_MIN_RSA_SIZE_FORCE + * gnutls: remove extraneous newline + * sequoia: move away from subprocess.getstatusoutput + * python/cryptopolicies/cryptopolicies.py: add trailing commas + * python, tests: rename MalformedLine to MalformedLineError + * Makefile: introduce SKIP_LINTING flag for packagers to use + * Makefile: run ruff + * tests: use pathlib + * tests: run(check=True) + CalledProcessError where convenient + * tests: use subprocess.run + * tests/krb5.py: check all generated policies + * tests: print to stderr on error paths + * tests/nss.py: also use encoding='utf-8' + * tests/nss.py: also use removesuffix + * tests/nss.py: skip creating tempfiles + * tests/java.pl -> tests/java.py + * tests/gnutls.pl -> tests/gnutls.py + * tests/openssl.pl -> tests/openssl.py + * tests/verify-output.pl: remove + * libreswan: do not use up pfs= / ikev2= keywords for default behaviour + * Rebase patches: + - crypto-policies-no-build-manpages.patch + - crypto-policies-policygenerators.patch + - crypto-policies-supported.patch + - crypto-policies-nss.patch + +------------------------------------------------------------------- +Wed Nov 06 12:27:56 UTC 2024 - Pedro Monreal + +- Update to version 20241010.5930b9a: + * LEGACY: enable 192-bit ciphers for nss pkcs12/smime + * nss: be stricter with new purposes + * nss: rewrite backend for 3.101 + * cryptopolicies: parent scopes for dumping purposes + * policygenerators: move scoping inside generators + * TEST-PQ: disable pure Kyber768 + * nss: wire XYBER768D00 to X25519-KYBER768 + * TEST-PQ: update + * TEST-PQ: also enable sntrup761x25519-sha512@openssh.com + * TEST-PQ, alg_lists, openssl: enable more experimental `sign` values + * TEST-PQ, python: add more groups, mark 
experimental + * openssl: mark liboqsprovider groups optional with ? + * Remove patches: + - crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Tue Feb 06 10:29:11 UTC 2024 - Pedro Monreal + +- Update to version 20240201.9f501f3: + * .gitlab-ci.yml: install sequoia-policy-config + * java: disable ChaCha20-Poly1305 where applicable + * fips-mode-setup: make sure ostree is detected in chroot + * fips-finish-install: make sure ostree is detected in chroot + * TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl + * TEST-PQ: add a no-op subpolicy + * update-crypto-policies: Keep mid-sentence upper case + * fips-mode-setup: Write error messages to stderr + * fips-mode-setup: Fix some shellcheck warnings + * fips-mode-setup: Fix test for empty /boot + * fips-mode-setup: Avoid 'boot=UUID=' if /boot == / + * Update man pages + * Rebase patches: + - crypto-policies-FIPS.patch + - crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Mon Feb 02 08:34:40 UTC 2024 - Pedro Monreal + +- Update to version 20231108.adb5572b: + * Print matches in syntax deprecation warnings + * Restore support for scoped ssh_etm directives + * fips-mode-setup: Fix usage with --no-bootcfg + * turn ssh_etm into an etm@SSH tri-state + * fips-mode-setup: increase chroot-friendliness + * bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx + * pylintrc: use-implicit-booleaness-not-comparison-to-* + +------------------------------------------------------------------- +Tue Jan 30 18:36:34 UTC 2024 - Dirk Müller + +- avoid the cycle rpm/cmake/crypto-policies/python-rpm-macros: + we only need python3-base here, we don't need the python + macros as no module is being built + +------------------------------------------------------------------- +Thu Oct 5 12:35:57 UTC 2023 - Daniel Garcia + +- Remove dependency on /usr/bin/python3, making scripts to 
depends on + the real python3 binary, not the link. bsc#1212476 + +------------------------------------------------------------------- +Wed Sep 27 10:54:17 UTC 2023 - Pedro Monreal + +- nss: Skip the NSS policy check if the mozilla-nss-tools package + is not installed. This avoids adding more dependencies in ring0. + * Add crypto-policies-nss.patch [bsc#1211301] + +------------------------------------------------------------------- +Fri Sep 22 10:27:53 UTC 2023 - Pedro Monreal + +- Update to version 20230920.570ea89: + * fips-mode-setup: more thorough --disable, still unsupported + * FIPS:OSPP: tighten beyond reason for OSPP 4.3 + * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones + * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS) + * gnutls: prepare for tls-session-hash option coming + * nss: prepare for TLS-REQUIRE-EMS option coming + * NO-ENFORCE-EMS: add subpolicy + * FIPS: set __ems = ENFORCE + * cryptopolicies: add enums and __ems tri-state + * docs: replace `FIPS 140-2` with just `FIPS 140` + * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE + * cryptopolicies: add comments on dunder options + * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check + * BSI: start a BSI TR 02102 policy [jsc#PED-4933] + * Rebase patches: + - crypto-policies-policygenerators.patch + - crypto-policies-revert-rh-allow-sha1-signatures.patch + - crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Sep 15 11:23:06 UTC 2023 - Pedro Monreal + +- Conditionally recommend the crypto-policies-scripts package + when python is not installed in the system [bsc#1215201] + +------------------------------------------------------------------- +Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal + +- Tests: Fix pylint versioning for TW and fix the parsing of the + policygenerators to account for the commented lines correctly. 
+ * Add crypto-policies-pylint.patch + * Rebase crypto-policies-policygenerators.patch + +------------------------------------------------------------------- +Tue Aug 1 12:23:33 UTC 2023 - Pedro Monreal + +- FIPS: Adapt the fips-mode-setup script to use the pbl command + from the perl-Bootloader package to replace grubby. Add a note + for transactional systems [jsc#PED-5041]. + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Jul 14 14:59:06 UTC 2023 - Marcus Meissner + +- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933) + derived from NEXT.pol + +------------------------------------------------------------------- +Thu Jul 13 06:36:20 UTC 2023 - Pedro Monreal + +- Update to version 20230614.5f3458e: + * policies: impose old OpenSSL groups order for all back-ends + * Rebase patches: + - crypto-policies-revert-rh-allow-sha1-signatures.patch + - crypto-policies-supported.patch + +------------------------------------------------------------------- +Thu May 25 11:28:12 UTC 2023 - Pedro Monreal + +- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup + and fips-finish-install commands, add also the man pages. The + required FIPS modules are left to be installed by the user. + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Wed May 24 20:04:20 UTC 2023 - Pedro Monreal + +- Revert a breaking change that introduces the config option + rh-allow-sha1-signatures that is unkown to OpenSSL and fails + on startup. We will consider adding this option to openssl. + * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494 + * Add crypto-policies-revert-rh-allow-sha1-signatures.patch + +------------------------------------------------------------------- +Mon May 8 09:45:45 UTC 2023 - Pedro Monreal + +- Update the update-crypto-policies(8) man pages and README.SUSE + to mention the supported back-end policies. 
[bsc#1209998] + * Add crypto-policies-supported.patch + +------------------------------------------------------------------- +Mon May 08 06:32:49 UTC 2023 - Pedro Monreal + +- Update to version 20230420.3d08ae7: + * openssl, alg_lists: add brainpool support + * openssl: set Groups explicitly + * codespell: ignore aNULL + * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960 + * sequoia: add separate rpm-sequoia backend + * crypto-policies.7: state upfront that FUTURE is not so interoperable + * Makefile: update for asciidoc 10 + * Skip not needed LibreswanGenerator and SequoiaGenerator: + - Add crypto-policies-policygenerators.patch + * Remove crypto-policies-test_supported_modules_only.patch + * Rebase crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Fri Jan 20 09:25:22 UTC 2023 - Pedro Monreal + +- Update to version 20221214.a4c31a3: + * bind: expand the list of disableable algorithms + * libssh: Add support for openssh fido keys + * .gitlab-ci.yml: install krb5-devel for krb5-config + * sequoia: check using sequoia-policy-config-check + * sequoia: introduce new back-end + * Makefile: support overriding asciidoc executable name + * openssh: make none and auto explicit and different + * openssh: autodetect and allow forcing RequiredRSASize presence/name + * openssh: remove _pre_8_5_ssh + * pylintrc: update + * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..." + * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"... 
+ * Makefile: exclude built manpages from codespell + * add openssh HostbasedAcceptedAlgorithms + * openssh: add RSAMinSize option following min_rsa_size + * Revert ".gitlab-ci.yml: skip pylint (bz2069837)" + * docs: add customization recommendation + * tests/java: fix java.security.disableSystemPropertiesFile=true + * policies: add FEDORA38 and TEST-FEDORA39 + * bind: control ED25519/ED448 + * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 + * .gitlab-ci.yml: skip pylint (bz2069837) + * openssh: add support for sntrup761x25519-sha512@openssh.com + * fips-mode-setup: fix one unrelated check to intended state + * fips-mode-setup, fips-finish-install: abandon /etc/system-fips + * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT + * fips-mode-setup: catch more inconsistencies, clarify --check + * fips-mode-setup: improve handling FIPS plus subpolicies + * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3 + * gnutls: enable SHAKE, needed for Ed448 + * gnutls: use allowlisting + * openssl: add newlines at the end of the output + * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-* + * fips-mode-setup, fips-finish-install: call zipl more often + * Add crypto-policies-rpmlintrc file to avoid files-duplicate, + zero-length and non-conffile-in-etc warnings. 
+ * Rebase patches: + - crypto-policies-FIPS.patch + - crypto-policies-no-build-manpages.patch + * Update README.SUSE + +------------------------------------------------------------------- +Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal + +- Remove the scripts and documentation regarding + fips-finish-install and test-fips-setup + * Add crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Fri Sep 24 09:34:03 UTC 2021 - Pedro Monreal + +- Update to version 20210917.c9d86d1: + * openssl: fix disabling ChaCha20 + * pacify pylint 2.11: use format strings + * pacify pylint 2.11: specify explicit encoding + * fix minor things found by new pylint + * update-crypto-policies: --check against regenerated + * update-crypto-policies: fix --check's walking order + * policygenerators/gnutls: revert disabling DTLS0.9... + * policygenerators/java: add javasystem backend + * LEGACY: bump 1023 key size to 1024 + * cryptopolicies: fix 'and' in deprecation warnings + * *ssh: condition ecdh-sha2-nistp384 on SECP384R1 + * nss: hopefully the last fix for nss sigalgs check + * cryptopolicies: Python 3.10 compatibility + * nss: postponing check + testing at least something + * Rename 'policy modules' to 'subpolicies' + * validation.rules: fix a missing word in error + * cryptopolicies: raise errors right after warnings + * update-crypto-policies: capitalize warnings + * cryptopolicies: syntax-precheck scope errors + * .gitlab-ci.yml, Makefile: enable codespell + * all: fix several typos + * docs: don't leave zero TLS/DTLS protocols on + * openssl: separate TLS/DTLS MinProtocol/MaxProtocol + * alg_lists: order protocols new-to-old for consistency + * alg_lists: max_{d,}tls_version + * update-crypto-policies: fix pregenerated + local.d + * openssh: allow validation with pre-8.5 + * .gitlab-ci.yml: run commit-range against upstream + * openssh: Use the new name for PubkeyAcceptedKeyTypes + * sha1_in_dnssec: deprecate + * .gitlab-ci.yml: test commit 
ranges + * FIPS:OSPP: sign = -*-SHA2-224 + * scoped policies: documentation update + * scoped policies: use new features to the fullest... + * scoped policies: rewrite + minimal policy changes + * scoped policies: rewrite preparations + * nss: postponing the version check again, to 3.64 +- Remove patches fixed upstream: crypto-policies-typos.patch +- Rebase: crypto-policies-test_supported_modules_only.patch +- Merge crypto-policies-asciidoc.patch into + crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Thu Feb 25 12:05:39 UTC 2021 - Pedro Monreal + +- Update to version 20210225.05203d2: + * Disable DTLS0.9 protocol in the DEFAULT policy. + * policies/FIPS: insignificant reformatting + * policygenerators/libssh: respect ssh_certs + * policies/modules/OSPP: tighten to follow RHEL 8 + * crypto-policies(7): drop not-reenableable comment + * follow up on disabling RC4 + +------------------------------------------------------------------- +Thu Feb 25 11:59:44 UTC 2021 - Pedro Monreal + +- Remove not needed scripts: fips-finish-install fips-mode-setup + +------------------------------------------------------------------- +Wed Feb 24 16:22:08 UTC 2021 - Pedro Monreal + +- Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938] + * The minimum DTLS protocol version in the DEFAULT and FUTURE + policies is DTLS1.2. 
+ * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e + +------------------------------------------------------------------- +Wed Feb 17 12:36:05 UTC 2021 - Pedro Monreal + +- Update to version 20210213.5c710c0: [bsc#1180938] + * setup_directories(): perform safer creation of directories + * save_config(): avoid re-opening output file for each iteration + * save_config(): break after first match to avoid unnecessary stat() calls + * CryptoPolicy.parse(): actually stop parsing line on syntax error + * ProfileConfig.parse_string(): correctly extended subpolicies + * Exclude RC4 from LEGACY + * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT + * code style: fix 'not in' membership testing + * pylintrc: tighten up a bit + * formatting: avoid long lines + * formatting: use f-strings instead of format() + * formatting: reformat all python code with autopep8 + * nss: postponing the version check again, to 3.61 + * Revert "Unfortunately we have to keep ignoring the openssh check for sk-" + +------------------------------------------------------------------- +Tue Feb 9 10:50:47 UTC 2021 - Dominique Leuenberger + +- Use tar_scm service, not obs_scm: With crypto-policies entering + Ring0 (distro bootstrap) we want to be sure to keep the buildtime + deps as low as possible. +- Add python3-base BuildRequires: previously, OBS' tar service + pulled this in for us. 
+ +------------------------------------------------------------------- +Mon Feb 8 11:45:38 UTC 2021 - Pedro Monreal + +- Add a BuildIgnore for crypto-policies + +------------------------------------------------------------------- +Mon Feb 8 11:22:31 UTC 2021 - Pedro Monreal + +- Use gzip instead of xz in obscpio and sources + +------------------------------------------------------------------- +Fri Feb 5 10:57:46 UTC 2021 - Pedro Monreal + +- Do not build the manpages to avoid build cycles +- Add crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Tue Feb 2 17:38:27 UTC 2021 - Dominique Leuenberger + +- Convert to use a proper git source _service: + + To update, one just needs to update the commit/revision in the + _service file and run `osc service dr`. + + The version of the package is defined by the commit date of the + revision, followed by the abbreviated git hash (The same + revision used before results thus in a downgrade to 20210118, + but as this is a alltime new package, this is acceptable. 
+ +------------------------------------------------------------------- +Tue Feb 2 12:33:19 UTC 2021 - Pedro Monreal + +- Update to git version 20210127 + * Bump Python requirement to 3.6 + * Output sigalgs required by nss >=3.59 + * Do not require bind during build + * Break build cycles with openssl and gnutls + +------------------------------------------------------------------- +Thu Jan 21 14:44:07 UTC 2021 - Pedro Monreal + +- Update to git version 20210118 + * Output sigalgs required by nss >=3.59 + * Bump Python requirement to 3.6 + * Kerberos 5: Fix policy generator to account for macs + * Add AES-192 support (non-TLS scenarios) + * Add documentation of the --check option + +------------------------------------------------------------------- +Thu Jan 21 14:42:13 UTC 2021 - Pedro Monreal + +- Fix the man pages generation +- Add crypto-policies-asciidoc.patch + +------------------------------------------------------------------- +Thu Jan 21 09:56:42 UTC 2021 - Pedro Monreal + +- Test only supported modules +- Add crypto-policies-test_supported_modules_only.patch + +------------------------------------------------------------------- +Tue Dec 22 10:50:36 UTC 2020 - Pedro Monreal + +- Add crypto-policies-typos.patch to fix some typos + +------------------------------------------------------------------- +Thu Nov 12 08:20:19 UTC 2020 - Vítězslav Čížek + +- Initial packaging, git version 20200918 (jsc#SLE-15832) diff --git a/crypto-policies.spec b/crypto-policies.spec new file mode 100644 index 0000000..5a372f8 --- /dev/null +++ b/crypto-policies.spec 
@@ -0,0 +1,296 @@
+#
+# spec file for package crypto-policies
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+# testsuite is disabled by default
+%bcond_with testsuite
+# manbuild is disabled by default
+%bcond_with manbuild
+%global _python_bytecompile_extra 0
+
+Name: crypto-policies
+Version: 20250124.4d262e7
+Release: 0
+Summary: System-wide crypto policies
+License: LGPL-2.1-or-later
+Group: Productivity/Networking/Security
+URL: https://gitlab.com/redhat-crypto/fedora-%{name}
+Source0: fedora-%{name}-%{version}.tar.gz
+Source1: README.SUSE
+Source2: crypto-policies.7.gz
+Source3: update-crypto-policies.8.gz
+Source4: fips-mode-setup.8.gz
+Source5: fips-finish-install.8.gz
+Source6: crypto-policies-rpmlintrc
+%if %{without manbuild}
+#PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
+# To reduce the build dependencies in Ring0, we have to compile the
+# man pages locally (use --with testsuite) and add the built files
+# crypto-policies.7.gz, update-crypto-policies.8.gz, fips-mode-setup.8.gz
+# and fips-finish-install.8.gz as sources.
+Patch1: crypto-policies-no-build-manpages.patch
+%endif
+#PATCH-FIX-OPENSUSE Skip not needed LibreswanGenerator and SequoiaGenerator
+Patch2: crypto-policies-policygenerators.patch
+#PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
+Patch3: crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
+Patch5: crypto-policies-pylint.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
+Patch6: crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
+Patch7: crypto-policies-nss.patch
+#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT
+Patch8: crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
+#PATCH-FIX-OPENSUSE Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
+Patch9: crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
+#PATCH-FIX-OPENSUSE Allow openssl to load when using any policy in FIPS mode [bsc#1243830, bsc#1242233]
+Patch10: crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
+BuildRequires: python3-base >= 3.11
+%if %{with manbuild}
+BuildRequires: asciidoc
+%endif
+%if %{with testsuite}
+# The following packages are needed for the testsuite
+BuildRequires: bind
+BuildRequires: crypto-policies-scripts
+BuildRequires: gnutls
+BuildRequires: java-devel
+BuildRequires: libxslt
+BuildRequires: mozilla-nss-tools
+BuildRequires: openssh-clients
+BuildRequires: openssl
+BuildRequires: python-rpm-macros
+BuildRequires: python3-devel >= 3.11
+BuildRequires: python3-pytest
+BuildRequires: systemd-rpm-macros
+%else
+# Avoid cycle with python-rpm-macros
+#!BuildIgnore: python-rpm-packaging python-rpm-macros
+%endif
+%if 0%{?primary_python:1}
+Recommends: crypto-policies-scripts
+%endif
+Conflicts: gnutls < 3.8.8
+Conflicts: nss < 3.101
+Conflicts: openssh < 9.9p1
+Conflicts: openssl < 3.0.2
+#!BuildIgnore: crypto-policies
+BuildArch: noarch
+
+%description
+This package provides pre-built configuration files with
+cryptographic policies for various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+%package scripts
+Summary: Tool to switch between crypto policies
+Requires: %{name} = %{version}-%{release}
+Recommends: perl-Bootloader
+Provides: fips-mode-setup = %{version}-%{release}
+
+%description scripts
+This package provides a tool update-crypto-policies, which applies
+the policies provided by the crypto-policies package. These can be
+either the pre-built policies from the base package or custom policies
+defined in simple policy definition files.
+
+The package also provides a tool fips-mode-setup, which can be used
+to enable or disable the system FIPS mode.
+
+%prep
+%autosetup -p1 -n fedora-%{name}-%{version}
+
+# Make README.SUSE available for %%doc
+cp -p %{SOURCE1} .
+
+%build
+export OPENSSL_CONF=''
+%make_build
+
+%install
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
+mkdir -p -m 755 %{buildroot}%{_bindir}
+
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+mkdir -p -m 755 %{buildroot}%{_mandir}/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+%if %{without manbuild}
+# Install the manpages from defined sources
+cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
+%endif
+
+# Install the executable scripts
+install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
+install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
+install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
+
+# Drop pre-generated GOST-ONLY and FEDORA policies, we do not need to ship them
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
+
+# Drop libreswan and sequoia config files
+find %{buildroot} -type f -name 'libreswan.*' -print -delete
+find %{buildroot} -type f -name 'sequoia.*' -print -delete
+
+# Drop not needed fips bind mount service
+find %{buildroot} -type f -name 'default-fips-config' -print -delete
+find %{buildroot} -type f -name 'fips-setup-helper' -print -delete
+find %{buildroot} -type f -name 'fips-crypto-policy-overlay*' -print -delete
+
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
+ mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+ for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+ ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+ done
+done
+
+for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
+ ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
+done
+
+# Fix shebang in scripts
+for f in %{buildroot}%{_datadir}/crypto-policies/python/*
+do
+ [ -f $f ] && sed -i "1s@#!.*python.*@#!$(realpath /usr/bin/python3)@" $f
+done
+
+%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
+
+# Install README.SUSE to %%doc
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+
+%check
+%if %{with testsuite}
+export OPENSSL_CONF=''
+%make_build test
+%make_build test-install test-fips-setup || :
+%endif
+
+%post -p 
+if not posix.access("%{_sysconfdir}/crypto-policies/config") then
+ local policy = "DEFAULT"
+ local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
+ if cf then
+ if cf:read() == "1" then
+ policy = "FIPS"
+ end
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ local policypath = "%{_datarootdir}/crypto-policies/"..policy
+ for fn in posix.files(policypath) do
+ if fn ~= "." and fn ~= ".." then
+ local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
+ local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
+ posix.unlink(cfgfn)
+ posix.symlink(policypath.."/"..fn, cfgfn)
+ end
+ end
+end
+
+cfg_path_libreswan = "%{_sysconfdir}/crypto-policies/back-ends/libreswan.config"
+st = posix.stat(cfg_path_libreswan)
+if st and st.type == "link" then
+ posix.unlink(cfg_path_libreswan)
+end
+
+cfg_path_javasystem = "%{_sysconfdir}/crypto-policies/back-ends/javasystem.config"
+st = posix.stat(cfg_path_javasystem)
+if st and st.type == "link" then
+ posix.unlink(cfg_path_javasystem)
+end
+
+%posttrans scripts
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
+
+%files
+%license COPYING.LESSER
+%doc README.md CONTRIBUTING.md
+%doc %{_sysconfdir}/crypto-policies/README.SUSE
+
+%dir %{_sysconfdir}/crypto-policies/
+%dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
+%dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
+%dir %{_datarootdir}/crypto-policies/
+
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
+
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.
+
+%ghost %{_sysconfdir}/crypto-policies/state/current
+%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+%{_mandir}/man7/crypto-policies.7%{?ext_man}
+%{_datarootdir}/crypto-policies/LEGACY
+%{_datarootdir}/crypto-policies/DEFAULT
+%{_datarootdir}/crypto-policies/FUTURE
+%{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/BSI
+%{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
+%{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+
+%files scripts
+%{_bindir}/update-crypto-policies
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
+%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_mandir}/man8/fips-mode-setup.8%{?ext_man}
+%{_mandir}/man8/fips-finish-install.8%{?ext_man}
+%{_datarootdir}/crypto-policies/python
+
+%changelog
diff --git a/fedora-crypto-policies-20230920.570ea89.tar.gz b/fedora-crypto-policies-20230920.570ea89.tar.gz
new file mode 100644
index 0000000..033597b
--- /dev/null
+++ b/fedora-crypto-policies-20230920.570ea89.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5af6d1bf4e8f75e27dbcfb27f83814dd486926b302325e4974a96f0a806892c5
+size 90127
diff --git a/fedora-crypto-policies-20250124.4d262e7.tar.gz b/fedora-crypto-policies-20250124.4d262e7.tar.gz
new file mode 100644
index 0000000..e427784
--- /dev/null
+++ b/fedora-crypto-policies-20250124.4d262e7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:33d72a26ed1543702fc5c8aca8cea0b71667fa2fb9040ed9850480fe3235dfbf
+size 102444
diff --git a/fips-finish-install.8.gz b/fips-finish-install.8.gz
new file mode 100644
index 0000000..a882f5e
--- /dev/null
+++ b/fips-finish-install.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:93e6dcce6491836df86af048bd0e800868e818359ad4749f7441817e5f11891e
+size 949
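Review bot: The `%posttrans scripts` scriptlet sends both stdout and stderr of update-crypto-policies to /dev/null and then masks the exit status with `|| :`, so a failure to regenerate the back-end configs during an upgrade (which would leave stale or partial policy files under /etc/crypto-policies/back-ends) is invisible to the administrator and absent from the transaction log; keep the `|| :` so the transaction still completes, but let diagnostics through: `%{_bindir}/update-crypto-policies --no-check >/dev/null || :`. The `#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT` line for Patch8 is the only patch comment in the header without a bug or feature reference, and since that patch relaxes the DEFAULT policy relative to upstream, a one-line rationale such as `#PATCH-FIX-OPENSUSE Re-enable SHA1 signature verification in DEFAULT for compatibility [bsc#PLACEHOLDER]` would let a future maintainer judge when it can be dropped. The `%post -p` line carries no interpreter argument as rendered here; the body that follows is Lua, so if the `<lua>` token was lost in extraction rather than in the spec itself, it needs to be restored for the scriptlet to run at all. Separately, `%check` runs `%make_build test-install test-fips-setup || :`, so those two FIPS-related test targets can never fail the build even when the testsuite is enabled; if that is deliberate, a comment naming the known-failing target would make it clear it is not an oversight.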
diff --git a/fips-mode-setup.8.gz b/fips-mode-setup.8.gz
new file mode 100644
index 0000000..219903c
--- /dev/null
+++ b/fips-mode-setup.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a9d4ded30f73bf76626f79f507c164a82fac54bed8daa6e9e40d3af46f276a67
+size 1782
diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz
new file mode 100644
index 0000000..adbc707
--- /dev/null
+++ b/update-crypto-policies.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:492615feef5d98e42ca928ddc05114ef7a93df1752afbf5a0db8cf0625071b59
+size 4149
-- 
2.51.1