* Tue May 16 2023 Camilla Conte <cconte@redhat.com> - 23.1.1-5

- 0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch [bz#2187164]
- Resolves: bz#2187164

0001-Add-initial-redhat-changes.patch

@@ -1,7 +1,7 @@
 From c4d66915520554adedff9be7396f877cd1a5525c Mon Sep 17 00:00:00 2001
 From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
 Date: Mon, 6 Mar 2023 16:37:20 +0100
-Subject: [PATCH 1/9] Add initial redhat changes
+Subject: [PATCH 01/10] Add initial redhat changes
 
 Adding minimal set of changes necessary for successful build of the package
 on RHEL/CentOS 9 Stream koji.

0002-Do-not-write-NM_CONTROLLED-no-in-generated-interface.patch

@@ -1,7 +1,7 @@
 From b3b96bff187e9d0bfcbfefd5fca05c61bd50d368 Mon Sep 17 00:00:00 2001
 From: Eduardo Otubo <otubo@redhat.com>
 Date: Fri, 7 May 2021 13:36:06 +0200
-Subject: [PATCH 2/9] Do not write NM_CONTROLLED=no in generated interface
+Subject: [PATCH 02/10] Do not write NM_CONTROLLED=no in generated interface
  config files
 
 Conflicts 20.3:

0003-Setting-highest-autoconnect-priority-for-network-scr.patch

@@ -1,7 +1,8 @@
 From c589da20eb92231ef08e10c9724e3e6c663e6ce2 Mon Sep 17 00:00:00 2001
 From: Eduardo Otubo <otubo@redhat.com>
 Date: Thu, 17 Feb 2022 15:32:35 +0100
-Subject: [PATCH 3/9] Setting highest autoconnect priority for network-scripts
+Subject: [PATCH 03/10] Setting highest autoconnect priority for
+ network-scripts
 
 RH-Author: Eduardo Otubo <otubo@redhat.com>
 RH-MergeRequest: 22: Setting highest autoconnect priority for network-scripts

0004-limit-permissions-on-def_log_file.patch

@@ -1,7 +1,7 @@
 From dfff374f66904e84fb07ca157ba010fac6b5f1de Mon Sep 17 00:00:00 2001
 From: Eduardo Otubo <otubo@redhat.com>
 Date: Fri, 7 May 2021 13:36:08 +0200
-Subject: [PATCH 4/9] limit permissions on def_log_file
+Subject: [PATCH 04/10] limit permissions on def_log_file
 
 This sets a default mode of 0600 on def_log_file, and makes this
 configurable via the def_log_file_mode option in cloud.cfg.

0005-Manual-revert-Use-Network-Manager-and-Netplan-as-def.patch

@@ -1,8 +1,8 @@
 From ecae81f98ce230266eb99671b74534a4ede660f0 Mon Sep 17 00:00:00 2001
 From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
 Date: Fri, 10 Mar 2023 11:51:48 +0100
-Subject: [PATCH 5/9] Manual revert "Use Network-Manager and Netplan as default
- renderers for RHEL and Fedora (#1465)"
+Subject: [PATCH 05/10] Manual revert "Use Network-Manager and Netplan as
+ default renderers for RHEL and Fedora (#1465)"
 
 This reverts changes done in commit 7703aa98b.
 Done by hand because the doc file affected by that commit has changed.

0006-Revert-Add-native-NetworkManager-support-1224.patch

@@ -1,7 +1,7 @@
 From b1dd14ffafad2d2ca84326c525962b2ca086b292 Mon Sep 17 00:00:00 2001
 From: Ani Sinha <anisinha@redhat.com>
 Date: Wed, 22 Mar 2023 16:31:58 +0530
-Subject: [PATCH 6/9] Revert "Add native NetworkManager support (#1224)"
+Subject: [PATCH 06/10] Revert "Add native NetworkManager support (#1224)"
 
 This reverts commit feda344e6cf9d37b09bc13cf333a717d1654c26c.
 

0007-rhel-make-sure-previous-hostname-file-ends-with-a-ne.patch

@@ -1,7 +1,7 @@
 From ac0cf308318d423162ce3b7be32dcbf88f20ff50 Mon Sep 17 00:00:00 2001
 From: Ani Sinha <anisinha@redhat.com>
 Date: Tue, 4 Apr 2023 19:59:07 +0530
-Subject: [PATCH 7/9] rhel: make sure previous-hostname file ends with a new
+Subject: [PATCH 07/10] rhel: make sure previous-hostname file ends with a new
  line (#2108)
 
 cloud-init strips new line from "/etc/hostname" on rhel distro when processing

0008-Don-t-change-permissions-of-netrules-target-2076.patch

@@ -1,7 +1,7 @@
 From 34ef256dc614c7dcf5b04a431d410030e333d82b Mon Sep 17 00:00:00 2001
 From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
 Date: Mon, 17 Apr 2023 10:20:16 +0200
-Subject: [PATCH 8/9] Don't change permissions of netrules target (#2076)
+Subject: [PATCH 08/10] Don't change permissions of netrules target (#2076)
 
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2182948
 

0009-Make-user-vendor-data-sensitive-and-remove-log-permi.patch

@@ -1,7 +1,7 @@
 From d092efe0f437ad149f6d6e3a9f8b816c0f5c1c2a Mon Sep 17 00:00:00 2001
 From: James Falcon <james.falcon@canonical.com>
 Date: Wed, 26 Apr 2023 15:11:55 -0500
-Subject: [PATCH 9/9] Make user/vendor data sensitive and remove log
+Subject: [PATCH 09/10] Make user/vendor data sensitive and remove log
  permissions (#2144)
 
 Because user data and vendor data may contain sensitive information,

0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch

@@ -0,0 +1,209 @@
+From 6bf6ceab79df97eb1c90b4df61f654bc0b2f598c Mon Sep 17 00:00:00 2001
+From: Ani Sinha <anisinha@redhat.com>
+Date: Tue, 2 May 2023 20:35:45 +0530
+Subject: [PATCH 10/10] Do not generate dsa and ed25519 key types when crypto
+ FIPS mode is enabled (#2142)
+
+DSA and ED25519 key types are not supported when FIPS is enabled in crypto.
+Check if FIPS has been enabled on the system and if so, do not generate those
+key types. Presently the check is only available on Linux systems.
+
+LP: 2017761
+RHBZ: 2187164
+
+Signed-off-by: Ani Sinha <anisinha@redhat.com>
+(cherry picked from commit c53f04aeb2acf9526a2ebf3d3320f149ac46caa6)
+---
+ cloudinit/config/cc_ssh.py            | 21 +++++++++++++++-
+ cloudinit/util.py                     | 12 +++++++++
+ tests/unittests/config/test_cc_ssh.py | 36 +++++++++++++++++++++------
+ tests/unittests/test_util.py          | 25 +++++++++++++++++++
+ 4 files changed, 85 insertions(+), 9 deletions(-)
+
+diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
+index 1ec889f3..5578654a 100644
+--- a/cloudinit/config/cc_ssh.py
++++ b/cloudinit/config/cc_ssh.py
+@@ -172,6 +172,8 @@ meta: MetaSchema = {
+ __doc__ = get_meta_doc(meta)
+ 
+ GENERATE_KEY_NAMES = ["rsa", "dsa", "ecdsa", "ed25519"]
++FIPS_UNSUPPORTED_KEY_NAMES = ["dsa", "ed25519"]
++
+ pattern_unsupported_config_keys = re.compile(
+     "^(ecdsa-sk|ed25519-sk)_(private|public|certificate)$"
+ )
+@@ -259,9 +261,26 @@ def handle(
+         genkeys = util.get_cfg_option_list(
+             cfg, "ssh_genkeytypes", GENERATE_KEY_NAMES
+         )
++        # remove keys that are not supported in fips mode if its enabled
++        key_names = (
++            genkeys
++            if not util.fips_enabled()
++            else [
++                names
++                for names in genkeys
++                if names not in FIPS_UNSUPPORTED_KEY_NAMES
++            ]
++        )
++        skipped_keys = set(genkeys).difference(key_names)
++        if skipped_keys:
++            log.debug(
++                "skipping keys that are not supported in fips mode: %s",
++                ",".join(skipped_keys),
++            )
++
+         lang_c = os.environ.copy()
+         lang_c["LANG"] = "C"
+-        for keytype in genkeys:
++        for keytype in key_names:
+             keyfile = KEY_FILE_TPL % (keytype)
+             if os.path.exists(keyfile):
+                 continue
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index 8ba3e2b6..4a8e3d3b 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -1577,6 +1577,18 @@ def get_cmdline():
+     return _get_cmdline()
+ 
+ 
++def fips_enabled() -> bool:
++    fips_proc = "/proc/sys/crypto/fips_enabled"
++    try:
++        contents = load_file(fips_proc).strip()
++        return contents == "1"
++    except (IOError, OSError):
++        # for BSD systems and Linux systems where the proc entry is not
++        # available, we assume FIPS is disabled to retain the old behavior
++        # for now.
++        return False
++
++
+ def pipe_in_out(in_fh, out_fh, chunk_size=1024, chunk_cb=None):
+     bytes_piped = 0
+     while True:
+diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py
+index 66368d0f..72941a95 100644
+--- a/tests/unittests/config/test_cc_ssh.py
++++ b/tests/unittests/config/test_cc_ssh.py
+@@ -101,11 +101,16 @@ class TestHandleSsh:
+             expected_calls = [mock.call(set(keys), user)] + expected_calls
+         assert expected_calls == m_setup_keys.call_args_list
+ 
++    @pytest.mark.parametrize("fips_enabled", (True, False))
+     @mock.patch(MODPATH + "glob.glob")
+     @mock.patch(MODPATH + "ug_util.normalize_users_groups")
+     @mock.patch(MODPATH + "os.path.exists")
+-    def test_handle_no_cfg(self, m_path_exists, m_nug, m_glob, m_setup_keys):
++    @mock.patch(MODPATH + "util.fips_enabled")
++    def test_handle_no_cfg(
++        self, m_fips, m_path_exists, m_nug, m_glob, m_setup_keys, fips_enabled
++    ):
+         """Test handle with no config ignores generating existing keyfiles."""
++        m_fips.return_value = fips_enabled
+         cfg = {}
+         keys = ["key1"]
+         m_glob.return_value = []  # Return no matching keys to prevent removal
+@@ -118,12 +123,22 @@ class TestHandleSsh:
+         options = ssh_util.DISABLE_USER_OPTS.replace("$USER", "NONE")
+         options = options.replace("$DISABLE_USER", "root")
+         m_glob.assert_called_once_with("/etc/ssh/ssh_host_*key*")
+-        assert [
+-            mock.call("/etc/ssh/ssh_host_rsa_key"),
+-            mock.call("/etc/ssh/ssh_host_dsa_key"),
+-            mock.call("/etc/ssh/ssh_host_ecdsa_key"),
+-            mock.call("/etc/ssh/ssh_host_ed25519_key"),
+-        ] in m_path_exists.call_args_list
++        m_fips.assert_called_once()
++
++        if not m_fips():
++            expected_calls = [
++                mock.call("/etc/ssh/ssh_host_rsa_key"),
++                mock.call("/etc/ssh/ssh_host_dsa_key"),
++                mock.call("/etc/ssh/ssh_host_ecdsa_key"),
++                mock.call("/etc/ssh/ssh_host_ed25519_key"),
++            ]
++        else:
++            # Enabled fips doesn't generate dsa or ed25519
++            expected_calls = [
++                mock.call("/etc/ssh/ssh_host_rsa_key"),
++                mock.call("/etc/ssh/ssh_host_ecdsa_key"),
++            ]
++        assert expected_calls in m_path_exists.call_args_list
+         assert [
+             mock.call(set(keys), "root", options=options)
+         ] == m_setup_keys.call_args_list
+@@ -131,8 +146,9 @@ class TestHandleSsh:
+     @mock.patch(MODPATH + "glob.glob")
+     @mock.patch(MODPATH + "ug_util.normalize_users_groups")
+     @mock.patch(MODPATH + "os.path.exists")
++    @mock.patch(MODPATH + "util.fips_enabled", return_value=False)
+     def test_dont_allow_public_ssh_keys(
+-        self, m_path_exists, m_nug, m_glob, m_setup_keys
++        self, m_fips, m_path_exists, m_nug, m_glob, m_setup_keys
+     ):
+         """Test allow_public_ssh_keys=False ignores ssh public keys from
+         platform.
+@@ -176,8 +192,10 @@ class TestHandleSsh:
+     @mock.patch(MODPATH + "glob.glob")
+     @mock.patch(MODPATH + "ug_util.normalize_users_groups")
+     @mock.patch(MODPATH + "os.path.exists")
++    @mock.patch(MODPATH + "util.fips_enabled", return_value=False)
+     def test_handle_default_root(
+         self,
++        m_fips,
+         m_path_exists,
+         m_nug,
+         m_glob,
+@@ -241,8 +259,10 @@ class TestHandleSsh:
+     @mock.patch(MODPATH + "glob.glob")
+     @mock.patch(MODPATH + "ug_util.normalize_users_groups")
+     @mock.patch(MODPATH + "os.path.exists")
++    @mock.patch(MODPATH + "util.fips_enabled", return_value=False)
+     def test_handle_publish_hostkeys(
+         self,
++        m_fips,
+         m_path_exists,
+         m_nug,
+         m_glob,
+diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py
+index 07142a86..17182d06 100644
+--- a/tests/unittests/test_util.py
++++ b/tests/unittests/test_util.py
+@@ -1945,6 +1945,31 @@ class TestGetCmdline(helpers.TestCase):
+         self.assertEqual("abcd 123", ret)
+ 
+ 
++class TestFipsEnabled:
++    @pytest.mark.parametrize(
++        "fips_enabled_content,expected",
++        (
++            pytest.param(None, False, id="false_when_no_fips_enabled_file"),
++            pytest.param("0\n", False, id="false_when_fips_disabled"),
++            pytest.param("1\n", True, id="true_when_fips_enabled"),
++            pytest.param("1", True, id="true_when_fips_enabled_no_newline"),
++        ),
++    )
++    @mock.patch(M_PATH + "load_file")
++    def test_fips_enabled_based_on_proc_crypto(
++        self, load_file, fips_enabled_content, expected, tmpdir
++    ):
++        def fake_load_file(path):
++            assert path == "/proc/sys/crypto/fips_enabled"
++            if fips_enabled_content is None:
++                raise IOError("No file exists Bob")
++            return fips_enabled_content
++
++        load_file.side_effect = fake_load_file
++
++        assert expected is util.fips_enabled()
++
++
+ class TestLoadYaml(helpers.CiTestCase):
+     mydefault = "7b03a8ebace993d806255121073fed52"
+     with_logs = True
+-- 
+2.40.0
+

cloud-init.spec

@@ -1,6 +1,6 @@
 Name:           cloud-init
 Version:        23.1.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Cloud instance init scripts
 License:        ASL 2.0 or GPLv3
 URL:            http://launchpad.net/cloud-init
@@ -17,6 +17,7 @@ Patch6: 0006-Revert-Add-native-NetworkManager-support-1224.patch
 Patch7: 0007-rhel-make-sure-previous-hostname-file-ends-with-a-ne.patch
 Patch8: 0008-Don-t-change-permissions-of-netrules-target-2076.patch
 Patch9: 0009-Make-user-vendor-data-sensitive-and-remove-log-permi.patch
+Patch10: 0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch
 
 BuildArch:      noarch
 
@@ -206,6 +207,10 @@ fi
 %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
 
 %changelog
+* Tue May 16 2023 Camilla Conte <cconte@redhat.com> - 23.1.1-5
+- 0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch [bz#2187164]
+- Resolves: bz#2187164
+
 * Fri May 05 2023 Camilla Conte <cconte@redhat.com> - 23.1.1-4
 - 0009-Make-user-vendor-data-sensitive-and-remove-log-permi.patch [bz#2190083]
 - Resolves: bz#2190083