Commit Graph

43 Commits

Author SHA1 Message Date
Stanislav Zidek
239b465421 CI plan for RHIVOS 2024-11-22 13:50:27 +01:00
Alexander Sosedkin
cff876574a Version bump to rebuild
Related: RHEL-39026
2024-09-17 17:51:00 +02:00
Alexander Sosedkin
437f82a1f5 Update from upstream (small Argon2 detection fix)
- fips-mode-setup: small Argon2 detection fix

Resolves: RHEL-39026
2024-09-05 10:19:00 +02:00
Alexander Sosedkin
9e958f02bd Update from upstream (fips-mode-setup and Argon2)
- fips-mode-setup: block if LUKS devices using Argon2 are detected

Resolves: RHEL-39026
2024-08-22 12:35:03 +02:00
Alexander Sosedkin
e0a6d022c7 Update from upstream (java, warnings, ...)
- java: start controlling / disable DTLSv1.0
- java: disable anon ciphersuites, tying them to NULL
- java: respect more key size restrictions
- java: specify jdk.tls.namedGroups system property
- java: make hash, mac and sign more orthogonal
- fips-mode-setup: add another scary "unsupported"
- fips-mode-setup: flashy ticking warning upon use
- java: use and include jdk.disabled.namedCurves
- ec_min_size: introduce and use in java, default to 256
- java: stop specifying jdk.tls.namedGroups in javasystem
- fips-setup-helper: add a libexec helper for anaconda
- fips-mode-setup: force --no-bootcfg when UKI is detected

Resolves: RHEL-36450
Resolves: RHEL-45618
Resolves: RHEL-45620
Resolves: RHEL-48590
2024-08-15 10:54:35 +02:00
Alexander Sosedkin
ad330f5b47 Update from upstream (de-perl, stop linting)
- packaging: remove perl build-dependency, it's not needed anymore
- packaging: use newly introduced SKIP_LINTING=1
- packaging: drop stale workarounds

Resolves: RHEL-27850
2024-03-04 14:49:21 +01:00
Alexander Sosedkin
a950d9ca32 Update from upstream (ostree, java chacha20)
- fips-finish-install: make sure ostree is detected in chroot
- fips-mode-setup: make sure ostree is detected in chroot
- fips-finish-install: Create/remove /etc/system-fips on ostree systems
- java: disable ChaCha20-Poly1305 where applicable

Resolves: RHEL-23494
Resolves: RHEL-18435
2024-02-02 17:39:13 +01:00
Alexander Sosedkin
5008c31677 Build only on %java_arches: limit to RHEL-10+ / ELN 2024-02-01 18:30:57 +01:00
Yaakov Selkowitz
6d56296060 Build only on %java_arches
While the resulting RPM is noarch, this package uses java-devel for
testing purposes, and therefore can only be built on java-enabled arches.
This prevents the build from landing on an i686 builder and failing.
2023-12-14 12:11:49 -05:00
Clemens Lang
f92ae4b1f8 Update from upstream (fips-mode-setup /boot == /, empty /boot)
- fips-mode-setup: Fix test for empty /boot (RHEL-11350)
- fips-mode-setup: Avoid 'boot=UUID=' if /boot == / (RHEL-11350)

Resolves: RHEL-11350
2023-11-13 13:05:37 +01:00
Clemens Lang
7480c1a366 Update from upstream (scoped ssh_etm, deprecation warnings)
- Restore support for scoped ssh_etm directives (RHEL-15925)
- Print matches in syntax deprecation warnings (RHEL-15925)

Resolves: RHEL-15925
2023-11-09 12:46:16 +01:00
Clemens Lang
dc98745bf2 Update from upstream (chroot fips-mode-setup, etm@SSH)
- turn ssh_etm into an etm@SSH tri-state (RHEL-15925)
- fips-mode-setup: increase chroot-friendliness (RHEL-11350)
- fips-mode-setup: Fix usage with --no-bootcfg (RHEL-11350)

Resolves: RHEL-11350
Resolves: RHEL-15925
2023-11-08 10:09:15 +01:00
Alexander Sosedkin
410783a906 Update from upstream (:SHA1:NO-ENFORCE-EMS, ECDSAPxxxSHAxxx):
- openssl: fix SHA1 and NO-ENFORCE-EMS interaction
- bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx

Resolves: RHEL-10730
Resolves: RHEL-11346
Resolves: RHEL-11349
2023-10-16 11:19:59 +02:00
Alexander Sosedkin
a8018c1657 Update from upstream (OSPP, --disable):
- OSPP subpolicy: tighten beyond reason for OSPP 4.3
- fips-mode-setup: more thorough --disable, still unsupported

Resolves: RHEL-2735
Resolves: RHEL-3227
2023-09-20 18:58:00 +02:00
Yaakov Selkowitz
da28b9c5ae Build with default java
Java is used only during the tests.

Resolves: bz2231109
2023-08-10 11:09:01 -04:00
Alexander Sosedkin
97f868f515 Update from upstream (krb5 reorder, EMS...):
- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
- FIPS: enforce EMS in FIPS mode
- NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode
- nss: implement EMS enforcement in FIPS mode (disabled in ELN)
- openssl: implement EMS enforcement in FIPS mode
- gnutls: implement EMS enforcement in FIPS mode (disabled in ELN)
- docs: replace `FIPS 140-2` with just `FIPS 140`

Resolves: bz2225222
Resolves: bz2222734
Resolves: bz2216257
2023-07-31 15:36:25 +02:00
Alexander Sosedkin
5f8e3a70f8 Update from upstream (group order):
- policies: restore group order to old OpenSSL default order

Resolves: RHEL-591
2023-06-14 17:09:40 +02:00
Alexander Sosedkin
2b21b5d600 Update from upstream (openssl Groups and Brainpool curves):
- openssl: specify Groups explicitly
- openssl: add support for Brainpool curves

Resolves: bz2193324
2023-05-05 11:51:46 +02:00
Alexander Sosedkin
681b7d48a9 Update from upstream (new bind algorithms):
- bind: expand the list of disableable algorithms

Resolves: bz2152635
2022-12-15 10:31:48 +01:00
Alexander Sosedkin
a56329e5d8 Update from upstream (RequiredRSASize):
- openssh: rename RSAMinSize option to RequiredRSASize

Resolves: bz2129036
2022-10-03 17:24:09 +02:00
Alexander Sosedkin
a9d73e9782 Update from upstream (RSAMinSize):
- openssh: add RSAMinSize option following min_rsa_size

Resolves: bz2102774
2022-08-15 11:39:21 +02:00
Alexander Sosedkin
a4f00ed857 Update from upstream (bind ED25519/ED448):
- bind: control ED25519/ED448

Resolves: bz2077889
2022-04-27 11:42:38 +02:00
Alexander Sosedkin
9ee1288970 Update from upstream (DNSSEC, SNTRUP):
- DEFAULT: drop DNSSEC SHA-1 exception
- openssh: add support for sntrup761x25519-sha512@openssh.com

Resolves: bz2070230
Resolves: bz2070604
2022-04-04 15:05:56 +02:00
Alexander Sosedkin
8fed911d53 Update from upstream (AD-SUPPORT, rh-allow-sha1-signatures, ...):
- openssl: allow SHA-1 signatures with rh-allow-sha1-signatures in LEGACY
- update AD-SUPPORT, move RC4 enctype enabling to AD-SUPPORT-LEGACY
- fips-mode-setup: catch more inconsistencies, clarify --check

Resolves: bz2055796
Resolves: bz2056676
2022-02-23 17:49:50 +01:00
Alexander Sosedkin
e69bea495b Update from upstream (SHAKE, FIPS changes):
- gnutls: enable SHAKE, needed for Ed448
- fips-mode-setup: improve handling FIPS plus subpolicies
- FIPS: disable SHA-1 HMAC
- FIPS: disable CBC ciphers except in Kerberos

Resolves: bz2005021
Resolves: bz2026657
Resolves: bz2006843
Resolves: bz2006844
2022-02-03 18:49:41 +01:00
Alexander Sosedkin
b0d95fe7a8 Update from upstream (SECLEVEL=2@LEGACY, whitespace):
- openssl: revert to SECLEVEL=2 in LEGACY
- openssl: add newlines at the end of the output

Resolves: bz2035249
2022-02-01 18:05:39 +01:00
Alexander Sosedkin
80e3dac1e0 Update from upstream (OSPP, zipl):
- OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
- fips-mode-setup, fips-finish-install: call zipl more often (s390x-specific)

Resolves: bz2013195
2021-11-15 21:02:45 +01:00
Alexander Sosedkin
9d96f6f88f Update from upstream: openssl Chacha20, pylint 2.11
- openssl: fix disabling ChaCha20
- update for pylint 2.11

Resolves: bz2004207
2021-09-22 20:32:29 +02:00
Alexander Sosedkin
791a1cbfff Fix release number
Related: bz1994097
2021-09-14 15:53:52 +02:00
Alexander Sosedkin
9699a7bbb8 Update from upstream: reorder gnutls sigalgs, fix --check
- gnutls: reorder ECDSA-SECPMMMR1-SHANNN together with ECDSA-SHANNN
- fix several issues with update-crypto-policies --check

Resolves: bz1994097
2021-09-14 15:46:26 +02:00
Mohan Boddu
747e788f75 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 19:43:44 +00:00
Aleksandra Fedorova
132f4bc0f9 Add RHEL gating configuration 2021-07-15 02:43:40 +02:00
Alexander Sosedkin
5466f912c0 Update from upstream: gnutls sigalgs, check
- gnutls: explicitly enable ECDSA-SECPNNNR1-SHANNN
- packaging: adapt to the RHEL-9 %check-time testing tools availability

Resolves: bz1979200, bz1978841
2021-07-07 15:59:15 +02:00
Alexander Sosedkin
7c076748f3 Update from upstream: scoped policies, gnutls allowlisting, ...
implement scoped policies, e.g., cipher@SSH = ...
implement algorithm globbing, e.g., cipher@SSH = -*-CBC
deprecate derived properties:
tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
deprecate unscoped form of protocol property
openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
libssh: respect ssh_certs
restrict FIPS:OSPP further
improve Python 3.10 compatibility
update documentation
expand upstream test coverage
FUTURE: disable CBC ciphers for all backends but krb5
openssl: LEGACY must have SECLEVEL=1, enabling SHA1
disable DHE-DSS in LEGACY
bump LEGACY key size requirements from 1023 to 1024
add javasystem backend
*ssh: condition ecdh-sha2-nistp384 on SECP384R1
set %verify(not mode) for backend sometimes-symlinks-sometimes-not
gnutls: use allowlisting

Resolves: bz1975854
2021-06-28 20:23:25 +02:00
Mohan Boddu
bd79a31b29 Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-06-22 18:36:55 +00:00
Mohan Boddu
cd51490202 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-15 22:59:38 +00:00
Alexander Sosedkin
b15b23030d Tighten policies for RHEL-9 2021-02-18 18:38:39 +01:00
DistroBaker
705dc9cc64 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#b596eb5600a9e299c0fb3d00b1f65993be10bc0a
2021-02-13 13:15:21 +00:00
DistroBaker
cfac1122f9 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#37a4fa3b51dd14d8dbaf31fab953ef3e0ffd35da
2021-01-27 15:45:17 +00:00
DistroBaker
7a413d9e46 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#479d7e8c91bce7f65f4e8afce1f1988b81736eb6
2021-01-27 15:33:14 +00:00
DistroBaker
2f238bbfb1 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#22c6077e4ea098bceea92dd8c92b8ce9ff753d8c
2021-01-18 19:06:23 +00:00
Petr Šabata
a435c5ea66 RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/crypto-policies#396bae93ee31b0a1d828f834fcdd82e0706ffddc
2020-10-14 23:21:50 +02:00
Release Configuration Management
a765b647db New branch setup 2020-10-08 11:32:30 +00:00