Commit Graph

55 Commits

Author SHA1 Message Date
Alexander Sosedkin
062becbace Update from upstream (TLS 1.3 Brainpool)
- openssl: add TLS 1.3 Brainpool identifiers

Resolves: RHEL-69296
Resolves: RHEL-69445
2024-11-28 15:09:00 +01:00
Alexander Sosedkin
498a7e7a54 Update from upstream (re-wire mlkem768x25519-sha256, ...)
- alg_lists: mark MLKEM768 kex experimental
- openssh, libssh: refactor kx maps to use tuples
- openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256
- update-crypto-policies: skip warning on --set=FIPS if bootc
- update-crypto-policies: don't output FIPS warning in fips mode

Resolves: RHEL-48590
Resolves: RHEL-67398
2024-11-27 09:46:44 +01:00
Clemens Lang
67e22dbc37 Update from upstream (fips-mode-setup: Remove)
- fips-mode-setup: Remove

Resolves: RHEL-65652
Resolves: CRYPTO-14305
2024-11-06 17:56:02 +01:00
Alexander Sosedkin
bb96d210ce Update from upstream (gnutls and nss PQ hybrid groups)
- gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768
- nss: add mlkem768x25519 and mlkem768secp256r1

Resolves: RHEL-66149
Resolves: RHEL-66146
2024-11-06 15:23:13 +01:00
Alexander Sosedkin
382dcb0a5e Update from upstream (gnutls allow-rsa-pkcs1-encrypt)
- gnutls: `allow-rsa-pkcs1-encrypt = false` everywhere but in LEGACY

Resolves: RHEL-64746
2024-11-05 13:26:22 +01:00
Alexander Sosedkin
f13f957ea5 Update from upstream (oqs names)
- openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768

Resolves: RHEL-65585
2024-11-05 11:46:09 +01:00
Troy Dawson
6a9514b7a3 Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
2024-10-29 08:19:54 -07:00
Alexander Sosedkin
0d2c5f18dc Update from upstream (mlkem768x25519-sha256)
- TEST-PQ, openssh: add support for mlkem768x25519-sha256 key_exchange
- openssh: remove sntrup761x25519-sha512@openssh.com key_exchange

Resolves: RHEL-63068
2024-10-21 13:34:08 +02:00
Ondrej Moris
b07a7fd1ef Add RHEL-10 CI and gating configuration 2024-10-15 17:11:44 +02:00
Alexander Sosedkin
db441e40e1 Update from upstream (TEST-PQ, nss pkcs12/smime, ...)
- reintroduce TEST-PQ (ML-DSA/ML-KEM) in a crypto-policies-pq-preview subpackage
- LEGACY: enable 192-bit ciphers for nss pkcs12/smime
- LEGACY: drop cipher@pkcs12 = SEED-CBC
- fips-mode-setup: tolerate fips dracut module presence w/o FIPS
- nss: be stricter with new purposes

Resolves: RHEL-58241
Resolves: RHEL-59104
Resolves: RHEL-59625
Resolves: RHEL-61275
2024-10-11 08:45:39 +02:00
Alexander Sosedkin
0e572a2e61 Update from upstream (small Argon2 detection fix)
- fips-mode-setup: small Argon2 detection fix

Related: RHEL-39026
2024-09-05 10:14:18 +02:00
Alexander Sosedkin
bf685c8189 Update from upstream (fips-mode-setup & Argon2)
- fips-mode-setup: block if LUKS devices using Argon2 are detected

Related: RHEL-39026
2024-08-22 12:33:04 +02:00
Alexander Sosedkin
ef8e09a7e4 Update from upstream (fips-crypto-policy-overlay, ...)
- fips-crypto-policy-overlay: a unit to automount FIPS policy when fips=1
- fips-setup-helper: add a libexec helper for anaconda
- fips-mode-setup: force --no-bootcfg when UKI is detected

Related: CRYPTO-14303
Related: RHEL-36450
2024-08-08 18:52:29 +02:00
Alexander Sosedkin
401c4827c4 Update from upstream (nss 3.101)
- nss: rewrite backend for nss 3.101

Resolves: RHEL-50655
2024-08-05 13:58:49 +02:00
Alexander Sosedkin
410734bda5 Update from upstream (java, RSA in DEFAULT, SHA1 in LEGACY...)
- nss: wire KYBER768 to XYBER768D00
- java: start controlling / disable DTLSv1.0
- java: disable anon ciphersuites, tying them to NULL
- java: respect more key size restrictions
- java: specify jdk.tls.namedGroups system property
- java: make hash, mac and sign more orthogonal
- fips-mode-setup: add another scary "unsupported"
- fips-mode-setup: flashy ticking warning upon use
- java: use and include jdk.disabled.namedCurves
- ec_min_size: introduce and use in java, default to 256
- java: stop specifying jdk.tls.namedGroups in javasystem
- java: drop unused javasystem backend
- openssh: make dss no longer enableble, support is dropped
- LEGACY: disable sign = *-SHA1
- DEFAULT: disable RSA key exchange
- nss: TLS-REQUIRE-EMS in FIPS

Resolves: RHEL-36300
Resolves: RHEL-50106
Resolves: RHEL-50464
Related: RHEL-18442
Related: RHEL-28848
Related: RHEL-45618
Related: RHEL-45620
Related: RHEL-5206
2024-07-26 11:38:30 +02:00
Troy Dawson
7a25b6676a Bump release for June 2024 mass rebuild 2024-06-24 08:39:33 -07:00
Alexander Sosedkin
79781382b2 Switch upstream to rhel10 branch
- Switch to a version based on Fedora 41 crypto-policies
  (20240521-1.gitf71d135.fc41),
  and replace the changelog with Fedora changelog
- Shape up RHEL-10: remove GOST-ONLY policy and GOST subpolicy
- Shape up RHEL-10: remove NEXT policy
- Shape up RHEL-10: remove BSI policy
- Shape up RHEL-10: remove TEST-FEDORA41 policy
- Shape up RHEL-10: remove NO-SHA1 subpolicy
- Shape up RHEL-10: remove SHA1 subpolicy
- Shape up RHEL-10: remove TEST-PQ policy
- Shape up RHEL-10: disable CAMELLIA in all policies...
- Shape up RHEL-10: drop FFDHE-1024 from LEGACY
- Shape up RHEL-10: DEFAULT: remove Fedora-only DSA-SHA1 RPM enablement
- Shape up RHEL-10: remove Fedora-specific __openssl_block_sha1_signatures...
- Shape up RHEL-10: disable 3DES in LEGACY
- Shape up RHEL-10: disable DSA
- Shape up RHEL-10: mark LEGACY as 80-bit security (@tomato42)
- Shape up RHEL-10: require TLSv1.2/DTLSv1.2 in all policies
- Shape up RHEL-10: requre 2048 bit params in LEGACY
- Shape up RHEL-10: FUTURE: disable CBC ciphers for all but krb5
- Shape up RHEL-10: disable DHE-DSS even in LEGACY
- Shape up RHEL-10: gnutls: explicit ECDSA-SECPNNNR1-SHANNN + reorder
- Shape up RHEL-10: openssh: disable DHE-FFDHE-1024-SHA1 server config hack
- Shape up RHEL-10: FIPS: disable SHA-1 HMAC in FIPS policy
- Shape up RHEL-10: FIPS: disable CBC ciphers except in Kerberos
- Shape up RHEL-10: policies/modules: update AD-SUPPORT away from RC4/MD5
- Shape up RHEL-10: drop DNSSEC SHA-1 exception from DEFAULT
2024-05-21 20:09:03 +02:00
Alexander Sosedkin
ad330f5b47 Update from upstream (de-perl, stop linting)
- packaging: remove perl build-dependency, it's not needed anymore
- packaging: use newly introduced SKIP_LINTING=1
- packaging: drop stale workarounds

Resolves: RHEL-27850
2024-03-04 14:49:21 +01:00
Alexander Sosedkin
a950d9ca32 Update from upstream (ostree, java chacha20)
- fips-finish-install: make sure ostree is detected in chroot
- fips-mode-setup: make sure ostree is detected in chroot
- fips-finish-install: Create/remove /etc/system-fips on ostree systems
- java: disable ChaCha20-Poly1305 where applicable

Resolves: RHEL-23494
Resolves: RHEL-18435
2024-02-02 17:39:13 +01:00
Alexander Sosedkin
5008c31677 Build only on %java_arches: limit to RHEL-10+ / ELN 2024-02-01 18:30:57 +01:00
Yaakov Selkowitz
6d56296060 Build only on %java_arches
While the resulting RPM is noarch, this package uses java-devel for
testing purposes, and therefore can only be built on java-enabled arches.
This prevents the build from landing on an i686 builder and failing.
2023-12-14 12:11:49 -05:00
Clemens Lang
f92ae4b1f8 Update from upstream (fips-mode-setup /boot == /, empty /boot)
- fips-mode-setup: Fix test for empty /boot (RHEL-11350)
- fips-mode-setup: Avoid 'boot=UUID=' if /boot == / (RHEL-11350)

Resolves: RHEL-11350
2023-11-13 13:05:37 +01:00
Clemens Lang
7480c1a366 Update from upstream (scoped ssh_etm, deprecation warnings)
- Restore support for scoped ssh_etm directives (RHEL-15925)
- Print matches in syntax deprecation warnings (RHEL-15925)

Resolves: RHEL-15925
2023-11-09 12:46:16 +01:00
Clemens Lang
dc98745bf2 Update from upstream (chroot fips-mode-setup, etm@SSH)
- turn ssh_etm into an etm@SSH tri-state (RHEL-15925)
- fips-mode-setup: increase chroot-friendliness (RHEL-11350)
- fips-mode-setup: Fix usage with --no-bootcfg (RHEL-11350)

Resolves: RHEL-11350
Resolves: RHEL-15925
2023-11-08 10:09:15 +01:00
Alexander Sosedkin
410783a906 Update from upstream (:SHA1:NO-ENFORCE-EMS, ECDSAPxxxSHAxxx):
- openssl: fix SHA1 and NO-ENFORCE-EMS interaction
- bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx

Resolves: RHEL-10730
Resolves: RHEL-11346
Resolves: RHEL-11349
2023-10-16 11:19:59 +02:00
Alexander Sosedkin
a8018c1657 Update from upstream (OSPP, --disable):
- OSPP subpolicy: tighten beyond reason for OSPP 4.3
- fips-mode-setup: more thorough --disable, still unsupported

Resolves: RHEL-2735
Resolves: RHEL-3227
2023-09-20 18:58:00 +02:00
Yaakov Selkowitz
da28b9c5ae Build with default java
Java is used only during the tests.

Resolves: bz2231109
2023-08-10 11:09:01 -04:00
Alexander Sosedkin
97f868f515 Update from upstream (krb5 reorder, EMS...):
- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
- FIPS: enforce EMS in FIPS mode
- NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode
- nss: implement EMS enforcement in FIPS mode (disabled in ELN)
- openssl: implement EMS enforcement in FIPS mode
- gnutls: implement EMS enforcement in FIPS mode (disabled in ELN)
- docs: replace `FIPS 140-2` with just `FIPS 140`

Resolves: bz2225222
Resolves: bz2222734
Resolves: bz2216257
2023-07-31 15:36:25 +02:00
Alexander Sosedkin
5f8e3a70f8 Update from upstream (group order):
- policies: restore group order to old OpenSSL default order

Resolves: RHEL-591
2023-06-14 17:09:40 +02:00
Alexander Sosedkin
2b21b5d600 Update from upstream (openssl Groups and Brainpool curves):
- openssl: specify Groups explicitly
- openssl: add support for Brainpool curves

Resolves: bz2193324
2023-05-05 11:51:46 +02:00
Alexander Sosedkin
681b7d48a9 Update from upstream (new bind algorithms):
- bind: expand the list of disableable algorithms

Resolves: bz2152635
2022-12-15 10:31:48 +01:00
Alexander Sosedkin
a56329e5d8 Update from upstream (RequiredRSASize):
- openssh: rename RSAMinSize option to RequiredRSASize

Resolves: bz2129036
2022-10-03 17:24:09 +02:00
Alexander Sosedkin
a9d73e9782 Update from upstream (RSAMinSize):
- openssh: add RSAMinSize option following min_rsa_size

Resolves: bz2102774
2022-08-15 11:39:21 +02:00
Alexander Sosedkin
a4f00ed857 Update from upstream (bind ED25519/ED448):
- bind: control ED25519/ED448

Resolves: bz2077889
2022-04-27 11:42:38 +02:00
Alexander Sosedkin
9ee1288970 Update from upstream (DNSSEC, SNTRUP):
- DEFAULT: drop DNSSEC SHA-1 exception
- openssh: add support for sntrup761x25519-sha512@openssh.com

Resolves: bz2070230
Resolves: bz2070604
2022-04-04 15:05:56 +02:00
Alexander Sosedkin
8fed911d53 Update from upstream (AD-SUPPORT, rh-allow-sha1-signatures, ...):
- openssl: allow SHA-1 signatures with rh-allow-sha1-signatures in LEGACY
- update AD-SUPPORT, move RC4 enctype enabling to AD-SUPPORT-LEGACY
- fips-mode-setup: catch more inconsistencies, clarify --check

Resolves: bz2055796
Resolves: bz2056676
2022-02-23 17:49:50 +01:00
Alexander Sosedkin
e69bea495b Update from upstream (SHAKE, FIPS changes):
- gnutls: enable SHAKE, needed for Ed448
- fips-mode-setup: improve handling FIPS plus subpolicies
- FIPS: disable SHA-1 HMAC
- FIPS: disable CBC ciphers except in Kerberos

Resolves: bz2005021
Resolves: bz2026657
Resolves: bz2006843
Resolves: bz2006844
2022-02-03 18:49:41 +01:00
Alexander Sosedkin
b0d95fe7a8 Update from upstream (SECLEVEL=2@LEGACY, whitespace):
- openssl: revert to SECLEVEL=2 in LEGACY
- openssl: add newlines at the end of the output

Resolves: bz2035249
2022-02-01 18:05:39 +01:00
Alexander Sosedkin
80e3dac1e0 Update from upstream (OSPP, zipl):
- OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
- fips-mode-setup, fips-finish-install: call zipl more often (s390x-specific)

Resolves: bz2013195
2021-11-15 21:02:45 +01:00
Alexander Sosedkin
9d96f6f88f Update from upstream: openssl Chacha20, pylint 2.11
- openssl: fix disabling ChaCha20
- update for pylint 2.11

Resolves: bz2004207
2021-09-22 20:32:29 +02:00
Alexander Sosedkin
791a1cbfff Fix release number
Related: bz1994097
2021-09-14 15:53:52 +02:00
Alexander Sosedkin
9699a7bbb8 Update from upstream: reorder gnutls sigalgs, fix --check
- gnutls: reorder ECDSA-SECPMMMR1-SHANNN together with ECDSA-SHANNN
- fix several issues with update-crypto-policies --check

Resolves: bz1994097
2021-09-14 15:46:26 +02:00
Mohan Boddu
747e788f75 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 19:43:44 +00:00
Aleksandra Fedorova
132f4bc0f9 Add RHEL gating configuration 2021-07-15 02:43:40 +02:00
Alexander Sosedkin
5466f912c0 Update from upstream: gnutls sigalgs, check
- gnutls: explicitly enable ECDSA-SECPNNNR1-SHANNN
- packaging: adapt to the RHEL-9 %check-time testing tools availability

Resolves: bz1979200, bz1978841
2021-07-07 15:59:15 +02:00
Alexander Sosedkin
7c076748f3 Update from upstream: scoped policies, gnutls allowlisting, ...
implement scoped policies, e.g., cipher@SSH = ...
implement algorithm globbing, e.g., cipher@SSH = -*-CBC
deprecate derived properties:
tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
deprecate unscoped form of protocol property
openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
libssh: respect ssh_certs
restrict FIPS:OSPP further
improve Python 3.10 compatibility
update documentation
expand upstream test coverage
FUTURE: disable CBC ciphers for all backends but krb5
openssl: LEGACY must have SECLEVEL=1, enabling SHA1
disable DHE-DSS in LEGACY
bump LEGACY key size requirements from 1023 to 1024
add javasystem backend
*ssh: condition ecdh-sha2-nistp384 on SECP384R1
set %verify(not mode) for backend sometimes-symlinks-sometimes-not
gnutls: use allowlisting

Resolves: bz1975854
2021-06-28 20:23:25 +02:00
Mohan Boddu
bd79a31b29 Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-06-22 18:36:55 +00:00
Mohan Boddu
cd51490202 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-15 22:59:38 +00:00
Alexander Sosedkin
b15b23030d Tighten policies for RHEL-9 2021-02-18 18:38:39 +01:00
DistroBaker
705dc9cc64 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#b596eb5600a9e299c0fb3d00b1f65993be10bc0a
2021-02-13 13:15:21 +00:00