Commit Graph

29 Commits

Author SHA1 Message Date
Alexander Sosedkin
410734bda5 Update from upstream (java, RSA in DEFAULT, SHA1 in LEGACY...)
- nss: wire KYBER768 to XYBER768D00
- java: start controlling / disable DTLSv1.0
- java: disable anon ciphersuites, tying them to NULL
- java: respect more key size restrictions
- java: specify jdk.tls.namedGroups system property
- java: make hash, mac and sign more orthogonal
- fips-mode-setup: add another scary "unsupported"
- fips-mode-setup: flashy ticking warning upon use
- java: use and include jdk.disabled.namedCurves
- ec_min_size: introduce and use in java, default to 256
- java: stop specifying jdk.tls.namedGroups in javasystem
- java: drop unused javasystem backend
- openssh: make dss no longer enableble, support is dropped
- LEGACY: disable sign = *-SHA1
- DEFAULT: disable RSA key exchange
- nss: TLS-REQUIRE-EMS in FIPS

Resolves: RHEL-36300
Resolves: RHEL-50106
Resolves: RHEL-50464
Related: RHEL-18442
Related: RHEL-28848
Related: RHEL-45618
Related: RHEL-45620
Related: RHEL-5206
2024-07-26 11:38:30 +02:00
Alexander Sosedkin
79781382b2 Switch upstream to rhel10 branch
- Switch to a version based on Fedora 41 crypto-policies
  (20240521-1.gitf71d135.fc41),
  and replace the changelog with Fedora changelog
- Shape up RHEL-10: remove GOST-ONLY policy and GOST subpolicy
- Shape up RHEL-10: remove NEXT policy
- Shape up RHEL-10: remove BSI policy
- Shape up RHEL-10: remove TEST-FEDORA41 policy
- Shape up RHEL-10: remove NO-SHA1 subpolicy
- Shape up RHEL-10: remove SHA1 subpolicy
- Shape up RHEL-10: remove TEST-PQ policy
- Shape up RHEL-10: disable CAMELLIA in all policies...
- Shape up RHEL-10: drop FFDHE-1024 from LEGACY
- Shape up RHEL-10: DEFAULT: remove Fedora-only DSA-SHA1 RPM enablement
- Shape up RHEL-10: remove Fedora-specific __openssl_block_sha1_signatures...
- Shape up RHEL-10: disable 3DES in LEGACY
- Shape up RHEL-10: disable DSA
- Shape up RHEL-10: mark LEGACY as 80-bit security (@tomato42)
- Shape up RHEL-10: require TLSv1.2/DTLSv1.2 in all policies
- Shape up RHEL-10: requre 2048 bit params in LEGACY
- Shape up RHEL-10: FUTURE: disable CBC ciphers for all but krb5
- Shape up RHEL-10: disable DHE-DSS even in LEGACY
- Shape up RHEL-10: gnutls: explicit ECDSA-SECPNNNR1-SHANNN + reorder
- Shape up RHEL-10: openssh: disable DHE-FFDHE-1024-SHA1 server config hack
- Shape up RHEL-10: FIPS: disable SHA-1 HMAC in FIPS policy
- Shape up RHEL-10: FIPS: disable CBC ciphers except in Kerberos
- Shape up RHEL-10: policies/modules: update AD-SUPPORT away from RC4/MD5
- Shape up RHEL-10: drop DNSSEC SHA-1 exception from DEFAULT
2024-05-21 20:09:03 +02:00
Alexander Sosedkin
ad330f5b47 Update from upstream (de-perl, stop linting)
- packaging: remove perl build-dependency, it's not needed anymore
- packaging: use newly introduced SKIP_LINTING=1
- packaging: drop stale workarounds

Resolves: RHEL-27850
2024-03-04 14:49:21 +01:00
Alexander Sosedkin
a950d9ca32 Update from upstream (ostree, java chacha20)
- fips-finish-install: make sure ostree is detected in chroot
- fips-mode-setup: make sure ostree is detected in chroot
- fips-finish-install: Create/remove /etc/system-fips on ostree systems
- java: disable ChaCha20-Poly1305 where applicable

Resolves: RHEL-23494
Resolves: RHEL-18435
2024-02-02 17:39:13 +01:00
Clemens Lang
f92ae4b1f8 Update from upstream (fips-mode-setup /boot == /, empty /boot)
- fips-mode-setup: Fix test for empty /boot (RHEL-11350)
- fips-mode-setup: Avoid 'boot=UUID=' if /boot == / (RHEL-11350)

Resolves: RHEL-11350
2023-11-13 13:05:37 +01:00
Clemens Lang
7480c1a366 Update from upstream (scoped ssh_etm, deprecation warnings)
- Restore support for scoped ssh_etm directives (RHEL-15925)
- Print matches in syntax deprecation warnings (RHEL-15925)

Resolves: RHEL-15925
2023-11-09 12:46:16 +01:00
Clemens Lang
dc98745bf2 Update from upstream (chroot fips-mode-setup, etm@SSH)
- turn ssh_etm into an etm@SSH tri-state (RHEL-15925)
- fips-mode-setup: increase chroot-friendliness (RHEL-11350)
- fips-mode-setup: Fix usage with --no-bootcfg (RHEL-11350)

Resolves: RHEL-11350
Resolves: RHEL-15925
2023-11-08 10:09:15 +01:00
Alexander Sosedkin
410783a906 Update from upstream (:SHA1:NO-ENFORCE-EMS, ECDSAPxxxSHAxxx):
- openssl: fix SHA1 and NO-ENFORCE-EMS interaction
- bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx

Resolves: RHEL-10730
Resolves: RHEL-11346
Resolves: RHEL-11349
2023-10-16 11:19:59 +02:00
Alexander Sosedkin
a8018c1657 Update from upstream (OSPP, --disable):
- OSPP subpolicy: tighten beyond reason for OSPP 4.3
- fips-mode-setup: more thorough --disable, still unsupported

Resolves: RHEL-2735
Resolves: RHEL-3227
2023-09-20 18:58:00 +02:00
Alexander Sosedkin
97f868f515 Update from upstream (krb5 reorder, EMS...):
- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
- FIPS: enforce EMS in FIPS mode
- NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode
- nss: implement EMS enforcement in FIPS mode (disabled in ELN)
- openssl: implement EMS enforcement in FIPS mode
- gnutls: implement EMS enforcement in FIPS mode (disabled in ELN)
- docs: replace `FIPS 140-2` with just `FIPS 140`

Resolves: bz2225222
Resolves: bz2222734
Resolves: bz2216257
2023-07-31 15:36:25 +02:00
Alexander Sosedkin
5f8e3a70f8 Update from upstream (group order):
- policies: restore group order to old OpenSSL default order

Resolves: RHEL-591
2023-06-14 17:09:40 +02:00
Alexander Sosedkin
2b21b5d600 Update from upstream (openssl Groups and Brainpool curves):
- openssl: specify Groups explicitly
- openssl: add support for Brainpool curves

Resolves: bz2193324
2023-05-05 11:51:46 +02:00
Alexander Sosedkin
681b7d48a9 Update from upstream (new bind algorithms):
- bind: expand the list of disableable algorithms

Resolves: bz2152635
2022-12-15 10:31:48 +01:00
Alexander Sosedkin
a56329e5d8 Update from upstream (RequiredRSASize):
- openssh: rename RSAMinSize option to RequiredRSASize

Resolves: bz2129036
2022-10-03 17:24:09 +02:00
Alexander Sosedkin
a9d73e9782 Update from upstream (RSAMinSize):
- openssh: add RSAMinSize option following min_rsa_size

Resolves: bz2102774
2022-08-15 11:39:21 +02:00
Alexander Sosedkin
a4f00ed857 Update from upstream (bind ED25519/ED448):
- bind: control ED25519/ED448

Resolves: bz2077889
2022-04-27 11:42:38 +02:00
Alexander Sosedkin
9ee1288970 Update from upstream (DNSSEC, SNTRUP):
- DEFAULT: drop DNSSEC SHA-1 exception
- openssh: add support for sntrup761x25519-sha512@openssh.com

Resolves: bz2070230
Resolves: bz2070604
2022-04-04 15:05:56 +02:00
Alexander Sosedkin
8fed911d53 Update from upstream (AD-SUPPORT, rh-allow-sha1-signatures, ...):
- openssl: allow SHA-1 signatures with rh-allow-sha1-signatures in LEGACY
- update AD-SUPPORT, move RC4 enctype enabling to AD-SUPPORT-LEGACY
- fips-mode-setup: catch more inconsistencies, clarify --check

Resolves: bz2055796
Resolves: bz2056676
2022-02-23 17:49:50 +01:00
Alexander Sosedkin
e69bea495b Update from upstream (SHAKE, FIPS changes):
- gnutls: enable SHAKE, needed for Ed448
- fips-mode-setup: improve handling FIPS plus subpolicies
- FIPS: disable SHA-1 HMAC
- FIPS: disable CBC ciphers except in Kerberos

Resolves: bz2005021
Resolves: bz2026657
Resolves: bz2006843
Resolves: bz2006844
2022-02-03 18:49:41 +01:00
Alexander Sosedkin
b0d95fe7a8 Update from upstream (SECLEVEL=2@LEGACY, whitespace):
- openssl: revert to SECLEVEL=2 in LEGACY
- openssl: add newlines at the end of the output

Resolves: bz2035249
2022-02-01 18:05:39 +01:00
Alexander Sosedkin
80e3dac1e0 Update from upstream (OSPP, zipl):
- OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
- fips-mode-setup, fips-finish-install: call zipl more often (s390x-specific)

Resolves: bz2013195
2021-11-15 21:02:45 +01:00
Alexander Sosedkin
9d96f6f88f Update from upstream: openssl Chacha20, pylint 2.11
- openssl: fix disabling ChaCha20
- update for pylint 2.11

Resolves: bz2004207
2021-09-22 20:32:29 +02:00
Alexander Sosedkin
9699a7bbb8 Update from upstream: reorder gnutls sigalgs, fix --check
- gnutls: reorder ECDSA-SECPMMMR1-SHANNN together with ECDSA-SHANNN
- fix several issues with update-crypto-policies --check

Resolves: bz1994097
2021-09-14 15:46:26 +02:00
Alexander Sosedkin
5466f912c0 Update from upstream: gnutls sigalgs, check
- gnutls: explicitly enable ECDSA-SECPNNNR1-SHANNN
- packaging: adapt to the RHEL-9 %check-time testing tools availability

Resolves: bz1979200, bz1978841
2021-07-07 15:59:15 +02:00
Alexander Sosedkin
7c076748f3 Update from upstream: scoped policies, gnutls allowlisting, ...
implement scoped policies, e.g., cipher@SSH = ...
implement algorithm globbing, e.g., cipher@SSH = -*-CBC
deprecate derived properties:
tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
deprecate unscoped form of protocol property
openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
libssh: respect ssh_certs
restrict FIPS:OSPP further
improve Python 3.10 compatibility
update documentation
expand upstream test coverage
FUTURE: disable CBC ciphers for all backends but krb5
openssl: LEGACY must have SECLEVEL=1, enabling SHA1
disable DHE-DSS in LEGACY
bump LEGACY key size requirements from 1023 to 1024
add javasystem backend
*ssh: condition ecdh-sha2-nistp384 on SECP384R1
set %verify(not mode) for backend sometimes-symlinks-sometimes-not
gnutls: use allowlisting

Resolves: bz1975854
2021-06-28 20:23:25 +02:00
Alexander Sosedkin
b15b23030d Tighten policies for RHEL-9 2021-02-18 18:38:39 +01:00
DistroBaker
705dc9cc64 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#b596eb5600a9e299c0fb3d00b1f65993be10bc0a
2021-02-13 13:15:21 +00:00
DistroBaker
2f238bbfb1 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#22c6077e4ea098bceea92dd8c92b8ce9ff753d8c
2021-01-18 19:06:23 +00:00
Petr Šabata
a435c5ea66 RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/crypto-policies#396bae93ee31b0a1d828f834fcdd82e0706ffddc
2020-10-14 23:21:50 +02:00