crypto-policies

Author	SHA1	Message	Date
Clemens Lang	dc98745bf2	Update from upstream (chroot fips-mode-setup, etm@SSH) - turn ssh_etm into an etm@SSH tri-state (RHEL-15925) - fips-mode-setup: increase chroot-friendliness (RHEL-11350) - fips-mode-setup: Fix usage with --no-bootcfg (RHEL-11350) Resolves: RHEL-11350 Resolves: RHEL-15925	2023-11-08 10:09:15 +01:00
Alexander Sosedkin	410783a906	Update from upstream (:SHA1:NO-ENFORCE-EMS, ECDSAPxxxSHAxxx): - openssl: fix SHA1 and NO-ENFORCE-EMS interaction - bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx Resolves: RHEL-10730 Resolves: RHEL-11346 Resolves: RHEL-11349	2023-10-16 11:19:59 +02:00
Alexander Sosedkin	a8018c1657	Update from upstream (OSPP, --disable): - OSPP subpolicy: tighten beyond reason for OSPP 4.3 - fips-mode-setup: more thorough --disable, still unsupported Resolves: RHEL-2735 Resolves: RHEL-3227	2023-09-20 18:58:00 +02:00
Yaakov Selkowitz	da28b9c5ae	Build with default java Java is used only during the tests. Resolves: bz2231109	2023-08-10 11:09:01 -04:00
Alexander Sosedkin	97f868f515	Update from upstream (krb5 reorder, EMS...): - krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones - FIPS: enforce EMS in FIPS mode - NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode - nss: implement EMS enforcement in FIPS mode (disabled in ELN) - openssl: implement EMS enforcement in FIPS mode - gnutls: implement EMS enforcement in FIPS mode (disabled in ELN) - docs: replace `FIPS 140-2` with just `FIPS 140` Resolves: bz2225222 Resolves: bz2222734 Resolves: bz2216257	2023-07-31 15:36:25 +02:00
Alexander Sosedkin	5f8e3a70f8	Update from upstream (group order): - policies: restore group order to old OpenSSL default order Resolves: RHEL-591	2023-06-14 17:09:40 +02:00
Alexander Sosedkin	2b21b5d600	Update from upstream (openssl Groups and Brainpool curves): - openssl: specify Groups explicitly - openssl: add support for Brainpool curves Resolves: bz2193324	2023-05-05 11:51:46 +02:00
Alexander Sosedkin	681b7d48a9	Update from upstream (new bind algorithms): - bind: expand the list of disableable algorithms Resolves: bz2152635	2022-12-15 10:31:48 +01:00
Alexander Sosedkin	a56329e5d8	Update from upstream (RequiredRSASize): - openssh: rename RSAMinSize option to RequiredRSASize Resolves: bz2129036	2022-10-03 17:24:09 +02:00
Alexander Sosedkin	a9d73e9782	Update from upstream (RSAMinSize): - openssh: add RSAMinSize option following min_rsa_size Resolves: bz2102774	2022-08-15 11:39:21 +02:00
Alexander Sosedkin	a4f00ed857	Update from upstream (bind ED25519/ED448): - bind: control ED25519/ED448 Resolves: bz2077889	2022-04-27 11:42:38 +02:00
Alexander Sosedkin	9ee1288970	Update from upstream (DNSSEC, SNTRUP): - DEFAULT: drop DNSSEC SHA-1 exception - openssh: add support for sntrup761x25519-sha512@openssh.com Resolves: bz2070230 Resolves: bz2070604	2022-04-04 15:05:56 +02:00
Alexander Sosedkin	8fed911d53	Update from upstream (AD-SUPPORT, rh-allow-sha1-signatures, ...): - openssl: allow SHA-1 signatures with rh-allow-sha1-signatures in LEGACY - update AD-SUPPORT, move RC4 enctype enabling to AD-SUPPORT-LEGACY - fips-mode-setup: catch more inconsistencies, clarify --check Resolves: bz2055796 Resolves: bz2056676	2022-02-23 17:49:50 +01:00
Alexander Sosedkin	e69bea495b	Update from upstream (SHAKE, FIPS changes): - gnutls: enable SHAKE, needed for Ed448 - fips-mode-setup: improve handling FIPS plus subpolicies - FIPS: disable SHA-1 HMAC - FIPS: disable CBC ciphers except in Kerberos Resolves: bz2005021 Resolves: bz2026657 Resolves: bz2006843 Resolves: bz2006844	2022-02-03 18:49:41 +01:00
Alexander Sosedkin	b0d95fe7a8	Update from upstream (SECLEVEL=2@LEGACY, whitespace): - openssl: revert to SECLEVEL=2 in LEGACY - openssl: add newlines at the end of the output Resolves: bz2035249	2022-02-01 18:05:39 +01:00
Alexander Sosedkin	80e3dac1e0	Update from upstream (OSPP, zipl): - OSPP: relax -ECDSA-SHA2-512, -FFDHE-* - fips-mode-setup, fips-finish-install: call zipl more often (s390x-specific) Resolves: bz2013195	2021-11-15 21:02:45 +01:00
Alexander Sosedkin	9d96f6f88f	Update from upstream: openssl Chacha20, pylint 2.11 - openssl: fix disabling ChaCha20 - update for pylint 2.11 Resolves: bz2004207	2021-09-22 20:32:29 +02:00
Alexander Sosedkin	791a1cbfff	Fix release number Related: bz1994097	2021-09-14 15:53:52 +02:00
Alexander Sosedkin	9699a7bbb8	Update from upstream: reorder gnutls sigalgs, fix --check - gnutls: reorder ECDSA-SECPMMMR1-SHANNN together with ECDSA-SHANNN - fix several issues with update-crypto-policies --check Resolves: bz1994097	2021-09-14 15:46:26 +02:00
Mohan Boddu	747e788f75	Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 Signed-off-by: Mohan Boddu <mboddu@redhat.com>	2021-08-09 19:43:44 +00:00
Alexander Sosedkin	5466f912c0	Update from upstream: gnutls sigalgs, check - gnutls: explicitly enable ECDSA-SECPNNNR1-SHANNN - packaging: adapt to the RHEL-9 %check-time testing tools availability Resolves: bz1979200, bz1978841	2021-07-07 15:59:15 +02:00
Alexander Sosedkin	7c076748f3	Update from upstream: scoped policies, gnutls allowlisting, ... implement scoped policies, e.g., cipher@SSH = ... implement algorithm globbing, e.g., cipher@SSH = --CBC deprecate derived properties: tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec deprecate unscoped form of protocol property openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes libssh: respect ssh_certs restrict FIPS:OSPP further improve Python 3.10 compatibility update documentation expand upstream test coverage FUTURE: disable CBC ciphers for all backends but krb5 openssl: LEGACY must have SECLEVEL=1, enabling SHA1 disable DHE-DSS in LEGACY bump LEGACY key size requirements from 1023 to 1024 add javasystem backend ssh: condition ecdh-sha2-nistp384 on SECP384R1 set %verify(not mode) for backend sometimes-symlinks-sometimes-not gnutls: use allowlisting Resolves: bz1975854	2021-06-28 20:23:25 +02:00
Mohan Boddu	bd79a31b29	Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065 Signed-off-by: Mohan Boddu <mboddu@redhat.com>	2021-06-22 18:36:55 +00:00
Mohan Boddu	cd51490202	- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 Signed-off-by: Mohan Boddu <mboddu@redhat.com>	2021-04-15 22:59:38 +00:00
Alexander Sosedkin	b15b23030d	Tighten policies for RHEL-9	2021-02-18 18:38:39 +01:00
DistroBaker	705dc9cc64	Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/crypto-policies.git#b596eb5600a9e299c0fb3d00b1f65993be10bc0a	2021-02-13 13:15:21 +00:00
DistroBaker	cfac1122f9	Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/crypto-policies.git#37a4fa3b51dd14d8dbaf31fab953ef3e0ffd35da	2021-01-27 15:45:17 +00:00
DistroBaker	7a413d9e46	Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/crypto-policies.git#479d7e8c91bce7f65f4e8afce1f1988b81736eb6	2021-01-27 15:33:14 +00:00
DistroBaker	2f238bbfb1	Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/crypto-policies.git#22c6077e4ea098bceea92dd8c92b8ce9ff753d8c	2021-01-18 19:06:23 +00:00
Petr Šabata	a435c5ea66	RHEL 9.0.0 Alpha bootstrap The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/crypto-policies#396bae93ee31b0a1d828f834fcdd82e0706ffddc	2020-10-14 23:21:50 +02:00

30 Commits