Alexander Sosedkin
e0a6d022c7
Update from upstream (java, warnings, ...)
...
- java: start controlling / disable DTLSv1.0
- java: disable anon ciphersuites, tying them to NULL
- java: respect more key size restrictions
- java: specify jdk.tls.namedGroups system property
- java: make hash, mac and sign more orthogonal
- fips-mode-setup: add another scary "unsupported"
- fips-mode-setup: flashy ticking warning upon use
- java: use and include jdk.disabled.namedCurves
- ec_min_size: introduce and use in java, default to 256
- java: stop specifying jdk.tls.namedGroups in javasystem
- fips-setup-helper: add a libexec helper for anaconda
- fips-mode-setup: force --no-bootcfg when UKI is detected
Resolves: RHEL-36450
Resolves: RHEL-45618
Resolves: RHEL-45620
Resolves: RHEL-48590
2024-08-15 10:54:35 +02:00
Alexander Sosedkin
ad330f5b47
Update from upstream (de-perl, stop linting)
...
- packaging: remove perl build-dependency, it's not needed anymore
- packaging: use newly introduced SKIP_LINTING=1
- packaging: drop stale workarounds
Resolves: RHEL-27850
2024-03-04 14:49:21 +01:00
Alexander Sosedkin
a950d9ca32
Update from upstream (ostree, java chacha20)
...
- fips-finish-install: make sure ostree is detected in chroot
- fips-mode-setup: make sure ostree is detected in chroot
- fips-finish-install: Create/remove /etc/system-fips on ostree systems
- java: disable ChaCha20-Poly1305 where applicable
Resolves: RHEL-23494
Resolves: RHEL-18435
2024-02-02 17:39:13 +01:00
Alexander Sosedkin
5008c31677
Build only on %java_arches: limit to RHEL-10+ / ELN
2024-02-01 18:30:57 +01:00
Yaakov Selkowitz
6d56296060
Build only on %java_arches
...
While the resulting RPM is noarch, this package uses java-devel for
testing purposes, and therefore can only be built on java-enabled arches.
This prevents the build from landing on an i686 builder and failing.
2023-12-14 12:11:49 -05:00
Clemens Lang
f92ae4b1f8
Update from upstream (fips-mode-setup /boot == /, empty /boot)
...
- fips-mode-setup: Fix test for empty /boot (RHEL-11350)
- fips-mode-setup: Avoid 'boot=UUID=' if /boot == / (RHEL-11350)
Resolves: RHEL-11350
2023-11-13 13:05:37 +01:00
Clemens Lang
7480c1a366
Update from upstream (scoped ssh_etm, deprecation warnings)
...
- Restore support for scoped ssh_etm directives (RHEL-15925)
- Print matches in syntax deprecation warnings (RHEL-15925)
Resolves: RHEL-15925
2023-11-09 12:46:16 +01:00
Clemens Lang
dc98745bf2
Update from upstream (chroot fips-mode-setup, etm@SSH)
...
- turn ssh_etm into an etm@SSH tri-state (RHEL-15925)
- fips-mode-setup: increase chroot-friendliness (RHEL-11350)
- fips-mode-setup: Fix usage with --no-bootcfg (RHEL-11350)
Resolves: RHEL-11350
Resolves: RHEL-15925
2023-11-08 10:09:15 +01:00
Alexander Sosedkin
410783a906
Update from upstream (:SHA1:NO-ENFORCE-EMS, ECDSAPxxxSHAxxx):
...
- openssl: fix SHA1 and NO-ENFORCE-EMS interaction
- bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
Resolves: RHEL-10730
Resolves: RHEL-11346
Resolves: RHEL-11349
2023-10-16 11:19:59 +02:00
Alexander Sosedkin
a8018c1657
Update from upstream (OSPP, --disable):
...
- OSPP subpolicy: tighten beyond reason for OSPP 4.3
- fips-mode-setup: more thorough --disable, still unsupported
Resolves: RHEL-2735
Resolves: RHEL-3227
2023-09-20 18:58:00 +02:00
Yaakov Selkowitz
da28b9c5ae
Build with default java
...
Java is used only during the tests.
Resolves: bz2231109
2023-08-10 11:09:01 -04:00
Alexander Sosedkin
97f868f515
Update from upstream (krb5 reorder, EMS...):
...
- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
- FIPS: enforce EMS in FIPS mode
- NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode
- nss: implement EMS enforcement in FIPS mode (disabled in ELN)
- openssl: implement EMS enforcement in FIPS mode
- gnutls: implement EMS enforcement in FIPS mode (disabled in ELN)
- docs: replace `FIPS 140-2` with just `FIPS 140`
Resolves: bz2225222
Resolves: bz2222734
Resolves: bz2216257
2023-07-31 15:36:25 +02:00
Alexander Sosedkin
5f8e3a70f8
Update from upstream (group order):
...
- policies: restore group order to old OpenSSL default order
Resolves: RHEL-591
2023-06-14 17:09:40 +02:00
Alexander Sosedkin
2b21b5d600
Update from upstream (openssl Groups and Brainpool curves):
...
- openssl: specify Groups explicitly
- openssl: add support for Brainpool curves
Resolves: bz2193324
2023-05-05 11:51:46 +02:00
Alexander Sosedkin
681b7d48a9
Update from upstream (new bind algorithms):
...
- bind: expand the list of disableable algorithms
Resolves: bz2152635
2022-12-15 10:31:48 +01:00
Alexander Sosedkin
a56329e5d8
Update from upstream (RequiredRSASize):
...
- openssh: rename RSAMinSize option to RequiredRSASize
Resolves: bz2129036
2022-10-03 17:24:09 +02:00
Alexander Sosedkin
a9d73e9782
Update from upstream (RSAMinSize):
...
- openssh: add RSAMinSize option following min_rsa_size
Resolves: bz2102774
2022-08-15 11:39:21 +02:00
Alexander Sosedkin
a4f00ed857
Update from upstream (bind ED25519/ED448):
...
- bind: control ED25519/ED448
Resolves: bz2077889
2022-04-27 11:42:38 +02:00
Alexander Sosedkin
9ee1288970
Update from upstream (DNSSEC, SNTRUP):
...
- DEFAULT: drop DNSSEC SHA-1 exception
- openssh: add support for sntrup761x25519-sha512@openssh.com
Resolves: bz2070230
Resolves: bz2070604
2022-04-04 15:05:56 +02:00
Alexander Sosedkin
8fed911d53
Update from upstream (AD-SUPPORT, rh-allow-sha1-signatures, ...):
...
- openssl: allow SHA-1 signatures with rh-allow-sha1-signatures in LEGACY
- update AD-SUPPORT, move RC4 enctype enabling to AD-SUPPORT-LEGACY
- fips-mode-setup: catch more inconsistencies, clarify --check
Resolves: bz2055796
Resolves: bz2056676
2022-02-23 17:49:50 +01:00
Alexander Sosedkin
e69bea495b
Update from upstream (SHAKE, FIPS changes):
...
- gnutls: enable SHAKE, needed for Ed448
- fips-mode-setup: improve handling FIPS plus subpolicies
- FIPS: disable SHA-1 HMAC
- FIPS: disable CBC ciphers except in Kerberos
Resolves: bz2005021
Resolves: bz2026657
Resolves: bz2006843
Resolves: bz2006844
2022-02-03 18:49:41 +01:00
Alexander Sosedkin
b0d95fe7a8
Update from upstream (SECLEVEL=2@LEGACY, whitespace):
...
- openssl: revert to SECLEVEL=2 in LEGACY
- openssl: add newlines at the end of the output
Resolves: bz2035249
2022-02-01 18:05:39 +01:00
Alexander Sosedkin
80e3dac1e0
Update from upstream (OSPP, zipl):
...
- OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
- fips-mode-setup, fips-finish-install: call zipl more often (s390x-specific)
Resolves: bz2013195
2021-11-15 21:02:45 +01:00
Alexander Sosedkin
9d96f6f88f
Update from upstream: openssl Chacha20, pylint 2.11
...
- openssl: fix disabling ChaCha20
- update for pylint 2.11
Resolves: bz2004207
2021-09-22 20:32:29 +02:00
Alexander Sosedkin
791a1cbfff
Fix release number
...
Related: bz1994097
2021-09-14 15:53:52 +02:00
Alexander Sosedkin
9699a7bbb8
Update from upstream: reorder gnutls sigalgs, fix --check
...
- gnutls: reorder ECDSA-SECPMMMR1-SHANNN together with ECDSA-SHANNN
- fix several issues with update-crypto-policies --check
Resolves: bz1994097
2021-09-14 15:46:26 +02:00
Mohan Boddu
747e788f75
Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
...
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 19:43:44 +00:00
Aleksandra Fedorova
132f4bc0f9
Add RHEL gating configuration
2021-07-15 02:43:40 +02:00
Alexander Sosedkin
5466f912c0
Update from upstream: gnutls sigalgs, check
...
- gnutls: explicitly enable ECDSA-SECPNNNR1-SHANNN
- packaging: adapt to the RHEL-9 %check-time testing tools availability
Resolves: bz1979200, bz1978841
2021-07-07 15:59:15 +02:00
Alexander Sosedkin
7c076748f3
Update from upstream: scoped policies, gnutls allowlisting, ...
...
implement scoped policies, e.g., cipher@SSH = ...
implement algorithm globbing, e.g., cipher@SSH = -*-CBC
deprecate derived properties:
tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
deprecate unscoped form of protocol property
openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
libssh: respect ssh_certs
restrict FIPS:OSPP further
improve Python 3.10 compatibility
update documentation
expand upstream test coverage
FUTURE: disable CBC ciphers for all backends but krb5
openssl: LEGACY must have SECLEVEL=1, enabling SHA1
disable DHE-DSS in LEGACY
bump LEGACY key size requirements from 1023 to 1024
add javasystem backend
*ssh: condition ecdh-sha2-nistp384 on SECP384R1
set %verify(not mode) for backend sometimes-symlinks-sometimes-not
gnutls: use allowlisting
Resolves: bz1975854
2021-06-28 20:23:25 +02:00
Mohan Boddu
bd79a31b29
Rebuilt for RHEL 9 BETA for openssl 3.0
...
Related: rhbz#1971065
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-06-22 18:36:55 +00:00
Mohan Boddu
cd51490202
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
...
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-15 22:59:38 +00:00
Alexander Sosedkin
b15b23030d
Tighten policies for RHEL-9
2021-02-18 18:38:39 +01:00
DistroBaker
705dc9cc64
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/crypto-policies.git#b596eb5600a9e299c0fb3d00b1f65993be10bc0a
2021-02-13 13:15:21 +00:00
DistroBaker
cfac1122f9
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/crypto-policies.git#37a4fa3b51dd14d8dbaf31fab953ef3e0ffd35da
2021-01-27 15:45:17 +00:00
DistroBaker
7a413d9e46
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/crypto-policies.git#479d7e8c91bce7f65f4e8afce1f1988b81736eb6
2021-01-27 15:33:14 +00:00
DistroBaker
2f238bbfb1
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/crypto-policies.git#22c6077e4ea098bceea92dd8c92b8ce9ff753d8c
2021-01-18 19:06:23 +00:00
Petr Šabata
a435c5ea66
RHEL 9.0.0 Alpha bootstrap
...
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/crypto-policies#396bae93ee31b0a1d828f834fcdd82e0706ffddc
2020-10-14 23:21:50 +02:00
Release Configuration Management
a765b647db
New branch setup
2020-10-08 11:32:30 +00:00