| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: crypto-policies-scripts | Distribution: openSUSE Tumbleweed |
| Version: 20250124.4d262e7 | Vendor: openSUSE |
| Release: 4.1 | Build date: Mon Jun 30 10:01:55 2025 |
| Group: Productivity/Networking/Security | Build host: reproducible |
| Size: 309046 | Source RPM: crypto-policies-20250124.4d262e7-4.1.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://gitlab.com/redhat-crypto/fedora-crypto-policies | |
| Summary: Tool to switch between crypto policies | |
This package provides a tool update-crypto-policies, which applies the policies provided by the crypto-policies package. These can be either the pre-built policies from the base package or custom policies defined in simple policy definition files. The package also provides a tool fips-mode-setup, which can be used to enable or disable the system FIPS mode.
LGPL-2.1-or-later
* Mon Jun 30 2025 Pedro Monreal <pmonreal@suse.com>
- Allow openssl to load when using the DEFAULT policy, and also
other policies, in FIPS mode. [bsc#1243830, bsc#1242233]
* Add crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
* Wed Apr 09 2025 Pedro Monreal <pmonreal@suse.com>
- Update crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
* Thu Mar 27 2025 Pedro Monreal <pmonreal@suse.com>
- Relax the nss version requirement since the mlkem768secp256r1
enablement has been reverted.
* Tue Mar 18 2025 Pedro Monreal <pmonreal@suse.com>
- Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
* Add crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
* Tue Mar 11 2025 Pedro Monreal <pmonreal@suse.com>
- Enable SHA1 sigver in the DEFAULT policy.
* Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
* Fri Feb 28 2025 Pedro Monreal <pmonreal@suse.com>
- Fix fips-mode-setup in EFI or Secure Boot mode. [bsc#1227637]
* Rebase crypto-policies-FIPS.patch
* Wed Feb 12 2025 Pedro Monreal <pmonreal@suse.com>
- Remove dangling symlink for the libreswan config [bsc#1236858]
- Remove also sequoia config and generator files
- Remove not needed fips bind mount service
* Tue Feb 04 2025 Pedro Monreal <pmonreal@suse.com>
- Update to version 20250124.4d262e7: [bsc#1239009, bsc#1236165]
* openssl: stricter enabling of Ciphersuites
* openssl: make use of -CBC and -AESGCM keywords
* openssl: add TLS 1.3 Brainpool identifiers
* fix warning on using experimental key_exchanges
* update-crypto-policies: don't output FIPS warning in fips mode
* openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256
* openssh, libssh: refactor kx maps to use tuples
* alg_lists: mark MLKEM768/SNTRUP kex experimental
* nss: revert enabling mlkem768secp256r1
* nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber
* gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768
* openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768
* openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768
* openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256
* openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384...
* python/update-crypto-policies: pacify pylint
* fips-mode-setup: tolerate fips dracut module presence w/o FIPS
* fips-mode-setup: small Argon2 detection fix
* SHA1: add __openssl_block_sha1_signatures = 0
* fips-mode-setup: block if LUKS devices using Argon2 are detected
* update-crypto-policies: skip warning on --set=FIPS if bootc
* fips-setup-helper: skip warning, BTW
* fips-mode-setup: force --no-bootcfg when UKI is detected
* fips-setup-helper: add a libexec helper for anaconda
* fips-crypto-policy-overlay: automount FIPS policy
* openssh: make dss no longer enableble, support is dropped
* gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768
* DEFAULT: switch to rh-allow-sha1-signatures = no...
* java: drop unused javasystem backend
* java: stop specifying jdk.tls.namedGroups in javasystem
* ec_min_size: introduce and use in java, default to 256
* java: use and include jdk.disabled.namedCurves
* BSI: Update BSI policy for new 2024 minimum recommendations
* fips-mode-setup: flashy ticking warning upon use
* fips-mode-setup: add another scary "unsupported"
* CONTRIBUTING.md: add a small section on updating policies
* CONTRIBUTING.md: remove trailing punctuation from headers
* BSI: switch to 3072 minimum RSA key size
* java: make hash, mac and sign more orthogonal
* java: specify jdk.tls.namedGroups system property
* java: respect more key size restrictions
* java: disable anon ciphersuites, tying them to NULL...
* java: start controlling / disable DTLSv1.0
* nss: wire KYBER768 to XYBER768D00
* nss: unconditionally load p11-kit-proxy.so
* gnutls: make DTLS0.9 controllable again
* gnutls: retire GNUTLS_NO_TLS_SESSION_HASH
* openssh: remove OPENSSH_MIN_RSA_SIZE / OPENSSH_MIN_RSA_SIZE_FORCE
* gnutls: remove extraneous newline
* sequoia: move away from subprocess.getstatusoutput
* python/cryptopolicies/cryptopolicies.py: add trailing commas
* python, tests: rename MalformedLine to MalformedLineError
* Makefile: introduce SKIP_LINTING flag for packagers to use
* Makefile: run ruff
* tests: use pathlib
* tests: run(check=True) + CalledProcessError where convenient
* tests: use subprocess.run
* tests/krb5.py: check all generated policies
* tests: print to stderr on error paths
* tests/nss.py: also use encoding='utf-8'
* tests/nss.py: also use removesuffix
* tests/nss.py: skip creating tempfiles
* tests/java.pl -> tests/java.py
* tests/gnutls.pl -> tests/gnutls.py
* tests/openssl.pl -> tests/openssl.py
* tests/verify-output.pl: remove
* libreswan: do not use up pfs= / ikev2= keywords for default behaviour
* Rebase patches:
- crypto-policies-no-build-manpages.patch
- crypto-policies-policygenerators.patch
- crypto-policies-supported.patch
- crypto-policies-nss.patch
* Wed Nov 06 2024 Pedro Monreal <pmonreal@suse.com>
- Update to version 20241010.5930b9a:
* LEGACY: enable 192-bit ciphers for nss pkcs12/smime
* nss: be stricter with new purposes
* nss: rewrite backend for 3.101
* cryptopolicies: parent scopes for dumping purposes
* policygenerators: move scoping inside generators
* TEST-PQ: disable pure Kyber768
* nss: wire XYBER768D00 to X25519-KYBER768
* TEST-PQ: update
* TEST-PQ: also enable sntrup761x25519-sha512@openssh.com
* TEST-PQ, alg_lists, openssl: enable more experimental `sign` values
* TEST-PQ, python: add more groups, mark experimental
* openssl: mark liboqsprovider groups optional with ?
* Remove patches:
- crypto-policies-revert-rh-allow-sha1-signatures.patch
* Tue Feb 06 2024 Pedro Monreal <pmonreal@suse.com>
- Update to version 20240201.9f501f3:
* .gitlab-ci.yml: install sequoia-policy-config
* java: disable ChaCha20-Poly1305 where applicable
* fips-mode-setup: make sure ostree is detected in chroot
* fips-finish-install: make sure ostree is detected in chroot
* TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl
* TEST-PQ: add a no-op subpolicy
* update-crypto-policies: Keep mid-sentence upper case
* fips-mode-setup: Write error messages to stderr
* fips-mode-setup: Fix some shellcheck warnings
* fips-mode-setup: Fix test for empty /boot
* fips-mode-setup: Avoid 'boot=UUID=' if /boot == /
* Update man pages
* Rebase patches:
- crypto-policies-FIPS.patch
- crypto-policies-revert-rh-allow-sha1-signatures.patch
* Fri Feb 02 2024 Pedro Monreal <pmonreal@suse.com>
- Update to version 20231108.adb5572b:
* Print matches in syntax deprecation warnings
* Restore support for scoped ssh_etm directives
* fips-mode-setup: Fix usage with --no-bootcfg
* turn ssh_etm into an etm@SSH tri-state
* fips-mode-setup: increase chroot-friendliness
* bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
* pylintrc: use-implicit-booleaness-not-comparison-to-*
* Tue Jan 30 2024 Dirk Müller <dmueller@suse.com>
- avoid the cycle rpm/cmake/crypto-policies/python-rpm-macros:
we only need python3-base here, we don't need the python
macros as no module is being built
* Thu Oct 05 2023 Daniel Garcia <daniel.garcia@suse.com>
- Remove dependency on /usr/bin/python3, making scripts to depends on
the real python3 binary, not the link. bsc#1212476
* Wed Sep 27 2023 Pedro Monreal <pmonreal@suse.com>
- nss: Skip the NSS policy check if the mozilla-nss-tools package
is not installed. This avoids adding more dependencies in ring0.
* Add crypto-policies-nss.patch [bsc#1211301]
* Fri Sep 22 2023 Pedro Monreal <pmonreal@suse.com>
- Update to version 20230920.570ea89:
* fips-mode-setup: more thorough --disable, still unsupported
* FIPS:OSPP: tighten beyond reason for OSPP 4.3
* krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
* openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS)
* gnutls: prepare for tls-session-hash option coming
* nss: prepare for TLS-REQUIRE-EMS option coming
* NO-ENFORCE-EMS: add subpolicy
* FIPS: set __ems = ENFORCE
* cryptopolicies: add enums and __ems tri-state
* docs: replace `FIPS 140-2` with just `FIPS 140`
* .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE
* cryptopolicies: add comments on dunder options
* nss: retire NSS_OLD and replace with NSS_LAX 3.80 check
* BSI: start a BSI TR 02102 policy [jsc#PED-4933]
* Rebase patches:
- crypto-policies-policygenerators.patch
- crypto-policies-revert-rh-allow-sha1-signatures.patch
- crypto-policies-FIPS.patch
* Fri Sep 15 2023 Pedro Monreal <pmonreal@suse.com>
- Conditionally recommend the crypto-policies-scripts package
when python is not installed in the system [bsc#1215201]
* Thu Aug 31 2023 Pedro Monreal <pmonreal@suse.com>
- Tests: Fix pylint versioning for TW and fix the parsing of the
policygenerators to account for the commented lines correctly.
* Add crypto-policies-pylint.patch
* Rebase crypto-policies-policygenerators.patch
* Tue Aug 01 2023 Pedro Monreal <pmonreal@suse.com>
- FIPS: Adapt the fips-mode-setup script to use the pbl command
from the perl-Bootloader package to replace grubby. Add a note
for transactional systems [jsc#PED-5041].
* Rebase crypto-policies-FIPS.patch
* Fri Jul 14 2023 Marcus Meissner <meissner@suse.com>
- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933)
derived from NEXT.pol
* Thu Jul 13 2023 Pedro Monreal <pmonreal@suse.com>
- Update to version 20230614.5f3458e:
* policies: impose old OpenSSL groups order for all back-ends
* Rebase patches:
- crypto-policies-revert-rh-allow-sha1-signatures.patch
- crypto-policies-supported.patch
* Thu May 25 2023 Pedro Monreal <pmonreal@suse.com>
- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup
and fips-finish-install commands, add also the man pages. The
required FIPS modules are left to be installed by the user.
* Rebase crypto-policies-FIPS.patch
* Wed May 24 2023 Pedro Monreal <pmonreal@suse.com>
- Revert a breaking change that introduces the config option
rh-allow-sha1-signatures that is unkown to OpenSSL and fails
on startup. We will consider adding this option to openssl.
* https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494
* Add crypto-policies-revert-rh-allow-sha1-signatures.patch
* Mon May 08 2023 Pedro Monreal <pmonreal@suse.com>
- Update the update-crypto-policies(8) man pages and README.SUSE
to mention the supported back-end policies. [bsc#1209998]
* Add crypto-policies-supported.patch
* Mon May 08 2023 Pedro Monreal <pmonreal@suse.com>
- Update to version 20230420.3d08ae7:
* openssl, alg_lists: add brainpool support
* openssl: set Groups explicitly
* codespell: ignore aNULL
* rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
* sequoia: add separate rpm-sequoia backend
* crypto-policies.7: state upfront that FUTURE is not so interoperable
* Makefile: update for asciidoc 10
* Skip not needed LibreswanGenerator and SequoiaGenerator:
- Add crypto-policies-policygenerators.patch
* Remove crypto-policies-test_supported_modules_only.patch
* Rebase crypto-policies-no-build-manpages.patch
* Fri Jan 20 2023 Pedro Monreal <pmonreal@suse.com>
- Update to version 20221214.a4c31a3:
* bind: expand the list of disableable algorithms
* libssh: Add support for openssh fido keys
* .gitlab-ci.yml: install krb5-devel for krb5-config
* sequoia: check using sequoia-policy-config-check
* sequoia: introduce new back-end
* Makefile: support overriding asciidoc executable name
* openssh: make none and auto explicit and different
* openssh: autodetect and allow forcing RequiredRSASize presence/name
* openssh: remove _pre_8_5_ssh
* pylintrc: update
* Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
* disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...
* Makefile: exclude built manpages from codespell
* add openssh HostbasedAcceptedAlgorithms
* openssh: add RSAMinSize option following min_rsa_size
* Revert ".gitlab-ci.yml: skip pylint (bz2069837)"
* docs: add customization recommendation
* tests/java: fix java.security.disableSystemPropertiesFile=true
* policies: add FEDORA38 and TEST-FEDORA39
* bind: control ED25519/ED448
* openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
* .gitlab-ci.yml: skip pylint (bz2069837)
* openssh: add support for sntrup761x25519-sha512@openssh.com
* fips-mode-setup: fix one unrelated check to intended state
* fips-mode-setup, fips-finish-install: abandon /etc/system-fips
* Makefile: fix alt-policy test of LEGACY:AD-SUPPORT
* fips-mode-setup: catch more inconsistencies, clarify --check
* fips-mode-setup: improve handling FIPS plus subpolicies
* .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3
* gnutls: enable SHAKE, needed for Ed448
* gnutls: use allowlisting
* openssl: add newlines at the end of the output
* FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
* fips-mode-setup, fips-finish-install: call zipl more often
* Add crypto-policies-rpmlintrc file to avoid files-duplicate,
zero-length and non-conffile-in-etc warnings.
* Rebase patches:
- crypto-policies-FIPS.patch
- crypto-policies-no-build-manpages.patch
* Update README.SUSE
/usr/bin/fips-finish-install /usr/bin/fips-mode-setup /usr/bin/update-crypto-policies /usr/share/crypto-policies/python /usr/share/crypto-policies/python/__pycache__ /usr/share/crypto-policies/python/__pycache__/build-crypto-policies.cpython-313.pyc /usr/share/crypto-policies/python/__pycache__/update-crypto-policies.cpython-313.pyc /usr/share/crypto-policies/python/build-crypto-policies.py /usr/share/crypto-policies/python/cryptopolicies /usr/share/crypto-policies/python/cryptopolicies/__init__.py /usr/share/crypto-policies/python/cryptopolicies/__pycache__ /usr/share/crypto-policies/python/cryptopolicies/__pycache__/__init__.cpython-313.pyc /usr/share/crypto-policies/python/cryptopolicies/__pycache__/alg_lists.cpython-313.pyc /usr/share/crypto-policies/python/cryptopolicies/__pycache__/cryptopolicies.cpython-313.pyc /usr/share/crypto-policies/python/cryptopolicies/alg_lists.py /usr/share/crypto-policies/python/cryptopolicies/cryptopolicies.py /usr/share/crypto-policies/python/cryptopolicies/validation /usr/share/crypto-policies/python/cryptopolicies/validation/__init__.py /usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__ /usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/__init__.cpython-313.pyc /usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/alg_lists.cpython-313.pyc /usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/general.cpython-313.pyc /usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/rules.cpython-313.pyc /usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/scope.cpython-313.pyc /usr/share/crypto-policies/python/cryptopolicies/validation/alg_lists.py /usr/share/crypto-policies/python/cryptopolicies/validation/general.py /usr/share/crypto-policies/python/cryptopolicies/validation/rules.py /usr/share/crypto-policies/python/cryptopolicies/validation/scope.py /usr/share/crypto-policies/python/policygenerators /usr/share/crypto-policies/python/policygenerators/__init__.py /usr/share/crypto-policies/python/policygenerators/__pycache__ /usr/share/crypto-policies/python/policygenerators/__pycache__/__init__.cpython-313.pyc /usr/share/crypto-policies/python/policygenerators/__pycache__/bind.cpython-313.pyc /usr/share/crypto-policies/python/policygenerators/__pycache__/configgenerator.cpython-313.pyc /usr/share/crypto-policies/python/policygenerators/__pycache__/gnutls.cpython-313.pyc /usr/share/crypto-policies/python/policygenerators/__pycache__/java.cpython-313.pyc /usr/share/crypto-policies/python/policygenerators/__pycache__/krb5.cpython-313.pyc /usr/share/crypto-policies/python/policygenerators/__pycache__/libssh.cpython-313.pyc /usr/share/crypto-policies/python/policygenerators/__pycache__/nss.cpython-313.pyc /usr/share/crypto-policies/python/policygenerators/__pycache__/openssh.cpython-313.pyc /usr/share/crypto-policies/python/policygenerators/__pycache__/openssl.cpython-313.pyc /usr/share/crypto-policies/python/policygenerators/bind.py /usr/share/crypto-policies/python/policygenerators/configgenerator.py /usr/share/crypto-policies/python/policygenerators/gnutls.py /usr/share/crypto-policies/python/policygenerators/java.py /usr/share/crypto-policies/python/policygenerators/krb5.py /usr/share/crypto-policies/python/policygenerators/libssh.py /usr/share/crypto-policies/python/policygenerators/nss.py /usr/share/crypto-policies/python/policygenerators/openssh.py /usr/share/crypto-policies/python/policygenerators/openssl.py /usr/share/crypto-policies/python/update-crypto-policies.py /usr/share/man/man8/fips-finish-install.8.gz /usr/share/man/man8/fips-mode-setup.8.gz /usr/share/man/man8/update-crypto-policies.8.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Oct 23 22:37:43 2025