Hello community,
here is the log from the commit of package crypto-policies for openSUSE:Factory
checked in at 2026-05-21 18:26:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/crypto-policies (Old)
and /work/SRC/openSUSE:Factory/.crypto-policies.new.2084 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "crypto-policies"
Thu May 21 18:26:02 2026 rev:16 rq:1354219 version:20250714.cd6043a
Changes:
--------
--- /work/SRC/openSUSE:Factory/crypto-policies/crypto-policies.changes
2026-04-25 21:35:05.904222327 +0200
+++
/work/SRC/openSUSE:Factory/.crypto-policies.new.2084/crypto-policies.changes
2026-05-21 18:27:21.702616415 +0200
@@ -1,0 +2,15 @@
+Wed May 20 09:26:21 UTC 2026 - Pedro Monreal <[email protected]>
+
+- Remove crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
+ to allow X25519 as required for [email protected]
+ and sntrup761x25519-sha512 in the DEFAULT policy. (bsc#1259825)
+ Rebase crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
+
+-------------------------------------------------------------------
+Mon May 4 11:24:37 UTC 2026 - Pedro Monreal <[email protected]>
+
+- Add PQC support for OpenSSH (bsc#1258311, bsc#1259825)
+ * Enable sntrup761x25519-sha512 for OpenSSH by default
+ * Add crypto-policies-OpenSSH-PQC.patch
+
+-------------------------------------------------------------------
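Review bot: The May 20 entry drops crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch without saying what now happens to sshd in FIPS mode under the DEFAULT policy, which is the case the removed patch's spec comment ("Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]") says it covered. Please add a line stating whether that scenario still works or how it is handled now. The "Rebase crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch" line also reads as a continuation of the first bullet; give it its own "- " item.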
Old:
----
crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
New:
----
crypto-policies-OpenSSH-PQC.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ crypto-policies.spec ++++++
--- /var/tmp/diff_new_pack.dooXVy/_old 2026-05-21 18:27:22.566651911 +0200
+++ /var/tmp/diff_new_pack.dooXVy/_new 2026-05-21 18:27:22.570652076 +0200
@@ -49,14 +49,14 @@
Patch3: crypto-policies-nss.patch
#PATCH-FIX-OPENSUSE enable SHA1 sigver in DEFAULT
Patch4: crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
-#PATCH-FIX-OPENSUSE Allow sshd in FIPS mode when using the DEFAULT policy
[bsc#1227370]
-Patch5: crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
#PATCH-FIX-OPENSUSE Fix the output comments around setting the FIPS mode
-Patch6: crypto-policies-FIPS-output.patch
+Patch5: crypto-policies-FIPS-output.patch
#PATCH-FIX-OPENSUSE Adapt the manpages to SUSE/openSUSE
-Patch7: crypto-policies-SUSE-manpages.patch
+Patch6: crypto-policies-SUSE-manpages.patch
#PATCH-FIX-OPENSUSE Allow openssl to load when using any policy in FIPS mode
[bsc#1243830, bsc#1242233]
-Patch8: crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
+Patch7: crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
+#PATCH-FIX-UPSTREAM Add PQC support for OpenSSH (bsc#1258311, bsc#1259825)
+Patch8: crypto-policies-OpenSSH-PQC.patch
BuildRequires: python3-base >= 3.11
%if %{with manbuild}
BuildRequires: asciidoc
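Review bot: The new Patch8 comment tags crypto-policies-OpenSSH-PQC.patch as PATCH-FIX-UPSTREAM, but neither the comment nor the changelog points to an upstream commit or merge request, and every other patch in this hunk is tagged PATCH-FIX-OPENSUSE. Add the upstream reference, or retag it PATCH-FIX-OPENSUSE if enabling SNTRUP by default is a distribution choice. Since Patch5 to Patch8 are renumbered, also check that any explicit %patch lines later in the spec follow the new numbers.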
++++++ crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch ++++++
--- /var/tmp/diff_new_pack.dooXVy/_old 2026-05-21 18:27:22.646655198 +0200
+++ /var/tmp/diff_new_pack.dooXVy/_new 2026-05-21 18:27:22.650655362 +0200
@@ -62,12 +62,11 @@
===================================================================
---
fedora-crypto-policies-20250714.cd6043a.orig/tests/outputs/DEFAULT-openssh.txt
+++ fedora-crypto-policies-20250714.cd6043a/tests/outputs/DEFAULT-openssh.txt
-@@ -1,8 +1,7 @@
- Ciphers [email protected],aes256-ctr,[email protected],aes128-ctr
- MACs
[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,hmac-sha2-512
+@@ -1,7 +1,7 @@
+ Ciphers
[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
+ MACs
[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
-GSSAPIKexAlgorithms
gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
-KexAlgorithms
mlkem768x25519-sha256,curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
--HostKeyAlgorithms
ecdsa-sha2-nistp256,[email protected],[email protected],[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected]
+GSSAPIKexAlgorithms
gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms
mlkem768x25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
PubkeyAcceptedAlgorithms
ecdsa-sha2-nistp256,[email protected],[email protected],[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected]
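Review bot: In the DEFAULT-openssh.txt expectations, the rebased patch still replaces the KexAlgorithms line with one that has no curve25519-sha256 and the GSSAPIKexAlgorithms line with one that has no gss-curve25519-sha256-, while the changelog says the sshd FIPS patch was removed to allow X25519 in the DEFAULT policy. If those removals are still intended for this file, say why in the patch header; otherwise drop them from the rebase so the expected output keeps the X25519 entries. The rebase also stops removing the HostKeyAlgorithms line (the inner hunk goes from -1,8 +1,7 to -1,7 +1,7), which deserves a mention in the changelog.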
@@ -78,11 +77,10 @@
---
fedora-crypto-policies-20250714.cd6043a.orig/tests/outputs/DEFAULT-opensshserver.txt
+++
fedora-crypto-policies-20250714.cd6043a/tests/outputs/DEFAULT-opensshserver.txt
@@ -1,7 +1,7 @@
- Ciphers [email protected],aes256-ctr,[email protected],aes128-ctr
- MACs
[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,hmac-sha2-512
--GSSAPIKexAlgorithms
gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+ Ciphers
[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
+ MACs
[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
+ GSSAPIKexAlgorithms
gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
-KexAlgorithms
mlkem768x25519-sha256,curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
-+GSSAPIKexAlgorithms
gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms
mlkem768x25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
HostKeyAlgorithms
ecdsa-sha2-nistp256,[email protected],[email protected],[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected]
PubkeyAcceptedAlgorithms
ecdsa-sha2-nistp256,[email protected],[email protected],[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected]
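Review bot: For DEFAULT-opensshserver.txt the GSSAPIKexAlgorithms line containing gss-curve25519-sha256- becomes unchanged context, but the DEFAULT-openssh.txt hunk above still swaps it for a list without that entry, so the client and server expectations now disagree on GSS key exchange. Make the two files consistent, and note that KexAlgorithms here still ends up without curve25519-sha256.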
++++++ crypto-policies-OpenSSH-PQC.patch ++++++
Index: fedora-crypto-policies-20250714.cd6043a/policies/DEFAULT.pol
===================================================================
--- fedora-crypto-policies-20250714.cd6043a.orig/policies/DEFAULT.pol
+++ fedora-crypto-policies-20250714.cd6043a/policies/DEFAULT.pol
@@ -65,6 +65,9 @@ cipher@SSH = AES-256-GCM AES-256-CCM CAM
# interoperability issues in TLS.
key_exchange = KEM-ECDH ECDHE RSA DHE DHE-RSA PSK DHE-PSK ECDHE-PSK RSA-PSK
ECDHE-GSS DHE-GSS
+# Enable SNTRUP by default for OpenSSH
+key_exchange@ssh = +SNTRUP
+
protocol@TLS = TLS1.3 TLS1.2 DTLS1.2
protocol@IKE = IKEv2
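Review bot: The added directive is written key_exchange@ssh with a lowercase scope, while the neighbouring directive in the hunk header is spelled cipher@SSH. Use key_exchange@SSH to match the file's existing spelling, and extend the comment with the bug reference (bsc#1258311) so the reason for this default is visible in the policy file itself.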
Index: fedora-crypto-policies-20250714.cd6043a/policies/FUTURE.pol
===================================================================
--- fedora-crypto-policies-20250714.cd6043a.orig/policies/FUTURE.pol
+++ fedora-crypto-policies-20250714.cd6043a/policies/FUTURE.pol
@@ -54,6 +54,9 @@ cipher@SSH = -*-CBC
key_exchange = KEM-ECDH ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK ECDHE-GSS
DHE-GSS
+# Enable SNTRUP by default for OpenSSH
+key_exchange@ssh = +SNTRUP
+
protocol@TLS = TLS1.3 TLS1.2 DTLS1.2
protocol@IKE = IKEv2
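Review bot: FUTURE.pol gets the same +SNTRUP line, but the changelog only says "Enable sntrup761x25519-sha512 for OpenSSH by default" and the later entry names the DEFAULT policy alone. State in the changelog that FUTURE and LEGACY are changed as well, so an admin running FUTURE is not surprised by a new key exchange offer.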
Index: fedora-crypto-policies-20250714.cd6043a/policies/LEGACY.pol
===================================================================
--- fedora-crypto-policies-20250714.cd6043a.orig/policies/LEGACY.pol
+++ fedora-crypto-policies-20250714.cd6043a/policies/LEGACY.pol
@@ -66,6 +66,9 @@ cipher@{sequoia,RPM} = AES-256-CFB AES-2
# interoperability issues in TLS.
key_exchange = KEM-ECDH ECDHE RSA DHE DHE-RSA DHE-DSS PSK DHE-PSK ECDHE-PSK
RSA-PSK ECDHE-GSS DHE-GSS
+# Enable SNTRUP by default for OpenSSH
+key_exchange@ssh = +SNTRUP
+
protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 DTLS1.2 DTLS1.0
protocol@IKE = IKEv2
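Review bot: This patch edits three .pol files but carries no update to tests/outputs, and the DEFAULT-openssh.txt and DEFAULT-opensshserver.txt KexAlgorithms expectations shown in the rebased patch above list no sntrup761x25519-sha512 entry. Add the matching expected-output changes for the DEFAULT, FUTURE and LEGACY OpenSSH files here, or the policy change goes in unverified by the test suite.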