crypto-policies/backport-policygenerators-nss-output-sigalgs-nss-3-59.patch

From b21c8114995e07965c2ccde5f5767d0618d854bf Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 18 Jan 2021 17:58:45 +0100
Subject: [PATCH] policygenerators/nss: output sigalgs (nss >=3.59)

Actually, checking for 3.60 because Fedora has reverted the change.
---
 python/policygenerators/nss.py        | 36 ++++++++++++++++++++++++++++++++---
 tests/nss.py                          | 15 +++++++++++++++
 tests/outputs/DEFAULT-nss.txt         |  2 +-
 tests/outputs/FIPS-nss.txt            |  2 +-
 tests/outputs/FIPS:ECDHE-ONLY-nss.txt |  2 +-
 tests/outputs/FIPS:OSPP-nss.txt       |  2 +-
 tests/outputs/FUTURE-nss.txt          |  2 +-
 tests/outputs/LEGACY-nss.txt          |  2 +-
 9 files changed, 55 insertions(+), 10 deletions(-)

diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py
index ee10025..00935a2 100644
--- a/python/policygenerators/nss.py
+++ b/python/policygenerators/nss.py
@@ -6,6 +6,8 @@
 from subprocess import call, CalledProcessError
 from tempfile import mkstemp
 
+import ctypes
+import ctypes.util
 import os
 
 from .configgenerator import ConfigGenerator
@@ -86,6 +88,15 @@ class NSSGenerator(ConfigGenerator):
 		'DTLS1.2':'dtls1.2'
 	}
 
+	# Depends on a dict being ordered,
+	# impl. detail in CPython 3.6, guaranteed starting from Python 3.7.
+	sign_prefix_ordmap = {
+		'RSA-PSS-':'RSA-PSS',  # must come before RSA-
+		'RSA-':'RSA-PKCS',
+		'ECDSA-':'ECDSA',
+		'DSA-':'DSA',
+	}
+
 	@classmethod
 	def generate_config(cls, policy):
 		p = policy.props
@@ -126,9 +137,14 @@ class NSSGenerator(ConfigGenerator):
 			except KeyError:
 				pass
 
-		dsa = [i for i in p['sign'] if i.find('DSA-') == 0]
-		if dsa:
-			s = cls.append(s, 'DSA')
+		enabled_sigalgs = set()
+		for i in p['sign']:
+			for prefix, sigalg in cls.sign_prefix_ordmap.items():
+				if i.startswith(prefix):
+					if sigalg not in enabled_sigalgs:
+						enabled_sigalgs.add(sigalg)
+						s = cls.append(s, sigalg)
+					break  # limit to first match
 
 		try:
 			minver = cls.protocol_map[p['min_tls_version']]
@@ -151,6 +167,20 @@ class NSSGenerator(ConfigGenerator):
 
 	@classmethod
 	def test_config(cls, config):
+		try:
+			nss_path = ctypes.util.find_library('nss3')
+			nss_lib = ctypes.CDLL(nss_path)
+			if not nss_lib.NSS_VersionCheck(b'3.60'):
+				# Cannot validate with pre-3.59 NSS
+				# that doesn't know ECDSA/RSA-PSS/RSA-PKCS
+				# identifiers yet.
+				# 3.60 because Fedora's 3.59 has that reverted
+				cls.eprint('Skipping nss-policy-check due to '
+				           'nss being older than 3.60')
+				return True
+		except AttributeError:
+			cls.eprint('Cannot determine nss version with ctypes')
+
 		if not os.access('/usr/bin/nss-policy-check', os.X_OK):
 			return True
 
diff --git a/tests/nss.py b/tests/nss.py
index 4d2cee1..a16d984 100755
--- a/tests/nss.py
+++ b/tests/nss.py
@@ -1,5 +1,7 @@
 #!/usr/bin/python3
 
+import ctypes
+import ctypes.util
 import glob
 import os
 import shutil
@@ -12,6 +14,19 @@ if shutil.which('nss-policy-check') is None:
     sys.exit(0)
 
 
+# Cannot validate with pre-3.59 NSS that doesn't know ECDSA/RSA-PSS/RSA-PKCS
+# identifiers yet. Checking for 3.60 because Fedora has reverted the change.
+try:
+    nss = ctypes.CDLL(ctypes.util.find_library('nss3'))
+    if not nss.NSS_VersionCheck(b'3.60'):
+        print('Skipping nss-policy-check verification '
+              'due to nss being older than 3.60', file=sys.stderr)
+        sys.exit(0)
+except AttributeError:
+    print('Cannot determine nss version with ctypes, hoping for >=3.59',
+          file=sys.stderr)
+
+
 print('Checking the NSS configuration')
 
 for policy_path in glob.glob('tests/outputs/*-nss.txt'):
diff --git a/tests/outputs/DEFAULT-nss.txt b/tests/outputs/DEFAULT-nss.txt
index 6a93308..500cd70 100644
--- a/tests/outputs/DEFAULT-nss.txt
+++ b/tests/outputs/DEFAULT-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
 
 
diff --git a/tests/outputs/FIPS-nss.txt b/tests/outputs/FIPS-nss.txt
index c9809b9..4fdf6bc 100644
--- a/tests/outputs/FIPS-nss.txt
+++ b/tests/outputs/FIPS-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
 
 
diff --git a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
index 78f4844..399bc5c 100644
--- a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
+++ b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
 
 
diff --git a/tests/outputs/FIPS:OSPP-nss.txt b/tests/outputs/FIPS:OSPP-nss.txt
index 0ca1ab0..d172a83 100644
--- a/tests/outputs/FIPS:OSPP-nss.txt
+++ b/tests/outputs/FIPS:OSPP-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
 
 
diff --git a/tests/outputs/FUTURE-nss.txt b/tests/outputs/FUTURE-nss.txt
index 23d1ce8..9cea0a4 100644
--- a/tests/outputs/FUTURE-nss.txt
+++ b/tests/outputs/FUTURE-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
 
 
diff --git a/tests/outputs/LEGACY-nss.txt b/tests/outputs/LEGACY-nss.txt
index e16b6ce..8bf8bd1 100644
--- a/tests/outputs/LEGACY-nss.txt
+++ b/tests/outputs/LEGACY-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
 
 
-- 
1.8.3.1
Add new algorithms in nss's config file to support nss >= 3.59 (ECDSA RSA-PSS RSA-PKCS) (cherry picked from commit a5fe243acd68b2053a3b5a7bb844c818378462c2) 2022-01-07 15:57:07 +08:00			`From b21c8114995e07965c2ccde5f5767d0618d854bf Mon Sep 17 00:00:00 2001`
			`From: Alexander Sosedkin <asosedkin@redhat.com>`
			`Date: Mon, 18 Jan 2021 17:58:45 +0100`
			`Subject: [PATCH] policygenerators/nss: output sigalgs (nss >=3.59)`

			`Actually, checking for 3.60 because Fedora has reverted the change.`
			`---`
			`python/policygenerators/nss.py \| 36 ++++++++++++++++++++++++++++++++---`
			`tests/nss.py \| 15 +++++++++++++++`
			`tests/outputs/DEFAULT-nss.txt \| 2 +-`
			`tests/outputs/FIPS-nss.txt \| 2 +-`
			`tests/outputs/FIPS:ECDHE-ONLY-nss.txt \| 2 +-`
			`tests/outputs/FIPS:OSPP-nss.txt \| 2 +-`
			`tests/outputs/FUTURE-nss.txt \| 2 +-`
			`tests/outputs/LEGACY-nss.txt \| 2 +-`
			`9 files changed, 55 insertions(+), 10 deletions(-)`

			`diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py`
			`index ee10025..00935a2 100644`
			`--- a/python/policygenerators/nss.py`
			`+++ b/python/policygenerators/nss.py`
			`@@ -6,6 +6,8 @@`
			`from subprocess import call, CalledProcessError`
			`from tempfile import mkstemp`

			`+import ctypes`
			`+import ctypes.util`
			`import os`

			`from .configgenerator import ConfigGenerator`
			`@@ -86,6 +88,15 @@ class NSSGenerator(ConfigGenerator):`
			`'DTLS1.2':'dtls1.2'`
			`}`

			`+ # Depends on a dict being ordered,`
			`+ # impl. detail in CPython 3.6, guaranteed starting from Python 3.7.`
			`+ sign_prefix_ordmap = {`
			`+ 'RSA-PSS-':'RSA-PSS', # must come before RSA-`
			`+ 'RSA-':'RSA-PKCS',`
			`+ 'ECDSA-':'ECDSA',`
			`+ 'DSA-':'DSA',`
			`+ }`
			`+`
			`@classmethod`
			`def generate_config(cls, policy):`
			`p = policy.props`
			`@@ -126,9 +137,14 @@ class NSSGenerator(ConfigGenerator):`
			`except KeyError:`
			`pass`

			`- dsa = [i for i in p['sign'] if i.find('DSA-') == 0]`
			`- if dsa:`
			`- s = cls.append(s, 'DSA')`
			`+ enabled_sigalgs = set()`
			`+ for i in p['sign']:`
			`+ for prefix, sigalg in cls.sign_prefix_ordmap.items():`
			`+ if i.startswith(prefix):`
			`+ if sigalg not in enabled_sigalgs:`
			`+ enabled_sigalgs.add(sigalg)`
			`+ s = cls.append(s, sigalg)`
			`+ break # limit to first match`

			`try:`
			`minver = cls.protocol_map[p['min_tls_version']]`
			`@@ -151,6 +167,20 @@ class NSSGenerator(ConfigGenerator):`

			`@classmethod`
			`def test_config(cls, config):`
			`+ try:`
			`+ nss_path = ctypes.util.find_library('nss3')`
			`+ nss_lib = ctypes.CDLL(nss_path)`
			`+ if not nss_lib.NSS_VersionCheck(b'3.60'):`
			`+ # Cannot validate with pre-3.59 NSS`
			`+ # that doesn't know ECDSA/RSA-PSS/RSA-PKCS`
			`+ # identifiers yet.`
			`+ # 3.60 because Fedora's 3.59 has that reverted`
			`+ cls.eprint('Skipping nss-policy-check due to '`
			`+ 'nss being older than 3.60')`
			`+ return True`
			`+ except AttributeError:`
			`+ cls.eprint('Cannot determine nss version with ctypes')`
			`+`
			`if not os.access('/usr/bin/nss-policy-check', os.X_OK):`
			`return True`

			`diff --git a/tests/nss.py b/tests/nss.py`
			`index 4d2cee1..a16d984 100755`
			`--- a/tests/nss.py`
			`+++ b/tests/nss.py`
			`@@ -1,5 +1,7 @@`
			`#!/usr/bin/python3`

			`+import ctypes`
			`+import ctypes.util`
			`import glob`
			`import os`
			`import shutil`
			`@@ -12,6 +14,19 @@ if shutil.which('nss-policy-check') is None:`
			`sys.exit(0)`


			`+# Cannot validate with pre-3.59 NSS that doesn't know ECDSA/RSA-PSS/RSA-PKCS`
			`+# identifiers yet. Checking for 3.60 because Fedora has reverted the change.`
			`+try:`
			`+ nss = ctypes.CDLL(ctypes.util.find_library('nss3'))`
			`+ if not nss.NSS_VersionCheck(b'3.60'):`
			`+ print('Skipping nss-policy-check verification '`
			`+ 'due to nss being older than 3.60', file=sys.stderr)`
			`+ sys.exit(0)`
			`+except AttributeError:`
			`+ print('Cannot determine nss version with ctypes, hoping for >=3.59',`
			`+ file=sys.stderr)`
			`+`
			`+`
			`print('Checking the NSS configuration')`

			`for policy_path in glob.glob('tests/outputs/*-nss.txt'):`
			`diff --git a/tests/outputs/DEFAULT-nss.txt b/tests/outputs/DEFAULT-nss.txt`
			`index 6a93308..500cd70 100644`
			`--- a/tests/outputs/DEFAULT-nss.txt`
			`+++ b/tests/outputs/DEFAULT-nss.txt`
			`@@ -1,6 +1,6 @@`
			`library=`
			`name=Policy`
			`NSS=flags=policyOnly,moduleDB`
			`-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"`
			`+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"`


			`diff --git a/tests/outputs/FIPS-nss.txt b/tests/outputs/FIPS-nss.txt`
			`index c9809b9..4fdf6bc 100644`
			`--- a/tests/outputs/FIPS-nss.txt`
			`+++ b/tests/outputs/FIPS-nss.txt`
			`@@ -1,6 +1,6 @@`
			`library=`
			`name=Policy`
			`NSS=flags=policyOnly,moduleDB`
			`-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"`
			`+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"`


			`diff --git a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt`
			`index 78f4844..399bc5c 100644`
			`--- a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt`
			`+++ b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt`
			`@@ -1,6 +1,6 @@`
			`library=`
			`name=Policy`
			`NSS=flags=policyOnly,moduleDB`
			`-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"`
			`+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"`


			`diff --git a/tests/outputs/FIPS:OSPP-nss.txt b/tests/outputs/FIPS:OSPP-nss.txt`
			`index 0ca1ab0..d172a83 100644`
			`--- a/tests/outputs/FIPS:OSPP-nss.txt`
			`+++ b/tests/outputs/FIPS:OSPP-nss.txt`
			`@@ -1,6 +1,6 @@`
			`library=`
			`name=Policy`
			`NSS=flags=policyOnly,moduleDB`
			`-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"`
			`+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"`


			`diff --git a/tests/outputs/FUTURE-nss.txt b/tests/outputs/FUTURE-nss.txt`
			`index 23d1ce8..9cea0a4 100644`
			`--- a/tests/outputs/FUTURE-nss.txt`
			`+++ b/tests/outputs/FUTURE-nss.txt`
			`@@ -1,6 +1,6 @@`
			`library=`
			`name=Policy`
			`NSS=flags=policyOnly,moduleDB`
			`-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"`
			`+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"`


			`diff --git a/tests/outputs/LEGACY-nss.txt b/tests/outputs/LEGACY-nss.txt`
			`index e16b6ce..8bf8bd1 100644`
			`--- a/tests/outputs/LEGACY-nss.txt`
			`+++ b/tests/outputs/LEGACY-nss.txt`
			`@@ -1,6 +1,6 @@`
			`library=`
			`name=Policy`
			`NSS=flags=policyOnly,moduleDB`
			`-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"`
			`+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"`


			`--`
			`1.8.3.1`