193 lines
8.8 KiB
Diff
193 lines
8.8 KiB
Diff
From b21c8114995e07965c2ccde5f5767d0618d854bf Mon Sep 17 00:00:00 2001
|
|
From: Alexander Sosedkin <asosedkin@redhat.com>
|
|
Date: Mon, 18 Jan 2021 17:58:45 +0100
|
|
Subject: [PATCH] policygenerators/nss: output sigalgs (nss >=3.59)
|
|
|
|
Actually, checking for 3.60 because Fedora has reverted the change.
|
|
---
|
|
python/policygenerators/nss.py | 36 ++++++++++++++++++++++++++++++++---
|
|
tests/nss.py | 15 +++++++++++++++
|
|
tests/outputs/DEFAULT-nss.txt | 2 +-
|
|
tests/outputs/FIPS-nss.txt | 2 +-
|
|
tests/outputs/FIPS:ECDHE-ONLY-nss.txt | 2 +-
|
|
tests/outputs/FIPS:OSPP-nss.txt | 2 +-
|
|
tests/outputs/FUTURE-nss.txt | 2 +-
|
|
tests/outputs/LEGACY-nss.txt | 2 +-
|
|
9 files changed, 55 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py
|
|
index ee10025..00935a2 100644
|
|
--- a/python/policygenerators/nss.py
|
|
+++ b/python/policygenerators/nss.py
|
|
@@ -6,6 +6,8 @@
|
|
from subprocess import call, CalledProcessError
|
|
from tempfile import mkstemp
|
|
|
|
+import ctypes
|
|
+import ctypes.util
|
|
import os
|
|
|
|
from .configgenerator import ConfigGenerator
|
|
@@ -86,6 +88,15 @@ class NSSGenerator(ConfigGenerator):
|
|
'DTLS1.2':'dtls1.2'
|
|
}
|
|
|
|
+ # Depends on a dict being ordered,
|
|
+ # impl. detail in CPython 3.6, guaranteed starting from Python 3.7.
|
|
+ sign_prefix_ordmap = {
|
|
+ 'RSA-PSS-':'RSA-PSS', # must come before RSA-
|
|
+ 'RSA-':'RSA-PKCS',
|
|
+ 'ECDSA-':'ECDSA',
|
|
+ 'DSA-':'DSA',
|
|
+ }
|
|
+
|
|
@classmethod
|
|
def generate_config(cls, policy):
|
|
p = policy.props
|
|
@@ -126,9 +137,14 @@ class NSSGenerator(ConfigGenerator):
|
|
except KeyError:
|
|
pass
|
|
|
|
- dsa = [i for i in p['sign'] if i.find('DSA-') == 0]
|
|
- if dsa:
|
|
- s = cls.append(s, 'DSA')
|
|
+ enabled_sigalgs = set()
|
|
+ for i in p['sign']:
|
|
+ for prefix, sigalg in cls.sign_prefix_ordmap.items():
|
|
+ if i.startswith(prefix):
|
|
+ if sigalg not in enabled_sigalgs:
|
|
+ enabled_sigalgs.add(sigalg)
|
|
+ s = cls.append(s, sigalg)
|
|
+ break # limit to first match
|
|
|
|
try:
|
|
minver = cls.protocol_map[p['min_tls_version']]
|
|
@@ -151,6 +167,20 @@ class NSSGenerator(ConfigGenerator):
|
|
|
|
@classmethod
|
|
def test_config(cls, config):
|
|
+ try:
|
|
+ nss_path = ctypes.util.find_library('nss3')
|
|
+ nss_lib = ctypes.CDLL(nss_path)
|
|
+ if not nss_lib.NSS_VersionCheck(b'3.60'):
|
|
+ # Cannot validate with pre-3.59 NSS
|
|
+ # that doesn't know ECDSA/RSA-PSS/RSA-PKCS
|
|
+ # identifiers yet.
|
|
+ # 3.60 because Fedora's 3.59 has that reverted
|
|
+ cls.eprint('Skipping nss-policy-check due to '
|
|
+ 'nss being older than 3.60')
|
|
+ return True
|
|
+ except AttributeError:
|
|
+ cls.eprint('Cannot determine nss version with ctypes')
|
|
+
|
|
if not os.access('/usr/bin/nss-policy-check', os.X_OK):
|
|
return True
|
|
|
|
diff --git a/tests/nss.py b/tests/nss.py
|
|
index 4d2cee1..a16d984 100755
|
|
--- a/tests/nss.py
|
|
+++ b/tests/nss.py
|
|
@@ -1,5 +1,7 @@
|
|
#!/usr/bin/python3
|
|
|
|
+import ctypes
|
|
+import ctypes.util
|
|
import glob
|
|
import os
|
|
import shutil
|
|
@@ -12,6 +14,19 @@ if shutil.which('nss-policy-check') is None:
|
|
sys.exit(0)
|
|
|
|
|
|
+# Cannot validate with pre-3.59 NSS that doesn't know ECDSA/RSA-PSS/RSA-PKCS
|
|
+# identifiers yet. Checking for 3.60 because Fedora has reverted the change.
|
|
+try:
|
|
+ nss = ctypes.CDLL(ctypes.util.find_library('nss3'))
|
|
+ if not nss.NSS_VersionCheck(b'3.60'):
|
|
+ print('Skipping nss-policy-check verification '
|
|
+ 'due to nss being older than 3.60', file=sys.stderr)
|
|
+ sys.exit(0)
|
|
+except AttributeError:
|
|
+ print('Cannot determine nss version with ctypes, hoping for >=3.59',
|
|
+ file=sys.stderr)
|
|
+
|
|
+
|
|
print('Checking the NSS configuration')
|
|
|
|
for policy_path in glob.glob('tests/outputs/*-nss.txt'):
|
|
diff --git a/tests/outputs/DEFAULT-nss.txt b/tests/outputs/DEFAULT-nss.txt
|
|
index 6a93308..500cd70 100644
|
|
--- a/tests/outputs/DEFAULT-nss.txt
|
|
+++ b/tests/outputs/DEFAULT-nss.txt
|
|
@@ -1,6 +1,6 @@
|
|
library=
|
|
name=Policy
|
|
NSS=flags=policyOnly,moduleDB
|
|
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
|
|
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
|
|
|
|
|
|
diff --git a/tests/outputs/FIPS-nss.txt b/tests/outputs/FIPS-nss.txt
|
|
index c9809b9..4fdf6bc 100644
|
|
--- a/tests/outputs/FIPS-nss.txt
|
|
+++ b/tests/outputs/FIPS-nss.txt
|
|
@@ -1,6 +1,6 @@
|
|
library=
|
|
name=Policy
|
|
NSS=flags=policyOnly,moduleDB
|
|
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
|
|
|
|
diff --git a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
|
|
index 78f4844..399bc5c 100644
|
|
--- a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
|
|
+++ b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
|
|
@@ -1,6 +1,6 @@
|
|
library=
|
|
name=Policy
|
|
NSS=flags=policyOnly,moduleDB
|
|
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
|
|
|
|
diff --git a/tests/outputs/FIPS:OSPP-nss.txt b/tests/outputs/FIPS:OSPP-nss.txt
|
|
index 0ca1ab0..d172a83 100644
|
|
--- a/tests/outputs/FIPS:OSPP-nss.txt
|
|
+++ b/tests/outputs/FIPS:OSPP-nss.txt
|
|
@@ -1,6 +1,6 @@
|
|
library=
|
|
name=Policy
|
|
NSS=flags=policyOnly,moduleDB
|
|
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
|
|
|
|
diff --git a/tests/outputs/FUTURE-nss.txt b/tests/outputs/FUTURE-nss.txt
|
|
index 23d1ce8..9cea0a4 100644
|
|
--- a/tests/outputs/FUTURE-nss.txt
|
|
+++ b/tests/outputs/FUTURE-nss.txt
|
|
@@ -1,6 +1,6 @@
|
|
library=
|
|
name=Policy
|
|
NSS=flags=policyOnly,moduleDB
|
|
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
|
|
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
|
|
|
|
|
|
diff --git a/tests/outputs/LEGACY-nss.txt b/tests/outputs/LEGACY-nss.txt
|
|
index e16b6ce..8bf8bd1 100644
|
|
--- a/tests/outputs/LEGACY-nss.txt
|
|
+++ b/tests/outputs/LEGACY-nss.txt
|
|
@@ -1,6 +1,6 @@
|
|
library=
|
|
name=Policy
|
|
NSS=flags=policyOnly,moduleDB
|
|
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
|
|
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
|
|
|
|
|
|
--
|
|
1.8.3.1
|
|
|