File _service:tar_scm:backport-policygenerators-nss-output-sigalgs-nss-3-59.patch of Package crypto-policies
From b21c8114995e07965c2ccde5f5767d0618d854bf Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 18 Jan 2021 17:58:45 +0100
Subject: [PATCH] policygenerators/nss: output sigalgs (nss >=3.59)

Actually, checking for 3.60 because Fedora has reverted the change.
---
 python/policygenerators/nss.py | 36 ++++++++++++++++++++++++++++++++---
 tests/nss.py | 15 +++++++++++++++
 tests/outputs/DEFAULT-nss.txt | 2 +-
 tests/outputs/FIPS-nss.txt | 2 +-
 tests/outputs/FIPS:ECDHE-ONLY-nss.txt | 2 +-
 tests/outputs/FIPS:OSPP-nss.txt | 2 +-
 tests/outputs/FUTURE-nss.txt | 2 +-
 tests/outputs/LEGACY-nss.txt | 2 +-
 9 files changed, 55 insertions(+), 10 deletions(-)

diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py
index ee10025..00935a2 100644
--- a/python/policygenerators/nss.py
+++ b/python/policygenerators/nss.py
@@ -6,6 +6,8 @@ from subprocess import call, CalledProcessError
 from tempfile import mkstemp
+import ctypes
+import ctypes.util
 import os
 from .configgenerator import ConfigGenerator
@@ -86,6 +88,15 @@ class NSSGenerator(ConfigGenerator):
         'DTLS1.2':'dtls1.2'
     }
+    # Depends on a dict being ordered,
+    # impl. detail in CPython 3.6, guaranteed starting from Python 3.7.
+    sign_prefix_ordmap = {
+        'RSA-PSS-':'RSA-PSS', # must come before RSA-
+        'RSA-':'RSA-PKCS',
+        'ECDSA-':'ECDSA',
+        'DSA-':'DSA',
+    }
+
     @classmethod
     def generate_config(cls, policy):
         p = policy.props
@@ -126,9 +137,14 @@ class NSSGenerator(ConfigGenerator):
         except KeyError:
             pass
-        dsa = [i for i in p['sign'] if i.find('DSA-') == 0]
-        if dsa:
-            s = cls.append(s, 'DSA')
+        enabled_sigalgs = set()
+        for i in p['sign']:
+            for prefix, sigalg in cls.sign_prefix_ordmap.items():
+                if i.startswith(prefix):
+                    if sigalg not in enabled_sigalgs:
+                        enabled_sigalgs.add(sigalg)
+                        s = cls.append(s, sigalg)
+                    break # limit to first match
         try:
             minver = cls.protocol_map[p['min_tls_version']]
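Review bot: The comment on `sign_prefix_ordmap` documents a dependency on dict insertion order that the data structure does not need; a tuple of pairs expresses the precedence directly and drops the CPython-version caveat, e.g. `sign_prefix_ordmap = (('RSA-PSS-', 'RSA-PSS'),  # must come before RSA-` followed by the remaining three pairs and a closing `)`. The consumer in the later `generate_config` hunk would then iterate it as `for prefix, sigalg in cls.sign_prefix_ordmap:` instead of calling `.items()`, so the two hunks would change together. Nothing else reads the attribute within this patch, but callers outside it, if any, are not visible here.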
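Review bot: The new loop in `generate_config` has two properties a reader will not get from the code alone and that the expected outputs depend on, so they deserve a comment above `enabled_sigalgs = set()`: the emitted order follows `p['sign']`, the map only settles which prefix wins for a given entry, and a `sign` entry that matches none of the prefixes contributes nothing (there is no `else` branch). Suggested wording: `# Output order follows p['sign']; the map only decides prefix precedence.` and `# Entries matching no prefix are dropped silently.` The LEGACY fixture shows the first point, where `DSA` lands after `RSA-PKCS` because of the policy's own sign order. `generate_config` begins before this hunk and continues past it.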
@@ -151,6 +167,20 @@ class NSSGenerator(ConfigGenerator):
     @classmethod
     def test_config(cls, config):
+        try:
+            nss_path = ctypes.util.find_library('nss3')
+            nss_lib = ctypes.CDLL(nss_path)
+            if not nss_lib.NSS_VersionCheck(b'3.60'):
+                # Cannot validate with pre-3.59 NSS
+                # that doesn't know ECDSA/RSA-PSS/RSA-PKCS
+                # identifiers yet.
+                # 3.60 because Fedora's 3.59 has that reverted
+                cls.eprint('Skipping nss-policy-check due to ' 'nss being older than 3.60')
+                return True
+        except AttributeError:
+            cls.eprint('Cannot determine nss version with ctypes')
+
         if not os.access('/usr/bin/nss-policy-check', os.X_OK):
             return True
diff --git a/tests/nss.py b/tests/nss.py
index 4d2cee1..a16d984 100755
--- a/tests/nss.py
+++ b/tests/nss.py
@@ -1,5 +1,7 @@
 #!/usr/bin/python3
+import ctypes
+import ctypes.util
 import glob
 import os
 import shutil
@@ -12,6 +14,19 @@ if shutil.which('nss-policy-check') is None:
     sys.exit(0)
+# Cannot validate with pre-3.59 NSS that doesn't know ECDSA/RSA-PSS/RSA-PKCS
+# identifiers yet. Checking for 3.60 because Fedora has reverted the change.
+try:
+    nss = ctypes.CDLL(ctypes.util.find_library('nss3'))
+    if not nss.NSS_VersionCheck(b'3.60'):
+        print('Skipping nss-policy-check verification ' 'due to nss being older than 3.60', file=sys.stderr)
+        sys.exit(0)
+except AttributeError:
+    print('Cannot determine nss version with ctypes, hoping for >=3.59', file=sys.stderr)
+
+
 print('Checking the NSS configuration')
 for policy_path in glob.glob('tests/outputs/*-nss.txt'):
diff --git a/tests/outputs/DEFAULT-nss.txt b/tests/outputs/DEFAULT-nss.txt
index 6a93308..500cd70 100644
--- a/tests/outputs/DEFAULT-nss.txt
+++ b/tests/outputs/DEFAULT-nss.txt
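Review bot: The version probe in `test_config` catches only `AttributeError`, but `ctypes.CDLL(nss_path)` raises `OSError` when a library that `find_library` did locate fails to load, and that would abort the config test instead of falling back to running nss-policy-check; `except (AttributeError, OSError):` covers both paths, and the same applies to the `try` block in the tests/nss.py hunk below. When `find_library` returns `None`, `ctypes.CDLL(None)` on Linux hands back the running process's own handle rather than failing, so the fallback is reached only because the symbol lookup then happens to raise; an explicit `if nss_path is None:` before the load would make that decision deliberate rather than incidental. The early `return True` also means that on NSS older than 3.60 the generated policy, which now carries `ECDSA`, `RSA-PSS` and `RSA-PKCS`, is reported as valid without any validation, and whether such an NSS ignores unknown identifiers or rejects the policy is not shown here; the skip comment should say that the identifiers are still emitted unvalidated in that case. `test_config` continues past the end of this hunk.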
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
diff --git a/tests/outputs/FIPS-nss.txt b/tests/outputs/FIPS-nss.txt
index c9809b9..4fdf6bc 100644
--- a/tests/outputs/FIPS-nss.txt
+++ b/tests/outputs/FIPS-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff --git a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
index 78f4844..399bc5c 100644
--- a/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
+++ b/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff --git a/tests/outputs/FIPS:OSPP-nss.txt b/tests/outputs/FIPS:OSPP-nss.txt
index 0ca1ab0..d172a83 100644
--- a/tests/outputs/FIPS:OSPP-nss.txt
+++ b/tests/outputs/FIPS:OSPP-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff --git a/tests/outputs/FUTURE-nss.txt b/tests/outputs/FUTURE-nss.txt
index 23d1ce8..9cea0a4 100644
--- a/tests/outputs/FUTURE-nss.txt
+++ b/tests/outputs/FUTURE-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
diff --git a/tests/outputs/LEGACY-nss.txt b/tests/outputs/LEGACY-nss.txt
index e16b6ce..8bf8bd1 100644
--- a/tests/outputs/LEGACY-nss.txt
+++ b/tests/outputs/LEGACY-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
-- 
1.8.3.1