From f9298fff0f03b0d6a2d9422a4b937b1970dfd3ec Mon Sep 17 00:00:00 2001
From: yixiangzhike
Date: Wed, 3 Sep 2025 14:54:51 +0800
Subject: [PATCH] retire NSS_OLD and replace with NSS_LAX 3.80 check

(cherry picked from commit 5dbaef1cbdccf39056a0c9fb66b12129ac669bef)
---
 ...LD-and-replace-with-NSS_LAX-3.80-che.patch | 140 ++++++++++++++++++
 crypto-policies.spec | 11 +-
 2 files changed, 149 insertions(+), 2 deletions(-)
 create mode 100644 backport-nss-retire-NSS_OLD-and-replace-with-NSS_LAX-3.80-che.patch

diff --git a/backport-nss-retire-NSS_OLD-and-replace-with-NSS_LAX-3.80-che.patch b/backport-nss-retire-NSS_OLD-and-replace-with-NSS_LAX-3.80-che.patch
new file mode 100644
index 0000000..f10f3f5
--- /dev/null
+++ b/backport-nss-retire-NSS_OLD-and-replace-with-NSS_LAX-3.80-che.patch
@@ -0,0 +1,140 @@
+From d6a1cf34313a51734e19fac09339dd3c997432de Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin
+Date: Mon, 26 Jun 2023 13:25:00 +0200
+Subject: [PATCH] nss: retire NSS_OLD and replace with NSS_LAX 3.80 check
+
+---
+ python/policygenerators/nss.py | 45 +++++++++++++++-------------------
+ tests/nss.py | 34 ++++++++++++-------------
+ 2 files changed, 36 insertions(+), 43 deletions(-)
+
+diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py
+index f9d7dc4..8928ef8 100644
+--- a/python/policygenerators/nss.py
++++ b/python/policygenerators/nss.py
+@@ -170,47 +170,42 @@ class NSSGenerator(ConfigGenerator):
+
+ @classmethod
+ def test_config(cls, config):
+- old_nss = os.getenv('OLD_NSS', None)
++ nss_path = ctypes.util.find_library('nss3')
++ nss_lib = ctypes.CDLL(nss_path)
++
++ nss_lax = os.getenv('NSS_LAX', '0') == '1'
++ nss_is_lax_by_default = True
+ try:
+- nss_path = ctypes.util.find_library('nss3')
+- nss_lib = ctypes.CDLL(nss_path)
+- if not nss_lib.NSS_VersionCheck(b'3.65'):
+- # Cannot validate with pre-3.59 NSS
+- # that doesn't know ECDSA/RSA-PSS/RSA-PKCS/DSA
+- # identifiers yet.
+- # Fedora has them reverted even in F33's 3.65,
+- # the first one without a revert is F34's 3.65
+- cls.eprint('Working around nss-policy-check due to '
+- 'nss being older than 3.65')
+- old_nss = True
++ if not nss_lib.NSS_VersionCheck(b'3.80'):
++ # NSS older than 3.80 uses strict config checking.
++ # 3.80 and newer ignores new keywords by default
++ # and needs extra switches to be strict.
++ nss_is_lax_by_default = False
+ except AttributeError:
+- cls.eprint('Cannot determine nss version with ctypes')
+-
+- if not os.access('/usr/bin/nss-policy-check', os.X_OK):
+- return True
++ cls.eprint('Cannot determine nss version with ctypes, '
++ 'assuming >=3.80')
++ options = ('-f value -f identifier'
++ if nss_is_lax_by_default and not nss_lax else '')
+
+ fd, path = mkstemp()
+
+ ret = 255
+ try:
+ with os.fdopen(fd, 'w') as f:
+- f.write(config
+- if not old_nss else
+- config.replace(':ECDSA:', ':')
+- .replace(':RSA-PSS:', ':')
+- .replace(':RSA-PKCS:', ':')
+- .replace(':DSA:', ':'))
++ f.write(config)
+ try:
+- ret = call(f'/usr/bin/nss-policy-check {path} >/dev/null',
++ ret = call(f'/usr/bin/nss-policy-check {options} {path}'
++ '>/dev/null',
+ shell=True)
+ except CalledProcessError:
+ cls.eprint("/usr/bin/nss-policy-check: Execution failed")
+ finally:
+ os.unlink(path)
+
+- if ret == 2 and old_nss:
++ if ret == 2:
+ cls.eprint("There is a warning in NSS generated policy")
+- cls.eprint("Ignoring it because we're using old NSS")
++ cls.eprint(f'Policy:\n{config}')
++ return False
+ elif ret:
+ cls.eprint("There is an error in NSS generated policy")
+ cls.eprint(f'Policy:\n{config}')
+diff --git a/tests/nss.py b/tests/nss.py
+index d21faea..f30f48e 100755
+--- a/tests/nss.py
++++ b/tests/nss.py
+@@ -15,19 +15,22 @@ if shutil.which('nss-policy-check') is None:
+ sys.exit(0)
+
+
+-# Cannot validate with pre-3.59 NSS that doesn't know ECDSA/RSA-PSS/RSA-PKCS
+-# identifiers yet. Checking for 3.65 because Fedora keeps reverting the change.
+-# First one with unreverted is F34's 3.65 (but not F33's 3.65!)
+-old_nss = os.getenv('OLD_NSS', None)
++nss_path = ctypes.util.find_library('nss3')
++nss_lib = ctypes.CDLL(nss_path)
++
++nss_lax = os.getenv('NSS_LAX', '0') == '1'
++nss_is_lax_by_default = True
+ try:
+- nss = ctypes.CDLL(ctypes.util.find_library('nss3'))
+- if not nss.NSS_VersionCheck(b'3.65'):
+- print('Working around nss-policy-check verification '
+- 'due to nss being older than 3.65', file=sys.stderr)
+- old_nss = True
++ if not nss_lib.NSS_VersionCheck(b'3.80'):
++ # NSS older than 3.80 uses strict config checking.
++ # 3.80 and newer ignores new keywords by default
++ # and needs extra switches to be strict.
++ nss_is_lax_by_default = False
+ except AttributeError:
+- print('Cannot determine nss version with ctypes, hoping for >=3.59',
++ print('Cannot determine nss version with ctypes, assuming >=3.80',
+ file=sys.stderr)
++options = (['-f', 'value', '-f', 'identifier']
++ if nss_is_lax_by_default and not nss_lax else [])
+
+
+ print('Checking the NSS configuration')
+@@ -39,14 +42,9 @@ for policy_path in glob.glob('tests/outputs/*-nss.txt'):
+ with open(policy_path, encoding='utf-8') as pf:
+ config = pf.read()
+ with tempfile.NamedTemporaryFile('w', delete=False) as tf:
+- tf.write(config
+- if not old_nss else
+- config.replace(':ECDSA:', ':')
+- .replace(':RSA-PSS:', ':')
+- .replace(':RSA-PKCS:', ':')
+- .replace(':DSA:', ':'))
+-
+- with subprocess.Popen(['nss-policy-check', tf.name],
++ tf.write(config)
++
++ with subprocess.Popen(['nss-policy-check'] + options + [tf.name],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.STDOUT) as p:
+ output, _ = p.communicate()
+--
+2.43.0
+
diff --git a/crypto-policies.spec b/crypto-policies.spec
index 4094e3d..20bdc9e 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -4,7 +4,7 @@
 Name: crypto-policies
 Version: %{git_date}
-Release: 2.git%{git_commit_hash}
+Release: 3.git%{git_commit_hash}
 Summary: Crypto policies package for Fedora
 License: LGPLv2+
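Review bot: The `python/policygenerators/nss.py` hunk removes the `if not os.access('/usr/bin/nss-policy-check', os.X_OK): return True` guard, so on a host without the checker `call(..., shell=True)` now returns the shell's command-not-found status (127), which lands in the `elif ret:` branch and is reported as "There is an error in NSS generated policy" instead of the check being skipped; the spec's new `BuildRequires: nss-util` covers the build root, but `test_config` may also run outside it, and the function's return statements lie beyond the hunk. Keeping the guard, or mapping `ret == 127` to an explicit "checker unavailable" message, would preserve the old skip semantics. The same hunk builds `options` as a shell string and concatenates `'>/dev/null'` onto the f-string, while the `tests/nss.py` hunk builds an argv list; `call(['/usr/bin/nss-policy-check', *options.split(), path], stdout=...)` without `shell=True` would make the two consistent and keep the shell out of the path (and, assuming `call` is `subprocess.call`, the `except CalledProcessError` handler never fires, since only the `check_*` variants raise it). A short comment on the new flag would also help, e.g. `# NSS_LAX=1 opts out of the strict '-f value -f identifier' checks on NSS >= 3.80`.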
@@ -14,6 +14,8 @@ URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
 # directory.
 Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
+Patch1: backport-nss-retire-NSS_OLD-and-replace-with-NSS_LAX-3.80-che.patch
+
 BuildArch: noarch
 BuildRequires: asciidoc
 BuildRequires: libxslt
@@ -27,6 +29,8 @@ BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
 BuildRequires: perl(File::Which)
 BuildRequires: python3-devel
 BuildRequires: openssh-clients
+# for /usr/bin/nss-policy-check
+BuildRequires: nss-util
 Conflicts: openssl-libs < 3.0.2
 Conflicts: openssh < 9.0p1
@@ -175,6 +179,9 @@ make check %{?_smp_mflags}
 %license COPYING.LESSER
 %changelog
+* Wed Sep 3 2025 yixiangzhike - 20230614-3.git5f3458e
+- retire NSS_OLD and replace with NSS_LAX 3.80 check
+
 * Thu Mar 21 2024 duyiwei - 20230614-2.git5f3458e
 - package pruning to minimize dependencies
@@ -453,4 +460,4 @@ make check %{?_smp_mflags}
 - Updated spec based on comments by Petr Lautrbach.
 * Mon May 19 2014 Nikos Mavrogiannopoulos - 0.9-1-20140519gitf15621a
-- Initial package build
\ No newline at end of file
+- Initial package build
-- Gitee
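Review bot: `Patch1:` is declared in the `@@ -14,6 +14,8 @@` hunk, but `%prep` is outside this diff, so it is not visible whether the patch is actually applied (`%autosetup -p1` picks up numbered patches automatically; a plain `%setup` needs an explicit `%patch1 -p1`); please confirm, since an unapplied patch leaves the changelog describing a change that never reaches the built package. The `@@ -27,6 +29,8 @@` hunk adds `BuildRequires: nss-util` with the comment `# for /usr/bin/nss-policy-check`; verify that this package really ships the binary on the target distribution, as some distributions package nss-policy-check with the NSS command-line tools rather than with the util library. Note that the backported `tests/nss.py` still exits 0 when `shutil.which('nss-policy-check')` is None, whereas the generator's `test_config` no longer skips, so a wrong BuildRequires would likely surface as a reported policy error rather than a skipped test.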