Bug 1954343

Summary: update-crypto-policies does not respect pre-generated policy when local.d policy exists
Product: Red Hat Enterprise Linux 8
Reporter: James Ralston <ralston>
Component: crypto-policies
Assignee: Alexander Sosedkin <asosedki>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: unspecified
Priority: medium
Version: 8.3
CC: jcsible, omoris, pvrabec
Target Milestone: beta
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: crypto-policies-20210617-1.gitc776d3e.el8
Doc Type: No Doc Update
Last Closed: 2021-11-09 19:51:36 UTC
Type: Bug

Description James Ralston 2021-04-27 23:09:36 UTC
We maintain our own pre-generated crypto-policies policies in /usr/share/crypto-policies/PUPPET:

$ ls -lsa /usr/share/crypto-policies/PUPPET
total 48
0 drwxr-xr-x.  2 root root  229 Apr 27 17:24 ./
0 drwxr-xr-x. 11 root root  179 Apr  9 13:08 ../
4 -rw-r--r--.  1 root root  124 May  4  2020 bind.txt
4 -rw-r--r--.  1 root root  171 Mar  2 20:28 gnutls.txt
4 -rw-r--r--.  1 root root  401 May  4  2020 java.txt
4 -rw-r--r--.  1 root root  400 May  4  2020 krb5.txt
4 -rw-r--r--.  1 root root  216 May  4  2020 libreswan.txt
4 -rw-r--r--.  1 root root  926 Oct 26  2020 libssh.txt
4 -rw-r--r--.  1 root root  363 Oct 26  2020 nss.txt
4 -rw-r--r--.  1 root root 1197 Oct 26  2020 opensshserver.txt
4 -rw-r--r--.  1 root root  984 Oct 26  2020 openssh.txt
4 -rw-r--r--.  1 root root  318 Mar  2 20:51 opensslcnf.txt
4 -rw-r--r--.  1 root root  196 Mar  2 20:51 openssl.txt
4 -rw-r--r--.  1 root root  353 May  4  2020 README.txt

Per BZ#1829669, we tell update-crypto-policies to use our pre-generated policy files by creating an empty /etc/crypto-policies/policies/PUPPET.pol file:

$ cat /etc/crypto-policies/policies/PUPPET.pol
#
# This file is maintained by the Puppet crypto_policies module.
#
# This system has a recent crypto-policies package that wants to use policy
# files, but the policy file language is completely inadequate for the level of
# granularity we need.
#
# Per BZ#1829669, the way to get recent crypto-policies packages to use our
# pre-constructed back-ends is to drop an empty policy file that matches the name
# of the policy file that we want.
#
# So, we maintain an empty PUPPET.pol module so that update-crypto-policies(8)
# will use our pre-generated /usr/share/crypto-policies/PUPPET back-ends.
#

This has worked successfully:

$ update-crypto-policies --set PUPPET
Setting system policy to PUPPET
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

$ ls -lsa /etc/crypto-policies/back-ends
total 4
0 drwxr-xr-x. 2 root root 244 Apr 27 18:17 ./
0 drwxr-xr-x. 6 root root  81 Apr 27 18:17 ../
0 lrwxrwxrwx. 1 root root  42 Apr 27 18:17 bind.config -> /usr/share/crypto-policies/PUPPET/bind.txt
0 lrwxrwxrwx. 1 root root  44 Apr 27 18:17 gnutls.config -> /usr/share/crypto-policies/PUPPET/gnutls.txt
0 lrwxrwxrwx. 1 root root  42 Apr 27 18:17 java.config -> /usr/share/crypto-policies/PUPPET/java.txt
0 lrwxrwxrwx. 1 root root  42 Apr 27 18:17 krb5.config -> /usr/share/crypto-policies/PUPPET/krb5.txt
0 lrwxrwxrwx. 1 root root  47 Apr 27 18:17 libreswan.config -> /usr/share/crypto-policies/PUPPET/libreswan.txt
0 lrwxrwxrwx. 1 root root  44 Apr 27 18:17 libssh.config -> /usr/share/crypto-policies/PUPPET/libssh.txt
4 -rw-r--r--. 1 root root 193 Apr 27 18:17 nss.config
0 lrwxrwxrwx. 1 root root  45 Apr 27 18:17 openssh.config -> /usr/share/crypto-policies/PUPPET/openssh.txt
0 lrwxrwxrwx. 1 root root  51 Apr 27 18:17 opensshserver.config -> /usr/share/crypto-policies/PUPPET/opensshserver.txt
0 lrwxrwxrwx. 1 root root  48 Apr 27 18:17 opensslcnf.config -> /usr/share/crypto-policies/PUPPET/opensslcnf.txt
0 lrwxrwxrwx. 1 root root  45 Apr 27 18:17 openssl.config -> /usr/share/crypto-policies/PUPPET/openssl.txt

However, nss.config is not a symbolic link, because the nss package drops the /etc/crypto-policies/local.d/nss-p11-kit.config file, which contributes additional configuration for the /etc/crypto-policies/back-ends/nss.config file:

$ rpm -qf /etc/crypto-policies/local.d/nss-p11-kit.config
nss-3.53.1-17.el8_3.x86_64

$ cat /etc/crypto-policies/local.d/nss-p11-kit.config | sed -e 's/^$/# BLANK LINE/g'
name=p11-kit-proxy
library=p11-kit-proxy.so
# BLANK LINE
# BLANK LINE

With crypto-policies-20190807-1.git9b1477b.el8, which used only the pregenerated policy files in /usr/share/crypto-policies, running "update-crypto-policies --set PUPPET" would correctly produce the /etc/crypto-policies/back-ends/nss.config file from the /usr/share/crypto-policies/PUPPET/nss.txt file and the /etc/crypto-policies/local.d/nss-p11-kit.config file:

$ rpm -q crypto-policies
crypto-policies-20190807-1.git9b1477b.el8.noarch

$ update-crypto-policies --set PUPPET
Setting system policy to PUPPET
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

$ diff -U 3 /usr/share/crypto-policies/PUPPET/nss.txt /etc/crypto-policies/back-ends/nss.config
--- /usr/share/crypto-policies/PUPPET/nss.txt   2020-10-26 17:40:15.905317013 -0400
+++ /etc/crypto-policies/back-ends/nss.config   2021-04-27 18:31:49.582190548 -0400
@@ -4,3 +4,7 @@
 config="disallow=ALL allow=CURVE25519:SECP521R1:SECP384R1:SECP256R1:SHA512:SHA384:SHA256:HMAC-SHA512:HMAC-SHA384:HMAC-SHA256:HMAC-SHA1:AES256-GCM:AES192-GCM:AES128-GCM:AES256-CBC:AES192-CBC:AES128-CBC:ECDHE-ECDSA:ECDHE-RSA:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048:TLS-VERSION-MIN=tls1.0:DTLS-VERSION-MIN=dtls1.2"
 
 
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+

But moving to crypto-policies-20191128-2.git23e1bf1.el8, "update-crypto-policies --set PUPPET" produces a mangled /etc/crypto-policies/back-ends/nss.config file:

$ rpm -q crypto-policies
crypto-policies-20191128-2.git23e1bf1.el8.noarch

$ update-crypto-policies --set PUPPET
Setting system policy to PUPPET
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

$ --- /usr/share/crypto-policies/PUPPET/nss.txt   2020-10-26 17:40:15.905317013 -0400
+++ /etc/crypto-policies/back-ends/nss.config   2021-04-27 18:36:10.242807326 -0400
@@ -1,6 +1,10 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=CURVE25519:SECP521R1:SECP384R1:SECP256R1:SHA512:SHA384:SHA256:HMAC-SHA512:HMAC-SHA384:HMAC-SHA256:HMAC-SHA1:AES256-GCM:AES192-GCM:AES128-GCM:AES256-CBC:AES192-CBC:AES128-CBC:ECDHE-ECDSA:ECDHE-RSA:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048:TLS-VERSION-MIN=tls1.0:DTLS-VERSION-MIN=dtls1.2"
+config="disallow=ALL allow=tls-version-min=0:dtls-version-min=0:DH-MIN=0:DSA-MIN=0:RSA-MIN=0"
+
+
+name=p11-kit-proxy
+library=p11-kit-proxy.so
 
 
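Review bot: the `+config=` line in this hunk keeps `disallow=ALL` but its allow list names no cipher, hash, curve or key exchange at all, only `tls-version-min=0:dtls-version-min=0:DH-MIN=0:DSA-MIN=0:RSA-MIN=0`, so the resulting NSS policy permits nothing; that is consistent with Firefox failing with SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM and confirms the line was generated rather than taken from the `-config=` line of PUPPET/nss.txt, which carries the full allow list and the TLS-VERSION-MIN=tls1.0 floor. The appended `+name=p11-kit-proxy` / `+library=p11-kit-proxy.so` lines show the local.d drop-in itself was handled correctly, so the defect is confined to how the base back-end content is chosen when a drop-in exists.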

Note that the "config=" line is *not* the contents of /usr/share/crypto-policies/PUPPET/nss.txt.

We finally noticed this because we noticed that recently, whenever the PUPPET policy is in effect, Firefox is completely broken: it fails connecting to all sites with an SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM error code.

What we suspect happened is that the "config=" line has been broken since crypto-policies-20191128-2.git23e1bf1.el8, but older versions of Firefox tolerated the broken configuration (perhaps falling back to a sane default configuration?), while a recent Firefox update caused Firefox to stop tolerating the broken config= line and simply fail entirely.

For now, we can work around this bug by having Puppet detect whenever the contents of /etc/crypto-policies/back-ends/nss.config differs from the contents produced by concatenating the /usr/share/crypto-policies/PUPPET/nss.txt and /etc/crypto-policies/local.d/nss-p11-kit.config files (in that order), and take corrective action.

But this is a bug that should be fixed: if a system administrator has indicated (via an empty /etc/crypto-policies/policies/POLICYNAME.pol file) that POLICYNAME is provided pre-generated in /usr/share/crypto-policies/POLICYNAME, then update-crypto-policies *must* use the pre-generated policy files in /usr/share/crypto-policies/POLICYNAME, even for policy modules where the presence of /etc/crypto-policies/local.d/*.config files requires update-crypto-policies to construct /etc/crypto-policies/back-ends/*.config files instead of simply creating symbolic links to the corresponding files in /usr/share/crypto-policies/POLICYNAME.
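The drift check that the description says Puppet performs as a workaround (recompute what back-ends/nss.config should contain from PUPPET/nss.txt followed by the local.d drop-in, and compare it with the installed file), written out as an added example. This is not code from the bug report, from the reporter's Puppet module, or from crypto-policies. It assumes that a local.d drop-in applies to the back-end named by its prefix (nss-p11-kit.config contributes to nss.config, as the report shows) and that drop-ins are appended after the pre-generated file; directory paths are parameters so the check can be exercised against a constructed scratch tree.

```shell
#!/bin/sh
# Added example, not part of the bug report or of crypto-policies itself:
# recompute the expected contents of back-ends/<backend>.config and compare
# with what is installed, so a generated file that did not come from the
# pre-generated policy directory is detected. Assumption: local.d drop-ins
# are named <backend>-*.config and are appended after the pre-generated file.

# expected_backend POLICYDIR LOCALD BACKEND
#   Print the expected contents of back-ends/BACKEND.config.
expected_backend() {
    policydir=$1; locald=$2; backend=$3
    cat "$policydir/$backend.txt"
    for f in "$locald/$backend"-*.config; do
        # an unmatched glob leaves the pattern itself behind; skip it
        if [ -f "$f" ]; then cat "$f"; fi
    done
}

# check_backend POLICYDIR LOCALD BACKENDSDIR BACKEND
#   Exit status 0 when the installed file matches, 1 when it has drifted.
check_backend() {
    policydir=$1; locald=$2; backendsdir=$3; backend=$4
    expected_backend "$policydir" "$locald" "$backend" \
        | cmp -s - "$backendsdir/$backend.config"
}

# demo_tree DIR
#   Build a constructed scratch tree: a pre-generated nss.txt, one local.d
#   drop-in, a correctly assembled back-end (good/) and a mangled one (bad/)
#   whose config= line does not come from nss.txt, as in the report.
demo_tree() {
    dir=$1
    mkdir -p "$dir/PUPPET" "$dir/local.d" "$dir/good" "$dir/bad"
    printf 'library=\nname=Policy\nNSS=flags=policyOnly,moduleDB\nconfig="disallow=ALL allow=AES256-GCM:SHA256"\n' \
        > "$dir/PUPPET/nss.txt"
    printf 'name=p11-kit-proxy\nlibrary=p11-kit-proxy.so\n' \
        > "$dir/local.d/nss-p11-kit.config"
    cat "$dir/PUPPET/nss.txt" "$dir/local.d/nss-p11-kit.config" > "$dir/good/nss.config"
    sed 's/^config=.*/config="disallow=ALL allow=tls-version-min=0"/' \
        "$dir/good/nss.config" > "$dir/bad/nss.config"
}

# Stand-alone run: report both constructed trees, then clean up.
scratch=$(mktemp -d)
demo_tree "$scratch"
for tree in good bad; do
    if check_backend "$scratch/PUPPET" "$scratch/local.d" "$scratch/$tree" nss; then
        echo "$tree/nss.config: matches pre-generated policy + local.d"
    else
        echo "$tree/nss.config: DRIFT, regenerate with update-crypto-policies"
    fi
done
rm -rf "$scratch"
```

On a real host the same check is `check_backend /usr/share/crypto-policies/PUPPET /etc/crypto-policies/local.d /etc/crypto-policies/back-ends nss`; a non-zero status is the signal for the configuration-management run to rewrite the file or re-run update-crypto-policies. Comparing whole-file contents rather than just the config= line also catches a missing or reordered drop-in.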

Comment 7 errata-xmlrpc 2021-11-09 19:51:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4460