Bug 1954343 - update-crypto-policies does not respect pre-generated policy when local.d policy exists
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: crypto-policies
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: beta
Target Release: ---
Assignee: Alexander Sosedkin
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-27 23:09 UTC by James Ralston
Modified: 2021-11-10 09:29 UTC

Fixed In Version: crypto-policies-20210617-1.gitc776d3e.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 19:51:36 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links:
Gitlab redhat-crypto/fedora-crypto-policies merge request 95 (last updated 2021-05-15 11:12:51 UTC)
Red Hat Product Errata RHBA-2021:4460 (last updated 2021-11-09 19:51:46 UTC)

Description James Ralston 2021-04-27 23:09:36 UTC
We maintain our own pre-generated crypto-policies policies in /usr/share/crypto-policies/PUPPET:

$ ls -lsa /usr/share/crypto-policies/PUPPET
total 48
0 drwxr-xr-x.  2 root root  229 Apr 27 17:24 ./
0 drwxr-xr-x. 11 root root  179 Apr  9 13:08 ../
4 -rw-r--r--.  1 root root  124 May  4  2020 bind.txt
4 -rw-r--r--.  1 root root  171 Mar  2 20:28 gnutls.txt
4 -rw-r--r--.  1 root root  401 May  4  2020 java.txt
4 -rw-r--r--.  1 root root  400 May  4  2020 krb5.txt
4 -rw-r--r--.  1 root root  216 May  4  2020 libreswan.txt
4 -rw-r--r--.  1 root root  926 Oct 26  2020 libssh.txt
4 -rw-r--r--.  1 root root  363 Oct 26  2020 nss.txt
4 -rw-r--r--.  1 root root 1197 Oct 26  2020 opensshserver.txt
4 -rw-r--r--.  1 root root  984 Oct 26  2020 openssh.txt
4 -rw-r--r--.  1 root root  318 Mar  2 20:51 opensslcnf.txt
4 -rw-r--r--.  1 root root  196 Mar  2 20:51 openssl.txt
4 -rw-r--r--.  1 root root  353 May  4  2020 README.txt

Per BZ#1829669, we tell update-crypto-policies to use our pre-generated policy files by creating an empty /etc/crypto-policies/policies/PUPPET.pol file:

$ cat /etc/crypto-policies/policies/PUPPET.pol
#
# This file is maintained by the Puppet crypto_policies module.
#
# This system has a recent crypto-policies package that wants to use policy
# files, but the policy file language is completely inadequate for the level of
# granularity we need.
#
# Per BZ#1829669, the way to get recent crypto-policies packages to use our
# pre-constructed back-ends is to drop an empty policy file that matches the name
# of the policy file that we want.
#
# So, we maintain an empty PUPPET.pol module so that update-crypto-policies(8)
# will use our pre-generated /usr/share/crypto-policies/PUPPET back-ends.
#

This has worked successfully:

$ update-crypto-policies --set PUPPET
Setting system policy to PUPPET
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

$ ls -lsa /etc/crypto-policies/back-ends
total 4
0 drwxr-xr-x. 2 root root 244 Apr 27 18:17 ./
0 drwxr-xr-x. 6 root root  81 Apr 27 18:17 ../
0 lrwxrwxrwx. 1 root root  42 Apr 27 18:17 bind.config -> /usr/share/crypto-policies/PUPPET/bind.txt
0 lrwxrwxrwx. 1 root root  44 Apr 27 18:17 gnutls.config -> /usr/share/crypto-policies/PUPPET/gnutls.txt
0 lrwxrwxrwx. 1 root root  42 Apr 27 18:17 java.config -> /usr/share/crypto-policies/PUPPET/java.txt
0 lrwxrwxrwx. 1 root root  42 Apr 27 18:17 krb5.config -> /usr/share/crypto-policies/PUPPET/krb5.txt
0 lrwxrwxrwx. 1 root root  47 Apr 27 18:17 libreswan.config -> /usr/share/crypto-policies/PUPPET/libreswan.txt
0 lrwxrwxrwx. 1 root root  44 Apr 27 18:17 libssh.config -> /usr/share/crypto-policies/PUPPET/libssh.txt
4 -rw-r--r--. 1 root root 193 Apr 27 18:17 nss.config
0 lrwxrwxrwx. 1 root root  45 Apr 27 18:17 openssh.config -> /usr/share/crypto-policies/PUPPET/openssh.txt
0 lrwxrwxrwx. 1 root root  51 Apr 27 18:17 opensshserver.config -> /usr/share/crypto-policies/PUPPET/opensshserver.txt
0 lrwxrwxrwx. 1 root root  48 Apr 27 18:17 opensslcnf.config -> /usr/share/crypto-policies/PUPPET/opensslcnf.txt
0 lrwxrwxrwx. 1 root root  45 Apr 27 18:17 openssl.config -> /usr/share/crypto-policies/PUPPET/openssl.txt

However, nss.config is not a symbolic link, because the nss package drops the /etc/crypto-policies/local.d/nss-p11-kit.config file, which contributes additional configuration for the /etc/crypto-policies/back-ends/nss.config file:

$ rpm -qf /etc/crypto-policies/local.d/nss-p11-kit.config
nss-3.53.1-17.el8_3.x86_64

$ cat /etc/crypto-policies/local.d/nss-p11-kit.config | sed -e 's/^$/# BLANK LINE/g'
name=p11-kit-proxy
library=p11-kit-proxy.so
# BLANK LINE
# BLANK LINE

With crypto-policies-20190807-1.git9b1477b.el8, which used only the pregenerated policy files in /usr/share/crypto-policies, running "update-crypto-policies --set PUPPET" would correctly produce the /etc/crypto-policies/back-ends/nss.config file from the /usr/share/crypto-policies/PUPPET/nss.txt file and the /etc/crypto-policies/local.d/nss-p11-kit.config file:

$ rpm -q crypto-policies
crypto-policies-20190807-1.git9b1477b.el8.noarch

$ update-crypto-policies --set PUPPET
Setting system policy to PUPPET
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

$ diff -U 3 /usr/share/crypto-policies/PUPPET/nss.txt /etc/crypto-policies/back-ends/nss.config
--- /usr/share/crypto-policies/PUPPET/nss.txt   2020-10-26 17:40:15.905317013 -0400
+++ /etc/crypto-policies/back-ends/nss.config   2021-04-27 18:31:49.582190548 -0400
@@ -4,3 +4,7 @@
 config="disallow=ALL allow=CURVE25519:SECP521R1:SECP384R1:SECP256R1:SHA512:SHA384:SHA256:HMAC-SHA512:HMAC-SHA384:HMAC-SHA256:HMAC-SHA1:AES256-GCM:AES192-GCM:AES128-GCM:AES256-CBC:AES192-CBC:AES128-CBC:ECDHE-ECDSA:ECDHE-RSA:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048:TLS-VERSION-MIN=tls1.0:DTLS-VERSION-MIN=dtls1.2"
 
 
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+

But moving to crypto-policies-20191128-2.git23e1bf1.el8, "update-crypto-policies --set PUPPET" produces a mangled /etc/crypto-policies/back-ends/nss.config file:

$ rpm -q crypto-policies
crypto-policies-20191128-2.git23e1bf1.el8.noarch

$ update-crypto-policies --set PUPPET
Setting system policy to PUPPET
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

$ --- /usr/share/crypto-policies/PUPPET/nss.txt   2020-10-26 17:40:15.905317013 -0400
+++ /etc/crypto-policies/back-ends/nss.config   2021-04-27 18:36:10.242807326 -0400
@@ -1,6 +1,10 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=CURVE25519:SECP521R1:SECP384R1:SECP256R1:SHA512:SHA384:SHA256:HMAC-SHA512:HMAC-SHA384:HMAC-SHA256:HMAC-SHA1:AES256-GCM:AES192-GCM:AES128-GCM:AES256-CBC:AES192-CBC:AES128-CBC:ECDHE-ECDSA:ECDHE-RSA:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048:TLS-VERSION-MIN=tls1.0:DTLS-VERSION-MIN=dtls1.2"
+config="disallow=ALL allow=tls-version-min=0:dtls-version-min=0:DH-MIN=0:DSA-MIN=0:RSA-MIN=0"
+
+
+name=p11-kit-proxy
+library=p11-kit-proxy.so
 
 
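Review bot: the regenerated config= line in this hunk ("disallow=ALL allow=tls-version-min=0:dtls-version-min=0:DH-MIN=0:DSA-MIN=0:RSA-MIN=0") names no hash, cipher, curve or key-exchange algorithm at all, so after disallow=ALL nothing but the zeroed minimums is permitted. That is consistent with the back-end having been generated from the empty /etc/crypto-policies/policies/PUPPET.pol rather than taken from /usr/share/crypto-policies/PUPPET/nss.txt, and a policy that allows no signature algorithm is exactly what would produce the SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM failure described in this report. The place to look is the code path that builds back-ends/*.config when local.d drop-ins exist: it should read the pre-generated <policy>/<backend>.txt before falling back to generating from the .pol file, as the symlink path in the first listing already does.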

Note that the "config=" line is *not* the contents of /usr/share/crypto-policies/PUPPET/nss.txt.

We finally noticed this because we noticed that recently, whenever the PUPPET policy is in effect, Firefox is completely broken: it fails connecting to all sites with an SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM error code.

What we suspect happened is that the "config=" line has been broken since crypto-policies-20191128-2.git23e1bf1.el8, but older versions of Firefox tolerated the broken configuration (perhaps falling back to a sane default configuration?), while a recent Firefox update caused Firefox to stop tolerating the broken config= line and simply fail entirely.

For now, we can work around this bug by having Puppet detect whenever the contents of /etc/crypto-policies/back-ends/nss.config differs from the contents produced by concatenating the /usr/share/crypto-policies/PUPPET/nss.txt and /etc/crypto-policies/local.d/nss-p11-kit.config files (in that order), and take corrective action.

But this is a bug that should be fixed: if a system administrator has indicated (via an empty /etc/crypto-policies/policies/POLICYNAME.pol file) that POLICYNAME is provided pre-generated in /usr/share/crypto-policies/POLICYNAME, then update-crypto-policies *must* use the pre-generated policy files in /usr/share/crypto-policies/POLICYNAME, even for policy modules where the presence of /etc/crypto-policies/local.d/*.config files requires update-crypto-policies to construct /etc/crypto-policies/back-ends/*.config files instead of simply creating symbolic links to the corresponding files in /usr/share/crypto-policies/POLICYNAME.

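The drift check the reporter describes as a Puppet workaround (compare back-ends/nss.config against the pre-generated nss.txt followed by the local.d drop-in) written as a stand-alone POSIX shell script. This is an added example, not the reporter's Puppet code and not part of the crypto-policies package. It assumes that the local.d files feeding a back-end are named <backend>-*.config, which generalises the single nss-p11-kit.config -> nss.config case shown above, and every function takes the tree root as its first argument so that the check can be exercised on a constructed directory tree instead of /etc.

```shell
#!/bin/sh
# Added example: verify that an /etc/crypto-policies/back-ends/<backend>.config
# still matches what a pre-generated policy should yield, namely
# /usr/share/crypto-policies/<policy>/<backend>.txt followed by every
# /etc/crypto-policies/local.d/<backend>-*.config drop-in, in that order.
# The <backend>-*.config naming is an assumption generalised from the
# nss-p11-kit.config -> nss.config case in the report. Every function takes
# the tree root as its first argument so the check can run on a test tree.

# Print the content a correctly regenerated back-end file should have.
expected_backend() {
    root=$1 policy=$2 backend=$3
    cat "$root/usr/share/crypto-policies/$policy/$backend.txt"
    for f in "$root/etc/crypto-policies/local.d/$backend"-*.config; do
        [ -e "$f" ] && cat "$f"
    done
    return 0
}

# 0 if the back-end matches the expected content, 1 if it is missing or drifted
# (for example regenerated from an empty .pol file instead of the .txt file).
check_backend() {
    root=$1 policy=$2 backend=$3
    actual="$root/etc/crypto-policies/back-ends/$backend.config"
    [ -r "$actual" ] || return 1
    expected_backend "$root" "$policy" "$backend" | cmp -s - "$actual"
}

# Build a constructed tree (sample data, not copied from any real system)
# holding a pre-generated nss.txt, the p11-kit drop-in and a correct nss.config.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/share/crypto-policies/PUPPET" \
             "$root/etc/crypto-policies/local.d" \
             "$root/etc/crypto-policies/back-ends"
    printf '%s\n' 'library=' 'name=Policy' 'NSS=flags=policyOnly,moduleDB' \
        'config="disallow=ALL allow=SHA256:AES128-GCM:ECDHE-RSA:RSA-MIN=2048"' \
        > "$root/usr/share/crypto-policies/PUPPET/nss.txt"
    printf '%s\n' 'name=p11-kit-proxy' 'library=p11-kit-proxy.so' \
        > "$root/etc/crypto-policies/local.d/nss-p11-kit.config"
    # A correct back-end is the pre-generated file plus the drop-in, in order.
    cat "$root/usr/share/crypto-policies/PUPPET/nss.txt" \
        "$root/etc/crypto-policies/local.d/nss-p11-kit.config" \
        > "$root/etc/crypto-policies/back-ends/nss.config"
    printf '%s\n' "$root"
}

# Replace the back-end with a near-empty policy of the kind the report shows,
# as if update-crypto-policies had generated it from the empty PUPPET.pol.
mangle_demo_tree() {
    printf '%s\n' 'library=' 'name=Policy' 'NSS=flags=policyOnly,moduleDB' \
        'config="disallow=ALL allow=RSA-MIN=0"' \
        'name=p11-kit-proxy' 'library=p11-kit-proxy.so' \
        > "$1/etc/crypto-policies/back-ends/nss.config"
}

if [ "${1:-}" = "demo" ]; then
    demo=$(make_demo_tree)
    if check_backend "$demo" PUPPET nss; then
        echo "nss.config matches the pre-generated PUPPET policy"
    fi
    mangle_demo_tree "$demo"
    if ! check_backend "$demo" PUPPET nss; then
        echo "nss.config has drifted from the pre-generated PUPPET policy"
    fi
    rm -rf "$demo"
fi
```

Running the script with the `demo` argument shows both outcomes on the constructed tree; on a real host the call is `check_backend / PUPPET nss` (or the same for any other back-end). A non-zero return means the back-end no longer reflects the pre-generated policy, which is the condition under which the reporter's Puppet code restores the file, and it is worth running after every crypto-policies package update since that is when update-crypto-policies is re-invoked.
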
Comment 7 errata-xmlrpc 2021-11-09 19:51:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4460

