a if@sTddlZddlZddlZddlmZmZddlmZddlm Z Gddde Z dS)N)CalledProcessErrorcall)mkstemp)ConfigGeneratorc@seZdZdZhdZddddddd Zd d d d ddddddddd ZddddddZddddddddddddddddd Zddddd!d"d#d$d%d&d' Z d(d)d*d+d,d-d.d/Z d0d1d2d3d4Z e d5d6Z e d7d8Zd9S): NSSGeneratornss>rZsslZtls HMAC-SHA1HMAC-MD5z HMAC-SHA256z HMAC-SHA384z HMAC-SHA512)ZAEADr r z HMAC-SHA2-256z HMAC-SHA2-384z HMAC-SHA2-512SHA1MD5ZSHA224ZSHA256ZSHA384ZSHA512) r r zSHA2-224zSHA2-256zSHA2-384zSHA2-512zSHA3-256zSHA3-384zSHA3-512z SHAKE-128z SHAKE-256ZGOSTR94Z CURVE25519 SECP256R1 SECP384R1 SECP521R1)ZX25519ZX448rrrZrc2Zrc4z aes256-gcmz aes128-gcmz aes256-cbcz aes128-cbczcamellia256-cbczcamellia128-cbczchacha20-poly1305z des-ede3-cbc)z AES-256-CTRz AES-128-CTRzRC2-CBCzRC4-128z AES-256-GCMz AES-128-GCMz AES-256-CBCz AES-128-CBCzCAMELLIA-256-CBCzCAMELLIA-128-CBCzCAMELLIA-256-GCMzCAMELLIA-128-GCMz AES-256-CCMz AES-128-CCMzCHACHA20-POLY1305z3DES-CBCRSADHE-RSADHE-DSSzECDHE-RSA:ECDHE-ECDSAzECDH-RSA:ECDH-ECDSAz DH-RSA:DH-DSS) ZPSKzDHE-PSKz ECDHE-PSKzRSA-PSKrrrZECDHEZECDHZDHzssl3.0ztls1.0ztls1.1ztls1.2ztls1.3zdtls1.0zdtls1.2)zSSL3.0zTLS1.0zTLS1.1zTLS1.2zTLS1.3zDTLS1.0zDTLS1.2zRSA-PSSzRSA-PKCSZECDSAZDSA)zRSA-PSS-zRSA-zECDSA-zDSA-c Cs|j}d}|d7}|d7}|d7}d}|dD].}z|||j|}Wq.tyZYq.0q.|dD].}z|||j|}WqftyYqf0qf|dD].}z|||j|}WqtyYq0q|d D]0}z|||j|}WqtyYq0q|d D]2}z|||j|}Wnty>Yn0qt d d d k}|j ddkrv|sv||d}t }|dD]N}|j D]<\}} ||r| |vr|| ||| }qqq|jr|j|j} ||d| }n ||d}|jr,|j|j} ||d| }n ||d}||dt|jd}||dt|jd}||dt|jd}||d7}|S)Nz library= z name=Policy zNSS=flags=policyOnly,moduleDB zconfig="disallow=ALL allow=r ZmacgroupZcipherhashZ key_exchangeZNSS_NO_TLS_REQUIRE_EMS01Z__emsZENFORCEzTLS-REQUIRE-EMSsignztls-version-min=ztls-version-min=0zdtls-version-min=zdtls-version-min=0zDH-MIN=Z min_dh_sizezDSA-MIN=Z min_dsa_sizezRSA-MIN=Z min_rsa_sizez" )Zenabledappendmac_mapKeyError curve_map cipher_maphash_mapkey_exchange_maposgetenvZenumssetsign_prefix_ordmapitems startswithaddZmin_tls_version protocol_mapZmin_dtls_versionstrZintegers) clsZpolicypZcfgsiZno_tls_require_emsZenabled_sigalgsprefixZsigalgZminverr.9/usr/share/crypto-policies/python/policygenerators/nss.pygenerate_configfsn                    zNSSGenerator.generate_configc CsVtjd}t|}tdddk}d}z|ds:d}WntyX|dYn0|rf|sfd nd }t \}}d } zt |d } | |Wdn1s0Yzt d |d|ddd} Wnt y|dYn0Wt|n t|0| dkr.|d|d|dS| rR|d|d|dSdS)NZnss3ZNSS_LAXrrTs3.80Fz9Cannot determine nss version with ctypes, assuming >=3.80z-f value -f identifierr wz/usr/bin/nss-policy-check  z >/dev/null)shellz+/usr/bin/nss-policy-check: Execution failedz*There is a warning in NSS generated policyzPolicy: z)There is an error in NSS generated policy)ctypesutilZ find_libraryZCDLLr r!ZNSS_VersionCheckAttributeErrorZeprintrfdopenwriterrunlink) r)ZconfigZnss_pathZnss_libZnss_laxZnss_is_lax_by_defaultoptionsfdpathretfr.r.r/ test_configsH     (     zNSSGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESrrrrrr'r# classmethodr0rAr.r.r.r/rs    Gr) r6Z ctypes.utilr subprocessrrZtempfilerZconfiggeneratorrrr.r.r.r/s