shell bypass 403
3
."�d$������������������@���sT���d�dl�mZmZ�d�dlmZ�d�dlZd�dlZd�dlZddlm Z �G�dd��de �Z
dS�)�����)�call�CalledProcessError)�mkstempN����)�ConfigGeneratorc���������������@���s����e�Zd�ZdZdddhZdddddd d
�Zd
d
d
dddddddd�
Zdddddd�Zdddddddd
d
d
ddddd d d!�Zdddd"d#d$d%d&d'd(� Z d)d*d+d,d-d.d/d0�Z
d1d2d3d4d5�Z
e
d6d7���Z
e
d8d9���Zd:S�);�
NSSGeneratorZnssZtlsZssl��z HMAC-SHA1zHMAC-MD5z
HMAC-SHA256z
HMAC-SHA384z
HMAC-SHA512)ZAEADz HMAC-SHA1zHMAC-MD5z
HMAC-SHA2-256z
HMAC-SHA2-384z
HMAC-SHA2-512�SHA1�MD5ZSHA224ZSHA256ZSHA384ZSHA512)
r ���r
���zSHA2-224zSHA2-256zSHA2-384zSHA2-512zSHA3-256zSHA3-384zSHA3-512ZGOSTZ
CURVE25519� SECP256R1� SECP384R1� SECP521R1)ZX25519ZX448r
���r
���r
���Zrc2Zrc4z
aes256-gcmz
aes128-gcmz
aes256-cbcz
aes128-cbczcamellia256-cbczcamellia128-cbczchacha20-poly1305z
des-ede3-cbc)z
AES-256-CTRz
AES-128-CTRzRC2-CBCzRC4-128z
AES-256-GCMz
AES-128-GCMz
AES-256-CBCz
AES-128-CBCzCAMELLIA-256-CBCzCAMELLIA-128-CBCzCAMELLIA-256-GCMzCAMELLIA-128-GCMz
AES-256-CCMz
AES-128-CCMzCHACHA20-POLY1305z3DES-CBC�RSAzDHE-RSAzDHE-DSSzECDHE-RSA:ECDHE-ECDSAzECDH-RSA:ECDH-ECDSAz
DH-RSA:DH-DSS) ZPSKzDHE-PSKz ECDHE-PSKr���zDHE-RSAzDHE-DSSZECDHEZECDHZDHzssl3.0ztls1.0ztls1.1ztls1.2ztls1.3zdtls1.0zdtls1.2)zSSL3.0zTLS1.0zTLS1.1zTLS1.2zTLS1.3zDTLS1.0zDTLS1.2zRSA-PSSzRSA-PKCSZECDSA�DSA)zRSA-PSS-zRSA-zECDSA-zDSA-c�������
���
���C���s���|j�}d}|d7�}|d7�}|d7�}d}x<|d�D�]0}y|�j||�j|��}W�q0�tk
r^���Y�q0X�q0W�x<|d�D�]0}y|�j||�j|��}W�qn�tk
r����Y�qnX�qnW�x<|d�D�]0}y|�j||�j|��}W�q��tk
r����Y�q�X�q�W�x>|d �D�]2}y|�j||�j|��}W�q��tk
�r���Y�q�X�q�W�x@|d
�D�]4}y|�j||�j|��}W�n�tk
�rZ���Y�nX��q*W�d
d
��|d
�D��}|�r�|�j|d�}t��}xZ|d
�D�]N}xF|�j j
��D�]8\}} |j
|��r�| |k�r�|j
| ��|�j|| �}P��q�W��q�W�|j
�r|�j|j
�}
|�j|d|
��}n
|�j|d�}|j�r@|�j|j�}
|�j|d|
��}n
|�j|d�}|�j|dt|jd����}|�j|dt|jd����}|�j|dt|jd����}||d�7�}|S�)Nz library=
z
name=Policy
z
NSS=flags=policyOnly,moduleDB
zconfig="disallow=ALL allow=r���Zmac�groupZcipher�hashZ
key_exchangec�������������S���s
���g�|�]}|j�d��dkr|�qS�)zDSA-r���)�find)�.0�i��r����:./usr/share/crypto-policies/python/policygenerators/nss.py�
<listcomp>����s����z0NSSGenerator.generate_config.<locals>.<listcomp>Zsignr���ztls-version-min=ztls-version-min=0zdtls-version-min=zdtls-version-min=0zDH-MIN=Z
min_dh_sizezDSA-MIN=Z
min_dsa_sizezRSA-MIN=Z
min_rsa_sizez"
)Zenabled�append�mac_map�KeyError� curve_map�
cipher_map�hash_map�key_exchange_map�set�sign_prefix_ordmap�items�
startswith�addZmin_tls_version�
protocol_mapZmin_dtls_version�strZintegers)
�clsZpolicy�pZcfg�sr���ZdsaZenabled_sigalgs�prefixZsigalgZminverr���r���r����generate_configd���sn����
z
NSSGenerator.generate_configc���������� ���C���s��y2t�jjd�}t�j|�}|jd�s0|�jd��dS�W�n
�tk
rP���|�jd��Y�nX�tjdtj �sddS�t
��\}}d}z^tj
|d��}|j
|��W�d�Q�R�X�yt
d |�d
�dd
�}W�n
�tk
r����|�jd
��Y�nX�W�d�tj|��X�|�r�|�jd
��|�jd|���dS�dS�)NZnss3s���3.66z:Skipping nss-policy-check due to nss being older than 3.66Tz(Cannot determine nss version with ctypesz/usr/bin/nss-policy-check�����wz/usr/bin/nss-policy-check z
>/dev/null)�shellz+/usr/bin/nss-policy-check: Execution failedz)There is an error in NSS generated policyz
Policy:
%sF)�ctypes�utilZ
find_libraryZCDLLZNSS_VersionCheckZeprint�AttributeError�os�access�X_OKr����fdopen�writer���r����unlink)r&����configZnss_pathZnss_lib�fd�pathZret�fr���r���r����
test_config����s6����
zNSSGenerator.test_configN)�__name__�
__module__�
__qualname__Z
CONFIG_NAMEZSCOPESr���r
���r���r
���r
���r$���r ����
classmethodr*���r;���r���r���r���r���r������sz���
Hr���)
�
subprocessr���r���Ztempfiler���r.���Z
ctypes.utilr1���Zconfiggeneratorr���r���r���r���r���r����<module>���s
���