commit
00b2dfac6d
@ -0,0 +1 @@
|
|||||||
|
p_crypto-policies
|
@ -0,0 +1,32 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
echo "Тест наличия файлов"
|
||||||
|
|
||||||
|
source library/sh_lib.sh
|
||||||
|
|
||||||
|
check=0
|
||||||
|
|
||||||
|
files=(
|
||||||
|
/usr/share/crypto-policies/policies/GOST-ONLY-PAM.pol
|
||||||
|
/usr/share/crypto-policies/policies/GOST-ONLY.pol
|
||||||
|
/usr/share/crypto-policies/policies/modules/GOST.pmod
|
||||||
|
/usr/share/crypto-policies/policies/modules/PAM-GOST.pmod
|
||||||
|
)
|
||||||
|
|
||||||
|
count=${#files[@]}
|
||||||
|
for (( i=0; i<count; i++ ))
|
||||||
|
do
|
||||||
|
ls -l ${files[$i]}
|
||||||
|
check=$(eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
filesize=$(stat -c%s ${files[$i]})
|
||||||
|
if [ $filesize -eq 0 ]; then
|
||||||
|
echo "File ${files[$i]} length == 0 -- Error"
|
||||||
|
let check+=1
|
||||||
|
else
|
||||||
|
echo "File ${files[$i]} length == ${filesize} -- OK"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
check_test_status ${check} "$0"
|
||||||
|
exit ${check}
|
@ -0,0 +1,100 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# set +e
|
||||||
|
set -x
|
||||||
|
|
||||||
|
echo "Тест на применимость политики DEFAULT:GOST"
|
||||||
|
|
||||||
|
source library/sh_lib.sh
|
||||||
|
|
||||||
|
check=0
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
# Test 1. Current policy
|
||||||
|
echo "Test 1. Check current policy is DEFAULT"
|
||||||
|
current_policy=$(/usr/bin/update-crypto-policies --show)
|
||||||
|
if [[ "$current_policy" == "DEFAULT" ]]; then
|
||||||
|
echo "Current policy: ${current_policy} -- OK"
|
||||||
|
else
|
||||||
|
echo "Current policy: ${current_policy} -- Error, should be DEFAULT"
|
||||||
|
let check+=1
|
||||||
|
fi
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
# Test 2.
|
||||||
|
echo "Test 2. Default files test"
|
||||||
|
cat /etc/crypto-policies/back-ends/opensslcnf.config | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
# файл /etc/crypto-policies/back-ends/auth.config - симлинк на пустой файл
|
||||||
|
ls -l /etc/crypto-policies/back-ends/auth.config
|
||||||
|
filename="/etc/crypto-policies/back-ends/auth.config"
|
||||||
|
filesize=$(stat -Lc%s ${filename})
|
||||||
|
if [ $filesize -eq 0 ]; then
|
||||||
|
echo "File ${filename} length == 0 -- OK"
|
||||||
|
else
|
||||||
|
echo "File ${filename} length == ${filesize} -- Error, should be empty"
|
||||||
|
let check+=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# cat /etc/pam.d/password-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
|
||||||
|
cat /etc/pam.d/password-auth | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
# cat /etc/pam.d/system-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
|
||||||
|
cat /etc/pam.d/system-auth | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
# Test 3.
|
||||||
|
echo "Test 3. Set GOST policy"
|
||||||
|
/usr/bin/update-crypto-policies --set DEFAULT:GOST
|
||||||
|
check=$(eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
# Test 4.
|
||||||
|
echo "Test 4. Files test after set GOST policy"
|
||||||
|
|
||||||
|
cat /etc/crypto-policies/back-ends/opensslcnf.config | /bin/grep gost
|
||||||
|
check=$(eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
# файл /etc/crypto-policies/back-ends/auth.config - пустой
|
||||||
|
ls -l /etc/crypto-policies/back-ends/auth.config
|
||||||
|
filename="/etc/crypto-policies/back-ends/auth.config"
|
||||||
|
filesize=$(stat -c%s ${filename})
|
||||||
|
if [ $filesize -eq 0 ]; then
|
||||||
|
echo "File ${filename} length == 0 -- OK"
|
||||||
|
else
|
||||||
|
echo "File ${filename} length == ${filesize} -- Error, should be empty"
|
||||||
|
let check+=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# cat /etc/pam.d/password-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
|
||||||
|
cat /etc/pam.d/password-auth | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
# cat /etc/pam.d/system-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
|
||||||
|
cat /etc/pam.d/system-auth | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
# Test 5.
|
||||||
|
echo "Test 5. Check current policy is GOST"
|
||||||
|
current_policy=$(/usr/bin/update-crypto-policies --show)
|
||||||
|
if [[ "$current_policy" == "DEFAULT:GOST" ]]; then
|
||||||
|
echo "Current policy: ${current_policy} -- OK"
|
||||||
|
else
|
||||||
|
echo "Current policy: ${current_policy} -- Error, should be DEFAULT:GOST"
|
||||||
|
let check+=1
|
||||||
|
fi
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
echo "Reset policy to default"
|
||||||
|
/usr/bin/update-crypto-policies --set DEFAULT
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
check_test_status ${check} "$0"
|
||||||
|
exit ${check}
|
@ -0,0 +1,35 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# set +e
|
||||||
|
set -x
|
||||||
|
|
||||||
|
echo "Тест на корректность формирования команд политик"
|
||||||
|
|
||||||
|
source library/sh_lib.sh
|
||||||
|
|
||||||
|
check=0
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "Test 1. Files presence test"
|
||||||
|
ls -l /usr/share/crypto-policies/reload-cmds.sh
|
||||||
|
check=$(eq_is_success ${check} 0)
|
||||||
|
echo "---------------------------"
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "Test 2. Command test"
|
||||||
|
|
||||||
|
# cat /usr/share/crypto-policies/reload-cmds.sh | grep auth_apply.sh
|
||||||
|
# /usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :
|
||||||
|
s_cmd=$(cat /usr/share/crypto-policies/reload-cmds.sh | grep auth_apply.sh)
|
||||||
|
check=$(eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
cat "$s_cmd"
|
||||||
|
if [[ "$s_cmd" == "/usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :" ]]; then
|
||||||
|
echo "Command OK"
|
||||||
|
else
|
||||||
|
echo "Error: command not found"
|
||||||
|
let check+=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
check_test_status ${check} "$0"
|
||||||
|
exit ${check}
|
@ -0,0 +1,75 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# set +e
|
||||||
|
set -x
|
||||||
|
|
||||||
|
echo "Тест что gost engine подключен к openssl"
|
||||||
|
|
||||||
|
source library/sh_lib.sh
|
||||||
|
|
||||||
|
check=0
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "1. Reset policy to default"
|
||||||
|
/usr/bin/update-crypto-policies --set DEFAULT
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "Test 2. Files test"
|
||||||
|
|
||||||
|
# cat /etc/crypto-policies/back-ends/opensslcnf.config | grep gost
|
||||||
|
# данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
|
||||||
|
cat /etc/crypto-policies/back-ends/opensslcnf.config | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
# файл /etc/crypto-policies/back-ends/auth.config - пустой
|
||||||
|
# файл /etc/crypto-policies/back-ends/auth.config - симлинк на пустой файл
|
||||||
|
ls -l /etc/crypto-policies/back-ends/auth.config
|
||||||
|
filename="/etc/crypto-policies/back-ends/auth.config"
|
||||||
|
filesize=$(stat -Lc%s ${filename})
|
||||||
|
if [ $filesize -eq 0 ]; then
|
||||||
|
echo "File ${filename} length == 0 -- OK"
|
||||||
|
else
|
||||||
|
echo "File ${filename} length == ${filesize} -- Error, should be empty"
|
||||||
|
let check+=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# cat /etc/pam.d/password-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
|
||||||
|
cat /etc/pam.d/password-auth | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
# cat /etc/pam.d/system-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
|
||||||
|
cat /etc/pam.d/system-auth | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "Test 3. Set GOST policy"
|
||||||
|
/usr/bin/update-crypto-policies --set DEFAULT:GOST
|
||||||
|
check=$(eq_is_success ${check} 0)
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "Test 4. Test openssl"
|
||||||
|
openssl_expected_output="TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
|
||||||
|
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
|
||||||
|
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
|
||||||
|
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
|
||||||
|
LEGACY-GOST2012-GOST8912-GOST8912 TLSv1 Kx=GOST Au=GOST12 Enc=GOST89(256) Mac=GOST89
|
||||||
|
IANA-GOST2012-GOST8912-GOST8912 TLSv1 Kx=GOST Au=GOST12 Enc=GOST89(256) Mac=GOST89
|
||||||
|
GOST2001-GOST89-GOST89 TLSv1 Kx=GOST Au=GOST01 Enc=GOST89(256) Mac=GOST89
|
||||||
|
GOST2012-NULL-GOST12 TLSv1 Kx=GOST Au=GOST12 Enc=None Mac=GOST2012
|
||||||
|
GOST2001-NULL-GOST94 TLSv1 Kx=GOST Au=GOST01 Enc=None Mac=GOST94"
|
||||||
|
openssl_out=$(/usr/bin/openssl ciphers -v 'kGOST')
|
||||||
|
echo "openssl out:"
|
||||||
|
echo "${openssl_out}"
|
||||||
|
if [[ $openssl_out == $openssl_expected_output ]]; then
|
||||||
|
echo "openssl out is valid"
|
||||||
|
else
|
||||||
|
echo "ERROR: openssl out is invalid"
|
||||||
|
let check+=1
|
||||||
|
fi
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
check_test_status ${check} "$0"
|
||||||
|
exit ${check}
|
@ -0,0 +1,81 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# set +e
|
||||||
|
set -x
|
||||||
|
|
||||||
|
echo "Тест шифрования пароля по ГОСТ"
|
||||||
|
|
||||||
|
source library/sh_lib.sh
|
||||||
|
|
||||||
|
check=0
|
||||||
|
USER='testusr'
|
||||||
|
USER_PASS='test123_PaSs!Word'
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "1. Reset policy to default"
|
||||||
|
/usr/bin/update-crypto-policies --set DEFAULT
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "Test 2. Files test"
|
||||||
|
# cat /etc/crypto-policies/back-ends/opensslcnf.config | grep gost
|
||||||
|
# данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
|
||||||
|
cat /etc/crypto-policies/back-ends/opensslcnf.config | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
# файл /etc/crypto-policies/back-ends/auth.config - пустой
|
||||||
|
# файл /etc/crypto-policies/back-ends/auth.config - симлинк на пустой файл
|
||||||
|
ls -l /etc/crypto-policies/back-ends/auth.config
|
||||||
|
filename="/etc/crypto-policies/back-ends/auth.config"
|
||||||
|
filesize=$(stat -Lc%s ${filename})
|
||||||
|
if [ $filesize -eq 0 ]; then
|
||||||
|
echo "File ${filename} length == 0 -- OK"
|
||||||
|
else
|
||||||
|
echo "File ${filename} length == ${filesize} -- Error, should be empty"
|
||||||
|
let check+=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# cat /etc/pam.d/password-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
|
||||||
|
cat /etc/pam.d/password-auth | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
# cat /etc/pam.d/system-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
|
||||||
|
cat /etc/pam.d/system-auth | /bin/grep gost
|
||||||
|
check=$(not_eq_is_success ${check} 0)
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "Test 3. Set GOST policy"
|
||||||
|
/usr/bin/update-crypto-policies --set DEFAULT:PAM-GOST
|
||||||
|
check=$(eq_is_success ${check} 0)
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "4. Add user, set password"
|
||||||
|
/usr/bin/update-crypto-policies --show
|
||||||
|
useradd ${USER}
|
||||||
|
check=$(eq_is_success ${check} 0)
|
||||||
|
|
||||||
|
# ВНИМАНИЕ!
|
||||||
|
# chpasswd не поддерживает PAM-профили - см. https://inferitos.asproagile.ru/_module/agile/view/issue/1063
|
||||||
|
# поэтому здесь пока нельзя использовать эту команду
|
||||||
|
# chpasswd <<< "${USER}:${USER_PASS}"
|
||||||
|
|
||||||
|
echo "${USER_PASS}" | passwd "${USER}" --stdin
|
||||||
|
check=$(eq_is_success ${check} 0)
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
######################################
|
||||||
|
echo "5. Check is password encrypted"
|
||||||
|
passwd -S ${USER} | grep "GOST Yescrypt"
|
||||||
|
check=$(eq_is_success ${check} 0)
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
echo "Cleanup. Remove user, reset policy to default"
|
||||||
|
/usr/bin/update-crypto-policies --set DEFAULT
|
||||||
|
userdel -f -r ${USER}
|
||||||
|
echo "---------------------------------------"
|
||||||
|
|
||||||
|
|
||||||
|
check_test_status ${check} "$0"
|
||||||
|
exit ${check}
|
@ -0,0 +1,11 @@
|
|||||||
|
[req]
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
prompt = no
|
||||||
|
|
||||||
|
[req_distinguished_name]
|
||||||
|
C = RU
|
||||||
|
ST = Moscow
|
||||||
|
L = Moscow
|
||||||
|
O = YourOrganization
|
||||||
|
OU = YourOU
|
||||||
|
CN = dns_name.com
|
Loading…
Reference in new issue