From 862ec3130737aa3b95c549d54d5ceae98618c8f5 Mon Sep 17 00:00:00 2001 From: Pavel Negrobov Date: Thu, 8 Feb 2024 12:56:22 +0300 Subject: [PATCH 1/2] =?UTF-8?q?INF-1010:=20=D0=94=D0=BE=D0=B1=D0=B0=D0=B2?= =?UTF-8?q?=D0=B8=D1=82=D1=8C=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4?= =?UTF-8?q?=D0=BB=D1=8F=20=D0=93=D0=9E=D0=A1=D0=A2=20=D0=BF=D0=B0=D0=BA?= =?UTF-8?q?=D0=B5=D1=82=D0=B0=20crypto-policies?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- tests/p_crypto-policies-scripts | 1 + .../001-prepare_environment.sh | 14 +++ tests/p_crypto-policies/01-file-presence.sh | 32 ++++++ .../02-default_gost-policy-accept.sh | 100 ++++++++++++++++++ tests/p_crypto-policies/03-pam-gost.sh | 97 +++++++++++++++++ tests/p_crypto-policies/04-policy-cmds.sh | 35 ++++++ .../05-gost_engine-openssl.sh | 75 +++++++++++++ .../06-generate-gost-certificate.sh | 78 ++++++++++++++ .../07-passwd-gost-crypting.sh | 81 ++++++++++++++ tests/p_crypto-policies/files/req.conf | 11 ++ 10 files changed, 524 insertions(+) create mode 120000 tests/p_crypto-policies-scripts create mode 100755 tests/p_crypto-policies/001-prepare_environment.sh create mode 100755 tests/p_crypto-policies/01-file-presence.sh create mode 100755 tests/p_crypto-policies/02-default_gost-policy-accept.sh create mode 100755 tests/p_crypto-policies/03-pam-gost.sh create mode 100755 tests/p_crypto-policies/04-policy-cmds.sh create mode 100755 tests/p_crypto-policies/05-gost_engine-openssl.sh create mode 100755 tests/p_crypto-policies/06-generate-gost-certificate.sh create mode 100755 tests/p_crypto-policies/07-passwd-gost-crypting.sh create mode 100644 tests/p_crypto-policies/files/req.conf diff --git a/tests/p_crypto-policies-scripts b/tests/p_crypto-policies-scripts new file mode 120000 index 0000000..b8938a2 --- /dev/null +++ b/tests/p_crypto-policies-scripts @@ -0,0 +1 @@ +p_crypto-policies \ No newline at end of file 
diff --git a/tests/p_crypto-policies/001-prepare_environment.sh b/tests/p_crypto-policies/001-prepare_environment.sh
new file mode 100755
index 0000000..78ff10e
--- /dev/null
+++ b/tests/p_crypto-policies/001-prepare_environment.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+echo "Подготовка окружения для тестирования пакета ${TEST_PACKAGE_NAME}"
+
+# в пакете crypto-policies слабай зависимость на этот пакет,
+# поэтому для надёжности устанавливаем его вручную
+/bin/yum -y install openssl-gost-engine
+
+# Обновляем passwd, чтобы он показывал, что пароль пользователя использует GOST crypt
+# Старый пакет passwd не понимает GOST crypt и выводит "unknown crypt".
+# В этом случае рухнет тесткейс 5 теста 07-passwd-gost-crypting.sh
+/bin/yum -y update passwd
+
+exit 0
diff --git a/tests/p_crypto-policies/01-file-presence.sh b/tests/p_crypto-policies/01-file-presence.sh
new file mode 100755
index 0000000..5516e21
--- /dev/null
+++ b/tests/p_crypto-policies/01-file-presence.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+echo "Тест наличия файлов"
+
+source library/sh_lib.sh
+
+check=0
+
+files=(
+/usr/share/crypto-policies/policies/GOST-ONLY-PAM.pol
+/usr/share/crypto-policies/policies/GOST-ONLY.pol
+/usr/share/crypto-policies/policies/modules/GOST.pmod
+/usr/share/crypto-policies/policies/modules/PAM-GOST.pmod
+)
+
+count=${#files[@]}
+for (( i=0; i/dev/null || :
+s_cmd=$(cat /usr/share/crypto-policies/reload-cmds.sh | grep auth_apply.sh)
+check=$(eq_is_success ${check} 0)
+
+cat "$s_cmd"
+if [[ "$s_cmd" == "/usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :" ]]; then
+ echo "Command OK"
+else
+ echo "Error: command not found"
+ let check+=1
+fi
+
+check_test_status ${check} "$0"
+exit ${check}
diff --git a/tests/p_crypto-policies/05-gost_engine-openssl.sh b/tests/p_crypto-policies/05-gost_engine-openssl.sh
new file mode 100755
index 0000000..e8fa88e
--- /dev/null
+++ b/tests/p_crypto-policies/05-gost_engine-openssl.sh
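Review bot: The exit status of `/bin/yum -y install openssl-gost-engine` (and of `/bin/yum -y update passwd`) is never examined and the script ends with an unconditional `exit 0`, so a failed install is only discovered later, when 05–07 fail on assertions that have nothing to do with package installation. If the harness treats a non-zero status from this preparation script as "environment not ready" — I cannot see the harness from this patch — fail explicitly: `/bin/yum -y install openssl-gost-engine || { echo "openssl-gost-engine install failed" >&2; exit 1; }` and likewise for the passwd update. The comment above the install has a typo, `слабай` should read `слабая`.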
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# set +e
+set -x
+
+echo "Тест что gost engine подключен к openssl"
+
+source library/sh_lib.sh
+
+check=0
+
+######################################
+echo "1. Reset policy to default"
+/usr/bin/update-crypto-policies --set DEFAULT
+echo "---------------------------------------"
+
+######################################
+echo "Test 2. Files test"
+
+# cat /etc/crypto-policies/back-ends/opensslcnf.config | grep gost
+# данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
+cat /etc/crypto-policies/back-ends/opensslcnf.config | /bin/grep gost
+check=$(not_eq_is_success ${check} 0)
+
+# файл /etc/crypto-policies/back-ends/auth.config - пустой
+# файл /etc/crypto-policies/back-ends/auth.config - симлинк на пустой файл
+ls -l /etc/crypto-policies/back-ends/auth.config
+filename="/etc/crypto-policies/back-ends/auth.config"
+filesize=$(stat -Lc%s $(unknown))
+if [ $filesize -eq 0 ]; then
+ echo "File $(unknown) length == 0 -- OK"
+else
+ echo "File $(unknown) length == ${filesize} -- Error, should be empty"
+ let check+=1
+fi
+
+# cat /etc/pam.d/password-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
+cat /etc/pam.d/password-auth | /bin/grep gost
+check=$(not_eq_is_success ${check} 0)
+
+# cat /etc/pam.d/system-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
+cat /etc/pam.d/system-auth | /bin/grep gost
+check=$(not_eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+######################################
+echo "Test 3. Set GOST policy"
+/usr/bin/update-crypto-policies --set DEFAULT:GOST
+check=$(eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+######################################
+echo "Test 4. Test openssl"
+openssl_expected_output="TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
+TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
+TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
+TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
+LEGACY-GOST2012-GOST8912-GOST8912 TLSv1 Kx=GOST Au=GOST12 Enc=GOST89(256) Mac=GOST89
+IANA-GOST2012-GOST8912-GOST8912 TLSv1 Kx=GOST Au=GOST12 Enc=GOST89(256) Mac=GOST89
+GOST2001-GOST89-GOST89 TLSv1 Kx=GOST Au=GOST01 Enc=GOST89(256) Mac=GOST89
+GOST2012-NULL-GOST12 TLSv1 Kx=GOST Au=GOST12 Enc=None Mac=GOST2012
+GOST2001-NULL-GOST94 TLSv1 Kx=GOST Au=GOST01 Enc=None Mac=GOST94"
+openssl_out=$(/usr/bin/openssl ciphers -v 'kGOST')
+echo "openssl out:"
+echo "${openssl_out}"
+if [[ $openssl_out == $openssl_expected_output ]]; then
+ echo "openssl out is valid"
+else
+ echo "ERROR: openssl out is invalid"
+ let check+=1
+fi
+echo "---------------------------------------"
+
+check_test_status ${check} "$0"
+exit ${check}
diff --git a/tests/p_crypto-policies/06-generate-gost-certificate.sh b/tests/p_crypto-policies/06-generate-gost-certificate.sh
new file mode 100755
index 0000000..2291f92
--- /dev/null
+++ b/tests/p_crypto-policies/06-generate-gost-certificate.sh
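Review bot: In Test 4 the right-hand side of `if [[ $openssl_out == $openssl_expected_output ]]` is unquoted, so `[[` treats the expected output as a glob pattern rather than a literal string; it only works today because none of the nine expected lines contains `*`, `?` or `[`, so quote it: `if [[ "$openssl_out" == "$openssl_expected_output" ]]; then`. Pinning the complete, whitespace-exact output of `openssl ciphers -v 'kGOST'` also makes the test fail on any openssl or gost-engine update that reorders or reformats a line, whereas checking that each expected GOST suite name appears (`grep -qF -- 'GOST2012-NULL-GOST12' <<<"$openssl_out"` and so on) would test the policy rather than the formatting. In Test 2, `filesize=$(stat -Lc%s $(unknown))` as rendered here never uses the `filename` variable assigned on the line above and leaves the expansion unquoted, and `[ $filesize -eq 0 ]` turns a failed `stat` into a shell syntax error instead of a clear test failure; `filesize=$(stat -Lc%s "${filename}")` followed by `if [[ "${filesize:-}" == 0 ]]; then` fails cleanly. The same file-size block is copied verbatim into 06-generate-gost-certificate.sh and 07-passwd-gost-crypting.sh below and needs the same fix there.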
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# set +e
+set -x
+
+echo "Тест генерации сертификата с подключенным ГОСТ"
+
+source library/sh_lib.sh
+
+check=0
+
+######################################
+echo "1. Reset policy to default"
+/usr/bin/update-crypto-policies --set DEFAULT
+echo "---------------------------------------"
+
+######################################
+echo "Test 2. Files test"
+
+cat /etc/crypto-policies/back-ends/opensslcnf.config | /bin/grep gost
+check=$(not_eq_is_success ${check} 0)
+
+# файл /etc/crypto-policies/back-ends/auth.config - симлинк на пустой файл
+ls -l /etc/crypto-policies/back-ends/auth.config
+filename="/etc/crypto-policies/back-ends/auth.config"
+filesize=$(stat -Lc%s $(unknown))
+if [ $filesize -eq 0 ]; then
+ echo "File $(unknown) length == 0 -- OK"
+else
+ echo "File $(unknown) length == ${filesize} -- Error, should be empty"
+ let check+=1
+fi
+
+# cat /etc/pam.d/password-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
+cat /etc/pam.d/password-auth | /bin/grep gost
+check=$(not_eq_is_success ${check} 0)
+
+# cat /etc/pam.d/system-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
+cat /etc/pam.d/system-auth | /bin/grep gost
+check=$(not_eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+######################################
+echo "Test 3. Command test"
+/usr/bin/openssl req -x509 -newkey gost2012_256 -pkeyopt paramset:A -nodes -keyout key.pem -out cert.pem -md_gost12_256
+check=$(not_eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+######################################
+echo "Test 4. Set GOST policy"
+/usr/bin/update-crypto-policies --set DEFAULT:GOST
+check=$(eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+######################################
+echo "Test 5. Rerun command from test 3"
+# /usr/bin/openssl req -x509 -newkey gost2012_256 -pkeyopt paramset:A -nodes -keyout key.pem -out cert.pem -md_gost12_256
+config_path=$(pwd)/tests/p_crypto-policies/files/req.conf
+openssl req -x509 -newkey gost2012_256 -pkeyopt paramset:A -nodes -keyout gost_key.pem -out gost_cert.pem -md_gost12_256 -config "${config_path}"
+check=$(eq_is_success ${check} 0)
+ls -l gost_key.pem
+ls -l gost_cert.pem
+check=$(eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+######################################
+echo "Test 6. Check new GOST certificate"
+# $ openssl x509 -in cert.pem -text -noout | grep GOST
+ # Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
+ # Public Key Algorithm: GOST R 34.10-2012 with 256 bit modulus
+ # Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
+# файл cert.pem должен существовать и вывод от grep не должен быть пустым
+/usr/bin/openssl x509 -in gost_cert.pem -text -noout | grep GOST
+check=$(eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+check_test_status ${check} "$0"
+exit ${check}
diff --git a/tests/p_crypto-policies/07-passwd-gost-crypting.sh b/tests/p_crypto-policies/07-passwd-gost-crypting.sh
new file mode 100755
index 0000000..e4c7887
--- /dev/null
+++ b/tests/p_crypto-policies/07-passwd-gost-crypting.sh
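Review bot: Test 3 expects `/usr/bin/openssl req -x509 -newkey gost2012_256 ... -keyout key.pem -out cert.pem -md_gost12_256` to fail under the DEFAULT policy, but unlike Test 5 it is run without `-config "${config_path}"` (and without `-subj`/`-batch`), so with no terminal on stdin it is likely to fail on the subject-name prompts alone and the negative case passes without proving that the policy blocks GOST. Move the `config_path=$(pwd)/tests/p_crypto-policies/files/req.conf` assignment above Test 3 and pass the same `-config "${config_path}"` there, so the only difference between the negative and positive run is the policy. In Test 5 only the second `ls -l` feeds `eq_is_success`, so a missing `gost_key.pem` goes unnoticed; `[[ -s gost_key.pem && -s gost_cert.pem ]]` before the check covers both files. The generated key and certificate files (and `key.pem`/`cert.pem` if Test 3 ever succeeds) are left in the working directory, so a `trap 'rm -f -- key.pem cert.pem gost_key.pem gost_cert.pem' EXIT` after `check=0` would keep repeated runs independent.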
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# set +e
+set -x
+
+echo "Тест шифрования пароля по ГОСТ"
+
+source library/sh_lib.sh
+
+check=0
+USER='testusr'
+USER_PASS='test123_PaSs!Word'
+
+######################################
+echo "1. Reset policy to default"
+/usr/bin/update-crypto-policies --set DEFAULT
+echo "---------------------------------------"
+
+######################################
+echo "Test 2. Files test"
+# cat /etc/crypto-policies/back-ends/opensslcnf.config | grep gost
+# данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
+cat /etc/crypto-policies/back-ends/opensslcnf.config | /bin/grep gost
+check=$(not_eq_is_success ${check} 0)
+
+# файл /etc/crypto-policies/back-ends/auth.config - пустой
+# файл /etc/crypto-policies/back-ends/auth.config - симлинк на пустой файл
+ls -l /etc/crypto-policies/back-ends/auth.config
+filename="/etc/crypto-policies/back-ends/auth.config"
+filesize=$(stat -Lc%s $(unknown))
+if [ $filesize -eq 0 ]; then
+ echo "File $(unknown) length == 0 -- OK"
+else
+ echo "File $(unknown) length == ${filesize} -- Error, should be empty"
+ let check+=1
+fi
+
+# cat /etc/pam.d/password-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
+cat /etc/pam.d/password-auth | /bin/grep gost
+check=$(not_eq_is_success ${check} 0)
+
+# cat /etc/pam.d/system-auth | grep gost данная команда должна возвращать пустое значение и результат выполнения echo $? = 1
+cat /etc/pam.d/system-auth | /bin/grep gost
+check=$(not_eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+######################################
+echo "Test 3. Set GOST policy"
+/usr/bin/update-crypto-policies --set DEFAULT:PAM-GOST
+check=$(eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+######################################
+echo "4. Add user, set password"
+/usr/bin/update-crypto-policies --show
+useradd ${USER}
+check=$(eq_is_success ${check} 0)
+
+# ВНИМАНИЕ!
+# chpasswd не поддерживает PAM-профили - см. https://inferitos.asproagile.ru/_module/agile/view/issue/1063
+# поэтому здесь пока нельзя использовать эту команду
+# chpasswd <<< "${USER}:${USER_PASS}"
+
+echo "${USER_PASS}" | passwd "${USER}" --stdin
+check=$(eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+######################################
+echo "5. Check is password encrypted"
+passwd -S ${USER} | grep GOST
+check=$(eq_is_success ${check} 0)
+echo "---------------------------------------"
+
+echo "Cleanup. Remove user, reset policy to default"
+/usr/bin/update-crypto-policies --set DEFAULT
+userdel -f -r ${USER}
+echo "---------------------------------------"
+
+
+check_test_status ${check} "$0"
+exit ${check}
diff --git a/tests/p_crypto-policies/files/req.conf b/tests/p_crypto-policies/files/req.conf
new file mode 100644
index 0000000..31c1df7
--- /dev/null
+++ b/tests/p_crypto-policies/files/req.conf
@@ -0,0 +1,11 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+C = RU
+ST = Moscow
+L = Moscow
+O = YourOrganization
+OU = YourOU
+CN = dns_name.com
-- 
2.36.5
From 4896ae344eeb3c6cf081d4f3b45114ee6e0154b3 Mon Sep 17 00:00:00 2001 From: Pavel Negrobov Date: Tue, 13 Feb 2024 12:13:41 +0300 Subject: [PATCH 2/2] =?UTF-8?q?INF-1010:=20=D0=94=D0=BE=D0=B1=D0=B0=D0=B2?= =?UTF-8?q?=D0=B8=D1=82=D1=8C=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4?= =?UTF-8?q?=D0=BB=D1=8F=20=D0=93=D0=9E=D0=A1=D0=A2=20=D0=BF=D0=B0=D0=BA?= =?UTF-8?q?=D0=B5=D1=82=D0=B0=20crypto-policies?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- tests/p_crypto-policies/07-passwd-gost-crypting.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
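Review bot: `set -x` at the top of the script traces `echo "${USER_PASS}" | passwd "${USER}" --stdin` with the password expanded into the test log; even for a throwaway account the credential should not land in CI output, so bracket that line with `set +x` / `set -x` or drop the tracing. The script also assigns `USER='testusr'`, which overrides the login-name environment variable `USER` for every tool started from this process; a name such as `TEST_USER` avoids the clash (the follow-up patch touches the same variable in step 5). Cleanup — `userdel -f -r ${USER}` and the policy reset — runs only if control reaches the end of the script; the script is not `set -e`, so that is usually the case, but a killed run leaves the account behind and the next `useradd ${USER}` fails, which an EXIT trap registered right after `useradd` would prevent. `useradd ${USER}`, `passwd -S ${USER}` and `userdel -f -r ${USER}` should also quote the expansion as `passwd "${USER}" --stdin` already does.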
diff --git a/tests/p_crypto-policies/07-passwd-gost-crypting.sh b/tests/p_crypto-policies/07-passwd-gost-crypting.sh
index e4c7887..afc4be0 100755
--- a/tests/p_crypto-policies/07-passwd-gost-crypting.sh
+++ b/tests/p_crypto-policies/07-passwd-gost-crypting.sh
@@ -67,7 +67,7 @@ echo "---------------------------------------"
 
 ######################################
 echo "5. Check is password encrypted"
-passwd -S ${USER} | grep GOST
+passwd -S ${USER} | grep "GOST Yescrypt"
 check=$(eq_is_success ${check} 0)
 echo "---------------------------------------"
 
-- 
2.36.5
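Review bot: The new `grep "GOST Yescrypt"` is evaluated as a basic regular expression matched anywhere in the `passwd -S` line; that is harmless for this literal, but `grep -F -- "GOST Yescrypt"` states the intent (a fixed string) and protects against a future pattern starting with `-`, and `"${USER}"` on the same line would match the quoting already used for `passwd "${USER}" --stdin` earlier in the file. A reader has no way to tell where the string comes from, so a comment above the check such as `# passwd -S reports the crypt method; the updated passwd from 001-prepare_environment.sh is presumably what prints "GOST Yescrypt"` would document the dependency. The enclosing script continues outside the hunk.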