rpms
/
crypto-policies
21
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3ed68fe0bd'
${ noResults }
crypto-policies/SOURCES/0001-Added-GOST-9.5-policy-...

3254 lines
156 KiB
Raw Normal View History Unescape

Added spec and patches for 9.5 release
2 months ago
From f929e72a42bd205c933320ec8d4e828ced4a0050 Mon Sep 17 00:00:00 2001
From: Alexey Berezhok <aberezhok@msvsphere-os.ru>
Date: Mon, 14 Oct 2024 18:08:55 +0300
Subject: [PATCH] Added GOST 9.5 policy also added experimental PAM generator
---
Makefile | 12 ++
authselect_policies/minimal_gost/README | 84 ++++++++
authselect_policies/minimal_gost/REQUIREMENTS | 0
authselect_policies/minimal_gost/dconf-db | 3 +
authselect_policies/minimal_gost/dconf-locks | 2 +
.../minimal_gost/fingerprint-auth | 16 ++
.../minimal_gost/nsswitch.conf | 14 ++
.../minimal_gost/password-auth | 15 ++
authselect_policies/minimal_gost/postlogin | 4 +
.../minimal_gost/smartcard-auth | 16 ++
authselect_policies/minimal_gost/system-auth | 15 ++
authselect_policies/sssd_gost/README | 145 +++++++++++++
authselect_policies/sssd_gost/REQUIREMENTS | 29 +++
authselect_policies/sssd_gost/dconf-db | 9 +
authselect_policies/sssd_gost/dconf-locks | 4 +
.../sssd_gost/fingerprint-auth | 28 +++
authselect_policies/sssd_gost/nsswitch.conf | 7 +
authselect_policies/sssd_gost/password-auth | 39 ++++
authselect_policies/sssd_gost/postlogin | 4 +
authselect_policies/sssd_gost/smartcard-auth | 26 +++
authselect_policies/sssd_gost/system-auth | 46 ++++
policies/GOST-ONLY-PAM.pol | 29 +++
policies/GOST-ONLY.pol | 28 +++
policies/modules/GOST.pmod | 18 ++
policies/modules/PAM-GOST.pmod | 3 +
policies/modules/PATCH-PAM-GOST.pmod | 3 +
policies/modules/SSSD-PAM-GOST.pmod | 3 +
python/build-crypto-policies.py | 8 +-
python/cryptopolicies/alg_lists.py | 19 +-
python/cryptopolicies/cryptopolicies.py | 7 +-
python/policygenerators/__init__.py | 2 +
python/policygenerators/auth.py | 36 ++++
.../fedora-crypto-policies.code-workspace | 0
python/policygenerators/openssl.py | 23 ++
scripts/auth_apply.sh | 204 ++++++++++++++++++
tests/alternative-policies/GOST-ONLY.pol | 30 +++
tests/alternative-policies/modules/GOST.pmod | 18 ++
tests/gnutls.py | 3 +-
tests/java.py | 3 +-
tests/nss.py | 2 +-
tests/openssl.py | 2 +-
tests/outputs/DEFAULT-auth.txt | 0
tests/outputs/DEFAULT:GOST-auth.txt | 0
tests/outputs/DEFAULT:GOST-bind.txt | 10 +
tests/outputs/DEFAULT:GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:GOST-java.txt | 4 +
tests/outputs/DEFAULT:GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:GOST-krb5.txt | 2 +
tests/outputs/DEFAULT:GOST-libreswan.txt | 6 +
tests/outputs/DEFAULT:GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:GOST-nss.txt | 6 +
tests/outputs/DEFAULT:GOST-openssh.txt | 7 +
tests/outputs/DEFAULT:GOST-opensshserver.txt | 8 +
tests/outputs/DEFAULT:GOST-openssl.txt | 1 +
tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 +
tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 ++
tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 +++++
tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++++
tests/outputs/DEFAULT:PAM-GOST-auth.txt | 2 +
tests/outputs/DEFAULT:PAM-GOST-bind.txt | 12 ++
tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:PAM-GOST-java.txt | 4 +
tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 +
tests/outputs/DEFAULT:PAM-GOST-libreswan.txt | 6 +
tests/outputs/DEFAULT:PAM-GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:PAM-GOST-nss.txt | 6 +
tests/outputs/DEFAULT:PAM-GOST-openssh.txt | 7 +
.../DEFAULT:PAM-GOST-opensshserver.txt | 8 +
tests/outputs/DEFAULT:PAM-GOST-openssl.txt | 1 +
.../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 +
tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 8 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt | 1 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 12 ++
.../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 4 +
.../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 +
.../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 6 +
.../outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 6 +
.../DEFAULT:PATCH-PAM-GOST-openssh.txt | 7 +
.../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 8 +
.../DEFAULT:PATCH-PAM-GOST-openssl.txt | 1 +
.../DEFAULT:PATCH-PAM-GOST-openssl_fips.txt | 4 +
.../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 8 +
tests/outputs/DEFAULT:SHA1-auth.txt | 0
tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt | 4 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 12 ++
.../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 4 +
.../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 +
.../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 6 +
.../outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 6 +
.../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 7 +
.../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 8 +
.../outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt | 1 +
.../DEFAULT:SSSD-PAM-GOST-openssl_fips.txt | 4 +
.../DEFAULT:SSSD-PAM-GOST-opensslcnf.txt | 8 +
tests/outputs/EMPTY-auth.txt | 0
tests/outputs/FIPS-auth.txt | 0
tests/outputs/FIPS:ECDHE-ONLY-auth.txt | 0
tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt | 0
tests/outputs/FIPS:OSPP-auth.txt | 0
tests/outputs/FUTURE-auth.txt | 0
tests/outputs/FUTURE:AD-SUPPORT-auth.txt | 0
tests/outputs/GOST-ONLY-PAM-auth.txt | 2 +
tests/outputs/GOST-ONLY-PAM-bind.txt | 18 ++
tests/outputs/GOST-ONLY-PAM-gnutls.txt | 13 ++
tests/outputs/GOST-ONLY-PAM-java.txt | 4 +
tests/outputs/GOST-ONLY-PAM-javasystem.txt | 2 +
tests/outputs/GOST-ONLY-PAM-krb5.txt | 2 +
tests/outputs/GOST-ONLY-PAM-libreswan.txt | 2 +
tests/outputs/GOST-ONLY-PAM-libssh.txt | 0
tests/outputs/GOST-ONLY-PAM-nss.txt | 6 +
tests/outputs/GOST-ONLY-PAM-openssh.txt | 2 +
tests/outputs/GOST-ONLY-PAM-opensshserver.txt | 2 +
tests/outputs/GOST-ONLY-PAM-openssl.txt | 1 +
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt | 4 +
tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 ++
tests/outputs/GOST-ONLY-auth.txt | 0
tests/outputs/GOST-ONLY-bind.txt | 18 ++
tests/outputs/GOST-ONLY-gnutls.txt | 13 ++
tests/outputs/GOST-ONLY-java.txt | 4 +
tests/outputs/GOST-ONLY-javasystem.txt | 2 +
tests/outputs/GOST-ONLY-krb5.txt | 2 +
tests/outputs/GOST-ONLY-libreswan.txt | 2 +
tests/outputs/GOST-ONLY-libssh.txt | 0
tests/outputs/GOST-ONLY-nss.txt | 6 +
tests/outputs/GOST-ONLY-openssh.txt | 2 +
tests/outputs/GOST-ONLY-opensshserver.txt | 2 +
tests/outputs/GOST-ONLY-openssl.txt | 1 +
tests/outputs/GOST-ONLY-openssl_fips.txt | 4 +
tests/outputs/GOST-ONLY-opensslcnf.txt | 18 ++
tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 +++++
tests/outputs/GOST-ONLY-sequoia.txt | 51 +++++
tests/outputs/LEGACY-auth.txt | 0
.../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0
140 files changed, 2000 insertions(+), 10 deletions(-)
create mode 100644 authselect_policies/minimal_gost/README
create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS
create mode 100644 authselect_policies/minimal_gost/dconf-db
create mode 100644 authselect_policies/minimal_gost/dconf-locks
create mode 100644 authselect_policies/minimal_gost/fingerprint-auth
create mode 100644 authselect_policies/minimal_gost/nsswitch.conf
create mode 100644 authselect_policies/minimal_gost/password-auth
create mode 100644 authselect_policies/minimal_gost/postlogin
create mode 100644 authselect_policies/minimal_gost/smartcard-auth
create mode 100644 authselect_policies/minimal_gost/system-auth
create mode 100644 authselect_policies/sssd_gost/README
create mode 100644 authselect_policies/sssd_gost/REQUIREMENTS
create mode 100644 authselect_policies/sssd_gost/dconf-db
create mode 100644 authselect_policies/sssd_gost/dconf-locks
create mode 100644 authselect_policies/sssd_gost/fingerprint-auth
create mode 100644 authselect_policies/sssd_gost/nsswitch.conf
create mode 100644 authselect_policies/sssd_gost/password-auth
create mode 100644 authselect_policies/sssd_gost/postlogin
create mode 100644 authselect_policies/sssd_gost/smartcard-auth
create mode 100644 authselect_policies/sssd_gost/system-auth
create mode 100644 policies/GOST-ONLY-PAM.pol
create mode 100644 policies/GOST-ONLY.pol
create mode 100644 policies/modules/GOST.pmod
create mode 100644 policies/modules/PAM-GOST.pmod
create mode 100644 policies/modules/PATCH-PAM-GOST.pmod
create mode 100644 policies/modules/SSSD-PAM-GOST.pmod
create mode 100644 python/policygenerators/auth.py
create mode 100644 python/policygenerators/fedora-crypto-policies.code-workspace
create mode 100755 scripts/auth_apply.sh
create mode 100644 tests/alternative-policies/GOST-ONLY.pol
create mode 100644 tests/alternative-policies/modules/GOST.pmod
create mode 100644 tests/outputs/DEFAULT-auth.txt
create mode 100644 tests/outputs/DEFAULT:GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:GOST-opensslcnf.txt
create mode 100644 tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
create mode 100644 tests/outputs/DEFAULT:GOST-sequoia.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
create mode 100644 tests/outputs/DEFAULT:SHA1-auth.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
create mode 100644 tests/outputs/EMPTY-auth.txt
create mode 100644 tests/outputs/FIPS-auth.txt
create mode 100644 tests/outputs/FIPS:ECDHE-ONLY-auth.txt
create mode 100644 tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt
create mode 100644 tests/outputs/FIPS:OSPP-auth.txt
create mode 100644 tests/outputs/FUTURE-auth.txt
create mode 100644 tests/outputs/FUTURE:AD-SUPPORT-auth.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-auth.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-bind.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-gnutls.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-java.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-javasystem.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-krb5.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-libreswan.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-libssh.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-nss.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssh.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-opensshserver.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
create mode 100644 tests/outputs/GOST-ONLY-auth.txt
create mode 100644 tests/outputs/GOST-ONLY-bind.txt
create mode 100644 tests/outputs/GOST-ONLY-gnutls.txt
create mode 100644 tests/outputs/GOST-ONLY-java.txt
create mode 100644 tests/outputs/GOST-ONLY-javasystem.txt
create mode 100644 tests/outputs/GOST-ONLY-krb5.txt
create mode 100644 tests/outputs/GOST-ONLY-libreswan.txt
create mode 100644 tests/outputs/GOST-ONLY-libssh.txt
create mode 100644 tests/outputs/GOST-ONLY-nss.txt
create mode 100644 tests/outputs/GOST-ONLY-openssh.txt
create mode 100644 tests/outputs/GOST-ONLY-opensshserver.txt
create mode 100644 tests/outputs/GOST-ONLY-openssl.txt
create mode 100644 tests/outputs/GOST-ONLY-openssl_fips.txt
create mode 100644 tests/outputs/GOST-ONLY-opensslcnf.txt
create mode 100644 tests/outputs/GOST-ONLY-rpm-sequoia.txt
create mode 100644 tests/outputs/GOST-ONLY-sequoia.txt
create mode 100644 tests/outputs/LEGACY-auth.txt
create mode 100644 tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt
diff --git a/Makefile b/Makefile
index 5b584b3..467807d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,10 @@
VERSION=$(shell git log -1|grep commit|cut -f 2 -d ' '|head -c 7)
DIR?=/usr/share/crypto-policies
+DIRSCR?=/usr/share/crypto-policies-scripts
BINDIR?=/usr/bin
MANDIR?=/usr/share/man
CONFDIR?=/etc/crypto-policies
+AUTHSELECTDIR?=/etc/authselect/custom
LIBEXECDIR?=/usr/libexec
DESTDIR?=
MAN7PAGES=crypto-policies.7
@@ -30,11 +32,14 @@ install: $(MANPAGES)
mkdir -p $(DESTDIR)$(MANDIR)/man8
mkdir -p $(DESTDIR)$(BINDIR)
mkdir -p $(DESTDIR)$(LIBEXECDIR)
+ mkdir -p $(DESTDIR)$(AUTHSELECTDIR)
install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
install -p -m 755 $(LIBEXEC_SCRIPTS) $(DESTDIR)$(LIBEXECDIR)
mkdir -p $(DESTDIR)$(DIR)/
+ mkdir -p $(DESTDIR)$(DIRSCR)/
+ install -p -m 755 scripts/auth_apply.sh $(DESTDIR)$(DIRSCR)
install -p -m 644 default-config $(DESTDIR)$(DIR)
install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
for f in $$(find output -name '*.txt') ; do d=$$(dirname $$f | cut -f 2- -d '/') ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done
@@ -42,6 +47,7 @@ install: $(MANPAGES)
for f in $$(find python -name '*.py') ; do d=$$(dirname $$f) ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done
chmod 755 $(DESTDIR)$(DIR)/python/update-crypto-policies.py
chmod 755 $(DESTDIR)$(DIR)/python/build-crypto-policies.py
+ for f in $$(find authselect_policies -name '*' -type f,l) ; do d=$$(basename $$(dirname $$f)) ; install -p -m 644 -D -t $(DESTDIR)$(AUTHSELECTDIR)/$$d $$f ; done
runruff:
ruff check
@@ -65,6 +71,11 @@ check:
python/build-crypto-policies.py --strict --policy FIPS:NO-ENFORCE-EMS --test --flat policies tests/outputs
python/build-crypto-policies.py --strict --policy FUTURE:AD-SUPPORT --test --flat policies tests/outputs
python/build-crypto-policies.py --strict --policy LEGACY:AD-SUPPORT-LEGACY --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:GOST --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy GOST-ONLY --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:PAM-GOST --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:PATCH-PAM-GOST --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:SSSD-PAM-GOST --test --flat policies tests/outputs
tests/openssl.py
tests/gnutls.py
tests/nss.py
@@ -118,6 +129,7 @@ diff-outputs:
python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies output/current || true
python/build-crypto-policies.py --policy FIPS:NO-ENFORCE-EMS --test --flat policies output/current || true
python/build-crypto-policies.py --policy LEGACY:AD-SUPPORT --test --flat policies output/current || true
+ python/build-crypto-policies.py --policy DEFAULT:GOST --test --flat policies output/current || true
$(DIFFTOOL) tests/outputs output/current
clean:
diff --git a/authselect_policies/minimal_gost/README b/authselect_policies/minimal_gost/README
new file mode 100644
index 0000000..9839669
--- /dev/null
+++ b/authselect_policies/minimal_gost/README
@@ -0,0 +1,84 @@
+Local users only for minimal installations and gost support
+===========================================================
+
+Selecting this profile will enable local files as the source of identity
+and authentication providers.
+
+This profile can be used on systems that require minimal installation to
+save disk and memory space. It serves only local users and groups directly
+from system files instead of going through other authentication providers.
+Therefore SSSD, winbind and fprintd packages can be safely removed.
+
+AVAILABLE OPTIONAL FEATURES
+---------------------------
+
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
+with-gost::
+ Use GOST hash for shadow password instead of sha512
+
+with-silent-lastlog::
+ Do not produce pam_lastlog message during login.
+
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-aliases::
+Ignore "aliases" map set by the profile.
+
+with-custom-automount::
+Ignore "automount" map set by the profile.
+
+with-custom-ethers::
+Ignore "ethers" map set by the profile.
+
+with-custom-group::
+Ignore "group" map set by the profile.
+
+with-custom-hosts::
+Ignore "hosts" map set by the profile.
+
+with-custom-initgroups::
+Ignore "initgroups" map set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" map set by the profile.
+
+with-custom-networks::
+Ignore "networks" map set by the profile.
+
+with-custom-passwd::
+Ignore "passwd" map set by the profile.
+
+with-custom-protocols::
+Ignore "protocols" map set by the profile.
+
+with-custom-publickey::
+Ignore "publickey" map set by the profile.
+
+with-custom-rpc::
+Ignore "rpc" map set by the profile.
+
+with-custom-services::
+Ignore "services" map set by the profile.
+
+with-custom-shadow::
+Ignore "shadow" map set by the profile.
+
+EXAMPLES
+--------
+
+* Enable minimal profile
+
+ authselect select minimal
+
+SEE ALSO
+--------
+* man passwd(5)
+* man group(5)
diff --git a/authselect_policies/minimal_gost/REQUIREMENTS b/authselect_policies/minimal_gost/REQUIREMENTS
new file mode 100644
index 0000000..e69de29
diff --git a/authselect_policies/minimal_gost/dconf-db b/authselect_policies/minimal_gost/dconf-db
new file mode 100644
index 0000000..a3868b7
--- /dev/null
+++ b/authselect_policies/minimal_gost/dconf-db
@@ -0,0 +1,3 @@
+[org/gnome/login-screen]
+enable-smartcard-authentication=false
+enable-fingerprint-authentication=false
diff --git a/authselect_policies/minimal_gost/dconf-locks b/authselect_policies/minimal_gost/dconf-locks
new file mode 100644
index 0000000..8a36fa9
--- /dev/null
+++ b/authselect_policies/minimal_gost/dconf-locks
@@ -0,0 +1,2 @@
+/org/gnome/login-screen/enable-smartcard-authentication
+/org/gnome/login-screen/enable-fingerprint-authentication
diff --git a/authselect_policies/minimal_gost/fingerprint-auth b/authselect_policies/minimal_gost/fingerprint-auth
new file mode 100644
index 0000000..ca152fb
--- /dev/null
+++ b/authselect_policies/minimal_gost/fingerprint-auth
@@ -0,0 +1,16 @@
+auth required pam_env.so
+auth sufficient pam_fprintd.so
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/authselect_policies/minimal_gost/nsswitch.conf b/authselect_policies/minimal_gost/nsswitch.conf
new file mode 100644
index 0000000..f1f5941
--- /dev/null
+++ b/authselect_policies/minimal_gost/nsswitch.conf
@@ -0,0 +1,14 @@
+passwd: sss files systemd {exclude if "with-custom-passwd"}
+shadow: files {exclude if "with-custom-shadow"}
+group: sss files systemd {exclude if "with-custom-group"}
+hosts: files dns myhostname {exclude if "with-custom-hosts"}
+services: files sss {exclude if "with-custom-services"}
+netgroup: sss {exclude if "with-custom-netgroup"}
+automount: files sss {exclude if "with-custom-automount"}
+aliases: files {exclude if "with-custom-aliases"}
+ethers: files {exclude if "with-custom-ethers"}
+gshadow: files
+networks: files dns {exclude if "with-custom-networks"}
+protocols: files {exclude if "with-custom-protocols"}
+publickey: files {exclude if "with-custom-publickey"}
+rpc: files {exclude if "with-custom-rpc"}
diff --git a/authselect_policies/minimal_gost/password-auth b/authselect_policies/minimal_gost/password-auth
new file mode 100644
index 0000000..5da3730
--- /dev/null
+++ b/authselect_policies/minimal_gost/password-auth
@@ -0,0 +1,15 @@
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok}
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/authselect_policies/minimal_gost/postlogin b/authselect_policies/minimal_gost/postlogin
new file mode 100644
index 0000000..8d9bfd0
--- /dev/null
+++ b/authselect_policies/minimal_gost/postlogin
@@ -0,0 +1,4 @@
+session optional pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+session optional pam_lastlog.so silent noupdate showfailed
diff --git a/authselect_policies/minimal_gost/smartcard-auth b/authselect_policies/minimal_gost/smartcard-auth
new file mode 100644
index 0000000..f0843be
--- /dev/null
+++ b/authselect_policies/minimal_gost/smartcard-auth
@@ -0,0 +1,16 @@
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password optional pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/authselect_policies/minimal_gost/system-auth b/authselect_policies/minimal_gost/system-auth
new file mode 100644
index 0000000..5da3730
--- /dev/null
+++ b/authselect_policies/minimal_gost/system-auth
@@ -0,0 +1,15 @@
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok}
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/authselect_policies/sssd_gost/README b/authselect_policies/sssd_gost/README
new file mode 100644
index 0000000..02daa76
--- /dev/null
+++ b/authselect_policies/sssd_gost/README
@@ -0,0 +1,145 @@
+Enable SSSD with GOST support for system authentication (also for local users only)
+=================================================================
+
+Selecting this profile will enable SSSD with GOST as the source of identity
+and authentication providers.
+
+SSSD provides a set of daemons to manage access to remote directories and
+authentication mechanisms such as LDAP, Kerberos, FreeIPA or AD. It provides
+an NSS and PAM interface toward the system and a pluggable backend system
+to connect to multiple different account sources.
+
+More information about SSSD can be found on its project page:
+https://sssd.io
+
+However, if you do not want to keep SSSD running on your machine, you can
+keep this profile selected and just disable SSSD service. The resulting
+configuration will still work correctly even with SSSD disabled and local users
+and groups will be read from local files directly.
+
+SSSD CONFIGURATION
+------------------
+
+Authselect does not touch SSSD's configuration. Please, read SSSD's
+documentation to see how to configure it manually. Only local users
+will be available on the system if there is no existing SSSD configuration.
+
+AVAILABLE OPTIONAL FEATURES
+---------------------------
+
+with-faillock::
+ Enable account locking in case of too many consecutive
+ authentication failures.
+
+with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+with-smartcard::
+ Enable authentication with smartcards through SSSD. Please note that
+ smartcard support must be also explicitly enabled within
+ SSSD's configuration.
+
+with-smartcard-lock-on-removal::
+ Lock screen when a smartcard is removed.
+
+with-smartcard-required::
+ Smartcard authentication is required. No other means of authentication
+ (including password) will be enabled.
+
+with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+
+with-pam-gnome-keyring::
+ Enable pam-gnome-keyring support.
+
+with-pam-u2f::
+ Enable authentication via u2f dongle through *pam_u2f*.
+
+with-pam-u2f-2fa::
+ Enable 2nd factor authentication via u2f dongle through *pam_u2f*.
+
+without-pam-u2f-nouserok::
+ Module argument nouserok is omitted if also with-pam-u2f-2fa is used.
+ *WARNING*: Omitting nouserok argument means that users without pam-u2f
+ authentication configured will not be able to log in *INCLUDING* root.
+ Make sure you are able to log in before losing root privileges.
+
+with-silent-lastlog::
+ Do not produce pam_lastlog message during login.
+
+with-sudo::
+ Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers.
+
+with-pamaccess::
+ Check access.conf during account authorization.
+
+with-pwhistory::
+ Enable pam_pwhistory module for local users.
+
+with-files-domain::
+ If set, SSSD will be contacted before "files" when resolving users and
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
+ "files sss" for passwd and group maps.
+
+with-files-access-provider::
+ If set, account management for local users is handled also by pam_sss. This
+ is needed if there is an explicitly configured domain with id_provider=files
+ and non-empty access_provider setting in sssd.conf.
+
+ *WARNING:* SSSD access check will become mandatory for local users and
+ if SSSD is stopped then local users will not be able to log in. Only
+ system accounts (as defined by pam_usertype, including root) will be
+ able to log in.
+
+with-gssapi::
+ If set, pam_sss_gss module is enabled to perform user authentication over
+ GSSAPI.
+
+with-subid::
+ Enable SSSD as a source of subid database in /etc/nsswitch.conf.
+
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
+with-gost::
+ Use GOST hash for shadow password instead of sha512
+
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-passwd::
+Ignore "passwd" database set by the profile.
+
+with-custom-group::
+Ignore "group" database set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" database set by the profile.
+
+with-custom-automount::
+Ignore "automount" database set by the profile.
+
+with-custom-services::
+Ignore "services" database set by the profile.
+
+EXAMPLES
+--------
+
+* Enable SSSD with sudo and smartcard support
+
+ authselect select sssd with-sudo with-smartcard
+
+* Enable SSSD with sudo support and create home directories for users on their
+ first login
+
+ authselect select sssd with-mkhomedir with-sudo
+
+SEE ALSO
+--------
+* man sssd.conf(5)
diff --git a/authselect_policies/sssd_gost/REQUIREMENTS b/authselect_policies/sssd_gost/REQUIREMENTS
new file mode 100644
index 0000000..396287e
--- /dev/null
+++ b/authselect_policies/sssd_gost/REQUIREMENTS
@@ -0,0 +1,29 @@
+Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
+ {include if "with-smartcard"}
+- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf: {include if "with-smartcard"}
+ - set "pam_cert_auth = True" in [pam] section {include if "with-smartcard"}
+ {include if "with-fingerprint"}
+- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"}
+ {include if "with-pam-gnome-keyring"}
+- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module {include if "with-pam-gnome-keyring"}
+ is present. {include if "with-pam-gnome-keyring"}
+ {include if "with-pam-u2f"}
+- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"}
+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"}
+ {include if "with-pam-u2f-2fa"}
+- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"}
+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"}
+ {include if "with-mkhomedir"}
+- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
+ is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
+ - systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
+ {include if "with-files-domain"}
+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
+ {include if "with-gssapi"}
+- with-gssapi is selected, make sure that GSSAPI authenticaiton is enabled in SSSD {include if "with-gssapi"}
+ - set pam_gssapi_services to a list of allowed services in /etc/sssd/sssd.conf {include if "with-gssapi"}
+ - see additional information in pam_sss_gss(8) {include if "with-gssapi"}
+ {include if "with-gost"}
+- with-gost is selected, make sure that openssl-gost-engine installed {include if "with-gost"}
diff --git a/authselect_policies/sssd_gost/dconf-db b/authselect_policies/sssd_gost/dconf-db
new file mode 100644
index 0000000..66c9949
--- /dev/null
+++ b/authselect_policies/sssd_gost/dconf-db
@@ -0,0 +1,9 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+{imply "with-smartcard" if "with-smartcard-lock-on-removal"}
+[org/gnome/login-screen]
+enable-smartcard-authentication={if "with-smartcard":true|false}
+enable-fingerprint-authentication={if "with-fingerprint":true|false}
+enable-password-authentication={if "with-smartcard-required":false|true}
+
+[org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
+removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"}
diff --git a/authselect_policies/sssd_gost/dconf-locks b/authselect_policies/sssd_gost/dconf-locks
new file mode 100644
index 0000000..6bf15d0
--- /dev/null
+++ b/authselect_policies/sssd_gost/dconf-locks
@@ -0,0 +1,4 @@
+/org/gnome/login-screen/enable-smartcard-authentication
+/org/gnome/login-screen/enable-fingerprint-authentication
+/org/gnome/login-screen/enable-password-authentication
+/org/gnome/settings-daemon/peripherals/smartcard/removal-action {include if "with-smartcard-lock-on-removal"}
diff --git a/authselect_policies/sssd_gost/fingerprint-auth b/authselect_policies/sssd_gost/fingerprint-auth
new file mode 100644
index 0000000..dc7befe
--- /dev/null
+++ b/authselect_policies/sssd_gost/fingerprint-auth
@@ -0,0 +1,28 @@
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"}
+{continue if "with-fingerprint"}
+auth required pam_env.so
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth [success=done default=bad] pam_fprintd.so
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/authselect_policies/sssd_gost/nsswitch.conf b/authselect_policies/sssd_gost/nsswitch.conf
new file mode 100644
index 0000000..f9e4e54
--- /dev/null
+++ b/authselect_policies/sssd_gost/nsswitch.conf
@@ -0,0 +1,7 @@
+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
+netgroup: sss files {exclude if "with-custom-netgroup"}
+automount: sss files {exclude if "with-custom-automount"}
+services: sss files {exclude if "with-custom-services"}
+sudoers: files sss {include if "with-sudo"}
+subid: sss {include if "with-subid"}
diff --git a/authselect_policies/sssd_gost/password-auth b/authselect_policies/sssd_gost/password-auth
new file mode 100644
index 0000000..7832fb7
--- /dev/null
+++ b/authselect_policies/sssd_gost/password-auth
@@ -0,0 +1,39 @@
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth [default=1 ignore=ignore success=ok] pam_localuser.so
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth sufficient pam_sss.so forward_pass
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so local_users_only
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
diff --git a/authselect_policies/sssd_gost/postlogin b/authselect_policies/sssd_gost/postlogin
new file mode 100644
index 0000000..04a11f0
--- /dev/null
+++ b/authselect_policies/sssd_gost/postlogin
@@ -0,0 +1,4 @@
+session optional pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+session optional pam_lastlog.so silent noupdate showfailed
diff --git a/authselect_policies/sssd_gost/smartcard-auth b/authselect_policies/sssd_gost/smartcard-auth
new file mode 100644
index 0000000..754847f
--- /dev/null
+++ b/authselect_policies/sssd_gost/smartcard-auth
@@ -0,0 +1,26 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-smartcard"}
+{continue if "with-smartcard"}
+auth required pam_env.so
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth sufficient pam_sss.so allow_missing_name {if "with-smartcard-required":require_cert_auth}
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/authselect_policies/sssd_gost/system-auth b/authselect_policies/sssd_gost/system-auth
new file mode 100644
index 0000000..31d4ee1
--- /dev/null
+++ b/authselect_policies/sssd_gost/system-auth
@@ -0,0 +1,46 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
+auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
+auth sufficient pam_fprintd.so {include if "with-fingerprint"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
+auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
+auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
+auth sufficient pam_sss_gss.so {include if "with-gssapi"}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth sufficient pam_sss.so forward_pass
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so local_users_only
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/policies/GOST-ONLY-PAM.pol b/policies/GOST-ONLY-PAM.pol
new file mode 100644
index 0000000..fce3bdb
--- /dev/null
+++ b/policies/GOST-ONLY-PAM.pol
@@ -0,0 +1,29 @@
+# Next generation GOST algorithms
+
+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT
+
+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C
+
+hash = GOSTR94 STREEBOG-256 STREEBOG-512
+
+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512
+
+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB
+
+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF
+
+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0
+
+# Parameter sizes
+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL
+min_dh_size = 2048
+min_dsa_size = 2048
+min_rsa_size = 2048
+
+# GnuTLS only for now
+sha1_in_certs = 0
+
+action_do = GOST
+authopt@AUTH = custom/minimal_gost with-gost
diff --git a/policies/GOST-ONLY.pol b/policies/GOST-ONLY.pol
new file mode 100644
index 0000000..37e478b
--- /dev/null
+++ b/policies/GOST-ONLY.pol
@@ -0,0 +1,28 @@
+# Next generation GOST algorithms
+
+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT
+
+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C
+
+hash = GOSTR94 STREEBOG-256 STREEBOG-512
+
+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512
+
+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB
+
+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF
+
+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0
+
+# Parameter sizes
+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL
+min_dh_size = 2048
+min_dsa_size = 2048
+min_rsa_size = 2048
+
+# GnuTLS only for now
+sha1_in_certs = 0
+
+action_do = GOST
diff --git a/policies/modules/GOST.pmod b/policies/modules/GOST.pmod
new file mode 100644
index 0000000..b9021ea
--- /dev/null
+++ b/policies/modules/GOST.pmod
@@ -0,0 +1,18 @@
+# Adds GOST algorithms.
+#
+
+mac = +HMAC-STREEBOG-256 +HMAC-STREEBOG-512 +MAGMA-OMAC +KUZNYECHIK-OMAC +MAGMA-OMAC-ACPKM +KUZNYECHIK-OMAC-ACPKM +GOST28147-TC26Z-IMIT +GOST28147-CPA-IMIT +AEAD
+
+group = +GOST-GC256A +GOST-GC256B +GOST-GC256C +GOST-GC256D +GOST-GC512A +GOST-GC512B +GOST-GC512C
+
+hash = +STREEBOG-256 +STREEBOG-512 GOSTR94+
+
+sign = +GOSTR341012-256 +GOSTR341012-512 GOSTR341001+
+
+cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB
+
+key_exchange = +VKO-GOST-2001 +VKO-GOST-2012 +VKO-GOST-KDF
+
+action_do = +GOST
diff --git a/policies/modules/PAM-GOST.pmod b/policies/modules/PAM-GOST.pmod
new file mode 100644
index 0000000..06d92c5
--- /dev/null
+++ b/policies/modules/PAM-GOST.pmod
@@ -0,0 +1,3 @@
+#Add shadow gost support
+
+authopt@AUTH = custom/minimal_gost with-gost
diff --git a/policies/modules/PATCH-PAM-GOST.pmod b/policies/modules/PATCH-PAM-GOST.pmod
new file mode 100644
index 0000000..a79abd0
--- /dev/null
+++ b/policies/modules/PATCH-PAM-GOST.pmod
@@ -0,0 +1,3 @@
+#Add shadow gost support
+
+authopt@AUTH = patch
diff --git a/policies/modules/SSSD-PAM-GOST.pmod b/policies/modules/SSSD-PAM-GOST.pmod
new file mode 100644
index 0000000..f28939e
--- /dev/null
+++ b/policies/modules/SSSD-PAM-GOST.pmod
@@ -0,0 +1,3 @@
+#Add shadow gost support
+
+authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog
diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py
index 2853c65..4b3d83c 100755
--- a/python/build-crypto-policies.py
+++ b/python/build-crypto-policies.py
@@ -9,6 +9,7 @@ import argparse
import os
import sys
import warnings
+import platform
import cryptopolicies
import policygenerators
@@ -62,6 +63,11 @@ def save_config(cmdline, policy_name, config_name, config):
try:
with open(path, encoding='utf-8') as f:
old_config = f.read()
+ if '[gost_section]' in config:
+ arch, links = platform.architecture()
+ if arch == '32bit':
+ #Make test expected file same for x86 and x86_64 systems
+ config = config.replace('dynamic_path = /usr/lib/engines-3/gost.so', 'dynamic_path = /usr/lib64/engines-3/gost.so')
if old_config != config:
eprint(f'Config for {config_name} for policy {policy_name} '
'differs from the existing one')
@@ -100,7 +106,7 @@ def build_policy(cmdline, policy_name, subpolicy_names=None):
gen = cls()
config = gen.generate_config(cp.scoped(gen.SCOPES))
- if policy_name in {'EMPTY', 'GOST-ONLY'} or gen.test_config(config):
+ if policy_name in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM') or gen.test_config(config):
try:
name = ':'.join([policy_name, *subpolicy_names])
if not save_config(cmdline, name, gen.CONFIG_NAME, config):
diff --git a/python/cryptopolicies/alg_lists.py b/python/cryptopolicies/alg_lists.py
index 259f61a..c1cf35c 100644
--- a/python/cryptopolicies/alg_lists.py
+++ b/python/cryptopolicies/alg_lists.py
@@ -94,6 +94,12 @@ DTLS_PROTOCOLS = ('DTLS1.2', 'DTLS1.0', 'DTLS0.9')
IKE_PROTOCOLS = ('IKEv2', 'IKEv1')
ALL_PROTOCOLS = TLS_PROTOCOLS + DTLS_PROTOCOLS + IKE_PROTOCOLS
+# List of action do algoritms, for non standard libraries
+IACTION_OPT = 'action_do'
+ALL_ACTION_DO = ( 'GOST', 'NONE' )
+
+AUTH_PROFILES_OPT = 'authopt'
+ALL_AUTH_PROFILES = ()
ALL = {
'cipher': ALL_CIPHERS,
@@ -103,6 +109,8 @@ ALL = {
'mac': ALL_MACS,
'protocol': ALL_PROTOCOLS,
'sign': ALL_SIGN,
+ IACTION_OPT: ALL_ACTION_DO,
+ AUTH_PROFILES_OPT: ALL_AUTH_PROFILES
}
@@ -116,10 +124,13 @@ def glob(pattern, alg_class):
if alg_class not in ALL:
raise validation.alg_lists.AlgorithmClassUnknownError(alg_class)
- r = fnmatch.filter(ALL[alg_class], pattern)
- if not r:
- raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class)
- return r
+ if alg_class == AUTH_PROFILES_OPT:
+ return [pattern]
+ else:
+ r = fnmatch.filter(ALL[alg_class], pattern)
+ if not r:
+ raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class)
+ return r
def earliest_occurrence(needles, ordered_haystack):
diff --git a/python/cryptopolicies/cryptopolicies.py b/python/cryptopolicies/cryptopolicies.py
index a580ce8..0f50792 100644
--- a/python/cryptopolicies/cryptopolicies.py
+++ b/python/cryptopolicies/cryptopolicies.py
@@ -42,7 +42,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing
'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh',
'ipsec', 'ike', 'libreswan',
'kerberos', 'krb5',
- 'dnssec', 'bind',
+ 'dnssec', 'bind', 'auth'
)
DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
'bind': {'bind', 'dnssec'},
@@ -55,6 +55,7 @@ DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
'openssh-client': {'openssh-client', 'openssh', 'ssh'},
'openssh-server': {'openssh-server', 'openssh', 'ssh'},
'openssl': {'openssl', 'tls', 'ssl'},
+ 'auth': {'auth'},
}
@@ -466,6 +467,8 @@ class UnscopedCryptoPolicy:
**generic_scoped.integers,
**generic_scoped.enums}
for prop_name, value in generic_all.items():
+ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT):
+ continue
s += fmt(prop_name, value)
anything_scope_specific = False
for scope_name, scope_set in DUMPABLE_SCOPES.items():
@@ -474,6 +477,8 @@ class UnscopedCryptoPolicy:
**specific_scoped.integers,
**specific_scoped.enums}
for prop_name, value in specific_all.items():
+ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT):
+ continue
if value != generic_all[prop_name]:
if not anything_scope_specific:
s += ('# Scope-specific properties '
diff --git a/python/policygenerators/__init__.py b/python/policygenerators/__init__.py
index be516b2..ae756f0 100644
--- a/python/policygenerators/__init__.py
+++ b/python/policygenerators/__init__.py
@@ -16,6 +16,7 @@ from .openssl import (
OpenSSLFIPSGenerator,
OpenSSLGenerator,
)
+from .auth import AuthGenerator
__all__ = [
'BindGenerator',
@@ -31,4 +32,5 @@ __all__ = [
'OpenSSLConfigGenerator',
'OpenSSLFIPSGenerator',
'OpenSSLGenerator',
+ 'AuthGenerator',
]
diff --git a/python/policygenerators/auth.py b/python/policygenerators/auth.py
new file mode 100644
index 0000000..eb6bda5
--- /dev/null
+++ b/python/policygenerators/auth.py
@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Copyright (c) 2019 Red Hat, Inc.
+# Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
+
+import os.path
+
+from .configgenerator import ConfigGenerator
+
+class AuthGenerator(ConfigGenerator):
+ CONFIG_NAME = 'auth'
+ SCOPES = {'auth'}
+
+ RELOAD_CMD = '/usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :\n'
+
+ @classmethod
+ def generate_config(cls, policy):
+ p = policy.enabled
+ sep = '\n'
+ s = ''
+ authopt_data = p['authopt']
+ if len(authopt_data) > 0:
+ auth_profile = authopt_data.pop(0)
+ opt_list = []
+ for item in authopt_data:
+ if item not in opt_list:
+ if item.startswith('with'):
+ opt_list.append(item)
+ s = cls.append(s, auth_profile, sep)
+ for item in opt_list:
+ s = cls.append(s, item, sep)
+ return s
+
+ @classmethod
+ def test_config(cls, config): # pylint: disable=unused-argument
+ return True
diff --git a/python/policygenerators/fedora-crypto-policies.code-workspace b/python/policygenerators/fedora-crypto-policies.code-workspace
new file mode 100644
index 0000000..e69de29
diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py
index fcee9ec..a97502a 100644
--- a/python/policygenerators/openssl.py
+++ b/python/policygenerators/openssl.py
@@ -2,6 +2,7 @@
# Copyright (c) 2019 Red Hat, Inc.
# Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
+import platform
from subprocess import CalledProcessError, check_output
@@ -21,6 +22,25 @@ tls1-prf-ems-check = {}
activate = 1
'''
+arch, links = platform.architecture()
+library_path = '64'
+if arch == '32bit':
+ library_path = ''
+
+GOST_MODULE_ENABLE = '''
+[openssl_init]
+engines = engine_gost
+
+[engine_gost]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = /usr/lib%s/engines-3/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
+''' % (library_path)
+
class OpenSSLGenerator(ConfigGenerator):
CONFIG_NAME = 'openssl'
@@ -264,6 +284,9 @@ class OpenSSLConfigGenerator(OpenSSLGenerator):
if 'SHA1' in p['hash']:
s += RH_ALLOW_SHA1
+
+ if 'GOST' in p['action_do']:
+ s += GOST_MODULE_ENABLE
return s
diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh
new file mode 100755
index 0000000..5b2ecad
--- /dev/null
+++ b/scripts/auth_apply.sh
@@ -0,0 +1,204 @@
+#!/usr/bin/bash
+exec 1> /var/log/crypto-cmc/auth.log 2>&1
+set -x
+# Скрипт настройки профиля authselect для crypto-policy
+# Примеры запуска:
+# auth_apply.sh -e - восстановить конфигурацию без указания auth профиля
+# auth_apply.sh -p tmp/ - считать что конфигурационные файлы authselect лежат в каталоге tmp
+# auth_apply.sh -p /tmp -t /tmpconf - аналигично предыдущему, но еще не вызывать authselect
+# и считать, что сгенерированный конфиг лежит в каталоге tmpconf
+
+CONF_PATH=/etc/authselect/
+AUTH_SEL_BAK=authselect.conf.policy
+AUTH_CONFIG=authselect.conf
+EMPTY=0
+TEST=""
+AUTH_BACKUP_NAME="auth_saved_profile"
+USE_PATCH="$CONF_PATH/autheslect.patch"
+
+function set_gost
+{
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/system-auth
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/password-auth
+
+}
+
+function set_no_gost
+{
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/system-auth
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/password-auth
+}
+
+function get_auth_options
+{
+ /usr/bin/cat /etc/crypto-policies/back-ends/auth.config | tr '\n' ' '
+}
+
+function save_restored_profile
+{
+ if [ ! -e /etc/authselect/custom/restored ];then
+ /usr/bin/authselect create-profile restored
+ [ -e /etc/pam.d/fingerprint-auth ] && /usr/bin/cp -f /etc/pam.d/fingerprint-auth /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/password-auth ] && /usr/bin/cp -f /etc/pam.d/password-auth /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/postlogin ] && /usr/bin/cp -f /etc/pam.d/postlogin /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/smartcard-auth ] && /usr/bin/cp -f /etc/pam.d/smartcard-auth /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/system-auth ] && /usr/bin/cp -f /etc/pam.d/system-auth /etc/authselect/custom/restored/
+ [ -e /etc/authselect/user-nsswitch.conf ] && /usr/bin/cp -f /etc/authselect/user-nsswitch.conf /etc/authselect/custom/restored/nsswitch.conf
+ fi
+}
+
+while getopts ':et:p:h' VAL ; do
+ case $VAL in
+ e ) EMPTY=1 ;;
+ p ) CONF_PATH="$OPTARG" ;;
+ t ) TEST="$OPTARG" ;;
+ : )
+ echo "Необходим параметр - путь к опции $OPTARG"
+ exit 255
+ ;;
+ * )
+ echo "Неизвестный параметр $OPTARG"
+ exit 255
+ ;;
+ esac
+done
+shift $((OPTIND -1))
+
+# Если заданный путь к кинфигурации authselect заканчивается на /
+# то удалим этот символ
+LAST_SYMBOL=${CONF_PATH: -1}
+if [ "$LAST_SYMBOL" = "/" ];then
+ CONF_PATH=${CONF_PATH%?}
+fi
+LAST_SYMBOL=${TEST: -1}
+if [ "$LAST_SYMBOL" = "/" ];then
+ TEST=${TEST%?}
+fi
+
+if [ -z "$TEST" ];then
+ POLICY_CONFIG=/etc/crypto-policies/back-ends/auth.config
+else
+ POLICY_CONFIG="$TEST/auth.config"
+ if [[ "$POLICY_CONFIG" == "/*" ]];then
+ :
+ else
+ CUR_DIR=$(pwd)
+ POLICY_CONFIG="$CUR_DIR/$POLICY_CONFIG"
+ fi
+fi
+
+PATH_TO_AUTH_SEL_BAK="$CONF_PATH/$AUTH_SEL_BAK"
+PATH_TO_AUTH_CONFIG="$CONF_PATH/$AUTH_CONFIG"
+
+# Дополнительная проверка, файл authselect.conf не должен быть пустым
+# или соедржать слово empty--data, иначе это признак empty
+if [ -e "$PATH_TO_AUTH_CONFIG" ];then
+ AUTH_CONF_CONT=$(/usr/bin/cat "$POLICY_CONFIG" | /usr/bin/xargs)
+ if [ -z "$AUTH_CONF_CONT" -o "$AUTH_CONF_CONT" = "empty--data" ];then
+ EMPTY=1
+ fi
+else
+ EMPTY=2
+fi
+
+# Проверим, нужно ли накладывать патч. Установлено ли это конфигурацией
+NEED_PATCH=0
+if [ -e "$POLICY_CONFIG" ];then
+ RES=$(cat "$POLICY_CONFIG")
+ if [ "$RES" = "patch" ];then
+ NEED_PATCH=1
+ fi
+fi
+
+# Если задан параметр empty, это значит, что применяется профиль
+# без настройки для authselect, в этом случае нужно восстановить
+# старый заданный профиль
+# TODO: возможно даже воспользоватьс командой
+# authselect backup-restore auth_saved_profile
+# данный снимок создается при профиля через crypto-policy
+if [ "$EMPTY" = "1" ];then
+# Если есть файл authselect.patch, значит профиль был пропатчен,
+# а не установлен через профиль
+ if [ -e "$USE_PATCH" ];then
+ set_no_gost
+ /usr/bin/mv -f "$USE_PATCH" "$USE_PATCH.removed"
+ else
+ if [ -e "$PATH_TO_AUTH_SEL_BAK" ];then
+# Только root может восстанавливать конфигурацию из резервной копии
+# дабыизбежать подлога и восстановления файла, созданного пользователем
+ OWNER_UID=$(/usr/bin/stat -c "%u" "$PATH_TO_AUTH_SEL_BAK")
+ if [ "$OWNER_UID" = "0" ];then
+ /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG"
+ fi
+ AUTH_CONT=$(cat "$PATH_TO_AUTH_CONFIG")
+# Есди файл настроек authselect пустой после восстановления
+# значит он создан ранее скриптом и его нужно убрать
+ if [ -z "$AUTH_CONT" ];then
+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed"
+ fi
+ else
+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed"
+ fi
+ if [ -e "$PATH_TO_AUTH_CONFIG" ];then
+ /usr/bin/authselect apply-changes
+ else
+ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then
+ /usr/bin/authselect backup-restore "$AUTH_BACKUP_NAME"
+ else
+ if [ -e /etc/authselect/custom/resored ];then
+ /usr/bin/authselect select custom/restored --force
+ fi
+ fi
+ fi
+ fi
+ exit 0
+fi
+
+# Здесь проверяется куда указывает симлинк(если создан) конфигурационного файла
+# если он смотрит на policy конфигурационный файл, то ничего не делаем, т.к. все уже сделано до нас
+if [ "$EMPTY" = "2" ];then
+ if [ "$NEED_PATCH" = "1" ];then
+ set_gost
+ touch "$USE_PATCH"
+ else
+ OPTS_FOR_EXECUTE=$(get_auth_options)
+ if [ -n "$OPTS_FOR_EXECUTE" ];then
+ save_restored_profile
+ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then
+ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force
+ else
+ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force --backup=auth_saved_profile
+ fi
+ #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ /usr/bin/authselect apply-changes
+ touch "$PATH_TO_AUTH_SEL_BAK"
+ fi
+ fi
+else
+ if [ "$NEED_PATCH" = "1" ];then
+ set_gost
+ touch "$USE_PATCH"
+ else
+# Если не найден файл маркер, то создается файл бэкапа для authselect
+# а так же создается файл маркер
+ if [ ! -e "$PATH_TO_AUTH_SEL_BAK" ];then
+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_SEL_BAK"
+ EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG")
+ if [ -n "$EMPTY_AUTH" ];then
+ if [ ! -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then
+ /usr/bin/authselect apply-changes --backup="$AUTH_BACKUP_NAME"
+ fi
+ fi
+ fi
+
+ #LINK_VALUE=$(/usr/bin/readlink "$PATH_TO_AUTH_CONFIG")
+ #if [ "$LINK_VALUE" != "$POLICY_CONFIG" ];then
+ # #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ #fi
+ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ /usr/bin/authselect apply-changes
+ fi
+fi
+
+exit 0
\ No newline at end of file
diff --git a/tests/alternative-policies/GOST-ONLY.pol b/tests/alternative-policies/GOST-ONLY.pol
new file mode 100644
index 0000000..6238020
--- /dev/null
+++ b/tests/alternative-policies/GOST-ONLY.pol
@@ -0,0 +1,30 @@
+# Next generation GOST algorithms
+
+mac = AEAD *STREEBOG* *-OMAC *-OMAC-ACPKM *GOST*
+
+group = *GOST*
+
+hash = *GOST* *STREEBOG*
+
+sign = *GOST*
+
+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-C*
+
+key_exchange = *GOST*
+
+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0
+
+min_tls_version = TLS1.0
+
+# Parameter sizes
+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL
+min_dh_size = 2048
+min_dsa_size = 2048
+min_rsa_size = 2048
+
+# GnuTLS only for now
+sha1_in_certs = 0
+
+action_do = GOST
diff --git a/tests/alternative-policies/modules/GOST.pmod b/tests/alternative-policies/modules/GOST.pmod
new file mode 100644
index 0000000..4280cad
--- /dev/null
+++ b/tests/alternative-policies/modules/GOST.pmod
@@ -0,0 +1,18 @@
+# Adds GOST algorithms.
+# This is an example subpolicy, the algorithm names might differ in reality.
+
+mac = +*STREEBOG-* +*-OMAC +*-OMAC-ACPKM +GOST28147* +AEAD
+
+group = +*GOST*
+
+hash = +*STREEBOG* +*GOST*
+
+sign = +*GOST*
+
+cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB
+
+key_exchange = +*GOST*
+
+action_do = +GOST
\ No newline at end of file
diff --git a/tests/gnutls.py b/tests/gnutls.py
index 5833639..28db664 100755
--- a/tests/gnutls.py
+++ b/tests/gnutls.py
@@ -3,6 +3,7 @@
import os
import subprocess
import sys
+import re
from pathlib import Path
if os.getenv('OLD_GNUTLS') == '1':
@@ -13,7 +14,7 @@ print('Checking the GnuTLS configuration')
for policy_path in Path('tests', 'outputs').glob('*-gnutls.txt'):
policy = policy_path.name.removesuffix('-gnutls.txt')
- if policy == 'GOST-ONLY':
+ if re.match(r'^GOST-ONLY', policy):
continue
print(f'Checking policy {policy}')
diff --git a/tests/java.py b/tests/java.py
index 97968c7..52b2d87 100755
--- a/tests/java.py
+++ b/tests/java.py
@@ -2,6 +2,7 @@
import subprocess
import sys
+import re
from pathlib import Path
print('Checking the Java configuration')
@@ -38,7 +39,7 @@ for policy_path in Path('tests', 'outputs').glob('*-java.txt'):
lines = out.split('\n')
line_count = out.count('\n')
- if policy in {'EMPTY', 'GOST-ONLY'}:
+ if re.match(r'^GOST-ONLY', policy) or policy in {'EMPTY'}:
if line_count >= 2: # we allow SCSV # noqa: PLR2004
print('Empty policy has ciphersuites!', file=sys.stderr)
print(p.stdout, file=sys.stderr)
diff --git a/tests/nss.py b/tests/nss.py
index fda2275..f22c701 100755
--- a/tests/nss.py
+++ b/tests/nss.py
@@ -35,7 +35,7 @@ print('Checking the NSS configuration')
for policy_path in Path('tests', 'outputs').glob('*-nss.txt'):
policy = policy_path.name.removesuffix('-nss.txt')
print(f'Checking policy {policy}')
- if policy not in {'EMPTY', 'GOST-ONLY'}:
+ if policy not in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM'):
try:
p = subprocess.run(['nss-policy-check', # noqa: S607
*options, policy_path],
diff --git a/tests/openssl.py b/tests/openssl.py
index c0504f6..69b2468 100755
--- a/tests/openssl.py
+++ b/tests/openssl.py
@@ -8,7 +8,7 @@ print('Checking the OpenSSL configuration')
for policy_path in Path('tests', 'outputs').glob('*-openssl.txt'):
policy = policy_path.name.removesuffix('-openssl.txt')
- if policy in {'EMPTY', 'GOST-ONLY'}:
+ if policy in {'EMPTY', 'GOST-ONLY', "GOST-ONLY-PAM"}:
continue
print(f'Checking policy {policy}')
diff --git a/tests/outputs/DEFAULT-auth.txt b/tests/outputs/DEFAULT-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/DEFAULT:GOST-auth.txt b/tests/outputs/DEFAULT:GOST-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/DEFAULT:GOST-bind.txt b/tests/outputs/DEFAULT:GOST-bind.txt
new file mode 100644
index 0000000..09fb3f1
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-bind.txt
@@ -0,0 +1,10 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+};
+disable-ds-digests "." {
+SHA-1;
+};
diff --git a/tests/outputs/DEFAULT:GOST-gnutls.txt b/tests/outputs/DEFAULT:GOST-gnutls.txt
new file mode 100644
index 0000000..9a04550
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-gnutls.txt
@@ -0,0 +1,105 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = SHA256
+secure-hash = SHA384
+secure-hash = SHA512
+secure-hash = SHA3-256
+secure-hash = SHA3-384
+secure-hash = SHA3-512
+secure-hash = SHA224
+secure-hash = SHA3-224
+secure-hash = SHAKE-256
+tls-enabled-mac = AEAD
+tls-enabled-mac = SHA1
+tls-enabled-mac = SHA512
+tls-enabled-group = GROUP-X25519
+tls-enabled-group = GROUP-SECP256R1
+tls-enabled-group = GROUP-X448
+tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-FFDHE2048
+tls-enabled-group = GROUP-FFDHE3072
+tls-enabled-group = GROUP-FFDHE4096
+tls-enabled-group = GROUP-FFDHE6144
+tls-enabled-group = GROUP-FFDHE8192
+secure-sig = ECDSA-SHA3-256
+secure-sig = ECDSA-SHA256
+secure-sig = ECDSA-SECP256R1-SHA256
+secure-sig = ECDSA-SHA3-384
+secure-sig = ECDSA-SHA384
+secure-sig = ECDSA-SECP384R1-SHA384
+secure-sig = ECDSA-SHA3-512
+secure-sig = ECDSA-SHA512
+secure-sig = ECDSA-SECP521R1-SHA512
+secure-sig = EdDSA-Ed25519
+secure-sig = EdDSA-Ed448
+secure-sig = RSA-PSS-SHA256
+secure-sig = RSA-PSS-SHA384
+secure-sig = RSA-PSS-SHA512
+secure-sig = RSA-PSS-RSAE-SHA256
+secure-sig = RSA-PSS-RSAE-SHA384
+secure-sig = RSA-PSS-RSAE-SHA512
+secure-sig = RSA-SHA3-256
+secure-sig = RSA-SHA256
+secure-sig = RSA-SHA3-384
+secure-sig = RSA-SHA384
+secure-sig = RSA-SHA3-512
+secure-sig = RSA-SHA512
+secure-sig = ECDSA-SHA224
+secure-sig = RSA-SHA224
+secure-sig = ECDSA-SHA3-224
+secure-sig = RSA-SHA3-224
+secure-sig-for-cert = ECDSA-SHA3-256
+secure-sig-for-cert = ECDSA-SHA256
+secure-sig-for-cert = ECDSA-SECP256R1-SHA256
+secure-sig-for-cert = ECDSA-SHA3-384
+secure-sig-for-cert = ECDSA-SHA384
+secure-sig-for-cert = ECDSA-SECP384R1-SHA384
+secure-sig-for-cert = ECDSA-SHA3-512
+secure-sig-for-cert = ECDSA-SHA512
+secure-sig-for-cert = ECDSA-SECP521R1-SHA512
+secure-sig-for-cert = EdDSA-Ed25519
+secure-sig-for-cert = EdDSA-Ed448
+secure-sig-for-cert = RSA-PSS-SHA256
+secure-sig-for-cert = RSA-PSS-SHA384
+secure-sig-for-cert = RSA-PSS-SHA512
+secure-sig-for-cert = RSA-PSS-RSAE-SHA256
+secure-sig-for-cert = RSA-PSS-RSAE-SHA384
+secure-sig-for-cert = RSA-PSS-RSAE-SHA512
+secure-sig-for-cert = RSA-SHA3-256
+secure-sig-for-cert = RSA-SHA256
+secure-sig-for-cert = RSA-SHA3-384
+secure-sig-for-cert = RSA-SHA384
+secure-sig-for-cert = RSA-SHA3-512
+secure-sig-for-cert = RSA-SHA512
+secure-sig-for-cert = ECDSA-SHA224
+secure-sig-for-cert = RSA-SHA224
+secure-sig-for-cert = ECDSA-SHA3-224
+secure-sig-for-cert = RSA-SHA3-224
+enabled-curve = X25519
+enabled-curve = SECP256R1
+enabled-curve = X448
+enabled-curve = SECP521R1
+enabled-curve = SECP384R1
+enabled-curve = Ed25519
+enabled-curve = Ed448
+tls-enabled-cipher = AES-256-GCM
+tls-enabled-cipher = AES-256-CCM
+tls-enabled-cipher = CHACHA20-POLY1305
+tls-enabled-cipher = AES-256-CBC
+tls-enabled-cipher = AES-128-GCM
+tls-enabled-cipher = AES-128-CCM
+tls-enabled-cipher = AES-128-CBC
+tls-enabled-kx = ECDHE-RSA
+tls-enabled-kx = ECDHE-ECDSA
+tls-enabled-kx = RSA
+tls-enabled-kx = DHE-RSA
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = DTLS1.2
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/DEFAULT:GOST-java.txt b/tests/outputs/DEFAULT:GOST-java.txt
new file mode 100644
index 0000000..ed6f632
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5
+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:GOST-javasystem.txt b/tests/outputs/DEFAULT:GOST-javasystem.txt
new file mode 100644
index 0000000..7d5cfd6
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
diff --git a/tests/outputs/DEFAULT:GOST-krb5.txt b/tests/outputs/DEFAULT:GOST-krb5.txt
new file mode 100644
index 0000000..415dcb3
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
diff --git a/tests/outputs/DEFAULT:GOST-libreswan.txt b/tests/outputs/DEFAULT:GOST-libreswan.txt
new file mode 100644
index 0000000..9f2f5db
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-libreswan.txt
@@ -0,0 +1,6 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff --git a/tests/outputs/DEFAULT:GOST-libssh.txt b/tests/outputs/DEFAULT:GOST-libssh.txt
new file mode 100644
index 0000000..49d8251
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:GOST-nss.txt b/tests/outputs/DEFAULT:GOST-nss.txt
new file mode 100644
index 0000000..b8bf74a
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:GOST-openssh.txt b/tests/outputs/DEFAULT:GOST-openssh.txt
new file mode 100644
index 0000000..47d352e
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-openssh.txt
@@ -0,0 +1,7 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:GOST-opensshserver.txt b/tests/outputs/DEFAULT:GOST-opensshserver.txt
new file mode 100644
index 0000000..8105750
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-opensshserver.txt
@@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:GOST-openssl.txt b/tests/outputs/DEFAULT:GOST-openssl.txt
new file mode 100644
index 0000000..239566f
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/DEFAULT:GOST-openssl_fips.txt b/tests/outputs/DEFAULT:GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
new file mode 100644
index 0000000..6fe6291
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
@@ -0,0 +1,20 @@
+CipherString = @SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = GOST2012-GOST8912-GOST8912:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+
+[openssl_init]
+engines = engine_gost
+
+[engine_gost]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = /usr/lib64/engines-3/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
diff --git a/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
new file mode 100644
index 0000000..cec1d15
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "always"
+sha1.second_preimage_resistance = "always"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "always"
+dsa2048 = "always"
+dsa3072 = "always"
+dsa4096 = "always"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
diff --git a/tests/outputs/DEFAULT:GOST-sequoia.txt b/tests/outputs/DEFAULT:GOST-sequoia.txt
new file mode 100644
index 0000000..135997c
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "never"
+sha1.second_preimage_resistance = "never"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "never"
+dsa2048 = "never"
+dsa3072 = "never"
+dsa4096 = "never"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
diff --git a/tests/outputs/DEFAULT:PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PAM-GOST-auth.txt
new file mode 100644
index 0000000..110527f
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-auth.txt
@@ -0,0 +1,2 @@
+custom/minimal_gost
+with-gost
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PAM-GOST-bind.txt
new file mode 100644
index 0000000..9ec8420
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-bind.txt
@@ -0,0 +1,12 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+ECCGOST;
+};
+disable-ds-digests "." {
+SHA-1;
+GOST;
+};
diff --git a/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
new file mode 100644
index 0000000..9a04550
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
@@ -0,0 +1,105 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = SHA256
+secure-hash = SHA384
+secure-hash = SHA512
+secure-hash = SHA3-256
+secure-hash = SHA3-384
+secure-hash = SHA3-512
+secure-hash = SHA224
+secure-hash = SHA3-224
+secure-hash = SHAKE-256
+tls-enabled-mac = AEAD
+tls-enabled-mac = SHA1
+tls-enabled-mac = SHA512
+tls-enabled-group = GROUP-X25519
+tls-enabled-group = GROUP-SECP256R1
+tls-enabled-group = GROUP-X448
+tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-FFDHE2048
+tls-enabled-group = GROUP-FFDHE3072
+tls-enabled-group = GROUP-FFDHE4096
+tls-enabled-group = GROUP-FFDHE6144
+tls-enabled-group = GROUP-FFDHE8192
+secure-sig = ECDSA-SHA3-256
+secure-sig = ECDSA-SHA256
+secure-sig = ECDSA-SECP256R1-SHA256
+secure-sig = ECDSA-SHA3-384
+secure-sig = ECDSA-SHA384
+secure-sig = ECDSA-SECP384R1-SHA384
+secure-sig = ECDSA-SHA3-512
+secure-sig = ECDSA-SHA512
+secure-sig = ECDSA-SECP521R1-SHA512
+secure-sig = EdDSA-Ed25519
+secure-sig = EdDSA-Ed448
+secure-sig = RSA-PSS-SHA256
+secure-sig = RSA-PSS-SHA384
+secure-sig = RSA-PSS-SHA512
+secure-sig = RSA-PSS-RSAE-SHA256
+secure-sig = RSA-PSS-RSAE-SHA384
+secure-sig = RSA-PSS-RSAE-SHA512
+secure-sig = RSA-SHA3-256
+secure-sig = RSA-SHA256
+secure-sig = RSA-SHA3-384
+secure-sig = RSA-SHA384
+secure-sig = RSA-SHA3-512
+secure-sig = RSA-SHA512
+secure-sig = ECDSA-SHA224
+secure-sig = RSA-SHA224
+secure-sig = ECDSA-SHA3-224
+secure-sig = RSA-SHA3-224
+secure-sig-for-cert = ECDSA-SHA3-256
+secure-sig-for-cert = ECDSA-SHA256
+secure-sig-for-cert = ECDSA-SECP256R1-SHA256
+secure-sig-for-cert = ECDSA-SHA3-384
+secure-sig-for-cert = ECDSA-SHA384
+secure-sig-for-cert = ECDSA-SECP384R1-SHA384
+secure-sig-for-cert = ECDSA-SHA3-512
+secure-sig-for-cert = ECDSA-SHA512
+secure-sig-for-cert = ECDSA-SECP521R1-SHA512
+secure-sig-for-cert = EdDSA-Ed25519
+secure-sig-for-cert = EdDSA-Ed448
+secure-sig-for-cert = RSA-PSS-SHA256
+secure-sig-for-cert = RSA-PSS-SHA384
+secure-sig-for-cert = RSA-PSS-SHA512
+secure-sig-for-cert = RSA-PSS-RSAE-SHA256
+secure-sig-for-cert = RSA-PSS-RSAE-SHA384
+secure-sig-for-cert = RSA-PSS-RSAE-SHA512
+secure-sig-for-cert = RSA-SHA3-256
+secure-sig-for-cert = RSA-SHA256
+secure-sig-for-cert = RSA-SHA3-384
+secure-sig-for-cert = RSA-SHA384
+secure-sig-for-cert = RSA-SHA3-512
+secure-sig-for-cert = RSA-SHA512
+secure-sig-for-cert = ECDSA-SHA224
+secure-sig-for-cert = RSA-SHA224
+secure-sig-for-cert = ECDSA-SHA3-224
+secure-sig-for-cert = RSA-SHA3-224
+enabled-curve = X25519
+enabled-curve = SECP256R1
+enabled-curve = X448
+enabled-curve = SECP521R1
+enabled-curve = SECP384R1
+enabled-curve = Ed25519
+enabled-curve = Ed448
+tls-enabled-cipher = AES-256-GCM
+tls-enabled-cipher = AES-256-CCM
+tls-enabled-cipher = CHACHA20-POLY1305
+tls-enabled-cipher = AES-256-CBC
+tls-enabled-cipher = AES-128-GCM
+tls-enabled-cipher = AES-128-CCM
+tls-enabled-cipher = AES-128-CBC
+tls-enabled-kx = ECDHE-RSA
+tls-enabled-kx = ECDHE-ECDSA
+tls-enabled-kx = RSA
+tls-enabled-kx = DHE-RSA
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = DTLS1.2
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/DEFAULT:PAM-GOST-java.txt b/tests/outputs/DEFAULT:PAM-GOST-java.txt
new file mode 100644
index 0000000..ed6f632
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5
+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
new file mode 100644
index 0000000..7d5cfd6
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
diff --git a/tests/outputs/DEFAULT:PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt
new file mode 100644
index 0000000..415dcb3
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
diff --git a/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
new file mode 100644
index 0000000..9f2f5db
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
@@ -0,0 +1,6 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff --git a/tests/outputs/DEFAULT:PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt
new file mode 100644
index 0000000..49d8251
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PAM-GOST-nss.txt
new file mode 100644
index 0000000..b8bf74a
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt
new file mode 100644
index 0000000..47d352e
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt
@@ -0,0 +1,7 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
new file mode 100644
index 0000000..8105750
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
@@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt
new file mode 100644
index 0000000..952c651
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
new file mode 100644
index 0000000..8f18d1e
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
@@ -0,0 +1,8 @@
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt
new file mode 100644
index 0000000..dbcae14
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt
@@ -0,0 +1 @@
+patch
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
new file mode 100644
index 0000000..9ec8420
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
@@ -0,0 +1,12 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+ECCGOST;
+};
+disable-ds-digests "." {
+SHA-1;
+GOST;
+};
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
new file mode 100644
index 0000000..9a04550
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
@@ -0,0 +1,105 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = SHA256
+secure-hash = SHA384
+secure-hash = SHA512
+secure-hash = SHA3-256
+secure-hash = SHA3-384
+secure-hash = SHA3-512
+secure-hash = SHA224
+secure-hash = SHA3-224
+secure-hash = SHAKE-256
+tls-enabled-mac = AEAD
+tls-enabled-mac = SHA1
+tls-enabled-mac = SHA512
+tls-enabled-group = GROUP-X25519
+tls-enabled-group = GROUP-SECP256R1
+tls-enabled-group = GROUP-X448
+tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-FFDHE2048
+tls-enabled-group = GROUP-FFDHE3072
+tls-enabled-group = GROUP-FFDHE4096
+tls-enabled-group = GROUP-FFDHE6144
+tls-enabled-group = GROUP-FFDHE8192
+secure-sig = ECDSA-SHA3-256
+secure-sig = ECDSA-SHA256
+secure-sig = ECDSA-SECP256R1-SHA256
+secure-sig = ECDSA-SHA3-384
+secure-sig = ECDSA-SHA384
+secure-sig = ECDSA-SECP384R1-SHA384
+secure-sig = ECDSA-SHA3-512
+secure-sig = ECDSA-SHA512
+secure-sig = ECDSA-SECP521R1-SHA512
+secure-sig = EdDSA-Ed25519
+secure-sig = EdDSA-Ed448
+secure-sig = RSA-PSS-SHA256
+secure-sig = RSA-PSS-SHA384
+secure-sig = RSA-PSS-SHA512
+secure-sig = RSA-PSS-RSAE-SHA256
+secure-sig = RSA-PSS-RSAE-SHA384
+secure-sig = RSA-PSS-RSAE-SHA512
+secure-sig = RSA-SHA3-256
+secure-sig = RSA-SHA256
+secure-sig = RSA-SHA3-384
+secure-sig = RSA-SHA384
+secure-sig = RSA-SHA3-512
+secure-sig = RSA-SHA512
+secure-sig = ECDSA-SHA224
+secure-sig = RSA-SHA224
+secure-sig = ECDSA-SHA3-224
+secure-sig = RSA-SHA3-224
+secure-sig-for-cert = ECDSA-SHA3-256
+secure-sig-for-cert = ECDSA-SHA256
+secure-sig-for-cert = ECDSA-SECP256R1-SHA256
+secure-sig-for-cert = ECDSA-SHA3-384
+secure-sig-for-cert = ECDSA-SHA384
+secure-sig-for-cert = ECDSA-SECP384R1-SHA384
+secure-sig-for-cert = ECDSA-SHA3-512
+secure-sig-for-cert = ECDSA-SHA512
+secure-sig-for-cert = ECDSA-SECP521R1-SHA512
+secure-sig-for-cert = EdDSA-Ed25519
+secure-sig-for-cert = EdDSA-Ed448
+secure-sig-for-cert = RSA-PSS-SHA256
+secure-sig-for-cert = RSA-PSS-SHA384
+secure-sig-for-cert = RSA-PSS-SHA512
+secure-sig-for-cert = RSA-PSS-RSAE-SHA256
+secure-sig-for-cert = RSA-PSS-RSAE-SHA384
+secure-sig-for-cert = RSA-PSS-RSAE-SHA512
+secure-sig-for-cert = RSA-SHA3-256
+secure-sig-for-cert = RSA-SHA256
+secure-sig-for-cert = RSA-SHA3-384
+secure-sig-for-cert = RSA-SHA384
+secure-sig-for-cert = RSA-SHA3-512
+secure-sig-for-cert = RSA-SHA512
+secure-sig-for-cert = ECDSA-SHA224
+secure-sig-for-cert = RSA-SHA224
+secure-sig-for-cert = ECDSA-SHA3-224
+secure-sig-for-cert = RSA-SHA3-224
+enabled-curve = X25519
+enabled-curve = SECP256R1
+enabled-curve = X448
+enabled-curve = SECP521R1
+enabled-curve = SECP384R1
+enabled-curve = Ed25519
+enabled-curve = Ed448
+tls-enabled-cipher = AES-256-GCM
+tls-enabled-cipher = AES-256-CCM
+tls-enabled-cipher = CHACHA20-POLY1305
+tls-enabled-cipher = AES-256-CBC
+tls-enabled-cipher = AES-128-GCM
+tls-enabled-cipher = AES-128-CCM
+tls-enabled-cipher = AES-128-CBC
+tls-enabled-kx = ECDHE-RSA
+tls-enabled-kx = ECDHE-ECDSA
+tls-enabled-kx = RSA
+tls-enabled-kx = DHE-RSA
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = DTLS1.2
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
new file mode 100644
index 0000000..ed6f632
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5
+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
new file mode 100644
index 0000000..7d5cfd6
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
new file mode 100644
index 0000000..415dcb3
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
new file mode 100644
index 0000000..9f2f5db
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
@@ -0,0 +1,6 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
new file mode 100644
index 0000000..49d8251
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
new file mode 100644
index 0000000..b8bf74a
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
new file mode 100644
index 0000000..47d352e
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
@@ -0,0 +1,7 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
new file mode 100644
index 0000000..8105750
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
@@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
new file mode 100644
index 0000000..952c651
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
new file mode 100644
index 0000000..8f18d1e
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
@@ -0,0 +1,8 @@
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
diff --git a/tests/outputs/DEFAULT:SHA1-auth.txt b/tests/outputs/DEFAULT:SHA1-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
new file mode 100644
index 0000000..4884073
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
@@ -0,0 +1,4 @@
+custom/sssd_gost
+with-gost
+with-fingerprint
+with-silent-lastlog
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
new file mode 100644
index 0000000..9ec8420
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
@@ -0,0 +1,12 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+ECCGOST;
+};
+disable-ds-digests "." {
+SHA-1;
+GOST;
+};
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
new file mode 100644
index 0000000..9a04550
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
@@ -0,0 +1,105 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = SHA256
+secure-hash = SHA384
+secure-hash = SHA512
+secure-hash = SHA3-256
+secure-hash = SHA3-384
+secure-hash = SHA3-512
+secure-hash = SHA224
+secure-hash = SHA3-224
+secure-hash = SHAKE-256
+tls-enabled-mac = AEAD
+tls-enabled-mac = SHA1
+tls-enabled-mac = SHA512
+tls-enabled-group = GROUP-X25519
+tls-enabled-group = GROUP-SECP256R1
+tls-enabled-group = GROUP-X448
+tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-FFDHE2048
+tls-enabled-group = GROUP-FFDHE3072
+tls-enabled-group = GROUP-FFDHE4096
+tls-enabled-group = GROUP-FFDHE6144
+tls-enabled-group = GROUP-FFDHE8192
+secure-sig = ECDSA-SHA3-256
+secure-sig = ECDSA-SHA256
+secure-sig = ECDSA-SECP256R1-SHA256
+secure-sig = ECDSA-SHA3-384
+secure-sig = ECDSA-SHA384
+secure-sig = ECDSA-SECP384R1-SHA384
+secure-sig = ECDSA-SHA3-512
+secure-sig = ECDSA-SHA512
+secure-sig = ECDSA-SECP521R1-SHA512
+secure-sig = EdDSA-Ed25519
+secure-sig = EdDSA-Ed448
+secure-sig = RSA-PSS-SHA256
+secure-sig = RSA-PSS-SHA384
+secure-sig = RSA-PSS-SHA512
+secure-sig = RSA-PSS-RSAE-SHA256
+secure-sig = RSA-PSS-RSAE-SHA384
+secure-sig = RSA-PSS-RSAE-SHA512
+secure-sig = RSA-SHA3-256
+secure-sig = RSA-SHA256
+secure-sig = RSA-SHA3-384
+secure-sig = RSA-SHA384
+secure-sig = RSA-SHA3-512
+secure-sig = RSA-SHA512
+secure-sig = ECDSA-SHA224
+secure-sig = RSA-SHA224
+secure-sig = ECDSA-SHA3-224
+secure-sig = RSA-SHA3-224
+secure-sig-for-cert = ECDSA-SHA3-256
+secure-sig-for-cert = ECDSA-SHA256
+secure-sig-for-cert = ECDSA-SECP256R1-SHA256
+secure-sig-for-cert = ECDSA-SHA3-384
+secure-sig-for-cert = ECDSA-SHA384
+secure-sig-for-cert = ECDSA-SECP384R1-SHA384
+secure-sig-for-cert = ECDSA-SHA3-512
+secure-sig-for-cert = ECDSA-SHA512
+secure-sig-for-cert = ECDSA-SECP521R1-SHA512
+secure-sig-for-cert = EdDSA-Ed25519
+secure-sig-for-cert = EdDSA-Ed448
+secure-sig-for-cert = RSA-PSS-SHA256
+secure-sig-for-cert = RSA-PSS-SHA384
+secure-sig-for-cert = RSA-PSS-SHA512
+secure-sig-for-cert = RSA-PSS-RSAE-SHA256
+secure-sig-for-cert = RSA-PSS-RSAE-SHA384
+secure-sig-for-cert = RSA-PSS-RSAE-SHA512
+secure-sig-for-cert = RSA-SHA3-256
+secure-sig-for-cert = RSA-SHA256
+secure-sig-for-cert = RSA-SHA3-384
+secure-sig-for-cert = RSA-SHA384
+secure-sig-for-cert = RSA-SHA3-512
+secure-sig-for-cert = RSA-SHA512
+secure-sig-for-cert = ECDSA-SHA224
+secure-sig-for-cert = RSA-SHA224
+secure-sig-for-cert = ECDSA-SHA3-224
+secure-sig-for-cert = RSA-SHA3-224
+enabled-curve = X25519
+enabled-curve = SECP256R1
+enabled-curve = X448
+enabled-curve = SECP521R1
+enabled-curve = SECP384R1
+enabled-curve = Ed25519
+enabled-curve = Ed448
+tls-enabled-cipher = AES-256-GCM
+tls-enabled-cipher = AES-256-CCM
+tls-enabled-cipher = CHACHA20-POLY1305
+tls-enabled-cipher = AES-256-CBC
+tls-enabled-cipher = AES-128-GCM
+tls-enabled-cipher = AES-128-CCM
+tls-enabled-cipher = AES-128-CBC
+tls-enabled-kx = ECDHE-RSA
+tls-enabled-kx = ECDHE-ECDSA
+tls-enabled-kx = RSA
+tls-enabled-kx = DHE-RSA
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = DTLS1.2
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
new file mode 100644
index 0000000..ed6f632
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5
+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
new file mode 100644
index 0000000..7d5cfd6
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
new file mode 100644
index 0000000..415dcb3
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
new file mode 100644
index 0000000..9f2f5db
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
@@ -0,0 +1,6 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
new file mode 100644
index 0000000..49d8251
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
new file mode 100644
index 0000000..b8bf74a
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
new file mode 100644
index 0000000..47d352e
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
@@ -0,0 +1,7 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
new file mode 100644
index 0000000..8105750
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
@@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
new file mode 100644
index 0000000..952c651
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
new file mode 100644
index 0000000..8f18d1e
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
@@ -0,0 +1,8 @@
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
diff --git a/tests/outputs/EMPTY-auth.txt b/tests/outputs/EMPTY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS-auth.txt b/tests/outputs/FIPS-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS:ECDHE-ONLY-auth.txt b/tests/outputs/FIPS:ECDHE-ONLY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt b/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS:OSPP-auth.txt b/tests/outputs/FIPS:OSPP-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FUTURE-auth.txt b/tests/outputs/FUTURE-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FUTURE:AD-SUPPORT-auth.txt b/tests/outputs/FUTURE:AD-SUPPORT-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-PAM-auth.txt b/tests/outputs/GOST-ONLY-PAM-auth.txt
new file mode 100644
index 0000000..110527f
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-auth.txt
@@ -0,0 +1,2 @@
+custom/minimal_gost
+with-gost
\ No newline at end of file
diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt
new file mode 100644
index 0000000..e701c5c
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-bind.txt
@@ -0,0 +1,18 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+RSASHA256;
+ECDSAP256SHA256;
+ECDSAP384SHA384;
+RSASHA512;
+ED25519;
+ED448;
+};
+disable-ds-digests "." {
+SHA-256;
+SHA-384;
+SHA-1;
+};
diff --git a/tests/outputs/GOST-ONLY-PAM-gnutls.txt b/tests/outputs/GOST-ONLY-PAM-gnutls.txt
new file mode 100644
index 0000000..59c9ae0
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-gnutls.txt
@@ -0,0 +1,13 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+tls-enabled-mac = AEAD
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = TLS1.1
+enabled-version = TLS1.0
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt
new file mode 100644
index 0000000..a306242
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, SSLv3, SSLv2, DTLSv1.0, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+jdk.disabled.namedCurves=x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/GOST-ONLY-PAM-javasystem.txt b/tests/outputs/GOST-ONLY-PAM-javasystem.txt
new file mode 100644
index 0000000..408e8dd
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=
diff --git a/tests/outputs/GOST-ONLY-PAM-krb5.txt b/tests/outputs/GOST-ONLY-PAM-krb5.txt
new file mode 100644
index 0000000..b0b1480
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes =
diff --git a/tests/outputs/GOST-ONLY-PAM-libreswan.txt b/tests/outputs/GOST-ONLY-PAM-libreswan.txt
new file mode 100644
index 0000000..7dc12cd
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-libreswan.txt
@@ -0,0 +1,2 @@
+conn %default
+ pfs=yes
diff --git a/tests/outputs/GOST-ONLY-PAM-libssh.txt b/tests/outputs/GOST-ONLY-PAM-libssh.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-PAM-nss.txt b/tests/outputs/GOST-ONLY-PAM-nss.txt
new file mode 100644
index 0000000..bf6f1ca
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/GOST-ONLY-PAM-openssh.txt b/tests/outputs/GOST-ONLY-PAM-openssh.txt
new file mode 100644
index 0000000..89e06ad
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-openssh.txt
@@ -0,0 +1,2 @@
+GSSAPIKeyExchange no
+RequiredRSASize 2048
diff --git a/tests/outputs/GOST-ONLY-PAM-opensshserver.txt b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt
new file mode 100644
index 0000000..89e06ad
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt
@@ -0,0 +1,2 @@
+GSSAPIKeyExchange no
+RequiredRSASize 2048
diff --git a/tests/outputs/GOST-ONLY-PAM-openssl.txt b/tests/outputs/GOST-ONLY-PAM-openssl.txt
new file mode 100644
index 0000000..abeab8c
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
new file mode 100644
index 0000000..c5c1f47
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
@@ -0,0 +1,18 @@
+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = GOST2012-GOST8912-GOST8912
+TLS.MinProtocol = TLSv1
+TLS.MaxProtocol = TLSv1.3
+SignatureAlgorithms =
+Groups =
+
+[openssl_init]
+engines = engine_gost
+
+[engine_gost]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = /usr/lib64/engines-3/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
diff --git a/tests/outputs/GOST-ONLY-auth.txt b/tests/outputs/GOST-ONLY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt
new file mode 100644
index 0000000..e701c5c
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-bind.txt
@@ -0,0 +1,18 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+RSASHA256;
+ECDSAP256SHA256;
+ECDSAP384SHA384;
+RSASHA512;
+ED25519;
+ED448;
+};
+disable-ds-digests "." {
+SHA-256;
+SHA-384;
+SHA-1;
+};
diff --git a/tests/outputs/GOST-ONLY-gnutls.txt b/tests/outputs/GOST-ONLY-gnutls.txt
new file mode 100644
index 0000000..59c9ae0
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-gnutls.txt
@@ -0,0 +1,13 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+tls-enabled-mac = AEAD
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = TLS1.1
+enabled-version = TLS1.0
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt
new file mode 100644
index 0000000..a306242
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, SSLv3, SSLv2, DTLSv1.0, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+jdk.disabled.namedCurves=x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/GOST-ONLY-javasystem.txt b/tests/outputs/GOST-ONLY-javasystem.txt
new file mode 100644
index 0000000..408e8dd
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=
diff --git a/tests/outputs/GOST-ONLY-krb5.txt b/tests/outputs/GOST-ONLY-krb5.txt
new file mode 100644
index 0000000..b0b1480
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes =
diff --git a/tests/outputs/GOST-ONLY-libreswan.txt b/tests/outputs/GOST-ONLY-libreswan.txt
new file mode 100644
index 0000000..7dc12cd
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-libreswan.txt
@@ -0,0 +1,2 @@
+conn %default
+ pfs=yes
diff --git a/tests/outputs/GOST-ONLY-libssh.txt b/tests/outputs/GOST-ONLY-libssh.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-nss.txt b/tests/outputs/GOST-ONLY-nss.txt
new file mode 100644
index 0000000..bf6f1ca
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/GOST-ONLY-openssh.txt b/tests/outputs/GOST-ONLY-openssh.txt
new file mode 100644
index 0000000..89e06ad
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-openssh.txt
@@ -0,0 +1,2 @@
+GSSAPIKeyExchange no
+RequiredRSASize 2048
diff --git a/tests/outputs/GOST-ONLY-opensshserver.txt b/tests/outputs/GOST-ONLY-opensshserver.txt
new file mode 100644
index 0000000..89e06ad
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-opensshserver.txt
@@ -0,0 +1,2 @@
+GSSAPIKeyExchange no
+RequiredRSASize 2048
diff --git a/tests/outputs/GOST-ONLY-openssl.txt b/tests/outputs/GOST-ONLY-openssl.txt
new file mode 100644
index 0000000..abeab8c
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/GOST-ONLY-openssl_fips.txt b/tests/outputs/GOST-ONLY-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/GOST-ONLY-opensslcnf.txt b/tests/outputs/GOST-ONLY-opensslcnf.txt
new file mode 100644
index 0000000..c5c1f47
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-opensslcnf.txt
@@ -0,0 +1,18 @@
+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = GOST2012-GOST8912-GOST8912
+TLS.MinProtocol = TLSv1
+TLS.MaxProtocol = TLSv1.3
+SignatureAlgorithms =
+Groups =
+
+[openssl_init]
+engines = engine_gost
+
+[engine_gost]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = /usr/lib64/engines-3/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
diff --git a/tests/outputs/GOST-ONLY-rpm-sequoia.txt b/tests/outputs/GOST-ONLY-rpm-sequoia.txt
new file mode 100644
index 0000000..3ec0b96
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-rpm-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "never"
+sha1.second_preimage_resistance = "never"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "never"
+sha224.second_preimage_resistance = "never"
+sha256.collision_resistance = "never"
+sha256.second_preimage_resistance = "never"
+sha384.collision_resistance = "never"
+sha384.second_preimage_resistance = "never"
+sha512.collision_resistance = "never"
+sha512.second_preimage_resistance = "never"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "never"
+aes192 = "never"
+aes256 = "never"
+twofish = "never"
+camellia128 = "never"
+camellia192 = "never"
+camellia256 = "never"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "never"
+rsa3072 = "never"
+rsa4096 = "never"
+dsa1024 = "never"
+dsa2048 = "never"
+dsa3072 = "never"
+dsa4096 = "never"
+nistp256 = "never"
+nistp384 = "never"
+nistp521 = "never"
+cv25519 = "never"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
diff --git a/tests/outputs/GOST-ONLY-sequoia.txt b/tests/outputs/GOST-ONLY-sequoia.txt
new file mode 100644
index 0000000..3ec0b96
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "never"
+sha1.second_preimage_resistance = "never"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "never"
+sha224.second_preimage_resistance = "never"
+sha256.collision_resistance = "never"
+sha256.second_preimage_resistance = "never"
+sha384.collision_resistance = "never"
+sha384.second_preimage_resistance = "never"
+sha512.collision_resistance = "never"
+sha512.second_preimage_resistance = "never"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "never"
+aes192 = "never"
+aes256 = "never"
+twofish = "never"
+camellia128 = "never"
+camellia192 = "never"
+camellia256 = "never"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "never"
+rsa3072 = "never"
+rsa4096 = "never"
+dsa1024 = "never"
+dsa2048 = "never"
+dsa3072 = "never"
+dsa4096 = "never"
+nistp256 = "never"
+nistp384 = "never"
+nistp521 = "never"
+cv25519 = "never"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
diff --git a/tests/outputs/LEGACY-auth.txt b/tests/outputs/LEGACY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt b/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt
new file mode 100644
index 0000000..e69de29
--
2.39.3