From 0f8ca1d2935360fbe1af679757b40a5ede3ff947 Mon Sep 17 00:00:00 2001
From: tigro
Date: Thu, 14 Nov 2024 14:10:47 +0300
Subject: [PATCH] import crypto-policies-20240828-2.git626aa59.el9_5
---
.crypto-policies.metadata | 2 +-
.gitignore | 2 +-
...olicy-also-added-experimental-PAM-ge.patch | 3253 -----------------
...y-also-added-experimental-PAM-genera.patch | 3229 ----------------
...0001-Added-tests-fix-for-9.4-version.patch | 59 -
SPECS/crypto-policies.spec | 33 +-
6 files changed, 12 insertions(+), 6566 deletions(-)
delete mode 100644 SOURCES/0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch
delete mode 100644 SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch
delete mode 100644 SOURCES/0001-Added-tests-fix-for-9.4-version.patch
diff --git a/.crypto-policies.metadata b/.crypto-policies.metadata
index cb7bb96..00b55ed 100644
--- a/.crypto-policies.metadata
+++ b/.crypto-policies.metadata
@@ -1 +1 @@
-61d1e62750bb43415038892681dd29637832ee4d SOURCES/crypto-policies-git283706d.tar.gz
+d43a8ec9893ba0079437515360db8b2483bb0351 SOURCES/crypto-policies-git626aa59.tar.gz
diff --git a/.gitignore b/.gitignore
index 6b5168f..23d8e3c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/crypto-policies-git283706d.tar.gz
+SOURCES/crypto-policies-git626aa59.tar.gz
diff --git a/SOURCES/0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch b/SOURCES/0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch
deleted file mode 100644
index 9553800..0000000
--- a/SOURCES/0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch
+++ /dev/null
@@ -1,3253 +0,0 @@
-From f929e72a42bd205c933320ec8d4e828ced4a0050 Mon Sep 17 00:00:00 2001
-From: Alexey Berezhok
-Date: Mon, 14 Oct 2024 18:08:55 +0300
-Subject: [PATCH] Added GOST 9.5 policy also added experimental PAM generator
-
----
- Makefile | 12 ++
- authselect_policies/minimal_gost/README | 84 ++++++++
- authselect_policies/minimal_gost/REQUIREMENTS | 0
- authselect_policies/minimal_gost/dconf-db | 3 +
- authselect_policies/minimal_gost/dconf-locks | 2 +
- .../minimal_gost/fingerprint-auth | 16 ++
- .../minimal_gost/nsswitch.conf | 14 ++
- .../minimal_gost/password-auth | 15 ++
- authselect_policies/minimal_gost/postlogin | 4 +
- .../minimal_gost/smartcard-auth | 16 ++
- authselect_policies/minimal_gost/system-auth | 15 ++
- authselect_policies/sssd_gost/README | 145 +++++++++++++
- authselect_policies/sssd_gost/REQUIREMENTS | 29 +++
- authselect_policies/sssd_gost/dconf-db | 9 +
- authselect_policies/sssd_gost/dconf-locks | 4 +
- .../sssd_gost/fingerprint-auth | 28 +++
- authselect_policies/sssd_gost/nsswitch.conf | 7 +
- authselect_policies/sssd_gost/password-auth | 39 ++++
- authselect_policies/sssd_gost/postlogin | 4 +
- authselect_policies/sssd_gost/smartcard-auth | 26 +++
- authselect_policies/sssd_gost/system-auth | 46 ++++
- policies/GOST-ONLY-PAM.pol | 29 +++
- policies/GOST-ONLY.pol | 28 +++
- policies/modules/GOST.pmod | 18 ++
- policies/modules/PAM-GOST.pmod | 3 +
- policies/modules/PATCH-PAM-GOST.pmod | 3 +
- policies/modules/SSSD-PAM-GOST.pmod | 3 +
- python/build-crypto-policies.py | 8 +-
- python/cryptopolicies/alg_lists.py | 19 +-
- python/cryptopolicies/cryptopolicies.py | 7 +-
- python/policygenerators/__init__.py | 2 +
- python/policygenerators/auth.py | 36 ++++
- .../fedora-crypto-policies.code-workspace | 0
- python/policygenerators/openssl.py | 23 ++
- scripts/auth_apply.sh | 204 ++++++++++++++++++
- tests/alternative-policies/GOST-ONLY.pol | 30 +++
- tests/alternative-policies/modules/GOST.pmod | 18 ++
- tests/gnutls.py | 3 +-
- 
tests/java.py | 3 +- - tests/nss.py | 2 +- - tests/openssl.py | 2 +- - tests/outputs/DEFAULT-auth.txt | 0 - tests/outputs/DEFAULT:GOST-auth.txt | 0 - tests/outputs/DEFAULT:GOST-bind.txt | 10 + - tests/outputs/DEFAULT:GOST-gnutls.txt | 105 +++++++++ - tests/outputs/DEFAULT:GOST-java.txt | 4 + - tests/outputs/DEFAULT:GOST-javasystem.txt | 2 + - tests/outputs/DEFAULT:GOST-krb5.txt | 2 + - tests/outputs/DEFAULT:GOST-libreswan.txt | 6 + - tests/outputs/DEFAULT:GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:GOST-nss.txt | 6 + - tests/outputs/DEFAULT:GOST-openssh.txt | 7 + - tests/outputs/DEFAULT:GOST-opensshserver.txt | 8 + - tests/outputs/DEFAULT:GOST-openssl.txt | 1 + - tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 + - tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 ++ - tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 +++++ - tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++++ - tests/outputs/DEFAULT:PAM-GOST-auth.txt | 2 + - tests/outputs/DEFAULT:PAM-GOST-bind.txt | 12 ++ - tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 +++++++++ - tests/outputs/DEFAULT:PAM-GOST-java.txt | 4 + - tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 2 + - tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 + - tests/outputs/DEFAULT:PAM-GOST-libreswan.txt | 6 + - tests/outputs/DEFAULT:PAM-GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:PAM-GOST-nss.txt | 6 + - tests/outputs/DEFAULT:PAM-GOST-openssh.txt | 7 + - .../DEFAULT:PAM-GOST-opensshserver.txt | 8 + - tests/outputs/DEFAULT:PAM-GOST-openssl.txt | 1 + - .../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 + - tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 8 + - tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt | 1 + - tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 12 ++ - .../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 105 +++++++++ - tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 4 + - .../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 2 + - tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 + - .../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 6 + - 
.../outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 6 + - .../DEFAULT:PATCH-PAM-GOST-openssh.txt | 7 + - .../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 8 + - .../DEFAULT:PATCH-PAM-GOST-openssl.txt | 1 + - .../DEFAULT:PATCH-PAM-GOST-openssl_fips.txt | 4 + - .../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 8 + - tests/outputs/DEFAULT:SHA1-auth.txt | 0 - tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt | 4 + - tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 12 ++ - .../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 105 +++++++++ - tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 4 + - .../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 2 + - tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 + - .../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 6 + - .../outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 6 + - .../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 7 + - .../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 8 + - .../outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt | 1 + - .../DEFAULT:SSSD-PAM-GOST-openssl_fips.txt | 4 + - .../DEFAULT:SSSD-PAM-GOST-opensslcnf.txt | 8 + - tests/outputs/EMPTY-auth.txt | 0 - tests/outputs/FIPS-auth.txt | 0 - tests/outputs/FIPS:ECDHE-ONLY-auth.txt | 0 - tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt | 0 - tests/outputs/FIPS:OSPP-auth.txt | 0 - tests/outputs/FUTURE-auth.txt | 0 - tests/outputs/FUTURE:AD-SUPPORT-auth.txt | 0 - tests/outputs/GOST-ONLY-PAM-auth.txt | 2 + - tests/outputs/GOST-ONLY-PAM-bind.txt | 18 ++ - tests/outputs/GOST-ONLY-PAM-gnutls.txt | 13 ++ - tests/outputs/GOST-ONLY-PAM-java.txt | 4 + - tests/outputs/GOST-ONLY-PAM-javasystem.txt | 2 + - tests/outputs/GOST-ONLY-PAM-krb5.txt | 2 + - tests/outputs/GOST-ONLY-PAM-libreswan.txt | 2 + - tests/outputs/GOST-ONLY-PAM-libssh.txt | 0 - tests/outputs/GOST-ONLY-PAM-nss.txt | 6 + - tests/outputs/GOST-ONLY-PAM-openssh.txt | 2 + - tests/outputs/GOST-ONLY-PAM-opensshserver.txt | 2 + - tests/outputs/GOST-ONLY-PAM-openssl.txt | 1 + - 
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt | 4 + - tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 ++ - tests/outputs/GOST-ONLY-auth.txt | 0 - tests/outputs/GOST-ONLY-bind.txt | 18 ++ - tests/outputs/GOST-ONLY-gnutls.txt | 13 ++ - tests/outputs/GOST-ONLY-java.txt | 4 + - tests/outputs/GOST-ONLY-javasystem.txt | 2 + - tests/outputs/GOST-ONLY-krb5.txt | 2 + - tests/outputs/GOST-ONLY-libreswan.txt | 2 + - tests/outputs/GOST-ONLY-libssh.txt | 0 - tests/outputs/GOST-ONLY-nss.txt | 6 + - tests/outputs/GOST-ONLY-openssh.txt | 2 + - tests/outputs/GOST-ONLY-opensshserver.txt | 2 + - tests/outputs/GOST-ONLY-openssl.txt | 1 + - tests/outputs/GOST-ONLY-openssl_fips.txt | 4 + - tests/outputs/GOST-ONLY-opensslcnf.txt | 18 ++ - tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 +++++ - tests/outputs/GOST-ONLY-sequoia.txt | 51 +++++ - tests/outputs/LEGACY-auth.txt | 0 - .../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0 - 140 files changed, 2000 insertions(+), 10 deletions(-) - create mode 100644 authselect_policies/minimal_gost/README - create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS - create mode 100644 authselect_policies/minimal_gost/dconf-db - create mode 100644 authselect_policies/minimal_gost/dconf-locks - create mode 100644 authselect_policies/minimal_gost/fingerprint-auth - create mode 100644 authselect_policies/minimal_gost/nsswitch.conf - create mode 100644 authselect_policies/minimal_gost/password-auth - create mode 100644 authselect_policies/minimal_gost/postlogin - create mode 100644 authselect_policies/minimal_gost/smartcard-auth - create mode 100644 authselect_policies/minimal_gost/system-auth - create mode 100644 authselect_policies/sssd_gost/README - create mode 100644 authselect_policies/sssd_gost/REQUIREMENTS - create mode 100644 authselect_policies/sssd_gost/dconf-db - create mode 100644 authselect_policies/sssd_gost/dconf-locks - create mode 100644 authselect_policies/sssd_gost/fingerprint-auth - create mode 100644 
authselect_policies/sssd_gost/nsswitch.conf - create mode 100644 authselect_policies/sssd_gost/password-auth - create mode 100644 authselect_policies/sssd_gost/postlogin - create mode 100644 authselect_policies/sssd_gost/smartcard-auth - create mode 100644 authselect_policies/sssd_gost/system-auth - create mode 100644 policies/GOST-ONLY-PAM.pol - create mode 100644 policies/GOST-ONLY.pol - create mode 100644 policies/modules/GOST.pmod - create mode 100644 policies/modules/PAM-GOST.pmod - create mode 100644 policies/modules/PATCH-PAM-GOST.pmod - create mode 100644 policies/modules/SSSD-PAM-GOST.pmod - create mode 100644 python/policygenerators/auth.py - create mode 100644 python/policygenerators/fedora-crypto-policies.code-workspace - create mode 100755 scripts/auth_apply.sh - create mode 100644 tests/alternative-policies/GOST-ONLY.pol - create mode 100644 tests/alternative-policies/modules/GOST.pmod - create mode 100644 tests/outputs/DEFAULT-auth.txt - create mode 100644 tests/outputs/DEFAULT:GOST-auth.txt - create mode 100644 tests/outputs/DEFAULT:GOST-bind.txt - create mode 100644 tests/outputs/DEFAULT:GOST-gnutls.txt - create mode 100644 tests/outputs/DEFAULT:GOST-java.txt - create mode 100644 tests/outputs/DEFAULT:GOST-javasystem.txt - create mode 100644 tests/outputs/DEFAULT:GOST-krb5.txt - create mode 100644 tests/outputs/DEFAULT:GOST-libreswan.txt - create mode 100644 tests/outputs/DEFAULT:GOST-libssh.txt - create mode 100644 tests/outputs/DEFAULT:GOST-nss.txt - create mode 100644 tests/outputs/DEFAULT:GOST-openssh.txt - create mode 100644 tests/outputs/DEFAULT:GOST-opensshserver.txt - create mode 100644 tests/outputs/DEFAULT:GOST-openssl.txt - create mode 100644 tests/outputs/DEFAULT:GOST-openssl_fips.txt - create mode 100644 tests/outputs/DEFAULT:GOST-opensslcnf.txt - create mode 100644 tests/outputs/DEFAULT:GOST-rpm-sequoia.txt - create mode 100644 tests/outputs/DEFAULT:GOST-sequoia.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-auth.txt - create 
mode 100644 tests/outputs/DEFAULT:PAM-GOST-bind.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-gnutls.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-java.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-javasystem.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-krb5.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libreswan.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libssh.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-nss.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssh.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt - create mode 100644 tests/outputs/DEFAULT:SHA1-auth.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt - 
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt - create mode 100644 tests/outputs/EMPTY-auth.txt - create mode 100644 tests/outputs/FIPS-auth.txt - create mode 100644 tests/outputs/FIPS:ECDHE-ONLY-auth.txt - create mode 100644 tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt - create mode 100644 tests/outputs/FIPS:OSPP-auth.txt - create mode 100644 tests/outputs/FUTURE-auth.txt - create mode 100644 tests/outputs/FUTURE:AD-SUPPORT-auth.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-auth.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-bind.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-gnutls.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-java.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-javasystem.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-krb5.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-libreswan.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-libssh.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-nss.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-openssh.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-opensshserver.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl.txt - create mode 100644 
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt - create mode 100644 tests/outputs/GOST-ONLY-PAM-opensslcnf.txt - create mode 100644 tests/outputs/GOST-ONLY-auth.txt - create mode 100644 tests/outputs/GOST-ONLY-bind.txt - create mode 100644 tests/outputs/GOST-ONLY-gnutls.txt - create mode 100644 tests/outputs/GOST-ONLY-java.txt - create mode 100644 tests/outputs/GOST-ONLY-javasystem.txt - create mode 100644 tests/outputs/GOST-ONLY-krb5.txt - create mode 100644 tests/outputs/GOST-ONLY-libreswan.txt - create mode 100644 tests/outputs/GOST-ONLY-libssh.txt - create mode 100644 tests/outputs/GOST-ONLY-nss.txt - create mode 100644 tests/outputs/GOST-ONLY-openssh.txt - create mode 100644 tests/outputs/GOST-ONLY-opensshserver.txt - create mode 100644 tests/outputs/GOST-ONLY-openssl.txt - create mode 100644 tests/outputs/GOST-ONLY-openssl_fips.txt - create mode 100644 tests/outputs/GOST-ONLY-opensslcnf.txt - create mode 100644 tests/outputs/GOST-ONLY-rpm-sequoia.txt - create mode 100644 tests/outputs/GOST-ONLY-sequoia.txt - create mode 100644 tests/outputs/LEGACY-auth.txt - create mode 100644 tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt - -diff --git a/Makefile b/Makefile -index 5b584b3..467807d 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,8 +1,10 @@ - VERSION=$(shell git log -1|grep commit|cut -f 2 -d ' '|head -c 7) - DIR?=/usr/share/crypto-policies -+DIRSCR?=/usr/share/crypto-policies-scripts - BINDIR?=/usr/bin - MANDIR?=/usr/share/man - CONFDIR?=/etc/crypto-policies -+AUTHSELECTDIR?=/etc/authselect/custom - LIBEXECDIR?=/usr/libexec - DESTDIR?= - MAN7PAGES=crypto-policies.7 -@@ -30,11 +32,14 @@ install: $(MANPAGES) - mkdir -p $(DESTDIR)$(MANDIR)/man8 - mkdir -p $(DESTDIR)$(BINDIR) - mkdir -p $(DESTDIR)$(LIBEXECDIR) -+ mkdir -p $(DESTDIR)$(AUTHSELECTDIR) - install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 - install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 - install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) - install -p -m 755 $(LIBEXEC_SCRIPTS) 
$(DESTDIR)$(LIBEXECDIR) - mkdir -p $(DESTDIR)$(DIR)/ -+ mkdir -p $(DESTDIR)$(DIRSCR)/ -+ install -p -m 755 scripts/auth_apply.sh $(DESTDIR)$(DIRSCR) - install -p -m 644 default-config $(DESTDIR)$(DIR) - install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR) - for f in $$(find output -name '*.txt') ; do d=$$(dirname $$f | cut -f 2- -d '/') ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done -@@ -42,6 +47,7 @@ install: $(MANPAGES) - for f in $$(find python -name '*.py') ; do d=$$(dirname $$f) ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done - chmod 755 $(DESTDIR)$(DIR)/python/update-crypto-policies.py - chmod 755 $(DESTDIR)$(DIR)/python/build-crypto-policies.py -+ for f in $$(find authselect_policies -name '*' -type f,l) ; do d=$$(basename $$(dirname $$f)) ; install -p -m 644 -D -t $(DESTDIR)$(AUTHSELECTDIR)/$$d $$f ; done - - runruff: - ruff check -@@ -65,6 +71,11 @@ check: - python/build-crypto-policies.py --strict --policy FIPS:NO-ENFORCE-EMS --test --flat policies tests/outputs - python/build-crypto-policies.py --strict --policy FUTURE:AD-SUPPORT --test --flat policies tests/outputs - python/build-crypto-policies.py --strict --policy LEGACY:AD-SUPPORT-LEGACY --test --flat policies tests/outputs -+ python/build-crypto-policies.py --strict --policy DEFAULT:GOST --test --flat policies tests/outputs -+ python/build-crypto-policies.py --strict --policy GOST-ONLY --test --flat policies tests/outputs -+ python/build-crypto-policies.py --strict --policy DEFAULT:PAM-GOST --test --flat policies tests/outputs -+ python/build-crypto-policies.py --strict --policy DEFAULT:PATCH-PAM-GOST --test --flat policies tests/outputs -+ python/build-crypto-policies.py --strict --policy DEFAULT:SSSD-PAM-GOST --test --flat policies tests/outputs - tests/openssl.py - tests/gnutls.py - tests/nss.py -@@ -118,6 +129,7 @@ diff-outputs: - python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies output/current || true - python/build-crypto-policies.py 
--policy FIPS:NO-ENFORCE-EMS --test --flat policies output/current || true - python/build-crypto-policies.py --policy LEGACY:AD-SUPPORT --test --flat policies output/current || true -+ python/build-crypto-policies.py --policy DEFAULT:GOST --test --flat policies output/current || true - $(DIFFTOOL) tests/outputs output/current - - clean: -diff --git a/authselect_policies/minimal_gost/README b/authselect_policies/minimal_gost/README -new file mode 100644 -index 0000000..9839669 ---- /dev/null -+++ b/authselect_policies/minimal_gost/README -@@ -0,0 +1,84 @@ -+Local users only for minimal installations and gost support -+=========================================================== -+ -+Selecting this profile will enable local files as the source of identity -+and authentication providers. -+ -+This profile can be used on systems that require minimal installation to -+save disk and memory space. It serves only local users and groups directly -+from system files instead of going through other authentication providers. -+Therefore SSSD, winbind and fprintd packages can be safely removed. -+ -+AVAILABLE OPTIONAL FEATURES -+--------------------------- -+ -+without-nullok:: -+ Do not add nullok parameter to pam_unix. -+ -+with-gost:: -+ Use GOST hash for shadow password instead of sha512 -+ -+with-silent-lastlog:: -+ Do not produce pam_lastlog message during login. -+ -+DISABLE SPECIFIC NSSWITCH DATABASES -+----------------------------------- -+ -+Normally, nsswitch databases set by the profile overwrites values set in -+user-nsswitch.conf. The following options can force authselect to -+ignore value set by the profile and use the one set in user-nsswitch.conf -+instead. -+ -+with-custom-aliases:: -+Ignore "aliases" map set by the profile. -+ -+with-custom-automount:: -+Ignore "automount" map set by the profile. -+ -+with-custom-ethers:: -+Ignore "ethers" map set by the profile. -+ -+with-custom-group:: -+Ignore "group" map set by the profile. 
-+ -+with-custom-hosts:: -+Ignore "hosts" map set by the profile. -+ -+with-custom-initgroups:: -+Ignore "initgroups" map set by the profile. -+ -+with-custom-netgroup:: -+Ignore "netgroup" map set by the profile. -+ -+with-custom-networks:: -+Ignore "networks" map set by the profile. -+ -+with-custom-passwd:: -+Ignore "passwd" map set by the profile. -+ -+with-custom-protocols:: -+Ignore "protocols" map set by the profile. -+ -+with-custom-publickey:: -+Ignore "publickey" map set by the profile. -+ -+with-custom-rpc:: -+Ignore "rpc" map set by the profile. -+ -+with-custom-services:: -+Ignore "services" map set by the profile. -+ -+with-custom-shadow:: -+Ignore "shadow" map set by the profile. -+ -+EXAMPLES -+-------- -+ -+* Enable minimal profile -+ -+ authselect select minimal -+ -+SEE ALSO -+-------- -+* man passwd(5) -+* man group(5) -diff --git a/authselect_policies/minimal_gost/REQUIREMENTS b/authselect_policies/minimal_gost/REQUIREMENTS -new file mode 100644 -index 0000000..e69de29 -diff --git a/authselect_policies/minimal_gost/dconf-db b/authselect_policies/minimal_gost/dconf-db -new file mode 100644 -index 0000000..a3868b7 ---- /dev/null -+++ b/authselect_policies/minimal_gost/dconf-db -@@ -0,0 +1,3 @@ -+[org/gnome/login-screen] -+enable-smartcard-authentication=false -+enable-fingerprint-authentication=false -diff --git a/authselect_policies/minimal_gost/dconf-locks b/authselect_policies/minimal_gost/dconf-locks -new file mode 100644 -index 0000000..8a36fa9 ---- /dev/null -+++ b/authselect_policies/minimal_gost/dconf-locks -@@ -0,0 +1,2 @@ -+/org/gnome/login-screen/enable-smartcard-authentication -+/org/gnome/login-screen/enable-fingerprint-authentication -diff --git a/authselect_policies/minimal_gost/fingerprint-auth b/authselect_policies/minimal_gost/fingerprint-auth -new file mode 100644 -index 0000000..ca152fb ---- /dev/null -+++ b/authselect_policies/minimal_gost/fingerprint-auth -@@ -0,0 +1,16 @@ -+auth required pam_env.so -+auth sufficient 
pam_fprintd.so -+auth required pam_deny.so -+ -+account required pam_unix.so -+account sufficient pam_localuser.so -+account sufficient pam_succeed_if.so uid < 500 quiet -+account required pam_permit.so -+ -+password required pam_deny.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -diff --git a/authselect_policies/minimal_gost/nsswitch.conf b/authselect_policies/minimal_gost/nsswitch.conf -new file mode 100644 -index 0000000..f1f5941 ---- /dev/null -+++ b/authselect_policies/minimal_gost/nsswitch.conf -@@ -0,0 +1,14 @@ -+passwd: sss files systemd {exclude if "with-custom-passwd"} -+shadow: files {exclude if "with-custom-shadow"} -+group: sss files systemd {exclude if "with-custom-group"} -+hosts: files dns myhostname {exclude if "with-custom-hosts"} -+services: files sss {exclude if "with-custom-services"} -+netgroup: sss {exclude if "with-custom-netgroup"} -+automount: files sss {exclude if "with-custom-automount"} -+aliases: files {exclude if "with-custom-aliases"} -+ethers: files {exclude if "with-custom-ethers"} -+gshadow: files -+networks: files dns {exclude if "with-custom-networks"} -+protocols: files {exclude if "with-custom-protocols"} -+publickey: files {exclude if "with-custom-publickey"} -+rpc: files {exclude if "with-custom-rpc"} -diff --git a/authselect_policies/minimal_gost/password-auth b/authselect_policies/minimal_gost/password-auth -new file mode 100644 -index 0000000..5da3730 ---- /dev/null -+++ b/authselect_policies/minimal_gost/password-auth -@@ -0,0 +1,15 @@ -+auth required pam_env.so -+auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok} -+auth required pam_deny.so -+ -+account required pam_unix.so -+ -+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= -+password sufficient pam_unix.so 
try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow -+password required pam_deny.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -diff --git a/authselect_policies/minimal_gost/postlogin b/authselect_policies/minimal_gost/postlogin -new file mode 100644 -index 0000000..8d9bfd0 ---- /dev/null -+++ b/authselect_policies/minimal_gost/postlogin -@@ -0,0 +1,4 @@ -+session optional pam_umask.so silent -+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet -+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} -+session optional pam_lastlog.so silent noupdate showfailed -diff --git a/authselect_policies/minimal_gost/smartcard-auth b/authselect_policies/minimal_gost/smartcard-auth -new file mode 100644 -index 0000000..f0843be ---- /dev/null -+++ b/authselect_policies/minimal_gost/smartcard-auth -@@ -0,0 +1,16 @@ -+auth required pam_env.so -+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card -+auth required pam_deny.so -+ -+account required pam_unix.so -+account sufficient pam_localuser.so -+account sufficient pam_succeed_if.so uid < 500 quiet -+account required pam_permit.so -+ -+password optional pam_pkcs11.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -diff --git a/authselect_policies/minimal_gost/system-auth b/authselect_policies/minimal_gost/system-auth -new file mode 100644 -index 0000000..5da3730 ---- /dev/null -+++ b/authselect_policies/minimal_gost/system-auth -@@ -0,0 +1,15 @@ -+auth required pam_env.so -+auth sufficient pam_unix.so try_first_pass {if not 
"without-nullok":nullok} -+auth required pam_deny.so -+ -+account required pam_unix.so -+ -+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= -+password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow -+password required pam_deny.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -diff --git a/authselect_policies/sssd_gost/README b/authselect_policies/sssd_gost/README -new file mode 100644 -index 0000000..02daa76 ---- /dev/null -+++ b/authselect_policies/sssd_gost/README -@@ -0,0 +1,145 @@ -+Enable SSSD with GOST support for system authentication (also for local users only) -+================================================================= -+ -+Selecting this profile will enable SSSD with GOST as the source of identity -+and authentication providers. -+ -+SSSD provides a set of daemons to manage access to remote directories and -+authentication mechanisms such as LDAP, Kerberos, FreeIPA or AD. It provides -+an NSS and PAM interface toward the system and a pluggable backend system -+to connect to multiple different account sources. -+ -+More information about SSSD can be found on its project page: -+https://sssd.io -+ -+However, if you do not want to keep SSSD running on your machine, you can -+keep this profile selected and just disable SSSD service. The resulting -+configuration will still work correctly even with SSSD disabled and local users -+and groups will be read from local files directly. -+ -+SSSD CONFIGURATION -+------------------ -+ -+Authselect does not touch SSSD's configuration. Please, read SSSD's -+documentation to see how to configure it manually. Only local users -+will be available on the system if there is no existing SSSD configuration. 
-+ -+AVAILABLE OPTIONAL FEATURES -+--------------------------- -+ -+with-faillock:: -+ Enable account locking in case of too many consecutive -+ authentication failures. -+ -+with-mkhomedir:: -+ Enable automatic creation of home directories for users on their -+ first login. -+ -+with-smartcard:: -+ Enable authentication with smartcards through SSSD. Please note that -+ smartcard support must be also explicitly enabled within -+ SSSD's configuration. -+ -+with-smartcard-lock-on-removal:: -+ Lock screen when a smartcard is removed. -+ -+with-smartcard-required:: -+ Smartcard authentication is required. No other means of authentication -+ (including password) will be enabled. -+ -+with-fingerprint:: -+ Enable authentication with fingerprint reader through *pam_fprintd*. -+ -+with-pam-gnome-keyring:: -+ Enable pam-gnome-keyring support. -+ -+with-pam-u2f:: -+ Enable authentication via u2f dongle through *pam_u2f*. -+ -+with-pam-u2f-2fa:: -+ Enable 2nd factor authentication via u2f dongle through *pam_u2f*. -+ -+without-pam-u2f-nouserok:: -+ Module argument nouserok is omitted if also with-pam-u2f-2fa is used. -+ *WARNING*: Omitting nouserok argument means that users without pam-u2f -+ authentication configured will not be able to log in *INCLUDING* root. -+ Make sure you are able to log in before losing root privileges. -+ -+with-silent-lastlog:: -+ Do not produce pam_lastlog message during login. -+ -+with-sudo:: -+ Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers. -+ -+with-pamaccess:: -+ Check access.conf during account authorization. -+ -+with-pwhistory:: -+ Enable pam_pwhistory module for local users. -+ -+with-files-domain:: -+ If set, SSSD will be contacted before "files" when resolving users and -+ groups. The order in nsswitch.conf will be set to "sss files" instead of -+ "files sss" for passwd and group maps. -+ -+with-files-access-provider:: -+ If set, account management for local users is handled also by pam_sss. 
This -+ is needed if there is an explicitly configured domain with id_provider=files -+ and non-empty access_provider setting in sssd.conf. -+ -+ *WARNING:* SSSD access check will become mandatory for local users and -+ if SSSD is stopped then local users will not be able to log in. Only -+ system accounts (as defined by pam_usertype, including root) will be -+ able to log in. -+ -+with-gssapi:: -+ If set, pam_sss_gss module is enabled to perform user authentication over -+ GSSAPI. -+ -+with-subid:: -+ Enable SSSD as a source of subid database in /etc/nsswitch.conf. -+ -+without-nullok:: -+ Do not add nullok parameter to pam_unix. -+ -+with-gost:: -+ Use GOST hash for shadow password instead of sha512 -+ -+DISABLE SPECIFIC NSSWITCH DATABASES -+----------------------------------- -+ -+Normally, nsswitch databases set by the profile overwrites values set in -+user-nsswitch.conf. The following options can force authselect to -+ignore value set by the profile and use the one set in user-nsswitch.conf -+instead. -+ -+with-custom-passwd:: -+Ignore "passwd" database set by the profile. -+ -+with-custom-group:: -+Ignore "group" database set by the profile. -+ -+with-custom-netgroup:: -+Ignore "netgroup" database set by the profile. -+ -+with-custom-automount:: -+Ignore "automount" database set by the profile. -+ -+with-custom-services:: -+Ignore "services" database set by the profile. 
-+ -+EXAMPLES -+-------- -+ -+* Enable SSSD with sudo and smartcard support -+ -+ authselect select sssd with-sudo with-smartcard -+ -+* Enable SSSD with sudo support and create home directories for users on their -+ first login -+ -+ authselect select sssd with-mkhomedir with-sudo -+ -+SEE ALSO -+-------- -+* man sssd.conf(5) -diff --git a/authselect_policies/sssd_gost/REQUIREMENTS b/authselect_policies/sssd_gost/REQUIREMENTS -new file mode 100644 -index 0000000..396287e ---- /dev/null -+++ b/authselect_policies/sssd_gost/REQUIREMENTS -@@ -0,0 +1,29 @@ -+Make sure that SSSD service is configured and enabled. See SSSD documentation for more information. -+ {include if "with-smartcard"} -+- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf: {include if "with-smartcard"} -+ - set "pam_cert_auth = True" in [pam] section {include if "with-smartcard"} -+ {include if "with-fingerprint"} -+- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"} -+ {include if "with-pam-gnome-keyring"} -+- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module {include if "with-pam-gnome-keyring"} -+ is present. 
{include if "with-pam-gnome-keyring"} -+ {include if "with-pam-u2f"} -+- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"} -+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"} -+ {include if "with-pam-u2f-2fa"} -+- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"} -+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"} -+ {include if "with-mkhomedir"} -+- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"} -+ is present and oddjobd service is enabled and active {include if "with-mkhomedir"} -+ - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} -+ {include if "with-files-domain"} -+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"} -+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"} -+ - or create a custom domain with id_provider=files {include if "with-files-domain"} -+ {include if "with-gssapi"} -+- with-gssapi is selected, make sure that GSSAPI authenticaiton is enabled in SSSD {include if "with-gssapi"} -+ - set pam_gssapi_services to a list of allowed services in /etc/sssd/sssd.conf {include if "with-gssapi"} -+ - see additional information in pam_sss_gss(8) {include if "with-gssapi"} -+ {include if "with-gost"} -+- with-gost is selected, make sure that openssl-gost-engine installed {include if "with-gost"} -diff --git a/authselect_policies/sssd_gost/dconf-db b/authselect_policies/sssd_gost/dconf-db -new file mode 100644 -index 0000000..66c9949 ---- /dev/null -+++ b/authselect_policies/sssd_gost/dconf-db -@@ -0,0 +1,9 @@ -+{imply "with-smartcard" if "with-smartcard-required"} -+{imply "with-smartcard" if "with-smartcard-lock-on-removal"} -+[org/gnome/login-screen] -+enable-smartcard-authentication={if 
"with-smartcard":true|false} -+enable-fingerprint-authentication={if "with-fingerprint":true|false} -+enable-password-authentication={if "with-smartcard-required":false|true} -+ -+[org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"} -+removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"} -diff --git a/authselect_policies/sssd_gost/dconf-locks b/authselect_policies/sssd_gost/dconf-locks -new file mode 100644 -index 0000000..6bf15d0 ---- /dev/null -+++ b/authselect_policies/sssd_gost/dconf-locks -@@ -0,0 +1,4 @@ -+/org/gnome/login-screen/enable-smartcard-authentication -+/org/gnome/login-screen/enable-fingerprint-authentication -+/org/gnome/login-screen/enable-password-authentication -+/org/gnome/settings-daemon/peripherals/smartcard/removal-action {include if "with-smartcard-lock-on-removal"} -diff --git a/authselect_policies/sssd_gost/fingerprint-auth b/authselect_policies/sssd_gost/fingerprint-auth -new file mode 100644 -index 0000000..dc7befe ---- /dev/null -+++ b/authselect_policies/sssd_gost/fingerprint-auth -@@ -0,0 +1,28 @@ -+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"} -+{continue if "with-fingerprint"} -+auth required pam_env.so -+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"} -+auth required pam_faillock.so preauth silent {include if "with-faillock"} -+auth [success=done default=bad] pam_fprintd.so -+auth required pam_faillock.so authfail {include if "with-faillock"} -+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} -+auth required pam_deny.so -+ -+account required pam_access.so {include if "with-pamaccess"} -+account required pam_faillock.so {include if "with-faillock"} -+account required pam_unix.so -+account sufficient pam_localuser.so {exclude if "with-files-access-provider"} -+account sufficient pam_usertype.so issystem -+account [default=bad 
success=ok user_unknown=ignore] pam_sss.so -+account required pam_permit.so -+ -+password required pam_deny.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -+session optional pam_sss.so -+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} -diff --git a/authselect_policies/sssd_gost/nsswitch.conf b/authselect_policies/sssd_gost/nsswitch.conf -new file mode 100644 -index 0000000..f9e4e54 ---- /dev/null -+++ b/authselect_policies/sssd_gost/nsswitch.conf -@@ -0,0 +1,7 @@ -+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"} -+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"} -+netgroup: sss files {exclude if "with-custom-netgroup"} -+automount: sss files {exclude if "with-custom-automount"} -+services: sss files {exclude if "with-custom-services"} -+sudoers: files sss {include if "with-sudo"} -+subid: sss {include if "with-subid"} -diff --git a/authselect_policies/sssd_gost/password-auth b/authselect_policies/sssd_gost/password-auth -new file mode 100644 -index 0000000..7832fb7 ---- /dev/null -+++ b/authselect_policies/sssd_gost/password-auth -@@ -0,0 +1,39 @@ -+auth required pam_env.so -+auth required pam_faildelay.so delay=2000000 -+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"} -+auth required pam_faillock.so preauth silent {include if "with-faillock"} -+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} -+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} -+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular -+auth [default=1 ignore=ignore 
success=ok] pam_localuser.so -+auth sufficient pam_unix.so {if not "without-nullok":nullok} -+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular -+auth sufficient pam_sss.so forward_pass -+auth required pam_faillock.so authfail {include if "with-faillock"} -+auth optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"} -+auth required pam_deny.so -+ -+account required pam_access.so {include if "with-pamaccess"} -+account required pam_faillock.so {include if "with-faillock"} -+account required pam_unix.so -+account sufficient pam_localuser.so {exclude if "with-files-access-provider"} -+account sufficient pam_usertype.so issystem -+account [default=bad success=ok user_unknown=ignore] pam_sss.so -+account required pam_permit.so -+ -+password requisite pam_pwquality.so local_users_only -+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} -+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} -+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok -+password [success=1 default=ignore] pam_localuser.so -+password sufficient pam_sss.so use_authtok -+password required pam_deny.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -+session optional pam_sss.so -+session optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"} -diff --git a/authselect_policies/sssd_gost/postlogin b/authselect_policies/sssd_gost/postlogin -new file mode 100644 -index 0000000..04a11f0 ---- /dev/null -+++ b/authselect_policies/sssd_gost/postlogin -@@ -0,0 +1,4 @@ -+session optional pam_umask.so silent -+session [success=1 default=ignore] pam_succeed_if.so 
service !~ gdm* service !~ su* quiet -+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} -+session optional pam_lastlog.so silent noupdate showfailed -diff --git a/authselect_policies/sssd_gost/smartcard-auth b/authselect_policies/sssd_gost/smartcard-auth -new file mode 100644 -index 0000000..754847f ---- /dev/null -+++ b/authselect_policies/sssd_gost/smartcard-auth -@@ -0,0 +1,26 @@ -+{imply "with-smartcard" if "with-smartcard-required"} -+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-smartcard"} -+{continue if "with-smartcard"} -+auth required pam_env.so -+auth required pam_faillock.so preauth silent {include if "with-faillock"} -+auth sufficient pam_sss.so allow_missing_name {if "with-smartcard-required":require_cert_auth} -+auth required pam_faillock.so authfail {include if "with-faillock"} -+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} -+auth required pam_deny.so -+ -+account required pam_access.so {include if "with-pamaccess"} -+account required pam_faillock.so {include if "with-faillock"} -+account required pam_unix.so -+account sufficient pam_localuser.so {exclude if "with-files-access-provider"} -+account sufficient pam_usertype.so issystem -+account [default=bad success=ok user_unknown=ignore] pam_sss.so -+account required pam_permit.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -+session optional pam_sss.so -+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} -diff --git a/authselect_policies/sssd_gost/system-auth b/authselect_policies/sssd_gost/system-auth -new file mode 100644 -index 0000000..31d4ee1 ---- /dev/null -+++ 
b/authselect_policies/sssd_gost/system-auth -@@ -0,0 +1,46 @@ -+{imply "with-smartcard" if "with-smartcard-required"} -+auth required pam_env.so -+auth required pam_faildelay.so delay=2000000 -+auth required pam_faillock.so preauth silent {include if "with-faillock"} -+auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"} -+auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"} -+auth sufficient pam_fprintd.so {include if "with-fingerprint"} -+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} -+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} -+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular -+auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"} -+auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"} -+auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"} -+auth sufficient pam_unix.so {if not "without-nullok":nullok} -+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"} -+auth sufficient pam_sss_gss.so {include if "with-gssapi"} -+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular -+auth sufficient pam_sss.so forward_pass -+auth required pam_faillock.so authfail {include if "with-faillock"} -+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} -+auth required pam_deny.so -+ -+account required pam_access.so {include if "with-pamaccess"} -+account required pam_faillock.so {include if "with-faillock"} -+account required pam_unix.so -+account sufficient pam_localuser.so {exclude if "with-files-access-provider"} 
-+account sufficient pam_usertype.so issystem -+account [default=bad success=ok user_unknown=ignore] pam_sss.so -+account required pam_permit.so -+ -+password requisite pam_pwquality.so local_users_only -+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} -+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} -+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok -+password [success=1 default=ignore] pam_localuser.so -+password sufficient pam_sss.so use_authtok -+password required pam_deny.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -+session optional pam_sss.so -+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} -diff --git a/policies/GOST-ONLY-PAM.pol b/policies/GOST-ONLY-PAM.pol -new file mode 100644 -index 0000000..fce3bdb ---- /dev/null -+++ b/policies/GOST-ONLY-PAM.pol -@@ -0,0 +1,29 @@ -+# Next generation GOST algorithms -+ -+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT -+ -+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C -+ -+hash = GOSTR94 STREEBOG-256 STREEBOG-512 -+ -+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512 -+ -+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM -+ -+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB -+ -+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF -+ -+protocol@TLS = TLS1.3 
TLS1.2 TLS1.1 TLS1.0 -+ -+# Parameter sizes -+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL -+min_dh_size = 2048 -+min_dsa_size = 2048 -+min_rsa_size = 2048 -+ -+# GnuTLS only for now -+sha1_in_certs = 0 -+ -+action_do = GOST -+authopt@AUTH = custom/minimal_gost with-gost -diff --git a/policies/GOST-ONLY.pol b/policies/GOST-ONLY.pol -new file mode 100644 -index 0000000..37e478b ---- /dev/null -+++ b/policies/GOST-ONLY.pol -@@ -0,0 +1,28 @@ -+# Next generation GOST algorithms -+ -+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT -+ -+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C -+ -+hash = GOSTR94 STREEBOG-256 STREEBOG-512 -+ -+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512 -+ -+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM -+ -+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB -+ -+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF -+ -+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 -+ -+# Parameter sizes -+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL -+min_dh_size = 2048 -+min_dsa_size = 2048 -+min_rsa_size = 2048 -+ -+# GnuTLS only for now -+sha1_in_certs = 0 -+ -+action_do = GOST -diff --git a/policies/modules/GOST.pmod b/policies/modules/GOST.pmod -new file mode 100644 -index 0000000..b9021ea ---- /dev/null -+++ b/policies/modules/GOST.pmod -@@ -0,0 +1,18 @@ -+# Adds GOST algorithms. 
-+# -+ -+mac = +HMAC-STREEBOG-256 +HMAC-STREEBOG-512 +MAGMA-OMAC +KUZNYECHIK-OMAC +MAGMA-OMAC-ACPKM +KUZNYECHIK-OMAC-ACPKM +GOST28147-TC26Z-IMIT +GOST28147-CPA-IMIT +AEAD -+ -+group = +GOST-GC256A +GOST-GC256B +GOST-GC256C +GOST-GC256D +GOST-GC512A +GOST-GC512B +GOST-GC512C -+ -+hash = +STREEBOG-256 +STREEBOG-512 GOSTR94+ -+ -+sign = +GOSTR341012-256 +GOSTR341012-512 GOSTR341001+ -+ -+cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM -+ -+cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB -+ -+key_exchange = +VKO-GOST-2001 +VKO-GOST-2012 +VKO-GOST-KDF -+ -+action_do = +GOST -diff --git a/policies/modules/PAM-GOST.pmod b/policies/modules/PAM-GOST.pmod -new file mode 100644 -index 0000000..06d92c5 ---- /dev/null -+++ b/policies/modules/PAM-GOST.pmod -@@ -0,0 +1,3 @@ -+#Add shadow gost support -+ -+authopt@AUTH = custom/minimal_gost with-gost -diff --git a/policies/modules/PATCH-PAM-GOST.pmod b/policies/modules/PATCH-PAM-GOST.pmod -new file mode 100644 -index 0000000..a79abd0 ---- /dev/null -+++ b/policies/modules/PATCH-PAM-GOST.pmod -@@ -0,0 +1,3 @@ -+#Add shadow gost support -+ -+authopt@AUTH = patch -diff --git a/policies/modules/SSSD-PAM-GOST.pmod b/policies/modules/SSSD-PAM-GOST.pmod -new file mode 100644 -index 0000000..f28939e ---- /dev/null -+++ b/policies/modules/SSSD-PAM-GOST.pmod -@@ -0,0 +1,3 @@ -+#Add shadow gost support -+ -+authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog -diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py -index 2853c65..4b3d83c 100755 ---- a/python/build-crypto-policies.py -+++ b/python/build-crypto-policies.py -@@ -9,6 +9,7 @@ import argparse - import os - import sys - import warnings -+import platform - - import cryptopolicies - import policygenerators -@@ -62,6 +63,11 @@ def save_config(cmdline, policy_name, 
config_name, config): - try: - with open(path, encoding='utf-8') as f: - old_config = f.read() -+ if '[gost_section]' in config: -+ arch, links = platform.architecture() -+ if arch == '32bit': -+ #Make test expected file same for x86 and x86_64 systems -+ config = config.replace('dynamic_path = /usr/lib/engines-3/gost.so', 'dynamic_path = /usr/lib64/engines-3/gost.so') - if old_config != config: - eprint(f'Config for {config_name} for policy {policy_name} ' - 'differs from the existing one') -@@ -100,7 +106,7 @@ def build_policy(cmdline, policy_name, subpolicy_names=None): - gen = cls() - config = gen.generate_config(cp.scoped(gen.SCOPES)) - -- if policy_name in {'EMPTY', 'GOST-ONLY'} or gen.test_config(config): -+ if policy_name in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM') or gen.test_config(config): - try: - name = ':'.join([policy_name, *subpolicy_names]) - if not save_config(cmdline, name, gen.CONFIG_NAME, config): -diff --git a/python/cryptopolicies/alg_lists.py b/python/cryptopolicies/alg_lists.py -index 259f61a..c1cf35c 100644 ---- a/python/cryptopolicies/alg_lists.py -+++ b/python/cryptopolicies/alg_lists.py -@@ -94,6 +94,12 @@ DTLS_PROTOCOLS = ('DTLS1.2', 'DTLS1.0', 'DTLS0.9') - IKE_PROTOCOLS = ('IKEv2', 'IKEv1') - ALL_PROTOCOLS = TLS_PROTOCOLS + DTLS_PROTOCOLS + IKE_PROTOCOLS - -+# List of action do algoritms, for non standard libraries -+IACTION_OPT = 'action_do' -+ALL_ACTION_DO = ( 'GOST', 'NONE' ) -+ -+AUTH_PROFILES_OPT = 'authopt' -+ALL_AUTH_PROFILES = () - - ALL = { - 'cipher': ALL_CIPHERS, -@@ -103,6 +109,8 @@ ALL = { - 'mac': ALL_MACS, - 'protocol': ALL_PROTOCOLS, - 'sign': ALL_SIGN, -+ IACTION_OPT: ALL_ACTION_DO, -+ AUTH_PROFILES_OPT: ALL_AUTH_PROFILES - } - - -@@ -116,10 +124,13 @@ def glob(pattern, alg_class): - if alg_class not in ALL: - raise validation.alg_lists.AlgorithmClassUnknownError(alg_class) - -- r = fnmatch.filter(ALL[alg_class], pattern) -- if not r: -- raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class) -- return 
r -+ if alg_class == AUTH_PROFILES_OPT: -+ return [pattern] -+ else: -+ r = fnmatch.filter(ALL[alg_class], pattern) -+ if not r: -+ raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class) -+ return r - - - def earliest_occurrence(needles, ordered_haystack): -diff --git a/python/cryptopolicies/cryptopolicies.py b/python/cryptopolicies/cryptopolicies.py -index a580ce8..0f50792 100644 ---- a/python/cryptopolicies/cryptopolicies.py -+++ b/python/cryptopolicies/cryptopolicies.py -@@ -42,7 +42,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing - 'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh', - 'ipsec', 'ike', 'libreswan', - 'kerberos', 'krb5', -- 'dnssec', 'bind', -+ 'dnssec', 'bind', 'auth' - ) - DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things - 'bind': {'bind', 'dnssec'}, -@@ -55,6 +55,7 @@ DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things - 'openssh-client': {'openssh-client', 'openssh', 'ssh'}, - 'openssh-server': {'openssh-server', 'openssh', 'ssh'}, - 'openssl': {'openssl', 'tls', 'ssl'}, -+ 'auth': {'auth'}, - } - - -@@ -466,6 +467,8 @@ class UnscopedCryptoPolicy: - **generic_scoped.integers, - **generic_scoped.enums} - for prop_name, value in generic_all.items(): -+ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT): -+ continue - s += fmt(prop_name, value) - anything_scope_specific = False - for scope_name, scope_set in DUMPABLE_SCOPES.items(): -@@ -474,6 +477,8 @@ class UnscopedCryptoPolicy: - **specific_scoped.integers, - **specific_scoped.enums} - for prop_name, value in specific_all.items(): -+ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT): -+ continue - if value != generic_all[prop_name]: - if not anything_scope_specific: - s += ('# Scope-specific properties ' -diff --git a/python/policygenerators/__init__.py b/python/policygenerators/__init__.py -index be516b2..ae756f0 100644 ---- 
a/python/policygenerators/__init__.py -+++ b/python/policygenerators/__init__.py -@@ -16,6 +16,7 @@ from .openssl import ( - OpenSSLFIPSGenerator, - OpenSSLGenerator, - ) -+from .auth import AuthGenerator - - __all__ = [ - 'BindGenerator', -@@ -31,4 +32,5 @@ __all__ = [ - 'OpenSSLConfigGenerator', - 'OpenSSLFIPSGenerator', - 'OpenSSLGenerator', -+ 'AuthGenerator', - ] -diff --git a/python/policygenerators/auth.py b/python/policygenerators/auth.py -new file mode 100644 -index 0000000..eb6bda5 ---- /dev/null -+++ b/python/policygenerators/auth.py -@@ -0,0 +1,36 @@ -+# SPDX-License-Identifier: LGPL-2.1-or-later -+ -+# Copyright (c) 2019 Red Hat, Inc. -+# Copyright (c) 2019 Tomáš Mráz -+ -+import os.path -+ -+from .configgenerator import ConfigGenerator -+ -+class AuthGenerator(ConfigGenerator): -+ CONFIG_NAME = 'auth' -+ SCOPES = {'auth'} -+ -+ RELOAD_CMD = '/usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :\n' -+ -+ @classmethod -+ def generate_config(cls, policy): -+ p = policy.enabled -+ sep = '\n' -+ s = '' -+ authopt_data = p['authopt'] -+ if len(authopt_data) > 0: -+ auth_profile = authopt_data.pop(0) -+ opt_list = [] -+ for item in authopt_data: -+ if item not in opt_list: -+ if item.startswith('with'): -+ opt_list.append(item) -+ s = cls.append(s, auth_profile, sep) -+ for item in opt_list: -+ s = cls.append(s, item, sep) -+ return s -+ -+ @classmethod -+ def test_config(cls, config): # pylint: disable=unused-argument -+ return True -diff --git a/python/policygenerators/fedora-crypto-policies.code-workspace b/python/policygenerators/fedora-crypto-policies.code-workspace -new file mode 100644 -index 0000000..e69de29 -diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py -index fcee9ec..a97502a 100644 ---- a/python/policygenerators/openssl.py -+++ b/python/policygenerators/openssl.py -@@ -2,6 +2,7 @@ - - # Copyright (c) 2019 Red Hat, Inc. 
- # Copyright (c) 2019 Tomáš Mráz -+import platform - - from subprocess import CalledProcessError, check_output - -@@ -21,6 +22,25 @@ tls1-prf-ems-check = {} - activate = 1 - ''' - -+arch, links = platform.architecture() -+library_path = '64' -+if arch == '32bit': -+ library_path = '' -+ -+GOST_MODULE_ENABLE = ''' -+[openssl_init] -+engines = engine_gost -+ -+[engine_gost] -+gost = gost_section -+ -+[gost_section] -+engine_id = gost -+dynamic_path = /usr/lib%s/engines-3/gost.so -+default_algorithms = ALL -+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet -+''' % (library_path) -+ - - class OpenSSLGenerator(ConfigGenerator): - CONFIG_NAME = 'openssl' -@@ -264,6 +284,9 @@ class OpenSSLConfigGenerator(OpenSSLGenerator): - - if 'SHA1' in p['hash']: - s += RH_ALLOW_SHA1 -+ -+ if 'GOST' in p['action_do']: -+ s += GOST_MODULE_ENABLE - - return s - -diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh -new file mode 100755 -index 0000000..5b2ecad ---- /dev/null -+++ b/scripts/auth_apply.sh -@@ -0,0 +1,204 @@ -+#!/usr/bin/bash -+exec 1> /var/log/crypto-cmc/auth.log 2>&1 -+set -x -+# Скрипт настройки профиля authselect для crypto-policy -+# Примеры запуска: -+# auth_apply.sh -e - восстановить конфигурацию без указания auth профиля -+# auth_apply.sh -p tmp/ - считать что конфигурационные файлы authselect лежат в каталоге tmp -+# auth_apply.sh -p /tmp -t /tmpconf - аналигично предыдущему, но еще не вызывать authselect -+# и считать, что сгенерированный конфиг лежит в каталоге tmpconf -+ -+CONF_PATH=/etc/authselect/ -+AUTH_SEL_BAK=authselect.conf.policy -+AUTH_CONFIG=authselect.conf -+EMPTY=0 -+TEST="" -+AUTH_BACKUP_NAME="auth_saved_profile" -+USE_PATCH="$CONF_PATH/autheslect.patch" -+ -+function set_gost -+{ -+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/system-auth -+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/password-auth -+ -+} -+ -+function set_no_gost -+{ -+ 
/usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/system-auth -+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/password-auth -+} -+ -+function get_auth_options -+{ -+ /usr/bin/cat /etc/crypto-policies/back-ends/auth.config | tr '\n' ' ' -+} -+ -+function save_restored_profile -+{ -+ if [ ! -e /etc/authselect/custom/restored ];then -+ /usr/bin/authselect create-profile restored -+ [ -e /etc/pam.d/fingerprint-auth ] && /usr/bin/cp -f /etc/pam.d/fingerprint-auth /etc/authselect/custom/restored/ -+ [ -e /etc/pam.d/password-auth ] && /usr/bin/cp -f /etc/pam.d/password-auth /etc/authselect/custom/restored/ -+ [ -e /etc/pam.d/postlogin ] && /usr/bin/cp -f /etc/pam.d/postlogin /etc/authselect/custom/restored/ -+ [ -e /etc/pam.d/smartcard-auth ] && /usr/bin/cp -f /etc/pam.d/smartcard-auth /etc/authselect/custom/restored/ -+ [ -e /etc/pam.d/system-auth ] && /usr/bin/cp -f /etc/pam.d/system-auth /etc/authselect/custom/restored/ -+ [ -e /etc/authselect/user-nsswitch.conf ] && /usr/bin/cp -f /etc/authselect/user-nsswitch.conf /etc/authselect/custom/restored/nsswitch.conf -+ fi -+} -+ -+while getopts ':et:p:h' VAL ; do -+ case $VAL in -+ e ) EMPTY=1 ;; -+ p ) CONF_PATH="$OPTARG" ;; -+ t ) TEST="$OPTARG" ;; -+ : ) -+ echo "Необходим параметр - путь к опции $OPTARG" -+ exit 255 -+ ;; -+ * ) -+ echo "Неизвестный параметр $OPTARG" -+ exit 255 -+ ;; -+ esac -+done -+shift $((OPTIND -1)) -+ -+# Если заданный путь к кинфигурации authselect заканчивается на / -+# то удалим этот символ -+LAST_SYMBOL=${CONF_PATH: -1} -+if [ "$LAST_SYMBOL" = "/" ];then -+ CONF_PATH=${CONF_PATH%?} -+fi -+LAST_SYMBOL=${TEST: -1} -+if [ "$LAST_SYMBOL" = "/" ];then -+ TEST=${TEST%?} -+fi -+ -+if [ -z "$TEST" ];then -+ POLICY_CONFIG=/etc/crypto-policies/back-ends/auth.config -+else -+ POLICY_CONFIG="$TEST/auth.config" -+ if [[ "$POLICY_CONFIG" == "/*" ]];then -+ : -+ else -+ CUR_DIR=$(pwd) -+ 
POLICY_CONFIG="$CUR_DIR/$POLICY_CONFIG" -+ fi -+fi -+ -+PATH_TO_AUTH_SEL_BAK="$CONF_PATH/$AUTH_SEL_BAK" -+PATH_TO_AUTH_CONFIG="$CONF_PATH/$AUTH_CONFIG" -+ -+# Дополнительная проверка, файл authselect.conf не должен быть пустым -+# или соедржать слово empty--data, иначе это признак empty -+if [ -e "$PATH_TO_AUTH_CONFIG" ];then -+ AUTH_CONF_CONT=$(/usr/bin/cat "$POLICY_CONFIG" | /usr/bin/xargs) -+ if [ -z "$AUTH_CONF_CONT" -o "$AUTH_CONF_CONT" = "empty--data" ];then -+ EMPTY=1 -+ fi -+else -+ EMPTY=2 -+fi -+ -+# Проверим, нужно ли накладывать патч. Установлено ли это конфигурацией -+NEED_PATCH=0 -+if [ -e "$POLICY_CONFIG" ];then -+ RES=$(cat "$POLICY_CONFIG") -+ if [ "$RES" = "patch" ];then -+ NEED_PATCH=1 -+ fi -+fi -+ -+# Если задан параметр empty, это значит, что применяется профиль -+# без настройки для authselect, в этом случае нужно восстановить -+# старый заданный профиль -+# TODO: возможно даже воспользоватьс командой -+# authselect backup-restore auth_saved_profile -+# данный снимок создается при профиля через crypto-policy -+if [ "$EMPTY" = "1" ];then -+# Если есть файл authselect.patch, значит профиль был пропатчен, -+# а не установлен через профиль -+ if [ -e "$USE_PATCH" ];then -+ set_no_gost -+ /usr/bin/mv -f "$USE_PATCH" "$USE_PATCH.removed" -+ else -+ if [ -e "$PATH_TO_AUTH_SEL_BAK" ];then -+# Только root может восстанавливать конфигурацию из резервной копии -+# дабыизбежать подлога и восстановления файла, созданного пользователем -+ OWNER_UID=$(/usr/bin/stat -c "%u" "$PATH_TO_AUTH_SEL_BAK") -+ if [ "$OWNER_UID" = "0" ];then -+ /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG" -+ fi -+ AUTH_CONT=$(cat "$PATH_TO_AUTH_CONFIG") -+# Есди файл настроек authselect пустой после восстановления -+# значит он создан ранее скриптом и его нужно убрать -+ if [ -z "$AUTH_CONT" ];then -+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed" -+ fi -+ else -+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed" -+ fi -+ if [ 
-e "$PATH_TO_AUTH_CONFIG" ];then -+ /usr/bin/authselect apply-changes -+ else -+ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then -+ /usr/bin/authselect backup-restore "$AUTH_BACKUP_NAME" -+ else -+ if [ -e /etc/authselect/custom/resored ];then -+ /usr/bin/authselect select custom/restored --force -+ fi -+ fi -+ fi -+ fi -+ exit 0 -+fi -+ -+# Здесь проверяется куда указывает симлинк(если создан) конфигурационного файла -+# если он смотрит на policy конфигурационный файл, то ничего не делаем, т.к. все уже сделано до нас -+if [ "$EMPTY" = "2" ];then -+ if [ "$NEED_PATCH" = "1" ];then -+ set_gost -+ touch "$USE_PATCH" -+ else -+ OPTS_FOR_EXECUTE=$(get_auth_options) -+ if [ -n "$OPTS_FOR_EXECUTE" ];then -+ save_restored_profile -+ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then -+ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force -+ else -+ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force --backup=auth_saved_profile -+ fi -+ #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" -+ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" -+ /usr/bin/authselect apply-changes -+ touch "$PATH_TO_AUTH_SEL_BAK" -+ fi -+ fi -+else -+ if [ "$NEED_PATCH" = "1" ];then -+ set_gost -+ touch "$USE_PATCH" -+ else -+# Если не найден файл маркер, то создается файл бэкапа для authselect -+# а так же создается файл маркер -+ if [ ! -e "$PATH_TO_AUTH_SEL_BAK" ];then -+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_SEL_BAK" -+ EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG") -+ if [ -n "$EMPTY_AUTH" ];then -+ if [ ! 
-e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then
-+ /usr/bin/authselect apply-changes --backup="$AUTH_BACKUP_NAME"
-+ fi
-+ fi
-+ fi
-+
-+ #LINK_VALUE=$(/usr/bin/readlink "$PATH_TO_AUTH_CONFIG")
-+ #if [ "$LINK_VALUE" != "$POLICY_CONFIG" ];then
-+ # #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
-+ #fi
-+ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
-+ /usr/bin/authselect apply-changes
-+ fi
-+fi
-+
-+exit 0
-\ No newline at end of file
-diff --git a/tests/alternative-policies/GOST-ONLY.pol b/tests/alternative-policies/GOST-ONLY.pol
-new file mode 100644
-index 0000000..6238020
---- /dev/null
-+++ b/tests/alternative-policies/GOST-ONLY.pol
-@@ -0,0 +1,30 @@
-+# Next generation GOST algorithms
-+
-+mac = AEAD *STREEBOG* *-OMAC *-OMAC-ACPKM *GOST*
-+
-+group = *GOST*
-+
-+hash = *GOST* *STREEBOG*
-+
-+sign = *GOST*
-+
-+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM
-+
-+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-C*
-+
-+key_exchange = *GOST*
-+
-+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0
-+
-+min_tls_version = TLS1.0
-+
-+# Parameter sizes
-+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL
-+min_dh_size = 2048
-+min_dsa_size = 2048
-+min_rsa_size = 2048
-+
-+# GnuTLS only for now
-+sha1_in_certs = 0
-+
-+action_do = GOST
-diff --git a/tests/alternative-policies/modules/GOST.pmod b/tests/alternative-policies/modules/GOST.pmod
-new file mode 100644
-index 0000000..4280cad
---- /dev/null
-+++ b/tests/alternative-policies/modules/GOST.pmod
-@@ -0,0 +1,18 @@
-+# Adds GOST algorithms.
-+# This is an example subpolicy, the algorithm names might differ in reality. 
-+
-+mac = +*STREEBOG-* +*-OMAC +*-OMAC-ACPKM +GOST28147* +AEAD
-+
-+group = +*GOST*
-+
-+hash = +*STREEBOG* +*GOST*
-+
-+sign = +*GOST*
-+
-+cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM
-+
-+cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB
-+
-+key_exchange = +*GOST*
-+
-+action_do = +GOST
-\ No newline at end of file
-diff --git a/tests/gnutls.py b/tests/gnutls.py
-index 5833639..28db664 100755
---- a/tests/gnutls.py
-+++ b/tests/gnutls.py
-@@ -3,6 +3,7 @@
- import os
- import subprocess
- import sys
-+import re
- from pathlib import Path
- 
- if os.getenv('OLD_GNUTLS') == '1':
-@@ -13,7 +14,7 @@ print('Checking the GnuTLS configuration')
- 
- for policy_path in Path('tests', 'outputs').glob('*-gnutls.txt'):
- policy = policy_path.name.removesuffix('-gnutls.txt')
-- if policy == 'GOST-ONLY':
-+ if re.match(r'^GOST-ONLY', policy):
- continue
- print(f'Checking policy {policy}')
- 
-diff --git a/tests/java.py b/tests/java.py
-index 97968c7..52b2d87 100755
---- a/tests/java.py
-+++ b/tests/java.py
-@@ -2,6 +2,7 @@
- 
- import subprocess
- import sys
-+import re
- from pathlib import Path
- 
- print('Checking the Java configuration')
-@@ -38,7 +39,7 @@ for policy_path in Path('tests', 'outputs').glob('*-java.txt'):
- lines = out.split('\n')
- line_count = out.count('\n')
- 
-- if policy in {'EMPTY', 'GOST-ONLY'}:
-+ if re.match(r'^GOST-ONLY', policy) or policy in {'EMPTY'}:
- if line_count >= 2: # we allow SCSV # noqa: PLR2004
- print('Empty policy has ciphersuites!', file=sys.stderr)
- print(p.stdout, file=sys.stderr)
-diff --git a/tests/nss.py b/tests/nss.py
-index fda2275..f22c701 100755
---- a/tests/nss.py
-+++ b/tests/nss.py
-@@ -35,7 +35,7 @@ print('Checking the NSS configuration')
- for policy_path in Path('tests', 'outputs').glob('*-nss.txt'):
- policy = policy_path.name.removesuffix('-nss.txt')
- 
print(f'Checking policy {policy}')
-- if policy not in {'EMPTY', 'GOST-ONLY'}:
-+ if policy not in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM'):
- try:
- p = subprocess.run(['nss-policy-check', # noqa: S607
- *options, policy_path],
-diff --git a/tests/openssl.py b/tests/openssl.py
-index c0504f6..69b2468 100755
---- a/tests/openssl.py
-+++ b/tests/openssl.py
-@@ -8,7 +8,7 @@ print('Checking the OpenSSL configuration')
- 
- for policy_path in Path('tests', 'outputs').glob('*-openssl.txt'):
- policy = policy_path.name.removesuffix('-openssl.txt')
-- if policy in {'EMPTY', 'GOST-ONLY'}:
-+ if policy in {'EMPTY', 'GOST-ONLY', "GOST-ONLY-PAM"}:
- continue
- print(f'Checking policy {policy}')
- 
-diff --git a/tests/outputs/DEFAULT-auth.txt b/tests/outputs/DEFAULT-auth.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/DEFAULT:GOST-auth.txt b/tests/outputs/DEFAULT:GOST-auth.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/DEFAULT:GOST-bind.txt b/tests/outputs/DEFAULT:GOST-bind.txt
-new file mode 100644
-index 0000000..09fb3f1
---- /dev/null
-+++ b/tests/outputs/DEFAULT:GOST-bind.txt
-@@ -0,0 +1,10 @@
-+disable-algorithms "." {
-+RSAMD5;
-+RSASHA1;
-+NSEC3RSASHA1;
-+DSA;
-+NSEC3DSA;
-+};
-+disable-ds-digests "." 
{ -+SHA-1; -+}; -diff --git a/tests/outputs/DEFAULT:GOST-gnutls.txt b/tests/outputs/DEFAULT:GOST-gnutls.txt -new file mode 100644 -index 0000000..9a04550 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-gnutls.txt -@@ -0,0 +1,105 @@ -+[global] -+override-mode = allowlist -+ -+[overrides] -+secure-hash = SHA256 -+secure-hash = SHA384 -+secure-hash = SHA512 -+secure-hash = SHA3-256 -+secure-hash = SHA3-384 -+secure-hash = SHA3-512 -+secure-hash = SHA224 -+secure-hash = SHA3-224 -+secure-hash = SHAKE-256 -+tls-enabled-mac = AEAD -+tls-enabled-mac = SHA1 -+tls-enabled-mac = SHA512 -+tls-enabled-group = GROUP-X25519 -+tls-enabled-group = GROUP-SECP256R1 -+tls-enabled-group = GROUP-X448 -+tls-enabled-group = GROUP-SECP521R1 -+tls-enabled-group = GROUP-SECP384R1 -+tls-enabled-group = GROUP-FFDHE2048 -+tls-enabled-group = GROUP-FFDHE3072 -+tls-enabled-group = GROUP-FFDHE4096 -+tls-enabled-group = GROUP-FFDHE6144 -+tls-enabled-group = GROUP-FFDHE8192 -+secure-sig = ECDSA-SHA3-256 -+secure-sig = ECDSA-SHA256 -+secure-sig = ECDSA-SECP256R1-SHA256 -+secure-sig = ECDSA-SHA3-384 -+secure-sig = ECDSA-SHA384 -+secure-sig = ECDSA-SECP384R1-SHA384 -+secure-sig = ECDSA-SHA3-512 -+secure-sig = ECDSA-SHA512 -+secure-sig = ECDSA-SECP521R1-SHA512 -+secure-sig = EdDSA-Ed25519 -+secure-sig = EdDSA-Ed448 -+secure-sig = RSA-PSS-SHA256 -+secure-sig = RSA-PSS-SHA384 -+secure-sig = RSA-PSS-SHA512 -+secure-sig = RSA-PSS-RSAE-SHA256 -+secure-sig = RSA-PSS-RSAE-SHA384 -+secure-sig = RSA-PSS-RSAE-SHA512 -+secure-sig = RSA-SHA3-256 -+secure-sig = RSA-SHA256 -+secure-sig = RSA-SHA3-384 -+secure-sig = RSA-SHA384 -+secure-sig = RSA-SHA3-512 -+secure-sig = RSA-SHA512 -+secure-sig = ECDSA-SHA224 -+secure-sig = RSA-SHA224 -+secure-sig = ECDSA-SHA3-224 -+secure-sig = RSA-SHA3-224 -+secure-sig-for-cert = ECDSA-SHA3-256 -+secure-sig-for-cert = ECDSA-SHA256 -+secure-sig-for-cert = ECDSA-SECP256R1-SHA256 -+secure-sig-for-cert = ECDSA-SHA3-384 -+secure-sig-for-cert = ECDSA-SHA384 -+secure-sig-for-cert = 
ECDSA-SECP384R1-SHA384 -+secure-sig-for-cert = ECDSA-SHA3-512 -+secure-sig-for-cert = ECDSA-SHA512 -+secure-sig-for-cert = ECDSA-SECP521R1-SHA512 -+secure-sig-for-cert = EdDSA-Ed25519 -+secure-sig-for-cert = EdDSA-Ed448 -+secure-sig-for-cert = RSA-PSS-SHA256 -+secure-sig-for-cert = RSA-PSS-SHA384 -+secure-sig-for-cert = RSA-PSS-SHA512 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA256 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA384 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA512 -+secure-sig-for-cert = RSA-SHA3-256 -+secure-sig-for-cert = RSA-SHA256 -+secure-sig-for-cert = RSA-SHA3-384 -+secure-sig-for-cert = RSA-SHA384 -+secure-sig-for-cert = RSA-SHA3-512 -+secure-sig-for-cert = RSA-SHA512 -+secure-sig-for-cert = ECDSA-SHA224 -+secure-sig-for-cert = RSA-SHA224 -+secure-sig-for-cert = ECDSA-SHA3-224 -+secure-sig-for-cert = RSA-SHA3-224 -+enabled-curve = X25519 -+enabled-curve = SECP256R1 -+enabled-curve = X448 -+enabled-curve = SECP521R1 -+enabled-curve = SECP384R1 -+enabled-curve = Ed25519 -+enabled-curve = Ed448 -+tls-enabled-cipher = AES-256-GCM -+tls-enabled-cipher = AES-256-CCM -+tls-enabled-cipher = CHACHA20-POLY1305 -+tls-enabled-cipher = AES-256-CBC -+tls-enabled-cipher = AES-128-GCM -+tls-enabled-cipher = AES-128-CCM -+tls-enabled-cipher = AES-128-CBC -+tls-enabled-kx = ECDHE-RSA -+tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA -+tls-enabled-kx = DHE-RSA -+enabled-version = TLS1.3 -+enabled-version = TLS1.2 -+enabled-version = DTLS1.2 -+min-verification-profile = medium -+ -+[priorities] -+SYSTEM=NONE -diff --git a/tests/outputs/DEFAULT:GOST-java.txt b/tests/outputs/DEFAULT:GOST-java.txt -new file mode 100644 -index 0000000..ed6f632 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-java.txt -@@ -0,0 +1,4 @@ -+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA 
keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 -+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 -+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 -+jdk.tls.legacyAlgorithms= -diff --git a/tests/outputs/DEFAULT:GOST-javasystem.txt b/tests/outputs/DEFAULT:GOST-javasystem.txt -new file mode 100644 -index 0000000..7d5cfd6 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-javasystem.txt -@@ -0,0 +1,2 @@ -+jdk.tls.ephemeralDHKeySize=2048 -+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 -diff --git a/tests/outputs/DEFAULT:GOST-krb5.txt b/tests/outputs/DEFAULT:GOST-krb5.txt -new file mode 100644 -index 0000000..415dcb3 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-krb5.txt -@@ -0,0 +1,2 @@ -+[libdefaults] -+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 
aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 -diff --git a/tests/outputs/DEFAULT:GOST-libreswan.txt b/tests/outputs/DEFAULT:GOST-libreswan.txt -new file mode 100644 -index 0000000..9f2f5db ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-libreswan.txt -@@ -0,0 +1,6 @@ -+conn %default -+ ikev2=insist -+ pfs=yes -+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 -+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 -+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 -diff --git a/tests/outputs/DEFAULT:GOST-libssh.txt b/tests/outputs/DEFAULT:GOST-libssh.txt -new file mode 100644 -index 0000000..49d8251 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-libssh.txt -@@ -0,0 +1,5 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -diff --git a/tests/outputs/DEFAULT:GOST-nss.txt b/tests/outputs/DEFAULT:GOST-nss.txt -new file mode 100644 -index 0000000..b8bf74a ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-nss.txt -@@ -0,0 +1,6 @@ -+library= -+name=Policy -+NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ -diff --git a/tests/outputs/DEFAULT:GOST-openssh.txt b/tests/outputs/DEFAULT:GOST-openssh.txt -new file mode 100644 -index 0000000..47d352e ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-openssh.txt -@@ -0,0 +1,7 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+PubkeyAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:GOST-opensshserver.txt b/tests/outputs/DEFAULT:GOST-opensshserver.txt -new file mode 100644 -index 0000000..8105750 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-opensshserver.txt -@@ -0,0 +1,8 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:GOST-openssl.txt b/tests/outputs/DEFAULT:GOST-openssl.txt -new file mode 100644 -index 0000000..239566f ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-openssl.txt -@@ -0,0 +1 @@ -+@SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -diff --git a/tests/outputs/DEFAULT:GOST-openssl_fips.txt b/tests/outputs/DEFAULT:GOST-openssl_fips.txt -new file mode 100644 -index 0000000..c69d6e1 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-openssl_fips.txt -@@ -0,0 +1,4 @@ -+ -+[fips_sect] -+tls1-prf-ems-check = 1 -+activate = 1 -diff --git a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt -new file mode 100644 -index 0000000..6fe6291 ---- /dev/null -+++ 
b/tests/outputs/DEFAULT:GOST-opensslcnf.txt -@@ -0,0 +1,20 @@ -+CipherString = @SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -+Ciphersuites = GOST2012-GOST8912-GOST8912:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 -+TLS.MinProtocol = TLSv1.2 -+TLS.MaxProtocol = TLSv1.3 -+DTLS.MinProtocol = DTLSv1.2 -+DTLS.MaxProtocol = DTLSv1.2 -+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 -+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -+ -+[openssl_init] -+engines = engine_gost -+ -+[engine_gost] -+gost = gost_section -+ -+[gost_section] -+engine_id = gost -+dynamic_path = /usr/lib64/engines-3/gost.so -+default_algorithms = ALL -+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet -diff --git a/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt -new file mode 100644 -index 0000000..cec1d15 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt -@@ -0,0 +1,51 @@ -+[hash_algorithms] -+md5.collision_resistance = "never" -+md5.second_preimage_resistance = "never" -+sha1.collision_resistance = "always" -+sha1.second_preimage_resistance = "always" -+ripemd160.collision_resistance = "never" -+ripemd160.second_preimage_resistance = "never" -+sha224.collision_resistance = "always" -+sha224.second_preimage_resistance = "always" -+sha256.collision_resistance = "always" -+sha256.second_preimage_resistance = "always" -+sha384.collision_resistance = "always" -+sha384.second_preimage_resistance = "always" -+sha512.collision_resistance = "always" -+sha512.second_preimage_resistance = "always" -+default_disposition = "never" -+ 
-+[symmetric_algorithms] -+idea = "never" -+tripledes = "never" -+cast5 = "never" -+blowfish = "never" -+aes128 = "always" -+aes192 = "never" -+aes256 = "always" -+twofish = "never" -+camellia128 = "always" -+camellia192 = "never" -+camellia256 = "always" -+default_disposition = "never" -+ -+[asymmetric_algorithms] -+rsa1024 = "never" -+rsa2048 = "always" -+rsa3072 = "always" -+rsa4096 = "always" -+dsa1024 = "always" -+dsa2048 = "always" -+dsa3072 = "always" -+dsa4096 = "always" -+nistp256 = "always" -+nistp384 = "always" -+nistp521 = "always" -+cv25519 = "always" -+elgamal1024 = "never" -+elgamal2048 = "never" -+elgamal3072 = "never" -+elgamal4096 = "never" -+brainpoolp256 = "never" -+brainpoolp512 = "never" -+default_disposition = "never" -diff --git a/tests/outputs/DEFAULT:GOST-sequoia.txt b/tests/outputs/DEFAULT:GOST-sequoia.txt -new file mode 100644 -index 0000000..135997c ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-sequoia.txt -@@ -0,0 +1,51 @@ -+[hash_algorithms] -+md5.collision_resistance = "never" -+md5.second_preimage_resistance = "never" -+sha1.collision_resistance = "never" -+sha1.second_preimage_resistance = "never" -+ripemd160.collision_resistance = "never" -+ripemd160.second_preimage_resistance = "never" -+sha224.collision_resistance = "always" -+sha224.second_preimage_resistance = "always" -+sha256.collision_resistance = "always" -+sha256.second_preimage_resistance = "always" -+sha384.collision_resistance = "always" -+sha384.second_preimage_resistance = "always" -+sha512.collision_resistance = "always" -+sha512.second_preimage_resistance = "always" -+default_disposition = "never" -+ -+[symmetric_algorithms] -+idea = "never" -+tripledes = "never" -+cast5 = "never" -+blowfish = "never" -+aes128 = "always" -+aes192 = "never" -+aes256 = "always" -+twofish = "never" -+camellia128 = "always" -+camellia192 = "never" -+camellia256 = "always" -+default_disposition = "never" -+ -+[asymmetric_algorithms] -+rsa1024 = "never" -+rsa2048 = "always" -+rsa3072 
= "always" -+rsa4096 = "always" -+dsa1024 = "never" -+dsa2048 = "never" -+dsa3072 = "never" -+dsa4096 = "never" -+nistp256 = "always" -+nistp384 = "always" -+nistp521 = "always" -+cv25519 = "always" -+elgamal1024 = "never" -+elgamal2048 = "never" -+elgamal3072 = "never" -+elgamal4096 = "never" -+brainpoolp256 = "never" -+brainpoolp512 = "never" -+default_disposition = "never" -diff --git a/tests/outputs/DEFAULT:PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PAM-GOST-auth.txt -new file mode 100644 -index 0000000..110527f ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-auth.txt -@@ -0,0 +1,2 @@ -+custom/minimal_gost -+with-gost -\ No newline at end of file -diff --git a/tests/outputs/DEFAULT:PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PAM-GOST-bind.txt -new file mode 100644 -index 0000000..9ec8420 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-bind.txt -@@ -0,0 +1,12 @@ -+disable-algorithms "." { -+RSAMD5; -+RSASHA1; -+NSEC3RSASHA1; -+DSA; -+NSEC3DSA; -+ECCGOST; -+}; -+disable-ds-digests "." 
{ -+SHA-1; -+GOST; -+}; -diff --git a/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt -new file mode 100644 -index 0000000..9a04550 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt -@@ -0,0 +1,105 @@ -+[global] -+override-mode = allowlist -+ -+[overrides] -+secure-hash = SHA256 -+secure-hash = SHA384 -+secure-hash = SHA512 -+secure-hash = SHA3-256 -+secure-hash = SHA3-384 -+secure-hash = SHA3-512 -+secure-hash = SHA224 -+secure-hash = SHA3-224 -+secure-hash = SHAKE-256 -+tls-enabled-mac = AEAD -+tls-enabled-mac = SHA1 -+tls-enabled-mac = SHA512 -+tls-enabled-group = GROUP-X25519 -+tls-enabled-group = GROUP-SECP256R1 -+tls-enabled-group = GROUP-X448 -+tls-enabled-group = GROUP-SECP521R1 -+tls-enabled-group = GROUP-SECP384R1 -+tls-enabled-group = GROUP-FFDHE2048 -+tls-enabled-group = GROUP-FFDHE3072 -+tls-enabled-group = GROUP-FFDHE4096 -+tls-enabled-group = GROUP-FFDHE6144 -+tls-enabled-group = GROUP-FFDHE8192 -+secure-sig = ECDSA-SHA3-256 -+secure-sig = ECDSA-SHA256 -+secure-sig = ECDSA-SECP256R1-SHA256 -+secure-sig = ECDSA-SHA3-384 -+secure-sig = ECDSA-SHA384 -+secure-sig = ECDSA-SECP384R1-SHA384 -+secure-sig = ECDSA-SHA3-512 -+secure-sig = ECDSA-SHA512 -+secure-sig = ECDSA-SECP521R1-SHA512 -+secure-sig = EdDSA-Ed25519 -+secure-sig = EdDSA-Ed448 -+secure-sig = RSA-PSS-SHA256 -+secure-sig = RSA-PSS-SHA384 -+secure-sig = RSA-PSS-SHA512 -+secure-sig = RSA-PSS-RSAE-SHA256 -+secure-sig = RSA-PSS-RSAE-SHA384 -+secure-sig = RSA-PSS-RSAE-SHA512 -+secure-sig = RSA-SHA3-256 -+secure-sig = RSA-SHA256 -+secure-sig = RSA-SHA3-384 -+secure-sig = RSA-SHA384 -+secure-sig = RSA-SHA3-512 -+secure-sig = RSA-SHA512 -+secure-sig = ECDSA-SHA224 -+secure-sig = RSA-SHA224 -+secure-sig = ECDSA-SHA3-224 -+secure-sig = RSA-SHA3-224 -+secure-sig-for-cert = ECDSA-SHA3-256 -+secure-sig-for-cert = ECDSA-SHA256 -+secure-sig-for-cert = ECDSA-SECP256R1-SHA256 -+secure-sig-for-cert = ECDSA-SHA3-384 -+secure-sig-for-cert = ECDSA-SHA384 
-+secure-sig-for-cert = ECDSA-SECP384R1-SHA384 -+secure-sig-for-cert = ECDSA-SHA3-512 -+secure-sig-for-cert = ECDSA-SHA512 -+secure-sig-for-cert = ECDSA-SECP521R1-SHA512 -+secure-sig-for-cert = EdDSA-Ed25519 -+secure-sig-for-cert = EdDSA-Ed448 -+secure-sig-for-cert = RSA-PSS-SHA256 -+secure-sig-for-cert = RSA-PSS-SHA384 -+secure-sig-for-cert = RSA-PSS-SHA512 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA256 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA384 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA512 -+secure-sig-for-cert = RSA-SHA3-256 -+secure-sig-for-cert = RSA-SHA256 -+secure-sig-for-cert = RSA-SHA3-384 -+secure-sig-for-cert = RSA-SHA384 -+secure-sig-for-cert = RSA-SHA3-512 -+secure-sig-for-cert = RSA-SHA512 -+secure-sig-for-cert = ECDSA-SHA224 -+secure-sig-for-cert = RSA-SHA224 -+secure-sig-for-cert = ECDSA-SHA3-224 -+secure-sig-for-cert = RSA-SHA3-224 -+enabled-curve = X25519 -+enabled-curve = SECP256R1 -+enabled-curve = X448 -+enabled-curve = SECP521R1 -+enabled-curve = SECP384R1 -+enabled-curve = Ed25519 -+enabled-curve = Ed448 -+tls-enabled-cipher = AES-256-GCM -+tls-enabled-cipher = AES-256-CCM -+tls-enabled-cipher = CHACHA20-POLY1305 -+tls-enabled-cipher = AES-256-CBC -+tls-enabled-cipher = AES-128-GCM -+tls-enabled-cipher = AES-128-CCM -+tls-enabled-cipher = AES-128-CBC -+tls-enabled-kx = ECDHE-RSA -+tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA -+tls-enabled-kx = DHE-RSA -+enabled-version = TLS1.3 -+enabled-version = TLS1.2 -+enabled-version = DTLS1.2 -+min-verification-profile = medium -+ -+[priorities] -+SYSTEM=NONE -diff --git a/tests/outputs/DEFAULT:PAM-GOST-java.txt b/tests/outputs/DEFAULT:PAM-GOST-java.txt -new file mode 100644 -index 0000000..ed6f632 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-java.txt -@@ -0,0 +1,4 @@ -+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, 
SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 -+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 -+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 -+jdk.tls.legacyAlgorithms= -diff --git a/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt -new file mode 100644 -index 0000000..7d5cfd6 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt -@@ -0,0 +1,2 @@ -+jdk.tls.ephemeralDHKeySize=2048 -+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt -new file mode 100644 -index 0000000..415dcb3 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt -@@ -0,0 +1,2 @@ -+[libdefaults] -+permitted_enctypes = 
aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt -new file mode 100644 -index 0000000..9f2f5db ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt -@@ -0,0 +1,6 @@ -+conn %default -+ ikev2=insist -+ pfs=yes -+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 -+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 -+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt -new file mode 100644 -index 0000000..49d8251 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt -@@ -0,0 +1,5 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -diff --git a/tests/outputs/DEFAULT:PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PAM-GOST-nss.txt -new file mode 100644 -index 0000000..b8bf74a ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-nss.txt -@@ -0,0 +1,6 @@ -+library= -+name=Policy -+NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ -diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt -new file mode 100644 -index 0000000..47d352e ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt -@@ -0,0 +1,7 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+PubkeyAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt -new file mode 100644 -index 0000000..8105750 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt -@@ -0,0 +1,8 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt -new file mode 100644 -index 0000000..952c651 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt -@@ -0,0 +1 @@ -+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt -new file mode 100644 -index 0000000..c69d6e1 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt -@@ -0,0 +1,4 @@ -+ -+[fips_sect] -+tls1-prf-ems-check = 1 -+activate = 1 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt -new file mode 100644 -index 0000000..8f18d1e 
---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt -@@ -0,0 +1,8 @@ -+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 -+TLS.MinProtocol = TLSv1.2 -+TLS.MaxProtocol = TLSv1.3 -+DTLS.MinProtocol = DTLSv1.2 -+DTLS.MaxProtocol = DTLSv1.2 -+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 -+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt -new file mode 100644 -index 0000000..dbcae14 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt -@@ -0,0 +1 @@ -+patch -\ No newline at end of file -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt -new file mode 100644 -index 0000000..9ec8420 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt -@@ -0,0 +1,12 @@ -+disable-algorithms "." { -+RSAMD5; -+RSASHA1; -+NSEC3RSASHA1; -+DSA; -+NSEC3DSA; -+ECCGOST; -+}; -+disable-ds-digests "." 
{ -+SHA-1; -+GOST; -+}; -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt -new file mode 100644 -index 0000000..9a04550 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt -@@ -0,0 +1,105 @@ -+[global] -+override-mode = allowlist -+ -+[overrides] -+secure-hash = SHA256 -+secure-hash = SHA384 -+secure-hash = SHA512 -+secure-hash = SHA3-256 -+secure-hash = SHA3-384 -+secure-hash = SHA3-512 -+secure-hash = SHA224 -+secure-hash = SHA3-224 -+secure-hash = SHAKE-256 -+tls-enabled-mac = AEAD -+tls-enabled-mac = SHA1 -+tls-enabled-mac = SHA512 -+tls-enabled-group = GROUP-X25519 -+tls-enabled-group = GROUP-SECP256R1 -+tls-enabled-group = GROUP-X448 -+tls-enabled-group = GROUP-SECP521R1 -+tls-enabled-group = GROUP-SECP384R1 -+tls-enabled-group = GROUP-FFDHE2048 -+tls-enabled-group = GROUP-FFDHE3072 -+tls-enabled-group = GROUP-FFDHE4096 -+tls-enabled-group = GROUP-FFDHE6144 -+tls-enabled-group = GROUP-FFDHE8192 -+secure-sig = ECDSA-SHA3-256 -+secure-sig = ECDSA-SHA256 -+secure-sig = ECDSA-SECP256R1-SHA256 -+secure-sig = ECDSA-SHA3-384 -+secure-sig = ECDSA-SHA384 -+secure-sig = ECDSA-SECP384R1-SHA384 -+secure-sig = ECDSA-SHA3-512 -+secure-sig = ECDSA-SHA512 -+secure-sig = ECDSA-SECP521R1-SHA512 -+secure-sig = EdDSA-Ed25519 -+secure-sig = EdDSA-Ed448 -+secure-sig = RSA-PSS-SHA256 -+secure-sig = RSA-PSS-SHA384 -+secure-sig = RSA-PSS-SHA512 -+secure-sig = RSA-PSS-RSAE-SHA256 -+secure-sig = RSA-PSS-RSAE-SHA384 -+secure-sig = RSA-PSS-RSAE-SHA512 -+secure-sig = RSA-SHA3-256 -+secure-sig = RSA-SHA256 -+secure-sig = RSA-SHA3-384 -+secure-sig = RSA-SHA384 -+secure-sig = RSA-SHA3-512 -+secure-sig = RSA-SHA512 -+secure-sig = ECDSA-SHA224 -+secure-sig = RSA-SHA224 -+secure-sig = ECDSA-SHA3-224 -+secure-sig = RSA-SHA3-224 -+secure-sig-for-cert = ECDSA-SHA3-256 -+secure-sig-for-cert = ECDSA-SHA256 -+secure-sig-for-cert = ECDSA-SECP256R1-SHA256 -+secure-sig-for-cert = ECDSA-SHA3-384 -+secure-sig-for-cert = 
ECDSA-SHA384 -+secure-sig-for-cert = ECDSA-SECP384R1-SHA384 -+secure-sig-for-cert = ECDSA-SHA3-512 -+secure-sig-for-cert = ECDSA-SHA512 -+secure-sig-for-cert = ECDSA-SECP521R1-SHA512 -+secure-sig-for-cert = EdDSA-Ed25519 -+secure-sig-for-cert = EdDSA-Ed448 -+secure-sig-for-cert = RSA-PSS-SHA256 -+secure-sig-for-cert = RSA-PSS-SHA384 -+secure-sig-for-cert = RSA-PSS-SHA512 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA256 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA384 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA512 -+secure-sig-for-cert = RSA-SHA3-256 -+secure-sig-for-cert = RSA-SHA256 -+secure-sig-for-cert = RSA-SHA3-384 -+secure-sig-for-cert = RSA-SHA384 -+secure-sig-for-cert = RSA-SHA3-512 -+secure-sig-for-cert = RSA-SHA512 -+secure-sig-for-cert = ECDSA-SHA224 -+secure-sig-for-cert = RSA-SHA224 -+secure-sig-for-cert = ECDSA-SHA3-224 -+secure-sig-for-cert = RSA-SHA3-224 -+enabled-curve = X25519 -+enabled-curve = SECP256R1 -+enabled-curve = X448 -+enabled-curve = SECP521R1 -+enabled-curve = SECP384R1 -+enabled-curve = Ed25519 -+enabled-curve = Ed448 -+tls-enabled-cipher = AES-256-GCM -+tls-enabled-cipher = AES-256-CCM -+tls-enabled-cipher = CHACHA20-POLY1305 -+tls-enabled-cipher = AES-256-CBC -+tls-enabled-cipher = AES-128-GCM -+tls-enabled-cipher = AES-128-CCM -+tls-enabled-cipher = AES-128-CBC -+tls-enabled-kx = ECDHE-RSA -+tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA -+tls-enabled-kx = DHE-RSA -+enabled-version = TLS1.3 -+enabled-version = TLS1.2 -+enabled-version = DTLS1.2 -+min-verification-profile = medium -+ -+[priorities] -+SYSTEM=NONE -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt -new file mode 100644 -index 0000000..ed6f632 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt -@@ -0,0 +1,4 @@ -+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, 
SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 -+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 -+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 -+jdk.tls.legacyAlgorithms= -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt -new file mode 100644 -index 0000000..7d5cfd6 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt -@@ -0,0 +1,2 @@ -+jdk.tls.ephemeralDHKeySize=2048 -+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt -new file mode 100644 -index 0000000..415dcb3 ---- /dev/null -+++ 
b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt -@@ -0,0 +1,2 @@ -+[libdefaults] -+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt -new file mode 100644 -index 0000000..9f2f5db ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt -@@ -0,0 +1,6 @@ -+conn %default -+ ikev2=insist -+ pfs=yes -+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 -+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 -+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt -new file mode 100644 -index 0000000..49d8251 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt -@@ -0,0 +1,5 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt -new file mode 100644 -index 0000000..b8bf74a ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt -@@ -0,0 +1,6 @@ -+library= -+name=Policy -+NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt -new file mode 100644 -index 0000000..47d352e ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt -@@ -0,0 +1,7 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt -new file mode 100644 -index 0000000..8105750 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt -@@ -0,0 +1,8 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt -new file mode 100644 -index 0000000..952c651 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt -@@ -0,0 +1 @@ -+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt -new file mode 100644 -index 0000000..c69d6e1 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt -@@ -0,0 +1,4 @@ -+ -+[fips_sect] -+tls1-prf-ems-check = 1 -+activate = 1 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt 
b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt -new file mode 100644 -index 0000000..8f18d1e ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt -@@ -0,0 +1,8 @@ -+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 -+TLS.MinProtocol = TLSv1.2 -+TLS.MaxProtocol = TLSv1.3 -+DTLS.MinProtocol = DTLSv1.2 -+DTLS.MaxProtocol = DTLSv1.2 -+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 -+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -diff --git a/tests/outputs/DEFAULT:SHA1-auth.txt b/tests/outputs/DEFAULT:SHA1-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt -new file mode 100644 -index 0000000..4884073 ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt -@@ -0,0 +1,4 @@ -+custom/sssd_gost -+with-gost -+with-fingerprint -+with-silent-lastlog -\ No newline at end of file -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt -new file mode 100644 -index 0000000..9ec8420 ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt -@@ -0,0 +1,12 @@ -+disable-algorithms "." { -+RSAMD5; -+RSASHA1; -+NSEC3RSASHA1; -+DSA; -+NSEC3DSA; -+ECCGOST; -+}; -+disable-ds-digests "." 
{ -+SHA-1; -+GOST; -+}; -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt -new file mode 100644 -index 0000000..9a04550 ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt -@@ -0,0 +1,105 @@ -+[global] -+override-mode = allowlist -+ -+[overrides] -+secure-hash = SHA256 -+secure-hash = SHA384 -+secure-hash = SHA512 -+secure-hash = SHA3-256 -+secure-hash = SHA3-384 -+secure-hash = SHA3-512 -+secure-hash = SHA224 -+secure-hash = SHA3-224 -+secure-hash = SHAKE-256 -+tls-enabled-mac = AEAD -+tls-enabled-mac = SHA1 -+tls-enabled-mac = SHA512 -+tls-enabled-group = GROUP-X25519 -+tls-enabled-group = GROUP-SECP256R1 -+tls-enabled-group = GROUP-X448 -+tls-enabled-group = GROUP-SECP521R1 -+tls-enabled-group = GROUP-SECP384R1 -+tls-enabled-group = GROUP-FFDHE2048 -+tls-enabled-group = GROUP-FFDHE3072 -+tls-enabled-group = GROUP-FFDHE4096 -+tls-enabled-group = GROUP-FFDHE6144 -+tls-enabled-group = GROUP-FFDHE8192 -+secure-sig = ECDSA-SHA3-256 -+secure-sig = ECDSA-SHA256 -+secure-sig = ECDSA-SECP256R1-SHA256 -+secure-sig = ECDSA-SHA3-384 -+secure-sig = ECDSA-SHA384 -+secure-sig = ECDSA-SECP384R1-SHA384 -+secure-sig = ECDSA-SHA3-512 -+secure-sig = ECDSA-SHA512 -+secure-sig = ECDSA-SECP521R1-SHA512 -+secure-sig = EdDSA-Ed25519 -+secure-sig = EdDSA-Ed448 -+secure-sig = RSA-PSS-SHA256 -+secure-sig = RSA-PSS-SHA384 -+secure-sig = RSA-PSS-SHA512 -+secure-sig = RSA-PSS-RSAE-SHA256 -+secure-sig = RSA-PSS-RSAE-SHA384 -+secure-sig = RSA-PSS-RSAE-SHA512 -+secure-sig = RSA-SHA3-256 -+secure-sig = RSA-SHA256 -+secure-sig = RSA-SHA3-384 -+secure-sig = RSA-SHA384 -+secure-sig = RSA-SHA3-512 -+secure-sig = RSA-SHA512 -+secure-sig = ECDSA-SHA224 -+secure-sig = RSA-SHA224 -+secure-sig = ECDSA-SHA3-224 -+secure-sig = RSA-SHA3-224 -+secure-sig-for-cert = ECDSA-SHA3-256 -+secure-sig-for-cert = ECDSA-SHA256 -+secure-sig-for-cert = ECDSA-SECP256R1-SHA256 -+secure-sig-for-cert = ECDSA-SHA3-384 -+secure-sig-for-cert = 
ECDSA-SHA384 -+secure-sig-for-cert = ECDSA-SECP384R1-SHA384 -+secure-sig-for-cert = ECDSA-SHA3-512 -+secure-sig-for-cert = ECDSA-SHA512 -+secure-sig-for-cert = ECDSA-SECP521R1-SHA512 -+secure-sig-for-cert = EdDSA-Ed25519 -+secure-sig-for-cert = EdDSA-Ed448 -+secure-sig-for-cert = RSA-PSS-SHA256 -+secure-sig-for-cert = RSA-PSS-SHA384 -+secure-sig-for-cert = RSA-PSS-SHA512 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA256 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA384 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA512 -+secure-sig-for-cert = RSA-SHA3-256 -+secure-sig-for-cert = RSA-SHA256 -+secure-sig-for-cert = RSA-SHA3-384 -+secure-sig-for-cert = RSA-SHA384 -+secure-sig-for-cert = RSA-SHA3-512 -+secure-sig-for-cert = RSA-SHA512 -+secure-sig-for-cert = ECDSA-SHA224 -+secure-sig-for-cert = RSA-SHA224 -+secure-sig-for-cert = ECDSA-SHA3-224 -+secure-sig-for-cert = RSA-SHA3-224 -+enabled-curve = X25519 -+enabled-curve = SECP256R1 -+enabled-curve = X448 -+enabled-curve = SECP521R1 -+enabled-curve = SECP384R1 -+enabled-curve = Ed25519 -+enabled-curve = Ed448 -+tls-enabled-cipher = AES-256-GCM -+tls-enabled-cipher = AES-256-CCM -+tls-enabled-cipher = CHACHA20-POLY1305 -+tls-enabled-cipher = AES-256-CBC -+tls-enabled-cipher = AES-128-GCM -+tls-enabled-cipher = AES-128-CCM -+tls-enabled-cipher = AES-128-CBC -+tls-enabled-kx = ECDHE-RSA -+tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA -+tls-enabled-kx = DHE-RSA -+enabled-version = TLS1.3 -+enabled-version = TLS1.2 -+enabled-version = DTLS1.2 -+min-verification-profile = medium -+ -+[priorities] -+SYSTEM=NONE -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt -new file mode 100644 -index 0000000..ed6f632 ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt -@@ -0,0 +1,4 @@ -+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, 
SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 -+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 -+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 -+jdk.tls.legacyAlgorithms= -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt -new file mode 100644 -index 0000000..7d5cfd6 ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt -@@ -0,0 +1,2 @@ -+jdk.tls.ephemeralDHKeySize=2048 -+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt -new file mode 100644 -index 0000000..415dcb3 ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt -@@ 
-0,0 +1,2 @@ -+[libdefaults] -+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt -new file mode 100644 -index 0000000..9f2f5db ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt -@@ -0,0 +1,6 @@ -+conn %default -+ ikev2=insist -+ pfs=yes -+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 -+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 -+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt -new file mode 100644 -index 0000000..49d8251 ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt -@@ -0,0 +1,5 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt -new file mode 100644 -index 0000000..b8bf74a ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt -@@ -0,0 +1,6 @@ -+library= -+name=Policy -+NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt -new file mode 100644 -index 0000000..47d352e ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt -@@ -0,0 +1,7 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt -new file mode 100644 -index 0000000..8105750 ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt -@@ -0,0 +1,8 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt -new file mode 100644 -index 0000000..952c651 ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt -@@ -0,0 +1 @@ -+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt -new file mode 100644 -index 0000000..c69d6e1 ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt -@@ -0,0 +1,4 @@ -+ -+[fips_sect] -+tls1-prf-ems-check = 1 -+activate = 1 -diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt -new 
file mode 100644 -index 0000000..8f18d1e ---- /dev/null -+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt -@@ -0,0 +1,8 @@ -+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 -+TLS.MinProtocol = TLSv1.2 -+TLS.MaxProtocol = TLSv1.3 -+DTLS.MinProtocol = DTLSv1.2 -+DTLS.MaxProtocol = DTLSv1.2 -+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 -+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -diff --git a/tests/outputs/EMPTY-auth.txt b/tests/outputs/EMPTY-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FIPS-auth.txt b/tests/outputs/FIPS-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FIPS:ECDHE-ONLY-auth.txt b/tests/outputs/FIPS:ECDHE-ONLY-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt b/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FIPS:OSPP-auth.txt b/tests/outputs/FIPS:OSPP-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FUTURE-auth.txt b/tests/outputs/FUTURE-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FUTURE:AD-SUPPORT-auth.txt b/tests/outputs/FUTURE:AD-SUPPORT-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/GOST-ONLY-PAM-auth.txt b/tests/outputs/GOST-ONLY-PAM-auth.txt -new file mode 100644 -index 0000000..110527f ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-auth.txt 
-@@ -0,0 +1,2 @@ -+custom/minimal_gost -+with-gost -\ No newline at end of file -diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt -new file mode 100644 -index 0000000..e701c5c ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-bind.txt -@@ -0,0 +1,18 @@ -+disable-algorithms "." { -+RSAMD5; -+RSASHA1; -+NSEC3RSASHA1; -+DSA; -+NSEC3DSA; -+RSASHA256; -+ECDSAP256SHA256; -+ECDSAP384SHA384; -+RSASHA512; -+ED25519; -+ED448; -+}; -+disable-ds-digests "." { -+SHA-256; -+SHA-384; -+SHA-1; -+}; -diff --git a/tests/outputs/GOST-ONLY-PAM-gnutls.txt b/tests/outputs/GOST-ONLY-PAM-gnutls.txt -new file mode 100644 -index 0000000..59c9ae0 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-gnutls.txt -@@ -0,0 +1,13 @@ -+[global] -+override-mode = allowlist -+ -+[overrides] -+tls-enabled-mac = AEAD -+enabled-version = TLS1.3 -+enabled-version = TLS1.2 -+enabled-version = TLS1.1 -+enabled-version = TLS1.0 -+min-verification-profile = medium -+ -+[priorities] -+SYSTEM=NONE -diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt -new file mode 100644 -index 0000000..a306242 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-java.txt -@@ -0,0 +1,4 @@ -+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5 -+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, 
SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, SSLv3, SSLv2, DTLSv1.0, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5 -+jdk.disabled.namedCurves=x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 -+jdk.tls.legacyAlgorithms= -diff --git a/tests/outputs/GOST-ONLY-PAM-javasystem.txt b/tests/outputs/GOST-ONLY-PAM-javasystem.txt -new file mode 100644 -index 0000000..408e8dd ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-javasystem.txt -@@ -0,0 +1,2 @@ 
-+jdk.tls.ephemeralDHKeySize=2048 -+jdk.tls.namedGroups= -diff --git a/tests/outputs/GOST-ONLY-PAM-krb5.txt b/tests/outputs/GOST-ONLY-PAM-krb5.txt -new file mode 100644 -index 0000000..b0b1480 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-krb5.txt -@@ -0,0 +1,2 @@ -+[libdefaults] -+permitted_enctypes = -diff --git a/tests/outputs/GOST-ONLY-PAM-libreswan.txt b/tests/outputs/GOST-ONLY-PAM-libreswan.txt -new file mode 100644 -index 0000000..7dc12cd ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-libreswan.txt -@@ -0,0 +1,2 @@ -+conn %default -+ pfs=yes -diff --git a/tests/outputs/GOST-ONLY-PAM-libssh.txt b/tests/outputs/GOST-ONLY-PAM-libssh.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/GOST-ONLY-PAM-nss.txt b/tests/outputs/GOST-ONLY-PAM-nss.txt -new file mode 100644 -index 0000000..bf6f1ca ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-nss.txt -@@ -0,0 +1,6 @@ -+library= -+name=Policy -+NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ -diff --git a/tests/outputs/GOST-ONLY-PAM-openssh.txt b/tests/outputs/GOST-ONLY-PAM-openssh.txt -new file mode 100644 -index 0000000..89e06ad ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-openssh.txt -@@ -0,0 +1,2 @@ -+GSSAPIKeyExchange no -+RequiredRSASize 2048 -diff --git a/tests/outputs/GOST-ONLY-PAM-opensshserver.txt b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt -new file mode 100644 -index 0000000..89e06ad ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt -@@ -0,0 +1,2 @@ -+GSSAPIKeyExchange no -+RequiredRSASize 2048 -diff --git a/tests/outputs/GOST-ONLY-PAM-openssl.txt b/tests/outputs/GOST-ONLY-PAM-openssl.txt -new file mode 100644 -index 0000000..abeab8c ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-openssl.txt -@@ -0,0 +1 @@ 
-+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -diff --git a/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt -new file mode 100644 -index 0000000..c69d6e1 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt -@@ -0,0 +1,4 @@ -+ -+[fips_sect] -+tls1-prf-ems-check = 1 -+activate = 1 -diff --git a/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt -new file mode 100644 -index 0000000..c5c1f47 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt -@@ -0,0 +1,18 @@ -+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -+Ciphersuites = GOST2012-GOST8912-GOST8912 -+TLS.MinProtocol = TLSv1 -+TLS.MaxProtocol = TLSv1.3 -+SignatureAlgorithms = -+Groups = -+ -+[openssl_init] -+engines = engine_gost -+ -+[engine_gost] -+gost = gost_section -+ -+[gost_section] -+engine_id = gost -+dynamic_path = /usr/lib64/engines-3/gost.so -+default_algorithms = ALL -+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet -diff --git a/tests/outputs/GOST-ONLY-auth.txt b/tests/outputs/GOST-ONLY-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt -new file mode 100644 -index 0000000..e701c5c ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-bind.txt -@@ -0,0 +1,18 @@ -+disable-algorithms "." { -+RSAMD5; -+RSASHA1; -+NSEC3RSASHA1; -+DSA; -+NSEC3DSA; -+RSASHA256; -+ECDSAP256SHA256; -+ECDSAP384SHA384; -+RSASHA512; -+ED25519; -+ED448; -+}; -+disable-ds-digests "." 
{ -+SHA-256; -+SHA-384; -+SHA-1; -+}; -diff --git a/tests/outputs/GOST-ONLY-gnutls.txt b/tests/outputs/GOST-ONLY-gnutls.txt -new file mode 100644 -index 0000000..59c9ae0 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-gnutls.txt -@@ -0,0 +1,13 @@ -+[global] -+override-mode = allowlist -+ -+[overrides] -+tls-enabled-mac = AEAD -+enabled-version = TLS1.3 -+enabled-version = TLS1.2 -+enabled-version = TLS1.1 -+enabled-version = TLS1.0 -+min-verification-profile = medium -+ -+[priorities] -+SYSTEM=NONE -diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt -new file mode 100644 -index 0000000..a306242 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-java.txt -@@ -0,0 +1,4 @@ -+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5 -+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, SSLv3, SSLv2, DTLSv1.0, RSAPSK, ECDHE, 
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5 -+jdk.disabled.namedCurves=x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 -+jdk.tls.legacyAlgorithms= -diff --git a/tests/outputs/GOST-ONLY-javasystem.txt b/tests/outputs/GOST-ONLY-javasystem.txt -new file mode 100644 -index 0000000..408e8dd ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-javasystem.txt -@@ -0,0 +1,2 @@ -+jdk.tls.ephemeralDHKeySize=2048 -+jdk.tls.namedGroups= -diff --git a/tests/outputs/GOST-ONLY-krb5.txt b/tests/outputs/GOST-ONLY-krb5.txt -new file mode 100644 -index 0000000..b0b1480 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-krb5.txt -@@ -0,0 +1,2 @@ -+[libdefaults] -+permitted_enctypes = -diff --git a/tests/outputs/GOST-ONLY-libreswan.txt b/tests/outputs/GOST-ONLY-libreswan.txt -new file mode 100644 -index 0000000..7dc12cd ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-libreswan.txt -@@ -0,0 +1,2 @@ -+conn %default 
-+ pfs=yes -diff --git a/tests/outputs/GOST-ONLY-libssh.txt b/tests/outputs/GOST-ONLY-libssh.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/GOST-ONLY-nss.txt b/tests/outputs/GOST-ONLY-nss.txt -new file mode 100644 -index 0000000..bf6f1ca ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-nss.txt -@@ -0,0 +1,6 @@ -+library= -+name=Policy -+NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ -diff --git a/tests/outputs/GOST-ONLY-openssh.txt b/tests/outputs/GOST-ONLY-openssh.txt -new file mode 100644 -index 0000000..89e06ad ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-openssh.txt -@@ -0,0 +1,2 @@ -+GSSAPIKeyExchange no -+RequiredRSASize 2048 -diff --git a/tests/outputs/GOST-ONLY-opensshserver.txt b/tests/outputs/GOST-ONLY-opensshserver.txt -new file mode 100644 -index 0000000..89e06ad ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-opensshserver.txt -@@ -0,0 +1,2 @@ -+GSSAPIKeyExchange no -+RequiredRSASize 2048 -diff --git a/tests/outputs/GOST-ONLY-openssl.txt b/tests/outputs/GOST-ONLY-openssl.txt -new file mode 100644 -index 0000000..abeab8c ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-openssl.txt -@@ -0,0 +1 @@ -+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -diff --git a/tests/outputs/GOST-ONLY-openssl_fips.txt b/tests/outputs/GOST-ONLY-openssl_fips.txt -new file mode 100644 -index 0000000..c69d6e1 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-openssl_fips.txt -@@ -0,0 +1,4 @@ -+ -+[fips_sect] -+tls1-prf-ems-check = 1 -+activate = 1 -diff --git a/tests/outputs/GOST-ONLY-opensslcnf.txt b/tests/outputs/GOST-ONLY-opensslcnf.txt -new file mode 100644 -index 0000000..c5c1f47 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-opensslcnf.txt -@@ -0,0 +1,18 @@ -+CipherString = 
@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -+Ciphersuites = GOST2012-GOST8912-GOST8912 -+TLS.MinProtocol = TLSv1 -+TLS.MaxProtocol = TLSv1.3 -+SignatureAlgorithms = -+Groups = -+ -+[openssl_init] -+engines = engine_gost -+ -+[engine_gost] -+gost = gost_section -+ -+[gost_section] -+engine_id = gost -+dynamic_path = /usr/lib64/engines-3/gost.so -+default_algorithms = ALL -+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet -diff --git a/tests/outputs/GOST-ONLY-rpm-sequoia.txt b/tests/outputs/GOST-ONLY-rpm-sequoia.txt -new file mode 100644 -index 0000000..3ec0b96 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-rpm-sequoia.txt -@@ -0,0 +1,51 @@ -+[hash_algorithms] -+md5.collision_resistance = "never" -+md5.second_preimage_resistance = "never" -+sha1.collision_resistance = "never" -+sha1.second_preimage_resistance = "never" -+ripemd160.collision_resistance = "never" -+ripemd160.second_preimage_resistance = "never" -+sha224.collision_resistance = "never" -+sha224.second_preimage_resistance = "never" -+sha256.collision_resistance = "never" -+sha256.second_preimage_resistance = "never" -+sha384.collision_resistance = "never" -+sha384.second_preimage_resistance = "never" -+sha512.collision_resistance = "never" -+sha512.second_preimage_resistance = "never" -+default_disposition = "never" -+ -+[symmetric_algorithms] -+idea = "never" -+tripledes = "never" -+cast5 = "never" -+blowfish = "never" -+aes128 = "never" -+aes192 = "never" -+aes256 = "never" -+twofish = "never" -+camellia128 = "never" -+camellia192 = "never" -+camellia256 = "never" -+default_disposition = "never" -+ -+[asymmetric_algorithms] -+rsa1024 = "never" -+rsa2048 = "never" -+rsa3072 = "never" -+rsa4096 = "never" -+dsa1024 = "never" -+dsa2048 = "never" -+dsa3072 = "never" -+dsa4096 = "never" -+nistp256 = "never" -+nistp384 = "never" -+nistp521 = 
"never" -+cv25519 = "never" -+elgamal1024 = "never" -+elgamal2048 = "never" -+elgamal3072 = "never" -+elgamal4096 = "never" -+brainpoolp256 = "never" -+brainpoolp512 = "never" -+default_disposition = "never" -diff --git a/tests/outputs/GOST-ONLY-sequoia.txt b/tests/outputs/GOST-ONLY-sequoia.txt -new file mode 100644 -index 0000000..3ec0b96 ---- /dev/null -+++ b/tests/outputs/GOST-ONLY-sequoia.txt -@@ -0,0 +1,51 @@ -+[hash_algorithms] -+md5.collision_resistance = "never" -+md5.second_preimage_resistance = "never" -+sha1.collision_resistance = "never" -+sha1.second_preimage_resistance = "never" -+ripemd160.collision_resistance = "never" -+ripemd160.second_preimage_resistance = "never" -+sha224.collision_resistance = "never" -+sha224.second_preimage_resistance = "never" -+sha256.collision_resistance = "never" -+sha256.second_preimage_resistance = "never" -+sha384.collision_resistance = "never" -+sha384.second_preimage_resistance = "never" -+sha512.collision_resistance = "never" -+sha512.second_preimage_resistance = "never" -+default_disposition = "never" -+ -+[symmetric_algorithms] -+idea = "never" -+tripledes = "never" -+cast5 = "never" -+blowfish = "never" -+aes128 = "never" -+aes192 = "never" -+aes256 = "never" -+twofish = "never" -+camellia128 = "never" -+camellia192 = "never" -+camellia256 = "never" -+default_disposition = "never" -+ -+[asymmetric_algorithms] -+rsa1024 = "never" -+rsa2048 = "never" -+rsa3072 = "never" -+rsa4096 = "never" -+dsa1024 = "never" -+dsa2048 = "never" -+dsa3072 = "never" -+dsa4096 = "never" -+nistp256 = "never" -+nistp384 = "never" -+nistp521 = "never" -+cv25519 = "never" -+elgamal1024 = "never" -+elgamal2048 = "never" -+elgamal3072 = "never" -+elgamal4096 = "never" -+brainpoolp256 = "never" -+brainpoolp512 = "never" -+default_disposition = "never" -diff --git a/tests/outputs/LEGACY-auth.txt b/tests/outputs/LEGACY-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt 
b/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt -new file mode 100644 -index 0000000..e69de29 --- -2.39.3 - diff --git a/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch b/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch deleted file mode 100644 index c4b7b79..0000000 --- a/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch +++ /dev/null 
@@ -1,3229 +0,0 @@ -From 856e52f120f6e4fa0a6ef2f134970cfe59cce6b2 Mon Sep 17 00:00:00 2001 -From: tigro -Date: Mon, 13 May 2024 17:06:55 +0300 -Subject: [PATCH] Added GOST policy also added experimental PAM generator - ---- - Makefile | 13 ++ - authselect_policies/minimal_gost/README | 84 ++++++++ - authselect_policies/minimal_gost/REQUIREMENTS | 0 - authselect_policies/minimal_gost/dconf-db | 3 + - authselect_policies/minimal_gost/dconf-locks | 2 + - .../minimal_gost/fingerprint-auth | 16 ++ - .../minimal_gost/nsswitch.conf | 14 ++ - .../minimal_gost/password-auth | 15 ++ - authselect_policies/minimal_gost/postlogin | 4 + - .../minimal_gost/smartcard-auth | 16 ++ - authselect_policies/minimal_gost/system-auth | 15 ++ - authselect_policies/sssd_gost/README | 145 +++++++++++++ - authselect_policies/sssd_gost/REQUIREMENTS | 29 +++ - authselect_policies/sssd_gost/dconf-db | 9 + - authselect_policies/sssd_gost/dconf-locks | 4 + - .../sssd_gost/fingerprint-auth | 28 +++ - authselect_policies/sssd_gost/nsswitch.conf | 7 + - authselect_policies/sssd_gost/password-auth | 39 ++++ - authselect_policies/sssd_gost/postlogin | 4 + - authselect_policies/sssd_gost/smartcard-auth | 26 +++ - authselect_policies/sssd_gost/system-auth | 46 ++++ - policies/GOST-ONLY-PAM.pol | 29 +++ - policies/GOST-ONLY.pol | 28 +++ - policies/modules/GOST.pmod | 18 ++ - policies/modules/PAM-GOST.pmod | 3 + - policies/modules/PATCH-PAM-GOST.pmod | 3 + - policies/modules/SSSD-PAM-GOST.pmod | 3 + - python/build-crypto-policies.py | 8 +- - python/cryptopolicies/alg_lists.py | 19 +- - python/cryptopolicies/cryptopolicies.py | 7 +- - python/policygenerators/__init__.py | 2 + - python/policygenerators/auth.py | 36 ++++ - .../fedora-crypto-policies.code-workspace | 0 - python/policygenerators/openssl.py | 23 ++ - scripts/auth_apply.sh | 204 ++++++++++++++++++ - tests/alternative-policies/GOST-ONLY.pol | 30 +++ - tests/alternative-policies/modules/GOST.pmod | 18 ++ - tests/gnutls.pl | 2 +- - tests/java.pl | 2 
+- - tests/nss.py | 2 +- - tests/openssl.pl | 2 +- - tests/outputs/DEFAULT-auth.txt | 0 - tests/outputs/DEFAULT:GOST-auth.txt | 0 - tests/outputs/DEFAULT:GOST-bind.txt | 10 + - tests/outputs/DEFAULT:GOST-gnutls.txt | 105 +++++++++ - tests/outputs/DEFAULT:GOST-java.txt | 3 + - tests/outputs/DEFAULT:GOST-javasystem.txt | 1 + - tests/outputs/DEFAULT:GOST-krb5.txt | 2 + - tests/outputs/DEFAULT:GOST-libreswan.txt | 6 + - tests/outputs/DEFAULT:GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:GOST-nss.txt | 6 + - tests/outputs/DEFAULT:GOST-openssh.txt | 7 + - tests/outputs/DEFAULT:GOST-opensshserver.txt | 8 + - tests/outputs/DEFAULT:GOST-openssl.txt | 1 + - tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 + - tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 ++ - tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 +++++ - tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++++ - tests/outputs/DEFAULT:PAM-GOST-auth.txt | 2 + - tests/outputs/DEFAULT:PAM-GOST-bind.txt | 12 ++ - tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 +++++++++ - tests/outputs/DEFAULT:PAM-GOST-java.txt | 3 + - tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 1 + - tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 + - tests/outputs/DEFAULT:PAM-GOST-libreswan.txt | 6 + - tests/outputs/DEFAULT:PAM-GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:PAM-GOST-nss.txt | 6 + - tests/outputs/DEFAULT:PAM-GOST-openssh.txt | 7 + - .../DEFAULT:PAM-GOST-opensshserver.txt | 8 + - tests/outputs/DEFAULT:PAM-GOST-openssl.txt | 1 + - .../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 + - tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 8 + - tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt | 1 + - tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 12 ++ - .../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 105 +++++++++ - tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 3 + - .../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 1 + - tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 + - .../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 6 + - 
.../outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 6 + - .../DEFAULT:PATCH-PAM-GOST-openssh.txt | 7 + - .../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 8 + - .../DEFAULT:PATCH-PAM-GOST-openssl.txt | 1 + - .../DEFAULT:PATCH-PAM-GOST-openssl_fips.txt | 4 + - .../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 8 + - tests/outputs/DEFAULT:SHA1-auth.txt | 0 - tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt | 4 + - tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 12 ++ - .../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 105 +++++++++ - tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 3 + - .../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 1 + - tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 + - .../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 6 + - .../outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 6 + - .../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 7 + - .../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 8 + - .../outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt | 1 + - .../DEFAULT:SSSD-PAM-GOST-openssl_fips.txt | 4 + - .../DEFAULT:SSSD-PAM-GOST-opensslcnf.txt | 8 + - tests/outputs/EMPTY-auth.txt | 0 - tests/outputs/FIPS-auth.txt | 0 - tests/outputs/FIPS:ECDHE-ONLY-auth.txt | 0 - tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt | 0 - tests/outputs/FIPS:OSPP-auth.txt | 0 - tests/outputs/FUTURE-auth.txt | 0 - tests/outputs/FUTURE:AD-SUPPORT-auth.txt | 0 - tests/outputs/GOST-ONLY-PAM-auth.txt | 2 + - tests/outputs/GOST-ONLY-PAM-bind.txt | 20 ++ - tests/outputs/GOST-ONLY-PAM-gnutls.txt | 13 ++ - tests/outputs/GOST-ONLY-PAM-java.txt | 3 + - tests/outputs/GOST-ONLY-PAM-javasystem.txt | 1 + - tests/outputs/GOST-ONLY-PAM-krb5.txt | 2 + - tests/outputs/GOST-ONLY-PAM-libreswan.txt | 2 + - tests/outputs/GOST-ONLY-PAM-libssh.txt | 0 - tests/outputs/GOST-ONLY-PAM-nss.txt | 6 + - tests/outputs/GOST-ONLY-PAM-openssh.txt | 2 + - tests/outputs/GOST-ONLY-PAM-opensshserver.txt | 2 + - tests/outputs/GOST-ONLY-PAM-openssl.txt | 1 + - 
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt | 4 + - tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 ++ - tests/outputs/GOST-ONLY-auth.txt | 0 - tests/outputs/GOST-ONLY-bind.txt | 20 ++ - tests/outputs/GOST-ONLY-gnutls.txt | 13 ++ - tests/outputs/GOST-ONLY-java.txt | 3 + - tests/outputs/GOST-ONLY-javasystem.txt | 1 + - tests/outputs/GOST-ONLY-krb5.txt | 2 + - tests/outputs/GOST-ONLY-libreswan.txt | 2 + - tests/outputs/GOST-ONLY-libssh.txt | 0 - tests/outputs/GOST-ONLY-nss.txt | 6 + - tests/outputs/GOST-ONLY-openssh.txt | 2 + - tests/outputs/GOST-ONLY-opensshserver.txt | 2 + - tests/outputs/GOST-ONLY-openssl.txt | 1 + - tests/outputs/GOST-ONLY-openssl_fips.txt | 4 + - tests/outputs/GOST-ONLY-opensslcnf.txt | 18 ++ - tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 +++++ - tests/outputs/GOST-ONLY-sequoia.txt | 51 +++++ - tests/outputs/LEGACY-auth.txt | 0 - .../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0 - 140 files changed, 1991 insertions(+), 10 deletions(-) - create mode 100644 authselect_policies/minimal_gost/README - create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS - create mode 100644 authselect_policies/minimal_gost/dconf-db - create mode 100644 authselect_policies/minimal_gost/dconf-locks - create mode 100644 authselect_policies/minimal_gost/fingerprint-auth - create mode 100644 authselect_policies/minimal_gost/nsswitch.conf - create mode 100644 authselect_policies/minimal_gost/password-auth - create mode 100644 authselect_policies/minimal_gost/postlogin - create mode 100644 authselect_policies/minimal_gost/smartcard-auth - create mode 100644 authselect_policies/minimal_gost/system-auth - create mode 100644 authselect_policies/sssd_gost/README - create mode 100644 authselect_policies/sssd_gost/REQUIREMENTS - create mode 100644 authselect_policies/sssd_gost/dconf-db - create mode 100644 authselect_policies/sssd_gost/dconf-locks - create mode 100644 authselect_policies/sssd_gost/fingerprint-auth - create mode 100644 
authselect_policies/sssd_gost/nsswitch.conf - create mode 100644 authselect_policies/sssd_gost/password-auth - create mode 100644 authselect_policies/sssd_gost/postlogin - create mode 100644 authselect_policies/sssd_gost/smartcard-auth - create mode 100644 authselect_policies/sssd_gost/system-auth - create mode 100644 policies/GOST-ONLY-PAM.pol - create mode 100644 policies/GOST-ONLY.pol - create mode 100644 policies/modules/GOST.pmod - create mode 100644 policies/modules/PAM-GOST.pmod - create mode 100644 policies/modules/PATCH-PAM-GOST.pmod - create mode 100644 policies/modules/SSSD-PAM-GOST.pmod - create mode 100644 python/policygenerators/auth.py - create mode 100644 python/policygenerators/fedora-crypto-policies.code-workspace - create mode 100755 scripts/auth_apply.sh - create mode 100644 tests/alternative-policies/GOST-ONLY.pol - create mode 100644 tests/alternative-policies/modules/GOST.pmod - create mode 100644 tests/outputs/DEFAULT-auth.txt - create mode 100644 tests/outputs/DEFAULT:GOST-auth.txt - create mode 100644 tests/outputs/DEFAULT:GOST-bind.txt - create mode 100644 tests/outputs/DEFAULT:GOST-gnutls.txt - create mode 100644 tests/outputs/DEFAULT:GOST-java.txt - create mode 100644 tests/outputs/DEFAULT:GOST-javasystem.txt - create mode 100644 tests/outputs/DEFAULT:GOST-krb5.txt - create mode 100644 tests/outputs/DEFAULT:GOST-libreswan.txt - create mode 100644 tests/outputs/DEFAULT:GOST-libssh.txt - create mode 100644 tests/outputs/DEFAULT:GOST-nss.txt - create mode 100644 tests/outputs/DEFAULT:GOST-openssh.txt - create mode 100644 tests/outputs/DEFAULT:GOST-opensshserver.txt - create mode 100644 tests/outputs/DEFAULT:GOST-openssl.txt - create mode 100644 tests/outputs/DEFAULT:GOST-openssl_fips.txt - create mode 100644 tests/outputs/DEFAULT:GOST-opensslcnf.txt - create mode 100644 tests/outputs/DEFAULT:GOST-rpm-sequoia.txt - create mode 100644 tests/outputs/DEFAULT:GOST-sequoia.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-auth.txt - create 
mode 100644 tests/outputs/DEFAULT:PAM-GOST-bind.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-gnutls.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-java.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-javasystem.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-krb5.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libreswan.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libssh.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-nss.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssh.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt - create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt - create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt - create mode 100644 tests/outputs/DEFAULT:SHA1-auth.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt - create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt - 
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
- create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
- create mode 100644 tests/outputs/EMPTY-auth.txt
- create mode 100644 tests/outputs/FIPS-auth.txt
- create mode 100644 tests/outputs/FIPS:ECDHE-ONLY-auth.txt
- create mode 100644 tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt
- create mode 100644 tests/outputs/FIPS:OSPP-auth.txt
- create mode 100644 tests/outputs/FUTURE-auth.txt
- create mode 100644 tests/outputs/FUTURE:AD-SUPPORT-auth.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-auth.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-bind.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-gnutls.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-java.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-javasystem.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-krb5.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-libreswan.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-libssh.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-nss.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-openssh.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-opensshserver.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl.txt
- create mode 100644 
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
- create mode 100644 tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
- create mode 100644 tests/outputs/GOST-ONLY-auth.txt
- create mode 100644 tests/outputs/GOST-ONLY-bind.txt
- create mode 100644 tests/outputs/GOST-ONLY-gnutls.txt
- create mode 100644 tests/outputs/GOST-ONLY-java.txt
- create mode 100644 tests/outputs/GOST-ONLY-javasystem.txt
- create mode 100644 tests/outputs/GOST-ONLY-krb5.txt
- create mode 100644 tests/outputs/GOST-ONLY-libreswan.txt
- create mode 100644 tests/outputs/GOST-ONLY-libssh.txt
- create mode 100644 tests/outputs/GOST-ONLY-nss.txt
- create mode 100644 tests/outputs/GOST-ONLY-openssh.txt
- create mode 100644 tests/outputs/GOST-ONLY-opensshserver.txt
- create mode 100644 tests/outputs/GOST-ONLY-openssl.txt
- create mode 100644 tests/outputs/GOST-ONLY-openssl_fips.txt
- create mode 100644 tests/outputs/GOST-ONLY-opensslcnf.txt
- create mode 100644 tests/outputs/GOST-ONLY-rpm-sequoia.txt
- create mode 100644 tests/outputs/GOST-ONLY-sequoia.txt
- create mode 100644 tests/outputs/LEGACY-auth.txt
- create mode 100644 tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt
-
-diff --git a/Makefile b/Makefile
-index 5fb2a61..2abbb9c 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,8 +1,10 @@
- VERSION=$(shell git log -1|grep commit|cut -f 2 -d ' '|head -c 7)
- DIR?=/usr/share/crypto-policies
-+DIRSCR?=/usr/share/crypto-policies-scripts
- BINDIR?=/usr/bin
- MANDIR?=/usr/share/man
- CONFDIR?=/etc/crypto-policies
-+AUTHSELECTDIR?=/etc/authselect/custom
- DESTDIR?=
- MAN7PAGES=crypto-policies.7
- MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
-@@ -27,10 +29,14 @@ install: $(MANPAGES)
- mkdir -p $(DESTDIR)$(MANDIR)/man7
- mkdir -p $(DESTDIR)$(MANDIR)/man8
- mkdir -p $(DESTDIR)$(BINDIR)
-+ mkdir -p $(DESTDIR)$(AUTHSELECTDIR)
-+
- install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
- install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
- install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) 
- mkdir -p $(DESTDIR)$(DIR)/
-+ mkdir -p $(DESTDIR)$(DIRSCR)/
-+ install -p -m 755 scripts/auth_apply.sh $(DESTDIR)$(DIRSCR)
- install -p -m 644 default-config $(DESTDIR)$(DIR)
- install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
- for f in $$(find output -name '*.txt') ; do d=$$(dirname $$f | cut -f 2- -d '/') ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done
-@@ -38,6 +44,7 @@ install: $(MANPAGES)
- for f in $$(find python -name '*.py') ; do d=$$(dirname $$f) ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done
- chmod 755 $(DESTDIR)$(DIR)/python/update-crypto-policies.py
- chmod 755 $(DESTDIR)$(DIR)/python/build-crypto-policies.py
-+ for f in $$(find authselect_policies -name '*' -type f,l) ; do d=$$(basename $$(dirname $$f)) ; install -p -m 644 -D -t $(DESTDIR)$(AUTHSELECTDIR)/$$d $$f ; done
-
- runflake8:
- @find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8
-@@ -58,6 +65,11 @@ check:
- python/build-crypto-policies.py --strict --policy FIPS:NO-ENFORCE-EMS --test --flat policies tests/outputs
- python/build-crypto-policies.py --strict --policy FUTURE:AD-SUPPORT --test --flat policies tests/outputs
- python/build-crypto-policies.py --strict --policy LEGACY:AD-SUPPORT-LEGACY --test --flat policies tests/outputs
-+ python/build-crypto-policies.py --strict --policy DEFAULT:GOST --test --flat policies tests/outputs
-+ python/build-crypto-policies.py --strict --policy GOST-ONLY --test --flat policies tests/outputs
-+ python/build-crypto-policies.py --strict --policy DEFAULT:PAM-GOST --test --flat policies tests/outputs
-+ python/build-crypto-policies.py --strict --policy DEFAULT:PATCH-PAM-GOST --test --flat policies tests/outputs
-+ python/build-crypto-policies.py --strict --policy DEFAULT:SSSD-PAM-GOST --test --flat policies tests/outputs
- tests/openssl.pl
- tests/gnutls.pl
- tests/nss.py
-@@ -113,6 +125,7 @@ diff-outputs:
- python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies output/current || true
- 
python/build-crypto-policies.py --policy FIPS:NO-ENFORCE-EMS --test --flat policies output/current || true
- python/build-crypto-policies.py --policy LEGACY:AD-SUPPORT --test --flat policies output/current || true
-+ python/build-crypto-policies.py --policy DEFAULT:GOST --test --flat policies output/current || true
- $(DIFFTOOL) tests/outputs output/current
-
- clean:
-diff --git a/authselect_policies/minimal_gost/README b/authselect_policies/minimal_gost/README
-new file mode 100644
-index 0000000..9839669
---- /dev/null
-+++ b/authselect_policies/minimal_gost/README
-@@ -0,0 +1,84 @@
-+Local users only for minimal installations and gost support
-+===========================================================
-+
-+Selecting this profile will enable local files as the source of identity
-+and authentication providers.
-+
-+This profile can be used on systems that require minimal installation to
-+save disk and memory space. It serves only local users and groups directly
-+from system files instead of going through other authentication providers.
-+Therefore SSSD, winbind and fprintd packages can be safely removed.
-+
-+AVAILABLE OPTIONAL FEATURES
-+---------------------------
-+
-+without-nullok::
-+ Do not add nullok parameter to pam_unix.
-+
-+with-gost::
-+ Use GOST hash for shadow password instead of sha512
-+
-+with-silent-lastlog::
-+ Do not produce pam_lastlog message during login.
-+
-+DISABLE SPECIFIC NSSWITCH DATABASES
-+-----------------------------------
-+
-+Normally, nsswitch databases set by the profile overwrites values set in
-+user-nsswitch.conf. The following options can force authselect to
-+ignore value set by the profile and use the one set in user-nsswitch.conf
-+instead.
-+
-+with-custom-aliases::
-+Ignore "aliases" map set by the profile.
-+
-+with-custom-automount::
-+Ignore "automount" map set by the profile.
-+
-+with-custom-ethers::
-+Ignore "ethers" map set by the profile.
-+
-+with-custom-group::
-+Ignore "group" map set by the profile. 
-+
-+with-custom-hosts::
-+Ignore "hosts" map set by the profile.
-+
-+with-custom-initgroups::
-+Ignore "initgroups" map set by the profile.
-+
-+with-custom-netgroup::
-+Ignore "netgroup" map set by the profile.
-+
-+with-custom-networks::
-+Ignore "networks" map set by the profile.
-+
-+with-custom-passwd::
-+Ignore "passwd" map set by the profile.
-+
-+with-custom-protocols::
-+Ignore "protocols" map set by the profile.
-+
-+with-custom-publickey::
-+Ignore "publickey" map set by the profile.
-+
-+with-custom-rpc::
-+Ignore "rpc" map set by the profile.
-+
-+with-custom-services::
-+Ignore "services" map set by the profile.
-+
-+with-custom-shadow::
-+Ignore "shadow" map set by the profile.
-+
-+EXAMPLES
-+--------
-+
-+* Enable minimal profile
-+
-+ authselect select minimal
-+
-+SEE ALSO
-+--------
-+* man passwd(5)
-+* man group(5)
-diff --git a/authselect_policies/minimal_gost/REQUIREMENTS b/authselect_policies/minimal_gost/REQUIREMENTS
-new file mode 100644
-index 0000000..e69de29
-diff --git a/authselect_policies/minimal_gost/dconf-db b/authselect_policies/minimal_gost/dconf-db
-new file mode 100644
-index 0000000..a3868b7
---- /dev/null
-+++ b/authselect_policies/minimal_gost/dconf-db
-@@ -0,0 +1,3 @@
-+[org/gnome/login-screen]
-+enable-smartcard-authentication=false
-+enable-fingerprint-authentication=false
-diff --git a/authselect_policies/minimal_gost/dconf-locks b/authselect_policies/minimal_gost/dconf-locks
-new file mode 100644
-index 0000000..8a36fa9
---- /dev/null
-+++ b/authselect_policies/minimal_gost/dconf-locks
-@@ -0,0 +1,2 @@
-+/org/gnome/login-screen/enable-smartcard-authentication
-+/org/gnome/login-screen/enable-fingerprint-authentication
-diff --git a/authselect_policies/minimal_gost/fingerprint-auth b/authselect_policies/minimal_gost/fingerprint-auth
-new file mode 100644
-index 0000000..ca152fb
---- /dev/null
-+++ b/authselect_policies/minimal_gost/fingerprint-auth
-@@ -0,0 +1,16 @@
-+auth required pam_env.so
-+auth sufficient 
pam_fprintd.so
-+auth required pam_deny.so
-+
-+account required pam_unix.so
-+account sufficient pam_localuser.so
-+account sufficient pam_succeed_if.so uid < 500 quiet
-+account required pam_permit.so
-+
-+password required pam_deny.so
-+
-+session optional pam_keyinit.so revoke
-+session required pam_limits.so
-+-session optional pam_systemd.so
-+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-+session required pam_unix.so
-diff --git a/authselect_policies/minimal_gost/nsswitch.conf b/authselect_policies/minimal_gost/nsswitch.conf
-new file mode 100644
-index 0000000..f1f5941
---- /dev/null
-+++ b/authselect_policies/minimal_gost/nsswitch.conf
-@@ -0,0 +1,14 @@
-+passwd: sss files systemd {exclude if "with-custom-passwd"}
-+shadow: files {exclude if "with-custom-shadow"}
-+group: sss files systemd {exclude if "with-custom-group"}
-+hosts: files dns myhostname {exclude if "with-custom-hosts"}
-+services: files sss {exclude if "with-custom-services"}
-+netgroup: sss {exclude if "with-custom-netgroup"}
-+automount: files sss {exclude if "with-custom-automount"}
-+aliases: files {exclude if "with-custom-aliases"}
-+ethers: files {exclude if "with-custom-ethers"}
-+gshadow: files
-+networks: files dns {exclude if "with-custom-networks"}
-+protocols: files {exclude if "with-custom-protocols"}
-+publickey: files {exclude if "with-custom-publickey"}
-+rpc: files {exclude if "with-custom-rpc"}
-diff --git a/authselect_policies/minimal_gost/password-auth b/authselect_policies/minimal_gost/password-auth
-new file mode 100644
-index 0000000..5da3730
---- /dev/null
-+++ b/authselect_policies/minimal_gost/password-auth
-@@ -0,0 +1,15 @@
-+auth required pam_env.so
-+auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok}
-+auth required pam_deny.so
-+
-+account required pam_unix.so
-+
-+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
-+password sufficient pam_unix.so 
try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow
-+password required pam_deny.so
-+
-+session optional pam_keyinit.so revoke
-+session required pam_limits.so
-+-session optional pam_systemd.so
-+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-+session required pam_unix.so
-diff --git a/authselect_policies/minimal_gost/postlogin b/authselect_policies/minimal_gost/postlogin
-new file mode 100644
-index 0000000..8d9bfd0
---- /dev/null
-+++ b/authselect_policies/minimal_gost/postlogin
-@@ -0,0 +1,4 @@
-+session optional pam_umask.so silent
-+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
-+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
-+session optional pam_lastlog.so silent noupdate showfailed
-diff --git a/authselect_policies/minimal_gost/smartcard-auth b/authselect_policies/minimal_gost/smartcard-auth
-new file mode 100644
-index 0000000..f0843be
---- /dev/null
-+++ b/authselect_policies/minimal_gost/smartcard-auth
-@@ -0,0 +1,16 @@
-+auth required pam_env.so
-+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
-+auth required pam_deny.so
-+
-+account required pam_unix.so
-+account sufficient pam_localuser.so
-+account sufficient pam_succeed_if.so uid < 500 quiet
-+account required pam_permit.so
-+
-+password optional pam_pkcs11.so
-+
-+session optional pam_keyinit.so revoke
-+session required pam_limits.so
-+-session optional pam_systemd.so
-+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-+session required pam_unix.so
-diff --git a/authselect_policies/minimal_gost/system-auth b/authselect_policies/minimal_gost/system-auth
-new file mode 100644
-index 0000000..5da3730
---- /dev/null
-+++ b/authselect_policies/minimal_gost/system-auth
-@@ -0,0 +1,15 @@
-+auth required pam_env.so
-+auth sufficient pam_unix.so try_first_pass {if not 
"without-nullok":nullok} -+auth required pam_deny.so -+ -+account required pam_unix.so -+ -+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= -+password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow -+password required pam_deny.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -diff --git a/authselect_policies/sssd_gost/README b/authselect_policies/sssd_gost/README -new file mode 100644 -index 0000000..02daa76 ---- /dev/null -+++ b/authselect_policies/sssd_gost/README -@@ -0,0 +1,145 @@ -+Enable SSSD with GOST support for system authentication (also for local users only) -+================================================================= -+ -+Selecting this profile will enable SSSD with GOST as the source of identity -+and authentication providers. -+ -+SSSD provides a set of daemons to manage access to remote directories and -+authentication mechanisms such as LDAP, Kerberos, FreeIPA or AD. It provides -+an NSS and PAM interface toward the system and a pluggable backend system -+to connect to multiple different account sources. -+ -+More information about SSSD can be found on its project page: -+https://sssd.io -+ -+However, if you do not want to keep SSSD running on your machine, you can -+keep this profile selected and just disable SSSD service. The resulting -+configuration will still work correctly even with SSSD disabled and local users -+and groups will be read from local files directly. -+ -+SSSD CONFIGURATION -+------------------ -+ -+Authselect does not touch SSSD's configuration. Please, read SSSD's -+documentation to see how to configure it manually. Only local users -+will be available on the system if there is no existing SSSD configuration. 
-+
-+AVAILABLE OPTIONAL FEATURES
-+---------------------------
-+
-+with-faillock::
-+ Enable account locking in case of too many consecutive
-+ authentication failures.
-+
-+with-mkhomedir::
-+ Enable automatic creation of home directories for users on their
-+ first login.
-+
-+with-smartcard::
-+ Enable authentication with smartcards through SSSD. Please note that
-+ smartcard support must be also explicitly enabled within
-+ SSSD's configuration.
-+
-+with-smartcard-lock-on-removal::
-+ Lock screen when a smartcard is removed.
-+
-+with-smartcard-required::
-+ Smartcard authentication is required. No other means of authentication
-+ (including password) will be enabled.
-+
-+with-fingerprint::
-+ Enable authentication with fingerprint reader through *pam_fprintd*.
-+
-+with-pam-gnome-keyring::
-+ Enable pam-gnome-keyring support.
-+
-+with-pam-u2f::
-+ Enable authentication via u2f dongle through *pam_u2f*.
-+
-+with-pam-u2f-2fa::
-+ Enable 2nd factor authentication via u2f dongle through *pam_u2f*.
-+
-+without-pam-u2f-nouserok::
-+ Module argument nouserok is omitted if also with-pam-u2f-2fa is used.
-+ *WARNING*: Omitting nouserok argument means that users without pam-u2f
-+ authentication configured will not be able to log in *INCLUDING* root.
-+ Make sure you are able to log in before losing root privileges.
-+
-+with-silent-lastlog::
-+ Do not produce pam_lastlog message during login.
-+
-+with-sudo::
-+ Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers.
-+
-+with-pamaccess::
-+ Check access.conf during account authorization.
-+
-+with-pwhistory::
-+ Enable pam_pwhistory module for local users.
-+
-+with-files-domain::
-+ If set, SSSD will be contacted before "files" when resolving users and
-+ groups. The order in nsswitch.conf will be set to "sss files" instead of
-+ "files sss" for passwd and group maps.
-+
-+with-files-access-provider::
-+ If set, account management for local users is handled also by pam_sss. 
This
-+ is needed if there is an explicitly configured domain with id_provider=files
-+ and non-empty access_provider setting in sssd.conf.
-+
-+ *WARNING:* SSSD access check will become mandatory for local users and
-+ if SSSD is stopped then local users will not be able to log in. Only
-+ system accounts (as defined by pam_usertype, including root) will be
-+ able to log in.
-+
-+with-gssapi::
-+ If set, pam_sss_gss module is enabled to perform user authentication over
-+ GSSAPI.
-+
-+with-subid::
-+ Enable SSSD as a source of subid database in /etc/nsswitch.conf.
-+
-+without-nullok::
-+ Do not add nullok parameter to pam_unix.
-+
-+with-gost::
-+ Use GOST hash for shadow password instead of sha512
-+
-+DISABLE SPECIFIC NSSWITCH DATABASES
-+-----------------------------------
-+
-+Normally, nsswitch databases set by the profile overwrites values set in
-+user-nsswitch.conf. The following options can force authselect to
-+ignore value set by the profile and use the one set in user-nsswitch.conf
-+instead.
-+
-+with-custom-passwd::
-+Ignore "passwd" database set by the profile.
-+
-+with-custom-group::
-+Ignore "group" database set by the profile.
-+
-+with-custom-netgroup::
-+Ignore "netgroup" database set by the profile.
-+
-+with-custom-automount::
-+Ignore "automount" database set by the profile.
-+
-+with-custom-services::
-+Ignore "services" database set by the profile. 
-+
-+EXAMPLES
-+--------
-+
-+* Enable SSSD with sudo and smartcard support
-+
-+ authselect select sssd with-sudo with-smartcard
-+
-+* Enable SSSD with sudo support and create home directories for users on their
-+ first login
-+
-+ authselect select sssd with-mkhomedir with-sudo
-+
-+SEE ALSO
-+--------
-+* man sssd.conf(5)
-diff --git a/authselect_policies/sssd_gost/REQUIREMENTS b/authselect_policies/sssd_gost/REQUIREMENTS
-new file mode 100644
-index 0000000..396287e
---- /dev/null
-+++ b/authselect_policies/sssd_gost/REQUIREMENTS
-@@ -0,0 +1,29 @@
-+Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
-+ {include if "with-smartcard"}
-+- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf: {include if "with-smartcard"}
-+ - set "pam_cert_auth = True" in [pam] section {include if "with-smartcard"}
-+ {include if "with-fingerprint"}
-+- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"}
-+ {include if "with-pam-gnome-keyring"}
-+- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module {include if "with-pam-gnome-keyring"}
-+ is present. 
{include if "with-pam-gnome-keyring"} -+ {include if "with-pam-u2f"} -+- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"} -+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"} -+ {include if "with-pam-u2f-2fa"} -+- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"} -+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"} -+ {include if "with-mkhomedir"} -+- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"} -+ is present and oddjobd service is enabled and active {include if "with-mkhomedir"} -+ - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} -+ {include if "with-files-domain"} -+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"} -+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"} -+ - or create a custom domain with id_provider=files {include if "with-files-domain"} -+ {include if "with-gssapi"} -+- with-gssapi is selected, make sure that GSSAPI authenticaiton is enabled in SSSD {include if "with-gssapi"} -+ - set pam_gssapi_services to a list of allowed services in /etc/sssd/sssd.conf {include if "with-gssapi"} -+ - see additional information in pam_sss_gss(8) {include if "with-gssapi"} -+ {include if "with-gost"} -+- with-gost is selected, make sure that openssl-gost-engine installed {include if "with-gost"} -diff --git a/authselect_policies/sssd_gost/dconf-db b/authselect_policies/sssd_gost/dconf-db -new file mode 100644 -index 0000000..66c9949 ---- /dev/null -+++ b/authselect_policies/sssd_gost/dconf-db -@@ -0,0 +1,9 @@ -+{imply "with-smartcard" if "with-smartcard-required"} -+{imply "with-smartcard" if "with-smartcard-lock-on-removal"} -+[org/gnome/login-screen] -+enable-smartcard-authentication={if 
"with-smartcard":true|false} -+enable-fingerprint-authentication={if "with-fingerprint":true|false} -+enable-password-authentication={if "with-smartcard-required":false|true} -+ -+[org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"} -+removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"} -diff --git a/authselect_policies/sssd_gost/dconf-locks b/authselect_policies/sssd_gost/dconf-locks -new file mode 100644 -index 0000000..6bf15d0 ---- /dev/null -+++ b/authselect_policies/sssd_gost/dconf-locks -@@ -0,0 +1,4 @@ -+/org/gnome/login-screen/enable-smartcard-authentication -+/org/gnome/login-screen/enable-fingerprint-authentication -+/org/gnome/login-screen/enable-password-authentication -+/org/gnome/settings-daemon/peripherals/smartcard/removal-action {include if "with-smartcard-lock-on-removal"} -diff --git a/authselect_policies/sssd_gost/fingerprint-auth b/authselect_policies/sssd_gost/fingerprint-auth -new file mode 100644 -index 0000000..dc7befe ---- /dev/null -+++ b/authselect_policies/sssd_gost/fingerprint-auth -@@ -0,0 +1,28 @@ -+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"} -+{continue if "with-fingerprint"} -+auth required pam_env.so -+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"} -+auth required pam_faillock.so preauth silent {include if "with-faillock"} -+auth [success=done default=bad] pam_fprintd.so -+auth required pam_faillock.so authfail {include if "with-faillock"} -+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} -+auth required pam_deny.so -+ -+account required pam_access.so {include if "with-pamaccess"} -+account required pam_faillock.so {include if "with-faillock"} -+account required pam_unix.so -+account sufficient pam_localuser.so {exclude if "with-files-access-provider"} -+account sufficient pam_usertype.so issystem -+account [default=bad 
success=ok user_unknown=ignore] pam_sss.so
-+account required pam_permit.so
-+
-+password required pam_deny.so
-+
-+session optional pam_keyinit.so revoke
-+session required pam_limits.so
-+-session optional pam_systemd.so
-+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
-+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-+session required pam_unix.so
-+session optional pam_sss.so
-+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
-diff --git a/authselect_policies/sssd_gost/nsswitch.conf b/authselect_policies/sssd_gost/nsswitch.conf
-new file mode 100644
-index 0000000..f9e4e54
---- /dev/null
-+++ b/authselect_policies/sssd_gost/nsswitch.conf
-@@ -0,0 +1,7 @@
-+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
-+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
-+netgroup: sss files {exclude if "with-custom-netgroup"}
-+automount: sss files {exclude if "with-custom-automount"}
-+services: sss files {exclude if "with-custom-services"}
-+sudoers: files sss {include if "with-sudo"}
-+subid: sss {include if "with-subid"}
-diff --git a/authselect_policies/sssd_gost/password-auth b/authselect_policies/sssd_gost/password-auth
-new file mode 100644
-index 0000000..7832fb7
---- /dev/null
-+++ b/authselect_policies/sssd_gost/password-auth
-@@ -0,0 +1,39 @@
-+auth required pam_env.so
-+auth required pam_faildelay.so delay=2000000
-+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
-+auth required pam_faillock.so preauth silent {include if "with-faillock"}
-+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
-+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
-+auth [default=1 ignore=ignore 
success=ok] pam_localuser.so
-+auth sufficient pam_unix.so {if not "without-nullok":nullok}
-+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
-+auth sufficient pam_sss.so forward_pass
-+auth required pam_faillock.so authfail {include if "with-faillock"}
-+auth optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
-+auth required pam_deny.so
-+
-+account required pam_access.so {include if "with-pamaccess"}
-+account required pam_faillock.so {include if "with-faillock"}
-+account required pam_unix.so
-+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
-+account sufficient pam_usertype.so issystem
-+account [default=bad success=ok user_unknown=ignore] pam_sss.so
-+account required pam_permit.so
-+
-+password requisite pam_pwquality.so local_users_only
-+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
-+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok
-+password [success=1 default=ignore] pam_localuser.so
-+password sufficient pam_sss.so use_authtok
-+password required pam_deny.so
-+
-+session optional pam_keyinit.so revoke
-+session required pam_limits.so
-+-session optional pam_systemd.so
-+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
-+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-+session required pam_unix.so
-+session optional pam_sss.so
-+session optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
-diff --git a/authselect_policies/sssd_gost/postlogin b/authselect_policies/sssd_gost/postlogin
-new file mode 100644
-index 0000000..04a11f0
---- /dev/null
-+++ b/authselect_policies/sssd_gost/postlogin
-@@ -0,0 +1,4 @@
-+session optional pam_umask.so silent
-+session [success=1 default=ignore] pam_succeed_if.so 
service !~ gdm* service !~ su* quiet
-+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
-+session optional pam_lastlog.so silent noupdate showfailed
-diff --git a/authselect_policies/sssd_gost/smartcard-auth b/authselect_policies/sssd_gost/smartcard-auth
-new file mode 100644
-index 0000000..754847f
---- /dev/null
-+++ b/authselect_policies/sssd_gost/smartcard-auth
-@@ -0,0 +1,26 @@
-+{imply "with-smartcard" if "with-smartcard-required"}
-+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-smartcard"}
-+{continue if "with-smartcard"}
-+auth required pam_env.so
-+auth required pam_faillock.so preauth silent {include if "with-faillock"}
-+auth sufficient pam_sss.so allow_missing_name {if "with-smartcard-required":require_cert_auth}
-+auth required pam_faillock.so authfail {include if "with-faillock"}
-+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
-+auth required pam_deny.so
-+
-+account required pam_access.so {include if "with-pamaccess"}
-+account required pam_faillock.so {include if "with-faillock"}
-+account required pam_unix.so
-+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
-+account sufficient pam_usertype.so issystem
-+account [default=bad success=ok user_unknown=ignore] pam_sss.so
-+account required pam_permit.so
-+
-+session optional pam_keyinit.so revoke
-+session required pam_limits.so
-+-session optional pam_systemd.so
-+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
-+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-+session required pam_unix.so
-+session optional pam_sss.so
-+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
-diff --git a/authselect_policies/sssd_gost/system-auth b/authselect_policies/sssd_gost/system-auth
-new file mode 100644
-index 0000000..31d4ee1
---- /dev/null
-+++ 
b/authselect_policies/sssd_gost/system-auth
-@@ -0,0 +1,46 @@
-+{imply "with-smartcard" if "with-smartcard-required"}
-+auth required pam_env.so
-+auth required pam_faildelay.so delay=2000000
-+auth required pam_faillock.so preauth silent {include if "with-faillock"}
-+auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
-+auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
-+auth sufficient pam_fprintd.so {include if "with-fingerprint"}
-+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
-+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
-+auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
-+auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
-+auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
-+auth sufficient pam_unix.so {if not "without-nullok":nullok}
-+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
-+auth sufficient pam_sss_gss.so {include if "with-gssapi"}
-+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
-+auth sufficient pam_sss.so forward_pass
-+auth required pam_faillock.so authfail {include if "with-faillock"}
-+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
-+auth required pam_deny.so
-+
-+account required pam_access.so {include if "with-pamaccess"}
-+account required pam_faillock.so {include if "with-faillock"}
-+account required pam_unix.so
-+account sufficient pam_localuser.so {exclude if "with-files-access-provider"} 
-+account sufficient pam_usertype.so issystem -+account [default=bad success=ok user_unknown=ignore] pam_sss.so -+account required pam_permit.so -+ -+password requisite pam_pwquality.so local_users_only -+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} -+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} -+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok -+password [success=1 default=ignore] pam_localuser.so -+password sufficient pam_sss.so use_authtok -+password required pam_deny.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -+session optional pam_sss.so -+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} -diff --git a/policies/GOST-ONLY-PAM.pol b/policies/GOST-ONLY-PAM.pol -new file mode 100644 -index 0000000..fce3bdb ---- /dev/null -+++ b/policies/GOST-ONLY-PAM.pol -@@ -0,0 +1,29 @@ -+# Next generation GOST algorithms -+ -+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT -+ -+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C -+ -+hash = GOSTR94 STREEBOG-256 STREEBOG-512 -+ -+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512 -+ -+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM -+ -+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB -+ -+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF -+ -+protocol@TLS = TLS1.3 
TLS1.2 TLS1.1 TLS1.0 -+ -+# Parameter sizes -+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL -+min_dh_size = 2048 -+min_dsa_size = 2048 -+min_rsa_size = 2048 -+ -+# GnuTLS only for now -+sha1_in_certs = 0 -+ -+action_do = GOST -+authopt@AUTH = custom/minimal_gost with-gost -diff --git a/policies/GOST-ONLY.pol b/policies/GOST-ONLY.pol -new file mode 100644 -index 0000000..37e478b ---- /dev/null -+++ b/policies/GOST-ONLY.pol -@@ -0,0 +1,28 @@ -+# Next generation GOST algorithms -+ -+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT -+ -+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C -+ -+hash = GOSTR94 STREEBOG-256 STREEBOG-512 -+ -+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512 -+ -+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM -+ -+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB -+ -+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF -+ -+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 -+ -+# Parameter sizes -+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL -+min_dh_size = 2048 -+min_dsa_size = 2048 -+min_rsa_size = 2048 -+ -+# GnuTLS only for now -+sha1_in_certs = 0 -+ -+action_do = GOST -diff --git a/policies/modules/GOST.pmod b/policies/modules/GOST.pmod -new file mode 100644 -index 0000000..b9021ea ---- /dev/null -+++ b/policies/modules/GOST.pmod -@@ -0,0 +1,18 @@ -+# Adds GOST algorithms. 
-+# -+ -+mac = +HMAC-STREEBOG-256 +HMAC-STREEBOG-512 +MAGMA-OMAC +KUZNYECHIK-OMAC +MAGMA-OMAC-ACPKM +KUZNYECHIK-OMAC-ACPKM +GOST28147-TC26Z-IMIT +GOST28147-CPA-IMIT +AEAD -+ -+group = +GOST-GC256A +GOST-GC256B +GOST-GC256C +GOST-GC256D +GOST-GC512A +GOST-GC512B +GOST-GC512C -+ -+hash = +STREEBOG-256 +STREEBOG-512 GOSTR94+ -+ -+sign = +GOSTR341012-256 +GOSTR341012-512 GOSTR341001+ -+ -+cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM -+ -+cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB -+ -+key_exchange = +VKO-GOST-2001 +VKO-GOST-2012 +VKO-GOST-KDF -+ -+action_do = +GOST -diff --git a/policies/modules/PAM-GOST.pmod b/policies/modules/PAM-GOST.pmod -new file mode 100644 -index 0000000..06d92c5 ---- /dev/null -+++ b/policies/modules/PAM-GOST.pmod -@@ -0,0 +1,3 @@ -+#Add shadow gost support -+ -+authopt@AUTH = custom/minimal_gost with-gost -diff --git a/policies/modules/PATCH-PAM-GOST.pmod b/policies/modules/PATCH-PAM-GOST.pmod -new file mode 100644 -index 0000000..a79abd0 ---- /dev/null -+++ b/policies/modules/PATCH-PAM-GOST.pmod -@@ -0,0 +1,3 @@ -+#Add shadow gost support -+ -+authopt@AUTH = patch -diff --git a/policies/modules/SSSD-PAM-GOST.pmod b/policies/modules/SSSD-PAM-GOST.pmod -new file mode 100644 -index 0000000..f28939e ---- /dev/null -+++ b/policies/modules/SSSD-PAM-GOST.pmod -@@ -0,0 +1,3 @@ -+#Add shadow gost support -+ -+authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog -diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py -index c04d518..90a0772 100755 ---- a/python/build-crypto-policies.py -+++ b/python/build-crypto-policies.py -@@ -9,6 +9,7 @@ import argparse - import os - import sys - import warnings -+import platform - - import cryptopolicies - -@@ -64,6 +65,11 @@ def save_config(cmdline, policy_name, config_name, config): - try: - 
with open(path, mode='r', encoding='utf-8') as f: - old_config = f.read() -+ if '[gost_section]' in config: -+ arch, links = platform.architecture() -+ if arch == '32bit': -+ #Make test expected file same for x86 and x86_64 systems -+ config = config.replace('dynamic_path = /usr/lib/engines-3/gost.so', 'dynamic_path = /usr/lib64/engines-3/gost.so') - if old_config != config: - eprint(f'Config for {config_name} for policy {policy_name} ' - 'differs from the existing one') -@@ -102,7 +108,7 @@ def build_policy(cmdline, policy_name, subpolicy_names=None): - gen = cls() - config = gen.generate_config(cp.scoped(gen.SCOPES)) - -- if policy_name in ('EMPTY', 'GOST-ONLY') or gen.test_config(config): -+ if policy_name in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM') or gen.test_config(config): - try: - name = ':'.join([policy_name, *subpolicy_names]) - if not save_config(cmdline, name, gen.CONFIG_NAME, config): -diff --git a/python/cryptopolicies/alg_lists.py b/python/cryptopolicies/alg_lists.py -index 792cbe1..88d79e3 100644 ---- a/python/cryptopolicies/alg_lists.py -+++ b/python/cryptopolicies/alg_lists.py -@@ -97,6 +97,12 @@ DTLS_PROTOCOLS = ('DTLS1.2', 'DTLS1.0', 'DTLS0.9') - IKE_PROTOCOLS = ('IKEv2', 'IKEv1') - ALL_PROTOCOLS = TLS_PROTOCOLS + DTLS_PROTOCOLS + IKE_PROTOCOLS - -+# List of action do algoritms, for non standard libraries -+IACTION_OPT = 'action_do' -+ALL_ACTION_DO = ( 'GOST', 'NONE' ) -+ -+AUTH_PROFILES_OPT = 'authopt' -+ALL_AUTH_PROFILES = () - - ALL = { - 'cipher': ALL_CIPHERS, -@@ -106,6 +112,8 @@ ALL = { - 'mac': ALL_MACS, - 'protocol': ALL_PROTOCOLS, - 'sign': ALL_SIGN, -+ IACTION_OPT: ALL_ACTION_DO, -+ AUTH_PROFILES_OPT: ALL_AUTH_PROFILES - } - - -@@ -119,10 +127,13 @@ def glob(pattern, alg_class): - if alg_class not in ALL: - raise validation.alg_lists.AlgorithmClassUnknownError(alg_class) - -- r = fnmatch.filter(ALL[alg_class], pattern) -- if not r: -- raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class) -- return r -+ if alg_class == 
AUTH_PROFILES_OPT: -+ return [pattern] -+ else: -+ r = fnmatch.filter(ALL[alg_class], pattern) -+ if not r: -+ raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class) -+ return r - - - def earliest_occurrence(needles, ordered_haystack): -diff --git a/python/cryptopolicies/cryptopolicies.py b/python/cryptopolicies/cryptopolicies.py -index bca0519..fff016a 100644 ---- a/python/cryptopolicies/cryptopolicies.py -+++ b/python/cryptopolicies/cryptopolicies.py -@@ -41,7 +41,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing - 'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh', - 'ipsec', 'ike', 'libreswan', - 'kerberos', 'krb5', -- 'dnssec', 'bind', -+ 'dnssec', 'bind', 'auth' - ) - DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things - 'bind': {'bind', 'dnssec'}, -@@ -54,6 +54,7 @@ DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things - 'openssh-client': {'openssh-client', 'openssh', 'ssh'}, - 'openssh-server': {'openssh-server', 'openssh', 'ssh'}, - 'openssl': {'openssl', 'tls', 'ssl'}, -+ 'auth': {'auth'}, - } - - -@@ -468,6 +469,8 @@ class UnscopedCryptoPolicy: - **generic_scoped.integers, - **generic_scoped.enums} - for prop_name, value in generic_all.items(): -+ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT): -+ continue - s += fmt(prop_name, value) - anything_scope_specific = False - for scope_name, scope_set in DUMPABLE_SCOPES.items(): -@@ -476,6 +479,8 @@ class UnscopedCryptoPolicy: - **specific_scoped.integers, - **specific_scoped.enums} - for prop_name, value in specific_all.items(): -+ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT): -+ continue - if value != generic_all[prop_name]: - if not anything_scope_specific: - s += ('# Scope-specific properties ' -diff --git a/python/policygenerators/__init__.py b/python/policygenerators/__init__.py -index 98ac27c..ac1b051 100644 ---- a/python/policygenerators/__init__.py -+++ 
b/python/policygenerators/__init__.py -@@ -16,6 +16,7 @@ from .openssh import OpenSSHServerGenerator - from .openssl import OpenSSLConfigGenerator - from .openssl import OpenSSLGenerator - from .openssl import OpenSSLFIPSGenerator -+from .auth import AuthGenerator - - __all__ = [ - 'BindGenerator', -@@ -31,4 +32,5 @@ __all__ = [ - 'OpenSSLConfigGenerator', - 'OpenSSLGenerator', - 'OpenSSLFIPSGenerator', -+ 'AuthGenerator', - ] -diff --git a/python/policygenerators/auth.py b/python/policygenerators/auth.py -new file mode 100644 -index 0000000..eb6bda5 ---- /dev/null -+++ b/python/policygenerators/auth.py -@@ -0,0 +1,36 @@ -+# SPDX-License-Identifier: LGPL-2.1-or-later -+ -+# Copyright (c) 2019 Red Hat, Inc. -+# Copyright (c) 2019 Tomáš Mráz -+ -+import os.path -+ -+from .configgenerator import ConfigGenerator -+ -+class AuthGenerator(ConfigGenerator): -+ CONFIG_NAME = 'auth' -+ SCOPES = {'auth'} -+ -+ RELOAD_CMD = '/usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :\n' -+ -+ @classmethod -+ def generate_config(cls, policy): -+ p = policy.enabled -+ sep = '\n' -+ s = '' -+ authopt_data = p['authopt'] -+ if len(authopt_data) > 0: -+ auth_profile = authopt_data.pop(0) -+ opt_list = [] -+ for item in authopt_data: -+ if item not in opt_list: -+ if item.startswith('with'): -+ opt_list.append(item) -+ s = cls.append(s, auth_profile, sep) -+ for item in opt_list: -+ s = cls.append(s, item, sep) -+ return s -+ -+ @classmethod -+ def test_config(cls, config): # pylint: disable=unused-argument -+ return True -diff --git a/python/policygenerators/fedora-crypto-policies.code-workspace b/python/policygenerators/fedora-crypto-policies.code-workspace -new file mode 100644 -index 0000000..e69de29 -diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py -index 571dc79..57c7476 100644 ---- a/python/policygenerators/openssl.py -+++ b/python/policygenerators/openssl.py -@@ -2,6 +2,7 @@ - - # Copyright (c) 2019 Red Hat, Inc. 
- # Copyright (c) 2019 Tomáš Mráz -+import platform - - from subprocess import check_output, CalledProcessError - -@@ -22,6 +23,25 @@ tls1-prf-ems-check = {} - activate = 1 - ''' - -+arch, links = platform.architecture() -+library_path = '64' -+if arch == '32bit': -+ library_path = '' -+ -+GOST_MODULE_ENABLE = ''' -+[openssl_init] -+engines = engine_gost -+ -+[engine_gost] -+gost = gost_section -+ -+[gost_section] -+engine_id = gost -+dynamic_path = /usr/lib%s/engines-3/gost.so -+default_algorithms = ALL -+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet -+''' % (library_path) -+ - - class OpenSSLGenerator(ConfigGenerator): - CONFIG_NAME = 'openssl' -@@ -266,6 +286,9 @@ class OpenSSLConfigGenerator(OpenSSLGenerator): - - if 'SHA1' in p['hash']: - s += RH_ALLOW_SHA1 -+ -+ if 'GOST' in p['action_do']: -+ s += GOST_MODULE_ENABLE - - return s - -diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh -new file mode 100755 -index 0000000..5b2ecad ---- /dev/null -+++ b/scripts/auth_apply.sh -@@ -0,0 +1,204 @@ -+#!/usr/bin/bash -+exec 1> /var/log/crypto-cmc/auth.log 2>&1 -+set -x -+# Скрипт настройки профиля authselect для crypto-policy -+# Примеры запуска: -+# auth_apply.sh -e - восстановить конфигурацию без указания auth профиля -+# auth_apply.sh -p tmp/ - считать что конфигурационные файлы authselect лежат в каталоге tmp -+# auth_apply.sh -p /tmp -t /tmpconf - аналигично предыдущему, но еще не вызывать authselect -+# и считать, что сгенерированный конфиг лежит в каталоге tmpconf -+ -+CONF_PATH=/etc/authselect/ -+AUTH_SEL_BAK=authselect.conf.policy -+AUTH_CONFIG=authselect.conf -+EMPTY=0 -+TEST="" -+AUTH_BACKUP_NAME="auth_saved_profile" -+USE_PATCH="$CONF_PATH/autheslect.patch" -+ -+function set_gost -+{ -+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/system-auth -+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/password-auth -+ -+} -+ -+function set_no_gost -+{ -+ 
/usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/system-auth -+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/password-auth -+} -+ -+function get_auth_options -+{ -+ /usr/bin/cat /etc/crypto-policies/back-ends/auth.config | tr '\n' ' ' -+} -+ -+function save_restored_profile -+{ -+ if [ ! -e /etc/authselect/custom/restored ];then -+ /usr/bin/authselect create-profile restored -+ [ -e /etc/pam.d/fingerprint-auth ] && /usr/bin/cp -f /etc/pam.d/fingerprint-auth /etc/authselect/custom/restored/ -+ [ -e /etc/pam.d/password-auth ] && /usr/bin/cp -f /etc/pam.d/password-auth /etc/authselect/custom/restored/ -+ [ -e /etc/pam.d/postlogin ] && /usr/bin/cp -f /etc/pam.d/postlogin /etc/authselect/custom/restored/ -+ [ -e /etc/pam.d/smartcard-auth ] && /usr/bin/cp -f /etc/pam.d/smartcard-auth /etc/authselect/custom/restored/ -+ [ -e /etc/pam.d/system-auth ] && /usr/bin/cp -f /etc/pam.d/system-auth /etc/authselect/custom/restored/ -+ [ -e /etc/authselect/user-nsswitch.conf ] && /usr/bin/cp -f /etc/authselect/user-nsswitch.conf /etc/authselect/custom/restored/nsswitch.conf -+ fi -+} -+ -+while getopts ':et:p:h' VAL ; do -+ case $VAL in -+ e ) EMPTY=1 ;; -+ p ) CONF_PATH="$OPTARG" ;; -+ t ) TEST="$OPTARG" ;; -+ : ) -+ echo "Необходим параметр - путь к опции $OPTARG" -+ exit 255 -+ ;; -+ * ) -+ echo "Неизвестный параметр $OPTARG" -+ exit 255 -+ ;; -+ esac -+done -+shift $((OPTIND -1)) -+ -+# Если заданный путь к кинфигурации authselect заканчивается на / -+# то удалим этот символ -+LAST_SYMBOL=${CONF_PATH: -1} -+if [ "$LAST_SYMBOL" = "/" ];then -+ CONF_PATH=${CONF_PATH%?} -+fi -+LAST_SYMBOL=${TEST: -1} -+if [ "$LAST_SYMBOL" = "/" ];then -+ TEST=${TEST%?} -+fi -+ -+if [ -z "$TEST" ];then -+ POLICY_CONFIG=/etc/crypto-policies/back-ends/auth.config -+else -+ POLICY_CONFIG="$TEST/auth.config" -+ if [[ "$POLICY_CONFIG" == "/*" ]];then -+ : -+ else -+ CUR_DIR=$(pwd) -+ 
POLICY_CONFIG="$CUR_DIR/$POLICY_CONFIG" -+ fi -+fi -+ -+PATH_TO_AUTH_SEL_BAK="$CONF_PATH/$AUTH_SEL_BAK" -+PATH_TO_AUTH_CONFIG="$CONF_PATH/$AUTH_CONFIG" -+ -+# Дополнительная проверка, файл authselect.conf не должен быть пустым -+# или соедржать слово empty--data, иначе это признак empty -+if [ -e "$PATH_TO_AUTH_CONFIG" ];then -+ AUTH_CONF_CONT=$(/usr/bin/cat "$POLICY_CONFIG" | /usr/bin/xargs) -+ if [ -z "$AUTH_CONF_CONT" -o "$AUTH_CONF_CONT" = "empty--data" ];then -+ EMPTY=1 -+ fi -+else -+ EMPTY=2 -+fi -+ -+# Проверим, нужно ли накладывать патч. Установлено ли это конфигурацией -+NEED_PATCH=0 -+if [ -e "$POLICY_CONFIG" ];then -+ RES=$(cat "$POLICY_CONFIG") -+ if [ "$RES" = "patch" ];then -+ NEED_PATCH=1 -+ fi -+fi -+ -+# Если задан параметр empty, это значит, что применяется профиль -+# без настройки для authselect, в этом случае нужно восстановить -+# старый заданный профиль -+# TODO: возможно даже воспользоватьс командой -+# authselect backup-restore auth_saved_profile -+# данный снимок создается при профиля через crypto-policy -+if [ "$EMPTY" = "1" ];then -+# Если есть файл authselect.patch, значит профиль был пропатчен, -+# а не установлен через профиль -+ if [ -e "$USE_PATCH" ];then -+ set_no_gost -+ /usr/bin/mv -f "$USE_PATCH" "$USE_PATCH.removed" -+ else -+ if [ -e "$PATH_TO_AUTH_SEL_BAK" ];then -+# Только root может восстанавливать конфигурацию из резервной копии -+# дабыизбежать подлога и восстановления файла, созданного пользователем -+ OWNER_UID=$(/usr/bin/stat -c "%u" "$PATH_TO_AUTH_SEL_BAK") -+ if [ "$OWNER_UID" = "0" ];then -+ /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG" -+ fi -+ AUTH_CONT=$(cat "$PATH_TO_AUTH_CONFIG") -+# Есди файл настроек authselect пустой после восстановления -+# значит он создан ранее скриптом и его нужно убрать -+ if [ -z "$AUTH_CONT" ];then -+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed" -+ fi -+ else -+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed" -+ fi -+ if [ 
-e "$PATH_TO_AUTH_CONFIG" ];then -+ /usr/bin/authselect apply-changes -+ else -+ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then -+ /usr/bin/authselect backup-restore "$AUTH_BACKUP_NAME" -+ else -+ if [ -e /etc/authselect/custom/resored ];then -+ /usr/bin/authselect select custom/restored --force -+ fi -+ fi -+ fi -+ fi -+ exit 0 -+fi -+ -+# Здесь проверяется куда указывает симлинк(если создан) конфигурационного файла -+# если он смотрит на policy конфигурационный файл, то ничего не делаем, т.к. все уже сделано до нас -+if [ "$EMPTY" = "2" ];then -+ if [ "$NEED_PATCH" = "1" ];then -+ set_gost -+ touch "$USE_PATCH" -+ else -+ OPTS_FOR_EXECUTE=$(get_auth_options) -+ if [ -n "$OPTS_FOR_EXECUTE" ];then -+ save_restored_profile -+ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then -+ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force -+ else -+ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force --backup=auth_saved_profile -+ fi -+ #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" -+ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" -+ /usr/bin/authselect apply-changes -+ touch "$PATH_TO_AUTH_SEL_BAK" -+ fi -+ fi -+else -+ if [ "$NEED_PATCH" = "1" ];then -+ set_gost -+ touch "$USE_PATCH" -+ else -+# Если не найден файл маркер, то создается файл бэкапа для authselect -+# а так же создается файл маркер -+ if [ ! -e "$PATH_TO_AUTH_SEL_BAK" ];then -+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_SEL_BAK" -+ EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG") -+ if [ -n "$EMPTY_AUTH" ];then -+ if [ ! 
-e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then -+ /usr/bin/authselect apply-changes --backup="$AUTH_BACKUP_NAME" -+ fi -+ fi -+ fi -+ -+ #LINK_VALUE=$(/usr/bin/readlink "$PATH_TO_AUTH_CONFIG") -+ #if [ "$LINK_VALUE" != "$POLICY_CONFIG" ];then -+ # #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" -+ #fi -+ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" -+ /usr/bin/authselect apply-changes -+ fi -+fi -+ -+exit 0 -\ No newline at end of file -diff --git a/tests/alternative-policies/GOST-ONLY.pol b/tests/alternative-policies/GOST-ONLY.pol -new file mode 100644 -index 0000000..6238020 ---- /dev/null -+++ b/tests/alternative-policies/GOST-ONLY.pol -@@ -0,0 +1,30 @@ -+# Next generation GOST algorithms -+ -+mac = AEAD *STREEBOG* *-OMAC *-OMAC-ACPKM *GOST* -+ -+group = *GOST* -+ -+hash = *GOST* *STREEBOG* -+ -+sign = *GOST* -+ -+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM -+ -+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-C* -+ -+key_exchange = *GOST* -+ -+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 -+ -+min_tls_version = TLS1.0 -+ -+# Parameter sizes -+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL -+min_dh_size = 2048 -+min_dsa_size = 2048 -+min_rsa_size = 2048 -+ -+# GnuTLS only for now -+sha1_in_certs = 0 -+ -+action_do = GOST -diff --git a/tests/alternative-policies/modules/GOST.pmod b/tests/alternative-policies/modules/GOST.pmod -new file mode 100644 -index 0000000..4280cad ---- /dev/null -+++ b/tests/alternative-policies/modules/GOST.pmod -@@ -0,0 +1,18 @@ -+# Adds GOST algorithms. -+# This is an example subpolicy, the algorithm names might differ in reality. 
-+ -+mac = +*STREEBOG-* +*-OMAC +*-OMAC-ACPKM +GOST28147* +AEAD -+ -+group = +*GOST* -+ -+hash = +*STREEBOG* +*GOST* -+ -+sign = +*GOST* -+ -+cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM -+ -+cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB -+ -+key_exchange = +*GOST* -+ -+action_do = +GOST -\ No newline at end of file -diff --git a/tests/gnutls.pl b/tests/gnutls.pl -index c327d8e..6d63d86 100755 ---- a/tests/gnutls.pl -+++ b/tests/gnutls.pl -@@ -24,7 +24,7 @@ foreach my $policyfile (@gnutlspolicies) { - $policy =~ s/-[^-]+$//; - - print "Checking policy $policy\n"; -- next if $policy eq 'GOST-ONLY'; -+ next if $policy =~ /^GOST-ONLY/; - - system("GNUTLS_DEBUG_LEVEL=3 GNUTLS_SYSTEM_PRIORITY_FILE=$dir/$policyfile GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 gnutls-cli -l >$TMPFILE 2>&1"); - if ($? == 0 && $policy eq 'EMPTY') { -diff --git a/tests/java.pl b/tests/java.pl -index c285150..6639642 100755 ---- a/tests/java.pl -+++ b/tests/java.pl -@@ -43,7 +43,7 @@ foreach my $policyfile (@javapolicies) { - } - - my $lines=`cat $TMPFILE|wc -l`; -- if ("$policy" eq "EMPTY" or "$policy" eq "GOST-ONLY") { -+ if ("$policy" eq "EMPTY" or "$policy" =~ /^GOST-ONLY/) { - if ($lines >= 2) { # we allow the SCSV - print "Empty policy has ciphersuites!\n"; - exit 1; -diff --git a/tests/nss.py b/tests/nss.py -index f30f48e..4fdec63 100755 ---- a/tests/nss.py -+++ b/tests/nss.py -@@ -38,7 +38,7 @@ print('Checking the NSS configuration') - for policy_path in glob.glob('tests/outputs/*-nss.txt'): - policy = os.path.basename(policy_path)[:-len('-nss.txt')] - print(f'Checking policy {policy}') -- if policy not in ('EMPTY', 'GOST-ONLY'): -+ if policy not in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM'): - with open(policy_path, encoding='utf-8') as pf: - config = pf.read() - with tempfile.NamedTemporaryFile('w', delete=False) as tf: 
-diff --git a/tests/openssl.pl b/tests/openssl.pl -index c3a7c9f..f967845 100755 ---- a/tests/openssl.pl -+++ b/tests/openssl.pl -@@ -27,7 +27,7 @@ foreach my $policyfile (@opensslpolicies) { - <$fh>; - }; - -- my %skip_test = map {$_ => 1} ("EMPTY", "GOST-ONLY"); -+ my %skip_test = map {$_ => 1} ("EMPTY", "GOST-ONLY", "GOST-ONLY-PAM"); - - system("openssl ciphers $tmp >$TMPFILE 2>&1") unless exists $skip_test{$policy}; - if ($? != 0) { -diff --git a/tests/outputs/DEFAULT-auth.txt b/tests/outputs/DEFAULT-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/DEFAULT:GOST-auth.txt b/tests/outputs/DEFAULT:GOST-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/DEFAULT:GOST-bind.txt b/tests/outputs/DEFAULT:GOST-bind.txt -new file mode 100644 -index 0000000..09fb3f1 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-bind.txt -@@ -0,0 +1,10 @@ -+disable-algorithms "." { -+RSAMD5; -+RSASHA1; -+NSEC3RSASHA1; -+DSA; -+NSEC3DSA; -+}; -+disable-ds-digests "." 
{ -+SHA-1; -+}; -diff --git a/tests/outputs/DEFAULT:GOST-gnutls.txt b/tests/outputs/DEFAULT:GOST-gnutls.txt -new file mode 100644 -index 0000000..9a04550 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-gnutls.txt -@@ -0,0 +1,105 @@ -+[global] -+override-mode = allowlist -+ -+[overrides] -+secure-hash = SHA256 -+secure-hash = SHA384 -+secure-hash = SHA512 -+secure-hash = SHA3-256 -+secure-hash = SHA3-384 -+secure-hash = SHA3-512 -+secure-hash = SHA224 -+secure-hash = SHA3-224 -+secure-hash = SHAKE-256 -+tls-enabled-mac = AEAD -+tls-enabled-mac = SHA1 -+tls-enabled-mac = SHA512 -+tls-enabled-group = GROUP-X25519 -+tls-enabled-group = GROUP-SECP256R1 -+tls-enabled-group = GROUP-X448 -+tls-enabled-group = GROUP-SECP521R1 -+tls-enabled-group = GROUP-SECP384R1 -+tls-enabled-group = GROUP-FFDHE2048 -+tls-enabled-group = GROUP-FFDHE3072 -+tls-enabled-group = GROUP-FFDHE4096 -+tls-enabled-group = GROUP-FFDHE6144 -+tls-enabled-group = GROUP-FFDHE8192 -+secure-sig = ECDSA-SHA3-256 -+secure-sig = ECDSA-SHA256 -+secure-sig = ECDSA-SECP256R1-SHA256 -+secure-sig = ECDSA-SHA3-384 -+secure-sig = ECDSA-SHA384 -+secure-sig = ECDSA-SECP384R1-SHA384 -+secure-sig = ECDSA-SHA3-512 -+secure-sig = ECDSA-SHA512 -+secure-sig = ECDSA-SECP521R1-SHA512 -+secure-sig = EdDSA-Ed25519 -+secure-sig = EdDSA-Ed448 -+secure-sig = RSA-PSS-SHA256 -+secure-sig = RSA-PSS-SHA384 -+secure-sig = RSA-PSS-SHA512 -+secure-sig = RSA-PSS-RSAE-SHA256 -+secure-sig = RSA-PSS-RSAE-SHA384 -+secure-sig = RSA-PSS-RSAE-SHA512 -+secure-sig = RSA-SHA3-256 -+secure-sig = RSA-SHA256 -+secure-sig = RSA-SHA3-384 -+secure-sig = RSA-SHA384 -+secure-sig = RSA-SHA3-512 -+secure-sig = RSA-SHA512 -+secure-sig = ECDSA-SHA224 -+secure-sig = RSA-SHA224 -+secure-sig = ECDSA-SHA3-224 -+secure-sig = RSA-SHA3-224 -+secure-sig-for-cert = ECDSA-SHA3-256 -+secure-sig-for-cert = ECDSA-SHA256 -+secure-sig-for-cert = ECDSA-SECP256R1-SHA256 -+secure-sig-for-cert = ECDSA-SHA3-384 -+secure-sig-for-cert = ECDSA-SHA384 -+secure-sig-for-cert = 
ECDSA-SECP384R1-SHA384 -+secure-sig-for-cert = ECDSA-SHA3-512 -+secure-sig-for-cert = ECDSA-SHA512 -+secure-sig-for-cert = ECDSA-SECP521R1-SHA512 -+secure-sig-for-cert = EdDSA-Ed25519 -+secure-sig-for-cert = EdDSA-Ed448 -+secure-sig-for-cert = RSA-PSS-SHA256 -+secure-sig-for-cert = RSA-PSS-SHA384 -+secure-sig-for-cert = RSA-PSS-SHA512 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA256 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA384 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA512 -+secure-sig-for-cert = RSA-SHA3-256 -+secure-sig-for-cert = RSA-SHA256 -+secure-sig-for-cert = RSA-SHA3-384 -+secure-sig-for-cert = RSA-SHA384 -+secure-sig-for-cert = RSA-SHA3-512 -+secure-sig-for-cert = RSA-SHA512 -+secure-sig-for-cert = ECDSA-SHA224 -+secure-sig-for-cert = RSA-SHA224 -+secure-sig-for-cert = ECDSA-SHA3-224 -+secure-sig-for-cert = RSA-SHA3-224 -+enabled-curve = X25519 -+enabled-curve = SECP256R1 -+enabled-curve = X448 -+enabled-curve = SECP521R1 -+enabled-curve = SECP384R1 -+enabled-curve = Ed25519 -+enabled-curve = Ed448 -+tls-enabled-cipher = AES-256-GCM -+tls-enabled-cipher = AES-256-CCM -+tls-enabled-cipher = CHACHA20-POLY1305 -+tls-enabled-cipher = AES-256-CBC -+tls-enabled-cipher = AES-128-GCM -+tls-enabled-cipher = AES-128-CCM -+tls-enabled-cipher = AES-128-CBC -+tls-enabled-kx = ECDHE-RSA -+tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA -+tls-enabled-kx = DHE-RSA -+enabled-version = TLS1.3 -+enabled-version = TLS1.2 -+enabled-version = DTLS1.2 -+min-verification-profile = medium -+ -+[priorities] -+SYSTEM=NONE -diff --git a/tests/outputs/DEFAULT:GOST-java.txt b/tests/outputs/DEFAULT:GOST-java.txt -new file mode 100644 -index 0000000..1a48c4a ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-java.txt -@@ -0,0 +1,3 @@ -+jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 -+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, 
DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 -+jdk.tls.legacyAlgorithms= -diff --git a/tests/outputs/DEFAULT:GOST-javasystem.txt b/tests/outputs/DEFAULT:GOST-javasystem.txt -new file mode 100644 -index 0000000..108de3d ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-javasystem.txt -@@ -0,0 +1 @@ -+jdk.tls.ephemeralDHKeySize=2048 -diff --git a/tests/outputs/DEFAULT:GOST-krb5.txt b/tests/outputs/DEFAULT:GOST-krb5.txt -new file mode 100644 -index 0000000..415dcb3 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-krb5.txt -@@ -0,0 +1,2 @@ -+[libdefaults] -+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 -diff --git a/tests/outputs/DEFAULT:GOST-libreswan.txt b/tests/outputs/DEFAULT:GOST-libreswan.txt -new file mode 100644 -index 0000000..9f2f5db ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-libreswan.txt -@@ -0,0 +1,6 @@ -+conn %default -+ ikev2=insist -+ pfs=yes -+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 -+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 -+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 -diff --git a/tests/outputs/DEFAULT:GOST-libssh.txt b/tests/outputs/DEFAULT:GOST-libssh.txt -new file mode 100644 -index 0000000..49d8251 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-libssh.txt -@@ -0,0 +1,5 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -+KexAlgorithms 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -diff --git a/tests/outputs/DEFAULT:GOST-nss.txt b/tests/outputs/DEFAULT:GOST-nss.txt -new file mode 100644 -index 0000000..b8bf74a ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-nss.txt -@@ -0,0 +1,6 @@ -+library= -+name=Policy -+NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ -diff --git a/tests/outputs/DEFAULT:GOST-openssh.txt b/tests/outputs/DEFAULT:GOST-openssh.txt -new file mode 100644 -index 0000000..47d352e ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-openssh.txt -@@ -0,0 +1,7 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs 
hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:GOST-opensshserver.txt b/tests/outputs/DEFAULT:GOST-opensshserver.txt -new file mode 100644 -index 0000000..8105750 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-opensshserver.txt -@@ -0,0 +1,8 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:GOST-openssl.txt b/tests/outputs/DEFAULT:GOST-openssl.txt -new file mode 100644 -index 0000000..239566f ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-openssl.txt -@@ -0,0 +1 @@ -+@SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -diff --git a/tests/outputs/DEFAULT:GOST-openssl_fips.txt b/tests/outputs/DEFAULT:GOST-openssl_fips.txt -new file mode 100644 -index 0000000..c69d6e1 ---- /dev/null -+++ 
b/tests/outputs/DEFAULT:GOST-openssl_fips.txt -@@ -0,0 +1,4 @@ -+ -+[fips_sect] -+tls1-prf-ems-check = 1 -+activate = 1 -diff --git a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt -new file mode 100644 -index 0000000..6fe6291 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-opensslcnf.txt -@@ -0,0 +1,20 @@ -+CipherString = @SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -+Ciphersuites = GOST2012-GOST8912-GOST8912:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 -+TLS.MinProtocol = TLSv1.2 -+TLS.MaxProtocol = TLSv1.3 -+DTLS.MinProtocol = DTLSv1.2 -+DTLS.MaxProtocol = DTLSv1.2 -+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 -+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -+ -+[openssl_init] -+engines = engine_gost -+ -+[engine_gost] -+gost = gost_section -+ -+[gost_section] -+engine_id = gost -+dynamic_path = /usr/lib64/engines-3/gost.so -+default_algorithms = ALL -+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet -diff --git a/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt -new file mode 100644 -index 0000000..cec1d15 ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt -@@ -0,0 +1,51 @@ -+[hash_algorithms] -+md5.collision_resistance = "never" -+md5.second_preimage_resistance = "never" -+sha1.collision_resistance = "always" -+sha1.second_preimage_resistance = "always" -+ripemd160.collision_resistance = "never" -+ripemd160.second_preimage_resistance = "never" -+sha224.collision_resistance = "always" -+sha224.second_preimage_resistance = "always" 
-+sha256.collision_resistance = "always" -+sha256.second_preimage_resistance = "always" -+sha384.collision_resistance = "always" -+sha384.second_preimage_resistance = "always" -+sha512.collision_resistance = "always" -+sha512.second_preimage_resistance = "always" -+default_disposition = "never" -+ -+[symmetric_algorithms] -+idea = "never" -+tripledes = "never" -+cast5 = "never" -+blowfish = "never" -+aes128 = "always" -+aes192 = "never" -+aes256 = "always" -+twofish = "never" -+camellia128 = "always" -+camellia192 = "never" -+camellia256 = "always" -+default_disposition = "never" -+ -+[asymmetric_algorithms] -+rsa1024 = "never" -+rsa2048 = "always" -+rsa3072 = "always" -+rsa4096 = "always" -+dsa1024 = "always" -+dsa2048 = "always" -+dsa3072 = "always" -+dsa4096 = "always" -+nistp256 = "always" -+nistp384 = "always" -+nistp521 = "always" -+cv25519 = "always" -+elgamal1024 = "never" -+elgamal2048 = "never" -+elgamal3072 = "never" -+elgamal4096 = "never" -+brainpoolp256 = "never" -+brainpoolp512 = "never" -+default_disposition = "never" -diff --git a/tests/outputs/DEFAULT:GOST-sequoia.txt b/tests/outputs/DEFAULT:GOST-sequoia.txt -new file mode 100644 -index 0000000..135997c ---- /dev/null -+++ b/tests/outputs/DEFAULT:GOST-sequoia.txt -@@ -0,0 +1,51 @@ -+[hash_algorithms] -+md5.collision_resistance = "never" -+md5.second_preimage_resistance = "never" -+sha1.collision_resistance = "never" -+sha1.second_preimage_resistance = "never" -+ripemd160.collision_resistance = "never" -+ripemd160.second_preimage_resistance = "never" -+sha224.collision_resistance = "always" -+sha224.second_preimage_resistance = "always" -+sha256.collision_resistance = "always" -+sha256.second_preimage_resistance = "always" -+sha384.collision_resistance = "always" -+sha384.second_preimage_resistance = "always" -+sha512.collision_resistance = "always" -+sha512.second_preimage_resistance = "always" -+default_disposition = "never" -+ -+[symmetric_algorithms] -+idea = "never" -+tripledes = "never" 
-+cast5 = "never" -+blowfish = "never" -+aes128 = "always" -+aes192 = "never" -+aes256 = "always" -+twofish = "never" -+camellia128 = "always" -+camellia192 = "never" -+camellia256 = "always" -+default_disposition = "never" -+ -+[asymmetric_algorithms] -+rsa1024 = "never" -+rsa2048 = "always" -+rsa3072 = "always" -+rsa4096 = "always" -+dsa1024 = "never" -+dsa2048 = "never" -+dsa3072 = "never" -+dsa4096 = "never" -+nistp256 = "always" -+nistp384 = "always" -+nistp521 = "always" -+cv25519 = "always" -+elgamal1024 = "never" -+elgamal2048 = "never" -+elgamal3072 = "never" -+elgamal4096 = "never" -+brainpoolp256 = "never" -+brainpoolp512 = "never" -+default_disposition = "never" -diff --git a/tests/outputs/DEFAULT:PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PAM-GOST-auth.txt -new file mode 100644 -index 0000000..110527f ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-auth.txt -@@ -0,0 +1,2 @@ -+custom/minimal_gost -+with-gost -\ No newline at end of file -diff --git a/tests/outputs/DEFAULT:PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PAM-GOST-bind.txt -new file mode 100644 -index 0000000..9ec8420 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-bind.txt -@@ -0,0 +1,12 @@ -+disable-algorithms "." { -+RSAMD5; -+RSASHA1; -+NSEC3RSASHA1; -+DSA; -+NSEC3DSA; -+ECCGOST; -+}; -+disable-ds-digests "." 
{ -+SHA-1; -+GOST; -+}; -diff --git a/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt -new file mode 100644 -index 0000000..9a04550 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt -@@ -0,0 +1,105 @@ -+[global] -+override-mode = allowlist -+ -+[overrides] -+secure-hash = SHA256 -+secure-hash = SHA384 -+secure-hash = SHA512 -+secure-hash = SHA3-256 -+secure-hash = SHA3-384 -+secure-hash = SHA3-512 -+secure-hash = SHA224 -+secure-hash = SHA3-224 -+secure-hash = SHAKE-256 -+tls-enabled-mac = AEAD -+tls-enabled-mac = SHA1 -+tls-enabled-mac = SHA512 -+tls-enabled-group = GROUP-X25519 -+tls-enabled-group = GROUP-SECP256R1 -+tls-enabled-group = GROUP-X448 -+tls-enabled-group = GROUP-SECP521R1 -+tls-enabled-group = GROUP-SECP384R1 -+tls-enabled-group = GROUP-FFDHE2048 -+tls-enabled-group = GROUP-FFDHE3072 -+tls-enabled-group = GROUP-FFDHE4096 -+tls-enabled-group = GROUP-FFDHE6144 -+tls-enabled-group = GROUP-FFDHE8192 -+secure-sig = ECDSA-SHA3-256 -+secure-sig = ECDSA-SHA256 -+secure-sig = ECDSA-SECP256R1-SHA256 -+secure-sig = ECDSA-SHA3-384 -+secure-sig = ECDSA-SHA384 -+secure-sig = ECDSA-SECP384R1-SHA384 -+secure-sig = ECDSA-SHA3-512 -+secure-sig = ECDSA-SHA512 -+secure-sig = ECDSA-SECP521R1-SHA512 -+secure-sig = EdDSA-Ed25519 -+secure-sig = EdDSA-Ed448 -+secure-sig = RSA-PSS-SHA256 -+secure-sig = RSA-PSS-SHA384 -+secure-sig = RSA-PSS-SHA512 -+secure-sig = RSA-PSS-RSAE-SHA256 -+secure-sig = RSA-PSS-RSAE-SHA384 -+secure-sig = RSA-PSS-RSAE-SHA512 -+secure-sig = RSA-SHA3-256 -+secure-sig = RSA-SHA256 -+secure-sig = RSA-SHA3-384 -+secure-sig = RSA-SHA384 -+secure-sig = RSA-SHA3-512 -+secure-sig = RSA-SHA512 -+secure-sig = ECDSA-SHA224 -+secure-sig = RSA-SHA224 -+secure-sig = ECDSA-SHA3-224 -+secure-sig = RSA-SHA3-224 -+secure-sig-for-cert = ECDSA-SHA3-256 -+secure-sig-for-cert = ECDSA-SHA256 -+secure-sig-for-cert = ECDSA-SECP256R1-SHA256 -+secure-sig-for-cert = ECDSA-SHA3-384 -+secure-sig-for-cert = ECDSA-SHA384 
-+secure-sig-for-cert = ECDSA-SECP384R1-SHA384 -+secure-sig-for-cert = ECDSA-SHA3-512 -+secure-sig-for-cert = ECDSA-SHA512 -+secure-sig-for-cert = ECDSA-SECP521R1-SHA512 -+secure-sig-for-cert = EdDSA-Ed25519 -+secure-sig-for-cert = EdDSA-Ed448 -+secure-sig-for-cert = RSA-PSS-SHA256 -+secure-sig-for-cert = RSA-PSS-SHA384 -+secure-sig-for-cert = RSA-PSS-SHA512 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA256 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA384 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA512 -+secure-sig-for-cert = RSA-SHA3-256 -+secure-sig-for-cert = RSA-SHA256 -+secure-sig-for-cert = RSA-SHA3-384 -+secure-sig-for-cert = RSA-SHA384 -+secure-sig-for-cert = RSA-SHA3-512 -+secure-sig-for-cert = RSA-SHA512 -+secure-sig-for-cert = ECDSA-SHA224 -+secure-sig-for-cert = RSA-SHA224 -+secure-sig-for-cert = ECDSA-SHA3-224 -+secure-sig-for-cert = RSA-SHA3-224 -+enabled-curve = X25519 -+enabled-curve = SECP256R1 -+enabled-curve = X448 -+enabled-curve = SECP521R1 -+enabled-curve = SECP384R1 -+enabled-curve = Ed25519 -+enabled-curve = Ed448 -+tls-enabled-cipher = AES-256-GCM -+tls-enabled-cipher = AES-256-CCM -+tls-enabled-cipher = CHACHA20-POLY1305 -+tls-enabled-cipher = AES-256-CBC -+tls-enabled-cipher = AES-128-GCM -+tls-enabled-cipher = AES-128-CCM -+tls-enabled-cipher = AES-128-CBC -+tls-enabled-kx = ECDHE-RSA -+tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA -+tls-enabled-kx = DHE-RSA -+enabled-version = TLS1.3 -+enabled-version = TLS1.2 -+enabled-version = DTLS1.2 -+min-verification-profile = medium -+ -+[priorities] -+SYSTEM=NONE -diff --git a/tests/outputs/DEFAULT:PAM-GOST-java.txt b/tests/outputs/DEFAULT:PAM-GOST-java.txt -new file mode 100644 -index 0000000..1a48c4a ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-java.txt -@@ -0,0 +1,3 @@ -+jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 -+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, 
DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 -+jdk.tls.legacyAlgorithms= -diff --git a/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt -new file mode 100644 -index 0000000..108de3d ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt -@@ -0,0 +1 @@ -+jdk.tls.ephemeralDHKeySize=2048 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt -new file mode 100644 -index 0000000..415dcb3 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt -@@ -0,0 +1,2 @@ -+[libdefaults] -+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt -new file mode 100644 -index 0000000..9f2f5db ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt -@@ -0,0 +1,6 @@ -+conn %default -+ ikev2=insist -+ pfs=yes -+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 -+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 -+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt -new file mode 100644 -index 0000000..49d8251 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt -@@ -0,0 +1,5 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs 
hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -diff --git a/tests/outputs/DEFAULT:PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PAM-GOST-nss.txt -new file mode 100644 -index 0000000..b8bf74a ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-nss.txt -@@ -0,0 +1,6 @@ -+library= -+name=Policy -+NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ -diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt -new file mode 100644 -index 0000000..47d352e ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt -@@ -0,0 +1,7 @@ -+Ciphers 
aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt -new file mode 100644 -index 0000000..8105750 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt -@@ -0,0 +1,8 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt -new file mode 100644 -index 0000000..952c651 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt -@@ -0,0 +1 @@ -+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt -new file mode 100644 -index 0000000..c69d6e1 ---- /dev/null -+++ 
b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt -@@ -0,0 +1,4 @@ -+ -+[fips_sect] -+tls1-prf-ems-check = 1 -+activate = 1 -diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt -new file mode 100644 -index 0000000..8f18d1e ---- /dev/null -+++ b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt -@@ -0,0 +1,8 @@ -+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 -+TLS.MinProtocol = TLSv1.2 -+TLS.MaxProtocol = TLSv1.3 -+DTLS.MinProtocol = DTLSv1.2 -+DTLS.MaxProtocol = DTLSv1.2 -+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 -+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt -new file mode 100644 -index 0000000..dbcae14 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt -@@ -0,0 +1 @@ -+patch -\ No newline at end of file -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt -new file mode 100644 -index 0000000..9ec8420 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt -@@ -0,0 +1,12 @@ -+disable-algorithms "." { -+RSAMD5; -+RSASHA1; -+NSEC3RSASHA1; -+DSA; -+NSEC3DSA; -+ECCGOST; -+}; -+disable-ds-digests "." 
{ -+SHA-1; -+GOST; -+}; -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt -new file mode 100644 -index 0000000..9a04550 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt -@@ -0,0 +1,105 @@ -+[global] -+override-mode = allowlist -+ -+[overrides] -+secure-hash = SHA256 -+secure-hash = SHA384 -+secure-hash = SHA512 -+secure-hash = SHA3-256 -+secure-hash = SHA3-384 -+secure-hash = SHA3-512 -+secure-hash = SHA224 -+secure-hash = SHA3-224 -+secure-hash = SHAKE-256 -+tls-enabled-mac = AEAD -+tls-enabled-mac = SHA1 -+tls-enabled-mac = SHA512 -+tls-enabled-group = GROUP-X25519 -+tls-enabled-group = GROUP-SECP256R1 -+tls-enabled-group = GROUP-X448 -+tls-enabled-group = GROUP-SECP521R1 -+tls-enabled-group = GROUP-SECP384R1 -+tls-enabled-group = GROUP-FFDHE2048 -+tls-enabled-group = GROUP-FFDHE3072 -+tls-enabled-group = GROUP-FFDHE4096 -+tls-enabled-group = GROUP-FFDHE6144 -+tls-enabled-group = GROUP-FFDHE8192 -+secure-sig = ECDSA-SHA3-256 -+secure-sig = ECDSA-SHA256 -+secure-sig = ECDSA-SECP256R1-SHA256 -+secure-sig = ECDSA-SHA3-384 -+secure-sig = ECDSA-SHA384 -+secure-sig = ECDSA-SECP384R1-SHA384 -+secure-sig = ECDSA-SHA3-512 -+secure-sig = ECDSA-SHA512 -+secure-sig = ECDSA-SECP521R1-SHA512 -+secure-sig = EdDSA-Ed25519 -+secure-sig = EdDSA-Ed448 -+secure-sig = RSA-PSS-SHA256 -+secure-sig = RSA-PSS-SHA384 -+secure-sig = RSA-PSS-SHA512 -+secure-sig = RSA-PSS-RSAE-SHA256 -+secure-sig = RSA-PSS-RSAE-SHA384 -+secure-sig = RSA-PSS-RSAE-SHA512 -+secure-sig = RSA-SHA3-256 -+secure-sig = RSA-SHA256 -+secure-sig = RSA-SHA3-384 -+secure-sig = RSA-SHA384 -+secure-sig = RSA-SHA3-512 -+secure-sig = RSA-SHA512 -+secure-sig = ECDSA-SHA224 -+secure-sig = RSA-SHA224 -+secure-sig = ECDSA-SHA3-224 -+secure-sig = RSA-SHA3-224 -+secure-sig-for-cert = ECDSA-SHA3-256 -+secure-sig-for-cert = ECDSA-SHA256 -+secure-sig-for-cert = ECDSA-SECP256R1-SHA256 -+secure-sig-for-cert = ECDSA-SHA3-384 -+secure-sig-for-cert = 
ECDSA-SHA384 -+secure-sig-for-cert = ECDSA-SECP384R1-SHA384 -+secure-sig-for-cert = ECDSA-SHA3-512 -+secure-sig-for-cert = ECDSA-SHA512 -+secure-sig-for-cert = ECDSA-SECP521R1-SHA512 -+secure-sig-for-cert = EdDSA-Ed25519 -+secure-sig-for-cert = EdDSA-Ed448 -+secure-sig-for-cert = RSA-PSS-SHA256 -+secure-sig-for-cert = RSA-PSS-SHA384 -+secure-sig-for-cert = RSA-PSS-SHA512 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA256 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA384 -+secure-sig-for-cert = RSA-PSS-RSAE-SHA512 -+secure-sig-for-cert = RSA-SHA3-256 -+secure-sig-for-cert = RSA-SHA256 -+secure-sig-for-cert = RSA-SHA3-384 -+secure-sig-for-cert = RSA-SHA384 -+secure-sig-for-cert = RSA-SHA3-512 -+secure-sig-for-cert = RSA-SHA512 -+secure-sig-for-cert = ECDSA-SHA224 -+secure-sig-for-cert = RSA-SHA224 -+secure-sig-for-cert = ECDSA-SHA3-224 -+secure-sig-for-cert = RSA-SHA3-224 -+enabled-curve = X25519 -+enabled-curve = SECP256R1 -+enabled-curve = X448 -+enabled-curve = SECP521R1 -+enabled-curve = SECP384R1 -+enabled-curve = Ed25519 -+enabled-curve = Ed448 -+tls-enabled-cipher = AES-256-GCM -+tls-enabled-cipher = AES-256-CCM -+tls-enabled-cipher = CHACHA20-POLY1305 -+tls-enabled-cipher = AES-256-CBC -+tls-enabled-cipher = AES-128-GCM -+tls-enabled-cipher = AES-128-CCM -+tls-enabled-cipher = AES-128-CBC -+tls-enabled-kx = ECDHE-RSA -+tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA -+tls-enabled-kx = DHE-RSA -+enabled-version = TLS1.3 -+enabled-version = TLS1.2 -+enabled-version = DTLS1.2 -+min-verification-profile = medium -+ -+[priorities] -+SYSTEM=NONE -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt -new file mode 100644 -index 0000000..1a48c4a ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt -@@ -0,0 +1,3 @@ -+jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 -+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, 
DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 -+jdk.tls.legacyAlgorithms= -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt -new file mode 100644 -index 0000000..108de3d ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt -@@ -0,0 +1 @@ -+jdk.tls.ephemeralDHKeySize=2048 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt -new file mode 100644 -index 0000000..415dcb3 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt -@@ -0,0 +1,2 @@ -+[libdefaults] -+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt -new file mode 100644 -index 0000000..9f2f5db ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt -@@ -0,0 +1,6 @@ -+conn %default -+ ikev2=insist -+ pfs=yes -+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 -+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 -+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt -new file mode 100644 -index 0000000..49d8251 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt -@@ -0,0 +1,5 @@ -+Ciphers 
aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt -new file mode 100644 -index 0000000..b8bf74a ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt -@@ -0,0 +1,6 @@ -+library= -+name=Policy -+NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt -new file mode 100644 -index 0000000..47d352e ---- /dev/null -+++ 
b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt -@@ -0,0 +1,7 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt -new file mode 100644 -index 0000000..8105750 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt -@@ -0,0 +1,8 @@ -+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -+GSSAPIKexAlgorithms 
gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- -+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 -+RequiredRSASize 2048 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt -new file mode 100644 -index 0000000..952c651 ---- /dev/null -+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt -@@ -0,0 +1 @@ -+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 -diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt 
b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
-new file mode 100644
-index 0000000..c69d6e1
---- /dev/null
-+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
-@@ -0,0 +1,4 @@
-+
-+[fips_sect]
-+tls1-prf-ems-check = 1
-+activate = 1
-diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
-new file mode 100644
-index 0000000..8f18d1e
---- /dev/null
-+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
-@@ -0,0 +1,8 @@
-+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
-+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
-+TLS.MinProtocol = TLSv1.2
-+TLS.MaxProtocol = TLSv1.3
-+DTLS.MinProtocol = DTLSv1.2
-+DTLS.MaxProtocol = DTLSv1.2
-+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
-+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-diff --git a/tests/outputs/DEFAULT:SHA1-auth.txt b/tests/outputs/DEFAULT:SHA1-auth.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
-new file mode 100644
-index 0000000..4884073
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
-@@ -0,0 +1,4 @@
-+custom/sssd_gost
-+with-gost
-+with-fingerprint
-+with-silent-lastlog
-\ No newline at end of file
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
-new file mode 100644
-index 0000000..9ec8420
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
-@@ -0,0 +1,12 @@
-+disable-algorithms "." 
{
-+RSAMD5;
-+RSASHA1;
-+NSEC3RSASHA1;
-+DSA;
-+NSEC3DSA;
-+ECCGOST;
-+};
-+disable-ds-digests "." {
-+SHA-1;
-+GOST;
-+};
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
-new file mode 100644
-index 0000000..9a04550
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
-@@ -0,0 +1,105 @@
-+[global]
-+override-mode = allowlist
-+
-+[overrides]
-+secure-hash = SHA256
-+secure-hash = SHA384
-+secure-hash = SHA512
-+secure-hash = SHA3-256
-+secure-hash = SHA3-384
-+secure-hash = SHA3-512
-+secure-hash = SHA224
-+secure-hash = SHA3-224
-+secure-hash = SHAKE-256
-+tls-enabled-mac = AEAD
-+tls-enabled-mac = SHA1
-+tls-enabled-mac = SHA512
-+tls-enabled-group = GROUP-X25519
-+tls-enabled-group = GROUP-SECP256R1
-+tls-enabled-group = GROUP-X448
-+tls-enabled-group = GROUP-SECP521R1
-+tls-enabled-group = GROUP-SECP384R1
-+tls-enabled-group = GROUP-FFDHE2048
-+tls-enabled-group = GROUP-FFDHE3072
-+tls-enabled-group = GROUP-FFDHE4096
-+tls-enabled-group = GROUP-FFDHE6144
-+tls-enabled-group = GROUP-FFDHE8192
-+secure-sig = ECDSA-SHA3-256
-+secure-sig = ECDSA-SHA256
-+secure-sig = ECDSA-SECP256R1-SHA256
-+secure-sig = ECDSA-SHA3-384
-+secure-sig = ECDSA-SHA384
-+secure-sig = ECDSA-SECP384R1-SHA384
-+secure-sig = ECDSA-SHA3-512
-+secure-sig = ECDSA-SHA512
-+secure-sig = ECDSA-SECP521R1-SHA512
-+secure-sig = EdDSA-Ed25519
-+secure-sig = EdDSA-Ed448
-+secure-sig = RSA-PSS-SHA256
-+secure-sig = RSA-PSS-SHA384
-+secure-sig = RSA-PSS-SHA512
-+secure-sig = RSA-PSS-RSAE-SHA256
-+secure-sig = RSA-PSS-RSAE-SHA384
-+secure-sig = RSA-PSS-RSAE-SHA512
-+secure-sig = RSA-SHA3-256
-+secure-sig = RSA-SHA256
-+secure-sig = RSA-SHA3-384
-+secure-sig = RSA-SHA384
-+secure-sig = RSA-SHA3-512
-+secure-sig = RSA-SHA512
-+secure-sig = ECDSA-SHA224
-+secure-sig = RSA-SHA224
-+secure-sig = ECDSA-SHA3-224
-+secure-sig = RSA-SHA3-224
-+secure-sig-for-cert = ECDSA-SHA3-256
-+secure-sig-for-cert = ECDSA-SHA256 
-+secure-sig-for-cert = ECDSA-SECP256R1-SHA256
-+secure-sig-for-cert = ECDSA-SHA3-384
-+secure-sig-for-cert = ECDSA-SHA384
-+secure-sig-for-cert = ECDSA-SECP384R1-SHA384
-+secure-sig-for-cert = ECDSA-SHA3-512
-+secure-sig-for-cert = ECDSA-SHA512
-+secure-sig-for-cert = ECDSA-SECP521R1-SHA512
-+secure-sig-for-cert = EdDSA-Ed25519
-+secure-sig-for-cert = EdDSA-Ed448
-+secure-sig-for-cert = RSA-PSS-SHA256
-+secure-sig-for-cert = RSA-PSS-SHA384
-+secure-sig-for-cert = RSA-PSS-SHA512
-+secure-sig-for-cert = RSA-PSS-RSAE-SHA256
-+secure-sig-for-cert = RSA-PSS-RSAE-SHA384
-+secure-sig-for-cert = RSA-PSS-RSAE-SHA512
-+secure-sig-for-cert = RSA-SHA3-256
-+secure-sig-for-cert = RSA-SHA256
-+secure-sig-for-cert = RSA-SHA3-384
-+secure-sig-for-cert = RSA-SHA384
-+secure-sig-for-cert = RSA-SHA3-512
-+secure-sig-for-cert = RSA-SHA512
-+secure-sig-for-cert = ECDSA-SHA224
-+secure-sig-for-cert = RSA-SHA224
-+secure-sig-for-cert = ECDSA-SHA3-224
-+secure-sig-for-cert = RSA-SHA3-224
-+enabled-curve = X25519
-+enabled-curve = SECP256R1
-+enabled-curve = X448
-+enabled-curve = SECP521R1
-+enabled-curve = SECP384R1
-+enabled-curve = Ed25519
-+enabled-curve = Ed448
-+tls-enabled-cipher = AES-256-GCM
-+tls-enabled-cipher = AES-256-CCM
-+tls-enabled-cipher = CHACHA20-POLY1305
-+tls-enabled-cipher = AES-256-CBC
-+tls-enabled-cipher = AES-128-GCM
-+tls-enabled-cipher = AES-128-CCM
-+tls-enabled-cipher = AES-128-CBC
-+tls-enabled-kx = ECDHE-RSA
-+tls-enabled-kx = ECDHE-ECDSA
-+tls-enabled-kx = RSA
-+tls-enabled-kx = DHE-RSA
-+enabled-version = TLS1.3
-+enabled-version = TLS1.2
-+enabled-version = DTLS1.2
-+min-verification-profile = medium
-+
-+[priorities]
-+SYSTEM=NONE
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
-new file mode 100644
-index 0000000..1a48c4a
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
-@@ -0,0 +1,3 @@
-+jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 
-+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
-+jdk.tls.legacyAlgorithms=
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
-new file mode 100644
-index 0000000..108de3d
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
-@@ -0,0 +1 @@
-+jdk.tls.ephemeralDHKeySize=2048
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
-new file mode 100644
-index 0000000..415dcb3
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
-@@ -0,0 +1,2 @@
-+[libdefaults]
-+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
-new file mode 100644
-index 0000000..9f2f5db
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
-@@ -0,0 +1,6 @@
-+conn %default
-+ ikev2=insist
-+ pfs=yes
-+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
-+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
-+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
-new file mode 100644
-index 0000000..49d8251
---- /dev/null
-+++ 
b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
-@@ -0,0 +1,5 @@
-+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
-+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
-+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
-+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
-+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
-new file mode 100644
-index 0000000..b8bf74a
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
-@@ -0,0 +1,6 @@
-+library=
-+name=Policy
-+NSS=flags=policyOnly,moduleDB
-+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
-+
-+
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt 
-new file mode 100644
-index 0000000..47d352e
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
-@@ -0,0 +1,7 @@
-+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
-+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
-+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
-+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
-+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
-+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
-+RequiredRSASize 2048
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
-new file mode 100644
-index 0000000..8105750
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
-@@ -0,0 +1,8 @@
-+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
-+MACs 
hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
-+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
-+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
-+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
-+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
-+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
-+RequiredRSASize 2048
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
-new file mode 100644
-index 0000000..952c651
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
-@@ -0,0 +1 @@ 
-+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
-new file mode 100644
-index 0000000..c69d6e1
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
-@@ -0,0 +1,4 @@
-+
-+[fips_sect]
-+tls1-prf-ems-check = 1
-+activate = 1
-diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
-new file mode 100644
-index 0000000..8f18d1e
---- /dev/null
-+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
-@@ -0,0 +1,8 @@
-+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
-+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
-+TLS.MinProtocol = TLSv1.2
-+TLS.MaxProtocol = TLSv1.3
-+DTLS.MinProtocol = DTLSv1.2
-+DTLS.MaxProtocol = DTLSv1.2
-+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
-+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-diff --git a/tests/outputs/EMPTY-auth.txt b/tests/outputs/EMPTY-auth.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/FIPS-auth.txt b/tests/outputs/FIPS-auth.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/FIPS:ECDHE-ONLY-auth.txt b/tests/outputs/FIPS:ECDHE-ONLY-auth.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt b/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt
-new file mode 100644
-index 
0000000..e69de29
-diff --git a/tests/outputs/FIPS:OSPP-auth.txt b/tests/outputs/FIPS:OSPP-auth.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/FUTURE-auth.txt b/tests/outputs/FUTURE-auth.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/FUTURE:AD-SUPPORT-auth.txt b/tests/outputs/FUTURE:AD-SUPPORT-auth.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/GOST-ONLY-PAM-auth.txt b/tests/outputs/GOST-ONLY-PAM-auth.txt
-new file mode 100644
-index 0000000..110527f
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-auth.txt
-@@ -0,0 +1,2 @@
-+custom/minimal_gost
-+with-gost
-\ No newline at end of file
-diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt
-new file mode 100644
-index 0000000..3976d4a
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-bind.txt
-@@ -0,0 +1,20 @@
-+disable-algorithms "." {
-+RSAMD5;
-+RSASHA1;
-+NSEC3RSASHA1;
-+DSA;
-+NSEC3DSA;
-+RSASHA256;
-+ECDSAP256SHA256;
-+ECDSAP384SHA384;
-+RSASHA512;
-+ED25519;
-+ED448;
-+ECDSAP256SHA256;
-+ECDSAP384SHA384;
-+};
-+disable-ds-digests "." 
{
-+SHA-256;
-+SHA-384;
-+SHA-1;
-+};
-diff --git a/tests/outputs/GOST-ONLY-PAM-gnutls.txt b/tests/outputs/GOST-ONLY-PAM-gnutls.txt
-new file mode 100644
-index 0000000..59c9ae0
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-gnutls.txt
-@@ -0,0 +1,13 @@
-+[global]
-+override-mode = allowlist
-+
-+[overrides]
-+tls-enabled-mac = AEAD
-+enabled-version = TLS1.3
-+enabled-version = TLS1.2
-+enabled-version = TLS1.1
-+enabled-version = TLS1.0
-+min-verification-profile = medium
-+
-+[priorities]
-+SYSTEM=NONE
-diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt
-new file mode 100644
-index 0000000..b6d04cf
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-java.txt
-@@ -0,0 +1,3 @@
-+jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
-+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
-+jdk.tls.legacyAlgorithms=
-diff --git a/tests/outputs/GOST-ONLY-PAM-javasystem.txt b/tests/outputs/GOST-ONLY-PAM-javasystem.txt
-new file mode 100644
-index 0000000..108de3d
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-javasystem.txt
-@@ -0,0 +1 @@
-+jdk.tls.ephemeralDHKeySize=2048
-diff --git a/tests/outputs/GOST-ONLY-PAM-krb5.txt b/tests/outputs/GOST-ONLY-PAM-krb5.txt
-new file mode 100644
-index 0000000..b0b1480
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-krb5.txt
-@@ -0,0 +1,2 @@
-+[libdefaults]
-+permitted_enctypes =
-diff 
--git a/tests/outputs/GOST-ONLY-PAM-libreswan.txt b/tests/outputs/GOST-ONLY-PAM-libreswan.txt
-new file mode 100644
-index 0000000..7dc12cd
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-libreswan.txt
-@@ -0,0 +1,2 @@
-+conn %default
-+ pfs=yes
-diff --git a/tests/outputs/GOST-ONLY-PAM-libssh.txt b/tests/outputs/GOST-ONLY-PAM-libssh.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/GOST-ONLY-PAM-nss.txt b/tests/outputs/GOST-ONLY-PAM-nss.txt
-new file mode 100644
-index 0000000..bf6f1ca
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-nss.txt
-@@ -0,0 +1,6 @@
-+library=
-+name=Policy
-+NSS=flags=policyOnly,moduleDB
-+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
-+
-+
-diff --git a/tests/outputs/GOST-ONLY-PAM-openssh.txt b/tests/outputs/GOST-ONLY-PAM-openssh.txt
-new file mode 100644
-index 0000000..89e06ad
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-openssh.txt
-@@ -0,0 +1,2 @@
-+GSSAPIKeyExchange no
-+RequiredRSASize 2048
-diff --git a/tests/outputs/GOST-ONLY-PAM-opensshserver.txt b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt
-new file mode 100644
-index 0000000..89e06ad
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt
-@@ -0,0 +1,2 @@
-+GSSAPIKeyExchange no
-+RequiredRSASize 2048
-diff --git a/tests/outputs/GOST-ONLY-PAM-openssl.txt b/tests/outputs/GOST-ONLY-PAM-openssl.txt
-new file mode 100644
-index 0000000..abeab8c
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-openssl.txt
-@@ -0,0 +1 @@
-+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
-diff --git a/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
-new file mode 100644
-index 0000000..c69d6e1
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
-@@ -0,0 +1,4 @@
-+ 
-+[fips_sect]
-+tls1-prf-ems-check = 1
-+activate = 1
-diff --git a/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
-new file mode 100644
-index 0000000..c5c1f47
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
-@@ -0,0 +1,18 @@
-+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
-+Ciphersuites = GOST2012-GOST8912-GOST8912
-+TLS.MinProtocol = TLSv1
-+TLS.MaxProtocol = TLSv1.3
-+SignatureAlgorithms =
-+Groups =
-+
-+[openssl_init]
-+engines = engine_gost
-+
-+[engine_gost]
-+gost = gost_section
-+
-+[gost_section]
-+engine_id = gost
-+dynamic_path = /usr/lib64/engines-3/gost.so
-+default_algorithms = ALL
-+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
-diff --git a/tests/outputs/GOST-ONLY-auth.txt b/tests/outputs/GOST-ONLY-auth.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt
-new file mode 100644
-index 0000000..3976d4a
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-bind.txt
-@@ -0,0 +1,20 @@
-+disable-algorithms "." {
-+RSAMD5;
-+RSASHA1;
-+NSEC3RSASHA1;
-+DSA;
-+NSEC3DSA;
-+RSASHA256;
-+ECDSAP256SHA256;
-+ECDSAP384SHA384;
-+RSASHA512;
-+ED25519;
-+ED448;
-+ECDSAP256SHA256;
-+ECDSAP384SHA384;
-+};
-+disable-ds-digests "." 
{
-+SHA-256;
-+SHA-384;
-+SHA-1;
-+};
-diff --git a/tests/outputs/GOST-ONLY-gnutls.txt b/tests/outputs/GOST-ONLY-gnutls.txt
-new file mode 100644
-index 0000000..59c9ae0
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-gnutls.txt
-@@ -0,0 +1,13 @@
-+[global]
-+override-mode = allowlist
-+
-+[overrides]
-+tls-enabled-mac = AEAD
-+enabled-version = TLS1.3
-+enabled-version = TLS1.2
-+enabled-version = TLS1.1
-+enabled-version = TLS1.0
-+min-verification-profile = medium
-+
-+[priorities]
-+SYSTEM=NONE
-diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt
-new file mode 100644
-index 0000000..b6d04cf
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-java.txt
-@@ -0,0 +1,3 @@
-+jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
-+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
-+jdk.tls.legacyAlgorithms=
-diff --git a/tests/outputs/GOST-ONLY-javasystem.txt b/tests/outputs/GOST-ONLY-javasystem.txt
-new file mode 100644
-index 0000000..108de3d
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-javasystem.txt
-@@ -0,0 +1 @@
-+jdk.tls.ephemeralDHKeySize=2048
-diff --git a/tests/outputs/GOST-ONLY-krb5.txt b/tests/outputs/GOST-ONLY-krb5.txt
-new file mode 100644
-index 0000000..b0b1480
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-krb5.txt
-@@ -0,0 +1,2 @@
-+[libdefaults]
-+permitted_enctypes =
-diff --git a/tests/outputs/GOST-ONLY-libreswan.txt 
b/tests/outputs/GOST-ONLY-libreswan.txt
-new file mode 100644
-index 0000000..7dc12cd
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-libreswan.txt
-@@ -0,0 +1,2 @@
-+conn %default
-+ pfs=yes
-diff --git a/tests/outputs/GOST-ONLY-libssh.txt b/tests/outputs/GOST-ONLY-libssh.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/outputs/GOST-ONLY-nss.txt b/tests/outputs/GOST-ONLY-nss.txt
-new file mode 100644
-index 0000000..bf6f1ca
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-nss.txt
-@@ -0,0 +1,6 @@
-+library=
-+name=Policy
-+NSS=flags=policyOnly,moduleDB
-+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
-+
-+
-diff --git a/tests/outputs/GOST-ONLY-openssh.txt b/tests/outputs/GOST-ONLY-openssh.txt
-new file mode 100644
-index 0000000..89e06ad
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-openssh.txt
-@@ -0,0 +1,2 @@
-+GSSAPIKeyExchange no
-+RequiredRSASize 2048
-diff --git a/tests/outputs/GOST-ONLY-opensshserver.txt b/tests/outputs/GOST-ONLY-opensshserver.txt
-new file mode 100644
-index 0000000..89e06ad
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-opensshserver.txt
-@@ -0,0 +1,2 @@
-+GSSAPIKeyExchange no
-+RequiredRSASize 2048
-diff --git a/tests/outputs/GOST-ONLY-openssl.txt b/tests/outputs/GOST-ONLY-openssl.txt
-new file mode 100644
-index 0000000..abeab8c
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-openssl.txt
-@@ -0,0 +1 @@
-+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
-diff --git a/tests/outputs/GOST-ONLY-openssl_fips.txt b/tests/outputs/GOST-ONLY-openssl_fips.txt
-new file mode 100644
-index 0000000..c69d6e1
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-openssl_fips.txt
-@@ -0,0 +1,4 @@
-+
-+[fips_sect]
-+tls1-prf-ems-check = 1
-+activate = 1
-diff --git a/tests/outputs/GOST-ONLY-opensslcnf.txt 
b/tests/outputs/GOST-ONLY-opensslcnf.txt
-new file mode 100644
-index 0000000..c5c1f47
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-opensslcnf.txt
-@@ -0,0 +1,18 @@
-+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
-+Ciphersuites = GOST2012-GOST8912-GOST8912
-+TLS.MinProtocol = TLSv1
-+TLS.MaxProtocol = TLSv1.3
-+SignatureAlgorithms =
-+Groups =
-+
-+[openssl_init]
-+engines = engine_gost
-+
-+[engine_gost]
-+gost = gost_section
-+
-+[gost_section]
-+engine_id = gost
-+dynamic_path = /usr/lib64/engines-3/gost.so
-+default_algorithms = ALL
-+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
-diff --git a/tests/outputs/GOST-ONLY-rpm-sequoia.txt b/tests/outputs/GOST-ONLY-rpm-sequoia.txt
-new file mode 100644
-index 0000000..3ec0b96
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-rpm-sequoia.txt
-@@ -0,0 +1,51 @@
-+[hash_algorithms]
-+md5.collision_resistance = "never"
-+md5.second_preimage_resistance = "never"
-+sha1.collision_resistance = "never"
-+sha1.second_preimage_resistance = "never"
-+ripemd160.collision_resistance = "never"
-+ripemd160.second_preimage_resistance = "never"
-+sha224.collision_resistance = "never"
-+sha224.second_preimage_resistance = "never"
-+sha256.collision_resistance = "never"
-+sha256.second_preimage_resistance = "never"
-+sha384.collision_resistance = "never"
-+sha384.second_preimage_resistance = "never"
-+sha512.collision_resistance = "never"
-+sha512.second_preimage_resistance = "never"
-+default_disposition = "never"
-+
-+[symmetric_algorithms]
-+idea = "never"
-+tripledes = "never"
-+cast5 = "never"
-+blowfish = "never"
-+aes128 = "never"
-+aes192 = "never"
-+aes256 = "never"
-+twofish = "never"
-+camellia128 = "never"
-+camellia192 = "never"
-+camellia256 = "never"
-+default_disposition = "never"
-+
-+[asymmetric_algorithms]
-+rsa1024 = "never"
-+rsa2048 = 
"never"
-+rsa3072 = "never"
-+rsa4096 = "never"
-+dsa1024 = "never"
-+dsa2048 = "never"
-+dsa3072 = "never"
-+dsa4096 = "never"
-+nistp256 = "never"
-+nistp384 = "never"
-+nistp521 = "never"
-+cv25519 = "never"
-+elgamal1024 = "never"
-+elgamal2048 = "never"
-+elgamal3072 = "never"
-+elgamal4096 = "never"
-+brainpoolp256 = "never"
-+brainpoolp512 = "never"
-+default_disposition = "never"
-diff --git a/tests/outputs/GOST-ONLY-sequoia.txt b/tests/outputs/GOST-ONLY-sequoia.txt
-new file mode 100644
-index 0000000..3ec0b96
---- /dev/null
-+++ b/tests/outputs/GOST-ONLY-sequoia.txt
-@@ -0,0 +1,51 @@
-+[hash_algorithms]
-+md5.collision_resistance = "never"
-+md5.second_preimage_resistance = "never"
-+sha1.collision_resistance = "never"
-+sha1.second_preimage_resistance = "never"
-+ripemd160.collision_resistance = "never"
-+ripemd160.second_preimage_resistance = "never"
-+sha224.collision_resistance = "never"
-+sha224.second_preimage_resistance = "never"
-+sha256.collision_resistance = "never"
-+sha256.second_preimage_resistance = "never"
-+sha384.collision_resistance = "never"
-+sha384.second_preimage_resistance = "never"
-+sha512.collision_resistance = "never"
-+sha512.second_preimage_resistance = "never"
-+default_disposition = "never"
-+
-+[symmetric_algorithms]
-+idea = "never"
-+tripledes = "never"
-+cast5 = "never"
-+blowfish = "never"
-+aes128 = "never"
-+aes192 = "never"
-+aes256 = "never"
-+twofish = "never"
-+camellia128 = "never"
-+camellia192 = "never"
-+camellia256 = "never"
-+default_disposition = "never"
-+
-+[asymmetric_algorithms]
-+rsa1024 = "never"
-+rsa2048 = "never"
-+rsa3072 = "never"
-+rsa4096 = "never"
-+dsa1024 = "never"
-+dsa2048 = "never"
-+dsa3072 = "never"
-+dsa4096 = "never"
-+nistp256 = "never"
-+nistp384 = "never"
-+nistp521 = "never"
-+cv25519 = "never"
-+elgamal1024 = "never"
-+elgamal2048 = "never"
-+elgamal3072 = "never"
-+elgamal4096 = "never"
-+brainpoolp256 = "never"
-+brainpoolp512 = "never"
-+default_disposition = "never"
-diff 
--git a/tests/outputs/LEGACY-auth.txt b/tests/outputs/LEGACY-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt b/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt -new file mode 100644 -index 0000000..e69de29 --- -2.44.0 - diff --git a/SOURCES/0001-Added-tests-fix-for-9.4-version.patch b/SOURCES/0001-Added-tests-fix-for-9.4-version.patch deleted file mode 100644 index b1d048d..0000000 --- a/SOURCES/0001-Added-tests-fix-for-9.4-version.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From e9833880700ad839bb8061c4fa6682229ae29bca Mon Sep 17 00:00:00 2001 -From: Alexey Berezhok -Date: Mon, 13 May 2024 18:55:28 +0300 -Subject: [PATCH] Added tests fix for 9.4 version - ---- - tests/outputs/GOST-ONLY-PAM-bind.txt | 2 -- - tests/outputs/GOST-ONLY-PAM-java.txt | 2 +- - tests/outputs/GOST-ONLY-bind.txt | 2 -- - tests/outputs/GOST-ONLY-java.txt | 2 +- - 4 files changed, 2 insertions(+), 6 deletions(-) - -diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt -index 3976d4a..e701c5c 100644 ---- a/tests/outputs/GOST-ONLY-PAM-bind.txt -+++ b/tests/outputs/GOST-ONLY-PAM-bind.txt -@@ -10,8 +10,6 @@ ECDSAP384SHA384; - RSASHA512; - ED25519; - ED448; --ECDSAP256SHA256; --ECDSAP384SHA384; - }; - disable-ds-digests "." { - SHA-256; -diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt -index b6d04cf..088a698 100644 ---- a/tests/outputs/GOST-ONLY-PAM-java.txt -+++ b/tests/outputs/GOST-ONLY-PAM-java.txt -@@ -1,3 +1,3 @@ - jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048 --jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5 -+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, 
TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5 - jdk.tls.legacyAlgorithms= -diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt -index 3976d4a..e701c5c 100644 ---- a/tests/outputs/GOST-ONLY-bind.txt -+++ b/tests/outputs/GOST-ONLY-bind.txt -@@ -10,8 +10,6 @@ ECDSAP384SHA384; - RSASHA512; - ED25519; - ED448; --ECDSAP256SHA256; --ECDSAP384SHA384; - }; - disable-ds-digests "." { - SHA-256; -diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt -index b6d04cf..088a698 100644 ---- a/tests/outputs/GOST-ONLY-java.txt -+++ b/tests/outputs/GOST-ONLY-java.txt -@@ -1,3 +1,3 @@ - jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048 --jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5 -+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, 
 DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
- jdk.tls.legacyAlgorithms=
--- 
-2.43.0
-
diff --git a/SPECS/crypto-policies.spec b/SPECS/crypto-policies.spec
index b947cd4..36fc061 100644
--- a/SPECS/crypto-policies.spec
+++ b/SPECS/crypto-policies.spec
@@ -1,19 +1,18 @@
-%global git_date 20240822
-%global git_commit baf3e063c68f6c69eec1bf79c1b3e9a745640183
+%global git_date 20240828
+%global git_commit 626aa590f9c1ffe7ce108952e9449f22a642cca2
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 %global _python_bytecompile_extra 0
 Name: crypto-policies
 Version: %{git_date}
-Release: 1.git%{git_commit_hash}%{?dist}.inferit
+Release: 2.git%{git_commit_hash}%{?dist}
 Summary: System-wide crypto policies
 License: LGPL-2.1-or-later
 URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
 # For RHEL-9 we use the upstream branch rhel9.
 Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
-Patch1: 0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch
 BuildArch: noarch
 BuildRequires: asciidoc
@@ -33,11 +32,6 @@ Conflicts: nss < 3.90.0
 Conflicts: libreswan < 3.28
 Conflicts: openssh < 8.7p1-24
 Conflicts: gnutls < 3.7.6-22
-Recommends: openssl-gost-engine
-Requires: authselect
-Requires: findutils
-
-
 %description
 This package provides pre-built configuration files with
@@ -80,7 +74,6 @@ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
 mkdir -p -m 755 %{buildroot}%{_bindir}
-mkdir -p -m 755 %{buildroot}/var/log/crypto-cmc/
 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
@@ -151,11 +144,6 @@ end
 %dir %{_sysconfdir}/crypto-policies/policies/
 %dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/
-%dir %{_sysconfdir}/authselect/custom/sssd_gost/
-%dir %{_sysconfdir}/authselect/custom/minimal_gost/
-%dir /var/log/crypto-cmc
-%{_sysconfdir}/authselect/custom/sssd_gost/*
-%{_sysconfdir}/authselect/custom/minimal_gost/*
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
@@ -172,7 +160,6 @@ end
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
 %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
-%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/auth.config
 # %verify(not mode) comes from the fact
 # these turn into symlinks and back to regular files at will, see bz1898986
@@ -184,8 +171,6 @@ end
 %{_datarootdir}/crypto-policies/DEFAULT
 %{_datarootdir}/crypto-policies/FUTURE
 %{_datarootdir}/crypto-policies/FIPS
-%{_datarootdir}/crypto-policies/GOST-ONLY
-%{_datarootdir}/crypto-policies/GOST-ONLY-PAM
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
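Review bot: Removing `%dir /var/log/crypto-cmc` from %files (hunk `@@ -151,11 +144,6 @@`) together with its `mkdir` in %install (hunk `@@ -80,7 +74,6 @@`) drops ownership of the directory without any cleanup step, so on upgrade from the previous build rpm will only remove it if it is empty; anything the dropped auth tooling logged there presumably stays behind as an unowned leftover. The same applies to the `%ghost … back-ends/auth.config` entry removed in hunk `@@ -172,7 +160,6 @@`: whether a previously generated `auth.config` symlink is removed on upgrade depends on rpm honouring the old package's %ghost entry — worth confirming on a test upgrade. If stale leftovers matter, a `%posttrans` that removes `%{_sysconfdir}/crypto-policies/back-ends/auth.config` when it is a dangling link, or a comment above %files stating that these leftovers are intentionally left to the administrator, would make the intent explicit.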
@@ -199,7 +184,6 @@ end
 %{_bindir}/update-crypto-policies
 %{_mandir}/man8/update-crypto-policies.8*
 %{_datarootdir}/crypto-policies/python
-%{_datarootdir}/crypto-policies-scripts/auth_apply.sh
 %{_bindir}/fips-mode-setup
 %{_bindir}/fips-finish-install
@@ -207,8 +191,11 @@ end
 %{_mandir}/man8/fips-finish-install.8*
 %changelog
-* Thu Oct 10 2024 Arkady L. Shane - 20240822-1.gitbaf3e06.inferit
-- Added GOST
+* Tue Sep 17 2024 Alexander Sosedkin - 20240828-2.git626aa59
+- release bump
+
+* Wed Aug 28 2024 Alexander Sosedkin - 20240828-1.git626aa59
+- fips-mode-setup: small Argon2 detection fix
 * Thu Aug 22 2024 Alexander Sosedkin - 20240822-1.gitbaf3e06
 - fips-mode-setup: block if LUKS devices using Argon2 are detected
@@ -275,8 +262,8 @@ end
 - openssl: set Groups explicitly
 - openssl: add support for Brainpool curves
-* Fri Apr 14 2023 MSVSphere Packaging Team - 20221215-1.git9a18988
-- Rebuilt for MSVSphere 9.2 beta
+* Wed Mar 15 2023 MSVSphere Packaging Team - 20221215-1.git9a18988
+- Rebuilt for MSVSphere 9.1.
 * Thu Dec 15 2022 Alexander Sosedkin - 20221215-1.git9a18988
 - bind: expand the list of disableable algorithms
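Review bot: The %changelog hunk `@@ -207,8 +191,11 @@` only imports the upstream 20240828-1/-2 entries and deletes the downstream `Added GOST` entry, so nothing in the spec records that Patch1, the `GOST-ONLY`/`GOST-ONLY-PAM` policies, the `auth.config` ghost, `auth_apply.sh` and the authselect `sssd_gost`/`minimal_gost` profiles were removed. A system upgraded from the `.inferit` build whose `%{_sysconfdir}/crypto-policies/config` still names one of those policies would presumably be left pointing at a policy the package no longer ships — confirm how `update-crypto-policies` reacts to that before shipping. A topmost entry such as `* <Dow Mon DD YYYY> <packager> - 20240828-2.git626aa59` / `- Import 20240828-2.git626aa59; drop downstream GOST-ONLY policies, auth.config ghost and authselect GOST profiles` would document the change for administrators. Hunk `@@ -275,8 +262,8 @@` additionally rewrites the date and text of an already published 2023 entry instead of appending a new one; if that is a deliberate correction, say so in the commit message, since changelog entries are normally treated as append-only.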