From 3ed68fe0bd493fd28382b78aa48ab523a24ca12e Mon Sep 17 00:00:00 2001
From: Alexey Berezhok
Date: Mon, 14 Oct 2024 18:13:27 +0300
Subject: [PATCH] Added spec and patches for 9.5 release
---
...olicy-also-added-experimental-PAM-ge.patch | 3253 +++++++++++++++++
SPECS/crypto-policies.spec | 104 +-
2 files changed, 3291 insertions(+), 66 deletions(-)
create mode 100644 SOURCES/0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch
diff --git a/SOURCES/0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch b/SOURCES/0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch
new file mode 100644
index 0000000..9553800
--- /dev/null
+++ b/SOURCES/0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch
@@ -0,0 +1,3253 @@ +From f929e72a42bd205c933320ec8d4e828ced4a0050 Mon Sep 17 00:00:00 2001 +From: Alexey Berezhok +Date: Mon, 14 Oct 2024 18:08:55 +0300 +Subject: [PATCH] Added GOST 9.5 policy also added experimental PAM generator + +--- + Makefile | 12 ++ + authselect_policies/minimal_gost/README | 84 ++++++++ + authselect_policies/minimal_gost/REQUIREMENTS | 0 + authselect_policies/minimal_gost/dconf-db | 3 + + authselect_policies/minimal_gost/dconf-locks | 2 + + .../minimal_gost/fingerprint-auth | 16 ++ + .../minimal_gost/nsswitch.conf | 14 ++ + .../minimal_gost/password-auth | 15 ++ + authselect_policies/minimal_gost/postlogin | 4 + + .../minimal_gost/smartcard-auth | 16 ++ + authselect_policies/minimal_gost/system-auth | 15 ++ + authselect_policies/sssd_gost/README | 145 +++++++++++++ + authselect_policies/sssd_gost/REQUIREMENTS | 29 +++ + authselect_policies/sssd_gost/dconf-db | 9 + + authselect_policies/sssd_gost/dconf-locks | 4 + + .../sssd_gost/fingerprint-auth | 28 +++ + authselect_policies/sssd_gost/nsswitch.conf | 7 + + authselect_policies/sssd_gost/password-auth | 39 ++++ + authselect_policies/sssd_gost/postlogin | 4 + + authselect_policies/sssd_gost/smartcard-auth | 26 +++ + authselect_policies/sssd_gost/system-auth | 46 ++++ + policies/GOST-ONLY-PAM.pol | 29 +++ + policies/GOST-ONLY.pol | 28 +++ + policies/modules/GOST.pmod | 18 ++ + policies/modules/PAM-GOST.pmod | 3 + + policies/modules/PATCH-PAM-GOST.pmod | 3 + + policies/modules/SSSD-PAM-GOST.pmod | 3 + + python/build-crypto-policies.py | 8 +- + python/cryptopolicies/alg_lists.py | 19 +- + python/cryptopolicies/cryptopolicies.py | 7 +- + python/policygenerators/__init__.py | 2 + + python/policygenerators/auth.py | 36 ++++ + .../fedora-crypto-policies.code-workspace | 0 + python/policygenerators/openssl.py | 23 ++ + scripts/auth_apply.sh | 204 ++++++++++++++++++ + tests/alternative-policies/GOST-ONLY.pol | 30 +++ + tests/alternative-policies/modules/GOST.pmod | 18 ++ + tests/gnutls.py | 3 +- + 
tests/java.py | 3 +- + tests/nss.py | 2 +- + tests/openssl.py | 2 +- + tests/outputs/DEFAULT-auth.txt | 0 + tests/outputs/DEFAULT:GOST-auth.txt | 0 + tests/outputs/DEFAULT:GOST-bind.txt | 10 + + tests/outputs/DEFAULT:GOST-gnutls.txt | 105 +++++++++ + tests/outputs/DEFAULT:GOST-java.txt | 4 + + tests/outputs/DEFAULT:GOST-javasystem.txt | 2 + + tests/outputs/DEFAULT:GOST-krb5.txt | 2 + + tests/outputs/DEFAULT:GOST-libreswan.txt | 6 + + tests/outputs/DEFAULT:GOST-libssh.txt | 5 + + tests/outputs/DEFAULT:GOST-nss.txt | 6 + + tests/outputs/DEFAULT:GOST-openssh.txt | 7 + + tests/outputs/DEFAULT:GOST-opensshserver.txt | 8 + + tests/outputs/DEFAULT:GOST-openssl.txt | 1 + + tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 + + tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 ++ + tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 +++++ + tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++++ + tests/outputs/DEFAULT:PAM-GOST-auth.txt | 2 + + tests/outputs/DEFAULT:PAM-GOST-bind.txt | 12 ++ + tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 +++++++++ + tests/outputs/DEFAULT:PAM-GOST-java.txt | 4 + + tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 2 + + tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 + + tests/outputs/DEFAULT:PAM-GOST-libreswan.txt | 6 + + tests/outputs/DEFAULT:PAM-GOST-libssh.txt | 5 + + tests/outputs/DEFAULT:PAM-GOST-nss.txt | 6 + + tests/outputs/DEFAULT:PAM-GOST-openssh.txt | 7 + + .../DEFAULT:PAM-GOST-opensshserver.txt | 8 + + tests/outputs/DEFAULT:PAM-GOST-openssl.txt | 1 + + .../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 + + tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 8 + + tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt | 1 + + tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 12 ++ + .../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 105 +++++++++ + tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 4 + + .../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 2 + + tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 + + .../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 6 + + 
.../outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt | 5 + + tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 6 + + .../DEFAULT:PATCH-PAM-GOST-openssh.txt | 7 + + .../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 8 + + .../DEFAULT:PATCH-PAM-GOST-openssl.txt | 1 + + .../DEFAULT:PATCH-PAM-GOST-openssl_fips.txt | 4 + + .../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 8 + + tests/outputs/DEFAULT:SHA1-auth.txt | 0 + tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt | 4 + + tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 12 ++ + .../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 105 +++++++++ + tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 4 + + .../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 2 + + tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 + + .../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 6 + + .../outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt | 5 + + tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 6 + + .../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 7 + + .../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 8 + + .../outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt | 1 + + .../DEFAULT:SSSD-PAM-GOST-openssl_fips.txt | 4 + + .../DEFAULT:SSSD-PAM-GOST-opensslcnf.txt | 8 + + tests/outputs/EMPTY-auth.txt | 0 + tests/outputs/FIPS-auth.txt | 0 + tests/outputs/FIPS:ECDHE-ONLY-auth.txt | 0 + tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt | 0 + tests/outputs/FIPS:OSPP-auth.txt | 0 + tests/outputs/FUTURE-auth.txt | 0 + tests/outputs/FUTURE:AD-SUPPORT-auth.txt | 0 + tests/outputs/GOST-ONLY-PAM-auth.txt | 2 + + tests/outputs/GOST-ONLY-PAM-bind.txt | 18 ++ + tests/outputs/GOST-ONLY-PAM-gnutls.txt | 13 ++ + tests/outputs/GOST-ONLY-PAM-java.txt | 4 + + tests/outputs/GOST-ONLY-PAM-javasystem.txt | 2 + + tests/outputs/GOST-ONLY-PAM-krb5.txt | 2 + + tests/outputs/GOST-ONLY-PAM-libreswan.txt | 2 + + tests/outputs/GOST-ONLY-PAM-libssh.txt | 0 + tests/outputs/GOST-ONLY-PAM-nss.txt | 6 + + tests/outputs/GOST-ONLY-PAM-openssh.txt | 2 + + tests/outputs/GOST-ONLY-PAM-opensshserver.txt | 2 + + tests/outputs/GOST-ONLY-PAM-openssl.txt | 1 + + 
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt | 4 + + tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 ++ + tests/outputs/GOST-ONLY-auth.txt | 0 + tests/outputs/GOST-ONLY-bind.txt | 18 ++ + tests/outputs/GOST-ONLY-gnutls.txt | 13 ++ + tests/outputs/GOST-ONLY-java.txt | 4 + + tests/outputs/GOST-ONLY-javasystem.txt | 2 + + tests/outputs/GOST-ONLY-krb5.txt | 2 + + tests/outputs/GOST-ONLY-libreswan.txt | 2 + + tests/outputs/GOST-ONLY-libssh.txt | 0 + tests/outputs/GOST-ONLY-nss.txt | 6 + + tests/outputs/GOST-ONLY-openssh.txt | 2 + + tests/outputs/GOST-ONLY-opensshserver.txt | 2 + + tests/outputs/GOST-ONLY-openssl.txt | 1 + + tests/outputs/GOST-ONLY-openssl_fips.txt | 4 + + tests/outputs/GOST-ONLY-opensslcnf.txt | 18 ++ + tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 +++++ + tests/outputs/GOST-ONLY-sequoia.txt | 51 +++++ + tests/outputs/LEGACY-auth.txt | 0 + .../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0 + 140 files changed, 2000 insertions(+), 10 deletions(-) + create mode 100644 authselect_policies/minimal_gost/README + create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS + create mode 100644 authselect_policies/minimal_gost/dconf-db + create mode 100644 authselect_policies/minimal_gost/dconf-locks + create mode 100644 authselect_policies/minimal_gost/fingerprint-auth + create mode 100644 authselect_policies/minimal_gost/nsswitch.conf + create mode 100644 authselect_policies/minimal_gost/password-auth + create mode 100644 authselect_policies/minimal_gost/postlogin + create mode 100644 authselect_policies/minimal_gost/smartcard-auth + create mode 100644 authselect_policies/minimal_gost/system-auth + create mode 100644 authselect_policies/sssd_gost/README + create mode 100644 authselect_policies/sssd_gost/REQUIREMENTS + create mode 100644 authselect_policies/sssd_gost/dconf-db + create mode 100644 authselect_policies/sssd_gost/dconf-locks + create mode 100644 authselect_policies/sssd_gost/fingerprint-auth + create mode 100644 
authselect_policies/sssd_gost/nsswitch.conf + create mode 100644 authselect_policies/sssd_gost/password-auth + create mode 100644 authselect_policies/sssd_gost/postlogin + create mode 100644 authselect_policies/sssd_gost/smartcard-auth + create mode 100644 authselect_policies/sssd_gost/system-auth + create mode 100644 policies/GOST-ONLY-PAM.pol + create mode 100644 policies/GOST-ONLY.pol + create mode 100644 policies/modules/GOST.pmod + create mode 100644 policies/modules/PAM-GOST.pmod + create mode 100644 policies/modules/PATCH-PAM-GOST.pmod + create mode 100644 policies/modules/SSSD-PAM-GOST.pmod + create mode 100644 python/policygenerators/auth.py + create mode 100644 python/policygenerators/fedora-crypto-policies.code-workspace + create mode 100755 scripts/auth_apply.sh + create mode 100644 tests/alternative-policies/GOST-ONLY.pol + create mode 100644 tests/alternative-policies/modules/GOST.pmod + create mode 100644 tests/outputs/DEFAULT-auth.txt + create mode 100644 tests/outputs/DEFAULT:GOST-auth.txt + create mode 100644 tests/outputs/DEFAULT:GOST-bind.txt + create mode 100644 tests/outputs/DEFAULT:GOST-gnutls.txt + create mode 100644 tests/outputs/DEFAULT:GOST-java.txt + create mode 100644 tests/outputs/DEFAULT:GOST-javasystem.txt + create mode 100644 tests/outputs/DEFAULT:GOST-krb5.txt + create mode 100644 tests/outputs/DEFAULT:GOST-libreswan.txt + create mode 100644 tests/outputs/DEFAULT:GOST-libssh.txt + create mode 100644 tests/outputs/DEFAULT:GOST-nss.txt + create mode 100644 tests/outputs/DEFAULT:GOST-openssh.txt + create mode 100644 tests/outputs/DEFAULT:GOST-opensshserver.txt + create mode 100644 tests/outputs/DEFAULT:GOST-openssl.txt + create mode 100644 tests/outputs/DEFAULT:GOST-openssl_fips.txt + create mode 100644 tests/outputs/DEFAULT:GOST-opensslcnf.txt + create mode 100644 tests/outputs/DEFAULT:GOST-rpm-sequoia.txt + create mode 100644 tests/outputs/DEFAULT:GOST-sequoia.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-auth.txt + create 
mode 100644 tests/outputs/DEFAULT:PAM-GOST-bind.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-gnutls.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-java.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-javasystem.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-krb5.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libreswan.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libssh.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-nss.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssh.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt + create mode 100644 tests/outputs/DEFAULT:SHA1-auth.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt + 
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt + create mode 100644 tests/outputs/EMPTY-auth.txt + create mode 100644 tests/outputs/FIPS-auth.txt + create mode 100644 tests/outputs/FIPS:ECDHE-ONLY-auth.txt + create mode 100644 tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt + create mode 100644 tests/outputs/FIPS:OSPP-auth.txt + create mode 100644 tests/outputs/FUTURE-auth.txt + create mode 100644 tests/outputs/FUTURE:AD-SUPPORT-auth.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-auth.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-bind.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-gnutls.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-java.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-javasystem.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-krb5.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-libreswan.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-libssh.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-nss.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-openssh.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-opensshserver.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl.txt + create mode 100644 
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt + create mode 100644 tests/outputs/GOST-ONLY-PAM-opensslcnf.txt + create mode 100644 tests/outputs/GOST-ONLY-auth.txt + create mode 100644 tests/outputs/GOST-ONLY-bind.txt + create mode 100644 tests/outputs/GOST-ONLY-gnutls.txt + create mode 100644 tests/outputs/GOST-ONLY-java.txt + create mode 100644 tests/outputs/GOST-ONLY-javasystem.txt + create mode 100644 tests/outputs/GOST-ONLY-krb5.txt + create mode 100644 tests/outputs/GOST-ONLY-libreswan.txt + create mode 100644 tests/outputs/GOST-ONLY-libssh.txt + create mode 100644 tests/outputs/GOST-ONLY-nss.txt + create mode 100644 tests/outputs/GOST-ONLY-openssh.txt + create mode 100644 tests/outputs/GOST-ONLY-opensshserver.txt + create mode 100644 tests/outputs/GOST-ONLY-openssl.txt + create mode 100644 tests/outputs/GOST-ONLY-openssl_fips.txt + create mode 100644 tests/outputs/GOST-ONLY-opensslcnf.txt + create mode 100644 tests/outputs/GOST-ONLY-rpm-sequoia.txt + create mode 100644 tests/outputs/GOST-ONLY-sequoia.txt + create mode 100644 tests/outputs/LEGACY-auth.txt + create mode 100644 tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt + +diff --git a/Makefile b/Makefile +index 5b584b3..467807d 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,8 +1,10 @@ + VERSION=$(shell git log -1|grep commit|cut -f 2 -d ' '|head -c 7) + DIR?=/usr/share/crypto-policies ++DIRSCR?=/usr/share/crypto-policies-scripts + BINDIR?=/usr/bin + MANDIR?=/usr/share/man + CONFDIR?=/etc/crypto-policies ++AUTHSELECTDIR?=/etc/authselect/custom + LIBEXECDIR?=/usr/libexec + DESTDIR?= + MAN7PAGES=crypto-policies.7 +@@ -30,11 +32,14 @@ install: $(MANPAGES) + mkdir -p $(DESTDIR)$(MANDIR)/man8 + mkdir -p $(DESTDIR)$(BINDIR) + mkdir -p $(DESTDIR)$(LIBEXECDIR) ++ mkdir -p $(DESTDIR)$(AUTHSELECTDIR) + install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 + install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 + install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) + install -p -m 755 $(LIBEXEC_SCRIPTS) 
$(DESTDIR)$(LIBEXECDIR) + mkdir -p $(DESTDIR)$(DIR)/ ++ mkdir -p $(DESTDIR)$(DIRSCR)/ ++ install -p -m 755 scripts/auth_apply.sh $(DESTDIR)$(DIRSCR) + install -p -m 644 default-config $(DESTDIR)$(DIR) + install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR) + for f in $$(find output -name '*.txt') ; do d=$$(dirname $$f | cut -f 2- -d '/') ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done +@@ -42,6 +47,7 @@ install: $(MANPAGES) + for f in $$(find python -name '*.py') ; do d=$$(dirname $$f) ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done + chmod 755 $(DESTDIR)$(DIR)/python/update-crypto-policies.py + chmod 755 $(DESTDIR)$(DIR)/python/build-crypto-policies.py ++ for f in $$(find authselect_policies -name '*' -type f,l) ; do d=$$(basename $$(dirname $$f)) ; install -p -m 644 -D -t $(DESTDIR)$(AUTHSELECTDIR)/$$d $$f ; done + + runruff: + ruff check +@@ -65,6 +71,11 @@ check: + python/build-crypto-policies.py --strict --policy FIPS:NO-ENFORCE-EMS --test --flat policies tests/outputs + python/build-crypto-policies.py --strict --policy FUTURE:AD-SUPPORT --test --flat policies tests/outputs + python/build-crypto-policies.py --strict --policy LEGACY:AD-SUPPORT-LEGACY --test --flat policies tests/outputs ++ python/build-crypto-policies.py --strict --policy DEFAULT:GOST --test --flat policies tests/outputs ++ python/build-crypto-policies.py --strict --policy GOST-ONLY --test --flat policies tests/outputs ++ python/build-crypto-policies.py --strict --policy DEFAULT:PAM-GOST --test --flat policies tests/outputs ++ python/build-crypto-policies.py --strict --policy DEFAULT:PATCH-PAM-GOST --test --flat policies tests/outputs ++ python/build-crypto-policies.py --strict --policy DEFAULT:SSSD-PAM-GOST --test --flat policies tests/outputs + tests/openssl.py + tests/gnutls.py + tests/nss.py +@@ -118,6 +129,7 @@ diff-outputs: + python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies output/current || true + python/build-crypto-policies.py 
--policy FIPS:NO-ENFORCE-EMS --test --flat policies output/current || true + python/build-crypto-policies.py --policy LEGACY:AD-SUPPORT --test --flat policies output/current || true ++ python/build-crypto-policies.py --policy DEFAULT:GOST --test --flat policies output/current || true + $(DIFFTOOL) tests/outputs output/current + + clean: +diff --git a/authselect_policies/minimal_gost/README b/authselect_policies/minimal_gost/README +new file mode 100644 +index 0000000..9839669 +--- /dev/null ++++ b/authselect_policies/minimal_gost/README +@@ -0,0 +1,84 @@ ++Local users only for minimal installations and gost support ++=========================================================== ++ ++Selecting this profile will enable local files as the source of identity ++and authentication providers. ++ ++This profile can be used on systems that require minimal installation to ++save disk and memory space. It serves only local users and groups directly ++from system files instead of going through other authentication providers. ++Therefore SSSD, winbind and fprintd packages can be safely removed. ++ ++AVAILABLE OPTIONAL FEATURES ++--------------------------- ++ ++without-nullok:: ++ Do not add nullok parameter to pam_unix. ++ ++with-gost:: ++ Use GOST hash for shadow password instead of sha512 ++ ++with-silent-lastlog:: ++ Do not produce pam_lastlog message during login. ++ ++DISABLE SPECIFIC NSSWITCH DATABASES ++----------------------------------- ++ ++Normally, nsswitch databases set by the profile overwrites values set in ++user-nsswitch.conf. The following options can force authselect to ++ignore value set by the profile and use the one set in user-nsswitch.conf ++instead. ++ ++with-custom-aliases:: ++Ignore "aliases" map set by the profile. ++ ++with-custom-automount:: ++Ignore "automount" map set by the profile. ++ ++with-custom-ethers:: ++Ignore "ethers" map set by the profile. ++ ++with-custom-group:: ++Ignore "group" map set by the profile. 
++ ++with-custom-hosts:: ++Ignore "hosts" map set by the profile. ++ ++with-custom-initgroups:: ++Ignore "initgroups" map set by the profile. ++ ++with-custom-netgroup:: ++Ignore "netgroup" map set by the profile. ++ ++with-custom-networks:: ++Ignore "networks" map set by the profile. ++ ++with-custom-passwd:: ++Ignore "passwd" map set by the profile. ++ ++with-custom-protocols:: ++Ignore "protocols" map set by the profile. ++ ++with-custom-publickey:: ++Ignore "publickey" map set by the profile. ++ ++with-custom-rpc:: ++Ignore "rpc" map set by the profile. ++ ++with-custom-services:: ++Ignore "services" map set by the profile. ++ ++with-custom-shadow:: ++Ignore "shadow" map set by the profile. ++ ++EXAMPLES ++-------- ++ ++* Enable minimal profile ++ ++ authselect select minimal ++ ++SEE ALSO ++-------- ++* man passwd(5) ++* man group(5) +diff --git a/authselect_policies/minimal_gost/REQUIREMENTS b/authselect_policies/minimal_gost/REQUIREMENTS +new file mode 100644 +index 0000000..e69de29 +diff --git a/authselect_policies/minimal_gost/dconf-db b/authselect_policies/minimal_gost/dconf-db +new file mode 100644 +index 0000000..a3868b7 +--- /dev/null ++++ b/authselect_policies/minimal_gost/dconf-db +@@ -0,0 +1,3 @@ ++[org/gnome/login-screen] ++enable-smartcard-authentication=false ++enable-fingerprint-authentication=false +diff --git a/authselect_policies/minimal_gost/dconf-locks b/authselect_policies/minimal_gost/dconf-locks +new file mode 100644 +index 0000000..8a36fa9 +--- /dev/null ++++ b/authselect_policies/minimal_gost/dconf-locks +@@ -0,0 +1,2 @@ ++/org/gnome/login-screen/enable-smartcard-authentication ++/org/gnome/login-screen/enable-fingerprint-authentication +diff --git a/authselect_policies/minimal_gost/fingerprint-auth b/authselect_policies/minimal_gost/fingerprint-auth +new file mode 100644 +index 0000000..ca152fb +--- /dev/null ++++ b/authselect_policies/minimal_gost/fingerprint-auth +@@ -0,0 +1,16 @@ ++auth required pam_env.so ++auth sufficient 
pam_fprintd.so ++auth required pam_deny.so ++ ++account required pam_unix.so ++account sufficient pam_localuser.so ++account sufficient pam_succeed_if.so uid < 500 quiet ++account required pam_permit.so ++ ++password required pam_deny.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so +diff --git a/authselect_policies/minimal_gost/nsswitch.conf b/authselect_policies/minimal_gost/nsswitch.conf +new file mode 100644 +index 0000000..f1f5941 +--- /dev/null ++++ b/authselect_policies/minimal_gost/nsswitch.conf +@@ -0,0 +1,14 @@ ++passwd: sss files systemd {exclude if "with-custom-passwd"} ++shadow: files {exclude if "with-custom-shadow"} ++group: sss files systemd {exclude if "with-custom-group"} ++hosts: files dns myhostname {exclude if "with-custom-hosts"} ++services: files sss {exclude if "with-custom-services"} ++netgroup: sss {exclude if "with-custom-netgroup"} ++automount: files sss {exclude if "with-custom-automount"} ++aliases: files {exclude if "with-custom-aliases"} ++ethers: files {exclude if "with-custom-ethers"} ++gshadow: files ++networks: files dns {exclude if "with-custom-networks"} ++protocols: files {exclude if "with-custom-protocols"} ++publickey: files {exclude if "with-custom-publickey"} ++rpc: files {exclude if "with-custom-rpc"} +diff --git a/authselect_policies/minimal_gost/password-auth b/authselect_policies/minimal_gost/password-auth +new file mode 100644 +index 0000000..5da3730 +--- /dev/null ++++ b/authselect_policies/minimal_gost/password-auth +@@ -0,0 +1,15 @@ ++auth required pam_env.so ++auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok} ++auth required pam_deny.so ++ ++account required pam_unix.so ++ ++password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ++password sufficient pam_unix.so 
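Review bot: The minimal_gost nsswitch.conf inside the embedded patch routes the passwd, group, services, netgroup and automount maps through `sss` ahead of `files`, which contradicts the profile's own README a few lines earlier, where it states that SSSD, winbind and fprintd can be safely removed on minimal installations. With nss_sss uninstalled the lookups presumably fall through to files, so this is unlikely to break login, but it widens the identity-resolution path of a profile advertised as local-only and diverges from the upstream minimal profile, which consults files and systemd only. If the intent is a local-files-only GOST variant, the five maps should drop `sss`; if SSSD is meant to be consulted, the README paragraph about removing SSSD should be corrected instead, and its example `authselect select minimal` should name this custom profile rather than the stock one.
```conf
passwd:     files systemd {exclude if "with-custom-passwd"}
# … unchanged: shadow …
group:      files systemd {exclude if "with-custom-group"}
# … unchanged: hosts …
services:   files {exclude if "with-custom-services"}
netgroup:   files {exclude if "with-custom-netgroup"}
automount:  files {exclude if "with-custom-automount"}
# … unchanged: aliases through rpc …
```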
try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow ++password required pam_deny.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so +diff --git a/authselect_policies/minimal_gost/postlogin b/authselect_policies/minimal_gost/postlogin +new file mode 100644 +index 0000000..8d9bfd0 +--- /dev/null ++++ b/authselect_policies/minimal_gost/postlogin +@@ -0,0 +1,4 @@ ++session optional pam_umask.so silent ++session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet ++session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} ++session optional pam_lastlog.so silent noupdate showfailed +diff --git a/authselect_policies/minimal_gost/smartcard-auth b/authselect_policies/minimal_gost/smartcard-auth +new file mode 100644 +index 0000000..f0843be +--- /dev/null ++++ b/authselect_policies/minimal_gost/smartcard-auth +@@ -0,0 +1,16 @@ ++auth required pam_env.so ++auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card ++auth required pam_deny.so ++ ++account required pam_unix.so ++account sufficient pam_localuser.so ++account sufficient pam_succeed_if.so uid < 500 quiet ++account required pam_permit.so ++ ++password optional pam_pkcs11.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so +diff --git a/authselect_policies/minimal_gost/system-auth b/authselect_policies/minimal_gost/system-auth +new file mode 100644 +index 0000000..5da3730 +--- /dev/null ++++ b/authselect_policies/minimal_gost/system-auth +@@ -0,0 +1,15 @@ ++auth required pam_env.so ++auth sufficient pam_unix.so try_first_pass {if not 
"without-nullok":nullok} ++auth required pam_deny.so ++ ++account required pam_unix.so ++ ++password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ++password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow ++password required pam_deny.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so +diff --git a/authselect_policies/sssd_gost/README b/authselect_policies/sssd_gost/README +new file mode 100644 +index 0000000..02daa76 +--- /dev/null ++++ b/authselect_policies/sssd_gost/README +@@ -0,0 +1,145 @@ ++Enable SSSD with GOST support for system authentication (also for local users only) ++================================================================= ++ ++Selecting this profile will enable SSSD with GOST as the source of identity ++and authentication providers. ++ ++SSSD provides a set of daemons to manage access to remote directories and ++authentication mechanisms such as LDAP, Kerberos, FreeIPA or AD. It provides ++an NSS and PAM interface toward the system and a pluggable backend system ++to connect to multiple different account sources. ++ ++More information about SSSD can be found on its project page: ++https://sssd.io ++ ++However, if you do not want to keep SSSD running on your machine, you can ++keep this profile selected and just disable SSSD service. The resulting ++configuration will still work correctly even with SSSD disabled and local users ++and groups will be read from local files directly. ++ ++SSSD CONFIGURATION ++------------------ ++ ++Authselect does not touch SSSD's configuration. Please, read SSSD's ++documentation to see how to configure it manually. Only local users ++will be available on the system if there is no existing SSSD configuration. 
++ ++AVAILABLE OPTIONAL FEATURES ++--------------------------- ++ ++with-faillock:: ++ Enable account locking in case of too many consecutive ++ authentication failures. ++ ++with-mkhomedir:: ++ Enable automatic creation of home directories for users on their ++ first login. ++ ++with-smartcard:: ++ Enable authentication with smartcards through SSSD. Please note that ++ smartcard support must be also explicitly enabled within ++ SSSD's configuration. ++ ++with-smartcard-lock-on-removal:: ++ Lock screen when a smartcard is removed. ++ ++with-smartcard-required:: ++ Smartcard authentication is required. No other means of authentication ++ (including password) will be enabled. ++ ++with-fingerprint:: ++ Enable authentication with fingerprint reader through *pam_fprintd*. ++ ++with-pam-gnome-keyring:: ++ Enable pam-gnome-keyring support. ++ ++with-pam-u2f:: ++ Enable authentication via u2f dongle through *pam_u2f*. ++ ++with-pam-u2f-2fa:: ++ Enable 2nd factor authentication via u2f dongle through *pam_u2f*. ++ ++without-pam-u2f-nouserok:: ++ Module argument nouserok is omitted if also with-pam-u2f-2fa is used. ++ *WARNING*: Omitting nouserok argument means that users without pam-u2f ++ authentication configured will not be able to log in *INCLUDING* root. ++ Make sure you are able to log in before losing root privileges. ++ ++with-silent-lastlog:: ++ Do not produce pam_lastlog message during login. ++ ++with-sudo:: ++ Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers. ++ ++with-pamaccess:: ++ Check access.conf during account authorization. ++ ++with-pwhistory:: ++ Enable pam_pwhistory module for local users. ++ ++with-files-domain:: ++ If set, SSSD will be contacted before "files" when resolving users and ++ groups. The order in nsswitch.conf will be set to "sss files" instead of ++ "files sss" for passwd and group maps. ++ ++with-files-access-provider:: ++ If set, account management for local users is handled also by pam_sss. 
This ++ is needed if there is an explicitly configured domain with id_provider=files ++ and non-empty access_provider setting in sssd.conf. ++ ++ *WARNING:* SSSD access check will become mandatory for local users and ++ if SSSD is stopped then local users will not be able to log in. Only ++ system accounts (as defined by pam_usertype, including root) will be ++ able to log in. ++ ++with-gssapi:: ++ If set, pam_sss_gss module is enabled to perform user authentication over ++ GSSAPI. ++ ++with-subid:: ++ Enable SSSD as a source of subid database in /etc/nsswitch.conf. ++ ++without-nullok:: ++ Do not add nullok parameter to pam_unix. ++ ++with-gost:: ++ Use GOST hash for shadow password instead of sha512 ++ ++DISABLE SPECIFIC NSSWITCH DATABASES ++----------------------------------- ++ ++Normally, nsswitch databases set by the profile overwrites values set in ++user-nsswitch.conf. The following options can force authselect to ++ignore value set by the profile and use the one set in user-nsswitch.conf ++instead. ++ ++with-custom-passwd:: ++Ignore "passwd" database set by the profile. ++ ++with-custom-group:: ++Ignore "group" database set by the profile. ++ ++with-custom-netgroup:: ++Ignore "netgroup" database set by the profile. ++ ++with-custom-automount:: ++Ignore "automount" database set by the profile. ++ ++with-custom-services:: ++Ignore "services" database set by the profile. 
++ ++EXAMPLES ++-------- ++ ++* Enable SSSD with sudo and smartcard support ++ ++ authselect select sssd with-sudo with-smartcard ++ ++* Enable SSSD with sudo support and create home directories for users on their ++ first login ++ ++ authselect select sssd with-mkhomedir with-sudo ++ ++SEE ALSO ++-------- ++* man sssd.conf(5) +diff --git a/authselect_policies/sssd_gost/REQUIREMENTS b/authselect_policies/sssd_gost/REQUIREMENTS +new file mode 100644 +index 0000000..396287e +--- /dev/null ++++ b/authselect_policies/sssd_gost/REQUIREMENTS +@@ -0,0 +1,29 @@ ++Make sure that SSSD service is configured and enabled. See SSSD documentation for more information. ++ {include if "with-smartcard"} ++- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf: {include if "with-smartcard"} ++ - set "pam_cert_auth = True" in [pam] section {include if "with-smartcard"} ++ {include if "with-fingerprint"} ++- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"} ++ {include if "with-pam-gnome-keyring"} ++- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module {include if "with-pam-gnome-keyring"} ++ is present. 
{include if "with-pam-gnome-keyring"} ++ {include if "with-pam-u2f"} ++- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"} ++ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"} ++ {include if "with-pam-u2f-2fa"} ++- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"} ++ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"} ++ {include if "with-mkhomedir"} ++- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"} ++ is present and oddjobd service is enabled and active {include if "with-mkhomedir"} ++ - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} ++ {include if "with-files-domain"} ++- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"} ++ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"} ++ - or create a custom domain with id_provider=files {include if "with-files-domain"} ++ {include if "with-gssapi"} ++- with-gssapi is selected, make sure that GSSAPI authenticaiton is enabled in SSSD {include if "with-gssapi"} ++ - set pam_gssapi_services to a list of allowed services in /etc/sssd/sssd.conf {include if "with-gssapi"} ++ - see additional information in pam_sss_gss(8) {include if "with-gssapi"} ++ {include if "with-gost"} ++- with-gost is selected, make sure that openssl-gost-engine installed {include if "with-gost"} +diff --git a/authselect_policies/sssd_gost/dconf-db b/authselect_policies/sssd_gost/dconf-db +new file mode 100644 +index 0000000..66c9949 +--- /dev/null ++++ b/authselect_policies/sssd_gost/dconf-db +@@ -0,0 +1,9 @@ ++{imply "with-smartcard" if "with-smartcard-required"} ++{imply "with-smartcard" if "with-smartcard-lock-on-removal"} ++[org/gnome/login-screen] ++enable-smartcard-authentication={if 
"with-smartcard":true|false} ++enable-fingerprint-authentication={if "with-fingerprint":true|false} ++enable-password-authentication={if "with-smartcard-required":false|true} ++ ++[org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"} ++removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"} +diff --git a/authselect_policies/sssd_gost/dconf-locks b/authselect_policies/sssd_gost/dconf-locks +new file mode 100644 +index 0000000..6bf15d0 +--- /dev/null ++++ b/authselect_policies/sssd_gost/dconf-locks +@@ -0,0 +1,4 @@ ++/org/gnome/login-screen/enable-smartcard-authentication ++/org/gnome/login-screen/enable-fingerprint-authentication ++/org/gnome/login-screen/enable-password-authentication ++/org/gnome/settings-daemon/peripherals/smartcard/removal-action {include if "with-smartcard-lock-on-removal"} +diff --git a/authselect_policies/sssd_gost/fingerprint-auth b/authselect_policies/sssd_gost/fingerprint-auth +new file mode 100644 +index 0000000..dc7befe +--- /dev/null ++++ b/authselect_policies/sssd_gost/fingerprint-auth +@@ -0,0 +1,28 @@ ++auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"} ++{continue if "with-fingerprint"} ++auth required pam_env.so ++auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"} ++auth required pam_faillock.so preauth silent {include if "with-faillock"} ++auth [success=done default=bad] pam_fprintd.so ++auth required pam_faillock.so authfail {include if "with-faillock"} ++auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} ++auth required pam_deny.so ++ ++account required pam_access.so {include if "with-pamaccess"} ++account required pam_faillock.so {include if "with-faillock"} ++account required pam_unix.so ++account sufficient pam_localuser.so {exclude if "with-files-access-provider"} ++account sufficient pam_usertype.so issystem ++account [default=bad 
success=ok user_unknown=ignore] pam_sss.so ++account required pam_permit.so ++ ++password required pam_deny.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so ++session optional pam_sss.so ++session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} +diff --git a/authselect_policies/sssd_gost/nsswitch.conf b/authselect_policies/sssd_gost/nsswitch.conf +new file mode 100644 +index 0000000..f9e4e54 +--- /dev/null ++++ b/authselect_policies/sssd_gost/nsswitch.conf +@@ -0,0 +1,7 @@ ++passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"} ++group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"} ++netgroup: sss files {exclude if "with-custom-netgroup"} ++automount: sss files {exclude if "with-custom-automount"} ++services: sss files {exclude if "with-custom-services"} ++sudoers: files sss {include if "with-sudo"} ++subid: sss {include if "with-subid"} +diff --git a/authselect_policies/sssd_gost/password-auth b/authselect_policies/sssd_gost/password-auth +new file mode 100644 +index 0000000..7832fb7 +--- /dev/null ++++ b/authselect_policies/sssd_gost/password-auth +@@ -0,0 +1,39 @@ ++auth required pam_env.so ++auth required pam_faildelay.so delay=2000000 ++auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"} ++auth required pam_faillock.so preauth silent {include if "with-faillock"} ++auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} ++auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} ++auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular ++auth [default=1 ignore=ignore 
success=ok] pam_localuser.so ++auth sufficient pam_unix.so {if not "without-nullok":nullok} ++auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular ++auth sufficient pam_sss.so forward_pass ++auth required pam_faillock.so authfail {include if "with-faillock"} ++auth optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"} ++auth required pam_deny.so ++ ++account required pam_access.so {include if "with-pamaccess"} ++account required pam_faillock.so {include if "with-faillock"} ++account required pam_unix.so ++account sufficient pam_localuser.so {exclude if "with-files-access-provider"} ++account sufficient pam_usertype.so issystem ++account [default=bad success=ok user_unknown=ignore] pam_sss.so ++account required pam_permit.so ++ ++password requisite pam_pwquality.so local_users_only ++password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} ++password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} ++password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok ++password [success=1 default=ignore] pam_localuser.so ++password sufficient pam_sss.so use_authtok ++password required pam_deny.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so ++session optional pam_sss.so ++session optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"} +diff --git a/authselect_policies/sssd_gost/postlogin b/authselect_policies/sssd_gost/postlogin +new file mode 100644 +index 0000000..04a11f0 +--- /dev/null ++++ b/authselect_policies/sssd_gost/postlogin +@@ -0,0 +1,4 @@ ++session optional pam_umask.so silent ++session [success=1 default=ignore] pam_succeed_if.so 
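Review bot: The `{if "with-gost":gost_yescrypt|sha512}` fallback on the pam_unix password line selects sha512 whenever with-gost is off, while `set_no_gost` in scripts/auth_apply.sh rewrites both sha512 and gost_yescrypt back to yescrypt, so the hash this profile configures without with-gost is weaker than the one the script restores when the policy is removed. If yescrypt is the intended non-GOST baseline, the line should read `password sufficient pam_unix.so {if "with-gost":gost_yescrypt|yescrypt} shadow {if not "without-nullok":nullok} use_authtok`. The identical line is in the sssd_gost/system-auth hunk. gost_yescrypt is a libxcrypt hashing method, so the REQUIREMENTS note about openssl-gost-engine is probably not the dependency that matters for this option — worth confirming and documenting there.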
service !~ gdm* service !~ su* quiet ++session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} ++session optional pam_lastlog.so silent noupdate showfailed +diff --git a/authselect_policies/sssd_gost/smartcard-auth b/authselect_policies/sssd_gost/smartcard-auth +new file mode 100644 +index 0000000..754847f +--- /dev/null ++++ b/authselect_policies/sssd_gost/smartcard-auth +@@ -0,0 +1,26 @@ ++{imply "with-smartcard" if "with-smartcard-required"} ++auth required pam_debug.so auth=authinfo_unavail {exclude if "with-smartcard"} ++{continue if "with-smartcard"} ++auth required pam_env.so ++auth required pam_faillock.so preauth silent {include if "with-faillock"} ++auth sufficient pam_sss.so allow_missing_name {if "with-smartcard-required":require_cert_auth} ++auth required pam_faillock.so authfail {include if "with-faillock"} ++auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} ++auth required pam_deny.so ++ ++account required pam_access.so {include if "with-pamaccess"} ++account required pam_faillock.so {include if "with-faillock"} ++account required pam_unix.so ++account sufficient pam_localuser.so {exclude if "with-files-access-provider"} ++account sufficient pam_usertype.so issystem ++account [default=bad success=ok user_unknown=ignore] pam_sss.so ++account required pam_permit.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so ++session optional pam_sss.so ++session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} +diff --git a/authselect_policies/sssd_gost/system-auth b/authselect_policies/sssd_gost/system-auth +new file mode 100644 +index 0000000..31d4ee1 +--- /dev/null ++++ 
b/authselect_policies/sssd_gost/system-auth +@@ -0,0 +1,46 @@ ++{imply "with-smartcard" if "with-smartcard-required"} ++auth required pam_env.so ++auth required pam_faildelay.so delay=2000000 ++auth required pam_faillock.so preauth silent {include if "with-faillock"} ++auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"} ++auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"} ++auth sufficient pam_fprintd.so {include if "with-fingerprint"} ++auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} ++auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} ++auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular ++auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"} ++auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"} ++auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"} ++auth sufficient pam_unix.so {if not "without-nullok":nullok} ++auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"} ++auth sufficient pam_sss_gss.so {include if "with-gssapi"} ++auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular ++auth sufficient pam_sss.so forward_pass ++auth required pam_faillock.so authfail {include if "with-faillock"} ++auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} ++auth required pam_deny.so ++ ++account required pam_access.so {include if "with-pamaccess"} ++account required pam_faillock.so {include if "with-faillock"} ++account required pam_unix.so ++account sufficient pam_localuser.so {exclude if "with-files-access-provider"} 
++account sufficient pam_usertype.so issystem ++account [default=bad success=ok user_unknown=ignore] pam_sss.so ++account required pam_permit.so ++ ++password requisite pam_pwquality.so local_users_only ++password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} ++password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} ++password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok ++password [success=1 default=ignore] pam_localuser.so ++password sufficient pam_sss.so use_authtok ++password required pam_deny.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so ++session optional pam_sss.so ++session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} +diff --git a/policies/GOST-ONLY-PAM.pol b/policies/GOST-ONLY-PAM.pol +new file mode 100644 +index 0000000..fce3bdb +--- /dev/null ++++ b/policies/GOST-ONLY-PAM.pol +@@ -0,0 +1,29 @@ ++# Next generation GOST algorithms ++ ++mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT ++ ++group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C ++ ++hash = GOSTR94 STREEBOG-256 STREEBOG-512 ++ ++sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512 ++ ++cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM ++ ++cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB ++ ++key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF ++ ++protocol@TLS = TLS1.3 
TLS1.2 TLS1.1 TLS1.0 ++ ++# Parameter sizes ++# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL ++min_dh_size = 2048 ++min_dsa_size = 2048 ++min_rsa_size = 2048 ++ ++# GnuTLS only for now ++sha1_in_certs = 0 ++ ++action_do = GOST ++authopt@AUTH = custom/minimal_gost with-gost +diff --git a/policies/GOST-ONLY.pol b/policies/GOST-ONLY.pol +new file mode 100644 +index 0000000..37e478b +--- /dev/null ++++ b/policies/GOST-ONLY.pol +@@ -0,0 +1,28 @@ ++# Next generation GOST algorithms ++ ++mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT ++ ++group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C ++ ++hash = GOSTR94 STREEBOG-256 STREEBOG-512 ++ ++sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512 ++ ++cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM ++ ++cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB ++ ++key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF ++ ++protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 ++ ++# Parameter sizes ++# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL ++min_dh_size = 2048 ++min_dsa_size = 2048 ++min_rsa_size = 2048 ++ ++# GnuTLS only for now ++sha1_in_certs = 0 ++ ++action_do = GOST +diff --git a/policies/modules/GOST.pmod b/policies/modules/GOST.pmod +new file mode 100644 +index 0000000..b9021ea +--- /dev/null ++++ b/policies/modules/GOST.pmod +@@ -0,0 +1,18 @@ ++# Adds GOST algorithms. 
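Review bot: policies/GOST-ONLY-PAM.pol repeats every line of policies/GOST-ONLY.pol and differs only by the final `authopt@AUTH = custom/minimal_gost with-gost`, which is exactly what policies/modules/PAM-GOST.pmod contributes, so the two copies will drift the first time one of them is edited. Unless the spec needs a standalone policy name, the same result is reachable as the subpolicy `GOST-ONLY:PAM-GOST`, and the name lists in build-crypto-policies.py, tests/nss.py and tests/openssl.py would not need a third entry. If the file has to stay, a header comment such as `# GOST-ONLY plus PAM-GOST; keep in sync with policies/GOST-ONLY.pol` would tell the next maintainer what it is.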
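Review bot: `protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0` enables the two legacy TLS versions in a policy that is now shipped under policies/ rather than kept as a test example, and the shipped file sets no `min_tls_version` while the copy in tests/alternative-policies/GOST-ONLY.pol adds `min_tls_version = TLS1.0`, so the two are not the same policy and it is unclear which one the generated outputs are meant to reflect. If TLS 1.0/1.1 are required for GOST cipher suites that predate TLS 1.2, a comment on the line should say so; otherwise `protocol@TLS = TLS1.3 TLS1.2` is the safer default for a shipped policy. The same protocol line is in GOST-ONLY-PAM.pol.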
++# ++ ++mac = +HMAC-STREEBOG-256 +HMAC-STREEBOG-512 +MAGMA-OMAC +KUZNYECHIK-OMAC +MAGMA-OMAC-ACPKM +KUZNYECHIK-OMAC-ACPKM +GOST28147-TC26Z-IMIT +GOST28147-CPA-IMIT +AEAD ++ ++group = +GOST-GC256A +GOST-GC256B +GOST-GC256C +GOST-GC256D +GOST-GC512A +GOST-GC512B +GOST-GC512C ++ ++hash = +STREEBOG-256 +STREEBOG-512 GOSTR94+ ++ ++sign = +GOSTR341012-256 +GOSTR341012-512 GOSTR341001+ ++ ++cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM ++ ++cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB ++ ++key_exchange = +VKO-GOST-2001 +VKO-GOST-2012 +VKO-GOST-KDF ++ ++action_do = +GOST +diff --git a/policies/modules/PAM-GOST.pmod b/policies/modules/PAM-GOST.pmod +new file mode 100644 +index 0000000..06d92c5 +--- /dev/null ++++ b/policies/modules/PAM-GOST.pmod +@@ -0,0 +1,3 @@ ++#Add shadow gost support ++ ++authopt@AUTH = custom/minimal_gost with-gost +diff --git a/policies/modules/PATCH-PAM-GOST.pmod b/policies/modules/PATCH-PAM-GOST.pmod +new file mode 100644 +index 0000000..a79abd0 +--- /dev/null ++++ b/policies/modules/PATCH-PAM-GOST.pmod +@@ -0,0 +1,3 @@ ++#Add shadow gost support ++ ++authopt@AUTH = patch +diff --git a/policies/modules/SSSD-PAM-GOST.pmod b/policies/modules/SSSD-PAM-GOST.pmod +new file mode 100644 +index 0000000..f28939e +--- /dev/null ++++ b/policies/modules/SSSD-PAM-GOST.pmod +@@ -0,0 +1,3 @@ ++#Add shadow gost support ++ ++authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog +diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py +index 2853c65..4b3d83c 100755 +--- a/python/build-crypto-policies.py ++++ b/python/build-crypto-policies.py +@@ -9,6 +9,7 @@ import argparse + import os + import sys + import warnings ++import platform + + import cryptopolicies + import policygenerators +@@ -62,6 +63,11 @@ def save_config(cmdline, policy_name, 
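Review bot: `authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog` enables fingerprint authentication and silent lastlog as a side effect of a subpolicy whose header says only `#Add shadow gost support`, so applying it changes which authentication factors are accepted, not just the shadow hash. Those two features are unrelated to GOST and belong in a separately named module, or at least in the comment, e.g. `# Select the sssd_gost authselect profile with GOST shadow hashing; also enables fingerprint auth and silent lastlog`. PATCH-PAM-GOST.pmod's value `patch` is a magic word that scripts/auth_apply.sh turns into in-place sed edits of /etc/pam.d, which is a very different mechanism from profile selection and deserves a comment saying so.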
config_name, config):
+ try:
+ with open(path, encoding='utf-8') as f:
+ old_config = f.read()
++ if '[gost_section]' in config:
++ arch, links = platform.architecture()
++ if arch == '32bit':
++ #Make test expected file same for x86 and x86_64 systems
++ config = config.replace('dynamic_path = /usr/lib/engines-3/gost.so', 'dynamic_path = /usr/lib64/engines-3/gost.so')
+ if old_config != config:
+ eprint(f'Config for {config_name} for policy {policy_name} '
+ 'differs from the existing one')
+@@ -100,7 +106,7 @@ def build_policy(cmdline, policy_name, subpolicy_names=None):
+ gen = cls()
+ config = gen.generate_config(cp.scoped(gen.SCOPES))
+
+- if policy_name in {'EMPTY', 'GOST-ONLY'} or gen.test_config(config):
++ if policy_name in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM') or gen.test_config(config):
+ try:
+ name = ':'.join([policy_name, *subpolicy_names])
+ if not save_config(cmdline, name, gen.CONFIG_NAME, config):
+diff --git a/python/cryptopolicies/alg_lists.py b/python/cryptopolicies/alg_lists.py
+index 259f61a..c1cf35c 100644
+--- a/python/cryptopolicies/alg_lists.py
++++ b/python/cryptopolicies/alg_lists.py
+@@ -94,6 +94,12 @@ DTLS_PROTOCOLS = ('DTLS1.2', 'DTLS1.0', 'DTLS0.9')
+ IKE_PROTOCOLS = ('IKEv2', 'IKEv1')
+ ALL_PROTOCOLS = TLS_PROTOCOLS + DTLS_PROTOCOLS + IKE_PROTOCOLS
+
++# List of action do algoritms, for non standard libraries
++IACTION_OPT = 'action_do'
++ALL_ACTION_DO = ( 'GOST', 'NONE' )
++
++AUTH_PROFILES_OPT = 'authopt'
++ALL_AUTH_PROFILES = ()
+
+ ALL = {
+ 'cipher': ALL_CIPHERS,
+@@ -103,6 +109,8 @@ ALL = {
+ 'mac': ALL_MACS,
+ 'protocol': ALL_PROTOCOLS,
+ 'sign': ALL_SIGN,
++ IACTION_OPT: ALL_ACTION_DO,
++ AUTH_PROFILES_OPT: ALL_AUTH_PROFILES
+ }
+
+
+@@ -116,10 +124,13 @@ def glob(pattern, alg_class):
+ if alg_class not in ALL:
+ raise validation.alg_lists.AlgorithmClassUnknownError(alg_class)
+
+- r = fnmatch.filter(ALL[alg_class], pattern)
+- if not r:
+- raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class)
+- return
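Review bot: The 32-bit branch added inside save_config rebinds `config` to the lib64 path before the comparison, and since that same name is what the function presumably goes on to write (the rest of save_config is outside this hunk), a 32-bit build would write a back-end config pointing at `/usr/lib64/engines-3/gost.so`, which does not exist on such a host; the comment says the intent is only to make the test fixture arch-independent. The rewrite also sits inside the `try` that reads the existing file, so it is skipped when there is no old config to compare, and `links` is unused. Better to leave save_config alone and normalise in the test comparison, e.g. compare `old_config` against a local `expected = config.replace('/usr/lib/engines-3/', '/usr/lib64/engines-3/')` without rebinding `config`, or have openssl.py emit one path and let the spec substitute the libdir at install time. save_config starts before this hunk.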
r
++ if alg_class == AUTH_PROFILES_OPT:
++ return [pattern]
++ else:
++ r = fnmatch.filter(ALL[alg_class], pattern)
++ if not r:
++ raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class)
++ return r
+
+
+ def earliest_occurrence(needles, ordered_haystack):
+diff --git a/python/cryptopolicies/cryptopolicies.py b/python/cryptopolicies/cryptopolicies.py
+index a580ce8..0f50792 100644
+--- a/python/cryptopolicies/cryptopolicies.py
++++ b/python/cryptopolicies/cryptopolicies.py
+@@ -42,7 +42,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing
+ 'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh',
+ 'ipsec', 'ike', 'libreswan',
+ 'kerberos', 'krb5',
+- 'dnssec', 'bind',
++ 'dnssec', 'bind', 'auth'
+ )
+ DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
+ 'bind': {'bind', 'dnssec'},
+@@ -55,6 +55,7 @@ DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
+ 'openssh-client': {'openssh-client', 'openssh', 'ssh'},
+ 'openssh-server': {'openssh-server', 'openssh', 'ssh'},
+ 'openssl': {'openssl', 'tls', 'ssl'},
++ 'auth': {'auth'},
+ }
+
+
+@@ -466,6 +467,8 @@ class UnscopedCryptoPolicy:
+ **generic_scoped.integers,
+ **generic_scoped.enums}
+ for prop_name, value in generic_all.items():
++ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT):
++ continue
+ s += fmt(prop_name, value)
+ anything_scope_specific = False
+ for scope_name, scope_set in DUMPABLE_SCOPES.items():
+@@ -474,6 +477,8 @@ class UnscopedCryptoPolicy:
+ **specific_scoped.integers,
+ **specific_scoped.enums}
+ for prop_name, value in specific_all.items():
++ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT):
++ continue
+ if value != generic_all[prop_name]:
+ if not anything_scope_specific:
+ s += ('# Scope-specific properties '
+diff --git a/python/policygenerators/__init__.py b/python/policygenerators/__init__.py
+index be516b2..ae756f0 100644
+---
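Review bot: `if alg_class == AUTH_PROFILES_OPT: return [pattern]` returns the token unvalidated, so whatever follows `authopt =` in a policy file lands in back-ends/auth.config and, through scripts/auth_apply.sh, in an unquoted `authselect select $OPTS_FOR_EXECUTE --force` command line, whereas every other class is checked here against a known list. Policy files are root-owned, so this is robustness rather than injection, but a conservative check such as `if not re.fullmatch(r'[A-Za-z0-9_./-]+', pattern): raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class)` (or a dedicated error type if one fits the validation module better) would surface typos and stray shell metacharacters at build time instead of at the next login. The `else:` after the early `return` can also go, leaving the original body at its old indentation.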
a/python/policygenerators/__init__.py
++++ b/python/policygenerators/__init__.py
+@@ -16,6 +16,7 @@ from .openssl import (
+ OpenSSLFIPSGenerator,
+ OpenSSLGenerator,
+ )
++from .auth import AuthGenerator
+
+ __all__ = [
+ 'BindGenerator',
+@@ -31,4 +32,5 @@ __all__ = [
+ 'OpenSSLConfigGenerator',
+ 'OpenSSLFIPSGenerator',
+ 'OpenSSLGenerator',
++ 'AuthGenerator',
+ ]
+diff --git a/python/policygenerators/auth.py b/python/policygenerators/auth.py
+new file mode 100644
+index 0000000..eb6bda5
+--- /dev/null
++++ b/python/policygenerators/auth.py
+@@ -0,0 +1,36 @@
++# SPDX-License-Identifier: LGPL-2.1-or-later
++
++# Copyright (c) 2019 Red Hat, Inc.
++# Copyright (c) 2019 Tomáš Mráz
++
++import os.path
++
++from .configgenerator import ConfigGenerator
++
++class AuthGenerator(ConfigGenerator):
++ CONFIG_NAME = 'auth'
++ SCOPES = {'auth'}
++
++ RELOAD_CMD = '/usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :\n'
++
++ @classmethod
++ def generate_config(cls, policy):
++ p = policy.enabled
++ sep = '\n'
++ s = ''
++ authopt_data = p['authopt']
++ if len(authopt_data) > 0:
++ auth_profile = authopt_data.pop(0)
++ opt_list = []
++ for item in authopt_data:
++ if item not in opt_list:
++ if item.startswith('with'):
++ opt_list.append(item)
++ s = cls.append(s, auth_profile, sep)
++ for item in opt_list:
++ s = cls.append(s, item, sep)
++ return s
++
++ @classmethod
++ def test_config(cls, config): # pylint: disable=unused-argument
++ return True
+diff --git a/python/policygenerators/fedora-crypto-policies.code-workspace b/python/policygenerators/fedora-crypto-policies.code-workspace
+new file mode 100644
+index 0000000..e69de29
+diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py
+index fcee9ec..a97502a 100644
+--- a/python/policygenerators/openssl.py
++++ b/python/policygenerators/openssl.py
+@@ -2,6 +2,7 @@
+
+ # Copyright (c) 2019 Red Hat, Inc.
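Review bot: `authopt_data.pop(0)` in AuthGenerator.generate_config mutates the list behind `policy.enabled['authopt']` in place (unless `enabled` builds a fresh dict on every access, which the hunk does not show), so a second generate_config call on the same policy object sees the profile name gone and the first `with-*` option promoted to profile. Tokens that do not start with `with` are dropped with no diagnostic, `os.path` is imported but never used, and the 2019 copyright lines are copied from another file. `RELOAD_CMD` additionally discards stderr and masks the exit status with `|| :`, so a failed profile switch — the one step that actually changes the PAM stack — is never reported back to update-crypto-policies; at minimum stderr should be kept. A non-mutating version of the method follows.
```python
    @classmethod
    def generate_config(cls, policy):
        """Emit the authselect profile name followed by its with-* options, one per line."""
        p = policy.enabled
        sep = '\n'
        s = ''
        authopt_data = list(p['authopt'])  # copy: never mutate the shared policy list
        if authopt_data:
            auth_profile, *options = authopt_data
            # dict.fromkeys keeps first-seen order while dropping duplicates
            opt_list = list(dict.fromkeys(o for o in options if o.startswith('with')))
            s = cls.append(s, auth_profile, sep)
            for item in opt_list:
                s = cls.append(s, item, sep)
        return s
```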
+ # Copyright (c) 2019 Tomáš Mráz
++import platform
+
+ from subprocess import CalledProcessError, check_output
+
+@@ -21,6 +22,25 @@ tls1-prf-ems-check = {}
+ activate = 1
+ '''
+
++arch, links = platform.architecture()
++library_path = '64'
++if arch == '32bit':
++ library_path = ''
++
++GOST_MODULE_ENABLE = '''
++[openssl_init]
++engines = engine_gost
++
++[engine_gost]
++gost = gost_section
++
++[gost_section]
++engine_id = gost
++dynamic_path = /usr/lib%s/engines-3/gost.so
++default_algorithms = ALL
++CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
++''' % (library_path)
++
+
+ class OpenSSLGenerator(ConfigGenerator):
+ CONFIG_NAME = 'openssl'
+@@ -264,6 +284,9 @@ class OpenSSLConfigGenerator(OpenSSLGenerator):
+
+ if 'SHA1' in p['hash']:
+ s += RH_ALLOW_SHA1
++
++ if 'GOST' in p['action_do']:
++ s += GOST_MODULE_ENABLE
+
+ return s
+
+diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh
+new file mode 100755
+index 0000000..5b2ecad
+--- /dev/null
++++ b/scripts/auth_apply.sh
+@@ -0,0 +1,204 @@
++#!/usr/bin/bash
++exec 1> /var/log/crypto-cmc/auth.log 2>&1
++set -x
++# Скрипт настройки профиля authselect для crypto-policy
++# Примеры запуска:
++# auth_apply.sh -e - восстановить конфигурацию без указания auth профиля
++# auth_apply.sh -p tmp/ - считать что конфигурационные файлы authselect лежат в каталоге tmp
++# auth_apply.sh -p /tmp -t /tmpconf - аналигично предыдущему, но еще не вызывать authselect
++# и считать, что сгенерированный конфиг лежит в каталоге tmpconf
++
++CONF_PATH=/etc/authselect/
++AUTH_SEL_BAK=authselect.conf.policy
++AUTH_CONFIG=authselect.conf
++EMPTY=0
++TEST=""
++AUTH_BACKUP_NAME="auth_saved_profile"
++USE_PATCH="$CONF_PATH/autheslect.patch"
++
++function set_gost
++{
++ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/system-auth
++ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/password-auth
++
++}
++
++function set_no_gost
++{
++
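Review bot: `GOST_MODULE_ENABLE` fixes the engine path at import time from `platform.architecture()`, which reports the bitness of the Python interpreter running the build rather than the host the generated config is installed on, so a config built on one architecture carries the wrong `dynamic_path` on the other; `links` is unused. `default_algorithms = ALL` hands every algorithm the engine implements to it for all OpenSSL consumers on the system, and the emitted `[openssl_init]` section will sit next to whatever `[openssl_init]` the rest of the generated file already declares — whether OpenSSL merges the duplicate section names as intended should be checked against the generated file with `openssl list -engines`. Selecting the libdir at install or apply time (the spec's `%{_libdir}`, or a placeholder the apply script fills in) would remove the build-host dependency, and a comment above the string such as `# Loads the GOST engine system-wide when action_do contains GOST; dynamic_path must match the target libdir` would document the override. The method that appends `GOST_MODULE_ENABLE` starts outside the hunk.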
/usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/system-auth ++ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/password-auth ++} ++ ++function get_auth_options ++{ ++ /usr/bin/cat /etc/crypto-policies/back-ends/auth.config | tr '\n' ' ' ++} ++ ++function save_restored_profile ++{ ++ if [ ! -e /etc/authselect/custom/restored ];then ++ /usr/bin/authselect create-profile restored ++ [ -e /etc/pam.d/fingerprint-auth ] && /usr/bin/cp -f /etc/pam.d/fingerprint-auth /etc/authselect/custom/restored/ ++ [ -e /etc/pam.d/password-auth ] && /usr/bin/cp -f /etc/pam.d/password-auth /etc/authselect/custom/restored/ ++ [ -e /etc/pam.d/postlogin ] && /usr/bin/cp -f /etc/pam.d/postlogin /etc/authselect/custom/restored/ ++ [ -e /etc/pam.d/smartcard-auth ] && /usr/bin/cp -f /etc/pam.d/smartcard-auth /etc/authselect/custom/restored/ ++ [ -e /etc/pam.d/system-auth ] && /usr/bin/cp -f /etc/pam.d/system-auth /etc/authselect/custom/restored/ ++ [ -e /etc/authselect/user-nsswitch.conf ] && /usr/bin/cp -f /etc/authselect/user-nsswitch.conf /etc/authselect/custom/restored/nsswitch.conf ++ fi ++} ++ ++while getopts ':et:p:h' VAL ; do ++ case $VAL in ++ e ) EMPTY=1 ;; ++ p ) CONF_PATH="$OPTARG" ;; ++ t ) TEST="$OPTARG" ;; ++ : ) ++ echo "Необходим параметр - путь к опции $OPTARG" ++ exit 255 ++ ;; ++ * ) ++ echo "Неизвестный параметр $OPTARG" ++ exit 255 ++ ;; ++ esac ++done ++shift $((OPTIND -1)) ++ ++# Если заданный путь к кинфигурации authselect заканчивается на / ++# то удалим этот символ ++LAST_SYMBOL=${CONF_PATH: -1} ++if [ "$LAST_SYMBOL" = "/" ];then ++ CONF_PATH=${CONF_PATH%?} ++fi ++LAST_SYMBOL=${TEST: -1} ++if [ "$LAST_SYMBOL" = "/" ];then ++ TEST=${TEST%?} ++fi ++ ++if [ -z "$TEST" ];then ++ POLICY_CONFIG=/etc/crypto-policies/back-ends/auth.config ++else ++ POLICY_CONFIG="$TEST/auth.config" ++ if [[ "$POLICY_CONFIG" == "/*" ]];then ++ : ++ else ++ CUR_DIR=$(pwd) ++ 
POLICY_CONFIG="$CUR_DIR/$POLICY_CONFIG" ++ fi ++fi ++ ++PATH_TO_AUTH_SEL_BAK="$CONF_PATH/$AUTH_SEL_BAK" ++PATH_TO_AUTH_CONFIG="$CONF_PATH/$AUTH_CONFIG" ++ ++# Дополнительная проверка, файл authselect.conf не должен быть пустым ++# или соедржать слово empty--data, иначе это признак empty ++if [ -e "$PATH_TO_AUTH_CONFIG" ];then ++ AUTH_CONF_CONT=$(/usr/bin/cat "$POLICY_CONFIG" | /usr/bin/xargs) ++ if [ -z "$AUTH_CONF_CONT" -o "$AUTH_CONF_CONT" = "empty--data" ];then ++ EMPTY=1 ++ fi ++else ++ EMPTY=2 ++fi ++ ++# Проверим, нужно ли накладывать патч. Установлено ли это конфигурацией ++NEED_PATCH=0 ++if [ -e "$POLICY_CONFIG" ];then ++ RES=$(cat "$POLICY_CONFIG") ++ if [ "$RES" = "patch" ];then ++ NEED_PATCH=1 ++ fi ++fi ++ ++# Если задан параметр empty, это значит, что применяется профиль ++# без настройки для authselect, в этом случае нужно восстановить ++# старый заданный профиль ++# TODO: возможно даже воспользоватьс командой ++# authselect backup-restore auth_saved_profile ++# данный снимок создается при профиля через crypto-policy ++if [ "$EMPTY" = "1" ];then ++# Если есть файл authselect.patch, значит профиль был пропатчен, ++# а не установлен через профиль ++ if [ -e "$USE_PATCH" ];then ++ set_no_gost ++ /usr/bin/mv -f "$USE_PATCH" "$USE_PATCH.removed" ++ else ++ if [ -e "$PATH_TO_AUTH_SEL_BAK" ];then ++# Только root может восстанавливать конфигурацию из резервной копии ++# дабыизбежать подлога и восстановления файла, созданного пользователем ++ OWNER_UID=$(/usr/bin/stat -c "%u" "$PATH_TO_AUTH_SEL_BAK") ++ if [ "$OWNER_UID" = "0" ];then ++ /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG" ++ fi ++ AUTH_CONT=$(cat "$PATH_TO_AUTH_CONFIG") ++# Есди файл настроек authselect пустой после восстановления ++# значит он создан ранее скриптом и его нужно убрать ++ if [ -z "$AUTH_CONT" ];then ++ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed" ++ fi ++ else ++ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed" ++ fi ++ if [ 
-e "$PATH_TO_AUTH_CONFIG" ];then ++ /usr/bin/authselect apply-changes ++ else ++ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then ++ /usr/bin/authselect backup-restore "$AUTH_BACKUP_NAME" ++ else ++ if [ -e /etc/authselect/custom/resored ];then ++ /usr/bin/authselect select custom/restored --force ++ fi ++ fi ++ fi ++ fi ++ exit 0 ++fi ++ ++# Здесь проверяется куда указывает симлинк(если создан) конфигурационного файла ++# если он смотрит на policy конфигурационный файл, то ничего не делаем, т.к. все уже сделано до нас ++if [ "$EMPTY" = "2" ];then ++ if [ "$NEED_PATCH" = "1" ];then ++ set_gost ++ touch "$USE_PATCH" ++ else ++ OPTS_FOR_EXECUTE=$(get_auth_options) ++ if [ -n "$OPTS_FOR_EXECUTE" ];then ++ save_restored_profile ++ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then ++ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force ++ else ++ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force --backup=auth_saved_profile ++ fi ++ #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" ++ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" ++ /usr/bin/authselect apply-changes ++ touch "$PATH_TO_AUTH_SEL_BAK" ++ fi ++ fi ++else ++ if [ "$NEED_PATCH" = "1" ];then ++ set_gost ++ touch "$USE_PATCH" ++ else ++# Если не найден файл маркер, то создается файл бэкапа для authselect ++# а так же создается файл маркер ++ if [ ! -e "$PATH_TO_AUTH_SEL_BAK" ];then ++ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_SEL_BAK" ++ EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG") ++ if [ -n "$EMPTY_AUTH" ];then ++ if [ ! 
-e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then ++ /usr/bin/authselect apply-changes --backup="$AUTH_BACKUP_NAME" ++ fi ++ fi ++ fi ++ ++ #LINK_VALUE=$(/usr/bin/readlink "$PATH_TO_AUTH_CONFIG") ++ #if [ "$LINK_VALUE" != "$POLICY_CONFIG" ];then ++ # #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" ++ #fi ++ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" ++ /usr/bin/authselect apply-changes ++ fi ++fi ++ ++exit 0 +\ No newline at end of file +diff --git a/tests/alternative-policies/GOST-ONLY.pol b/tests/alternative-policies/GOST-ONLY.pol +new file mode 100644 +index 0000000..6238020 +--- /dev/null ++++ b/tests/alternative-policies/GOST-ONLY.pol +@@ -0,0 +1,30 @@ ++# Next generation GOST algorithms ++ ++mac = AEAD *STREEBOG* *-OMAC *-OMAC-ACPKM *GOST* ++ ++group = *GOST* ++ ++hash = *GOST* *STREEBOG* ++ ++sign = *GOST* ++ ++cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM ++ ++cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-C* ++ ++key_exchange = *GOST* ++ ++protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 ++ ++min_tls_version = TLS1.0 ++ ++# Parameter sizes ++# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL ++min_dh_size = 2048 ++min_dsa_size = 2048 ++min_rsa_size = 2048 ++ ++# GnuTLS only for now ++sha1_in_certs = 0 ++ ++action_do = GOST +diff --git a/tests/alternative-policies/modules/GOST.pmod b/tests/alternative-policies/modules/GOST.pmod +new file mode 100644 +index 0000000..4280cad +--- /dev/null ++++ b/tests/alternative-policies/modules/GOST.pmod +@@ -0,0 +1,18 @@ ++# Adds GOST algorithms. ++# This is an example subpolicy, the algorithm names might differ in reality. 
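Review bot: Two misspelled paths make branches dead: `USE_PATCH="$CONF_PATH/autheslect.patch"` (autheslect) and `if [ -e /etc/authselect/custom/resored ];then` (resored) — the second test never matches, so the `authselect select custom/restored --force` fallback can never run; the intended lines are `USE_PATCH="$CONF_PATH/authselect.patch"` and `if [ -e /etc/authselect/custom/restored ];then`. USE_PATCH is also assigned before `getopts`, so `-p` does not relocate it. Separately, `exec 1> /var/log/crypto-cmc/auth.log 2>&1` makes bash exit before anything else runs when that directory is missing, and because RELOAD_CMD in python/policygenerators/auth.py appends `2>/dev/null || :`, such a failure leaves the PAM stack unchanged with no error reaching the caller; create the directory first and append (`>>`) rather than truncate so earlier runs stay in the log. The unquoted `$OPTS_FOR_EXECUTE` relies on word splitting and is also subject to globbing, which `set -f` or an array would avoid.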
++
++mac = +*STREEBOG-* +*-OMAC +*-OMAC-ACPKM +GOST28147* +AEAD
++
++group = +*GOST*
++
++hash = +*STREEBOG* +*GOST*
++
++sign = +*GOST*
++
++cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM
++
++cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB
++
++key_exchange = +*GOST*
++
++action_do = +GOST
+\ No newline at end of file
+diff --git a/tests/gnutls.py b/tests/gnutls.py
+index 5833639..28db664 100755
+--- a/tests/gnutls.py
++++ b/tests/gnutls.py
+@@ -3,6 +3,7 @@
+ import os
+ import subprocess
+ import sys
++import re
+ from pathlib import Path
+ 
+ if os.getenv('OLD_GNUTLS') == '1':
+@@ -13,7 +14,7 @@ print('Checking the GnuTLS configuration')
+ 
+ for policy_path in Path('tests', 'outputs').glob('*-gnutls.txt'):
+ policy = policy_path.name.removesuffix('-gnutls.txt')
+- if policy == 'GOST-ONLY':
++ if re.match(r'^GOST-ONLY', policy):
+ continue
+ print(f'Checking policy {policy}')
+ 
+diff --git a/tests/java.py b/tests/java.py
+index 97968c7..52b2d87 100755
+--- a/tests/java.py
++++ b/tests/java.py
+@@ -2,6 +2,7 @@
+ 
+ import subprocess
+ import sys
++import re
+ from pathlib import Path
+ 
+ print('Checking the Java configuration')
+@@ -38,7 +39,7 @@ for policy_path in Path('tests', 'outputs').glob('*-java.txt'):
+ lines = out.split('\n')
+ line_count = out.count('\n')
+ 
+- if policy in {'EMPTY', 'GOST-ONLY'}:
++ if re.match(r'^GOST-ONLY', policy) or policy in {'EMPTY'}:
+ if line_count >= 2: # we allow SCSV # noqa: PLR2004
+ print('Empty policy has ciphersuites!', file=sys.stderr)
+ print(p.stdout, file=sys.stderr)
+diff --git a/tests/nss.py b/tests/nss.py
+index fda2275..f22c701 100755
+--- a/tests/nss.py
++++ b/tests/nss.py
+@@ -35,7 +35,7 @@ print('Checking the NSS configuration')
+ for policy_path in Path('tests', 'outputs').glob('*-nss.txt'):
+ policy = policy_path.name.removesuffix('-nss.txt')
+ 
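Review bot: The new skip test in tests/gnutls.py, `if re.match(r'^GOST-ONLY', policy):`, is a plain prefix check written as a regex: `re.match` already anchors at the start of the string, so the `^` is redundant, and the added `import re` exists only to serve this line; `if policy.startswith('GOST-ONLY'):` says the same thing without the import. The second hunk of tests/java.py uses the same construct and additionally tests `policy in {'EMPTY'}`, a one-element set membership that reads more clearly as `policy == 'EMPTY'`. The prefix match also silently skips any policy whose name begins with GOST-ONLY, while the tests/nss.py and tests/openssl.py hunks in this commit list `'GOST-ONLY-PAM'` explicitly — the four skip lists should use one form so that a future GOST-ONLY-* policy is either skipped everywhere or checked everywhere.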
print(f'Checking policy {policy}')
+- if policy not in {'EMPTY', 'GOST-ONLY'}:
++ if policy not in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM'):
+ try:
+ p = subprocess.run(['nss-policy-check', # noqa: S607
+ *options, policy_path],
+diff --git a/tests/openssl.py b/tests/openssl.py
+index c0504f6..69b2468 100755
+--- a/tests/openssl.py
++++ b/tests/openssl.py
+@@ -8,7 +8,7 @@ print('Checking the OpenSSL configuration')
+ 
+ for policy_path in Path('tests', 'outputs').glob('*-openssl.txt'):
+ policy = policy_path.name.removesuffix('-openssl.txt')
+- if policy in {'EMPTY', 'GOST-ONLY'}:
++ if policy in {'EMPTY', 'GOST-ONLY', "GOST-ONLY-PAM"}:
+ continue
+ print(f'Checking policy {policy}')
+ 
+diff --git a/tests/outputs/DEFAULT-auth.txt b/tests/outputs/DEFAULT-auth.txt
+new file mode 100644
+index 0000000..e69de29
+diff --git a/tests/outputs/DEFAULT:GOST-auth.txt b/tests/outputs/DEFAULT:GOST-auth.txt
+new file mode 100644
+index 0000000..e69de29
+diff --git a/tests/outputs/DEFAULT:GOST-bind.txt b/tests/outputs/DEFAULT:GOST-bind.txt
+new file mode 100644
+index 0000000..09fb3f1
+--- /dev/null
++++ b/tests/outputs/DEFAULT:GOST-bind.txt
+@@ -0,0 +1,10 @@
++disable-algorithms "." {
++RSAMD5;
++RSASHA1;
++NSEC3RSASHA1;
++DSA;
++NSEC3DSA;
++};
++disable-ds-digests "." 
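Review bot: The tests/nss.py hunk turns the skip list from a set literal into a tuple while only adding one member; keeping the set, `if policy not in {'EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM'}:`, leaves the line consistent with the openssl.py hunk below and with the membership tests elsewhere in these scripts. In the tests/openssl.py hunk the new entry `"GOST-ONLY-PAM"` is double-quoted next to two single-quoted members; the surrounding code uses single quotes throughout, so `'GOST-ONLY-PAM'` keeps the style (and ruff's quote check) uniform. Both are style points only; the behaviour of the two checks is unchanged by the suggested edits.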
{ ++SHA-1; ++}; +diff --git a/tests/outputs/DEFAULT:GOST-gnutls.txt b/tests/outputs/DEFAULT:GOST-gnutls.txt +new file mode 100644 +index 0000000..9a04550 +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-gnutls.txt +@@ -0,0 +1,105 @@ ++[global] ++override-mode = allowlist ++ ++[overrides] ++secure-hash = SHA256 ++secure-hash = SHA384 ++secure-hash = SHA512 ++secure-hash = SHA3-256 ++secure-hash = SHA3-384 ++secure-hash = SHA3-512 ++secure-hash = SHA224 ++secure-hash = SHA3-224 ++secure-hash = SHAKE-256 ++tls-enabled-mac = AEAD ++tls-enabled-mac = SHA1 ++tls-enabled-mac = SHA512 ++tls-enabled-group = GROUP-X25519 ++tls-enabled-group = GROUP-SECP256R1 ++tls-enabled-group = GROUP-X448 ++tls-enabled-group = GROUP-SECP521R1 ++tls-enabled-group = GROUP-SECP384R1 ++tls-enabled-group = GROUP-FFDHE2048 ++tls-enabled-group = GROUP-FFDHE3072 ++tls-enabled-group = GROUP-FFDHE4096 ++tls-enabled-group = GROUP-FFDHE6144 ++tls-enabled-group = GROUP-FFDHE8192 ++secure-sig = ECDSA-SHA3-256 ++secure-sig = ECDSA-SHA256 ++secure-sig = ECDSA-SECP256R1-SHA256 ++secure-sig = ECDSA-SHA3-384 ++secure-sig = ECDSA-SHA384 ++secure-sig = ECDSA-SECP384R1-SHA384 ++secure-sig = ECDSA-SHA3-512 ++secure-sig = ECDSA-SHA512 ++secure-sig = ECDSA-SECP521R1-SHA512 ++secure-sig = EdDSA-Ed25519 ++secure-sig = EdDSA-Ed448 ++secure-sig = RSA-PSS-SHA256 ++secure-sig = RSA-PSS-SHA384 ++secure-sig = RSA-PSS-SHA512 ++secure-sig = RSA-PSS-RSAE-SHA256 ++secure-sig = RSA-PSS-RSAE-SHA384 ++secure-sig = RSA-PSS-RSAE-SHA512 ++secure-sig = RSA-SHA3-256 ++secure-sig = RSA-SHA256 ++secure-sig = RSA-SHA3-384 ++secure-sig = RSA-SHA384 ++secure-sig = RSA-SHA3-512 ++secure-sig = RSA-SHA512 ++secure-sig = ECDSA-SHA224 ++secure-sig = RSA-SHA224 ++secure-sig = ECDSA-SHA3-224 ++secure-sig = RSA-SHA3-224 ++secure-sig-for-cert = ECDSA-SHA3-256 ++secure-sig-for-cert = ECDSA-SHA256 ++secure-sig-for-cert = ECDSA-SECP256R1-SHA256 ++secure-sig-for-cert = ECDSA-SHA3-384 ++secure-sig-for-cert = ECDSA-SHA384 ++secure-sig-for-cert = 
ECDSA-SECP384R1-SHA384 ++secure-sig-for-cert = ECDSA-SHA3-512 ++secure-sig-for-cert = ECDSA-SHA512 ++secure-sig-for-cert = ECDSA-SECP521R1-SHA512 ++secure-sig-for-cert = EdDSA-Ed25519 ++secure-sig-for-cert = EdDSA-Ed448 ++secure-sig-for-cert = RSA-PSS-SHA256 ++secure-sig-for-cert = RSA-PSS-SHA384 ++secure-sig-for-cert = RSA-PSS-SHA512 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA256 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA384 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA512 ++secure-sig-for-cert = RSA-SHA3-256 ++secure-sig-for-cert = RSA-SHA256 ++secure-sig-for-cert = RSA-SHA3-384 ++secure-sig-for-cert = RSA-SHA384 ++secure-sig-for-cert = RSA-SHA3-512 ++secure-sig-for-cert = RSA-SHA512 ++secure-sig-for-cert = ECDSA-SHA224 ++secure-sig-for-cert = RSA-SHA224 ++secure-sig-for-cert = ECDSA-SHA3-224 ++secure-sig-for-cert = RSA-SHA3-224 ++enabled-curve = X25519 ++enabled-curve = SECP256R1 ++enabled-curve = X448 ++enabled-curve = SECP521R1 ++enabled-curve = SECP384R1 ++enabled-curve = Ed25519 ++enabled-curve = Ed448 ++tls-enabled-cipher = AES-256-GCM ++tls-enabled-cipher = AES-256-CCM ++tls-enabled-cipher = CHACHA20-POLY1305 ++tls-enabled-cipher = AES-256-CBC ++tls-enabled-cipher = AES-128-GCM ++tls-enabled-cipher = AES-128-CCM ++tls-enabled-cipher = AES-128-CBC ++tls-enabled-kx = ECDHE-RSA ++tls-enabled-kx = ECDHE-ECDSA ++tls-enabled-kx = RSA ++tls-enabled-kx = DHE-RSA ++enabled-version = TLS1.3 ++enabled-version = TLS1.2 ++enabled-version = DTLS1.2 ++min-verification-profile = medium ++ ++[priorities] ++SYSTEM=NONE +diff --git a/tests/outputs/DEFAULT:GOST-java.txt b/tests/outputs/DEFAULT:GOST-java.txt +new file mode 100644 +index 0000000..ed6f632 +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-java.txt +@@ -0,0 +1,4 @@ ++jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA 
keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 ++jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 ++jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 ++jdk.tls.legacyAlgorithms= +diff --git a/tests/outputs/DEFAULT:GOST-javasystem.txt b/tests/outputs/DEFAULT:GOST-javasystem.txt +new file mode 100644 +index 0000000..7d5cfd6 +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-javasystem.txt +@@ -0,0 +1,2 @@ ++jdk.tls.ephemeralDHKeySize=2048 ++jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 +diff --git a/tests/outputs/DEFAULT:GOST-krb5.txt b/tests/outputs/DEFAULT:GOST-krb5.txt +new file mode 100644 +index 0000000..415dcb3 +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-krb5.txt +@@ -0,0 +1,2 @@ ++[libdefaults] ++permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 
aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 +diff --git a/tests/outputs/DEFAULT:GOST-libreswan.txt b/tests/outputs/DEFAULT:GOST-libreswan.txt +new file mode 100644 +index 0000000..9f2f5db +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-libreswan.txt +@@ -0,0 +1,6 @@ ++conn %default ++ ikev2=insist ++ pfs=yes ++ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 ++ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 ++ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 +diff --git a/tests/outputs/DEFAULT:GOST-libssh.txt b/tests/outputs/DEFAULT:GOST-libssh.txt +new file mode 100644 +index 0000000..49d8251 +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-libssh.txt +@@ -0,0 +1,5 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +diff --git a/tests/outputs/DEFAULT:GOST-nss.txt b/tests/outputs/DEFAULT:GOST-nss.txt +new file mode 100644 +index 0000000..b8bf74a +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-nss.txt +@@ -0,0 +1,6 @@ ++library= ++name=Policy ++NSS=flags=policyOnly,moduleDB ++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" ++ ++ +diff --git a/tests/outputs/DEFAULT:GOST-openssh.txt b/tests/outputs/DEFAULT:GOST-openssh.txt +new file mode 100644 +index 0000000..47d352e +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-openssh.txt +@@ -0,0 +1,7 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++PubkeyAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:GOST-opensshserver.txt b/tests/outputs/DEFAULT:GOST-opensshserver.txt +new file mode 100644 +index 0000000..8105750 +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-opensshserver.txt +@@ -0,0 +1,8 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:GOST-openssl.txt b/tests/outputs/DEFAULT:GOST-openssl.txt +new file mode 100644 +index 0000000..239566f +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-openssl.txt +@@ -0,0 +1 @@ ++@SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +diff --git a/tests/outputs/DEFAULT:GOST-openssl_fips.txt b/tests/outputs/DEFAULT:GOST-openssl_fips.txt +new file mode 100644 +index 0000000..c69d6e1 +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-openssl_fips.txt +@@ -0,0 +1,4 @@ ++ ++[fips_sect] ++tls1-prf-ems-check = 1 ++activate = 1 +diff --git a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt +new file mode 100644 +index 0000000..6fe6291 +--- /dev/null ++++ 
b/tests/outputs/DEFAULT:GOST-opensslcnf.txt +@@ -0,0 +1,20 @@ ++CipherString = @SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++Ciphersuites = GOST2012-GOST8912-GOST8912:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 ++TLS.MinProtocol = TLSv1.2 ++TLS.MaxProtocol = TLSv1.3 ++DTLS.MinProtocol = DTLSv1.2 ++DTLS.MaxProtocol = DTLSv1.2 ++SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 ++Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 ++ ++[openssl_init] ++engines = engine_gost ++ ++[engine_gost] ++gost = gost_section ++ ++[gost_section] ++engine_id = gost ++dynamic_path = /usr/lib64/engines-3/gost.so ++default_algorithms = ALL ++CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet +diff --git a/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt +new file mode 100644 +index 0000000..cec1d15 +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt +@@ -0,0 +1,51 @@ ++[hash_algorithms] ++md5.collision_resistance = "never" ++md5.second_preimage_resistance = "never" ++sha1.collision_resistance = "always" ++sha1.second_preimage_resistance = "always" ++ripemd160.collision_resistance = "never" ++ripemd160.second_preimage_resistance = "never" ++sha224.collision_resistance = "always" ++sha224.second_preimage_resistance = "always" ++sha256.collision_resistance = "always" ++sha256.second_preimage_resistance = "always" ++sha384.collision_resistance = "always" ++sha384.second_preimage_resistance = "always" ++sha512.collision_resistance = "always" ++sha512.second_preimage_resistance = "always" ++default_disposition = "never" ++ 
++[symmetric_algorithms] ++idea = "never" ++tripledes = "never" ++cast5 = "never" ++blowfish = "never" ++aes128 = "always" ++aes192 = "never" ++aes256 = "always" ++twofish = "never" ++camellia128 = "always" ++camellia192 = "never" ++camellia256 = "always" ++default_disposition = "never" ++ ++[asymmetric_algorithms] ++rsa1024 = "never" ++rsa2048 = "always" ++rsa3072 = "always" ++rsa4096 = "always" ++dsa1024 = "always" ++dsa2048 = "always" ++dsa3072 = "always" ++dsa4096 = "always" ++nistp256 = "always" ++nistp384 = "always" ++nistp521 = "always" ++cv25519 = "always" ++elgamal1024 = "never" ++elgamal2048 = "never" ++elgamal3072 = "never" ++elgamal4096 = "never" ++brainpoolp256 = "never" ++brainpoolp512 = "never" ++default_disposition = "never" +diff --git a/tests/outputs/DEFAULT:GOST-sequoia.txt b/tests/outputs/DEFAULT:GOST-sequoia.txt +new file mode 100644 +index 0000000..135997c +--- /dev/null ++++ b/tests/outputs/DEFAULT:GOST-sequoia.txt +@@ -0,0 +1,51 @@ ++[hash_algorithms] ++md5.collision_resistance = "never" ++md5.second_preimage_resistance = "never" ++sha1.collision_resistance = "never" ++sha1.second_preimage_resistance = "never" ++ripemd160.collision_resistance = "never" ++ripemd160.second_preimage_resistance = "never" ++sha224.collision_resistance = "always" ++sha224.second_preimage_resistance = "always" ++sha256.collision_resistance = "always" ++sha256.second_preimage_resistance = "always" ++sha384.collision_resistance = "always" ++sha384.second_preimage_resistance = "always" ++sha512.collision_resistance = "always" ++sha512.second_preimage_resistance = "always" ++default_disposition = "never" ++ ++[symmetric_algorithms] ++idea = "never" ++tripledes = "never" ++cast5 = "never" ++blowfish = "never" ++aes128 = "always" ++aes192 = "never" ++aes256 = "always" ++twofish = "never" ++camellia128 = "always" ++camellia192 = "never" ++camellia256 = "always" ++default_disposition = "never" ++ ++[asymmetric_algorithms] ++rsa1024 = "never" ++rsa2048 = "always" ++rsa3072 
= "always" ++rsa4096 = "always" ++dsa1024 = "never" ++dsa2048 = "never" ++dsa3072 = "never" ++dsa4096 = "never" ++nistp256 = "always" ++nistp384 = "always" ++nistp521 = "always" ++cv25519 = "always" ++elgamal1024 = "never" ++elgamal2048 = "never" ++elgamal3072 = "never" ++elgamal4096 = "never" ++brainpoolp256 = "never" ++brainpoolp512 = "never" ++default_disposition = "never" +diff --git a/tests/outputs/DEFAULT:PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PAM-GOST-auth.txt +new file mode 100644 +index 0000000..110527f +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-auth.txt +@@ -0,0 +1,2 @@ ++custom/minimal_gost ++with-gost +\ No newline at end of file +diff --git a/tests/outputs/DEFAULT:PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PAM-GOST-bind.txt +new file mode 100644 +index 0000000..9ec8420 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-bind.txt +@@ -0,0 +1,12 @@ ++disable-algorithms "." { ++RSAMD5; ++RSASHA1; ++NSEC3RSASHA1; ++DSA; ++NSEC3DSA; ++ECCGOST; ++}; ++disable-ds-digests "." 
{ ++SHA-1; ++GOST; ++}; +diff --git a/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt +new file mode 100644 +index 0000000..9a04550 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt +@@ -0,0 +1,105 @@ ++[global] ++override-mode = allowlist ++ ++[overrides] ++secure-hash = SHA256 ++secure-hash = SHA384 ++secure-hash = SHA512 ++secure-hash = SHA3-256 ++secure-hash = SHA3-384 ++secure-hash = SHA3-512 ++secure-hash = SHA224 ++secure-hash = SHA3-224 ++secure-hash = SHAKE-256 ++tls-enabled-mac = AEAD ++tls-enabled-mac = SHA1 ++tls-enabled-mac = SHA512 ++tls-enabled-group = GROUP-X25519 ++tls-enabled-group = GROUP-SECP256R1 ++tls-enabled-group = GROUP-X448 ++tls-enabled-group = GROUP-SECP521R1 ++tls-enabled-group = GROUP-SECP384R1 ++tls-enabled-group = GROUP-FFDHE2048 ++tls-enabled-group = GROUP-FFDHE3072 ++tls-enabled-group = GROUP-FFDHE4096 ++tls-enabled-group = GROUP-FFDHE6144 ++tls-enabled-group = GROUP-FFDHE8192 ++secure-sig = ECDSA-SHA3-256 ++secure-sig = ECDSA-SHA256 ++secure-sig = ECDSA-SECP256R1-SHA256 ++secure-sig = ECDSA-SHA3-384 ++secure-sig = ECDSA-SHA384 ++secure-sig = ECDSA-SECP384R1-SHA384 ++secure-sig = ECDSA-SHA3-512 ++secure-sig = ECDSA-SHA512 ++secure-sig = ECDSA-SECP521R1-SHA512 ++secure-sig = EdDSA-Ed25519 ++secure-sig = EdDSA-Ed448 ++secure-sig = RSA-PSS-SHA256 ++secure-sig = RSA-PSS-SHA384 ++secure-sig = RSA-PSS-SHA512 ++secure-sig = RSA-PSS-RSAE-SHA256 ++secure-sig = RSA-PSS-RSAE-SHA384 ++secure-sig = RSA-PSS-RSAE-SHA512 ++secure-sig = RSA-SHA3-256 ++secure-sig = RSA-SHA256 ++secure-sig = RSA-SHA3-384 ++secure-sig = RSA-SHA384 ++secure-sig = RSA-SHA3-512 ++secure-sig = RSA-SHA512 ++secure-sig = ECDSA-SHA224 ++secure-sig = RSA-SHA224 ++secure-sig = ECDSA-SHA3-224 ++secure-sig = RSA-SHA3-224 ++secure-sig-for-cert = ECDSA-SHA3-256 ++secure-sig-for-cert = ECDSA-SHA256 ++secure-sig-for-cert = ECDSA-SECP256R1-SHA256 ++secure-sig-for-cert = ECDSA-SHA3-384 ++secure-sig-for-cert = ECDSA-SHA384 
++secure-sig-for-cert = ECDSA-SECP384R1-SHA384 ++secure-sig-for-cert = ECDSA-SHA3-512 ++secure-sig-for-cert = ECDSA-SHA512 ++secure-sig-for-cert = ECDSA-SECP521R1-SHA512 ++secure-sig-for-cert = EdDSA-Ed25519 ++secure-sig-for-cert = EdDSA-Ed448 ++secure-sig-for-cert = RSA-PSS-SHA256 ++secure-sig-for-cert = RSA-PSS-SHA384 ++secure-sig-for-cert = RSA-PSS-SHA512 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA256 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA384 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA512 ++secure-sig-for-cert = RSA-SHA3-256 ++secure-sig-for-cert = RSA-SHA256 ++secure-sig-for-cert = RSA-SHA3-384 ++secure-sig-for-cert = RSA-SHA384 ++secure-sig-for-cert = RSA-SHA3-512 ++secure-sig-for-cert = RSA-SHA512 ++secure-sig-for-cert = ECDSA-SHA224 ++secure-sig-for-cert = RSA-SHA224 ++secure-sig-for-cert = ECDSA-SHA3-224 ++secure-sig-for-cert = RSA-SHA3-224 ++enabled-curve = X25519 ++enabled-curve = SECP256R1 ++enabled-curve = X448 ++enabled-curve = SECP521R1 ++enabled-curve = SECP384R1 ++enabled-curve = Ed25519 ++enabled-curve = Ed448 ++tls-enabled-cipher = AES-256-GCM ++tls-enabled-cipher = AES-256-CCM ++tls-enabled-cipher = CHACHA20-POLY1305 ++tls-enabled-cipher = AES-256-CBC ++tls-enabled-cipher = AES-128-GCM ++tls-enabled-cipher = AES-128-CCM ++tls-enabled-cipher = AES-128-CBC ++tls-enabled-kx = ECDHE-RSA ++tls-enabled-kx = ECDHE-ECDSA ++tls-enabled-kx = RSA ++tls-enabled-kx = DHE-RSA ++enabled-version = TLS1.3 ++enabled-version = TLS1.2 ++enabled-version = DTLS1.2 ++min-verification-profile = medium ++ ++[priorities] ++SYSTEM=NONE +diff --git a/tests/outputs/DEFAULT:PAM-GOST-java.txt b/tests/outputs/DEFAULT:PAM-GOST-java.txt +new file mode 100644 +index 0000000..ed6f632 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-java.txt +@@ -0,0 +1,4 @@ ++jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, 
SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 ++jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 ++jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 ++jdk.tls.legacyAlgorithms= +diff --git a/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt +new file mode 100644 +index 0000000..7d5cfd6 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt +@@ -0,0 +1,2 @@ ++jdk.tls.ephemeralDHKeySize=2048 ++jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 +diff --git a/tests/outputs/DEFAULT:PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt +new file mode 100644 +index 0000000..415dcb3 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt +@@ -0,0 +1,2 @@ ++[libdefaults] ++permitted_enctypes = 
aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 +diff --git a/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt +new file mode 100644 +index 0000000..9f2f5db +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt +@@ -0,0 +1,6 @@ ++conn %default ++ ikev2=insist ++ pfs=yes ++ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 ++ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 ++ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 +diff --git a/tests/outputs/DEFAULT:PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt +new file mode 100644 +index 0000000..49d8251 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt +@@ -0,0 +1,5 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +diff --git a/tests/outputs/DEFAULT:PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PAM-GOST-nss.txt +new file mode 100644 +index 0000000..b8bf74a +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-nss.txt +@@ -0,0 +1,6 @@ ++library= ++name=Policy ++NSS=flags=policyOnly,moduleDB ++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" ++ ++ +diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt +new file mode 100644 +index 0000000..47d352e +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt +@@ -0,0 +1,7 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++PubkeyAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt +new file mode 100644 +index 0000000..8105750 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt +@@ -0,0 +1,8 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt +new file mode 100644 +index 0000000..952c651 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt +@@ -0,0 +1 @@ ++@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt +new file mode 100644 +index 0000000..c69d6e1 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt +@@ -0,0 +1,4 @@ ++ ++[fips_sect] ++tls1-prf-ems-check = 1 ++activate = 1 +diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt +new file mode 100644 +index 0000000..8f18d1e 
+--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt +@@ -0,0 +1,8 @@ ++CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 ++TLS.MinProtocol = TLSv1.2 ++TLS.MaxProtocol = TLSv1.3 ++DTLS.MinProtocol = DTLSv1.2 ++DTLS.MaxProtocol = DTLSv1.2 ++SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 ++Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt +new file mode 100644 +index 0000000..dbcae14 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt +@@ -0,0 +1 @@ ++patch +\ No newline at end of file +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt +new file mode 100644 +index 0000000..9ec8420 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt +@@ -0,0 +1,12 @@ ++disable-algorithms "." { ++RSAMD5; ++RSASHA1; ++NSEC3RSASHA1; ++DSA; ++NSEC3DSA; ++ECCGOST; ++}; ++disable-ds-digests "." 
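Review bot: The expected auth back-end output for DEFAULT:PATCH-PAM-GOST is the bare token `patch` with no terminating newline, which reads as an instruction to the policy applier (presumably scripts/auth_apply.sh, not visible here) to edit PAM stack files in place rather than to select an authselect profile. A back-end file that drives in-place edits of /etc/pam.d content needs a stated contract the fixture does not convey: what gets patched, how it is reverted when the policy is switched back, and that the consumer matches the exact token instead of treating any non-empty file as a trigger, given that the other `-auth.txt` fixtures added in this patch are empty. I would spell this out in the PATCH-PAM-GOST.pmod description and have the auth generator terminate its output with a newline so the fixture is shaped like the other back-end outputs. The generator in python/policygenerators/auth.py is outside this hunk.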
{ ++SHA-1; ++GOST; ++}; +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt +new file mode 100644 +index 0000000..9a04550 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt +@@ -0,0 +1,105 @@ ++[global] ++override-mode = allowlist ++ ++[overrides] ++secure-hash = SHA256 ++secure-hash = SHA384 ++secure-hash = SHA512 ++secure-hash = SHA3-256 ++secure-hash = SHA3-384 ++secure-hash = SHA3-512 ++secure-hash = SHA224 ++secure-hash = SHA3-224 ++secure-hash = SHAKE-256 ++tls-enabled-mac = AEAD ++tls-enabled-mac = SHA1 ++tls-enabled-mac = SHA512 ++tls-enabled-group = GROUP-X25519 ++tls-enabled-group = GROUP-SECP256R1 ++tls-enabled-group = GROUP-X448 ++tls-enabled-group = GROUP-SECP521R1 ++tls-enabled-group = GROUP-SECP384R1 ++tls-enabled-group = GROUP-FFDHE2048 ++tls-enabled-group = GROUP-FFDHE3072 ++tls-enabled-group = GROUP-FFDHE4096 ++tls-enabled-group = GROUP-FFDHE6144 ++tls-enabled-group = GROUP-FFDHE8192 ++secure-sig = ECDSA-SHA3-256 ++secure-sig = ECDSA-SHA256 ++secure-sig = ECDSA-SECP256R1-SHA256 ++secure-sig = ECDSA-SHA3-384 ++secure-sig = ECDSA-SHA384 ++secure-sig = ECDSA-SECP384R1-SHA384 ++secure-sig = ECDSA-SHA3-512 ++secure-sig = ECDSA-SHA512 ++secure-sig = ECDSA-SECP521R1-SHA512 ++secure-sig = EdDSA-Ed25519 ++secure-sig = EdDSA-Ed448 ++secure-sig = RSA-PSS-SHA256 ++secure-sig = RSA-PSS-SHA384 ++secure-sig = RSA-PSS-SHA512 ++secure-sig = RSA-PSS-RSAE-SHA256 ++secure-sig = RSA-PSS-RSAE-SHA384 ++secure-sig = RSA-PSS-RSAE-SHA512 ++secure-sig = RSA-SHA3-256 ++secure-sig = RSA-SHA256 ++secure-sig = RSA-SHA3-384 ++secure-sig = RSA-SHA384 ++secure-sig = RSA-SHA3-512 ++secure-sig = RSA-SHA512 ++secure-sig = ECDSA-SHA224 ++secure-sig = RSA-SHA224 ++secure-sig = ECDSA-SHA3-224 ++secure-sig = RSA-SHA3-224 ++secure-sig-for-cert = ECDSA-SHA3-256 ++secure-sig-for-cert = ECDSA-SHA256 ++secure-sig-for-cert = ECDSA-SECP256R1-SHA256 ++secure-sig-for-cert = ECDSA-SHA3-384 ++secure-sig-for-cert = 
ECDSA-SHA384 ++secure-sig-for-cert = ECDSA-SECP384R1-SHA384 ++secure-sig-for-cert = ECDSA-SHA3-512 ++secure-sig-for-cert = ECDSA-SHA512 ++secure-sig-for-cert = ECDSA-SECP521R1-SHA512 ++secure-sig-for-cert = EdDSA-Ed25519 ++secure-sig-for-cert = EdDSA-Ed448 ++secure-sig-for-cert = RSA-PSS-SHA256 ++secure-sig-for-cert = RSA-PSS-SHA384 ++secure-sig-for-cert = RSA-PSS-SHA512 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA256 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA384 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA512 ++secure-sig-for-cert = RSA-SHA3-256 ++secure-sig-for-cert = RSA-SHA256 ++secure-sig-for-cert = RSA-SHA3-384 ++secure-sig-for-cert = RSA-SHA384 ++secure-sig-for-cert = RSA-SHA3-512 ++secure-sig-for-cert = RSA-SHA512 ++secure-sig-for-cert = ECDSA-SHA224 ++secure-sig-for-cert = RSA-SHA224 ++secure-sig-for-cert = ECDSA-SHA3-224 ++secure-sig-for-cert = RSA-SHA3-224 ++enabled-curve = X25519 ++enabled-curve = SECP256R1 ++enabled-curve = X448 ++enabled-curve = SECP521R1 ++enabled-curve = SECP384R1 ++enabled-curve = Ed25519 ++enabled-curve = Ed448 ++tls-enabled-cipher = AES-256-GCM ++tls-enabled-cipher = AES-256-CCM ++tls-enabled-cipher = CHACHA20-POLY1305 ++tls-enabled-cipher = AES-256-CBC ++tls-enabled-cipher = AES-128-GCM ++tls-enabled-cipher = AES-128-CCM ++tls-enabled-cipher = AES-128-CBC ++tls-enabled-kx = ECDHE-RSA ++tls-enabled-kx = ECDHE-ECDSA ++tls-enabled-kx = RSA ++tls-enabled-kx = DHE-RSA ++enabled-version = TLS1.3 ++enabled-version = TLS1.2 ++enabled-version = DTLS1.2 ++min-verification-profile = medium ++ ++[priorities] ++SYSTEM=NONE +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt +new file mode 100644 +index 0000000..ed6f632 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt +@@ -0,0 +1,4 @@ ++jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, 
SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 ++jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 ++jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 ++jdk.tls.legacyAlgorithms= +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt +new file mode 100644 +index 0000000..7d5cfd6 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt +@@ -0,0 +1,2 @@ ++jdk.tls.ephemeralDHKeySize=2048 ++jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt +new file mode 100644 +index 0000000..415dcb3 +--- /dev/null ++++ 
b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt +@@ -0,0 +1,2 @@ ++[libdefaults] ++permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt +new file mode 100644 +index 0000000..9f2f5db +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt +@@ -0,0 +1,6 @@ ++conn %default ++ ikev2=insist ++ pfs=yes ++ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 ++ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 ++ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt +new file mode 100644 +index 0000000..49d8251 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt +@@ -0,0 +1,5 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt +new file mode 100644 +index 0000000..b8bf74a +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt +@@ -0,0 +1,6 @@ ++library= ++name=Policy ++NSS=flags=policyOnly,moduleDB ++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" ++ ++ +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt +new file mode 100644 +index 0000000..47d352e +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt +@@ -0,0 +1,7 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt +new file mode 100644 +index 0000000..8105750 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt +@@ -0,0 +1,8 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt +new file mode 100644 +index 0000000..952c651 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt +@@ -0,0 +1 @@ ++@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt +new file mode 100644 +index 0000000..c69d6e1 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt +@@ -0,0 +1,4 @@ ++ ++[fips_sect] ++tls1-prf-ems-check = 1 ++activate = 1 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt 
b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt +new file mode 100644 +index 0000000..8f18d1e +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt +@@ -0,0 +1,8 @@ ++CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 ++TLS.MinProtocol = TLSv1.2 ++TLS.MaxProtocol = TLSv1.3 ++DTLS.MinProtocol = DTLSv1.2 ++DTLS.MaxProtocol = DTLSv1.2 ++SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 ++Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +diff --git a/tests/outputs/DEFAULT:SHA1-auth.txt b/tests/outputs/DEFAULT:SHA1-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt +new file mode 100644 +index 0000000..4884073 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt +@@ -0,0 +1,4 @@ ++custom/sssd_gost ++with-gost ++with-fingerprint ++with-silent-lastlog +\ No newline at end of file +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt +new file mode 100644 +index 0000000..9ec8420 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt +@@ -0,0 +1,12 @@ ++disable-algorithms "." { ++RSAMD5; ++RSASHA1; ++NSEC3RSASHA1; ++DSA; ++NSEC3DSA; ++ECCGOST; ++}; ++disable-ds-digests "." 
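Review bot: The expected auth back-end output for DEFAULT:SSSD-PAM-GOST fixes the authselect selection to `custom/sssd_gost` with `with-gost with-fingerprint with-silent-lastlog`, so applying this crypto-policy module also enables fingerprint authentication in the PAM stack — a change to which credentials can log a user in, not merely to which algorithms are permitted, and neither the module name nor the fixture signals it. If that is deliberate, the SSSD-PAM-GOST.pmod module and the sssd_gost authselect README (outside this hunk) should say so and why; if not, `with-fingerprint` should be dropped from the generator output and this fixture. The file also ends without a newline, so whatever parses it line by line must tolerate an unterminated last feature. I cannot see python/policygenerators/auth.py or scripts/auth_apply.sh here, so how these four lines are consumed is inferred from their shape.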
{ ++SHA-1; ++GOST; ++}; +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt +new file mode 100644 +index 0000000..9a04550 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt +@@ -0,0 +1,105 @@ ++[global] ++override-mode = allowlist ++ ++[overrides] ++secure-hash = SHA256 ++secure-hash = SHA384 ++secure-hash = SHA512 ++secure-hash = SHA3-256 ++secure-hash = SHA3-384 ++secure-hash = SHA3-512 ++secure-hash = SHA224 ++secure-hash = SHA3-224 ++secure-hash = SHAKE-256 ++tls-enabled-mac = AEAD ++tls-enabled-mac = SHA1 ++tls-enabled-mac = SHA512 ++tls-enabled-group = GROUP-X25519 ++tls-enabled-group = GROUP-SECP256R1 ++tls-enabled-group = GROUP-X448 ++tls-enabled-group = GROUP-SECP521R1 ++tls-enabled-group = GROUP-SECP384R1 ++tls-enabled-group = GROUP-FFDHE2048 ++tls-enabled-group = GROUP-FFDHE3072 ++tls-enabled-group = GROUP-FFDHE4096 ++tls-enabled-group = GROUP-FFDHE6144 ++tls-enabled-group = GROUP-FFDHE8192 ++secure-sig = ECDSA-SHA3-256 ++secure-sig = ECDSA-SHA256 ++secure-sig = ECDSA-SECP256R1-SHA256 ++secure-sig = ECDSA-SHA3-384 ++secure-sig = ECDSA-SHA384 ++secure-sig = ECDSA-SECP384R1-SHA384 ++secure-sig = ECDSA-SHA3-512 ++secure-sig = ECDSA-SHA512 ++secure-sig = ECDSA-SECP521R1-SHA512 ++secure-sig = EdDSA-Ed25519 ++secure-sig = EdDSA-Ed448 ++secure-sig = RSA-PSS-SHA256 ++secure-sig = RSA-PSS-SHA384 ++secure-sig = RSA-PSS-SHA512 ++secure-sig = RSA-PSS-RSAE-SHA256 ++secure-sig = RSA-PSS-RSAE-SHA384 ++secure-sig = RSA-PSS-RSAE-SHA512 ++secure-sig = RSA-SHA3-256 ++secure-sig = RSA-SHA256 ++secure-sig = RSA-SHA3-384 ++secure-sig = RSA-SHA384 ++secure-sig = RSA-SHA3-512 ++secure-sig = RSA-SHA512 ++secure-sig = ECDSA-SHA224 ++secure-sig = RSA-SHA224 ++secure-sig = ECDSA-SHA3-224 ++secure-sig = RSA-SHA3-224 ++secure-sig-for-cert = ECDSA-SHA3-256 ++secure-sig-for-cert = ECDSA-SHA256 ++secure-sig-for-cert = ECDSA-SECP256R1-SHA256 ++secure-sig-for-cert = ECDSA-SHA3-384 ++secure-sig-for-cert = 
ECDSA-SHA384 ++secure-sig-for-cert = ECDSA-SECP384R1-SHA384 ++secure-sig-for-cert = ECDSA-SHA3-512 ++secure-sig-for-cert = ECDSA-SHA512 ++secure-sig-for-cert = ECDSA-SECP521R1-SHA512 ++secure-sig-for-cert = EdDSA-Ed25519 ++secure-sig-for-cert = EdDSA-Ed448 ++secure-sig-for-cert = RSA-PSS-SHA256 ++secure-sig-for-cert = RSA-PSS-SHA384 ++secure-sig-for-cert = RSA-PSS-SHA512 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA256 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA384 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA512 ++secure-sig-for-cert = RSA-SHA3-256 ++secure-sig-for-cert = RSA-SHA256 ++secure-sig-for-cert = RSA-SHA3-384 ++secure-sig-for-cert = RSA-SHA384 ++secure-sig-for-cert = RSA-SHA3-512 ++secure-sig-for-cert = RSA-SHA512 ++secure-sig-for-cert = ECDSA-SHA224 ++secure-sig-for-cert = RSA-SHA224 ++secure-sig-for-cert = ECDSA-SHA3-224 ++secure-sig-for-cert = RSA-SHA3-224 ++enabled-curve = X25519 ++enabled-curve = SECP256R1 ++enabled-curve = X448 ++enabled-curve = SECP521R1 ++enabled-curve = SECP384R1 ++enabled-curve = Ed25519 ++enabled-curve = Ed448 ++tls-enabled-cipher = AES-256-GCM ++tls-enabled-cipher = AES-256-CCM ++tls-enabled-cipher = CHACHA20-POLY1305 ++tls-enabled-cipher = AES-256-CBC ++tls-enabled-cipher = AES-128-GCM ++tls-enabled-cipher = AES-128-CCM ++tls-enabled-cipher = AES-128-CBC ++tls-enabled-kx = ECDHE-RSA ++tls-enabled-kx = ECDHE-ECDSA ++tls-enabled-kx = RSA ++tls-enabled-kx = DHE-RSA ++enabled-version = TLS1.3 ++enabled-version = TLS1.2 ++enabled-version = DTLS1.2 ++min-verification-profile = medium ++ ++[priorities] ++SYSTEM=NONE +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt +new file mode 100644 +index 0000000..ed6f632 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt +@@ -0,0 +1,4 @@ ++jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, 
SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 ++jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 ++jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 ++jdk.tls.legacyAlgorithms= +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt +new file mode 100644 +index 0000000..7d5cfd6 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt +@@ -0,0 +1,2 @@ ++jdk.tls.ephemeralDHKeySize=2048 ++jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt +new file mode 100644 +index 0000000..415dcb3 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt +@@ 
-0,0 +1,2 @@ ++[libdefaults] ++permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt +new file mode 100644 +index 0000000..9f2f5db +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt +@@ -0,0 +1,6 @@ ++conn %default ++ ikev2=insist ++ pfs=yes ++ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 ++ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 ++ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt +new file mode 100644 +index 0000000..49d8251 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt +@@ -0,0 +1,5 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt +new file mode 100644 +index 0000000..b8bf74a +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt +@@ -0,0 +1,6 @@ ++library= ++name=Policy ++NSS=flags=policyOnly,moduleDB ++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" ++ ++ +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt +new file mode 100644 +index 0000000..47d352e +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt +@@ -0,0 +1,7 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt +new file mode 100644 +index 0000000..8105750 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt +@@ -0,0 +1,8 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt +new file mode 100644 +index 0000000..952c651 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt +@@ -0,0 +1 @@ ++@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt +new file mode 100644 +index 0000000..c69d6e1 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt +@@ -0,0 +1,4 @@ ++ ++[fips_sect] ++tls1-prf-ems-check = 1 ++activate = 1 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt +new 
file mode 100644 +index 0000000..8f18d1e +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt +@@ -0,0 +1,8 @@ ++CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 ++TLS.MinProtocol = TLSv1.2 ++TLS.MaxProtocol = TLSv1.3 ++DTLS.MinProtocol = DTLSv1.2 ++DTLS.MaxProtocol = DTLSv1.2 ++SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 ++Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +diff --git a/tests/outputs/EMPTY-auth.txt b/tests/outputs/EMPTY-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FIPS-auth.txt b/tests/outputs/FIPS-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FIPS:ECDHE-ONLY-auth.txt b/tests/outputs/FIPS:ECDHE-ONLY-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt b/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FIPS:OSPP-auth.txt b/tests/outputs/FIPS:OSPP-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FUTURE-auth.txt b/tests/outputs/FUTURE-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FUTURE:AD-SUPPORT-auth.txt b/tests/outputs/FUTURE:AD-SUPPORT-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/GOST-ONLY-PAM-auth.txt b/tests/outputs/GOST-ONLY-PAM-auth.txt +new file mode 100644 +index 0000000..110527f +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-auth.txt 
+@@ -0,0 +1,2 @@ ++custom/minimal_gost ++with-gost +\ No newline at end of file +diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt +new file mode 100644 +index 0000000..e701c5c +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-bind.txt +@@ -0,0 +1,18 @@ ++disable-algorithms "." { ++RSAMD5; ++RSASHA1; ++NSEC3RSASHA1; ++DSA; ++NSEC3DSA; ++RSASHA256; ++ECDSAP256SHA256; ++ECDSAP384SHA384; ++RSASHA512; ++ED25519; ++ED448; ++}; ++disable-ds-digests "." { ++SHA-256; ++SHA-384; ++SHA-1; ++}; +diff --git a/tests/outputs/GOST-ONLY-PAM-gnutls.txt b/tests/outputs/GOST-ONLY-PAM-gnutls.txt +new file mode 100644 +index 0000000..59c9ae0 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-gnutls.txt +@@ -0,0 +1,13 @@ ++[global] ++override-mode = allowlist ++ ++[overrides] ++tls-enabled-mac = AEAD ++enabled-version = TLS1.3 ++enabled-version = TLS1.2 ++enabled-version = TLS1.1 ++enabled-version = TLS1.0 ++min-verification-profile = medium ++ ++[priorities] ++SYSTEM=NONE +diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt +new file mode 100644 +index 0000000..a306242 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-java.txt +@@ -0,0 +1,4 @@ ++jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5 ++jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, 
SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, SSLv3, SSLv2, DTLSv1.0, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5 ++jdk.disabled.namedCurves=x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 ++jdk.tls.legacyAlgorithms= +diff --git a/tests/outputs/GOST-ONLY-PAM-javasystem.txt b/tests/outputs/GOST-ONLY-PAM-javasystem.txt +new file mode 100644 +index 0000000..408e8dd +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-javasystem.txt +@@ -0,0 +1,2 @@ 
++jdk.tls.ephemeralDHKeySize=2048 ++jdk.tls.namedGroups= +diff --git a/tests/outputs/GOST-ONLY-PAM-krb5.txt b/tests/outputs/GOST-ONLY-PAM-krb5.txt +new file mode 100644 +index 0000000..b0b1480 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-krb5.txt +@@ -0,0 +1,2 @@ ++[libdefaults] ++permitted_enctypes = +diff --git a/tests/outputs/GOST-ONLY-PAM-libreswan.txt b/tests/outputs/GOST-ONLY-PAM-libreswan.txt +new file mode 100644 +index 0000000..7dc12cd +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-libreswan.txt +@@ -0,0 +1,2 @@ ++conn %default ++ pfs=yes +diff --git a/tests/outputs/GOST-ONLY-PAM-libssh.txt b/tests/outputs/GOST-ONLY-PAM-libssh.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/GOST-ONLY-PAM-nss.txt b/tests/outputs/GOST-ONLY-PAM-nss.txt +new file mode 100644 +index 0000000..bf6f1ca +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-nss.txt +@@ -0,0 +1,6 @@ ++library= ++name=Policy ++NSS=flags=policyOnly,moduleDB ++config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" ++ ++ +diff --git a/tests/outputs/GOST-ONLY-PAM-openssh.txt b/tests/outputs/GOST-ONLY-PAM-openssh.txt +new file mode 100644 +index 0000000..89e06ad +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-openssh.txt +@@ -0,0 +1,2 @@ ++GSSAPIKeyExchange no ++RequiredRSASize 2048 +diff --git a/tests/outputs/GOST-ONLY-PAM-opensshserver.txt b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt +new file mode 100644 +index 0000000..89e06ad +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt +@@ -0,0 +1,2 @@ ++GSSAPIKeyExchange no ++RequiredRSASize 2048 +diff --git a/tests/outputs/GOST-ONLY-PAM-openssl.txt b/tests/outputs/GOST-ONLY-PAM-openssl.txt +new file mode 100644 +index 0000000..abeab8c +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-openssl.txt +@@ -0,0 +1 @@ 
++@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +diff --git a/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt +new file mode 100644 +index 0000000..c69d6e1 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt +@@ -0,0 +1,4 @@ ++ ++[fips_sect] ++tls1-prf-ems-check = 1 ++activate = 1 +diff --git a/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt +new file mode 100644 +index 0000000..c5c1f47 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt +@@ -0,0 +1,18 @@ ++CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++Ciphersuites = GOST2012-GOST8912-GOST8912 ++TLS.MinProtocol = TLSv1 ++TLS.MaxProtocol = TLSv1.3 ++SignatureAlgorithms = ++Groups = ++ ++[openssl_init] ++engines = engine_gost ++ ++[engine_gost] ++gost = gost_section ++ ++[gost_section] ++engine_id = gost ++dynamic_path = /usr/lib64/engines-3/gost.so ++default_algorithms = ALL ++CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet +diff --git a/tests/outputs/GOST-ONLY-auth.txt b/tests/outputs/GOST-ONLY-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt +new file mode 100644 +index 0000000..e701c5c +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-bind.txt +@@ -0,0 +1,18 @@ ++disable-algorithms "." { ++RSAMD5; ++RSASHA1; ++NSEC3RSASHA1; ++DSA; ++NSEC3DSA; ++RSASHA256; ++ECDSAP256SHA256; ++ECDSAP384SHA384; ++RSASHA512; ++ED25519; ++ED448; ++}; ++disable-ds-digests "." 
{ ++SHA-256; ++SHA-384; ++SHA-1; ++}; +diff --git a/tests/outputs/GOST-ONLY-gnutls.txt b/tests/outputs/GOST-ONLY-gnutls.txt +new file mode 100644 +index 0000000..59c9ae0 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-gnutls.txt +@@ -0,0 +1,13 @@ ++[global] ++override-mode = allowlist ++ ++[overrides] ++tls-enabled-mac = AEAD ++enabled-version = TLS1.3 ++enabled-version = TLS1.2 ++enabled-version = TLS1.1 ++enabled-version = TLS1.0 ++min-verification-profile = medium ++ ++[priorities] ++SYSTEM=NONE +diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt +new file mode 100644 +index 0000000..a306242 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-java.txt +@@ -0,0 +1,4 @@ ++jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5 ++jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, SSLv3, SSLv2, DTLSv1.0, RSAPSK, ECDHE, 
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5 ++jdk.disabled.namedCurves=x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 ++jdk.tls.legacyAlgorithms= +diff --git a/tests/outputs/GOST-ONLY-javasystem.txt b/tests/outputs/GOST-ONLY-javasystem.txt +new file mode 100644 +index 0000000..408e8dd +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-javasystem.txt +@@ -0,0 +1,2 @@ ++jdk.tls.ephemeralDHKeySize=2048 ++jdk.tls.namedGroups= +diff --git a/tests/outputs/GOST-ONLY-krb5.txt b/tests/outputs/GOST-ONLY-krb5.txt +new file mode 100644 +index 0000000..b0b1480 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-krb5.txt +@@ -0,0 +1,2 @@ ++[libdefaults] ++permitted_enctypes = +diff --git a/tests/outputs/GOST-ONLY-libreswan.txt b/tests/outputs/GOST-ONLY-libreswan.txt +new file mode 100644 +index 0000000..7dc12cd +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-libreswan.txt +@@ -0,0 +1,2 @@ ++conn %default 
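Review bot: `MD5withECDSARIPEMD160withRSA` in both `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms` is one fused token where two names were presumably intended, and Java silently ignores unknown entries, so neither `MD5withECDSA` nor `RIPEMD160withRSA` is actually disabled even though every other MD5/RIPEMD160 combination is. The same token appears in the GOST-ONLY-PAM-java expectation above, so unless this is a rendering artifact of the page it is what the java generator really emits, and the fix belongs in the generator's signature-name table (java.py is not among the files this patch touches) rather than in these files. The expected line should then read `... MD5withDSA, MD5withECDSA, RIPEMD160withRSA, RIPEMD160withECDSA, ...`; blessing the fused form in a new expected-output file locks the gap in.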
++ pfs=yes +diff --git a/tests/outputs/GOST-ONLY-libssh.txt b/tests/outputs/GOST-ONLY-libssh.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/GOST-ONLY-nss.txt b/tests/outputs/GOST-ONLY-nss.txt +new file mode 100644 +index 0000000..bf6f1ca +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-nss.txt +@@ -0,0 +1,6 @@ ++library= ++name=Policy ++NSS=flags=policyOnly,moduleDB ++config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" ++ ++ +diff --git a/tests/outputs/GOST-ONLY-openssh.txt b/tests/outputs/GOST-ONLY-openssh.txt +new file mode 100644 +index 0000000..89e06ad +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-openssh.txt +@@ -0,0 +1,2 @@ ++GSSAPIKeyExchange no ++RequiredRSASize 2048 +diff --git a/tests/outputs/GOST-ONLY-opensshserver.txt b/tests/outputs/GOST-ONLY-opensshserver.txt +new file mode 100644 +index 0000000..89e06ad +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-opensshserver.txt +@@ -0,0 +1,2 @@ ++GSSAPIKeyExchange no ++RequiredRSASize 2048 +diff --git a/tests/outputs/GOST-ONLY-openssl.txt b/tests/outputs/GOST-ONLY-openssl.txt +new file mode 100644 +index 0000000..abeab8c +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-openssl.txt +@@ -0,0 +1 @@ ++@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +diff --git a/tests/outputs/GOST-ONLY-openssl_fips.txt b/tests/outputs/GOST-ONLY-openssl_fips.txt +new file mode 100644 +index 0000000..c69d6e1 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-openssl_fips.txt +@@ -0,0 +1,4 @@ ++ ++[fips_sect] ++tls1-prf-ems-check = 1 ++activate = 1 +diff --git a/tests/outputs/GOST-ONLY-opensslcnf.txt b/tests/outputs/GOST-ONLY-opensslcnf.txt +new file mode 100644 +index 0000000..c5c1f47 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-opensslcnf.txt +@@ -0,0 +1,18 @@ ++CipherString = 
@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++Ciphersuites = GOST2012-GOST8912-GOST8912 ++TLS.MinProtocol = TLSv1 ++TLS.MaxProtocol = TLSv1.3 ++SignatureAlgorithms = ++Groups = ++ ++[openssl_init] ++engines = engine_gost ++ ++[engine_gost] ++gost = gost_section ++ ++[gost_section] ++engine_id = gost ++dynamic_path = /usr/lib64/engines-3/gost.so ++default_algorithms = ALL ++CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet +diff --git a/tests/outputs/GOST-ONLY-rpm-sequoia.txt b/tests/outputs/GOST-ONLY-rpm-sequoia.txt +new file mode 100644 +index 0000000..3ec0b96 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-rpm-sequoia.txt +@@ -0,0 +1,51 @@ ++[hash_algorithms] ++md5.collision_resistance = "never" ++md5.second_preimage_resistance = "never" ++sha1.collision_resistance = "never" ++sha1.second_preimage_resistance = "never" ++ripemd160.collision_resistance = "never" ++ripemd160.second_preimage_resistance = "never" ++sha224.collision_resistance = "never" ++sha224.second_preimage_resistance = "never" ++sha256.collision_resistance = "never" ++sha256.second_preimage_resistance = "never" ++sha384.collision_resistance = "never" ++sha384.second_preimage_resistance = "never" ++sha512.collision_resistance = "never" ++sha512.second_preimage_resistance = "never" ++default_disposition = "never" ++ ++[symmetric_algorithms] ++idea = "never" ++tripledes = "never" ++cast5 = "never" ++blowfish = "never" ++aes128 = "never" ++aes192 = "never" ++aes256 = "never" ++twofish = "never" ++camellia128 = "never" ++camellia192 = "never" ++camellia256 = "never" ++default_disposition = "never" ++ ++[asymmetric_algorithms] ++rsa1024 = "never" ++rsa2048 = "never" ++rsa3072 = "never" ++rsa4096 = "never" ++dsa1024 = "never" ++dsa2048 = "never" ++dsa3072 = "never" ++dsa4096 = "never" ++nistp256 = "never" ++nistp384 = "never" ++nistp521 = 
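Review bot: The expected output blesses `TLS.MinProtocol = TLSv1` for GOST-ONLY, while the other policies in this release keep a TLS 1.2 floor (compare `TLS.MinProtocol = TLSv1.2` in the DEFAULT:SSSD-PAM-GOST output above); the gnutls (`enabled-version = TLS1.0`) and nss (`tls-version-min=tls1.0`) expectations for the same policy agree, so this comes from the GOST-ONLY.pol/GOST.pmod definition, which is outside this view. Unless a specific GOST peer needs TLS 1.0/1.1, the policy should set `min_tls_version = TLS1.2` (and `min_dtls_version` likewise) so these lines become `TLS.MinProtocol = TLSv1.2`. Two smaller items in the same file: `SignatureAlgorithms =` and `Groups =` are written with empty values, which OpenSSL's ssl_conf module may reject at config load rather than treat as "no restriction" — worth confirming with `openssl s_client` under this config — and `Ciphersuites = GOST2012-GOST8912-GOST8912` names a TLS 1.2-style cipher in the TLS 1.3-only directive, so it may never match with `TLS.MaxProtocol = TLSv1.3`. `dynamic_path = /usr/lib64/engines-3/gost.so` also hard-codes libdir and engine ABI in a noarch package; a comment above `[gost_section]` stating that assumption (`# engine path assumes 64-bit libdir and OpenSSL 3 engine ABI`) would at least make the breakage discoverable.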
"never" ++cv25519 = "never" ++elgamal1024 = "never" ++elgamal2048 = "never" ++elgamal3072 = "never" ++elgamal4096 = "never" ++brainpoolp256 = "never" ++brainpoolp512 = "never" ++default_disposition = "never" +diff --git a/tests/outputs/GOST-ONLY-sequoia.txt b/tests/outputs/GOST-ONLY-sequoia.txt +new file mode 100644 +index 0000000..3ec0b96 +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-sequoia.txt +@@ -0,0 +1,51 @@ ++[hash_algorithms] ++md5.collision_resistance = "never" ++md5.second_preimage_resistance = "never" ++sha1.collision_resistance = "never" ++sha1.second_preimage_resistance = "never" ++ripemd160.collision_resistance = "never" ++ripemd160.second_preimage_resistance = "never" ++sha224.collision_resistance = "never" ++sha224.second_preimage_resistance = "never" ++sha256.collision_resistance = "never" ++sha256.second_preimage_resistance = "never" ++sha384.collision_resistance = "never" ++sha384.second_preimage_resistance = "never" ++sha512.collision_resistance = "never" ++sha512.second_preimage_resistance = "never" ++default_disposition = "never" ++ ++[symmetric_algorithms] ++idea = "never" ++tripledes = "never" ++cast5 = "never" ++blowfish = "never" ++aes128 = "never" ++aes192 = "never" ++aes256 = "never" ++twofish = "never" ++camellia128 = "never" ++camellia192 = "never" ++camellia256 = "never" ++default_disposition = "never" ++ ++[asymmetric_algorithms] ++rsa1024 = "never" ++rsa2048 = "never" ++rsa3072 = "never" ++rsa4096 = "never" ++dsa1024 = "never" ++dsa2048 = "never" ++dsa3072 = "never" ++dsa4096 = "never" ++nistp256 = "never" ++nistp384 = "never" ++nistp521 = "never" ++cv25519 = "never" ++elgamal1024 = "never" ++elgamal2048 = "never" ++elgamal3072 = "never" ++elgamal4096 = "never" ++brainpoolp256 = "never" ++brainpoolp512 = "never" ++default_disposition = "never" +diff --git a/tests/outputs/LEGACY-auth.txt b/tests/outputs/LEGACY-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt 
b/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt +new file mode 100644 +index 0000000..e69de29 +-- +2.39.3 + diff --git a/SPECS/crypto-policies.spec b/SPECS/crypto-policies.spec index 9f41584..b947cd4 100644 --- a/SPECS/crypto-policies.spec +++ b/SPECS/crypto-policies.spec @@ -1,31 +1,9 @@ -%global git_date 20240202 -%global git_commit 283706dbc258f4ac0b19b3291bc18f9b691b222f +%global git_date 20240822 +%global git_commit baf3e063c68f6c69eec1bf79c1b3e9a745640183 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})} %global _python_bytecompile_extra 0 -# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1 -%if 0%{?rhel} == 9 - # RHEL-9: must be RequiredRSASize in RHEL >= 9.2, Conflicts-enforced, - %global MIN_RSA_NAME RequiredRSASize -%elif 0%{?rhel} == 10 - # ELN: RequiredRSASize for openssh >= 9.0p1-5, RSAMinSize for >= 9.0p1-2 - %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-5" - %global MIN_RSA_NAME RequiredRSASize - %elif v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-2" - %global MIN_RSA_NAME RSAMinSize - %else - %global MIN_RSA_NAME none - %endif -%else - # some other distro, follow autodetection which checks for openssh >= 9.1 - %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.1" - %global MIN_RSA_NAME RequiredRSASize - %else - %global MIN_RSA_NAME none - %endif -%endif - Name: crypto-policies Version: %{git_date} Release: 1.git%{git_commit_hash}%{?dist}.inferit 
@@ -35,41 +13,32 @@ License: LGPL-2.1-or-later URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies # For RHEL-9 we use the upstream branch rhel9. Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz -Patch1: 0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch -Patch2: 0001-Added-tests-fix-for-9.4-version.patch +Patch1: 0001-Added-GOST-9.5-policy-also-added-experimental-PAM-ge.patch -%if 0%{?rhel} >= 10 -ExclusiveArch: %{java_arches} noarch -%endif BuildArch: noarch BuildRequires: asciidoc BuildRequires: libxslt BuildRequires: openssl BuildRequires: nss-tools -BuildRequires: gnutls-utils >= 3.6.0 +BuildRequires: gnutls-utils +BuildRequires: openssh-clients BuildRequires: java-devel BuildRequires: bind -BuildRequires: perl-interpreter -BuildRequires: perl-generators -BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy) -BuildRequires: perl(File::Which) -BuildRequires: python3-devel >= 3.6 +BuildRequires: python3-devel >= 3.9 BuildRequires: python3-pytest BuildRequires: make -Conflicts: openssl < 1:3.0.1-10 +Conflicts: openssl-libs < 1:3.0.1-10 Conflicts: nss < 3.90.0 Conflicts: libreswan < 3.28 Conflicts: openssh < 8.7p1-24 -%if 0%{?rhel} == 10 -Conflicts: gnutls < 3.7.2-3 -%else Conflicts: gnutls < 3.7.6-22 -%endif Recommends: openssl-gost-engine Requires: authselect Requires: findutils + + %description This package provides pre-built configuration files with cryptographic policies for various cryptographic back-ends, 
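Review bot: `Recommends: openssl-gost-engine`, kept as context in this dependency block, is only a weak dependency, yet the GOST policies added by Patch1 generate an `[openssl_init]` / `engines = engine_gost` section whose `dynamic_path = /usr/lib64/engines-3/gost.so` points at that package (see the opensslcnf expected outputs in the patch above). On a host installed with weak deps disabled, or where the engine was later removed, `update-crypto-policies --set GOST-ONLY` would write an openssl.cnf referencing a missing engine, and OpenSSL config loading can then fail for every consumer rather than degrading to a non-GOST policy. Consider `Requires: openssl-gost-engine` (or a `crypto-policies-gost` subpackage that carries the GOST policy files and requires the engine), or have the generator emit the engine section only when the library is present; the generator changes in openssl.py are outside this hunk, so I cannot tell whether such a check already exists. The `Conflicts: openssh < 8.7p1-24` line is what now justifies hard-coding `RequiredRSASize` in %build after the version autodetection was dropped, and a one-line comment saying so (`# RequiredRSASize needs openssh >= 8.7p1-24 (RHEL 9.2)`) would keep the two from drifting apart.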
@@ -96,20 +65,9 @@ to enable or disable the system FIPS mode. %build sed -i \ - "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \ + "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \ python/policygenerators/openssh.py -grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py - -%if 0%{?rhel} == 10 -# currently ELN 3.90-1 doesn't carry the TLS-REQUIRE-EMS patch -sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \ - python/policygenerators/nss.py tests/nss.py -sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt -# currently ELN/RHEL gnutls do not carry the tls-session-hash patch -sed -i "s/'GNUTLS_NO_TLS_SESSION_HASH', '0'/'GNUTLS_NO_TLS_SESSION_HASH', '1'/" \ - python/policygenerators/gnutls.py -sed -i "/^tls-session-hash =/d" tests/outputs/*FIPS*.txt -%endif +grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py %make_build @@ -147,16 +105,7 @@ done %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python %check -# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1 -%if "%{MIN_RSA_NAME}" == "none" - sed -i '/RequiredRSASize .*/d' tests/outputs/*.txt -%elif "%{MIN_RSA_NAME}" == "RSAMinSize" - sed -i 's/RequiredRSASize/RSAMinSize/' tests/outputs/*.txt -%else - [ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7 -%endif - -make ON_RHEL9=1 test +make test SKIP_LINTING=1 %post -p if not posix.access("%{_sysconfdir}/crypto-policies/config") then @@ -242,6 +191,8 @@ end %{_datarootdir}/crypto-policies/reload-cmds.sh %{_datarootdir}/crypto-policies/policies +%{_libexecdir}/fips-setup-helper + %license COPYING.LESSER %files scripts 
@@ -256,9 +207,30 @@ end %{_mandir}/man8/fips-finish-install.8* %changelog -* Mon May 13 2024 Arkady L. Shane - 20240202-1.git283706d.inferit -- Added GOST policy also added experimental PAM generator -- Use Recommends: openssl-gost-engine instead of Requires +* Thu Oct 10 2024 Arkady L. Shane - 20240822-1.gitbaf3e06.inferit +- Added GOST + +* Thu Aug 22 2024 Alexander Sosedkin - 20240822-1.gitbaf3e06 +- fips-mode-setup: block if LUKS devices using Argon2 are detected + +* Thu Aug 15 2024 Alexander Sosedkin - 20240815-1.gite217f03 +- java: start controlling / disable DTLSv1.0 +- java: disable anon ciphersuites, tying them to NULL +- java: respect more key size restrictions +- java: specify jdk.tls.namedGroups system property +- java: make hash, mac and sign more orthogonal +- fips-mode-setup: add another scary "unsupported" +- fips-mode-setup: flashy ticking warning upon use +- java: use and include jdk.disabled.namedCurves +- ec_min_size: introduce and use in java, default to 256 +- java: stop specifying jdk.tls.namedGroups in javasystem +- fips-setup-helper: add a libexec helper for anaconda +- fips-mode-setup: force --no-bootcfg when UKI is detected + +* Mon Mar 04 2024 Alexander Sosedkin - 20240304-1.gitb1c706d +- packaging: remove perl build-dependency, it's not needed anymore +- packaging: use newly introduced SKIP_LINTING=1 +- packaging: drop stale workarounds * Fri Feb 02 2024 Alexander Sosedkin - 20240202-1.git283706d - fips-finish-install: make sure ostree is detected in chroot