i10-beta
Arkady L. Shane 4 weeks ago
parent 9189f56982
commit 60decf8b76
Signed by: tigro
GPG Key ID: 1EC08A25C9DB2503

@ -1,47 +1,46 @@
From 247b8e0e95300da9565dd7bd7214772c315bfdd9 Mon Sep 17 00:00:00 2001
From 4ec052241411a1f0543cc70d3fa3ca672374ce15 Mon Sep 17 00:00:00 2001
From: tigro <tigro@msvsphere-os.ru>
Date: Wed, 8 Jan 2025 22:11:14 +0300
Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator
---
Makefile | 12 +
authselect_policies/minimal_gost/README | 84 +++++
Makefile | 12 ++
authselect_policies/minimal_gost/README | 84 ++++++++
authselect_policies/minimal_gost/REQUIREMENTS | 0
authselect_policies/minimal_gost/dconf-db | 3 +
authselect_policies/minimal_gost/dconf-locks | 2 +
.../minimal_gost/fingerprint-auth | 16 +
.../minimal_gost/nsswitch.conf | 14 +
.../minimal_gost/password-auth | 15 +
.../minimal_gost/fingerprint-auth | 16 ++
.../minimal_gost/nsswitch.conf | 14 ++
.../minimal_gost/password-auth | 15 ++
authselect_policies/minimal_gost/postlogin | 4 +
.../minimal_gost/smartcard-auth | 16 +
authselect_policies/minimal_gost/system-auth | 15 +
authselect_policies/sssd_gost/README | 145 ++++++++
authselect_policies/sssd_gost/REQUIREMENTS | 29 ++
.../minimal_gost/smartcard-auth | 16 ++
authselect_policies/minimal_gost/system-auth | 15 ++
authselect_policies/sssd_gost/README | 145 +++++++++++++
authselect_policies/sssd_gost/REQUIREMENTS | 29 +++
authselect_policies/sssd_gost/dconf-db | 9 +
authselect_policies/sssd_gost/dconf-locks | 4 +
.../sssd_gost/fingerprint-auth | 28 ++
.../sssd_gost/fingerprint-auth | 28 +++
authselect_policies/sssd_gost/nsswitch.conf | 7 +
authselect_policies/sssd_gost/password-auth | 39 ++
authselect_policies/sssd_gost/password-auth | 39 ++++
authselect_policies/sssd_gost/postlogin | 4 +
authselect_policies/sssd_gost/smartcard-auth | 26 ++
authselect_policies/sssd_gost/system-auth | 46 +++
policies/GOST-ONLY-PAM.pol | 29 ++
policies/GOST-ONLY.pol | 28 ++
policies/modules/GOST.pmod | 18 +
authselect_policies/sssd_gost/smartcard-auth | 26 +++
authselect_policies/sssd_gost/system-auth | 46 ++++
policies/GOST-ONLY-PAM.pol | 29 +++
policies/GOST-ONLY.pol | 28 +++
policies/modules/GOST.pmod | 18 ++
policies/modules/PAM-GOST.pmod | 3 +
policies/modules/PATCH-PAM-GOST.pmod | 3 +
policies/modules/SSSD-PAM-GOST.pmod | 3 +
python/build-crypto-policies.py | 8 +-
python/cryptopolicies/alg_lists.py | 35 +-
python/cryptopolicies/alg_lists.py | 35 +--
python/cryptopolicies/cryptopolicies.py | 7 +-
python/policygenerators/__init__.py | 2 +
python/policygenerators/auth.py | 36 ++
python/policygenerators/auth.py | 36 ++++
.../fedora-crypto-policies.code-workspace | 0
python/policygenerators/openssl.py | 23 ++
python/policygenerators/openssl.py.orig | 348 ++++++++++++++++++
scripts/auth_apply.sh | 204 ++++++++++
tests/alternative-policies/GOST-ONLY.pol | 30 ++
tests/alternative-policies/modules/GOST.pmod | 18 +
scripts/auth_apply.sh | 204 ++++++++++++++++++
tests/alternative-policies/GOST-ONLY.pol | 30 +++
tests/alternative-policies/modules/GOST.pmod | 18 ++
tests/gnutls.py | 3 +
tests/java.py | 3 +-
tests/nss.py | 2 +-
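Review bot: The new-side diffstat still carries `python/policygenerators/fedora-crypto-policies.code-workspace | 0`, and the `create mode 100644 python/policygenerators/fedora-crypto-policies.code-workspace` line in the later "create mode" hunk keeps it too; an empty editor workspace file does not belong in a distribution patch and should be dropped the same way this commit drops openssl.py.orig. Because the diffstat and the "files changed" summary are generated by git format-patch, regenerating the patch after removing that file keeps both counts consistent rather than hand-editing them.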
@ -49,7 +48,7 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator
tests/outputs/DEFAULT-auth.txt | 0
tests/outputs/DEFAULT:GOST-auth.txt | 0
tests/outputs/DEFAULT:GOST-bind.txt | 10 +
tests/outputs/DEFAULT:GOST-gnutls.txt | 105 ++++++
tests/outputs/DEFAULT:GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:GOST-java.txt | 4 +
tests/outputs/DEFAULT:GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:GOST-krb5.txt | 2 +
@ -60,12 +59,12 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator
tests/outputs/DEFAULT:GOST-opensshserver.txt | 8 +
tests/outputs/DEFAULT:GOST-openssl.txt | 1 +
tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 +
tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 +
tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 +++
tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++
tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 ++
tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 +++++
tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++++
tests/outputs/DEFAULT:PAM-GOST-auth.txt | 2 +
tests/outputs/DEFAULT:PAM-GOST-bind.txt | 12 +
tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 ++++++
tests/outputs/DEFAULT:PAM-GOST-bind.txt | 12 ++
tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:PAM-GOST-java.txt | 4 +
tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 +
@ -78,8 +77,8 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator
.../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 +
tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 8 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt | 1 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 12 +
.../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 105 ++++++
tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 12 ++
.../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 4 +
.../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 +
@ -93,8 +92,8 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator
.../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 8 +
tests/outputs/DEFAULT:SHA1-auth.txt | 0
tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt | 4 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 12 +
.../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 105 ++++++
tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 12 ++
.../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 4 +
.../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 +
@ -114,8 +113,8 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator
tests/outputs/FUTURE-auth.txt | 0
tests/outputs/FUTURE:AD-SUPPORT-auth.txt | 0
tests/outputs/GOST-ONLY-PAM-auth.txt | 2 +
tests/outputs/GOST-ONLY-PAM-bind.txt | 18 +
tests/outputs/GOST-ONLY-PAM-gnutls.txt | 13 +
tests/outputs/GOST-ONLY-PAM-bind.txt | 18 ++
tests/outputs/GOST-ONLY-PAM-gnutls.txt | 13 ++
tests/outputs/GOST-ONLY-PAM-java.txt | 4 +
tests/outputs/GOST-ONLY-PAM-javasystem.txt | 2 +
tests/outputs/GOST-ONLY-PAM-krb5.txt | 2 +
@ -126,10 +125,10 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator
tests/outputs/GOST-ONLY-PAM-opensshserver.txt | 2 +
tests/outputs/GOST-ONLY-PAM-openssl.txt | 1 +
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt | 4 +
tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 +
tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 ++
tests/outputs/GOST-ONLY-auth.txt | 0
tests/outputs/GOST-ONLY-bind.txt | 18 +
tests/outputs/GOST-ONLY-gnutls.txt | 13 +
tests/outputs/GOST-ONLY-bind.txt | 18 ++
tests/outputs/GOST-ONLY-gnutls.txt | 13 ++
tests/outputs/GOST-ONLY-java.txt | 4 +
tests/outputs/GOST-ONLY-javasystem.txt | 2 +
tests/outputs/GOST-ONLY-krb5.txt | 2 +
@ -140,12 +139,12 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator
tests/outputs/GOST-ONLY-opensshserver.txt | 2 +
tests/outputs/GOST-ONLY-openssl.txt | 1 +
tests/outputs/GOST-ONLY-openssl_fips.txt | 4 +
tests/outputs/GOST-ONLY-opensslcnf.txt | 18 +
tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 +++
tests/outputs/GOST-ONLY-sequoia.txt | 51 +++
tests/outputs/GOST-ONLY-opensslcnf.txt | 18 ++
tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 +++++
tests/outputs/GOST-ONLY-sequoia.txt | 51 +++++
tests/outputs/LEGACY-auth.txt | 0
.../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0
141 files changed, 2357 insertions(+), 17 deletions(-)
140 files changed, 2009 insertions(+), 17 deletions(-)
create mode 100644 authselect_policies/minimal_gost/README
create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS
create mode 100644 authselect_policies/minimal_gost/dconf-db
@ -174,7 +173,6 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator
create mode 100644 policies/modules/SSSD-PAM-GOST.pmod
create mode 100644 python/policygenerators/auth.py
create mode 100644 python/policygenerators/fedora-crypto-policies.code-workspace
create mode 100644 python/policygenerators/openssl.py.orig
create mode 100755 scripts/auth_apply.sh
create mode 100644 tests/alternative-policies/GOST-ONLY.pol
create mode 100644 tests/alternative-policies/modules/GOST.pmod
@ -1175,7 +1173,7 @@ index fa19b96..c62b496 100644
def earliest_occurrence(needles, ordered_haystack):
diff --git a/python/cryptopolicies/cryptopolicies.py b/python/cryptopolicies/cryptopolicies.py
index 24bf5c1..abbb1ce 100644
index 24bf5c1..3438e8b 100644
--- a/python/cryptopolicies/cryptopolicies.py
+++ b/python/cryptopolicies/cryptopolicies.py
@@ -51,7 +51,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing
@ -1235,7 +1233,7 @@ index 0e3013e..06553f3 100644
]
diff --git a/python/policygenerators/auth.py b/python/policygenerators/auth.py
new file mode 100644
index 0000000..eb6bda5
index 0000000..05e3ef9
--- /dev/null
+++ b/python/policygenerators/auth.py
@@ -0,0 +1,36 @@
@ -1255,7 +1253,7 @@ index 0000000..eb6bda5
+ RELOAD_CMD = '/usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :\n'
+
+ @classmethod
+ def generate_config(cls, policy):
+ def generate_config(cls, unscoped_policy):
+ p = policy.enabled
+ sep = '\n'
+ s = ''
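Review bot: The new signature `def generate_config(cls, unscoped_policy):` removes the `policy` name, but the unchanged next line `p = policy.enabled` still reads it, so unless something outside the hunk binds `policy` the auth generator now raises NameError the first time it runs; the hunk is 7 lines on both sides and the auth.py diffstat stays at 36 lines, so no scoping line was added with the rename. The rename appears to mirror the OpenSSL generators, which follow the signature with `policy = unscoped_policy.scoped({...})`; add the equivalent here using the scope this generator registers in ALL_SCOPES, e.g. `policy = unscoped_policy.scoped({AUTH_SCOPE})  # AUTH_SCOPE: placeholder for the scope name added to ALL_SCOPES`, or revert the parameter name. This is a hunk of a patch file, so the leading `+` belongs to the inner patch, and the body of generate_config continues past the hunk. Separately, `RELOAD_CMD` on the first line discards both stderr and the exit status of auth_apply.sh (`2>/dev/null || :`), so a PAM policy that fails to apply is invisible to update-crypto-policies; surfacing at least a warning would let an operator notice that the requested policy is not in effect.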
@ -1326,360 +1324,6 @@ index c6824b0..b199949 100644
return s
diff --git a/python/policygenerators/openssl.py.orig b/python/policygenerators/openssl.py.orig
new file mode 100644
index 0000000..c6824b0
--- /dev/null
+++ b/python/policygenerators/openssl.py.orig
@@ -0,0 +1,348 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Copyright (c) 2019 Red Hat, Inc.
+# Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
+
+from subprocess import CalledProcessError, check_output
+
+from .configgenerator import ConfigGenerator
+
+RH_ALLOW_SHA1 = '''
+[openssl_init]
+alg_section = evp_properties
+
+[evp_properties]
+rh-allow-sha1-signatures = yes
+'''
+
+FIPS_MODULE_CONFIG = '''
+[fips_sect]
+tls1-prf-ems-check = {}
+activate = 1
+'''
+
+
+class OpenSSLGenerator(ConfigGenerator):
+ CONFIG_NAME = 'openssl'
+
+ cipher_not_map = {
+ 'AES-256-CTR': '',
+ 'AES-128-CTR': '',
+ 'AES-256-GCM': '-AES256',
+ 'AES-128-GCM': '-AES128',
+ 'AES-256-CBC': '-SHA256',
+ 'AES-128-CBC': '',
+ 'CHACHA20-POLY1305': '-CHACHA20',
+ 'SEED-CBC': '-SEED',
+ 'IDEA-CBC': '!IDEA',
+ 'DES-CBC': '!DES',
+ 'RC4-40': '',
+ 'DES40-CBC': '',
+ '3DES-CBC': '-3DES',
+ 'RC4-128': '!RC4',
+ 'RC2-CBC': '!RC2',
+ 'NULL': '!eNULL:!aNULL'
+ }
+
+ key_exchange_map = {
+ 'RSA': 'kRSA',
+ 'ECDHE': 'kEECDH',
+ 'PSK': 'kPSK',
+ 'DHE-PSK': 'kDHEPSK',
+ 'DHE-RSA': 'kEDH',
+ 'DHE-DSS': '',
+ 'ECDHE-PSK': 'kECDHEPSK',
+ 'RSA-PSK': 'kRSAPSK',
+ 'VKO-GOST-2012': 'kGOST'
+ }
+
+ key_exchange_not_map = {
+ 'ANON': '',
+ 'DH': '',
+ 'ECDH': '',
+ 'RSA': '-kRSA',
+ 'ECDHE': '-kEECDH',
+ 'DHE-RSA': '-aRSA',
+ 'DHE-DSS': '-aDSS',
+ 'PSK': '-kPSK',
+ 'DHE-PSK': '-kDHEPSK',
+ 'ECDHE-PSK': '-kECDHEPSK',
+ 'RSA-PSK': '-kRSAPSK'
+ }
+
+ mac_not_map = {
+ 'HMAC-MD5': '!MD5',
+ 'HMAC-SHA1': '-SHA1'
+ }
+
+ ciphersuite_map = {
+ 'AES-256-GCM': 'TLS_AES_256_GCM_SHA384',
+ 'AES-128-GCM': 'TLS_AES_128_GCM_SHA256',
+ 'CHACHA20-POLY1305': 'TLS_CHACHA20_POLY1305_SHA256',
+ 'AES-128-CCM': 'TLS_AES_128_CCM_SHA256',
+ 'AES-128-CCM8': 'TLS_AES_128_CCM_8_SHA256',
+ 'GOST28147-TC26Z-CNT': 'GOST2012-GOST8912-GOST8912',
+ 'GOST28147-CPA-CNT': 'GOST2001-GOST89-GOST89'
+ }
+
+ @classmethod
+ def generate_ciphers(cls, policy):
+ s = ''
+ p = policy.enabled
+ ip = policy.disabled
+ # We cannot separate RSA strength from DH params.
+ min_dh_size = policy.integers['min_dh_size']
+ min_rsa_size = policy.integers['min_rsa_size']
+ if min_dh_size < 1023 or min_rsa_size < 1023:
+ s = cls.append(s, '@SECLEVEL=0')
+ elif min_dh_size < 2048 or min_rsa_size < 2048:
+ s = cls.append(s, '@SECLEVEL=1')
+ elif min_dh_size < 3072 or min_rsa_size < 3072:
+ s = cls.append(s, '@SECLEVEL=2')
+ else:
+ s = cls.append(s, '@SECLEVEL=3')
+
+ for i in p['key_exchange']:
+ try:
+ s = cls.append(s, cls.key_exchange_map[i])
+ except KeyError:
+ pass
+
+ for i in ip['key_exchange']:
+ try:
+ s = cls.append(s, cls.key_exchange_not_map[i])
+ except KeyError:
+ pass
+
+ for i in ip['cipher']:
+ try:
+ s = cls.append(s, cls.cipher_not_map[i])
+ except KeyError:
+ pass
+ if 'AES-128-CCM' in ip['cipher']:
+ if 'AES-256-CCM' in ip['cipher']:
+ s = cls.append(s, '-AESCCM')
+
+ for i in ip['mac']:
+ try:
+ s = cls.append(s, cls.mac_not_map[i])
+ except KeyError:
+ pass
+
+ # These ciphers are not necessary for any
+ # policy level, and only increase the attack surface.
+ # FIXME! must be fixed for custom policies
+ for c in ('-SHA384', '-CAMELLIA', '-ARIA', '-AESCCM8'):
+ s = cls.append(s, c)
+
+ return s
+
+ @classmethod
+ def generate_ciphersuites(cls, policy):
+ s = ''
+ p = policy.enabled
+ for i in p['cipher']:
+ try:
+ s = cls.append(s, cls.ciphersuite_map[i])
+ except KeyError:
+ pass
+
+ return s
+
+ @classmethod
+ def generate_config(cls, unscoped_policy):
+ policy = unscoped_policy.scoped({'tls', 'ssl', 'openssl'})
+ return cls.generate_ciphers(policy) + '\n'
+
+ @classmethod
+ def test_config(cls, config):
+ output = b''
+ assert config.endswith('\n') # noqa: S101
+ try:
+ output = check_output(['openssl', # noqa: S607
+ 'ciphers', config[:-1]])
+ except CalledProcessError:
+ cls.eprint('There is an error in openssl generated policy')
+ cls.eprint(f'Policy:\n{config}')
+ return False
+ except OSError:
+ # Ignore missing openssl
+ return True
+ if b'NULL' in output or b'ADH' in output:
+ cls.eprint('There is NULL or ADH in openssl generated policy')
+ cls.eprint(f'Policy:\n{config}')
+ return False
+ return True
+
+
+class OpenSSLConfigGenerator(OpenSSLGenerator):
+ CONFIG_NAME = 'opensslcnf'
+
+ # has to cover everything c-p has
+ protocol_map = {
+ 'SSL3.0': 'SSLv3',
+ 'TLS1.0': 'TLSv1',
+ 'TLS1.1': 'TLSv1.1',
+ 'TLS1.2': 'TLSv1.2',
+ 'TLS1.3': 'TLSv1.3',
+ 'DTLS0.9': 'DTLSv0.9',
+ 'DTLS1.0': 'DTLSv1',
+ 'DTLS1.2': 'DTLSv1.2'
+ }
+
+ sign_map = {
+ 'RSA-SHA1': 'RSA+SHA1',
+ 'DSA-SHA1': 'DSA+SHA1',
+ 'ECDSA-SHA1': 'ECDSA+SHA1',
+ 'RSA-SHA2-224': 'RSA+SHA224',
+ 'DSA-SHA2-224': 'DSA+SHA224',
+ 'ECDSA-SHA2-224': 'ECDSA+SHA224',
+ 'RSA-SHA2-256': 'RSA+SHA256',
+ 'DSA-SHA2-256': 'DSA+SHA256',
+ 'ECDSA-SHA2-256': 'ECDSA+SHA256',
+ 'RSA-SHA2-384': 'RSA+SHA384',
+ 'DSA-SHA2-384': 'DSA+SHA384',
+ 'ECDSA-SHA2-384': 'ECDSA+SHA384',
+ 'RSA-SHA2-512': 'RSA+SHA512',
+ 'DSA-SHA2-512': 'DSA+SHA512',
+ 'ECDSA-SHA2-512': 'ECDSA+SHA512',
+ 'RSA-PSS-SHA2-256': 'rsa_pss_pss_sha256',
+ 'RSA-PSS-SHA2-384': 'rsa_pss_pss_sha384',
+ 'RSA-PSS-SHA2-512': 'rsa_pss_pss_sha512',
+ 'RSA-PSS-RSAE-SHA2-256': 'rsa_pss_rsae_sha256',
+ 'RSA-PSS-RSAE-SHA2-384': 'rsa_pss_rsae_sha384',
+ 'RSA-PSS-RSAE-SHA2-512': 'rsa_pss_rsae_sha512',
+ 'EDDSA-ED25519': 'ed25519',
+ 'EDDSA-ED448': 'ed448',
+ # provider-only, so, optional (openssl#23050) + marked experimental
+ 'MLDSA44': '?mldsa44',
+ 'P256-MLDSA44': '?p256_mldsa44',
+ 'RSA3072-MLDSA44': '?rsa3072_mldsa44',
+ 'MLDSA44-PSS2048': '?mldsa44_pss2048',
+ 'MLDSA44-RSA2048': '?mldsa44_rsa2048',
+ 'MLDSA44-ED25519': '?mldsa44_ed25519',
+ 'MLDSA44-P256': '?mldsa44_p256',
+ 'MLDSA44-BP256': '?mldsa44_bp256',
+ 'MLDSA65': '?mldsa65',
+ 'P384-MLDSA65': '?p384_mldsa65',
+ 'MLDSA65-PSS3072': '?mldsa65_pss3072',
+ 'MLDSA65-RSA3072': '?mldsa65_rsa3072',
+ 'MLDSA65-P256': '?mldsa65_p256',
+ 'MLDSA65-BP256': '?mldsa65_bp256',
+ 'MLDSA65-ED25519': '?mldsa65_ed25519',
+ 'MLDSA87': '?mldsa87',
+ 'P521-MLDSA87': '?p521_mldsa87',
+ 'MLDSA87-P384': '?mldsa87_p384',
+ 'MLDSA87-BP384': '?mldsa87_bp384',
+ 'MLDSA87-ED448': '?mldsa87_ed448',
+ 'FALCON512': '?falcon512',
+ 'P256-FALCON512': '?p256_falcon512',
+ 'RSA3072-FALCON512': '?rsa3072_falcon512',
+ 'FALCONPADDED512': '?falconpadded512',
+ 'P256-FALCONPADDED512': '?p256_falconpadded512',
+ 'RSA3072-FALCONPADDED512': '?rsa3072_falconpadded512',
+ 'FALCON1024': '?falcon1024',
+ 'P521-FALCON1024': '?p521_falcon1024',
+ 'FALCONPADDED1024': '?falconpadded1024',
+ 'P521-FALCONPADDED1024': '?p521_falconpadded1024',
+ 'SPHINCSSHA2128FSIMPLE': '?sphincssha2128fsimple',
+ 'P256-SPHINCSSHA2128FSIMPLE': '?p256_sphincssha2128fsimple',
+ 'RSA3072-SPHINCSSHA2128FSIMPLE': '?rsa3072_sphincssha2128fsimple',
+ 'SPHINCSSHA2128SSIMPLE': '?sphincssha2128ssimple',
+ 'P256-SPHINCSSHA2128SSIMPLE': '?p256_sphincssha2128ssimple',
+ 'RSA3072-SPHINCSSHA2128SSIMPLE': '?rsa3072_sphincssha2128ssimple',
+ 'SPHINCSSHA2192FSIMPLE': '?sphincssha2192fsimple',
+ 'P384-SPHINCSSHA2192FSIMPLE': '?p384_sphincssha2192fsimple',
+ 'SPHINCSSHAKE128FSIMPLE': '?sphincsshake128fsimple',
+ 'P256-SPHINCSSHAKE128FSIMPLE': '?p256_sphincsshake128fsimple',
+ 'RSA3072-SPHINCSSHAKE128FSIMPLE': '?rsa3072_sphincsshake128fsimple',
+ }
+
+ group_map = {
+ 'SECP224R1': 'secp224r1',
+ 'SECP256R1': 'secp256r1',
+ 'SECP384R1': 'secp384r1',
+ 'SECP521R1': 'secp521r1',
+ 'X25519': 'X25519',
+ 'X448': 'X448',
+ 'FFDHE-2048': 'ffdhe2048',
+ 'FFDHE-3072': 'ffdhe3072',
+ 'FFDHE-4096': 'ffdhe4096',
+ 'FFDHE-6144': 'ffdhe6144',
+ 'FFDHE-8192': 'ffdhe8192',
+ 'BRAINPOOL-P256R1': 'brainpoolP256r1',
+ 'BRAINPOOL-P384R1': 'brainpoolP384r1',
+ 'BRAINPOOL-P512R1': 'brainpoolP512r1',
+ # provider-only, so, optional (openssl#23050) + marked experimental
+ 'KYBER768': '?kyber768',
+ 'X25519-KYBER768': '?x25519_kyber768',
+ 'P256-KYBER768': '?p256_kyber768',
+ 'MLKEM512': '?mlkem512',
+ 'P256-MLKEM512': '?p256_mlkem512',
+ 'X25519-MLKEM512': '?x25519_mlkem512',
+ 'MLKEM768': '?mlkem768',
+ 'P384-MLKEM768': '?p384_mlkem768',
+ 'X448-MLKEM768': '?x448_mlkem768',
+ 'X25519-MLKEM768': '?x25519_mlkem768',
+ 'P256-MLKEM768': '?p256_mlkem768',
+ 'MLKEM1024': '?mlkem1024',
+ 'P521-MLKEM1024': '?p521_mlkem1024',
+ 'P384-MLKEM1024': '?p384_mlkem1024',
+ }
+
+ @classmethod
+ def generate_config(cls, unscoped_policy):
+ policy = unscoped_policy.scoped({'tls', 'ssl', 'openssl'})
+ p = policy.enabled
+ # This includes the seclevel
+ s = f'CipherString = {cls.generate_ciphers(policy)}\n'
+ s += f'Ciphersuites = {cls.generate_ciphersuites(policy)}\n'
+
+ if policy.min_tls_version:
+ s += 'TLS.MinProtocol ='
+ s += f' {cls.protocol_map[policy.min_tls_version]}\n'
+ if policy.max_tls_version:
+ s += 'TLS.MaxProtocol ='
+ s += f' {cls.protocol_map[policy.max_tls_version]}\n'
+ if policy.min_dtls_version:
+ s += 'DTLS.MinProtocol ='
+ s += f' {cls.protocol_map[policy.min_dtls_version]}\n'
+ if policy.max_dtls_version:
+ s += 'DTLS.MaxProtocol ='
+ s += f' {cls.protocol_map[policy.max_dtls_version]}\n'
+
+ sig_algs = [cls.sign_map[i] for i in p['sign'] if i in cls.sign_map]
+ s += 'SignatureAlgorithms = ' + ':'.join(sig_algs) + '\n'
+
+ groups = [cls.group_map[i] for i in p['group'] if i in cls.group_map]
+ s += 'Groups = ' + ':'.join(groups) + '\n'
+
+ if policy.enums['__ems'] == 'RELAX':
+ s += 'Options = RHNoEnforceEMSinFIPS\n'
+
+ if 'SHA1' in p['hash']:
+ s += RH_ALLOW_SHA1
+
+ return s
+
+ @classmethod
+ def test_config(cls, config): # pylint: disable=unused-argument
+ return True
+
+
+class OpenSSLFIPSGenerator(ConfigGenerator):
+ CONFIG_NAME = 'openssl_fips'
+
+ @classmethod
+ def generate_config(cls, unscoped_policy):
+ policy = unscoped_policy.scoped({'tls', 'ssl', 'openssl'})
+ # OpenSSL EMS relaxation is special
+ # in that it uses a separate FIPS module config
+ # and, just in case, EMS is enforcing by default.
+ # It only puts `= 0` there if it's explicitly relaxed.
+ # That's the reason why `__ems` is a tri-state enum.
+ return FIPS_MODULE_CONFIG.format(int(policy.enums['__ems'] != 'RELAX'))
+
+ @classmethod
+ def test_config(cls, config): # pylint: disable=unused-argument
+ return True
diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh
new file mode 100755
index 0000000..5b2ecad
