From d231f9e91fbc9d3d6d1650c95f410f9333355f23 Mon Sep 17 00:00:00 2001 From: Alexey Berezhok Date: Sat, 10 Feb 2024 19:42:12 +0300 Subject: [PATCH] Added GOST policy also added experimental PAM generator --- ...y-also-added-experimental-PAM-genera.patch | 1164 +++++++++++++++-- SPECS/crypto-policies.spec | 9 +- 2 files changed, 1044 insertions(+), 129 deletions(-) diff --git a/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch b/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch index 1ab3a70..d060e24 100644 --- a/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch +++ b/SOURCES/0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch @@ -1,42 +1,54 @@ -From dc91f590afb518ad562b8df7054f3b725f8a1d1f Mon Sep 17 00:00:00 2001 +From a62a60980cb42127f000ea42548a31dc068cb39f Mon Sep 17 00:00:00 2001 
From: Alexey Berezhok -Date: Tue, 23 Jan 2024 23:01:57 +0300 +Date: Sat, 10 Feb 2024 18:31:11 +0300 Subject: [PATCH] Added GOST policy also added experimental PAM generator --- - Makefile | 11 ++ - authselect_policies/sssd_gost/README | 145 ++++++++++++++++++ - authselect_policies/sssd_gost/REQUIREMENTS | 29 ++++ - authselect_policies/sssd_gost/dconf-db | 9 ++ + Makefile | 13 ++ + authselect_policies/minimal_gost/README | 84 ++++++++ + authselect_policies/minimal_gost/REQUIREMENTS | 0 + authselect_policies/minimal_gost/dconf-db | 3 + + authselect_policies/minimal_gost/dconf-locks | 2 + + .../minimal_gost/fingerprint-auth | 16 ++ + .../minimal_gost/nsswitch.conf | 14 ++ + .../minimal_gost/password-auth | 15 ++ + authselect_policies/minimal_gost/postlogin | 4 + + .../minimal_gost/smartcard-auth | 16 ++ + authselect_policies/minimal_gost/system-auth | 15 ++ + authselect_policies/sssd_gost/README | 145 +++++++++++++ + authselect_policies/sssd_gost/REQUIREMENTS | 29 +++ + authselect_policies/sssd_gost/dconf-db | 9 + authselect_policies/sssd_gost/dconf-locks | 4 + - .../sssd_gost/fingerprint-auth | 28 ++++ + .../sssd_gost/fingerprint-auth | 28 +++ authselect_policies/sssd_gost/nsswitch.conf | 7 + - authselect_policies/sssd_gost/password-auth | 39 +++++ + authselect_policies/sssd_gost/password-auth | 39 ++++ authselect_policies/sssd_gost/postlogin | 4 + - authselect_policies/sssd_gost/smartcard-auth | 26 ++++ - authselect_policies/sssd_gost/system-auth | 46 ++++++ - policies/GOST-ONLY-PAM.pol | 29 ++++ - policies/GOST-ONLY.pol | 28 ++++ - policies/modules/GOST.pmod | 18 +++ - policies/modules/PAM-GOST.pmod | 5 + + authselect_policies/sssd_gost/smartcard-auth | 26 +++ + authselect_policies/sssd_gost/system-auth | 46 ++++ + policies/GOST-ONLY-PAM.pol | 29 +++ + policies/GOST-ONLY.pol | 28 +++ + policies/modules/GOST.pmod | 18 ++ + policies/modules/PAM-GOST.pmod | 3 + + policies/modules/PATCH-PAM-GOST.pmod | 3 + + policies/modules/SSSD-PAM-GOST.pmod | 3 + 
python/build-crypto-policies.py | 8 +- - python/cryptopolicies/alg_lists.py | 19 ++- + python/cryptopolicies/alg_lists.py | 19 +- python/cryptopolicies/cryptopolicies.py | 7 +- python/policygenerators/__init__.py | 2 + - python/policygenerators/auth.py | 36 +++++ + python/policygenerators/auth.py | 36 ++++ .../fedora-crypto-policies.code-workspace | 0 - python/policygenerators/openssl.py | 23 +++ - scripts/auth_apply.sh | 115 ++++++++++++++ - tests/alternative-policies/GOST-ONLY.pol | 30 ++++ - tests/alternative-policies/modules/GOST.pmod | 18 +++ + python/policygenerators/openssl.py | 23 ++ + scripts/auth_apply.sh | 204 ++++++++++++++++++ + tests/alternative-policies/GOST-ONLY.pol | 30 +++ + tests/alternative-policies/modules/GOST.pmod | 18 ++ tests/gnutls.pl | 2 +- tests/java.pl | 2 +- tests/nss.py | 2 +- tests/openssl.pl | 2 +- tests/outputs/DEFAULT-auth.txt | 0 tests/outputs/DEFAULT:GOST-auth.txt | 0 - tests/outputs/DEFAULT:GOST-bind.txt | 10 ++ - tests/outputs/DEFAULT:GOST-gnutls.txt | 105 +++++++++++++ + tests/outputs/DEFAULT:GOST-bind.txt | 10 + + tests/outputs/DEFAULT:GOST-gnutls.txt | 105 +++++++++ tests/outputs/DEFAULT:GOST-java.txt | 3 + tests/outputs/DEFAULT:GOST-javasystem.txt | 1 + tests/outputs/DEFAULT:GOST-krb5.txt | 2 + 
@@ -47,12 +59,12 @@ Subject: [PATCH] Added GOST policy also added experimental PAM generator tests/outputs/DEFAULT:GOST-opensshserver.txt | 8 + tests/outputs/DEFAULT:GOST-openssl.txt | 1 + tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 + - tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 +++ - tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 ++++++ - tests/outputs/DEFAULT:GOST-sequoia.txt | 51 ++++++ - tests/outputs/DEFAULT:PAM-GOST-auth.txt | 4 + + tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 ++ + tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 +++++ + tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++++ + tests/outputs/DEFAULT:PAM-GOST-auth.txt | 2 + tests/outputs/DEFAULT:PAM-GOST-bind.txt | 12 ++ - tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 +++++++++++++ + tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 +++++++++ tests/outputs/DEFAULT:PAM-GOST-java.txt | 3 + tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 1 + tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 + 
@@ -63,8 +75,36 @@ Subject: [PATCH] Added GOST policy also added experimental PAM generator .../DEFAULT:PAM-GOST-opensshserver.txt | 8 + tests/outputs/DEFAULT:PAM-GOST-openssl.txt | 1 + .../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 + - tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 20 +++ + tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 8 + + tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt | 1 + + tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 12 ++ + .../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 105 +++++++++ + tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 3 + + .../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 1 + + tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 + + .../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 6 + + .../outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt | 5 + + tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 6 + + .../DEFAULT:PATCH-PAM-GOST-openssh.txt | 7 + + .../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 8 + + .../DEFAULT:PATCH-PAM-GOST-openssl.txt | 1 + + .../DEFAULT:PATCH-PAM-GOST-openssl_fips.txt | 4 + + .../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 8 + tests/outputs/DEFAULT:SHA1-auth.txt | 0 + tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt | 4 + + tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 12 ++ + .../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 105 +++++++++ + tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 3 + + .../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 1 + + tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 + + .../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 6 + + .../outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt | 5 + + tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 6 + + .../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 7 + + .../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 8 + + .../outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt | 1 + + .../DEFAULT:SSSD-PAM-GOST-openssl_fips.txt | 4 + + .../DEFAULT:SSSD-PAM-GOST-opensslcnf.txt | 8 + tests/outputs/EMPTY-auth.txt | 0 tests/outputs/FIPS-auth.txt | 0 tests/outputs/FIPS:ECDHE-ONLY-auth.txt | 0 
@@ -72,8 +112,8 @@ Subject: [PATCH] Added GOST policy also added experimental PAM generator tests/outputs/FIPS:OSPP-auth.txt | 0 tests/outputs/FUTURE-auth.txt | 0 tests/outputs/FUTURE:AD-SUPPORT-auth.txt | 0 - tests/outputs/GOST-ONLY-PAM-auth.txt | 4 + - tests/outputs/GOST-ONLY-PAM-bind.txt | 20 +++ + tests/outputs/GOST-ONLY-PAM-auth.txt | 2 + + tests/outputs/GOST-ONLY-PAM-bind.txt | 20 ++ tests/outputs/GOST-ONLY-PAM-gnutls.txt | 13 ++ tests/outputs/GOST-ONLY-PAM-java.txt | 3 + tests/outputs/GOST-ONLY-PAM-javasystem.txt | 1 + @@ -85,9 +125,9 @@ Subject: [PATCH] Added GOST policy also added experimental PAM generator tests/outputs/GOST-ONLY-PAM-opensshserver.txt | 2 + tests/outputs/GOST-ONLY-PAM-openssl.txt | 1 + tests/outputs/GOST-ONLY-PAM-openssl_fips.txt | 4 + - tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 +++ + tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 ++ tests/outputs/GOST-ONLY-auth.txt | 0 - tests/outputs/GOST-ONLY-bind.txt | 20 +++ + tests/outputs/GOST-ONLY-bind.txt | 20 ++ tests/outputs/GOST-ONLY-gnutls.txt | 13 ++ tests/outputs/GOST-ONLY-java.txt | 3 + tests/outputs/GOST-ONLY-javasystem.txt | 1 + 
@@ -99,12 +139,22 @@ Subject: [PATCH] Added GOST policy also added experimental PAM generator tests/outputs/GOST-ONLY-opensshserver.txt | 2 + tests/outputs/GOST-ONLY-openssl.txt | 1 + tests/outputs/GOST-ONLY-openssl_fips.txt | 4 + - tests/outputs/GOST-ONLY-opensslcnf.txt | 18 +++ - tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 ++++++ - tests/outputs/GOST-ONLY-sequoia.txt | 51 ++++++ + tests/outputs/GOST-ONLY-opensslcnf.txt | 18 ++ + tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 +++++ + tests/outputs/GOST-ONLY-sequoia.txt | 51 +++++ tests/outputs/LEGACY-auth.txt | 0 .../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0 - 100 files changed, 1402 insertions(+), 10 deletions(-) + 140 files changed, 1991 insertions(+), 10 deletions(-) + create mode 100644 authselect_policies/minimal_gost/README + create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS + create mode 100644 authselect_policies/minimal_gost/dconf-db + create mode 100644 authselect_policies/minimal_gost/dconf-locks + create mode 100644 authselect_policies/minimal_gost/fingerprint-auth + create mode 100644 authselect_policies/minimal_gost/nsswitch.conf + create mode 100644 authselect_policies/minimal_gost/password-auth + create mode 100644 authselect_policies/minimal_gost/postlogin + create mode 100644 authselect_policies/minimal_gost/smartcard-auth + create mode 100644 authselect_policies/minimal_gost/system-auth create mode 100644 authselect_policies/sssd_gost/README create mode 100644 authselect_policies/sssd_gost/REQUIREMENTS create mode 100644 authselect_policies/sssd_gost/dconf-db 
@@ -119,6 +169,8 @@ Subject: [PATCH] Added GOST policy also added experimental PAM generator create mode 100644 policies/GOST-ONLY.pol create mode 100644 policies/modules/GOST.pmod create mode 100644 policies/modules/PAM-GOST.pmod + create mode 100644 policies/modules/PATCH-PAM-GOST.pmod + create mode 100644 policies/modules/SSSD-PAM-GOST.pmod create mode 100644 python/policygenerators/auth.py create mode 100644 python/policygenerators/fedora-crypto-policies.code-workspace create mode 100755 scripts/auth_apply.sh 
@@ -155,7 +207,35 @@ Subject: [PATCH] Added GOST policy also added experimental PAM generator create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt create mode 100644 tests/outputs/DEFAULT:SHA1-auth.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt + create mode 100644 
tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt create mode 100644 tests/outputs/EMPTY-auth.txt create mode 100644 tests/outputs/FIPS-auth.txt create mode 100644 tests/outputs/FIPS:ECDHE-ONLY-auth.txt @@ -197,7 +277,7 @@ Subject: [PATCH] Added GOST policy also added experimental PAM generator create mode 100644 tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt diff --git a/Makefile b/Makefile -index 5fb2a61..d3aaa72 100644 +index 5fb2a61..2abbb9c 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,10 @@ 
@@ -234,17 +314,19 @@ index 5fb2a61..d3aaa72 100644 runflake8: @find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8 -@@ -58,6 +65,9 @@ check: +@@ -58,6 +65,11 @@ check: python/build-crypto-policies.py --strict --policy FIPS:NO-ENFORCE-EMS --test --flat policies tests/outputs python/build-crypto-policies.py --strict --policy FUTURE:AD-SUPPORT --test --flat policies tests/outputs python/build-crypto-policies.py --strict --policy LEGACY:AD-SUPPORT-LEGACY --test --flat policies tests/outputs + python/build-crypto-policies.py --strict --policy DEFAULT:GOST --test --flat policies tests/outputs + python/build-crypto-policies.py --strict --policy GOST-ONLY --test --flat policies tests/outputs + python/build-crypto-policies.py --strict --policy DEFAULT:PAM-GOST --test --flat policies tests/outputs ++ python/build-crypto-policies.py --strict --policy DEFAULT:PATCH-PAM-GOST --test --flat policies tests/outputs ++ python/build-crypto-policies.py --strict --policy DEFAULT:SSSD-PAM-GOST --test --flat policies tests/outputs tests/openssl.pl tests/gnutls.pl tests/nss.py -@@ -113,6 +123,7 @@ diff-outputs: +@@ -113,6 +125,7 @@ diff-outputs: python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies output/current || true python/build-crypto-policies.py --policy FIPS:NO-ENFORCE-EMS --test --flat policies output/current || true python/build-crypto-policies.py --policy LEGACY:AD-SUPPORT --test --flat policies output/current || true 
@@ -252,6 +334,232 @@ index 5fb2a61..d3aaa72 100644 $(DIFFTOOL) tests/outputs output/current clean: +diff --git a/authselect_policies/minimal_gost/README b/authselect_policies/minimal_gost/README +new file mode 100644 +index 0000000..9839669 +--- /dev/null ++++ b/authselect_policies/minimal_gost/README +@@ -0,0 +1,84 @@ ++Local users only for minimal installations and gost support ++=========================================================== ++ ++Selecting this profile will enable local files as the source of identity ++and authentication providers. ++ ++This profile can be used on systems that require minimal installation to ++save disk and memory space. It serves only local users and groups directly ++from system files instead of going through other authentication providers. ++Therefore SSSD, winbind and fprintd packages can be safely removed. ++ ++AVAILABLE OPTIONAL FEATURES ++--------------------------- ++ ++without-nullok:: ++ Do not add nullok parameter to pam_unix. ++ ++with-gost:: ++ Use GOST hash for shadow password instead of sha512 ++ ++with-silent-lastlog:: ++ Do not produce pam_lastlog message during login. ++ ++DISABLE SPECIFIC NSSWITCH DATABASES ++----------------------------------- ++ ++Normally, nsswitch databases set by the profile overwrites values set in ++user-nsswitch.conf. The following options can force authselect to ++ignore value set by the profile and use the one set in user-nsswitch.conf ++instead. ++ ++with-custom-aliases:: ++Ignore "aliases" map set by the profile. ++ ++with-custom-automount:: ++Ignore "automount" map set by the profile. ++ ++with-custom-ethers:: ++Ignore "ethers" map set by the profile. ++ ++with-custom-group:: ++Ignore "group" map set by the profile. ++ ++with-custom-hosts:: ++Ignore "hosts" map set by the profile. ++ ++with-custom-initgroups:: ++Ignore "initgroups" map set by the profile. ++ ++with-custom-netgroup:: ++Ignore "netgroup" map set by the profile. 
++ ++with-custom-networks:: ++Ignore "networks" map set by the profile. ++ ++with-custom-passwd:: ++Ignore "passwd" map set by the profile. ++ ++with-custom-protocols:: ++Ignore "protocols" map set by the profile. ++ ++with-custom-publickey:: ++Ignore "publickey" map set by the profile. ++ ++with-custom-rpc:: ++Ignore "rpc" map set by the profile. ++ ++with-custom-services:: ++Ignore "services" map set by the profile. ++ ++with-custom-shadow:: ++Ignore "shadow" map set by the profile. ++ ++EXAMPLES ++-------- ++ ++* Enable minimal profile ++ ++ authselect select minimal ++ ++SEE ALSO ++-------- ++* man passwd(5) ++* man group(5) +diff --git a/authselect_policies/minimal_gost/REQUIREMENTS b/authselect_policies/minimal_gost/REQUIREMENTS +new file mode 100644 +index 0000000..e69de29 +diff --git a/authselect_policies/minimal_gost/dconf-db b/authselect_policies/minimal_gost/dconf-db +new file mode 100644 +index 0000000..a3868b7 +--- /dev/null ++++ b/authselect_policies/minimal_gost/dconf-db +@@ -0,0 +1,3 @@ ++[org/gnome/login-screen] ++enable-smartcard-authentication=false ++enable-fingerprint-authentication=false +diff --git a/authselect_policies/minimal_gost/dconf-locks b/authselect_policies/minimal_gost/dconf-locks +new file mode 100644 +index 0000000..8a36fa9 +--- /dev/null ++++ b/authselect_policies/minimal_gost/dconf-locks +@@ -0,0 +1,2 @@ ++/org/gnome/login-screen/enable-smartcard-authentication ++/org/gnome/login-screen/enable-fingerprint-authentication +diff --git a/authselect_policies/minimal_gost/fingerprint-auth b/authselect_policies/minimal_gost/fingerprint-auth +new file mode 100644 +index 0000000..ca152fb +--- /dev/null ++++ b/authselect_policies/minimal_gost/fingerprint-auth +@@ -0,0 +1,16 @@ ++auth required pam_env.so ++auth sufficient pam_fprintd.so ++auth required pam_deny.so ++ ++account required pam_unix.so ++account sufficient pam_localuser.so ++account sufficient pam_succeed_if.so uid < 500 quiet ++account required pam_permit.so ++ ++password 
required pam_deny.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so +diff --git a/authselect_policies/minimal_gost/nsswitch.conf b/authselect_policies/minimal_gost/nsswitch.conf +new file mode 100644 +index 0000000..f1f5941 +--- /dev/null ++++ b/authselect_policies/minimal_gost/nsswitch.conf +@@ -0,0 +1,14 @@ ++passwd: sss files systemd {exclude if "with-custom-passwd"} ++shadow: files {exclude if "with-custom-shadow"} ++group: sss files systemd {exclude if "with-custom-group"} ++hosts: files dns myhostname {exclude if "with-custom-hosts"} ++services: files sss {exclude if "with-custom-services"} ++netgroup: sss {exclude if "with-custom-netgroup"} ++automount: files sss {exclude if "with-custom-automount"} ++aliases: files {exclude if "with-custom-aliases"} ++ethers: files {exclude if "with-custom-ethers"} ++gshadow: files ++networks: files dns {exclude if "with-custom-networks"} ++protocols: files {exclude if "with-custom-protocols"} ++publickey: files {exclude if "with-custom-publickey"} ++rpc: files {exclude if "with-custom-rpc"} +diff --git a/authselect_policies/minimal_gost/password-auth b/authselect_policies/minimal_gost/password-auth +new file mode 100644 +index 0000000..5da3730 +--- /dev/null ++++ b/authselect_policies/minimal_gost/password-auth +@@ -0,0 +1,15 @@ ++auth required pam_env.so ++auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok} ++auth required pam_deny.so ++ ++account required pam_unix.so ++ ++password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ++password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow ++password required pam_deny.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session 
optional pam_systemd.so ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so +diff --git a/authselect_policies/minimal_gost/postlogin b/authselect_policies/minimal_gost/postlogin +new file mode 100644 +index 0000000..8d9bfd0 +--- /dev/null ++++ b/authselect_policies/minimal_gost/postlogin +@@ -0,0 +1,4 @@ ++session optional pam_umask.so silent ++session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet ++session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} ++session optional pam_lastlog.so silent noupdate showfailed +diff --git a/authselect_policies/minimal_gost/smartcard-auth b/authselect_policies/minimal_gost/smartcard-auth +new file mode 100644 +index 0000000..f0843be +--- /dev/null ++++ b/authselect_policies/minimal_gost/smartcard-auth +@@ -0,0 +1,16 @@ ++auth required pam_env.so ++auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card ++auth required pam_deny.so ++ ++account required pam_unix.so ++account sufficient pam_localuser.so ++account sufficient pam_succeed_if.so uid < 500 quiet ++account required pam_permit.so ++ ++password optional pam_pkcs11.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so +diff --git a/authselect_policies/minimal_gost/system-auth b/authselect_policies/minimal_gost/system-auth +new file mode 100644 +index 0000000..5da3730 +--- /dev/null ++++ b/authselect_policies/minimal_gost/system-auth +@@ -0,0 +1,15 @@ ++auth required pam_env.so ++auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok} ++auth required pam_deny.so ++ ++account required pam_unix.so ++ ++password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ++password sufficient pam_unix.so 
try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow ++password required pam_deny.so ++ ++session optional pam_keyinit.so revoke ++session required pam_limits.so ++-session optional pam_systemd.so ++session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ++session required pam_unix.so diff --git a/authselect_policies/sssd_gost/README b/authselect_policies/sssd_gost/README new file mode 100644 index 0000000..02daa76 @@ -651,7 +959,7 @@ index 0000000..31d4ee1 +session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} diff --git a/policies/GOST-ONLY-PAM.pol b/policies/GOST-ONLY-PAM.pol new file mode 100644 -index 0000000..399d2f7 +index 0000000..fce3bdb --- /dev/null +++ b/policies/GOST-ONLY-PAM.pol @@ -0,0 +1,29 @@ @@ -683,7 +991,7 @@ index 0000000..399d2f7 +sha1_in_certs = 0 + +action_do = GOST -+authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog ++authopt@AUTH = custom/minimal_gost with-gost diff --git a/policies/GOST-ONLY.pol b/policies/GOST-ONLY.pol new file mode 100644 index 0000000..37e478b @@ -744,13 +1052,29 @@ index 0000000..b9021ea +action_do = +GOST diff --git a/policies/modules/PAM-GOST.pmod b/policies/modules/PAM-GOST.pmod new file mode 100644 -index 0000000..9082402 +index 0000000..06d92c5 --- /dev/null 
+++ b/policies/modules/PAM-GOST.pmod -@@ -0,0 +1,5 @@ +@@ -0,0 +1,3 @@ +#Add shadow gost support + -+action_do = +GOST ++authopt@AUTH = custom/minimal_gost with-gost +diff --git a/policies/modules/PATCH-PAM-GOST.pmod b/policies/modules/PATCH-PAM-GOST.pmod +new file mode 100644 +index 0000000..a79abd0 +--- /dev/null ++++ b/policies/modules/PATCH-PAM-GOST.pmod +@@ -0,0 +1,3 @@ ++#Add shadow gost support ++ ++authopt@AUTH = patch +diff --git a/policies/modules/SSSD-PAM-GOST.pmod b/policies/modules/SSSD-PAM-GOST.pmod +new file mode 100644 +index 0000000..f28939e +--- /dev/null ++++ b/policies/modules/SSSD-PAM-GOST.pmod +@@ -0,0 +1,3 @@ ++#Add shadow gost support + +authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py @@ -982,11 +1306,13 @@ index 165a26b..75940d8 100644 s += 'Options = RHNoEnforceEMSinFIPS\n' diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh new file mode 100755 -index 0000000..0fa7192 +index 0000000..5b2ecad --- /dev/null +++ b/scripts/auth_apply.sh -@@ -0,0 +1,115 @@ +@@ -0,0 +1,204 @@ +#!/usr/bin/bash ++exec 1> /var/log/crypto-cmc/auth.log 2>&1 ++set -x +# Скрипт настройки профиля authselect для crypto-policy +# Примеры запуска: +# auth_apply.sh -e - восстановить конфигурацию без указания auth профиля 
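Review bot: PAM-GOST.pmod, PATCH-PAM-GOST.pmod and SSSD-PAM-GOST.pmod all carry the identical header `#Add shadow gost support`, which hides that they do very different things: two switch the authselect profile, while `authopt@AUTH = patch` makes auth_apply.sh rewrite /etc/pam.d/system-auth and password-auth in place with sed and never touches the profile. Give each module a comment naming its mechanism, e.g. `# Select authselect profile custom/minimal_gost with GOST shadow hashing` and, for the patch variant, `# Keep the current authselect profile; auth_apply.sh replaces the pam_unix hash in /etc/pam.d in place`. PAM-GOST.pmod also drops the earlier `action_do = +GOST`, so DEFAULT:PAM-GOST no longer enables the GOST crypto module; the regenerated test outputs suggest this is intended, but the module comment should say that the crypto side now has to be added separately via DEFAULT:GOST.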
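Review bot: `exec 1> /var/log/crypto-cmc/auth.log 2>&1` truncates the log on every run and, because a non-interactive bash exits when an `exec` redirection fails, the script stops before doing anything if /var/log/crypto-cmc does not exist — nothing in the patch creates that directory. Create it and append instead: `/usr/bin/mkdir -p -m 0750 /var/log/crypto-cmc` followed by `exec 1>> /var/log/crypto-cmc/auth.log 2>&1`. With all output redirected, the `-t` test mode parsed by getopts below no longer shows the caller anything (the `echo` branches are removed further down), so either drop `-t` from the usage text or skip the redirection when `$TEST` is set. Since `set -x` records every expanded command line, the log should stay readable by root only.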
@@ -999,10 +1325,39 @@ index 0000000..0fa7192 +AUTH_CONFIG=authselect.conf +EMPTY=0 +TEST="" -+AUTH_SELECT_APPLY="/usr/bin/authselect apply-changes" -+AUTH_SELECT_APPLY_FORCE="/usr/bin/authselect apply-changes --force" -+AUTH_SELECT_APPLY_FORCE_BACKUP="/usr/bin/authselect apply-changes --force --backup=" +AUTH_BACKUP_NAME="auth_saved_profile" ++USE_PATCH="$CONF_PATH/autheslect.patch" ++ ++function set_gost ++{ ++ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/system-auth ++ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/password-auth ++ ++} ++ ++function set_no_gost ++{ ++ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/system-auth ++ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/password-auth ++} ++ ++function get_auth_options ++{ ++ /usr/bin/cat /etc/crypto-policies/back-ends/auth.config | tr '\n' ' ' ++} ++ ++function save_restored_profile ++{ ++ if [ ! -e /etc/authselect/custom/restored ];then ++ /usr/bin/authselect create-profile restored ++ [ -e /etc/pam.d/fingerprint-auth ] && /usr/bin/cp -f /etc/pam.d/fingerprint-auth /etc/authselect/custom/restored/ ++ [ -e /etc/pam.d/password-auth ] && /usr/bin/cp -f /etc/pam.d/password-auth /etc/authselect/custom/restored/ ++ [ -e /etc/pam.d/postlogin ] && /usr/bin/cp -f /etc/pam.d/postlogin /etc/authselect/custom/restored/ ++ [ -e /etc/pam.d/smartcard-auth ] && /usr/bin/cp -f /etc/pam.d/smartcard-auth /etc/authselect/custom/restored/ ++ [ -e /etc/pam.d/system-auth ] && /usr/bin/cp -f /etc/pam.d/system-auth /etc/authselect/custom/restored/ ++ [ -e /etc/authselect/user-nsswitch.conf ] && /usr/bin/cp -f /etc/authselect/user-nsswitch.conf /etc/authselect/custom/restored/nsswitch.conf ++ fi ++} + +while getopts ':et:p:h' VAL ; do + case $VAL in 
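Review bot: `USE_PATCH="$CONF_PATH/autheslect.patch"` misspells the marker file name; the path is persisted on disk and tested by later runs (`-e "$USE_PATCH"`), so renaming it after release would need a migration — fix it now as `USE_PATCH="$CONF_PATH/authselect.patch"`. In `save_restored_profile` the outcome of `/usr/bin/authselect create-profile restored` is not checked, so if profile creation fails the following `cp` calls fail or land outside a profile directory; guard it with `/usr/bin/authselect create-profile restored || return 1`. `set_gost` and `set_no_gost` repeat the same sed for two files and would read better as one loop over `/etc/pam.d/system-auth /etc/pam.d/password-auth`; each also deserves a comment stating that it edits files authselect owns, which authselect will likely report as modified outside its control until the marker is removed.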
@@ -1049,9 +1404,22 @@ index 0000000..0fa7192 + +# Дополнительная проверка, файл authselect.conf не должен быть пустым +# или соедржать слово empty--data, иначе это признак empty -+AUTH_CONF_CONT=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG" | /usr/bin/xargs) -+if [ -z "$AUTH_CONF_CONT" -o "$AUTH_CONF_CONT" = "empty--data" ];then -+ EMPTY=1 ++if [ -e "$PATH_TO_AUTH_CONFIG" ];then ++ AUTH_CONF_CONT=$(/usr/bin/cat "$POLICY_CONFIG" | /usr/bin/xargs) ++ if [ -z "$AUTH_CONF_CONT" -o "$AUTH_CONF_CONT" = "empty--data" ];then ++ EMPTY=1 ++ fi ++else ++ EMPTY=2 ++fi ++ ++# Проверим, нужно ли накладывать патч. Установлено ли это конфигурацией ++NEED_PATCH=0 ++if [ -e "$POLICY_CONFIG" ];then ++ RES=$(cat "$POLICY_CONFIG") ++ if [ "$RES" = "patch" ];then ++ NEED_PATCH=1 ++ fi +fi + +# Если задан параметр empty, это значит, что применяется профиль 
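Review bot: The guard and the read disagree — `if [ -e "$PATH_TO_AUTH_CONFIG" ]` protects a read of `$POLICY_CONFIG`, so EMPTY=1 is now decided by the policy file while the comment above still says authselect.conf must not be empty; if the intent is "authselect.conf exists and the policy declares no profile", update the comment accordingly, and note that a missing `$POLICY_CONFIG` makes the `cat` fail inside the guard and leaves EMPTY at 0. The NEED_PATCH block then reads `$POLICY_CONFIG` a second time; read it once, e.g. `POLICY_CONT=$(/usr/bin/cat "$POLICY_CONFIG" 2>/dev/null | /usr/bin/xargs)`, and compare it against both `empty--data` and `patch`. The bare `cat` and the `-o` operator (obsolescent in POSIX `test`) also diverge from the `/usr/bin/cat` and separate `[ ]` tests used elsewhere in the script.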
@@ -1061,43 +1429,88 @@ index 0000000..0fa7192 +# authselect backup-restore auth_saved_profile +# данный снимок создается при профиля через crypto-policy +if [ "$EMPTY" = "1" ];then -+ if [ -e "$PATH_TO_AUTH_SEL_BAK" ];then ++# Если есть файл authselect.patch, значит профиль был пропатчен, ++# а не установлен через профиль ++ if [ -e "$USE_PATCH" ];then ++ set_no_gost ++ /usr/bin/mv -f "$USE_PATCH" "$USE_PATCH.removed" ++ else ++ if [ -e "$PATH_TO_AUTH_SEL_BAK" ];then +# Только root может восстанавливать конфигурацию из резервной копии +# дабыизбежать подлога и восстановления файла, созданного пользователем -+ OWNER_UID=$(/usr/bin/stat -c "%u" "$PATH_TO_AUTH_SEL_BAK") -+ if [ "$OWNER_UID" = "0" ];then -+ /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG" ++ OWNER_UID=$(/usr/bin/stat -c "%u" "$PATH_TO_AUTH_SEL_BAK") ++ if [ "$OWNER_UID" = "0" ];then ++ /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG" ++ fi ++ AUTH_CONT=$(cat "$PATH_TO_AUTH_CONFIG") ++# Есди файл настроек authselect пустой после восстановления ++# значит он создан ранее скриптом и его нужно убрать ++ if [ -z "$AUTH_CONT" ];then ++ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed" ++ fi ++ else ++ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed" ++ fi ++ if [ -e "$PATH_TO_AUTH_CONFIG" ];then ++ /usr/bin/authselect apply-changes ++ else ++ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then ++ /usr/bin/authselect backup-restore "$AUTH_BACKUP_NAME" ++ else ++ if [ -e /etc/authselect/custom/resored ];then ++ /usr/bin/authselect select custom/restored --force ++ fi ++ fi + fi -+ fi -+ if [ -z "$TEST" ];then -+ $AUTH_SELECT_APPLY -+ else -+ echo "$AUTH_SELECT_APPLY" + fi + exit 0 +fi + -+# Если не найден файл маркер, то создается файл бэкапа для authselect -+# а так же создается файл маркер -+if [ ! 
-e "$PATH_TO_AUTH_SEL_BAK" ];then -+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_SEL_BAK" -+ if [ -z "$TEST" ];then -+ AUTH_BKP="$AUTH_SELECT_APPLY_FORCE_BACKUP$AUTH_BACKUP_NAME" -+ $AUTH_BKP -+ else -+ echo "$AUTH_SELECT_APPLY_FORCE_BACKUP$AUTH_BACKUP_NAME" -+ fi -+fi +# Здесь проверяется куда указывает симлинк(если создан) конфигурационного файла +# если он смотрит на policy конфигурационный файл, то ничего не делаем, т.к. все уже сделано до нас -+LINK_VALUE=$(/usr/bin/readlink "$PATH_TO_AUTH_CONFIG") -+if [ "$LINK_VALUE" != "$POLICY_CONFIG" ];then -+ /usr/bin/ln -s "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" -+fi -+if [ -z "$TEST" ];then -+ $AUTH_SELECT_APPLY ++if [ "$EMPTY" = "2" ];then ++ if [ "$NEED_PATCH" = "1" ];then ++ set_gost ++ touch "$USE_PATCH" ++ else ++ OPTS_FOR_EXECUTE=$(get_auth_options) ++ if [ -n "$OPTS_FOR_EXECUTE" ];then ++ save_restored_profile ++ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then ++ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force ++ else ++ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force --backup=auth_saved_profile ++ fi ++ #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" ++ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" ++ /usr/bin/authselect apply-changes ++ touch "$PATH_TO_AUTH_SEL_BAK" ++ fi ++ fi +else -+ echo "$AUTH_SELECT_APPLY" ++ if [ "$NEED_PATCH" = "1" ];then ++ set_gost ++ touch "$USE_PATCH" ++ else ++# Если не найден файл маркер, то создается файл бэкапа для authselect ++# а так же создается файл маркер ++ if [ ! -e "$PATH_TO_AUTH_SEL_BAK" ];then ++ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_SEL_BAK" ++ EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG") ++ if [ -n "$EMPTY_AUTH" ];then ++ if [ ! 
-e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then ++ /usr/bin/authselect apply-changes --backup="$AUTH_BACKUP_NAME" ++ fi ++ fi ++ fi ++ ++ #LINK_VALUE=$(/usr/bin/readlink "$PATH_TO_AUTH_CONFIG") ++ #if [ "$LINK_VALUE" != "$POLICY_CONFIG" ];then ++ # #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" ++ #fi ++ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" ++ /usr/bin/authselect apply-changes ++ fi +fi + +exit 0 @@ -1593,14 +2006,12 @@ index 0000000..135997c +default_disposition = "never" diff --git a/tests/outputs/DEFAULT:PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PAM-GOST-auth.txt new file mode 100644 -index 0000000..4884073 +index 0000000..110527f --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-auth.txt -@@ -0,0 +1,4 @@ -+custom/sssd_gost +@@ -0,0 +1,2 @@ ++custom/minimal_gost +with-gost -+with-fingerprint -+with-silent-lastlog \ No newline at end of file diff --git a/tests/outputs/DEFAULT:PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PAM-GOST-bind.txt new file mode 100644 @@ -1836,10 +2247,10 @@ index 0000000..c69d6e1 +activate = 1 diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt new file mode 100644 -index 0000000..1af2431 +index 0000000..8f18d1e --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt -@@ -0,0 +1,20 @@ +@@ -0,0 +1,8 @@ +CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 +TLS.MinProtocol = TLSv1.2 
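Review bot: In the EMPTY=1 branch the fallback `if [ -e /etc/authselect/custom/resored ]` misspells the profile directory created by `save_restored_profile`, so `authselect select custom/restored --force` can never run; it should read `if [ -e /etc/authselect/custom/restored ];then`. In the final branch, `EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG")` runs right after that file was moved to `$PATH_TO_AUTH_SEL_BAK`, so it always reads nothing and the `--backup="$AUTH_BACKUP_NAME"` snapshot is never taken; read the moved copy instead, `EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_SEL_BAK")`. The EMPTY=2 branch hard-codes `--backup=auth_saved_profile` where the restore path uses `"$AUTH_BACKUP_NAME"`, and `authselect select $OPTS_FOR_EXECUTE --force` relies on word splitting of file contents, so a `set -f` around it would stop stray glob characters from expanding. The commented-out `LINK_VALUE`/`ln -sf` block should be deleted rather than left in.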
@@ -1848,52 +2259,549 @@ index 0000000..1af2431 +DTLS.MaxProtocol = DTLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 +Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 -+ -+[openssl_init] -+engines = engine_gost -+ -+[engine_gost] -+gost = gost_section -+ -+[gost_section] -+engine_id = gost -+dynamic_path = /usr/lib64/engines-3/gost.so -+default_algorithms = ALL -+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet -diff --git a/tests/outputs/DEFAULT:SHA1-auth.txt b/tests/outputs/DEFAULT:SHA1-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/EMPTY-auth.txt b/tests/outputs/EMPTY-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FIPS-auth.txt b/tests/outputs/FIPS-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FIPS:ECDHE-ONLY-auth.txt b/tests/outputs/FIPS:ECDHE-ONLY-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt b/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FIPS:OSPP-auth.txt b/tests/outputs/FIPS:OSPP-auth.txt -new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FUTURE-auth.txt b/tests/outputs/FUTURE-auth.txt +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/FUTURE:AD-SUPPORT-auth.txt b/tests/outputs/FUTURE:AD-SUPPORT-auth.txt +index 0000000..dbcae14 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt +@@ -0,0 +1 @@ ++patch +\ No newline at end of file +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt 
b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt new file mode 100644 -index 0000000..e69de29 -diff --git a/tests/outputs/GOST-ONLY-PAM-auth.txt b/tests/outputs/GOST-ONLY-PAM-auth.txt +index 0000000..9ec8420 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt +@@ -0,0 +1,12 @@ ++disable-algorithms "." { ++RSAMD5; ++RSASHA1; ++NSEC3RSASHA1; ++DSA; ++NSEC3DSA; ++ECCGOST; ++}; ++disable-ds-digests "." { ++SHA-1; ++GOST; ++}; +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt new file mode 100644 -index 0000000..4884073 +index 0000000..9a04550 
--- /dev/null -+++ b/tests/outputs/GOST-ONLY-PAM-auth.txt -@@ -0,0 +1,4 @@ -+custom/sssd_gost -+with-gost -+with-fingerprint -+with-silent-lastlog ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt +@@ -0,0 +1,105 @@ ++[global] ++override-mode = allowlist ++ ++[overrides] ++secure-hash = SHA256 ++secure-hash = SHA384 ++secure-hash = SHA512 ++secure-hash = SHA3-256 ++secure-hash = SHA3-384 ++secure-hash = SHA3-512 ++secure-hash = SHA224 ++secure-hash = SHA3-224 ++secure-hash = SHAKE-256 ++tls-enabled-mac = AEAD ++tls-enabled-mac = SHA1 ++tls-enabled-mac = SHA512 ++tls-enabled-group = GROUP-X25519 ++tls-enabled-group = GROUP-SECP256R1 ++tls-enabled-group = GROUP-X448 ++tls-enabled-group = GROUP-SECP521R1 ++tls-enabled-group = GROUP-SECP384R1 ++tls-enabled-group = GROUP-FFDHE2048 ++tls-enabled-group = GROUP-FFDHE3072 ++tls-enabled-group = GROUP-FFDHE4096 ++tls-enabled-group = GROUP-FFDHE6144 ++tls-enabled-group = GROUP-FFDHE8192 ++secure-sig = ECDSA-SHA3-256 ++secure-sig = ECDSA-SHA256 ++secure-sig = ECDSA-SECP256R1-SHA256 ++secure-sig = ECDSA-SHA3-384 ++secure-sig = ECDSA-SHA384 ++secure-sig = ECDSA-SECP384R1-SHA384 ++secure-sig = ECDSA-SHA3-512 ++secure-sig = ECDSA-SHA512 ++secure-sig = ECDSA-SECP521R1-SHA512 ++secure-sig = EdDSA-Ed25519 ++secure-sig = EdDSA-Ed448 ++secure-sig = RSA-PSS-SHA256 ++secure-sig = RSA-PSS-SHA384 ++secure-sig = RSA-PSS-SHA512 ++secure-sig = RSA-PSS-RSAE-SHA256 ++secure-sig = RSA-PSS-RSAE-SHA384 ++secure-sig = RSA-PSS-RSAE-SHA512 ++secure-sig = RSA-SHA3-256 ++secure-sig = RSA-SHA256 ++secure-sig = RSA-SHA3-384 ++secure-sig = RSA-SHA384 ++secure-sig = RSA-SHA3-512 ++secure-sig = RSA-SHA512 ++secure-sig = ECDSA-SHA224 ++secure-sig = RSA-SHA224 ++secure-sig = ECDSA-SHA3-224 ++secure-sig = RSA-SHA3-224 ++secure-sig-for-cert = ECDSA-SHA3-256 ++secure-sig-for-cert = ECDSA-SHA256 ++secure-sig-for-cert = ECDSA-SECP256R1-SHA256 ++secure-sig-for-cert = ECDSA-SHA3-384 ++secure-sig-for-cert = ECDSA-SHA384 ++secure-sig-for-cert = 
ECDSA-SECP384R1-SHA384 ++secure-sig-for-cert = ECDSA-SHA3-512 ++secure-sig-for-cert = ECDSA-SHA512 ++secure-sig-for-cert = ECDSA-SECP521R1-SHA512 ++secure-sig-for-cert = EdDSA-Ed25519 ++secure-sig-for-cert = EdDSA-Ed448 ++secure-sig-for-cert = RSA-PSS-SHA256 ++secure-sig-for-cert = RSA-PSS-SHA384 ++secure-sig-for-cert = RSA-PSS-SHA512 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA256 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA384 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA512 ++secure-sig-for-cert = RSA-SHA3-256 ++secure-sig-for-cert = RSA-SHA256 ++secure-sig-for-cert = RSA-SHA3-384 ++secure-sig-for-cert = RSA-SHA384 ++secure-sig-for-cert = RSA-SHA3-512 ++secure-sig-for-cert = RSA-SHA512 ++secure-sig-for-cert = ECDSA-SHA224 ++secure-sig-for-cert = RSA-SHA224 ++secure-sig-for-cert = ECDSA-SHA3-224 ++secure-sig-for-cert = RSA-SHA3-224 ++enabled-curve = X25519 ++enabled-curve = SECP256R1 ++enabled-curve = X448 ++enabled-curve = SECP521R1 ++enabled-curve = SECP384R1 ++enabled-curve = Ed25519 ++enabled-curve = Ed448 ++tls-enabled-cipher = AES-256-GCM ++tls-enabled-cipher = AES-256-CCM ++tls-enabled-cipher = CHACHA20-POLY1305 ++tls-enabled-cipher = AES-256-CBC ++tls-enabled-cipher = AES-128-GCM ++tls-enabled-cipher = AES-128-CCM ++tls-enabled-cipher = AES-128-CBC ++tls-enabled-kx = ECDHE-RSA ++tls-enabled-kx = ECDHE-ECDSA ++tls-enabled-kx = RSA ++tls-enabled-kx = DHE-RSA ++enabled-version = TLS1.3 ++enabled-version = TLS1.2 ++enabled-version = DTLS1.2 ++min-verification-profile = medium ++ ++[priorities] ++SYSTEM=NONE +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt +new file mode 100644 +index 0000000..1a48c4a +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt +@@ -0,0 +1,3 @@ ++jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 ++jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, 
DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 ++jdk.tls.legacyAlgorithms= +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt +new file mode 100644 +index 0000000..108de3d +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt +@@ -0,0 +1 @@ ++jdk.tls.ephemeralDHKeySize=2048 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt +new file mode 100644 +index 0000000..415dcb3 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt +@@ -0,0 +1,2 @@ ++[libdefaults] ++permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt +new file mode 100644 +index 0000000..9f2f5db +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt +@@ -0,0 +1,6 @@ ++conn %default ++ ikev2=insist ++ pfs=yes ++ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 ++ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 ++ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt +new file mode 100644 +index 0000000..49d8251 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt +@@ -0,0 +1,5 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs 
hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt +new file mode 100644 +index 0000000..b8bf74a +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt +@@ -0,0 +1,6 @@ ++library= ++name=Policy ++NSS=flags=policyOnly,moduleDB ++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" ++ ++ +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt +new file mode 100644 +index 0000000..47d352e +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt +@@ -0,0 +1,7 @@ ++Ciphers 
aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt +new file mode 100644 +index 0000000..8105750 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt +@@ -0,0 +1,8 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt +new file mode 100644 +index 0000000..952c651 +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt +@@ -0,0 +1 @@ ++@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt +new file mode 100644 +index 0000000..c69d6e1 +--- /dev/null 
++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt +@@ -0,0 +1,4 @@ ++ ++[fips_sect] ++tls1-prf-ems-check = 1 ++activate = 1 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt +new file mode 100644 +index 0000000..8f18d1e +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt +@@ -0,0 +1,8 @@ ++CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 ++TLS.MinProtocol = TLSv1.2 ++TLS.MaxProtocol = TLSv1.3 ++DTLS.MinProtocol = DTLSv1.2 ++DTLS.MaxProtocol = DTLSv1.2 ++SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 ++Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +diff --git a/tests/outputs/DEFAULT:SHA1-auth.txt b/tests/outputs/DEFAULT:SHA1-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt +new file mode 100644 +index 0000000..4884073 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt +@@ -0,0 +1,4 @@ ++custom/sssd_gost ++with-gost ++with-fingerprint ++with-silent-lastlog +\ No newline at end of file +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt +new file mode 100644 +index 0000000..9ec8420 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt +@@ -0,0 +1,12 @@ ++disable-algorithms "." { ++RSAMD5; ++RSASHA1; ++NSEC3RSASHA1; ++DSA; ++NSEC3DSA; ++ECCGOST; ++}; ++disable-ds-digests "." 
{ ++SHA-1; ++GOST; ++}; +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt +new file mode 100644 +index 0000000..9a04550 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt +@@ -0,0 +1,105 @@ ++[global] ++override-mode = allowlist ++ ++[overrides] ++secure-hash = SHA256 ++secure-hash = SHA384 ++secure-hash = SHA512 ++secure-hash = SHA3-256 ++secure-hash = SHA3-384 ++secure-hash = SHA3-512 ++secure-hash = SHA224 ++secure-hash = SHA3-224 ++secure-hash = SHAKE-256 ++tls-enabled-mac = AEAD ++tls-enabled-mac = SHA1 ++tls-enabled-mac = SHA512 ++tls-enabled-group = GROUP-X25519 ++tls-enabled-group = GROUP-SECP256R1 ++tls-enabled-group = GROUP-X448 ++tls-enabled-group = GROUP-SECP521R1 ++tls-enabled-group = GROUP-SECP384R1 ++tls-enabled-group = GROUP-FFDHE2048 ++tls-enabled-group = GROUP-FFDHE3072 ++tls-enabled-group = GROUP-FFDHE4096 ++tls-enabled-group = GROUP-FFDHE6144 ++tls-enabled-group = GROUP-FFDHE8192 ++secure-sig = ECDSA-SHA3-256 ++secure-sig = ECDSA-SHA256 ++secure-sig = ECDSA-SECP256R1-SHA256 ++secure-sig = ECDSA-SHA3-384 ++secure-sig = ECDSA-SHA384 ++secure-sig = ECDSA-SECP384R1-SHA384 ++secure-sig = ECDSA-SHA3-512 ++secure-sig = ECDSA-SHA512 ++secure-sig = ECDSA-SECP521R1-SHA512 ++secure-sig = EdDSA-Ed25519 ++secure-sig = EdDSA-Ed448 ++secure-sig = RSA-PSS-SHA256 ++secure-sig = RSA-PSS-SHA384 ++secure-sig = RSA-PSS-SHA512 ++secure-sig = RSA-PSS-RSAE-SHA256 ++secure-sig = RSA-PSS-RSAE-SHA384 ++secure-sig = RSA-PSS-RSAE-SHA512 ++secure-sig = RSA-SHA3-256 ++secure-sig = RSA-SHA256 ++secure-sig = RSA-SHA3-384 ++secure-sig = RSA-SHA384 ++secure-sig = RSA-SHA3-512 ++secure-sig = RSA-SHA512 ++secure-sig = ECDSA-SHA224 ++secure-sig = RSA-SHA224 ++secure-sig = ECDSA-SHA3-224 ++secure-sig = RSA-SHA3-224 ++secure-sig-for-cert = ECDSA-SHA3-256 ++secure-sig-for-cert = ECDSA-SHA256 ++secure-sig-for-cert = ECDSA-SECP256R1-SHA256 ++secure-sig-for-cert = ECDSA-SHA3-384 ++secure-sig-for-cert = 
ECDSA-SHA384 ++secure-sig-for-cert = ECDSA-SECP384R1-SHA384 ++secure-sig-for-cert = ECDSA-SHA3-512 ++secure-sig-for-cert = ECDSA-SHA512 ++secure-sig-for-cert = ECDSA-SECP521R1-SHA512 ++secure-sig-for-cert = EdDSA-Ed25519 ++secure-sig-for-cert = EdDSA-Ed448 ++secure-sig-for-cert = RSA-PSS-SHA256 ++secure-sig-for-cert = RSA-PSS-SHA384 ++secure-sig-for-cert = RSA-PSS-SHA512 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA256 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA384 ++secure-sig-for-cert = RSA-PSS-RSAE-SHA512 ++secure-sig-for-cert = RSA-SHA3-256 ++secure-sig-for-cert = RSA-SHA256 ++secure-sig-for-cert = RSA-SHA3-384 ++secure-sig-for-cert = RSA-SHA384 ++secure-sig-for-cert = RSA-SHA3-512 ++secure-sig-for-cert = RSA-SHA512 ++secure-sig-for-cert = ECDSA-SHA224 ++secure-sig-for-cert = RSA-SHA224 ++secure-sig-for-cert = ECDSA-SHA3-224 ++secure-sig-for-cert = RSA-SHA3-224 ++enabled-curve = X25519 ++enabled-curve = SECP256R1 ++enabled-curve = X448 ++enabled-curve = SECP521R1 ++enabled-curve = SECP384R1 ++enabled-curve = Ed25519 ++enabled-curve = Ed448 ++tls-enabled-cipher = AES-256-GCM ++tls-enabled-cipher = AES-256-CCM ++tls-enabled-cipher = CHACHA20-POLY1305 ++tls-enabled-cipher = AES-256-CBC ++tls-enabled-cipher = AES-128-GCM ++tls-enabled-cipher = AES-128-CCM ++tls-enabled-cipher = AES-128-CBC ++tls-enabled-kx = ECDHE-RSA ++tls-enabled-kx = ECDHE-ECDSA ++tls-enabled-kx = RSA ++tls-enabled-kx = DHE-RSA ++enabled-version = TLS1.3 ++enabled-version = TLS1.2 ++enabled-version = DTLS1.2 ++min-verification-profile = medium ++ ++[priorities] ++SYSTEM=NONE +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt +new file mode 100644 +index 0000000..1a48c4a +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt +@@ -0,0 +1,3 @@ ++jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 ++jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, 
DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 ++jdk.tls.legacyAlgorithms= +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt +new file mode 100644 +index 0000000..108de3d +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt +@@ -0,0 +1 @@ ++jdk.tls.ephemeralDHKeySize=2048 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt +new file mode 100644 +index 0000000..415dcb3 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt +@@ -0,0 +1,2 @@ ++[libdefaults] ++permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt +new file mode 100644 +index 0000000..9f2f5db +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt +@@ -0,0 +1,6 @@ ++conn %default ++ ikev2=insist ++ pfs=yes ++ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 ++ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 ++ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt +new file mode 100644 +index 0000000..49d8251 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt +@@ -0,0 +1,5 @@ ++Ciphers 
aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt +new file mode 100644 +index 0000000..b8bf74a +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt +@@ -0,0 +1,6 @@ ++library= ++name=Policy ++NSS=flags=policyOnly,moduleDB ++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" ++ ++ +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt +new file mode 100644 +index 0000000..47d352e +--- /dev/null ++++ 
b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt +@@ -0,0 +1,7 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt +new file mode 100644 +index 0000000..8105750 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt +@@ -0,0 +1,8 @@ ++Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr ++MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 ++GSSAPIKexAlgorithms 
gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- ++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 ++RequiredRSASize 2048 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt +new file mode 100644 +index 0000000..952c651 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt +@@ -0,0 +1 @@ ++@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt 
b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt +new file mode 100644 +index 0000000..c69d6e1 +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt +@@ -0,0 +1,4 @@ ++ ++[fips_sect] ++tls1-prf-ems-check = 1 ++activate = 1 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt +new file mode 100644 +index 0000000..8f18d1e +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt +@@ -0,0 +1,8 @@ ++CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 ++TLS.MinProtocol = TLSv1.2 ++TLS.MaxProtocol = TLSv1.3 ++DTLS.MinProtocol = DTLSv1.2 ++DTLS.MaxProtocol = DTLSv1.2 ++SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 ++Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +diff --git a/tests/outputs/EMPTY-auth.txt b/tests/outputs/EMPTY-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FIPS-auth.txt b/tests/outputs/FIPS-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FIPS:ECDHE-ONLY-auth.txt b/tests/outputs/FIPS:ECDHE-ONLY-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt b/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FIPS:OSPP-auth.txt b/tests/outputs/FIPS:OSPP-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FUTURE-auth.txt b/tests/outputs/FUTURE-auth.txt +new file 
mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/FUTURE:AD-SUPPORT-auth.txt b/tests/outputs/FUTURE:AD-SUPPORT-auth.txt +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/outputs/GOST-ONLY-PAM-auth.txt b/tests/outputs/GOST-ONLY-PAM-auth.txt +new file mode 100644 +index 0000000..110527f +--- /dev/null ++++ b/tests/outputs/GOST-ONLY-PAM-auth.txt +@@ -0,0 +1,2 @@ ++custom/minimal_gost ++with-gost \ No newline at end of file diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt new file mode 100644 diff --git a/SPECS/crypto-policies.spec b/SPECS/crypto-policies.spec index d6cc7f7..7330dac 100644 --- a/SPECS/crypto-policies.spec +++ b/SPECS/crypto-policies.spec @@ -27,7 +27,7 @@ Name: crypto-policies Version: 20230731 -Release: 1.git94f0e2c%{?dist}.1.inferit.3 +Release: 1.git94f0e2c%{?dist}.1.inferit.4 Summary: System-wide crypto policies License: LGPLv2+ @@ -117,6 +117,7 @@ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/ mkdir -p -m 755 %{buildroot}%{_bindir} +mkdir -p -m 755 %{buildroot}/var/log/crypto-cmc/ make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config @@ -197,7 +198,10 @@ end %dir %{_sysconfdir}/crypto-policies/policies/modules/ %dir %{_datarootdir}/crypto-policies/ %dir %{_sysconfdir}/authselect/custom/sssd_gost/ +%dir %{_sysconfdir}/authselect/custom/minimal_gost/ +%dir /var/log/crypto-cmc %{_sysconfdir}/authselect/custom/sssd_gost/* +%{_sysconfdir}/authselect/custom/minimal_gost/* %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config 
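Review bot: The expected outputs added here for DEFAULT:PATCH-PAM-GOST and DEFAULT:SSSD-PAM-GOST carry no GOST-specific entries in any backend — the same blob ids recur for both modules (`9ec8420` bind, `9a04550` gnutls, `8f18d1e` opensslcnf, `47d352e` openssh and so on), the bind output still lists `ECCGOST` and `GOST` under `disable-algorithms`/`disable-ds-digests`, and the `[openssl_init]`/`engine_gost` section with `dynamic_path = /usr/lib64/engines-3/gost.so` that the previous revision emitted for PAM-GOST-opensslcnf is deleted at the top of this hunk (the matching `-@@ -0,0 +1,20 @@` → `+@@ -0,0 +1,8 @@` header change sits in the hunk just before it). Only the `-auth.txt` files differ between the three modules (`patch`, `custom/sssd_gost …`, `custom/minimal_gost`), so the generator tests would not notice if engine wiring regressed. If loading the GOST engine is now expected from another module or package, that should be stated in the module's comment (the `.pmod` itself is outside this hunk), because a `*-GOST` policy whose OpenSSL configuration no longer references the engine is easy to misread.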
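Review bot: The new `mkdir -p -m 755 %{buildroot}/var/log/crypto-cmc/` (and the `%dir /var/log/crypto-cmc` added in the `@@ -197,7 +198,10 @@` hunk that follows) hard-codes the path where the rest of the spec uses macros; `%{_localstatedir}/log/crypto-cmc` keeps it consistent. Nothing in this diff shows which component writes to that directory or as which user; with no `%attr` it is packaged root:root 0755, so a non-root writer would fail and, the directory being world-searchable, the confidentiality of anything logged there depends entirely on the writer's umask — if the logs can include generated PAM/authselect state, `%attr(0750,root,root) %dir %{_localstatedir}/log/crypto-cmc` is the safer default. The `%{_sysconfdir}/authselect/custom/minimal_gost/*` entry in that same later hunk is packaged without `%config(noreplace)`, so an admin edit to the profile is overwritten on upgrade; worth confirming that is intended (the existing sssd_gost line is packaged the same way).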
@@ -247,6 +251,9 @@ end %{_mandir}/man8/fips-finish-install.8* %changelog +* Sat Feb 10 2024 Alexey Berezhok - 20230731-1.git94f0e2c.1.inferit.4 +- Added GOST policy also added experimental PAM generator + * Thu Feb 08 2024 Arkady L. Shane - 20230731-1.git94f0e2c.1.inferit.3 - Use Recommends: openssl-gost-engine instead of Requires.