diff --git a/SOURCES/0001-Added-GOST-10.0-policy-also-added-experimental-PAM-g.patch b/SOURCES/0001-Added-GOST-10.0-policy-also-added-experimental-PAM-g.patch index 121a7ce..aee1d57 100644 --- a/SOURCES/0001-Added-GOST-10.0-policy-also-added-experimental-PAM-g.patch +++ b/SOURCES/0001-Added-GOST-10.0-policy-also-added-experimental-PAM-g.patch @@ -1,4 +1,4 @@ -From 140968b582c1eef74200a03eaeb99839be8e6ba9 Mon Sep 17 00:00:00 2001 +From 1ca39841d43485fd57090b227416acef43194599 Mon Sep 17 00:00:00 2001 From: tigro Date: Wed, 8 Jan 2025 22:11:14 +0300 Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator @@ -48,15 +48,15 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator tests/outputs/DEFAULT-auth.txt | 0 tests/outputs/DEFAULT:GOST-auth.txt | 0 tests/outputs/DEFAULT:GOST-bind.txt | 10 + - tests/outputs/DEFAULT:GOST-gnutls.txt | 105 +++++++++ + tests/outputs/DEFAULT:GOST-gnutls.txt | 104 +++++++++ tests/outputs/DEFAULT:GOST-java.txt | 4 + tests/outputs/DEFAULT:GOST-javasystem.txt | 2 + tests/outputs/DEFAULT:GOST-krb5.txt | 2 + - tests/outputs/DEFAULT:GOST-libreswan.txt | 6 + + tests/outputs/DEFAULT:GOST-libreswan.txt | 4 + tests/outputs/DEFAULT:GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:GOST-nss.txt | 6 + - tests/outputs/DEFAULT:GOST-openssh.txt | 7 + - tests/outputs/DEFAULT:GOST-opensshserver.txt | 8 + + tests/outputs/DEFAULT:GOST-nss.txt | 8 + + tests/outputs/DEFAULT:GOST-openssh.txt | 8 + + tests/outputs/DEFAULT:GOST-opensshserver.txt | 9 + tests/outputs/DEFAULT:GOST-openssl.txt | 1 + tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 + tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 ++ 
@@ -64,47 +64,53 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++++ tests/outputs/DEFAULT:PAM-GOST-auth.txt | 2 + tests/outputs/DEFAULT:PAM-GOST-bind.txt | 12 ++ - tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 +++++++++ + tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 104 +++++++++ tests/outputs/DEFAULT:PAM-GOST-java.txt | 4 + tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 2 + tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 + - tests/outputs/DEFAULT:PAM-GOST-libreswan.txt | 6 + + tests/outputs/DEFAULT:PAM-GOST-libreswan.txt | 4 + tests/outputs/DEFAULT:PAM-GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:PAM-GOST-nss.txt | 6 + - tests/outputs/DEFAULT:PAM-GOST-openssh.txt | 7 + - .../DEFAULT:PAM-GOST-opensshserver.txt | 8 + + tests/outputs/DEFAULT:PAM-GOST-nss.txt | 8 + + tests/outputs/DEFAULT:PAM-GOST-openssh.txt | 8 + + .../DEFAULT:PAM-GOST-opensshserver.txt | 9 + tests/outputs/DEFAULT:PAM-GOST-openssl.txt | 1 + .../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 + tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 8 + + .../outputs/DEFAULT:PAM-GOST-rpm-sequoia.txt | 51 +++++ + tests/outputs/DEFAULT:PAM-GOST-sequoia.txt | 51 +++++ tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt | 1 + tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 12 ++ - .../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 105 +++++++++ + .../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 104 +++++++++ tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 4 + .../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 2 + tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 + - .../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 6 + + .../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 4 + .../outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 6 + - .../DEFAULT:PATCH-PAM-GOST-openssh.txt | 7 + - .../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 8 + + tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 8 + + .../DEFAULT:PATCH-PAM-GOST-openssh.txt 
| 8 + + .../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 9 + .../DEFAULT:PATCH-PAM-GOST-openssl.txt | 1 + .../DEFAULT:PATCH-PAM-GOST-openssl_fips.txt | 4 + .../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 8 + + .../DEFAULT:PATCH-PAM-GOST-rpm-sequoia.txt | 51 +++++ + .../DEFAULT:PATCH-PAM-GOST-sequoia.txt | 51 +++++ tests/outputs/DEFAULT:SHA1-auth.txt | 0 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt | 4 + tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 12 ++ - .../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 105 +++++++++ + .../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 104 +++++++++ tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 4 + .../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 2 + tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 + - .../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 6 + + .../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 4 + .../outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt | 5 + - tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 6 + - .../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 7 + - .../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 8 + + tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 8 + + .../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 8 + + .../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 9 + .../outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt | 1 + .../DEFAULT:SSSD-PAM-GOST-openssl_fips.txt | 4 + .../DEFAULT:SSSD-PAM-GOST-opensslcnf.txt | 8 + + .../DEFAULT:SSSD-PAM-GOST-rpm-sequoia.txt | 51 +++++ + .../outputs/DEFAULT:SSSD-PAM-GOST-sequoia.txt | 51 +++++ tests/outputs/EMPTY-auth.txt | 0 tests/outputs/FIPS-auth.txt | 0 tests/outputs/FIPS:ECDHE-ONLY-auth.txt | 0 
@@ -145,7 +151,7 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator tests/outputs/LEGACY-auth.txt | 0 .../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0 tests/unit/test_cryptopolicy.py | 87 -------- - 141 files changed, 2012 insertions(+), 104 deletions(-) + 147 files changed, 2322 insertions(+), 104 deletions(-) create mode 100644 authselect_policies/minimal_gost/README create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS create mode 100644 authselect_policies/minimal_gost/dconf-db @@ -208,6 +214,8 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-rpm-sequoia.txt + create mode 100644 tests/outputs/DEFAULT:PAM-GOST-sequoia.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt @@ -222,6 +230,8 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-rpm-sequoia.txt + create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-sequoia.txt create mode 100644 tests/outputs/DEFAULT:SHA1-auth.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt 
@@ -237,6 +247,8 @@ Subject: [PATCH] Added GOST 10.0 policy also added experimental PAM generator create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-rpm-sequoia.txt + create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-sequoia.txt create mode 100644 tests/outputs/EMPTY-auth.txt create mode 100644 tests/outputs/FIPS-auth.txt create mode 100644 tests/outputs/FIPS:ECDHE-ONLY-auth.txt @@ -1690,10 +1702,10 @@ index 0000000..09fb3f1 +}; diff --git a/tests/outputs/DEFAULT:GOST-gnutls.txt b/tests/outputs/DEFAULT:GOST-gnutls.txt new file mode 100644 -index 0000000..9a04550 +index 0000000..ba8e610 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-gnutls.txt -@@ -0,0 +1,105 @@ +@@ -0,0 +1,104 @@ +[global] +override-mode = allowlist + @@ -1790,7 +1802,6 @@ index 0000000..9a04550 +tls-enabled-cipher = AES-128-CBC +tls-enabled-kx = ECDHE-RSA +tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA +tls-enabled-kx = DHE-RSA +enabled-version = TLS1.3 +enabled-version = TLS1.2 @@ -1801,13 +1812,13 @@ index 0000000..9a04550 +SYSTEM=NONE diff --git a/tests/outputs/DEFAULT:GOST-java.txt b/tests/outputs/DEFAULT:GOST-java.txt new file mode 100644 -index 0000000..ed6f632 +index 0000000..aa87af9 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-java.txt 
@@ -0,0 +1,4 @@ +jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 -+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 -+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 ++jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, TLS_RSA_WITH_AES_256_CBC_SHA256, 
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 ++jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP320r1 +jdk.tls.legacyAlgorithms= diff --git a/tests/outputs/DEFAULT:GOST-javasystem.txt b/tests/outputs/DEFAULT:GOST-javasystem.txt new file mode 100644 @@ -1827,73 +1838,75 @@ index 0000000..415dcb3 +permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 diff --git a/tests/outputs/DEFAULT:GOST-libreswan.txt b/tests/outputs/DEFAULT:GOST-libreswan.txt new file mode 100644 -index 0000000..9f2f5db +index 0000000..78f6952 --- /dev/null 
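Review bot: The regenerated `jdk.tls.disabledAlgorithms` line in DEFAULT:GOST-java.txt still carries the entry `MD5withECDSARIPEMD160withRSA`, which reads as two algorithm names fused without a separator; the unchanged `jdk.certpath.disabledAlgorithms` line has the same token. As written, neither `MD5withECDSA` nor `RIPEMD160withRSA` appears as its own entry, so this item disables neither of them by name. The likely cause is a missing comma between adjacent string literals in the generator, which is not visible in this hunk. The expected output should read `MD5withECDSA, RIPEMD160withRSA`. The DEFAULT:PAM-GOST-java.txt hunk further down pins the same fused token.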
+++ b/tests/outputs/DEFAULT:GOST-libreswan.txt -@@ -0,0 +1,6 @@ +@@ -0,0 +1,4 @@ +conn %default -+ ikev2=insist -+ pfs=yes + ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 + esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 + authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 diff --git a/tests/outputs/DEFAULT:GOST-libssh.txt b/tests/outputs/DEFAULT:GOST-libssh.txt new file mode 100644 -index 0000000..49d8251 +index 0000000..6445df9 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-libssh.txt 
@@ -0,0 +1,5 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com diff --git a/tests/outputs/DEFAULT:GOST-nss.txt b/tests/outputs/DEFAULT:GOST-nss.txt new file mode 100644 -index 0000000..b8bf74a +index 0000000..72b9c4e --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-nss.txt -@@ -0,0 +1,6 @@ +@@ -0,0 +1,8 @@ ++library=p11-kit-proxy.so ++name=p11-kit-proxy ++ ++ +library= +name=Policy +NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ ++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm/ssl:chacha20-poly1305/ssl:aes256-cbc:aes128-gcm/ssl:aes128-cbc:des-ede3-cbc/pkcs12-legacy,smime:rc2/pkcs12-legacy,smime-legacy:rc2-40-cbc/pkcs12-legacy,smime-legacy:rc2-64-cbc/pkcs12-legacy,smime-legacy:rc2-128-cbc/pkcs12-legacy,smime-legacy:SHA256:SHA384:SHA512:SHA3-256:SHA3-384:SHA3-512:SHA224:SHA3-224:SHA1/pkcs12-legacy,smime-signature,signature:ECDHE-RSA/ssl-key-exchange:ECDHE-ECDSA/ssl-key-exchange:DHE-RSA/ssl-key-exchange:RSA-PKCS/smime-key-exchange:RSA-OAEP/smime-key-exchange:DH/smime-key-exchange:ECDH/smime-key-exchange:ECDSA:ED25519:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" 
diff --git a/tests/outputs/DEFAULT:GOST-openssh.txt b/tests/outputs/DEFAULT:GOST-openssh.txt new file mode 100644 -index 0000000..47d352e +index 0000000..0b3a195 --- /dev/null 
+++ b/tests/outputs/DEFAULT:GOST-openssh.txt -@@ -0,0 +1,7 @@ +@@ -0,0 +1,8 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 
diff --git a/tests/outputs/DEFAULT:GOST-opensshserver.txt b/tests/outputs/DEFAULT:GOST-opensshserver.txt new file mode 100644 -index 0000000..8105750 +index 0000000..a8ff437 --- /dev/null 
+++ b/tests/outputs/DEFAULT:GOST-opensshserver.txt -@@ -0,0 +1,8 @@ +@@ -0,0 +1,9 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostbasedAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:GOST-openssl.txt b/tests/outputs/DEFAULT:GOST-openssl.txt new file mode 100644 -index 0000000..239566f +index 0000000..0f1c248 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-openssl.txt @@ -0,0 +1 @@ -+@SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++@SECLEVEL=2:kGOST:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 diff --git a/tests/outputs/DEFAULT:GOST-openssl_fips.txt b/tests/outputs/DEFAULT:GOST-openssl_fips.txt new file mode 100644 index 0000000..c69d6e1 @@ -1906,11 +1919,11 @@ index 0000000..c69d6e1 +activate = 1 diff --git a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt new file mode 100644 -index 0000000..6fe6291 +index 0000000..9d887a2 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-opensslcnf.txt 
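Review bot: The DEFAULT:GOST-libreswan.txt fixture no longer emits `ikev2=insist` and `pfs=yes`, so `conn %default` under this policy inherits whatever the installed libreswan uses for IKE version and perfect forward secrecy. That is only equivalent if the targeted libreswan defaults to IKEv2 with PFS, and nothing in the hunk shows which version is assumed. I would record the assumption next to the generator or in the package changelog, e.g. `# ikev2/pfs not emitted: relies on libreswan >= <VERSION> defaults (IKEv2, PFS on)`. The same two lines are dropped in the DEFAULT:PAM-GOST-libreswan.txt hunk, which runs past the end of this view.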
@@ -0,0 +1,20 @@ -+CipherString = @SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++CipherString = @SECLEVEL=2:kGOST:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = GOST2012-GOST8912-GOST8912:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 +TLS.MinProtocol = TLSv1.2 +TLS.MaxProtocol = TLSv1.3 @@ -1932,15 +1945,15 @@ index 0000000..6fe6291 +CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet diff --git a/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt new file mode 100644 -index 0000000..cec1d15 +index 0000000..3b6690f --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt @@ -0,0 +1,51 @@ +[hash_algorithms] +md5.collision_resistance = "never" +md5.second_preimage_resistance = "never" -+sha1.collision_resistance = "always" -+sha1.second_preimage_resistance = "always" ++sha1.collision_resistance = "never" ++sha1.second_preimage_resistance = "never" +ripemd160.collision_resistance = "never" +ripemd160.second_preimage_resistance = "never" +sha224.collision_resistance = "always" @@ -1962,9 +1975,9 @@ index 0000000..cec1d15 +aes192 = "never" +aes256 = "always" +twofish = "never" -+camellia128 = "always" ++camellia128 = "never" +camellia192 = "never" -+camellia256 = "always" ++camellia256 = "never" +default_disposition = "never" + +[asymmetric_algorithms] @@ -1972,10 +1985,10 @@ index 0000000..cec1d15 +rsa2048 = "always" +rsa3072 = "always" +rsa4096 = "always" -+dsa1024 = "always" -+dsa2048 = "always" -+dsa3072 = "always" -+dsa4096 = "always" ++dsa1024 = "never" ++dsa2048 = "never" ++dsa3072 = "never" ++dsa4096 = "never" +nistp256 = "always" +nistp384 = "always" +nistp521 = "always" @@ -1989,7 +2002,7 @@ index 0000000..cec1d15 +default_disposition = "never" 
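Review bot: The DEFAULT:GOST-rpm-sequoia.txt fixture flips `sha1.collision_resistance` and `sha1.second_preimage_resistance` to "never" and, in the later hunks of the same file, `camellia128`/`camellia256` and `dsa1024`–`dsa4096` to "never". The visible commit record does not say this tightening is intended. If the fixture reflects what RPM signature verification enforces (inferred, not shown here), packages or repository keys that still rely on SHA-1 or DSA would stop verifying under this policy. I would state that in the package changelog, e.g. `rpm-sequoia: SHA-1 and DSA signatures are rejected under DEFAULT:GOST`, so operators can check third-party repository keys before switching policy.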
diff --git a/tests/outputs/DEFAULT:GOST-sequoia.txt b/tests/outputs/DEFAULT:GOST-sequoia.txt new file mode 100644 -index 0000000..135997c +index 0000000..3b6690f --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-sequoia.txt @@ -0,0 +1,51 @@ @@ -2019,9 +2032,9 @@ index 0000000..135997c +aes192 = "never" +aes256 = "always" +twofish = "never" -+camellia128 = "always" ++camellia128 = "never" +camellia192 = "never" -+camellia256 = "always" ++camellia256 = "never" +default_disposition = "never" + +[asymmetric_algorithms] @@ -2073,10 +2086,10 @@ index 0000000..9ec8420 +}; diff --git a/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt new file mode 100644 -index 0000000..9a04550 +index 0000000..ba8e610 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt -@@ -0,0 +1,105 @@ +@@ -0,0 +1,104 @@ +[global] +override-mode = allowlist + @@ -2173,7 +2186,6 @@ index 0000000..9a04550 +tls-enabled-cipher = AES-128-CBC +tls-enabled-kx = ECDHE-RSA +tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA +tls-enabled-kx = DHE-RSA +enabled-version = TLS1.3 +enabled-version = TLS1.2 @@ -2184,13 +2196,13 @@ index 0000000..9a04550 +SYSTEM=NONE diff --git a/tests/outputs/DEFAULT:PAM-GOST-java.txt b/tests/outputs/DEFAULT:PAM-GOST-java.txt new file mode 100644 -index 0000000..ed6f632 +index 0000000..aa87af9 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-java.txt 
@@ -0,0 +1,4 @@ +jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 -+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 -+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 ++jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, TLS_RSA_WITH_AES_256_CBC_SHA256, 
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 ++jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP320r1 +jdk.tls.legacyAlgorithms= diff --git a/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt new file mode 100644 @@ -2210,73 +2222,75 @@ index 0000000..415dcb3 +permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 diff --git a/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt new file mode 100644 -index 0000000..9f2f5db +index 0000000..78f6952 --- /dev/null 
+++ b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt -@@ -0,0 +1,6 @@ +@@ -0,0 +1,4 @@ +conn %default -+ ikev2=insist -+ pfs=yes + ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 + esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 + authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 diff --git a/tests/outputs/DEFAULT:PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt new file mode 100644 -index 0000000..49d8251 +index 0000000..6445df9 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt 
@@ -0,0 +1,5 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com diff --git a/tests/outputs/DEFAULT:PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PAM-GOST-nss.txt new file mode 100644 -index 0000000..b8bf74a +index 0000000..72b9c4e --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-nss.txt -@@ -0,0 +1,6 @@ +@@ -0,0 +1,8 @@ ++library=p11-kit-proxy.so ++name=p11-kit-proxy ++ ++ +library= +name=Policy +NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ ++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm/ssl:chacha20-poly1305/ssl:aes256-cbc:aes128-gcm/ssl:aes128-cbc:des-ede3-cbc/pkcs12-legacy,smime:rc2/pkcs12-legacy,smime-legacy:rc2-40-cbc/pkcs12-legacy,smime-legacy:rc2-64-cbc/pkcs12-legacy,smime-legacy:rc2-128-cbc/pkcs12-legacy,smime-legacy:SHA256:SHA384:SHA512:SHA3-256:SHA3-384:SHA3-512:SHA224:SHA3-224:SHA1/pkcs12-legacy,smime-signature,signature:ECDHE-RSA/ssl-key-exchange:ECDHE-ECDSA/ssl-key-exchange:DHE-RSA/ssl-key-exchange:RSA-PKCS/smime-key-exchange:RSA-OAEP/smime-key-exchange:DH/smime-key-exchange:ECDH/smime-key-exchange:ECDSA:ED25519:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" 
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt new file mode 100644 -index 0000000..47d352e +index 0000000..0b3a195 --- /dev/null 
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt -@@ -0,0 +1,7 @@ +@@ -0,0 +1,8 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 
diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt new file mode 100644 -index 0000000..8105750 +index 0000000..a8ff437 --- /dev/null 
+++ b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt -@@ -0,0 +1,8 @@ +@@ -0,0 +1,9 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostbasedAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt new file mode 100644 -index 0000000..952c651 +index 0000000..f707ad3 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt @@ -0,0 +1 @@ -+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++@SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt new file mode 100644 index 0000000..c69d6e1 @@ -2289,11 +2303,11 @@ index 0000000..c69d6e1 +activate = 1 diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt new file mode 100644 -index 0000000..8f18d1e +index 0000000..c518a6a --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt 
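Review bot: The regenerated libreswan fixture in this hunk no longer carries `ikev2=insist` and `pfs=yes` under `conn %default`, so refusing IKEv1 and requiring PFS now depend on libreswan's built-in defaults rather than on the policy output. If the libreswan version this package targets does not default to both, the two lines should stay in the generated output. If it does, a short comment in the generator would record the dependency, e.g. `# ikev2/pfs omitted: relies on libreswan defaults`. The same removal appears in the DEFAULT:PATCH-PAM-GOST-libreswan.txt hunk further down.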
@@ -0,0 +1,8 @@ -+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++CipherString = @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 +TLS.MinProtocol = TLSv1.2 +TLS.MaxProtocol = TLSv1.3 
@@ -2301,6 +2315,120 @@ index 0000000..8f18d1e +DTLS.MaxProtocol = DTLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 +Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +diff --git a/tests/outputs/DEFAULT:PAM-GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:PAM-GOST-rpm-sequoia.txt +new file mode 100644 +index 0000000..3b6690f +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-rpm-sequoia.txt +@@ -0,0 +1,51 @@ ++[hash_algorithms] ++md5.collision_resistance = "never" ++md5.second_preimage_resistance = "never" ++sha1.collision_resistance = "never" ++sha1.second_preimage_resistance = "never" ++ripemd160.collision_resistance = "never" ++ripemd160.second_preimage_resistance = "never" ++sha224.collision_resistance = "always" ++sha224.second_preimage_resistance = "always" ++sha256.collision_resistance = "always" ++sha256.second_preimage_resistance = "always" ++sha384.collision_resistance = "always" ++sha384.second_preimage_resistance = "always" ++sha512.collision_resistance = "always" ++sha512.second_preimage_resistance = "always" ++default_disposition = "never" ++ ++[symmetric_algorithms] ++idea = "never" ++tripledes = "never" ++cast5 = "never" ++blowfish = "never" ++aes128 = "always" ++aes192 = "never" ++aes256 = "always" ++twofish = "never" ++camellia128 = "never" ++camellia192 = "never" ++camellia256 = "never" ++default_disposition = "never" ++ ++[asymmetric_algorithms] ++rsa1024 = "never" ++rsa2048 = "always" ++rsa3072 = "always" ++rsa4096 = "always" ++dsa1024 = "never" ++dsa2048 = "never" ++dsa3072 = "never" ++dsa4096 = "never" ++nistp256 = "always" ++nistp384 = "always" ++nistp521 = "always" ++cv25519 = "always" ++elgamal1024 = "never" ++elgamal2048 = "never" ++elgamal3072 = "never" ++elgamal4096 = "never" 
++brainpoolp256 = "never" ++brainpoolp512 = "never" ++default_disposition = "never" +diff --git a/tests/outputs/DEFAULT:PAM-GOST-sequoia.txt b/tests/outputs/DEFAULT:PAM-GOST-sequoia.txt +new file mode 100644 +index 0000000..3b6690f +--- /dev/null ++++ b/tests/outputs/DEFAULT:PAM-GOST-sequoia.txt +@@ -0,0 +1,51 @@ ++[hash_algorithms] ++md5.collision_resistance = "never" ++md5.second_preimage_resistance = "never" ++sha1.collision_resistance = "never" ++sha1.second_preimage_resistance = "never" ++ripemd160.collision_resistance = "never" ++ripemd160.second_preimage_resistance = "never" ++sha224.collision_resistance = "always" ++sha224.second_preimage_resistance = "always" ++sha256.collision_resistance = "always" ++sha256.second_preimage_resistance = "always" ++sha384.collision_resistance = "always" ++sha384.second_preimage_resistance = "always" ++sha512.collision_resistance = "always" ++sha512.second_preimage_resistance = "always" ++default_disposition = "never" ++ ++[symmetric_algorithms] ++idea = "never" ++tripledes = "never" ++cast5 = "never" ++blowfish = "never" ++aes128 = "always" ++aes192 = "never" ++aes256 = "always" ++twofish = "never" ++camellia128 = "never" ++camellia192 = "never" ++camellia256 = "never" ++default_disposition = "never" ++ ++[asymmetric_algorithms] ++rsa1024 = "never" ++rsa2048 = "always" ++rsa3072 = "always" ++rsa4096 = "always" ++dsa1024 = "never" ++dsa2048 = "never" ++dsa3072 = "never" ++dsa4096 = "never" ++nistp256 = "always" ++nistp384 = "always" ++nistp521 = "always" ++cv25519 = "always" ++elgamal1024 = "never" ++elgamal2048 = "never" ++elgamal3072 = "never" ++elgamal4096 = "never" ++brainpoolp256 = "never" ++brainpoolp512 = "never" ++default_disposition = "never" diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt new file mode 100644 index 0000000..dbcae14 @@ -2329,10 +2457,10 @@ index 0000000..9ec8420 +}; 
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt new file mode 100644 -index 0000000..9a04550 +index 0000000..ba8e610 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt -@@ -0,0 +1,105 @@ +@@ -0,0 +1,104 @@ +[global] +override-mode = allowlist + @@ -2429,7 +2557,6 @@ index 0000000..9a04550 +tls-enabled-cipher = AES-128-CBC +tls-enabled-kx = ECDHE-RSA +tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA +tls-enabled-kx = DHE-RSA +enabled-version = TLS1.3 +enabled-version = TLS1.2 @@ -2440,13 +2567,13 @@ index 0000000..9a04550 +SYSTEM=NONE diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt new file mode 100644 -index 0000000..ed6f632 +index 0000000..aa87af9 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt 
@@ -0,0 +1,4 @@ +jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 -+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 -+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 ++jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, TLS_RSA_WITH_AES_256_CBC_SHA256, 
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 ++jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP320r1 +jdk.tls.legacyAlgorithms= diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt new file mode 100644 @@ -2466,73 +2593,75 @@ index 0000000..415dcb3 +permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt new file mode 100644 -index 0000000..9f2f5db +index 0000000..78f6952 --- /dev/null 
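Review bot: The added `jdk.tls.disabledAlgorithms` line still contains the fused entry `MD5withECDSARIPEMD160withRSA`, which names no algorithm, so neither `MD5withECDSA` nor `RIPEMD160withRSA` is listed on its own. The unchanged `jdk.certpath.disabledAlgorithms` line above it has the same token. This looks like a missing `, ` where the generator joins two strings; once that is fixed the fixture should read `MD5withECDSA, RIPEMD160withRSA`. The DEFAULT:SSSD-PAM-GOST-java.txt hunk below shows the same token.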
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt -@@ -0,0 +1,6 @@ +@@ -0,0 +1,4 @@ +conn %default -+ ikev2=insist -+ pfs=yes + ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 + esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 + authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt new file mode 100644 -index 0000000..49d8251 +index 0000000..6445df9 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt 
@@ -0,0 +1,5 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt new file mode 100644 -index 0000000..b8bf74a +index 0000000..72b9c4e --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt -@@ -0,0 +1,6 @@ +@@ -0,0 +1,8 @@ ++library=p11-kit-proxy.so ++name=p11-kit-proxy ++ ++ +library= +name=Policy +NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ ++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm/ssl:chacha20-poly1305/ssl:aes256-cbc:aes128-gcm/ssl:aes128-cbc:des-ede3-cbc/pkcs12-legacy,smime:rc2/pkcs12-legacy,smime-legacy:rc2-40-cbc/pkcs12-legacy,smime-legacy:rc2-64-cbc/pkcs12-legacy,smime-legacy:rc2-128-cbc/pkcs12-legacy,smime-legacy:SHA256:SHA384:SHA512:SHA3-256:SHA3-384:SHA3-512:SHA224:SHA3-224:SHA1/pkcs12-legacy,smime-signature,signature:ECDHE-RSA/ssl-key-exchange:ECDHE-ECDSA/ssl-key-exchange:DHE-RSA/ssl-key-exchange:RSA-PKCS/smime-key-exchange:RSA-OAEP/smime-key-exchange:DH/smime-key-exchange:ECDH/smime-key-exchange:ECDSA:ED25519:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" 
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt new file mode 100644 -index 0000000..47d352e +index 0000000..0b3a195 --- /dev/null 
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt -@@ -0,0 +1,7 @@ +@@ -0,0 +1,8 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt new file mode 100644 -index 0000000..8105750 +index 0000000..a8ff437 --- /dev/null 
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt -@@ -0,0 +1,8 @@ +@@ -0,0 +1,9 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostbasedAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt new file mode 100644 -index 0000000..952c651 +index 0000000..f707ad3 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt @@ -0,0 +1 @@ -+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++@SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt new file mode 100644 index 0000000..c69d6e1 @@ -2545,11 +2674,11 @@ index 0000000..c69d6e1 +activate = 1 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt new file mode 100644 -index 0000000..8f18d1e +index 0000000..c518a6a --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt 
@@ -0,0 +1,8 @@ -+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++CipherString = @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 +TLS.MinProtocol = TLSv1.2 +TLS.MaxProtocol = TLSv1.3 
@@ -2557,6 +2686,120 @@ index 0000000..8f18d1e +DTLS.MaxProtocol = DTLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 +Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-rpm-sequoia.txt +new file mode 100644 +index 0000000..3b6690f +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-rpm-sequoia.txt +@@ -0,0 +1,51 @@ ++[hash_algorithms] ++md5.collision_resistance = "never" ++md5.second_preimage_resistance = "never" ++sha1.collision_resistance = "never" ++sha1.second_preimage_resistance = "never" ++ripemd160.collision_resistance = "never" ++ripemd160.second_preimage_resistance = "never" ++sha224.collision_resistance = "always" ++sha224.second_preimage_resistance = "always" ++sha256.collision_resistance = "always" ++sha256.second_preimage_resistance = "always" ++sha384.collision_resistance = "always" ++sha384.second_preimage_resistance = "always" ++sha512.collision_resistance = "always" ++sha512.second_preimage_resistance = "always" ++default_disposition = "never" ++ ++[symmetric_algorithms] ++idea = "never" ++tripledes = "never" ++cast5 = "never" ++blowfish = "never" ++aes128 = "always" ++aes192 = "never" ++aes256 = "always" ++twofish = "never" ++camellia128 = "never" ++camellia192 = "never" ++camellia256 = "never" ++default_disposition = "never" ++ ++[asymmetric_algorithms] ++rsa1024 = "never" ++rsa2048 = "always" ++rsa3072 = "always" ++rsa4096 = "always" ++dsa1024 = "never" ++dsa2048 = "never" ++dsa3072 = "never" ++dsa4096 = "never" ++nistp256 = "always" ++nistp384 = "always" ++nistp521 = "always" ++cv25519 = "always" ++elgamal1024 = "never" ++elgamal2048 = "never" ++elgamal3072 = "never" 
++elgamal4096 = "never" ++brainpoolp256 = "never" ++brainpoolp512 = "never" ++default_disposition = "never" +diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-sequoia.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-sequoia.txt +new file mode 100644 +index 0000000..3b6690f +--- /dev/null ++++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-sequoia.txt +@@ -0,0 +1,51 @@ ++[hash_algorithms] ++md5.collision_resistance = "never" ++md5.second_preimage_resistance = "never" ++sha1.collision_resistance = "never" ++sha1.second_preimage_resistance = "never" ++ripemd160.collision_resistance = "never" ++ripemd160.second_preimage_resistance = "never" ++sha224.collision_resistance = "always" ++sha224.second_preimage_resistance = "always" ++sha256.collision_resistance = "always" ++sha256.second_preimage_resistance = "always" ++sha384.collision_resistance = "always" ++sha384.second_preimage_resistance = "always" ++sha512.collision_resistance = "always" ++sha512.second_preimage_resistance = "always" ++default_disposition = "never" ++ ++[symmetric_algorithms] ++idea = "never" ++tripledes = "never" ++cast5 = "never" ++blowfish = "never" ++aes128 = "always" ++aes192 = "never" ++aes256 = "always" ++twofish = "never" ++camellia128 = "never" ++camellia192 = "never" ++camellia256 = "never" ++default_disposition = "never" ++ ++[asymmetric_algorithms] ++rsa1024 = "never" ++rsa2048 = "always" ++rsa3072 = "always" ++rsa4096 = "always" ++dsa1024 = "never" ++dsa2048 = "never" ++dsa3072 = "never" ++dsa4096 = "never" ++nistp256 = "always" ++nistp384 = "always" ++nistp521 = "always" ++cv25519 = "always" ++elgamal1024 = "never" ++elgamal2048 = "never" ++elgamal3072 = "never" ++elgamal4096 = "never" ++brainpoolp256 = "never" ++brainpoolp512 = "never" ++default_disposition = "never" diff --git a/tests/outputs/DEFAULT:SHA1-auth.txt b/tests/outputs/DEFAULT:SHA1-auth.txt new file mode 100644 index 0000000..e69de29 @@ -2591,10 +2834,10 @@ index 0000000..9ec8420 +}; 
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt new file mode 100644 -index 0000000..9a04550 +index 0000000..ba8e610 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt -@@ -0,0 +1,105 @@ +@@ -0,0 +1,104 @@ +[global] +override-mode = allowlist + @@ -2691,7 +2934,6 @@ index 0000000..9a04550 +tls-enabled-cipher = AES-128-CBC +tls-enabled-kx = ECDHE-RSA +tls-enabled-kx = ECDHE-ECDSA -+tls-enabled-kx = RSA +tls-enabled-kx = DHE-RSA +enabled-version = TLS1.3 +enabled-version = TLS1.2 @@ -2702,13 +2944,13 @@ index 0000000..9a04550 +SYSTEM=NONE diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt new file mode 100644 -index 0000000..ed6f632 +index 0000000..aa87af9 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt 
@@ -0,0 +1,4 @@ +jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5 -+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 -+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1 ++jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, TLS_RSA_WITH_AES_256_CBC_SHA256, 
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5 ++jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP320r1 +jdk.tls.legacyAlgorithms= diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt new file mode 100644 @@ -2728,73 +2970,75 @@ index 0000000..415dcb3 +permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt new file mode 100644 -index 0000000..9f2f5db +index 0000000..78f6952 --- /dev/null 
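Review bot: The token `MD5withECDSARIPEMD160withRSA` in the new `jdk.tls.disabledAlgorithms` value looks like two algorithm names fused without the `, ` separator, and this rebase carries it forward into the expected output. The same token is in the unchanged `jdk.certpath.disabledAlgorithms` line above it. As written, the entry names no real algorithm, so `MD5withECDSA` and `RIPEMD160withRSA` are presumably not disabled by this list, and the TLS list has no bare `MD5` entry to fall back on. The fixture should read `MD5withDSA, MD5withECDSA, RIPEMD160withRSA, RIPEMD160withECDSA`. The likely cause is a missing comma in the Java generator's algorithm table, which is not visible in this hunk.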
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt -@@ -0,0 +1,6 @@ +@@ -0,0 +1,4 @@ +conn %default -+ ikev2=insist -+ pfs=yes + ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 + esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 + authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt new file mode 100644 -index 0000000..49d8251 +index 0000000..6445df9 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt 
@@ -0,0 +1,5 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt new file mode 100644 -index 0000000..b8bf74a +index 0000000..72b9c4e --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt -@@ -0,0 +1,6 @@ +@@ -0,0 +1,8 @@ ++library=p11-kit-proxy.so ++name=p11-kit-proxy ++ ++ +library= +name=Policy +NSS=flags=policyOnly,moduleDB -+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" -+ -+ ++config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm/ssl:chacha20-poly1305/ssl:aes256-cbc:aes128-gcm/ssl:aes128-cbc:des-ede3-cbc/pkcs12-legacy,smime:rc2/pkcs12-legacy,smime-legacy:rc2-40-cbc/pkcs12-legacy,smime-legacy:rc2-64-cbc/pkcs12-legacy,smime-legacy:rc2-128-cbc/pkcs12-legacy,smime-legacy:SHA256:SHA384:SHA512:SHA3-256:SHA3-384:SHA3-512:SHA224:SHA3-224:SHA1/pkcs12-legacy,smime-signature,signature:ECDHE-RSA/ssl-key-exchange:ECDHE-ECDSA/ssl-key-exchange:DHE-RSA/ssl-key-exchange:RSA-PKCS/smime-key-exchange:RSA-OAEP/smime-key-exchange:DH/smime-key-exchange:ECDH/smime-key-exchange:ECDSA:ED25519:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" 
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt new file mode 100644 -index 0000000..47d352e +index 0000000..0b3a195 --- /dev/null 
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt -@@ -0,0 +1,7 @@ +@@ -0,0 +1,8 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt new file mode 100644 -index 0000000..8105750 +index 0000000..a8ff437 --- /dev/null 
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt -@@ -0,0 +1,8 @@ +@@ -0,0 +1,9 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com ++HostbasedAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt new file mode 100644 -index 0000000..952c651 +index 0000000..f707ad3 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt @@ -0,0 +1 @@ -+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++@SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt new file mode 100644 index 0000000..c69d6e1 @@ -2807,11 +3051,11 @@ index 0000000..c69d6e1 +activate = 1 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt new file mode 100644 -index 0000000..8f18d1e +index 0000000..c518a6a --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt 
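Review bot: The regenerated libreswan fixture at the start of this hunk no longer contains `ikev2=insist` and `pfs=yes`, so the test stops pinning IKEv2-only negotiation and perfect forward secrecy for `conn %default`. Whether the packaged libreswan enforces both by default cannot be seen from here; if it does not, connections under this policy may negotiate with weaker settings than before. Either keep the two lines in the expected output, or record in the commit message which libreswan version makes them redundant, e.g. `libreswan: ikev2=insist/pfs=yes dropped, default since <libreswan-version>`.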
@@ -0,0 +1,8 @@ -+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 ++CipherString = @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 +TLS.MinProtocol = TLSv1.2 +TLS.MaxProtocol = TLSv1.3 
@@ -2819,6 +3063,120 @@ index 0000000..8f18d1e +DTLS.MaxProtocol = DTLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 +Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-rpm-sequoia.txt +new file mode 100644 +index 0000000..3b6690f +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-rpm-sequoia.txt +@@ -0,0 +1,51 @@ ++[hash_algorithms] ++md5.collision_resistance = "never" ++md5.second_preimage_resistance = "never" ++sha1.collision_resistance = "never" ++sha1.second_preimage_resistance = "never" ++ripemd160.collision_resistance = "never" ++ripemd160.second_preimage_resistance = "never" ++sha224.collision_resistance = "always" ++sha224.second_preimage_resistance = "always" ++sha256.collision_resistance = "always" ++sha256.second_preimage_resistance = "always" ++sha384.collision_resistance = "always" ++sha384.second_preimage_resistance = "always" ++sha512.collision_resistance = "always" ++sha512.second_preimage_resistance = "always" ++default_disposition = "never" ++ ++[symmetric_algorithms] ++idea = "never" ++tripledes = "never" ++cast5 = "never" ++blowfish = "never" ++aes128 = "always" ++aes192 = "never" ++aes256 = "always" ++twofish = "never" ++camellia128 = "never" ++camellia192 = "never" ++camellia256 = "never" ++default_disposition = "never" ++ ++[asymmetric_algorithms] ++rsa1024 = "never" ++rsa2048 = "always" ++rsa3072 = "always" ++rsa4096 = "always" ++dsa1024 = "never" ++dsa2048 = "never" ++dsa3072 = "never" ++dsa4096 = "never" ++nistp256 = "always" ++nistp384 = "always" ++nistp521 = "always" ++cv25519 = "always" ++elgamal1024 = "never" ++elgamal2048 = "never" ++elgamal3072 = "never" ++elgamal4096 = 
"never" ++brainpoolp256 = "never" ++brainpoolp512 = "never" ++default_disposition = "never" +diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-sequoia.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-sequoia.txt +new file mode 100644 +index 0000000..3b6690f +--- /dev/null ++++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-sequoia.txt +@@ -0,0 +1,51 @@ ++[hash_algorithms] ++md5.collision_resistance = "never" ++md5.second_preimage_resistance = "never" ++sha1.collision_resistance = "never" ++sha1.second_preimage_resistance = "never" ++ripemd160.collision_resistance = "never" ++ripemd160.second_preimage_resistance = "never" ++sha224.collision_resistance = "always" ++sha224.second_preimage_resistance = "always" ++sha256.collision_resistance = "always" ++sha256.second_preimage_resistance = "always" ++sha384.collision_resistance = "always" ++sha384.second_preimage_resistance = "always" ++sha512.collision_resistance = "always" ++sha512.second_preimage_resistance = "always" ++default_disposition = "never" ++ ++[symmetric_algorithms] ++idea = "never" ++tripledes = "never" ++cast5 = "never" ++blowfish = "never" ++aes128 = "always" ++aes192 = "never" ++aes256 = "always" ++twofish = "never" ++camellia128 = "never" ++camellia192 = "never" ++camellia256 = "never" ++default_disposition = "never" ++ ++[asymmetric_algorithms] ++rsa1024 = "never" ++rsa2048 = "always" ++rsa3072 = "always" ++rsa4096 = "always" ++dsa1024 = "never" ++dsa2048 = "never" ++dsa3072 = "never" ++dsa4096 = "never" ++nistp256 = "always" ++nistp384 = "always" ++nistp521 = "always" ++cv25519 = "always" ++elgamal1024 = "never" ++elgamal2048 = "never" ++elgamal3072 = "never" ++elgamal4096 = "never" ++brainpoolp256 = "never" ++brainpoolp512 = "never" ++default_disposition = "never" diff --git a/tests/outputs/EMPTY-auth.txt b/tests/outputs/EMPTY-auth.txt new file mode 100644 index 0000000..e69de29