From 856e52f120f6e4fa0a6ef2f134970cfe59cce6b2 Mon Sep 17 00:00:00 2001 From: tigro Date: Mon, 13 May 2024 17:06:55 +0300 Subject: [PATCH] Added GOST policy also added experimental PAM generator --- Makefile | 13 ++ authselect_policies/minimal_gost/README | 84 ++++++++ authselect_policies/minimal_gost/REQUIREMENTS | 0 authselect_policies/minimal_gost/dconf-db | 3 + authselect_policies/minimal_gost/dconf-locks | 2 + .../minimal_gost/fingerprint-auth | 16 ++ .../minimal_gost/nsswitch.conf | 14 ++ .../minimal_gost/password-auth | 15 ++ authselect_policies/minimal_gost/postlogin | 4 + .../minimal_gost/smartcard-auth | 16 ++ authselect_policies/minimal_gost/system-auth | 15 ++ authselect_policies/sssd_gost/README | 145 +++++++++++++ authselect_policies/sssd_gost/REQUIREMENTS | 29 +++ authselect_policies/sssd_gost/dconf-db | 9 + authselect_policies/sssd_gost/dconf-locks | 4 + .../sssd_gost/fingerprint-auth | 28 +++ authselect_policies/sssd_gost/nsswitch.conf | 7 + authselect_policies/sssd_gost/password-auth | 39 ++++ authselect_policies/sssd_gost/postlogin | 4 + authselect_policies/sssd_gost/smartcard-auth | 26 +++ authselect_policies/sssd_gost/system-auth | 46 ++++ policies/GOST-ONLY-PAM.pol | 29 +++ policies/GOST-ONLY.pol | 28 +++ policies/modules/GOST.pmod | 18 ++ policies/modules/PAM-GOST.pmod | 3 + policies/modules/PATCH-PAM-GOST.pmod | 3 + policies/modules/SSSD-PAM-GOST.pmod | 3 + python/build-crypto-policies.py | 8 +- python/cryptopolicies/alg_lists.py | 19 +- python/cryptopolicies/cryptopolicies.py | 7 +- python/policygenerators/__init__.py | 2 + python/policygenerators/auth.py | 36 ++++ .../fedora-crypto-policies.code-workspace | 0 python/policygenerators/openssl.py | 23 ++ scripts/auth_apply.sh | 204 ++++++++++++++++++ tests/alternative-policies/GOST-ONLY.pol | 30 +++ tests/alternative-policies/modules/GOST.pmod | 18 ++ tests/gnutls.pl | 2 +- tests/java.pl | 2 +- tests/nss.py | 2 +- tests/openssl.pl | 2 +- tests/outputs/DEFAULT-auth.txt | 0 tests/outputs/DEFAULT:GOST-auth.txt | 0 tests/outputs/DEFAULT:GOST-bind.txt | 10 + tests/outputs/DEFAULT:GOST-gnutls.txt | 105 +++++++++ tests/outputs/DEFAULT:GOST-java.txt | 3 + tests/outputs/DEFAULT:GOST-javasystem.txt | 1 + tests/outputs/DEFAULT:GOST-krb5.txt | 2 + tests/outputs/DEFAULT:GOST-libreswan.txt | 6 + tests/outputs/DEFAULT:GOST-libssh.txt | 5 + tests/outputs/DEFAULT:GOST-nss.txt | 6 + tests/outputs/DEFAULT:GOST-openssh.txt | 7 + tests/outputs/DEFAULT:GOST-opensshserver.txt | 8 + tests/outputs/DEFAULT:GOST-openssl.txt | 1 + tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 + tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 ++ tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 +++++ tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++++ tests/outputs/DEFAULT:PAM-GOST-auth.txt | 2 + tests/outputs/DEFAULT:PAM-GOST-bind.txt | 12 ++ tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 +++++++++ tests/outputs/DEFAULT:PAM-GOST-java.txt | 3 + tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 1 + tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 + tests/outputs/DEFAULT:PAM-GOST-libreswan.txt | 6 + tests/outputs/DEFAULT:PAM-GOST-libssh.txt | 5 + tests/outputs/DEFAULT:PAM-GOST-nss.txt | 6 + tests/outputs/DEFAULT:PAM-GOST-openssh.txt | 7 + .../DEFAULT:PAM-GOST-opensshserver.txt | 8 + tests/outputs/DEFAULT:PAM-GOST-openssl.txt | 1 + .../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 + tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 8 + tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt | 1 + tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 12 ++ .../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 105 +++++++++ tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 3 + .../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 1 + tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 + .../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 6 + .../outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt | 5 + tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 6 + .../DEFAULT:PATCH-PAM-GOST-openssh.txt | 7 + .../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 8 + .../DEFAULT:PATCH-PAM-GOST-openssl.txt | 1 + .../DEFAULT:PATCH-PAM-GOST-openssl_fips.txt | 4 + .../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 8 + tests/outputs/DEFAULT:SHA1-auth.txt | 0 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt | 4 + tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 12 ++ .../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 105 +++++++++ tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 3 + .../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 1 + tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 + .../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 6 + .../outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt | 5 + tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 6 + .../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 7 + .../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 8 + .../outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt | 1 + .../DEFAULT:SSSD-PAM-GOST-openssl_fips.txt | 4 + .../DEFAULT:SSSD-PAM-GOST-opensslcnf.txt | 8 + tests/outputs/EMPTY-auth.txt | 0 tests/outputs/FIPS-auth.txt | 0 tests/outputs/FIPS:ECDHE-ONLY-auth.txt | 0 tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt | 0 tests/outputs/FIPS:OSPP-auth.txt | 0 tests/outputs/FUTURE-auth.txt | 0 tests/outputs/FUTURE:AD-SUPPORT-auth.txt | 0 tests/outputs/GOST-ONLY-PAM-auth.txt | 2 + tests/outputs/GOST-ONLY-PAM-bind.txt | 20 ++ tests/outputs/GOST-ONLY-PAM-gnutls.txt | 13 ++ tests/outputs/GOST-ONLY-PAM-java.txt | 3 + tests/outputs/GOST-ONLY-PAM-javasystem.txt | 1 + tests/outputs/GOST-ONLY-PAM-krb5.txt | 2 + tests/outputs/GOST-ONLY-PAM-libreswan.txt | 2 + tests/outputs/GOST-ONLY-PAM-libssh.txt | 0 tests/outputs/GOST-ONLY-PAM-nss.txt | 6 + tests/outputs/GOST-ONLY-PAM-openssh.txt | 2 + tests/outputs/GOST-ONLY-PAM-opensshserver.txt | 2 + tests/outputs/GOST-ONLY-PAM-openssl.txt | 1 + tests/outputs/GOST-ONLY-PAM-openssl_fips.txt | 4 + tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 ++ tests/outputs/GOST-ONLY-auth.txt | 0 tests/outputs/GOST-ONLY-bind.txt | 20 ++ tests/outputs/GOST-ONLY-gnutls.txt | 13 ++ tests/outputs/GOST-ONLY-java.txt | 3 + tests/outputs/GOST-ONLY-javasystem.txt | 1 + tests/outputs/GOST-ONLY-krb5.txt | 2 + tests/outputs/GOST-ONLY-libreswan.txt | 2 + tests/outputs/GOST-ONLY-libssh.txt | 0 tests/outputs/GOST-ONLY-nss.txt | 6 + tests/outputs/GOST-ONLY-openssh.txt | 2 + tests/outputs/GOST-ONLY-opensshserver.txt | 2 + tests/outputs/GOST-ONLY-openssl.txt | 1 + tests/outputs/GOST-ONLY-openssl_fips.txt | 4 + tests/outputs/GOST-ONLY-opensslcnf.txt | 18 ++ tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 +++++ tests/outputs/GOST-ONLY-sequoia.txt | 51 +++++ tests/outputs/LEGACY-auth.txt | 0 .../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0 140 files changed, 1991 insertions(+), 10 deletions(-) create mode 100644 authselect_policies/minimal_gost/README create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS create mode 100644 authselect_policies/minimal_gost/dconf-db create mode 100644 authselect_policies/minimal_gost/dconf-locks create mode 100644 authselect_policies/minimal_gost/fingerprint-auth create mode 100644 authselect_policies/minimal_gost/nsswitch.conf create mode 100644 authselect_policies/minimal_gost/password-auth create mode 100644 authselect_policies/minimal_gost/postlogin create mode 100644 authselect_policies/minimal_gost/smartcard-auth create mode 100644 authselect_policies/minimal_gost/system-auth create mode 100644 authselect_policies/sssd_gost/README create mode 100644 authselect_policies/sssd_gost/REQUIREMENTS create mode 100644 authselect_policies/sssd_gost/dconf-db create mode 100644 authselect_policies/sssd_gost/dconf-locks create mode 100644 authselect_policies/sssd_gost/fingerprint-auth create mode 100644 authselect_policies/sssd_gost/nsswitch.conf create mode 100644 authselect_policies/sssd_gost/password-auth create mode 100644 authselect_policies/sssd_gost/postlogin create mode 100644 authselect_policies/sssd_gost/smartcard-auth create mode 100644 authselect_policies/sssd_gost/system-auth create mode 100644 policies/GOST-ONLY-PAM.pol create mode 100644 policies/GOST-ONLY.pol create mode 100644 policies/modules/GOST.pmod create mode 100644 policies/modules/PAM-GOST.pmod create mode 100644 policies/modules/PATCH-PAM-GOST.pmod create mode 100644 policies/modules/SSSD-PAM-GOST.pmod create mode 100644 python/policygenerators/auth.py create mode 100644 python/policygenerators/fedora-crypto-policies.code-workspace create mode 100755 scripts/auth_apply.sh create mode 100644 tests/alternative-policies/GOST-ONLY.pol create mode 100644 tests/alternative-policies/modules/GOST.pmod create mode 100644 tests/outputs/DEFAULT-auth.txt create mode 100644 tests/outputs/DEFAULT:GOST-auth.txt create mode 100644 tests/outputs/DEFAULT:GOST-bind.txt create mode 100644 tests/outputs/DEFAULT:GOST-gnutls.txt create mode 100644 tests/outputs/DEFAULT:GOST-java.txt create mode 100644 tests/outputs/DEFAULT:GOST-javasystem.txt create mode 100644 tests/outputs/DEFAULT:GOST-krb5.txt create mode 100644 tests/outputs/DEFAULT:GOST-libreswan.txt create mode 100644 tests/outputs/DEFAULT:GOST-libssh.txt create mode 100644 tests/outputs/DEFAULT:GOST-nss.txt create mode 100644 tests/outputs/DEFAULT:GOST-openssh.txt create mode 100644 tests/outputs/DEFAULT:GOST-opensshserver.txt create mode 100644 tests/outputs/DEFAULT:GOST-openssl.txt create mode 100644 tests/outputs/DEFAULT:GOST-openssl_fips.txt create mode 100644 tests/outputs/DEFAULT:GOST-opensslcnf.txt create mode 100644 tests/outputs/DEFAULT:GOST-rpm-sequoia.txt create mode 100644 tests/outputs/DEFAULT:GOST-sequoia.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-auth.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-bind.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-gnutls.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-java.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-javasystem.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-krb5.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libreswan.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libssh.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-nss.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssh.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt create mode 100644 tests/outputs/DEFAULT:SHA1-auth.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt create mode 100644 tests/outputs/EMPTY-auth.txt create mode 100644 tests/outputs/FIPS-auth.txt create mode 100644 tests/outputs/FIPS:ECDHE-ONLY-auth.txt create mode 100644 tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt create mode 100644 tests/outputs/FIPS:OSPP-auth.txt create mode 100644 tests/outputs/FUTURE-auth.txt create mode 100644 tests/outputs/FUTURE:AD-SUPPORT-auth.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-auth.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-bind.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-gnutls.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-java.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-javasystem.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-krb5.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-libreswan.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-libssh.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-nss.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-openssh.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-opensshserver.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl_fips.txt create mode 100644 tests/outputs/GOST-ONLY-PAM-opensslcnf.txt create mode 100644 tests/outputs/GOST-ONLY-auth.txt create mode 100644 tests/outputs/GOST-ONLY-bind.txt create mode 100644 tests/outputs/GOST-ONLY-gnutls.txt create mode 100644 tests/outputs/GOST-ONLY-java.txt create mode 100644 tests/outputs/GOST-ONLY-javasystem.txt create mode 100644 tests/outputs/GOST-ONLY-krb5.txt create mode 100644 tests/outputs/GOST-ONLY-libreswan.txt create mode 100644 tests/outputs/GOST-ONLY-libssh.txt create mode 100644 tests/outputs/GOST-ONLY-nss.txt create mode 100644 tests/outputs/GOST-ONLY-openssh.txt create mode 100644 tests/outputs/GOST-ONLY-opensshserver.txt create mode 100644 tests/outputs/GOST-ONLY-openssl.txt create mode 100644 tests/outputs/GOST-ONLY-openssl_fips.txt create mode 100644 tests/outputs/GOST-ONLY-opensslcnf.txt create mode 100644 tests/outputs/GOST-ONLY-rpm-sequoia.txt create mode 100644 tests/outputs/GOST-ONLY-sequoia.txt create mode 100644 tests/outputs/LEGACY-auth.txt create mode 100644 tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt diff --git a/Makefile b/Makefile index 5fb2a61..2abbb9c 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,10 @@ VERSION=$(shell git log -1|grep commit|cut -f 2 -d ' '|head -c 7) DIR?=/usr/share/crypto-policies +DIRSCR?=/usr/share/crypto-policies-scripts BINDIR?=/usr/bin MANDIR?=/usr/share/man CONFDIR?=/etc/crypto-policies +AUTHSELECTDIR?=/etc/authselect/custom DESTDIR?= MAN7PAGES=crypto-policies.7 MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8 @@ -27,10 +29,14 @@ install: $(MANPAGES) mkdir -p $(DESTDIR)$(MANDIR)/man7 mkdir -p $(DESTDIR)$(MANDIR)/man8 mkdir -p $(DESTDIR)$(BINDIR) + mkdir -p $(DESTDIR)$(AUTHSELECTDIR) + install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) mkdir -p $(DESTDIR)$(DIR)/ + mkdir -p $(DESTDIR)$(DIRSCR)/ + install -p -m 755 scripts/auth_apply.sh $(DESTDIR)$(DIRSCR) install -p -m 644 default-config $(DESTDIR)$(DIR) install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR) for f in $$(find output -name '*.txt') ; do d=$$(dirname $$f | cut -f 2- -d '/') ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done @@ -38,6 +44,7 @@ install: $(MANPAGES) for f in $$(find python -name '*.py') ; do d=$$(dirname $$f) ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done chmod 755 $(DESTDIR)$(DIR)/python/update-crypto-policies.py chmod 755 $(DESTDIR)$(DIR)/python/build-crypto-policies.py + for f in $$(find authselect_policies -name '*' -type f,l) ; do d=$$(basename $$(dirname $$f)) ; install -p -m 644 -D -t $(DESTDIR)$(AUTHSELECTDIR)/$$d $$f ; done runflake8: @find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8 @@ -58,6 +65,11 @@ check: python/build-crypto-policies.py --strict --policy FIPS:NO-ENFORCE-EMS --test --flat policies tests/outputs python/build-crypto-policies.py --strict --policy FUTURE:AD-SUPPORT --test --flat policies tests/outputs python/build-crypto-policies.py --strict --policy LEGACY:AD-SUPPORT-LEGACY --test --flat policies tests/outputs + python/build-crypto-policies.py --strict --policy DEFAULT:GOST --test --flat policies tests/outputs + python/build-crypto-policies.py --strict --policy GOST-ONLY --test --flat policies tests/outputs + python/build-crypto-policies.py --strict --policy DEFAULT:PAM-GOST --test --flat policies tests/outputs + python/build-crypto-policies.py --strict --policy DEFAULT:PATCH-PAM-GOST --test --flat policies tests/outputs + python/build-crypto-policies.py --strict --policy DEFAULT:SSSD-PAM-GOST --test --flat policies tests/outputs tests/openssl.pl tests/gnutls.pl tests/nss.py @@ -113,6 +125,7 @@ diff-outputs: python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies output/current || true python/build-crypto-policies.py --policy FIPS:NO-ENFORCE-EMS --test --flat policies output/current || true python/build-crypto-policies.py --policy LEGACY:AD-SUPPORT --test --flat policies output/current || true + python/build-crypto-policies.py --policy DEFAULT:GOST --test --flat policies output/current || true $(DIFFTOOL) tests/outputs output/current clean: diff --git a/authselect_policies/minimal_gost/README b/authselect_policies/minimal_gost/README new file mode 100644 index 0000000..9839669 --- /dev/null +++ b/authselect_policies/minimal_gost/README @@ -0,0 +1,84 @@ +Local users only for minimal installations and gost support +=========================================================== + +Selecting this profile will enable local files as the source of identity +and authentication providers. + +This profile can be used on systems that require minimal installation to +save disk and memory space. It serves only local users and groups directly +from system files instead of going through other authentication providers. +Therefore SSSD, winbind and fprintd packages can be safely removed. + +AVAILABLE OPTIONAL FEATURES +--------------------------- + +without-nullok:: + Do not add nullok parameter to pam_unix. + +with-gost:: + Use GOST hash for shadow password instead of sha512 + +with-silent-lastlog:: + Do not produce pam_lastlog message during login. + +DISABLE SPECIFIC NSSWITCH DATABASES +----------------------------------- + +Normally, nsswitch databases set by the profile overwrites values set in +user-nsswitch.conf. The following options can force authselect to +ignore value set by the profile and use the one set in user-nsswitch.conf +instead. + +with-custom-aliases:: +Ignore "aliases" map set by the profile. + +with-custom-automount:: +Ignore "automount" map set by the profile. + +with-custom-ethers:: +Ignore "ethers" map set by the profile. + +with-custom-group:: +Ignore "group" map set by the profile. + +with-custom-hosts:: +Ignore "hosts" map set by the profile. + +with-custom-initgroups:: +Ignore "initgroups" map set by the profile. + +with-custom-netgroup:: +Ignore "netgroup" map set by the profile. + +with-custom-networks:: +Ignore "networks" map set by the profile. + +with-custom-passwd:: +Ignore "passwd" map set by the profile. + +with-custom-protocols:: +Ignore "protocols" map set by the profile. + +with-custom-publickey:: +Ignore "publickey" map set by the profile. + +with-custom-rpc:: +Ignore "rpc" map set by the profile. + +with-custom-services:: +Ignore "services" map set by the profile. + +with-custom-shadow:: +Ignore "shadow" map set by the profile. + +EXAMPLES +-------- + +* Enable minimal profile + + authselect select minimal + +SEE ALSO +-------- +* man passwd(5) +* man group(5) diff --git a/authselect_policies/minimal_gost/REQUIREMENTS b/authselect_policies/minimal_gost/REQUIREMENTS new file mode 100644 index 0000000..e69de29 diff --git a/authselect_policies/minimal_gost/dconf-db b/authselect_policies/minimal_gost/dconf-db new file mode 100644 index 0000000..a3868b7 --- /dev/null +++ b/authselect_policies/minimal_gost/dconf-db @@ -0,0 +1,3 @@ +[org/gnome/login-screen] +enable-smartcard-authentication=false +enable-fingerprint-authentication=false diff --git a/authselect_policies/minimal_gost/dconf-locks b/authselect_policies/minimal_gost/dconf-locks new file mode 100644 index 0000000..8a36fa9 --- /dev/null +++ b/authselect_policies/minimal_gost/dconf-locks @@ -0,0 +1,2 @@ +/org/gnome/login-screen/enable-smartcard-authentication +/org/gnome/login-screen/enable-fingerprint-authentication diff --git a/authselect_policies/minimal_gost/fingerprint-auth b/authselect_policies/minimal_gost/fingerprint-auth new file mode 100644 index 0000000..ca152fb --- /dev/null +++ b/authselect_policies/minimal_gost/fingerprint-auth @@ -0,0 +1,16 @@ +auth required pam_env.so +auth sufficient pam_fprintd.so +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/authselect_policies/minimal_gost/nsswitch.conf b/authselect_policies/minimal_gost/nsswitch.conf new file mode 100644 index 0000000..f1f5941 --- /dev/null +++ b/authselect_policies/minimal_gost/nsswitch.conf @@ -0,0 +1,14 @@ +passwd: sss files systemd {exclude if "with-custom-passwd"} +shadow: files {exclude if "with-custom-shadow"} +group: sss files systemd {exclude if "with-custom-group"} +hosts: files dns myhostname {exclude if "with-custom-hosts"} +services: files sss {exclude if "with-custom-services"} +netgroup: sss {exclude if "with-custom-netgroup"} +automount: files sss {exclude if "with-custom-automount"} +aliases: files {exclude if "with-custom-aliases"} +ethers: files {exclude if "with-custom-ethers"} +gshadow: files +networks: files dns {exclude if "with-custom-networks"} +protocols: files {exclude if "with-custom-protocols"} +publickey: files {exclude if "with-custom-publickey"} +rpc: files {exclude if "with-custom-rpc"} diff --git a/authselect_policies/minimal_gost/password-auth b/authselect_policies/minimal_gost/password-auth new file mode 100644 index 0000000..5da3730 --- /dev/null +++ b/authselect_policies/minimal_gost/password-auth @@ -0,0 +1,15 @@ +auth required pam_env.so +auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok} +auth required pam_deny.so + +account required pam_unix.so + +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/authselect_policies/minimal_gost/postlogin b/authselect_policies/minimal_gost/postlogin new file mode 100644 index 0000000..8d9bfd0 --- /dev/null +++ b/authselect_policies/minimal_gost/postlogin @@ -0,0 +1,4 @@ +session optional pam_umask.so silent +session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} +session optional pam_lastlog.so silent noupdate showfailed diff --git a/authselect_policies/minimal_gost/smartcard-auth b/authselect_policies/minimal_gost/smartcard-auth new file mode 100644 index 0000000..f0843be --- /dev/null +++ b/authselect_policies/minimal_gost/smartcard-auth @@ -0,0 +1,16 @@ +auth required pam_env.so +auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password optional pam_pkcs11.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/authselect_policies/minimal_gost/system-auth b/authselect_policies/minimal_gost/system-auth new file mode 100644 index 0000000..5da3730 --- /dev/null +++ b/authselect_policies/minimal_gost/system-auth @@ -0,0 +1,15 @@ +auth required pam_env.so +auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok} +auth required pam_deny.so + +account required pam_unix.so + +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/authselect_policies/sssd_gost/README b/authselect_policies/sssd_gost/README new file mode 100644 index 0000000..02daa76 --- /dev/null +++ b/authselect_policies/sssd_gost/README @@ -0,0 +1,145 @@ +Enable SSSD with GOST support for system authentication (also for local users only) +================================================================= + +Selecting this profile will enable SSSD with GOST as the source of identity +and authentication providers. + +SSSD provides a set of daemons to manage access to remote directories and +authentication mechanisms such as LDAP, Kerberos, FreeIPA or AD. It provides +an NSS and PAM interface toward the system and a pluggable backend system +to connect to multiple different account sources. + +More information about SSSD can be found on its project page: +https://sssd.io + +However, if you do not want to keep SSSD running on your machine, you can +keep this profile selected and just disable SSSD service. The resulting +configuration will still work correctly even with SSSD disabled and local users +and groups will be read from local files directly. + +SSSD CONFIGURATION +------------------ + +Authselect does not touch SSSD's configuration. Please, read SSSD's +documentation to see how to configure it manually. Only local users +will be available on the system if there is no existing SSSD configuration. + +AVAILABLE OPTIONAL FEATURES +--------------------------- + +with-faillock:: + Enable account locking in case of too many consecutive + authentication failures. + +with-mkhomedir:: + Enable automatic creation of home directories for users on their + first login. + +with-smartcard:: + Enable authentication with smartcards through SSSD. Please note that + smartcard support must be also explicitly enabled within + SSSD's configuration. + +with-smartcard-lock-on-removal:: + Lock screen when a smartcard is removed. + +with-smartcard-required:: + Smartcard authentication is required. No other means of authentication + (including password) will be enabled. + +with-fingerprint:: + Enable authentication with fingerprint reader through *pam_fprintd*. + +with-pam-gnome-keyring:: + Enable pam-gnome-keyring support. + +with-pam-u2f:: + Enable authentication via u2f dongle through *pam_u2f*. + +with-pam-u2f-2fa:: + Enable 2nd factor authentication via u2f dongle through *pam_u2f*. + +without-pam-u2f-nouserok:: + Module argument nouserok is omitted if also with-pam-u2f-2fa is used. + *WARNING*: Omitting nouserok argument means that users without pam-u2f + authentication configured will not be able to log in *INCLUDING* root. + Make sure you are able to log in before losing root privileges. + +with-silent-lastlog:: + Do not produce pam_lastlog message during login. + +with-sudo:: + Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers. + +with-pamaccess:: + Check access.conf during account authorization. + +with-pwhistory:: + Enable pam_pwhistory module for local users. + +with-files-domain:: + If set, SSSD will be contacted before "files" when resolving users and + groups. The order in nsswitch.conf will be set to "sss files" instead of + "files sss" for passwd and group maps. + +with-files-access-provider:: + If set, account management for local users is handled also by pam_sss. This + is needed if there is an explicitly configured domain with id_provider=files + and non-empty access_provider setting in sssd.conf. + + *WARNING:* SSSD access check will become mandatory for local users and + if SSSD is stopped then local users will not be able to log in. Only + system accounts (as defined by pam_usertype, including root) will be + able to log in. + +with-gssapi:: + If set, pam_sss_gss module is enabled to perform user authentication over + GSSAPI. + +with-subid:: + Enable SSSD as a source of subid database in /etc/nsswitch.conf. + +without-nullok:: + Do not add nullok parameter to pam_unix. + +with-gost:: + Use GOST hash for shadow password instead of sha512 + +DISABLE SPECIFIC NSSWITCH DATABASES +----------------------------------- + +Normally, nsswitch databases set by the profile overwrites values set in +user-nsswitch.conf. The following options can force authselect to +ignore value set by the profile and use the one set in user-nsswitch.conf +instead. + +with-custom-passwd:: +Ignore "passwd" database set by the profile. + +with-custom-group:: +Ignore "group" database set by the profile. + +with-custom-netgroup:: +Ignore "netgroup" database set by the profile. + +with-custom-automount:: +Ignore "automount" database set by the profile. + +with-custom-services:: +Ignore "services" database set by the profile. + +EXAMPLES +-------- + +* Enable SSSD with sudo and smartcard support + + authselect select sssd with-sudo with-smartcard + +* Enable SSSD with sudo support and create home directories for users on their + first login + + authselect select sssd with-mkhomedir with-sudo + +SEE ALSO +-------- +* man sssd.conf(5) diff --git a/authselect_policies/sssd_gost/REQUIREMENTS b/authselect_policies/sssd_gost/REQUIREMENTS new file mode 100644 index 0000000..396287e --- /dev/null +++ b/authselect_policies/sssd_gost/REQUIREMENTS @@ -0,0 +1,29 @@ +Make sure that SSSD service is configured and enabled. See SSSD documentation for more information. + {include if "with-smartcard"} +- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf: {include if "with-smartcard"} + - set "pam_cert_auth = True" in [pam] section {include if "with-smartcard"} + {include if "with-fingerprint"} +- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"} + {include if "with-pam-gnome-keyring"} +- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module {include if "with-pam-gnome-keyring"} + is present. {include if "with-pam-gnome-keyring"} + {include if "with-pam-u2f"} +- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"} + - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"} + {include if "with-pam-u2f-2fa"} +- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"} + - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"} + {include if "with-mkhomedir"} +- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"} + is present and oddjobd service is enabled and active {include if "with-mkhomedir"} + - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} + {include if "with-files-domain"} +- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"} + - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"} + - or create a custom domain with id_provider=files {include if "with-files-domain"} + {include if "with-gssapi"} +- with-gssapi is selected, make sure that GSSAPI authenticaiton is enabled in SSSD {include if "with-gssapi"} + - set pam_gssapi_services to a list of allowed services in /etc/sssd/sssd.conf {include if "with-gssapi"} + - see additional information in pam_sss_gss(8) {include if "with-gssapi"} + {include if "with-gost"} +- with-gost is selected, make sure that openssl-gost-engine installed {include if "with-gost"} diff --git a/authselect_policies/sssd_gost/dconf-db b/authselect_policies/sssd_gost/dconf-db new file mode 100644 index 0000000..66c9949 --- /dev/null +++ b/authselect_policies/sssd_gost/dconf-db @@ -0,0 +1,9 @@ +{imply "with-smartcard" if "with-smartcard-required"} +{imply "with-smartcard" if "with-smartcard-lock-on-removal"} +[org/gnome/login-screen] +enable-smartcard-authentication={if "with-smartcard":true|false} +enable-fingerprint-authentication={if "with-fingerprint":true|false} +enable-password-authentication={if "with-smartcard-required":false|true} + +[org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"} +removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"} diff --git a/authselect_policies/sssd_gost/dconf-locks b/authselect_policies/sssd_gost/dconf-locks new file mode 100644 index 0000000..6bf15d0 --- /dev/null +++ b/authselect_policies/sssd_gost/dconf-locks @@ -0,0 +1,4 @@ +/org/gnome/login-screen/enable-smartcard-authentication +/org/gnome/login-screen/enable-fingerprint-authentication +/org/gnome/login-screen/enable-password-authentication +/org/gnome/settings-daemon/peripherals/smartcard/removal-action {include if "with-smartcard-lock-on-removal"} diff --git a/authselect_policies/sssd_gost/fingerprint-auth b/authselect_policies/sssd_gost/fingerprint-auth new file mode 100644 index 0000000..dc7befe --- /dev/null +++ b/authselect_policies/sssd_gost/fingerprint-auth @@ -0,0 +1,28 @@ +auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"} +{continue if "with-fingerprint"} +auth required pam_env.so +auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"} +auth required pam_faillock.so preauth silent {include if "with-faillock"} +auth [success=done default=bad] pam_fprintd.so +auth required pam_faillock.so authfail {include if "with-faillock"} +auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} +auth required pam_deny.so + +account required pam_access.so {include if "with-pamaccess"} +account required pam_faillock.so {include if "with-faillock"} +account required pam_unix.so +account sufficient pam_localuser.so {exclude if "with-files-access-provider"} +account sufficient pam_usertype.so issystem +account [default=bad success=ok user_unknown=ignore] pam_sss.so +account required pam_permit.so + +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so +session optional pam_sss.so +session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} diff --git a/authselect_policies/sssd_gost/nsswitch.conf b/authselect_policies/sssd_gost/nsswitch.conf new file mode 100644 index 0000000..f9e4e54 --- /dev/null +++ b/authselect_policies/sssd_gost/nsswitch.conf @@ -0,0 +1,7 @@ +passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"} +group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"} +netgroup: sss files {exclude if "with-custom-netgroup"} +automount: sss files {exclude if "with-custom-automount"} +services: sss files {exclude if "with-custom-services"} +sudoers: files sss {include if "with-sudo"} +subid: sss {include if "with-subid"} diff --git a/authselect_policies/sssd_gost/password-auth b/authselect_policies/sssd_gost/password-auth new file mode 100644 index 0000000..7832fb7 --- /dev/null +++ b/authselect_policies/sssd_gost/password-auth @@ -0,0 +1,39 @@ +auth required pam_env.so +auth required pam_faildelay.so delay=2000000 +auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"} +auth required pam_faillock.so preauth silent {include if "with-faillock"} +auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} +auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} +auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular +auth [default=1 ignore=ignore success=ok] pam_localuser.so +auth sufficient pam_unix.so {if not "without-nullok":nullok} +auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular +auth sufficient pam_sss.so forward_pass +auth required pam_faillock.so authfail {include if "with-faillock"} +auth optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"} +auth required pam_deny.so + +account required pam_access.so {include if "with-pamaccess"} +account required pam_faillock.so {include if "with-faillock"} +account required pam_unix.so +account sufficient pam_localuser.so {exclude if "with-files-access-provider"} +account sufficient pam_usertype.so issystem +account [default=bad success=ok user_unknown=ignore] pam_sss.so +account required pam_permit.so + +password requisite pam_pwquality.so local_users_only +password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} +password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} +password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok +password [success=1 default=ignore] pam_localuser.so +password sufficient pam_sss.so use_authtok +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so +session optional pam_sss.so +session optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"} diff --git a/authselect_policies/sssd_gost/postlogin b/authselect_policies/sssd_gost/postlogin new file mode 100644 index 0000000..04a11f0 --- /dev/null +++ b/authselect_policies/sssd_gost/postlogin @@ -0,0 +1,4 @@ +session optional pam_umask.so silent +session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed} +session optional pam_lastlog.so silent noupdate showfailed diff --git a/authselect_policies/sssd_gost/smartcard-auth b/authselect_policies/sssd_gost/smartcard-auth new file mode 100644 index 0000000..754847f --- /dev/null +++ b/authselect_policies/sssd_gost/smartcard-auth @@ -0,0 +1,26 @@ +{imply "with-smartcard" if "with-smartcard-required"} +auth required pam_debug.so auth=authinfo_unavail {exclude if "with-smartcard"} +{continue if "with-smartcard"} +auth required pam_env.so +auth required pam_faillock.so preauth silent {include if "with-faillock"} +auth sufficient pam_sss.so allow_missing_name {if "with-smartcard-required":require_cert_auth} +auth required pam_faillock.so authfail {include if "with-faillock"} +auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} +auth required pam_deny.so + +account required pam_access.so {include if "with-pamaccess"} +account required pam_faillock.so {include if "with-faillock"} +account required pam_unix.so +account sufficient pam_localuser.so {exclude if "with-files-access-provider"} +account sufficient pam_usertype.so issystem +account [default=bad success=ok user_unknown=ignore] pam_sss.so +account required pam_permit.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so +session optional pam_sss.so +session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} diff --git a/authselect_policies/sssd_gost/system-auth b/authselect_policies/sssd_gost/system-auth new file mode 100644 index 0000000..31d4ee1 --- /dev/null +++ b/authselect_policies/sssd_gost/system-auth @@ -0,0 +1,46 @@ +{imply "with-smartcard" if "with-smartcard-required"} +auth required pam_env.so +auth required pam_faildelay.so delay=2000000 +auth required pam_faillock.so preauth silent {include if "with-faillock"} +auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"} +auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"} +auth sufficient pam_fprintd.so {include if "with-fingerprint"} +auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} +auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} +auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular +auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"} +auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"} +auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"} +auth sufficient pam_unix.so {if not "without-nullok":nullok} +auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"} +auth sufficient pam_sss_gss.so {include if "with-gssapi"} +auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular +auth sufficient pam_sss.so forward_pass +auth required pam_faillock.so authfail {include if "with-faillock"} +auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} +auth required pam_deny.so + +account required pam_access.so {include if "with-pamaccess"} +account required pam_faillock.so {include if "with-faillock"} +account required pam_unix.so +account sufficient pam_localuser.so {exclude if "with-files-access-provider"} +account sufficient pam_usertype.so issystem +account [default=bad success=ok user_unknown=ignore] pam_sss.so +account required pam_permit.so + +password requisite pam_pwquality.so local_users_only +password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} +password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} +password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok +password [success=1 default=ignore] pam_localuser.so +password sufficient pam_sss.so use_authtok +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so +session optional pam_sss.so +session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} diff --git a/policies/GOST-ONLY-PAM.pol b/policies/GOST-ONLY-PAM.pol new file mode 100644 index 0000000..fce3bdb --- /dev/null +++ b/policies/GOST-ONLY-PAM.pol @@ -0,0 +1,29 @@ +# Next generation GOST algorithms + +mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT + +group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C + +hash = GOSTR94 STREEBOG-256 STREEBOG-512 + +sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512 + +cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM + +cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB + +key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF + +protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 + +# Parameter sizes +# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL +min_dh_size = 2048 +min_dsa_size = 2048 +min_rsa_size = 2048 + +# GnuTLS only for now +sha1_in_certs = 0 + +action_do = GOST +authopt@AUTH = custom/minimal_gost with-gost diff --git a/policies/GOST-ONLY.pol b/policies/GOST-ONLY.pol new file mode 100644 index 0000000..37e478b --- /dev/null +++ b/policies/GOST-ONLY.pol @@ -0,0 +1,28 @@ +# Next generation GOST algorithms + +mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT + +group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C + +hash = GOSTR94 STREEBOG-256 STREEBOG-512 + +sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512 + +cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM + +cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB + +key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF + +protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 + +# Parameter sizes +# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL +min_dh_size = 2048 +min_dsa_size = 2048 +min_rsa_size = 2048 + +# GnuTLS only for now +sha1_in_certs = 0 + +action_do = GOST diff --git a/policies/modules/GOST.pmod b/policies/modules/GOST.pmod new file mode 100644 index 0000000..b9021ea --- /dev/null +++ b/policies/modules/GOST.pmod @@ -0,0 +1,18 @@ +# Adds GOST algorithms. +# + +mac = +HMAC-STREEBOG-256 +HMAC-STREEBOG-512 +MAGMA-OMAC +KUZNYECHIK-OMAC +MAGMA-OMAC-ACPKM +KUZNYECHIK-OMAC-ACPKM +GOST28147-TC26Z-IMIT +GOST28147-CPA-IMIT +AEAD + +group = +GOST-GC256A +GOST-GC256B +GOST-GC256C +GOST-GC256D +GOST-GC512A +GOST-GC512B +GOST-GC512C + +hash = +STREEBOG-256 +STREEBOG-512 GOSTR94+ + +sign = +GOSTR341012-256 +GOSTR341012-512 GOSTR341001+ + +cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM + +cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB + +key_exchange = +VKO-GOST-2001 +VKO-GOST-2012 +VKO-GOST-KDF + +action_do = +GOST diff --git a/policies/modules/PAM-GOST.pmod b/policies/modules/PAM-GOST.pmod new file mode 100644 index 0000000..06d92c5 --- /dev/null +++ b/policies/modules/PAM-GOST.pmod @@ -0,0 +1,3 @@ +#Add shadow gost support + +authopt@AUTH = custom/minimal_gost with-gost diff --git a/policies/modules/PATCH-PAM-GOST.pmod b/policies/modules/PATCH-PAM-GOST.pmod new file mode 100644 index 0000000..a79abd0 --- /dev/null +++ b/policies/modules/PATCH-PAM-GOST.pmod @@ -0,0 +1,3 @@ +#Add shadow gost support + +authopt@AUTH = patch diff --git a/policies/modules/SSSD-PAM-GOST.pmod b/policies/modules/SSSD-PAM-GOST.pmod new file mode 100644 index 0000000..f28939e --- /dev/null +++ b/policies/modules/SSSD-PAM-GOST.pmod @@ -0,0 +1,3 @@ +#Add shadow gost support + +authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py index c04d518..90a0772 100755 --- a/python/build-crypto-policies.py +++ b/python/build-crypto-policies.py @@ -9,6 +9,7 @@ import argparse import os import sys import warnings +import platform import cryptopolicies @@ -64,6 +65,11 @@ def save_config(cmdline, policy_name, config_name, config): try: with open(path, mode='r', encoding='utf-8') as f: old_config = f.read() + if '[gost_section]' in config: + arch, links = platform.architecture() + if arch == '32bit': + #Make test expected file same for x86 and x86_64 systems + config = config.replace('dynamic_path = /usr/lib/engines-3/gost.so', 'dynamic_path = /usr/lib64/engines-3/gost.so') if old_config != config: eprint(f'Config for {config_name} for policy {policy_name} ' 'differs from the existing one') @@ -102,7 +108,7 @@ def build_policy(cmdline, policy_name, subpolicy_names=None): gen = cls() config = gen.generate_config(cp.scoped(gen.SCOPES)) - if policy_name in ('EMPTY', 'GOST-ONLY') or gen.test_config(config): + if policy_name in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM') or gen.test_config(config): try: name = ':'.join([policy_name, *subpolicy_names]) if not save_config(cmdline, name, gen.CONFIG_NAME, config): diff --git a/python/cryptopolicies/alg_lists.py b/python/cryptopolicies/alg_lists.py index 792cbe1..88d79e3 100644 --- a/python/cryptopolicies/alg_lists.py +++ b/python/cryptopolicies/alg_lists.py @@ -97,6 +97,12 @@ DTLS_PROTOCOLS = ('DTLS1.2', 'DTLS1.0', 'DTLS0.9') IKE_PROTOCOLS = ('IKEv2', 'IKEv1') ALL_PROTOCOLS = TLS_PROTOCOLS + DTLS_PROTOCOLS + IKE_PROTOCOLS +# List of action do algoritms, for non standard libraries +IACTION_OPT = 'action_do' +ALL_ACTION_DO = ( 'GOST', 'NONE' ) + +AUTH_PROFILES_OPT = 'authopt' +ALL_AUTH_PROFILES = () ALL = { 'cipher': ALL_CIPHERS, @@ -106,6 +112,8 @@ ALL = { 'mac': ALL_MACS, 'protocol': ALL_PROTOCOLS, 'sign': ALL_SIGN, + IACTION_OPT: ALL_ACTION_DO, + AUTH_PROFILES_OPT: ALL_AUTH_PROFILES } @@ -119,10 +127,13 @@ def glob(pattern, alg_class): if alg_class not in ALL: raise validation.alg_lists.AlgorithmClassUnknownError(alg_class) - r = fnmatch.filter(ALL[alg_class], pattern) - if not r: - raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class) - return r + if alg_class == AUTH_PROFILES_OPT: + return [pattern] + else: + r = fnmatch.filter(ALL[alg_class], pattern) + if not r: + raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class) + return r def earliest_occurrence(needles, ordered_haystack): diff --git a/python/cryptopolicies/cryptopolicies.py b/python/cryptopolicies/cryptopolicies.py index bca0519..fff016a 100644 --- a/python/cryptopolicies/cryptopolicies.py +++ b/python/cryptopolicies/cryptopolicies.py @@ -41,7 +41,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing 'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh', 'ipsec', 'ike', 'libreswan', 'kerberos', 'krb5', - 'dnssec', 'bind', + 'dnssec', 'bind', 'auth' ) DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things 'bind': {'bind', 'dnssec'}, @@ -54,6 +54,7 @@ DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things 'openssh-client': {'openssh-client', 'openssh', 'ssh'}, 'openssh-server': {'openssh-server', 'openssh', 'ssh'}, 'openssl': {'openssl', 'tls', 'ssl'}, + 'auth': {'auth'}, } @@ -468,6 +469,8 @@ class UnscopedCryptoPolicy: **generic_scoped.integers, **generic_scoped.enums} for prop_name, value in generic_all.items(): + if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT): + continue s += fmt(prop_name, value) anything_scope_specific = False for scope_name, scope_set in DUMPABLE_SCOPES.items(): @@ -476,6 +479,8 @@ class UnscopedCryptoPolicy: **specific_scoped.integers, **specific_scoped.enums} for prop_name, value in specific_all.items(): + if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT): + continue if value != generic_all[prop_name]: if not anything_scope_specific: s += ('# Scope-specific properties ' diff --git a/python/policygenerators/__init__.py b/python/policygenerators/__init__.py index 98ac27c..ac1b051 100644 --- a/python/policygenerators/__init__.py +++ b/python/policygenerators/__init__.py @@ -16,6 +16,7 @@ from .openssh import OpenSSHServerGenerator from .openssl import OpenSSLConfigGenerator from .openssl import OpenSSLGenerator from .openssl import OpenSSLFIPSGenerator +from .auth import AuthGenerator __all__ = [ 'BindGenerator', @@ -31,4 +32,5 @@ __all__ = [ 'OpenSSLConfigGenerator', 'OpenSSLGenerator', 'OpenSSLFIPSGenerator', + 'AuthGenerator', ] diff --git a/python/policygenerators/auth.py b/python/policygenerators/auth.py new file mode 100644 index 0000000..eb6bda5 --- /dev/null +++ b/python/policygenerators/auth.py @@ -0,0 +1,36 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +# Copyright (c) 2019 Red Hat, Inc. +# Copyright (c) 2019 Tomáš Mráz + +import os.path + +from .configgenerator import ConfigGenerator + +class AuthGenerator(ConfigGenerator): + CONFIG_NAME = 'auth' + SCOPES = {'auth'} + + RELOAD_CMD = '/usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :\n' + + @classmethod + def generate_config(cls, policy): + p = policy.enabled + sep = '\n' + s = '' + authopt_data = p['authopt'] + if len(authopt_data) > 0: + auth_profile = authopt_data.pop(0) + opt_list = [] + for item in authopt_data: + if item not in opt_list: + if item.startswith('with'): + opt_list.append(item) + s = cls.append(s, auth_profile, sep) + for item in opt_list: + s = cls.append(s, item, sep) + return s + + @classmethod + def test_config(cls, config): # pylint: disable=unused-argument + return True diff --git a/python/policygenerators/fedora-crypto-policies.code-workspace b/python/policygenerators/fedora-crypto-policies.code-workspace new file mode 100644 index 0000000..e69de29 diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py index 571dc79..57c7476 100644 --- a/python/policygenerators/openssl.py +++ b/python/policygenerators/openssl.py @@ -2,6 +2,7 @@ # Copyright (c) 2019 Red Hat, Inc. # Copyright (c) 2019 Tomáš Mráz +import platform from subprocess import check_output, CalledProcessError @@ -22,6 +23,25 @@ tls1-prf-ems-check = {} activate = 1 ''' +arch, links = platform.architecture() +library_path = '64' +if arch == '32bit': + library_path = '' + +GOST_MODULE_ENABLE = ''' +[openssl_init] +engines = engine_gost + +[engine_gost] +gost = gost_section + +[gost_section] +engine_id = gost +dynamic_path = /usr/lib%s/engines-3/gost.so +default_algorithms = ALL +CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet +''' % (library_path) + class OpenSSLGenerator(ConfigGenerator): CONFIG_NAME = 'openssl' @@ -266,6 +286,9 @@ class OpenSSLConfigGenerator(OpenSSLGenerator): if 'SHA1' in p['hash']: s += RH_ALLOW_SHA1 + + if 'GOST' in p['action_do']: + s += GOST_MODULE_ENABLE return s diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh new file mode 100755 index 0000000..5b2ecad --- /dev/null +++ b/scripts/auth_apply.sh @@ -0,0 +1,204 @@ +#!/usr/bin/bash +exec 1> /var/log/crypto-cmc/auth.log 2>&1 +set -x +# Скрипт настройки профиля authselect для crypto-policy +# Примеры запуска: +# auth_apply.sh -e - восстановить конфигурацию без указания auth профиля +# auth_apply.sh -p tmp/ - считать что конфигурационные файлы authselect лежат в каталоге tmp +# auth_apply.sh -p /tmp -t /tmpconf - аналигично предыдущему, но еще не вызывать authselect +# и считать, что сгенерированный конфиг лежит в каталоге tmpconf + +CONF_PATH=/etc/authselect/ +AUTH_SEL_BAK=authselect.conf.policy +AUTH_CONFIG=authselect.conf +EMPTY=0 +TEST="" +AUTH_BACKUP_NAME="auth_saved_profile" +USE_PATCH="$CONF_PATH/autheslect.patch" + +function set_gost +{ + /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/system-auth + /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/password-auth + +} + +function set_no_gost +{ + /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/system-auth + /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/password-auth +} + +function get_auth_options +{ + /usr/bin/cat /etc/crypto-policies/back-ends/auth.config | tr '\n' ' ' +} + +function save_restored_profile +{ + if [ ! -e /etc/authselect/custom/restored ];then + /usr/bin/authselect create-profile restored + [ -e /etc/pam.d/fingerprint-auth ] && /usr/bin/cp -f /etc/pam.d/fingerprint-auth /etc/authselect/custom/restored/ + [ -e /etc/pam.d/password-auth ] && /usr/bin/cp -f /etc/pam.d/password-auth /etc/authselect/custom/restored/ + [ -e /etc/pam.d/postlogin ] && /usr/bin/cp -f /etc/pam.d/postlogin /etc/authselect/custom/restored/ + [ -e /etc/pam.d/smartcard-auth ] && /usr/bin/cp -f /etc/pam.d/smartcard-auth /etc/authselect/custom/restored/ + [ -e /etc/pam.d/system-auth ] && /usr/bin/cp -f /etc/pam.d/system-auth /etc/authselect/custom/restored/ + [ -e /etc/authselect/user-nsswitch.conf ] && /usr/bin/cp -f /etc/authselect/user-nsswitch.conf /etc/authselect/custom/restored/nsswitch.conf + fi +} + +while getopts ':et:p:h' VAL ; do + case $VAL in + e ) EMPTY=1 ;; + p ) CONF_PATH="$OPTARG" ;; + t ) TEST="$OPTARG" ;; + : ) + echo "Необходим параметр - путь к опции $OPTARG" + exit 255 + ;; + * ) + echo "Неизвестный параметр $OPTARG" + exit 255 + ;; + esac +done +shift $((OPTIND -1)) + +# Если заданный путь к кинфигурации authselect заканчивается на / +# то удалим этот символ +LAST_SYMBOL=${CONF_PATH: -1} +if [ "$LAST_SYMBOL" = "/" ];then + CONF_PATH=${CONF_PATH%?} +fi +LAST_SYMBOL=${TEST: -1} +if [ "$LAST_SYMBOL" = "/" ];then + TEST=${TEST%?} +fi + +if [ -z "$TEST" ];then + POLICY_CONFIG=/etc/crypto-policies/back-ends/auth.config +else + POLICY_CONFIG="$TEST/auth.config" + if [[ "$POLICY_CONFIG" == "/*" ]];then + : + else + CUR_DIR=$(pwd) + POLICY_CONFIG="$CUR_DIR/$POLICY_CONFIG" + fi +fi + +PATH_TO_AUTH_SEL_BAK="$CONF_PATH/$AUTH_SEL_BAK" +PATH_TO_AUTH_CONFIG="$CONF_PATH/$AUTH_CONFIG" + +# Дополнительная проверка, файл authselect.conf не должен быть пустым +# или соедржать слово empty--data, иначе это признак empty +if [ -e "$PATH_TO_AUTH_CONFIG" ];then + AUTH_CONF_CONT=$(/usr/bin/cat "$POLICY_CONFIG" | /usr/bin/xargs) + if [ -z "$AUTH_CONF_CONT" -o "$AUTH_CONF_CONT" = "empty--data" ];then + EMPTY=1 + fi +else + EMPTY=2 +fi + +# Проверим, нужно ли накладывать патч. Установлено ли это конфигурацией +NEED_PATCH=0 +if [ -e "$POLICY_CONFIG" ];then + RES=$(cat "$POLICY_CONFIG") + if [ "$RES" = "patch" ];then + NEED_PATCH=1 + fi +fi + +# Если задан параметр empty, это значит, что применяется профиль +# без настройки для authselect, в этом случае нужно восстановить +# старый заданный профиль +# TODO: возможно даже воспользоватьс командой +# authselect backup-restore auth_saved_profile +# данный снимок создается при профиля через crypto-policy +if [ "$EMPTY" = "1" ];then +# Если есть файл authselect.patch, значит профиль был пропатчен, +# а не установлен через профиль + if [ -e "$USE_PATCH" ];then + set_no_gost + /usr/bin/mv -f "$USE_PATCH" "$USE_PATCH.removed" + else + if [ -e "$PATH_TO_AUTH_SEL_BAK" ];then +# Только root может восстанавливать конфигурацию из резервной копии +# дабыизбежать подлога и восстановления файла, созданного пользователем + OWNER_UID=$(/usr/bin/stat -c "%u" "$PATH_TO_AUTH_SEL_BAK") + if [ "$OWNER_UID" = "0" ];then + /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG" + fi + AUTH_CONT=$(cat "$PATH_TO_AUTH_CONFIG") +# Есди файл настроек authselect пустой после восстановления +# значит он создан ранее скриптом и его нужно убрать + if [ -z "$AUTH_CONT" ];then + /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed" + fi + else + /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed" + fi + if [ -e "$PATH_TO_AUTH_CONFIG" ];then + /usr/bin/authselect apply-changes + else + if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then + /usr/bin/authselect backup-restore "$AUTH_BACKUP_NAME" + else + if [ -e /etc/authselect/custom/resored ];then + /usr/bin/authselect select custom/restored --force + fi + fi + fi + fi + exit 0 +fi + +# Здесь проверяется куда указывает симлинк(если создан) конфигурационного файла +# если он смотрит на policy конфигурационный файл, то ничего не делаем, т.к. все уже сделано до нас +if [ "$EMPTY" = "2" ];then + if [ "$NEED_PATCH" = "1" ];then + set_gost + touch "$USE_PATCH" + else + OPTS_FOR_EXECUTE=$(get_auth_options) + if [ -n "$OPTS_FOR_EXECUTE" ];then + save_restored_profile + if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then + /usr/bin/authselect select $OPTS_FOR_EXECUTE --force + else + /usr/bin/authselect select $OPTS_FOR_EXECUTE --force --backup=auth_saved_profile + fi + #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" + /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" + /usr/bin/authselect apply-changes + touch "$PATH_TO_AUTH_SEL_BAK" + fi + fi +else + if [ "$NEED_PATCH" = "1" ];then + set_gost + touch "$USE_PATCH" + else +# Если не найден файл маркер, то создается файл бэкапа для authselect +# а так же создается файл маркер + if [ ! -e "$PATH_TO_AUTH_SEL_BAK" ];then + /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_SEL_BAK" + EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG") + if [ -n "$EMPTY_AUTH" ];then + if [ ! -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then + /usr/bin/authselect apply-changes --backup="$AUTH_BACKUP_NAME" + fi + fi + fi + + #LINK_VALUE=$(/usr/bin/readlink "$PATH_TO_AUTH_CONFIG") + #if [ "$LINK_VALUE" != "$POLICY_CONFIG" ];then + # #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" + #fi + /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG" + /usr/bin/authselect apply-changes + fi +fi + +exit 0 \ No newline at end of file diff --git a/tests/alternative-policies/GOST-ONLY.pol b/tests/alternative-policies/GOST-ONLY.pol new file mode 100644 index 0000000..6238020 --- /dev/null +++ b/tests/alternative-policies/GOST-ONLY.pol @@ -0,0 +1,30 @@ +# Next generation GOST algorithms + +mac = AEAD *STREEBOG* *-OMAC *-OMAC-ACPKM *GOST* + +group = *GOST* + +hash = *GOST* *STREEBOG* + +sign = *GOST* + +cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM + +cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-C* + +key_exchange = *GOST* + +protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 + +min_tls_version = TLS1.0 + +# Parameter sizes +# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL +min_dh_size = 2048 +min_dsa_size = 2048 +min_rsa_size = 2048 + +# GnuTLS only for now +sha1_in_certs = 0 + +action_do = GOST diff --git a/tests/alternative-policies/modules/GOST.pmod b/tests/alternative-policies/modules/GOST.pmod new file mode 100644 index 0000000..4280cad --- /dev/null +++ b/tests/alternative-policies/modules/GOST.pmod @@ -0,0 +1,18 @@ +# Adds GOST algorithms. +# This is an example subpolicy, the algorithm names might differ in reality. + +mac = +*STREEBOG-* +*-OMAC +*-OMAC-ACPKM +GOST28147* +AEAD + +group = +*GOST* + +hash = +*STREEBOG* +*GOST* + +sign = +*GOST* + +cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM + +cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB + +key_exchange = +*GOST* + +action_do = +GOST \ No newline at end of file diff --git a/tests/gnutls.pl b/tests/gnutls.pl index c327d8e..6d63d86 100755 --- a/tests/gnutls.pl +++ b/tests/gnutls.pl @@ -24,7 +24,7 @@ foreach my $policyfile (@gnutlspolicies) { $policy =~ s/-[^-]+$//; print "Checking policy $policy\n"; - next if $policy eq 'GOST-ONLY'; + next if $policy =~ /^GOST-ONLY/; system("GNUTLS_DEBUG_LEVEL=3 GNUTLS_SYSTEM_PRIORITY_FILE=$dir/$policyfile GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 gnutls-cli -l >$TMPFILE 2>&1"); if ($? == 0 && $policy eq 'EMPTY') { diff --git a/tests/java.pl b/tests/java.pl index c285150..6639642 100755 --- a/tests/java.pl +++ b/tests/java.pl @@ -43,7 +43,7 @@ foreach my $policyfile (@javapolicies) { } my $lines=`cat $TMPFILE|wc -l`; - if ("$policy" eq "EMPTY" or "$policy" eq "GOST-ONLY") { + if ("$policy" eq "EMPTY" or "$policy" =~ /^GOST-ONLY/) { if ($lines >= 2) { # we allow the SCSV print "Empty policy has ciphersuites!\n"; exit 1; diff --git a/tests/nss.py b/tests/nss.py index f30f48e..4fdec63 100755 --- a/tests/nss.py +++ b/tests/nss.py @@ -38,7 +38,7 @@ print('Checking the NSS configuration') for policy_path in glob.glob('tests/outputs/*-nss.txt'): policy = os.path.basename(policy_path)[:-len('-nss.txt')] print(f'Checking policy {policy}') - if policy not in ('EMPTY', 'GOST-ONLY'): + if policy not in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM'): with open(policy_path, encoding='utf-8') as pf: config = pf.read() with tempfile.NamedTemporaryFile('w', delete=False) as tf: diff --git a/tests/openssl.pl b/tests/openssl.pl index c3a7c9f..f967845 100755 --- a/tests/openssl.pl +++ b/tests/openssl.pl @@ -27,7 +27,7 @@ foreach my $policyfile (@opensslpolicies) { <$fh>; }; - my %skip_test = map {$_ => 1} ("EMPTY", "GOST-ONLY"); + my %skip_test = map {$_ => 1} ("EMPTY", "GOST-ONLY", "GOST-ONLY-PAM"); system("openssl ciphers $tmp >$TMPFILE 2>&1") unless exists $skip_test{$policy}; if ($? != 0) { diff --git a/tests/outputs/DEFAULT-auth.txt b/tests/outputs/DEFAULT-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/DEFAULT:GOST-auth.txt b/tests/outputs/DEFAULT:GOST-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/DEFAULT:GOST-bind.txt b/tests/outputs/DEFAULT:GOST-bind.txt new file mode 100644 index 0000000..09fb3f1 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-bind.txt @@ -0,0 +1,10 @@ +disable-algorithms "." { +RSAMD5; +RSASHA1; +NSEC3RSASHA1; +DSA; +NSEC3DSA; +}; +disable-ds-digests "." { +SHA-1; +}; diff --git a/tests/outputs/DEFAULT:GOST-gnutls.txt b/tests/outputs/DEFAULT:GOST-gnutls.txt new file mode 100644 index 0000000..9a04550 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-gnutls.txt @@ -0,0 +1,105 @@ +[global] +override-mode = allowlist + +[overrides] +secure-hash = SHA256 +secure-hash = SHA384 +secure-hash = SHA512 +secure-hash = SHA3-256 +secure-hash = SHA3-384 +secure-hash = SHA3-512 +secure-hash = SHA224 +secure-hash = SHA3-224 +secure-hash = SHAKE-256 +tls-enabled-mac = AEAD +tls-enabled-mac = SHA1 +tls-enabled-mac = SHA512 +tls-enabled-group = GROUP-X25519 +tls-enabled-group = GROUP-SECP256R1 +tls-enabled-group = GROUP-X448 +tls-enabled-group = GROUP-SECP521R1 +tls-enabled-group = GROUP-SECP384R1 +tls-enabled-group = GROUP-FFDHE2048 +tls-enabled-group = GROUP-FFDHE3072 +tls-enabled-group = GROUP-FFDHE4096 +tls-enabled-group = GROUP-FFDHE6144 +tls-enabled-group = GROUP-FFDHE8192 +secure-sig = ECDSA-SHA3-256 +secure-sig = ECDSA-SHA256 +secure-sig = ECDSA-SECP256R1-SHA256 +secure-sig = ECDSA-SHA3-384 +secure-sig = ECDSA-SHA384 +secure-sig = ECDSA-SECP384R1-SHA384 +secure-sig = ECDSA-SHA3-512 +secure-sig = ECDSA-SHA512 +secure-sig = ECDSA-SECP521R1-SHA512 +secure-sig = EdDSA-Ed25519 +secure-sig = EdDSA-Ed448 +secure-sig = RSA-PSS-SHA256 +secure-sig = RSA-PSS-SHA384 +secure-sig = RSA-PSS-SHA512 +secure-sig = RSA-PSS-RSAE-SHA256 +secure-sig = RSA-PSS-RSAE-SHA384 +secure-sig = RSA-PSS-RSAE-SHA512 +secure-sig = RSA-SHA3-256 +secure-sig = RSA-SHA256 +secure-sig = RSA-SHA3-384 +secure-sig = RSA-SHA384 +secure-sig = RSA-SHA3-512 +secure-sig = RSA-SHA512 +secure-sig = ECDSA-SHA224 +secure-sig = RSA-SHA224 +secure-sig = ECDSA-SHA3-224 +secure-sig = RSA-SHA3-224 +secure-sig-for-cert = ECDSA-SHA3-256 +secure-sig-for-cert = ECDSA-SHA256 +secure-sig-for-cert = ECDSA-SECP256R1-SHA256 +secure-sig-for-cert = ECDSA-SHA3-384 +secure-sig-for-cert = ECDSA-SHA384 +secure-sig-for-cert = ECDSA-SECP384R1-SHA384 +secure-sig-for-cert = ECDSA-SHA3-512 +secure-sig-for-cert = ECDSA-SHA512 +secure-sig-for-cert = ECDSA-SECP521R1-SHA512 +secure-sig-for-cert = EdDSA-Ed25519 +secure-sig-for-cert = EdDSA-Ed448 +secure-sig-for-cert = RSA-PSS-SHA256 +secure-sig-for-cert = RSA-PSS-SHA384 +secure-sig-for-cert = RSA-PSS-SHA512 +secure-sig-for-cert = RSA-PSS-RSAE-SHA256 +secure-sig-for-cert = RSA-PSS-RSAE-SHA384 +secure-sig-for-cert = RSA-PSS-RSAE-SHA512 +secure-sig-for-cert = RSA-SHA3-256 +secure-sig-for-cert = RSA-SHA256 +secure-sig-for-cert = RSA-SHA3-384 +secure-sig-for-cert = RSA-SHA384 +secure-sig-for-cert = RSA-SHA3-512 +secure-sig-for-cert = RSA-SHA512 +secure-sig-for-cert = ECDSA-SHA224 +secure-sig-for-cert = RSA-SHA224 +secure-sig-for-cert = ECDSA-SHA3-224 +secure-sig-for-cert = RSA-SHA3-224 +enabled-curve = X25519 +enabled-curve = SECP256R1 +enabled-curve = X448 +enabled-curve = SECP521R1 +enabled-curve = SECP384R1 +enabled-curve = Ed25519 +enabled-curve = Ed448 +tls-enabled-cipher = AES-256-GCM +tls-enabled-cipher = AES-256-CCM +tls-enabled-cipher = CHACHA20-POLY1305 +tls-enabled-cipher = AES-256-CBC +tls-enabled-cipher = AES-128-GCM +tls-enabled-cipher = AES-128-CCM +tls-enabled-cipher = AES-128-CBC +tls-enabled-kx = ECDHE-RSA +tls-enabled-kx = ECDHE-ECDSA +tls-enabled-kx = RSA +tls-enabled-kx = DHE-RSA +enabled-version = TLS1.3 +enabled-version = TLS1.2 +enabled-version = DTLS1.2 +min-verification-profile = medium + +[priorities] +SYSTEM=NONE diff --git a/tests/outputs/DEFAULT:GOST-java.txt b/tests/outputs/DEFAULT:GOST-java.txt new file mode 100644 index 0000000..1a48c4a --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-java.txt @@ -0,0 +1,3 @@ +jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 +jdk.tls.legacyAlgorithms= diff --git a/tests/outputs/DEFAULT:GOST-javasystem.txt b/tests/outputs/DEFAULT:GOST-javasystem.txt new file mode 100644 index 0000000..108de3d --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-javasystem.txt @@ -0,0 +1 @@ +jdk.tls.ephemeralDHKeySize=2048 diff --git a/tests/outputs/DEFAULT:GOST-krb5.txt b/tests/outputs/DEFAULT:GOST-krb5.txt new file mode 100644 index 0000000..415dcb3 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-krb5.txt @@ -0,0 +1,2 @@ +[libdefaults] +permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 diff --git a/tests/outputs/DEFAULT:GOST-libreswan.txt b/tests/outputs/DEFAULT:GOST-libreswan.txt new file mode 100644 index 0000000..9f2f5db --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-libreswan.txt @@ -0,0 +1,6 @@ +conn %default + ikev2=insist + pfs=yes + ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 + esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 + authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 diff --git a/tests/outputs/DEFAULT:GOST-libssh.txt b/tests/outputs/DEFAULT:GOST-libssh.txt new file mode 100644 index 0000000..49d8251 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-libssh.txt @@ -0,0 +1,5 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com diff --git a/tests/outputs/DEFAULT:GOST-nss.txt b/tests/outputs/DEFAULT:GOST-nss.txt new file mode 100644 index 0000000..b8bf74a --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-nss.txt @@ -0,0 +1,6 @@ +library= +name=Policy +NSS=flags=policyOnly,moduleDB +config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" + + diff --git a/tests/outputs/DEFAULT:GOST-openssh.txt b/tests/outputs/DEFAULT:GOST-openssh.txt new file mode 100644 index 0000000..47d352e --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-openssh.txt @@ -0,0 +1,7 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:GOST-opensshserver.txt b/tests/outputs/DEFAULT:GOST-opensshserver.txt new file mode 100644 index 0000000..8105750 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-opensshserver.txt @@ -0,0 +1,8 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:GOST-openssl.txt b/tests/outputs/DEFAULT:GOST-openssl.txt new file mode 100644 index 0000000..239566f --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-openssl.txt @@ -0,0 +1 @@ +@SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 diff --git a/tests/outputs/DEFAULT:GOST-openssl_fips.txt b/tests/outputs/DEFAULT:GOST-openssl_fips.txt new file mode 100644 index 0000000..c69d6e1 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-openssl_fips.txt @@ -0,0 +1,4 @@ + +[fips_sect] +tls1-prf-ems-check = 1 +activate = 1 diff --git a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt new file mode 100644 index 0000000..6fe6291 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-opensslcnf.txt @@ -0,0 +1,20 @@ +CipherString = @SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = GOST2012-GOST8912-GOST8912:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 +TLS.MinProtocol = TLSv1.2 +TLS.MaxProtocol = TLSv1.3 +DTLS.MinProtocol = DTLSv1.2 +DTLS.MaxProtocol = DTLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 +Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 + +[openssl_init] +engines = engine_gost + +[engine_gost] +gost = gost_section + +[gost_section] +engine_id = gost +dynamic_path = /usr/lib64/engines-3/gost.so +default_algorithms = ALL +CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet diff --git a/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt new file mode 100644 index 0000000..cec1d15 --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt @@ -0,0 +1,51 @@ +[hash_algorithms] +md5.collision_resistance = "never" +md5.second_preimage_resistance = "never" +sha1.collision_resistance = "always" +sha1.second_preimage_resistance = "always" +ripemd160.collision_resistance = "never" +ripemd160.second_preimage_resistance = "never" +sha224.collision_resistance = "always" +sha224.second_preimage_resistance = "always" +sha256.collision_resistance = "always" +sha256.second_preimage_resistance = "always" +sha384.collision_resistance = "always" +sha384.second_preimage_resistance = "always" +sha512.collision_resistance = "always" +sha512.second_preimage_resistance = "always" +default_disposition = "never" + +[symmetric_algorithms] +idea = "never" +tripledes = "never" +cast5 = "never" +blowfish = "never" +aes128 = "always" +aes192 = "never" +aes256 = "always" +twofish = "never" +camellia128 = "always" +camellia192 = "never" +camellia256 = "always" +default_disposition = "never" + +[asymmetric_algorithms] +rsa1024 = "never" +rsa2048 = "always" +rsa3072 = "always" +rsa4096 = "always" +dsa1024 = "always" +dsa2048 = "always" +dsa3072 = "always" +dsa4096 = "always" +nistp256 = "always" +nistp384 = "always" +nistp521 = "always" +cv25519 = "always" +elgamal1024 = "never" +elgamal2048 = "never" +elgamal3072 = "never" +elgamal4096 = "never" +brainpoolp256 = "never" +brainpoolp512 = "never" +default_disposition = "never" diff --git a/tests/outputs/DEFAULT:GOST-sequoia.txt b/tests/outputs/DEFAULT:GOST-sequoia.txt new file mode 100644 index 0000000..135997c --- /dev/null +++ b/tests/outputs/DEFAULT:GOST-sequoia.txt @@ -0,0 +1,51 @@ +[hash_algorithms] +md5.collision_resistance = "never" +md5.second_preimage_resistance = "never" +sha1.collision_resistance = "never" +sha1.second_preimage_resistance = "never" +ripemd160.collision_resistance = "never" +ripemd160.second_preimage_resistance = "never" +sha224.collision_resistance = "always" +sha224.second_preimage_resistance = "always" +sha256.collision_resistance = "always" +sha256.second_preimage_resistance = "always" +sha384.collision_resistance = "always" +sha384.second_preimage_resistance = "always" +sha512.collision_resistance = "always" +sha512.second_preimage_resistance = "always" +default_disposition = "never" + +[symmetric_algorithms] +idea = "never" +tripledes = "never" +cast5 = "never" +blowfish = "never" +aes128 = "always" +aes192 = "never" +aes256 = "always" +twofish = "never" +camellia128 = "always" +camellia192 = "never" +camellia256 = "always" +default_disposition = "never" + +[asymmetric_algorithms] +rsa1024 = "never" +rsa2048 = "always" +rsa3072 = "always" +rsa4096 = "always" +dsa1024 = "never" +dsa2048 = "never" +dsa3072 = "never" +dsa4096 = "never" +nistp256 = "always" +nistp384 = "always" +nistp521 = "always" +cv25519 = "always" +elgamal1024 = "never" +elgamal2048 = "never" +elgamal3072 = "never" +elgamal4096 = "never" +brainpoolp256 = "never" +brainpoolp512 = "never" +default_disposition = "never" diff --git a/tests/outputs/DEFAULT:PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PAM-GOST-auth.txt new file mode 100644 index 0000000..110527f --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-auth.txt @@ -0,0 +1,2 @@ +custom/minimal_gost +with-gost \ No newline at end of file diff --git a/tests/outputs/DEFAULT:PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PAM-GOST-bind.txt new file mode 100644 index 0000000..9ec8420 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-bind.txt @@ -0,0 +1,12 @@ +disable-algorithms "." { +RSAMD5; +RSASHA1; +NSEC3RSASHA1; +DSA; +NSEC3DSA; +ECCGOST; +}; +disable-ds-digests "." { +SHA-1; +GOST; +}; diff --git a/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt new file mode 100644 index 0000000..9a04550 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt @@ -0,0 +1,105 @@ +[global] +override-mode = allowlist + +[overrides] +secure-hash = SHA256 +secure-hash = SHA384 +secure-hash = SHA512 +secure-hash = SHA3-256 +secure-hash = SHA3-384 +secure-hash = SHA3-512 +secure-hash = SHA224 +secure-hash = SHA3-224 +secure-hash = SHAKE-256 +tls-enabled-mac = AEAD +tls-enabled-mac = SHA1 +tls-enabled-mac = SHA512 +tls-enabled-group = GROUP-X25519 +tls-enabled-group = GROUP-SECP256R1 +tls-enabled-group = GROUP-X448 +tls-enabled-group = GROUP-SECP521R1 +tls-enabled-group = GROUP-SECP384R1 +tls-enabled-group = GROUP-FFDHE2048 +tls-enabled-group = GROUP-FFDHE3072 +tls-enabled-group = GROUP-FFDHE4096 +tls-enabled-group = GROUP-FFDHE6144 +tls-enabled-group = GROUP-FFDHE8192 +secure-sig = ECDSA-SHA3-256 +secure-sig = ECDSA-SHA256 +secure-sig = ECDSA-SECP256R1-SHA256 +secure-sig = ECDSA-SHA3-384 +secure-sig = ECDSA-SHA384 +secure-sig = ECDSA-SECP384R1-SHA384 +secure-sig = ECDSA-SHA3-512 +secure-sig = ECDSA-SHA512 +secure-sig = ECDSA-SECP521R1-SHA512 +secure-sig = EdDSA-Ed25519 +secure-sig = EdDSA-Ed448 +secure-sig = RSA-PSS-SHA256 +secure-sig = RSA-PSS-SHA384 +secure-sig = RSA-PSS-SHA512 +secure-sig = RSA-PSS-RSAE-SHA256 +secure-sig = RSA-PSS-RSAE-SHA384 +secure-sig = RSA-PSS-RSAE-SHA512 +secure-sig = RSA-SHA3-256 +secure-sig = RSA-SHA256 +secure-sig = RSA-SHA3-384 +secure-sig = RSA-SHA384 +secure-sig = RSA-SHA3-512 +secure-sig = RSA-SHA512 +secure-sig = ECDSA-SHA224 +secure-sig = RSA-SHA224 +secure-sig = ECDSA-SHA3-224 +secure-sig = RSA-SHA3-224 +secure-sig-for-cert = ECDSA-SHA3-256 +secure-sig-for-cert = ECDSA-SHA256 +secure-sig-for-cert = ECDSA-SECP256R1-SHA256 +secure-sig-for-cert = ECDSA-SHA3-384 +secure-sig-for-cert = ECDSA-SHA384 +secure-sig-for-cert = ECDSA-SECP384R1-SHA384 +secure-sig-for-cert = ECDSA-SHA3-512 +secure-sig-for-cert = ECDSA-SHA512 +secure-sig-for-cert = ECDSA-SECP521R1-SHA512 +secure-sig-for-cert = EdDSA-Ed25519 +secure-sig-for-cert = EdDSA-Ed448 +secure-sig-for-cert = RSA-PSS-SHA256 +secure-sig-for-cert = RSA-PSS-SHA384 +secure-sig-for-cert = RSA-PSS-SHA512 +secure-sig-for-cert = RSA-PSS-RSAE-SHA256 +secure-sig-for-cert = RSA-PSS-RSAE-SHA384 +secure-sig-for-cert = RSA-PSS-RSAE-SHA512 +secure-sig-for-cert = RSA-SHA3-256 +secure-sig-for-cert = RSA-SHA256 +secure-sig-for-cert = RSA-SHA3-384 +secure-sig-for-cert = RSA-SHA384 +secure-sig-for-cert = RSA-SHA3-512 +secure-sig-for-cert = RSA-SHA512 +secure-sig-for-cert = ECDSA-SHA224 +secure-sig-for-cert = RSA-SHA224 +secure-sig-for-cert = ECDSA-SHA3-224 +secure-sig-for-cert = RSA-SHA3-224 +enabled-curve = X25519 +enabled-curve = SECP256R1 +enabled-curve = X448 +enabled-curve = SECP521R1 +enabled-curve = SECP384R1 +enabled-curve = Ed25519 +enabled-curve = Ed448 +tls-enabled-cipher = AES-256-GCM +tls-enabled-cipher = AES-256-CCM +tls-enabled-cipher = CHACHA20-POLY1305 +tls-enabled-cipher = AES-256-CBC +tls-enabled-cipher = AES-128-GCM +tls-enabled-cipher = AES-128-CCM +tls-enabled-cipher = AES-128-CBC +tls-enabled-kx = ECDHE-RSA +tls-enabled-kx = ECDHE-ECDSA +tls-enabled-kx = RSA +tls-enabled-kx = DHE-RSA +enabled-version = TLS1.3 +enabled-version = TLS1.2 +enabled-version = DTLS1.2 +min-verification-profile = medium + +[priorities] +SYSTEM=NONE diff --git a/tests/outputs/DEFAULT:PAM-GOST-java.txt b/tests/outputs/DEFAULT:PAM-GOST-java.txt new file mode 100644 index 0000000..1a48c4a --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-java.txt @@ -0,0 +1,3 @@ +jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 +jdk.tls.legacyAlgorithms= diff --git a/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt new file mode 100644 index 0000000..108de3d --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt @@ -0,0 +1 @@ +jdk.tls.ephemeralDHKeySize=2048 diff --git a/tests/outputs/DEFAULT:PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt new file mode 100644 index 0000000..415dcb3 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt @@ -0,0 +1,2 @@ +[libdefaults] +permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 diff --git a/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt new file mode 100644 index 0000000..9f2f5db --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt @@ -0,0 +1,6 @@ +conn %default + ikev2=insist + pfs=yes + ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 + esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 + authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 diff --git a/tests/outputs/DEFAULT:PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt new file mode 100644 index 0000000..49d8251 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt @@ -0,0 +1,5 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com diff --git a/tests/outputs/DEFAULT:PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PAM-GOST-nss.txt new file mode 100644 index 0000000..b8bf74a --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-nss.txt @@ -0,0 +1,6 @@ +library= +name=Policy +NSS=flags=policyOnly,moduleDB +config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" + + diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt new file mode 100644 index 0000000..47d352e --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt @@ -0,0 +1,7 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt new file mode 100644 index 0000000..8105750 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt @@ -0,0 +1,8 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt new file mode 100644 index 0000000..952c651 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt @@ -0,0 +1 @@ +@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt new file mode 100644 index 0000000..c69d6e1 --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt @@ -0,0 +1,4 @@ + +[fips_sect] +tls1-prf-ems-check = 1 +activate = 1 diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt new file mode 100644 index 0000000..8f18d1e --- /dev/null +++ b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt @@ -0,0 +1,8 @@ +CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 +TLS.MinProtocol = TLSv1.2 +TLS.MaxProtocol = TLSv1.3 +DTLS.MinProtocol = DTLSv1.2 +DTLS.MaxProtocol = DTLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 +Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt new file mode 100644 index 0000000..dbcae14 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt @@ -0,0 +1 @@ +patch \ No newline at end of file diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt new file mode 100644 index 0000000..9ec8420 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt @@ -0,0 +1,12 @@ +disable-algorithms "." { +RSAMD5; +RSASHA1; +NSEC3RSASHA1; +DSA; +NSEC3DSA; +ECCGOST; +}; +disable-ds-digests "." { +SHA-1; +GOST; +}; diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt new file mode 100644 index 0000000..9a04550 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt @@ -0,0 +1,105 @@ +[global] +override-mode = allowlist + +[overrides] +secure-hash = SHA256 +secure-hash = SHA384 +secure-hash = SHA512 +secure-hash = SHA3-256 +secure-hash = SHA3-384 +secure-hash = SHA3-512 +secure-hash = SHA224 +secure-hash = SHA3-224 +secure-hash = SHAKE-256 +tls-enabled-mac = AEAD +tls-enabled-mac = SHA1 +tls-enabled-mac = SHA512 +tls-enabled-group = GROUP-X25519 +tls-enabled-group = GROUP-SECP256R1 +tls-enabled-group = GROUP-X448 +tls-enabled-group = GROUP-SECP521R1 +tls-enabled-group = GROUP-SECP384R1 +tls-enabled-group = GROUP-FFDHE2048 +tls-enabled-group = GROUP-FFDHE3072 +tls-enabled-group = GROUP-FFDHE4096 +tls-enabled-group = GROUP-FFDHE6144 +tls-enabled-group = GROUP-FFDHE8192 +secure-sig = ECDSA-SHA3-256 +secure-sig = ECDSA-SHA256 +secure-sig = ECDSA-SECP256R1-SHA256 +secure-sig = ECDSA-SHA3-384 +secure-sig = ECDSA-SHA384 +secure-sig = ECDSA-SECP384R1-SHA384 +secure-sig = ECDSA-SHA3-512 +secure-sig = ECDSA-SHA512 +secure-sig = ECDSA-SECP521R1-SHA512 +secure-sig = EdDSA-Ed25519 +secure-sig = EdDSA-Ed448 +secure-sig = RSA-PSS-SHA256 +secure-sig = RSA-PSS-SHA384 +secure-sig = RSA-PSS-SHA512 +secure-sig = RSA-PSS-RSAE-SHA256 +secure-sig = RSA-PSS-RSAE-SHA384 +secure-sig = RSA-PSS-RSAE-SHA512 +secure-sig = RSA-SHA3-256 +secure-sig = RSA-SHA256 +secure-sig = RSA-SHA3-384 +secure-sig = RSA-SHA384 +secure-sig = RSA-SHA3-512 +secure-sig = RSA-SHA512 +secure-sig = ECDSA-SHA224 +secure-sig = RSA-SHA224 +secure-sig = ECDSA-SHA3-224 +secure-sig = RSA-SHA3-224 +secure-sig-for-cert = ECDSA-SHA3-256 +secure-sig-for-cert = ECDSA-SHA256 +secure-sig-for-cert = ECDSA-SECP256R1-SHA256 +secure-sig-for-cert = ECDSA-SHA3-384 +secure-sig-for-cert = ECDSA-SHA384 +secure-sig-for-cert = ECDSA-SECP384R1-SHA384 +secure-sig-for-cert = ECDSA-SHA3-512 +secure-sig-for-cert = ECDSA-SHA512 +secure-sig-for-cert = ECDSA-SECP521R1-SHA512 +secure-sig-for-cert = EdDSA-Ed25519 +secure-sig-for-cert = EdDSA-Ed448 +secure-sig-for-cert = RSA-PSS-SHA256 +secure-sig-for-cert = RSA-PSS-SHA384 +secure-sig-for-cert = RSA-PSS-SHA512 +secure-sig-for-cert = RSA-PSS-RSAE-SHA256 +secure-sig-for-cert = RSA-PSS-RSAE-SHA384 +secure-sig-for-cert = RSA-PSS-RSAE-SHA512 +secure-sig-for-cert = RSA-SHA3-256 +secure-sig-for-cert = RSA-SHA256 +secure-sig-for-cert = RSA-SHA3-384 +secure-sig-for-cert = RSA-SHA384 +secure-sig-for-cert = RSA-SHA3-512 +secure-sig-for-cert = RSA-SHA512 +secure-sig-for-cert = ECDSA-SHA224 +secure-sig-for-cert = RSA-SHA224 +secure-sig-for-cert = ECDSA-SHA3-224 +secure-sig-for-cert = RSA-SHA3-224 +enabled-curve = X25519 +enabled-curve = SECP256R1 +enabled-curve = X448 +enabled-curve = SECP521R1 +enabled-curve = SECP384R1 +enabled-curve = Ed25519 +enabled-curve = Ed448 +tls-enabled-cipher = AES-256-GCM +tls-enabled-cipher = AES-256-CCM +tls-enabled-cipher = CHACHA20-POLY1305 +tls-enabled-cipher = AES-256-CBC +tls-enabled-cipher = AES-128-GCM +tls-enabled-cipher = AES-128-CCM +tls-enabled-cipher = AES-128-CBC +tls-enabled-kx = ECDHE-RSA +tls-enabled-kx = ECDHE-ECDSA +tls-enabled-kx = RSA +tls-enabled-kx = DHE-RSA +enabled-version = TLS1.3 +enabled-version = TLS1.2 +enabled-version = DTLS1.2 +min-verification-profile = medium + +[priorities] +SYSTEM=NONE diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt new file mode 100644 index 0000000..1a48c4a --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt @@ -0,0 +1,3 @@ +jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 +jdk.tls.legacyAlgorithms= diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt new file mode 100644 index 0000000..108de3d --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt @@ -0,0 +1 @@ +jdk.tls.ephemeralDHKeySize=2048 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt new file mode 100644 index 0000000..415dcb3 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt @@ -0,0 +1,2 @@ +[libdefaults] +permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt new file mode 100644 index 0000000..9f2f5db --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt @@ -0,0 +1,6 @@ +conn %default + ikev2=insist + pfs=yes + ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 + esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 + authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt new file mode 100644 index 0000000..49d8251 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt @@ -0,0 +1,5 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt new file mode 100644 index 0000000..b8bf74a --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt @@ -0,0 +1,6 @@ +library= +name=Policy +NSS=flags=policyOnly,moduleDB +config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" + + diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt new file mode 100644 index 0000000..47d352e --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt @@ -0,0 +1,7 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt new file mode 100644 index 0000000..8105750 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt @@ -0,0 +1,8 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt new file mode 100644 index 0000000..952c651 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt @@ -0,0 +1 @@ +@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt new file mode 100644 index 0000000..c69d6e1 --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt @@ -0,0 +1,4 @@ + +[fips_sect] +tls1-prf-ems-check = 1 +activate = 1 diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt new file mode 100644 index 0000000..8f18d1e --- /dev/null +++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt @@ -0,0 +1,8 @@ +CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 +TLS.MinProtocol = TLSv1.2 +TLS.MaxProtocol = TLSv1.3 +DTLS.MinProtocol = DTLSv1.2 +DTLS.MaxProtocol = DTLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 +Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 diff --git a/tests/outputs/DEFAULT:SHA1-auth.txt b/tests/outputs/DEFAULT:SHA1-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt new file mode 100644 index 0000000..4884073 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt @@ -0,0 +1,4 @@ +custom/sssd_gost +with-gost +with-fingerprint +with-silent-lastlog \ No newline at end of file diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt new file mode 100644 index 0000000..9ec8420 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt @@ -0,0 +1,12 @@ +disable-algorithms "." { +RSAMD5; +RSASHA1; +NSEC3RSASHA1; +DSA; +NSEC3DSA; +ECCGOST; +}; +disable-ds-digests "." { +SHA-1; +GOST; +}; diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt new file mode 100644 index 0000000..9a04550 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt @@ -0,0 +1,105 @@ +[global] +override-mode = allowlist + +[overrides] +secure-hash = SHA256 +secure-hash = SHA384 +secure-hash = SHA512 +secure-hash = SHA3-256 +secure-hash = SHA3-384 +secure-hash = SHA3-512 +secure-hash = SHA224 +secure-hash = SHA3-224 +secure-hash = SHAKE-256 +tls-enabled-mac = AEAD +tls-enabled-mac = SHA1 +tls-enabled-mac = SHA512 +tls-enabled-group = GROUP-X25519 +tls-enabled-group = GROUP-SECP256R1 +tls-enabled-group = GROUP-X448 +tls-enabled-group = GROUP-SECP521R1 +tls-enabled-group = GROUP-SECP384R1 +tls-enabled-group = GROUP-FFDHE2048 +tls-enabled-group = GROUP-FFDHE3072 +tls-enabled-group = GROUP-FFDHE4096 +tls-enabled-group = GROUP-FFDHE6144 +tls-enabled-group = GROUP-FFDHE8192 +secure-sig = ECDSA-SHA3-256 +secure-sig = ECDSA-SHA256 +secure-sig = ECDSA-SECP256R1-SHA256 +secure-sig = ECDSA-SHA3-384 +secure-sig = ECDSA-SHA384 +secure-sig = ECDSA-SECP384R1-SHA384 +secure-sig = ECDSA-SHA3-512 +secure-sig = ECDSA-SHA512 +secure-sig = ECDSA-SECP521R1-SHA512 +secure-sig = EdDSA-Ed25519 +secure-sig = EdDSA-Ed448 +secure-sig = RSA-PSS-SHA256 +secure-sig = RSA-PSS-SHA384 +secure-sig = RSA-PSS-SHA512 +secure-sig = RSA-PSS-RSAE-SHA256 +secure-sig = RSA-PSS-RSAE-SHA384 +secure-sig = RSA-PSS-RSAE-SHA512 +secure-sig = RSA-SHA3-256 +secure-sig = RSA-SHA256 +secure-sig = RSA-SHA3-384 +secure-sig = RSA-SHA384 +secure-sig = RSA-SHA3-512 +secure-sig = RSA-SHA512 +secure-sig = ECDSA-SHA224 +secure-sig = RSA-SHA224 +secure-sig = ECDSA-SHA3-224 +secure-sig = RSA-SHA3-224 +secure-sig-for-cert = ECDSA-SHA3-256 +secure-sig-for-cert = ECDSA-SHA256 +secure-sig-for-cert = ECDSA-SECP256R1-SHA256 +secure-sig-for-cert = ECDSA-SHA3-384 +secure-sig-for-cert = ECDSA-SHA384 +secure-sig-for-cert = ECDSA-SECP384R1-SHA384 +secure-sig-for-cert = ECDSA-SHA3-512 +secure-sig-for-cert = ECDSA-SHA512 +secure-sig-for-cert = ECDSA-SECP521R1-SHA512 +secure-sig-for-cert = EdDSA-Ed25519 +secure-sig-for-cert = EdDSA-Ed448 +secure-sig-for-cert = RSA-PSS-SHA256 +secure-sig-for-cert = RSA-PSS-SHA384 +secure-sig-for-cert = RSA-PSS-SHA512 +secure-sig-for-cert = RSA-PSS-RSAE-SHA256 +secure-sig-for-cert = RSA-PSS-RSAE-SHA384 +secure-sig-for-cert = RSA-PSS-RSAE-SHA512 +secure-sig-for-cert = RSA-SHA3-256 +secure-sig-for-cert = RSA-SHA256 +secure-sig-for-cert = RSA-SHA3-384 +secure-sig-for-cert = RSA-SHA384 +secure-sig-for-cert = RSA-SHA3-512 +secure-sig-for-cert = RSA-SHA512 +secure-sig-for-cert = ECDSA-SHA224 +secure-sig-for-cert = RSA-SHA224 +secure-sig-for-cert = ECDSA-SHA3-224 +secure-sig-for-cert = RSA-SHA3-224 +enabled-curve = X25519 +enabled-curve = SECP256R1 +enabled-curve = X448 +enabled-curve = SECP521R1 +enabled-curve = SECP384R1 +enabled-curve = Ed25519 +enabled-curve = Ed448 +tls-enabled-cipher = AES-256-GCM +tls-enabled-cipher = AES-256-CCM +tls-enabled-cipher = CHACHA20-POLY1305 +tls-enabled-cipher = AES-256-CBC +tls-enabled-cipher = AES-128-GCM +tls-enabled-cipher = AES-128-CCM +tls-enabled-cipher = AES-128-CBC +tls-enabled-kx = ECDHE-RSA +tls-enabled-kx = ECDHE-ECDSA +tls-enabled-kx = RSA +tls-enabled-kx = DHE-RSA +enabled-version = TLS1.3 +enabled-version = TLS1.2 +enabled-version = DTLS1.2 +min-verification-profile = medium + +[priorities] +SYSTEM=NONE diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt new file mode 100644 index 0000000..1a48c4a --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt @@ -0,0 +1,3 @@ +jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 +jdk.tls.legacyAlgorithms= diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt new file mode 100644 index 0000000..108de3d --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt @@ -0,0 +1 @@ +jdk.tls.ephemeralDHKeySize=2048 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt new file mode 100644 index 0000000..415dcb3 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt @@ -0,0 +1,2 @@ +[libdefaults] +permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt new file mode 100644 index 0000000..9f2f5db --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt @@ -0,0 +1,6 @@ +conn %default + ikev2=insist + pfs=yes + ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18 + esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 + authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt new file mode 100644 index 0000000..49d8251 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt @@ -0,0 +1,5 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt new file mode 100644 index 0000000..b8bf74a --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt @@ -0,0 +1,6 @@ +library= +name=Policy +NSS=flags=policyOnly,moduleDB +config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" + + diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt new file mode 100644 index 0000000..47d352e --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt @@ -0,0 +1,7 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt new file mode 100644 index 0000000..8105750 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt @@ -0,0 +1,8 @@ +Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com +CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 +RequiredRSASize 2048 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt new file mode 100644 index 0000000..952c651 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt @@ -0,0 +1 @@ +@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt new file mode 100644 index 0000000..c69d6e1 --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt @@ -0,0 +1,4 @@ + +[fips_sect] +tls1-prf-ems-check = 1 +activate = 1 diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt new file mode 100644 index 0000000..8f18d1e --- /dev/null +++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt @@ -0,0 +1,8 @@ +CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 +TLS.MinProtocol = TLSv1.2 +TLS.MaxProtocol = TLSv1.3 +DTLS.MinProtocol = DTLSv1.2 +DTLS.MaxProtocol = DTLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 +Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 diff --git a/tests/outputs/EMPTY-auth.txt b/tests/outputs/EMPTY-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/FIPS-auth.txt b/tests/outputs/FIPS-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/FIPS:ECDHE-ONLY-auth.txt b/tests/outputs/FIPS:ECDHE-ONLY-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt b/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/FIPS:OSPP-auth.txt b/tests/outputs/FIPS:OSPP-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/FUTURE-auth.txt b/tests/outputs/FUTURE-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/FUTURE:AD-SUPPORT-auth.txt b/tests/outputs/FUTURE:AD-SUPPORT-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/GOST-ONLY-PAM-auth.txt b/tests/outputs/GOST-ONLY-PAM-auth.txt new file mode 100644 index 0000000..110527f --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-auth.txt @@ -0,0 +1,2 @@ +custom/minimal_gost +with-gost \ No newline at end of file diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt new file mode 100644 index 0000000..3976d4a --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-bind.txt @@ -0,0 +1,20 @@ +disable-algorithms "." { +RSAMD5; +RSASHA1; +NSEC3RSASHA1; +DSA; +NSEC3DSA; +RSASHA256; +ECDSAP256SHA256; +ECDSAP384SHA384; +RSASHA512; +ED25519; +ED448; +ECDSAP256SHA256; +ECDSAP384SHA384; +}; +disable-ds-digests "." { +SHA-256; +SHA-384; +SHA-1; +}; diff --git a/tests/outputs/GOST-ONLY-PAM-gnutls.txt b/tests/outputs/GOST-ONLY-PAM-gnutls.txt new file mode 100644 index 0000000..59c9ae0 --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-gnutls.txt @@ -0,0 +1,13 @@ +[global] +override-mode = allowlist + +[overrides] +tls-enabled-mac = AEAD +enabled-version = TLS1.3 +enabled-version = TLS1.2 +enabled-version = TLS1.1 +enabled-version = TLS1.0 +min-verification-profile = medium + +[priorities] +SYSTEM=NONE diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt new file mode 100644 index 0000000..b6d04cf --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-java.txt @@ -0,0 +1,3 @@ +jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5 +jdk.tls.legacyAlgorithms= diff --git a/tests/outputs/GOST-ONLY-PAM-javasystem.txt b/tests/outputs/GOST-ONLY-PAM-javasystem.txt new file mode 100644 index 0000000..108de3d --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-javasystem.txt @@ -0,0 +1 @@ +jdk.tls.ephemeralDHKeySize=2048 diff --git a/tests/outputs/GOST-ONLY-PAM-krb5.txt b/tests/outputs/GOST-ONLY-PAM-krb5.txt new file mode 100644 index 0000000..b0b1480 --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-krb5.txt @@ -0,0 +1,2 @@ +[libdefaults] +permitted_enctypes = diff --git a/tests/outputs/GOST-ONLY-PAM-libreswan.txt b/tests/outputs/GOST-ONLY-PAM-libreswan.txt new file mode 100644 index 0000000..7dc12cd --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-libreswan.txt @@ -0,0 +1,2 @@ +conn %default + pfs=yes diff --git a/tests/outputs/GOST-ONLY-PAM-libssh.txt b/tests/outputs/GOST-ONLY-PAM-libssh.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/GOST-ONLY-PAM-nss.txt b/tests/outputs/GOST-ONLY-PAM-nss.txt new file mode 100644 index 0000000..bf6f1ca --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-nss.txt @@ -0,0 +1,6 @@ +library= +name=Policy +NSS=flags=policyOnly,moduleDB +config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" + + diff --git a/tests/outputs/GOST-ONLY-PAM-openssh.txt b/tests/outputs/GOST-ONLY-PAM-openssh.txt new file mode 100644 index 0000000..89e06ad --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-openssh.txt @@ -0,0 +1,2 @@ +GSSAPIKeyExchange no +RequiredRSASize 2048 diff --git a/tests/outputs/GOST-ONLY-PAM-opensshserver.txt b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt new file mode 100644 index 0000000..89e06ad --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt @@ -0,0 +1,2 @@ +GSSAPIKeyExchange no +RequiredRSASize 2048 diff --git a/tests/outputs/GOST-ONLY-PAM-openssl.txt b/tests/outputs/GOST-ONLY-PAM-openssl.txt new file mode 100644 index 0000000..abeab8c --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-openssl.txt @@ -0,0 +1 @@ +@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 diff --git a/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt new file mode 100644 index 0000000..c69d6e1 --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt @@ -0,0 +1,4 @@ + +[fips_sect] +tls1-prf-ems-check = 1 +activate = 1 diff --git a/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt new file mode 100644 index 0000000..c5c1f47 --- /dev/null +++ b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt @@ -0,0 +1,18 @@ +CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = GOST2012-GOST8912-GOST8912 +TLS.MinProtocol = TLSv1 +TLS.MaxProtocol = TLSv1.3 +SignatureAlgorithms = +Groups = + +[openssl_init] +engines = engine_gost + +[engine_gost] +gost = gost_section + +[gost_section] +engine_id = gost +dynamic_path = /usr/lib64/engines-3/gost.so +default_algorithms = ALL +CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet diff --git a/tests/outputs/GOST-ONLY-auth.txt b/tests/outputs/GOST-ONLY-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt new file mode 100644 index 0000000..3976d4a --- /dev/null +++ b/tests/outputs/GOST-ONLY-bind.txt @@ -0,0 +1,20 @@ +disable-algorithms "." { +RSAMD5; +RSASHA1; +NSEC3RSASHA1; +DSA; +NSEC3DSA; +RSASHA256; +ECDSAP256SHA256; +ECDSAP384SHA384; +RSASHA512; +ED25519; +ED448; +ECDSAP256SHA256; +ECDSAP384SHA384; +}; +disable-ds-digests "." { +SHA-256; +SHA-384; +SHA-1; +}; diff --git a/tests/outputs/GOST-ONLY-gnutls.txt b/tests/outputs/GOST-ONLY-gnutls.txt new file mode 100644 index 0000000..59c9ae0 --- /dev/null +++ b/tests/outputs/GOST-ONLY-gnutls.txt @@ -0,0 +1,13 @@ +[global] +override-mode = allowlist + +[overrides] +tls-enabled-mac = AEAD +enabled-version = TLS1.3 +enabled-version = TLS1.2 +enabled-version = TLS1.1 +enabled-version = TLS1.0 +min-verification-profile = medium + +[priorities] +SYSTEM=NONE diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt new file mode 100644 index 0000000..b6d04cf --- /dev/null +++ b/tests/outputs/GOST-ONLY-java.txt @@ -0,0 +1,3 @@ +jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048 +jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5 +jdk.tls.legacyAlgorithms= diff --git a/tests/outputs/GOST-ONLY-javasystem.txt b/tests/outputs/GOST-ONLY-javasystem.txt new file mode 100644 index 0000000..108de3d --- /dev/null +++ b/tests/outputs/GOST-ONLY-javasystem.txt @@ -0,0 +1 @@ +jdk.tls.ephemeralDHKeySize=2048 diff --git a/tests/outputs/GOST-ONLY-krb5.txt b/tests/outputs/GOST-ONLY-krb5.txt new file mode 100644 index 0000000..b0b1480 --- /dev/null +++ b/tests/outputs/GOST-ONLY-krb5.txt @@ -0,0 +1,2 @@ +[libdefaults] +permitted_enctypes = diff --git a/tests/outputs/GOST-ONLY-libreswan.txt b/tests/outputs/GOST-ONLY-libreswan.txt new file mode 100644 index 0000000..7dc12cd --- /dev/null +++ b/tests/outputs/GOST-ONLY-libreswan.txt @@ -0,0 +1,2 @@ +conn %default + pfs=yes diff --git a/tests/outputs/GOST-ONLY-libssh.txt b/tests/outputs/GOST-ONLY-libssh.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/GOST-ONLY-nss.txt b/tests/outputs/GOST-ONLY-nss.txt new file mode 100644 index 0000000..bf6f1ca --- /dev/null +++ b/tests/outputs/GOST-ONLY-nss.txt @@ -0,0 +1,6 @@ +library= +name=Policy +NSS=flags=policyOnly,moduleDB +config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" + + diff --git a/tests/outputs/GOST-ONLY-openssh.txt b/tests/outputs/GOST-ONLY-openssh.txt new file mode 100644 index 0000000..89e06ad --- /dev/null +++ b/tests/outputs/GOST-ONLY-openssh.txt @@ -0,0 +1,2 @@ +GSSAPIKeyExchange no +RequiredRSASize 2048 diff --git a/tests/outputs/GOST-ONLY-opensshserver.txt b/tests/outputs/GOST-ONLY-opensshserver.txt new file mode 100644 index 0000000..89e06ad --- /dev/null +++ b/tests/outputs/GOST-ONLY-opensshserver.txt @@ -0,0 +1,2 @@ +GSSAPIKeyExchange no +RequiredRSASize 2048 diff --git a/tests/outputs/GOST-ONLY-openssl.txt b/tests/outputs/GOST-ONLY-openssl.txt new file mode 100644 index 0000000..abeab8c --- /dev/null +++ b/tests/outputs/GOST-ONLY-openssl.txt @@ -0,0 +1 @@ +@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 diff --git a/tests/outputs/GOST-ONLY-openssl_fips.txt b/tests/outputs/GOST-ONLY-openssl_fips.txt new file mode 100644 index 0000000..c69d6e1 --- /dev/null +++ b/tests/outputs/GOST-ONLY-openssl_fips.txt @@ -0,0 +1,4 @@ + +[fips_sect] +tls1-prf-ems-check = 1 +activate = 1 diff --git a/tests/outputs/GOST-ONLY-opensslcnf.txt b/tests/outputs/GOST-ONLY-opensslcnf.txt new file mode 100644 index 0000000..c5c1f47 --- /dev/null +++ b/tests/outputs/GOST-ONLY-opensslcnf.txt @@ -0,0 +1,18 @@ +CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 +Ciphersuites = GOST2012-GOST8912-GOST8912 +TLS.MinProtocol = TLSv1 +TLS.MaxProtocol = TLSv1.3 +SignatureAlgorithms = +Groups = + +[openssl_init] +engines = engine_gost + +[engine_gost] +gost = gost_section + +[gost_section] +engine_id = gost +dynamic_path = /usr/lib64/engines-3/gost.so +default_algorithms = ALL +CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet diff --git a/tests/outputs/GOST-ONLY-rpm-sequoia.txt b/tests/outputs/GOST-ONLY-rpm-sequoia.txt new file mode 100644 index 0000000..3ec0b96 --- /dev/null +++ b/tests/outputs/GOST-ONLY-rpm-sequoia.txt @@ -0,0 +1,51 @@ +[hash_algorithms] +md5.collision_resistance = "never" +md5.second_preimage_resistance = "never" +sha1.collision_resistance = "never" +sha1.second_preimage_resistance = "never" +ripemd160.collision_resistance = "never" +ripemd160.second_preimage_resistance = "never" +sha224.collision_resistance = "never" +sha224.second_preimage_resistance = "never" +sha256.collision_resistance = "never" +sha256.second_preimage_resistance = "never" +sha384.collision_resistance = "never" +sha384.second_preimage_resistance = "never" +sha512.collision_resistance = "never" +sha512.second_preimage_resistance = "never" +default_disposition = "never" + +[symmetric_algorithms] +idea = "never" +tripledes = "never" +cast5 = "never" +blowfish = "never" +aes128 = "never" +aes192 = "never" +aes256 = "never" +twofish = "never" +camellia128 = "never" +camellia192 = "never" +camellia256 = "never" +default_disposition = "never" + +[asymmetric_algorithms] +rsa1024 = "never" +rsa2048 = "never" +rsa3072 = "never" +rsa4096 = "never" +dsa1024 = "never" +dsa2048 = "never" +dsa3072 = "never" +dsa4096 = "never" +nistp256 = "never" +nistp384 = "never" +nistp521 = "never" +cv25519 = "never" +elgamal1024 = "never" +elgamal2048 = "never" +elgamal3072 = "never" +elgamal4096 = "never" +brainpoolp256 = "never" +brainpoolp512 = "never" +default_disposition = "never" diff --git a/tests/outputs/GOST-ONLY-sequoia.txt b/tests/outputs/GOST-ONLY-sequoia.txt new file mode 100644 index 0000000..3ec0b96 --- /dev/null +++ b/tests/outputs/GOST-ONLY-sequoia.txt @@ -0,0 +1,51 @@ +[hash_algorithms] +md5.collision_resistance = "never" +md5.second_preimage_resistance = "never" +sha1.collision_resistance = "never" +sha1.second_preimage_resistance = "never" +ripemd160.collision_resistance = "never" +ripemd160.second_preimage_resistance = "never" +sha224.collision_resistance = "never" +sha224.second_preimage_resistance = "never" +sha256.collision_resistance = "never" +sha256.second_preimage_resistance = "never" +sha384.collision_resistance = "never" +sha384.second_preimage_resistance = "never" +sha512.collision_resistance = "never" +sha512.second_preimage_resistance = "never" +default_disposition = "never" + +[symmetric_algorithms] +idea = "never" +tripledes = "never" +cast5 = "never" +blowfish = "never" +aes128 = "never" +aes192 = "never" +aes256 = "never" +twofish = "never" +camellia128 = "never" +camellia192 = "never" +camellia256 = "never" +default_disposition = "never" + +[asymmetric_algorithms] +rsa1024 = "never" +rsa2048 = "never" +rsa3072 = "never" +rsa4096 = "never" +dsa1024 = "never" +dsa2048 = "never" +dsa3072 = "never" +dsa4096 = "never" +nistp256 = "never" +nistp384 = "never" +nistp521 = "never" +cv25519 = "never" +elgamal1024 = "never" +elgamal2048 = "never" +elgamal3072 = "never" +elgamal4096 = "never" +brainpoolp256 = "never" +brainpoolp512 = "never" +default_disposition = "never" diff --git a/tests/outputs/LEGACY-auth.txt b/tests/outputs/LEGACY-auth.txt new file mode 100644 index 0000000..e69de29 diff --git a/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt b/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt new file mode 100644 index 0000000..e69de29 -- 2.44.0