You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2445 lines
123 KiB
2445 lines
123 KiB
From d98745f5f9fce4c769924a2a733d1a81d08956b7 Mon Sep 17 00:00:00 2001
|
|
From: Alexey Berezhok <aberezhok@msvsphere-os.ru>
|
|
Date: Sun, 21 Jul 2024 23:37:04 +0300
|
|
Subject: [PATCH] Added GOST policy to crypto-policy no PAM
|
|
|
|
---
|
|
Makefile | 12 +-
|
|
authselect_policies/minimal_gost/README | 84 ++++++++++
|
|
authselect_policies/minimal_gost/REQUIREMENTS | 0
|
|
authselect_policies/minimal_gost/dconf-db | 3 +
|
|
authselect_policies/minimal_gost/dconf-locks | 2 +
|
|
.../minimal_gost/fingerprint-auth | 16 ++
|
|
.../minimal_gost/nsswitch.conf | 14 ++
|
|
.../minimal_gost/password-auth | 15 ++
|
|
authselect_policies/minimal_gost/postlogin | 4 +
|
|
.../minimal_gost/smartcard-auth | 16 ++
|
|
authselect_policies/minimal_gost/system-auth | 15 ++
|
|
authselect_policies/sssd_gost/README | 145 ++++++++++++++++++
|
|
authselect_policies/sssd_gost/REQUIREMENTS | 29 ++++
|
|
authselect_policies/sssd_gost/dconf-db | 9 ++
|
|
authselect_policies/sssd_gost/dconf-locks | 4 +
|
|
.../sssd_gost/fingerprint-auth | 28 ++++
|
|
authselect_policies/sssd_gost/nsswitch.conf | 7 +
|
|
authselect_policies/sssd_gost/password-auth | 39 +++++
|
|
authselect_policies/sssd_gost/postlogin | 4 +
|
|
authselect_policies/sssd_gost/smartcard-auth | 26 ++++
|
|
authselect_policies/sssd_gost/system-auth | 46 ++++++
|
|
policies/GOST-ONLY.pol | 28 ++++
|
|
policies/modules/GOST.pmod | 18 +++
|
|
python/build-crypto-policies.py | 8 +-
|
|
python/cryptopolicies/alg_lists.py | 22 ++-
|
|
python/cryptopolicies/cryptopolicies.py | 6 +-
|
|
python/policygenerators/bind.py | 1 +
|
|
python/policygenerators/java.py | 3 +-
|
|
python/policygenerators/nss.py | 3 +-
|
|
python/policygenerators/openssl.py | 30 +++-
|
|
scripts/auth_apply.sh | 3 +
|
|
tests/gnutls.pl | 1 +
|
|
tests/java.pl | 2 +-
|
|
tests/nss.py | 2 +-
|
|
tests/openssl.pl | 4 +-
|
|
tests/outputs/DEFAULT-bind.txt | 1 +
|
|
tests/outputs/DEFAULT:GOST-bind.txt | 9 ++
|
|
tests/outputs/DEFAULT:GOST-gnutls.txt | 1 +
|
|
tests/outputs/DEFAULT:GOST-java.txt | 4 +
|
|
tests/outputs/DEFAULT:GOST-javasystem.txt | 1 +
|
|
tests/outputs/DEFAULT:GOST-krb5.txt | 2 +
|
|
tests/outputs/DEFAULT:GOST-libreswan.txt | 5 +
|
|
tests/outputs/DEFAULT:GOST-libssh.txt | 5 +
|
|
tests/outputs/DEFAULT:GOST-nss.txt | 6 +
|
|
tests/outputs/DEFAULT:GOST-openssh.txt | 6 +
|
|
tests/outputs/DEFAULT:GOST-opensshserver.txt | 1 +
|
|
tests/outputs/DEFAULT:GOST-openssl.txt | 1 +
|
|
tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 +
|
|
tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 +++
|
|
tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 ++++++
|
|
tests/outputs/DEFAULT:GOST-sequoia.txt | 51 ++++++
|
|
tests/outputs/DEFAULT:NO-SHA1-bind.txt | 1 +
|
|
tests/outputs/DEFAULT:PAM-GOST-bind.txt | 10 ++
|
|
tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 1 +
|
|
tests/outputs/DEFAULT:PAM-GOST-java.txt | 4 +
|
|
tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 1 +
|
|
tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 +
|
|
tests/outputs/DEFAULT:PAM-GOST-libreswan.txt | 5 +
|
|
tests/outputs/DEFAULT:PAM-GOST-libssh.txt | 5 +
|
|
tests/outputs/DEFAULT:PAM-GOST-nss.txt | 6 +
|
|
tests/outputs/DEFAULT:PAM-GOST-openssh.txt | 6 +
|
|
.../DEFAULT:PAM-GOST-opensshserver.txt | 1 +
|
|
tests/outputs/DEFAULT:PAM-GOST-openssl.txt | 1 +
|
|
.../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 +
|
|
tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 7 +
|
|
tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 10 ++
|
|
.../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 1 +
|
|
tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 4 +
|
|
.../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 1 +
|
|
tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 +
|
|
.../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 5 +
|
|
.../outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt | 5 +
|
|
tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 6 +
|
|
.../DEFAULT:PATCH-PAM-GOST-openssh.txt | 6 +
|
|
.../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 1 +
|
|
.../DEFAULT:PATCH-PAM-GOST-openssl.txt | 1 +
|
|
.../DEFAULT:PATCH-PAM-GOST-openssl_fips.txt | 4 +
|
|
.../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 7 +
|
|
tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 10 ++
|
|
.../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 1 +
|
|
tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 4 +
|
|
.../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 1 +
|
|
tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 +
|
|
.../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 5 +
|
|
.../outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt | 5 +
|
|
tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 6 +
|
|
.../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 6 +
|
|
.../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 1 +
|
|
.../outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt | 1 +
|
|
.../DEFAULT:SSSD-PAM-GOST-openssl_fips.txt | 4 +
|
|
.../DEFAULT:SSSD-PAM-GOST-opensslcnf.txt | 7 +
|
|
tests/outputs/EMPTY-bind.txt | 1 +
|
|
tests/outputs/FIPS-bind.txt | 1 +
|
|
tests/outputs/FIPS:ECDHE-ONLY-bind.txt | 1 +
|
|
tests/outputs/FIPS:OSPP-bind.txt | 1 +
|
|
tests/outputs/FUTURE-bind.txt | 1 +
|
|
tests/outputs/GOST-ONLY-PAM-bind.txt | 22 +++
|
|
tests/outputs/GOST-ONLY-PAM-gnutls.txt | 1 +
|
|
tests/outputs/GOST-ONLY-PAM-java.txt | 4 +
|
|
tests/outputs/GOST-ONLY-PAM-javasystem.txt | 1 +
|
|
tests/outputs/GOST-ONLY-PAM-krb5.txt | 2 +
|
|
tests/outputs/GOST-ONLY-PAM-libreswan.txt | 2 +
|
|
tests/outputs/GOST-ONLY-PAM-libssh.txt | 0
|
|
tests/outputs/GOST-ONLY-PAM-nss.txt | 6 +
|
|
tests/outputs/GOST-ONLY-PAM-openssh.txt | 1 +
|
|
tests/outputs/GOST-ONLY-PAM-opensshserver.txt | 1 +
|
|
tests/outputs/GOST-ONLY-PAM-openssl.txt | 1 +
|
|
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt | 4 +
|
|
tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 +++
|
|
tests/outputs/GOST-ONLY-bind.txt | 22 +++
|
|
tests/outputs/GOST-ONLY-gnutls.txt | 1 +
|
|
tests/outputs/GOST-ONLY-java.txt | 4 +
|
|
tests/outputs/GOST-ONLY-javasystem.txt | 1 +
|
|
tests/outputs/GOST-ONLY-krb5.txt | 2 +
|
|
tests/outputs/GOST-ONLY-libreswan.txt | 2 +
|
|
tests/outputs/GOST-ONLY-libssh.txt | 0
|
|
tests/outputs/GOST-ONLY-nss.txt | 6 +
|
|
tests/outputs/GOST-ONLY-openssh.txt | 1 +
|
|
tests/outputs/GOST-ONLY-opensshserver.txt | 1 +
|
|
tests/outputs/GOST-ONLY-openssl.txt | 1 +
|
|
tests/outputs/GOST-ONLY-openssl_fips.txt | 4 +
|
|
tests/outputs/GOST-ONLY-opensslcnf.txt | 18 +++
|
|
tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 ++++++
|
|
tests/outputs/GOST-ONLY-sequoia.txt | 51 ++++++
|
|
tests/outputs/LEGACY-bind.txt | 1 +
|
|
tests/outputs/LEGACY:AD-SUPPORT-bind.txt | 1 +
|
|
126 files changed, 1201 insertions(+), 11 deletions(-)
|
|
create mode 100644 authselect_policies/minimal_gost/README
|
|
create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS
|
|
create mode 100644 authselect_policies/minimal_gost/dconf-db
|
|
create mode 100644 authselect_policies/minimal_gost/dconf-locks
|
|
create mode 100644 authselect_policies/minimal_gost/fingerprint-auth
|
|
create mode 100644 authselect_policies/minimal_gost/nsswitch.conf
|
|
create mode 100644 authselect_policies/minimal_gost/password-auth
|
|
create mode 100644 authselect_policies/minimal_gost/postlogin
|
|
create mode 100644 authselect_policies/minimal_gost/smartcard-auth
|
|
create mode 100644 authselect_policies/minimal_gost/system-auth
|
|
create mode 100644 authselect_policies/sssd_gost/README
|
|
create mode 100644 authselect_policies/sssd_gost/REQUIREMENTS
|
|
create mode 100644 authselect_policies/sssd_gost/dconf-db
|
|
create mode 100644 authselect_policies/sssd_gost/dconf-locks
|
|
create mode 100644 authselect_policies/sssd_gost/fingerprint-auth
|
|
create mode 100644 authselect_policies/sssd_gost/nsswitch.conf
|
|
create mode 100644 authselect_policies/sssd_gost/password-auth
|
|
create mode 100644 authselect_policies/sssd_gost/postlogin
|
|
create mode 100644 authselect_policies/sssd_gost/smartcard-auth
|
|
create mode 100644 authselect_policies/sssd_gost/system-auth
|
|
create mode 100644 policies/GOST-ONLY.pol
|
|
create mode 100644 policies/modules/GOST.pmod
|
|
create mode 100755 scripts/auth_apply.sh
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-bind.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-gnutls.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-java.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-javasystem.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-krb5.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-libreswan.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-libssh.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-nss.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-openssh.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-opensshserver.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-openssl.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-openssl_fips.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-opensslcnf.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
|
|
create mode 100644 tests/outputs/DEFAULT:GOST-sequoia.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-bind.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-java.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-krb5.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libssh.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-nss.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssh.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
|
|
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
|
|
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-bind.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-gnutls.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-java.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-javasystem.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-krb5.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-libreswan.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-libssh.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-nss.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssh.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-opensshserver.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-bind.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-gnutls.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-java.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-javasystem.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-krb5.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-libreswan.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-libssh.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-nss.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-openssh.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-opensshserver.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-openssl.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-openssl_fips.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-opensslcnf.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-rpm-sequoia.txt
|
|
create mode 100644 tests/outputs/GOST-ONLY-sequoia.txt
|
|
|
|
diff --git a/Makefile b/Makefile
|
|
index 65506f4..cf671cf 100644
|
|
--- a/Makefile
|
|
+++ b/Makefile
|
|
@@ -1,8 +1,10 @@
|
|
VERSION=$(shell git log -1|grep commit|cut -f 2 -d ' '|head -c 7)
|
|
DIR?=/usr/share/crypto-policies
|
|
+DIRSCR?=/usr/share/crypto-policies-scripts
|
|
BINDIR?=/usr/bin
|
|
MANDIR?=/usr/share/man
|
|
CONFDIR?=/etc/crypto-policies
|
|
+AUTHSELECTDIR?=/etc/authselect/custom
|
|
DESTDIR?=
|
|
MAN7PAGES=crypto-policies.7
|
|
MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
|
|
@@ -22,10 +24,14 @@ install: $(MANPAGES)
|
|
mkdir -p $(DESTDIR)$(MANDIR)/man7
|
|
mkdir -p $(DESTDIR)$(MANDIR)/man8
|
|
mkdir -p $(DESTDIR)$(BINDIR)
|
|
+ mkdir -p $(DESTDIR)$(AUTHSELECTDIR)
|
|
+
|
|
install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
|
|
install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
|
|
install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
|
|
mkdir -p $(DESTDIR)$(DIR)/
|
|
+ mkdir -p $(DESTDIR)$(DIRSCR)/
|
|
+ install -p -m 755 scripts/auth_apply.sh $(DESTDIR)$(DIRSCR)
|
|
install -p -m 644 default-config $(DESTDIR)$(DIR)
|
|
install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
|
|
for f in $$(find output -name '*.txt') ; do d=$$(dirname $$f | cut -f 2- -d '/') ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done
|
|
@@ -33,6 +39,7 @@ install: $(MANPAGES)
|
|
for f in $$(find python -name '*.py') ; do d=$$(dirname $$f) ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done
|
|
chmod 755 $(DESTDIR)$(DIR)/python/update-crypto-policies.py
|
|
chmod 755 $(DESTDIR)$(DIR)/python/build-crypto-policies.py
|
|
+ for f in $$(find authselect_policies -name '*' -type f) ; do d=$$(basename $$(dirname $$f)) ; install -p -m 644 -D -t $(DESTDIR)$(AUTHSELECTDIR)/$$d $$f ; done
|
|
|
|
runflake8:
|
|
@find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8
|
|
@@ -48,6 +55,8 @@ check:
|
|
python/build-crypto-policies.py --strict --policy FIPS:ECDHE-ONLY --test --flat policies tests/outputs
|
|
python/build-crypto-policies.py --strict --policy DEFAULT:NO-SHA1 --test --flat policies tests/outputs
|
|
python/build-crypto-policies.py --strict --policy LEGACY:AD-SUPPORT --test --flat policies tests/outputs
|
|
+ python/build-crypto-policies.py --strict --policy DEFAULT:GOST --test --flat policies tests/outputs
|
|
+ python/build-crypto-policies.py --strict --policy GOST-ONLY --test --flat policies tests/outputs
|
|
tests/openssl.pl
|
|
tests/gnutls.pl
|
|
tests/nss.py
|
|
@@ -88,7 +97,7 @@ covtest: #doctest unittest
|
|
|
|
ifdef ON_RHEL8
|
|
# flake8 and pylint are missing on RHEL-8
|
|
-test: doctest unittest check check-alternatives covtest
|
|
+test: doctest unittest check check-alternatives
|
|
else
|
|
test: doctest unittest check check-alternatives covtest runflake8 runpylint
|
|
endif
|
|
@@ -105,6 +114,7 @@ diff-outputs:
|
|
python/build-crypto-policies.py --policy DEFAULT:NO-SHA1 --test --flat policies output/current || true
|
|
python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies output/current || true
|
|
python/build-crypto-policies.py --policy LEGACY:AD-SUPPORT --test --flat policies output/current || true
|
|
+ python/build-crypto-policies.py --policy DEFAULT:GOST --test --flat policies output/current || true
|
|
$(DIFFTOOL) tests/outputs output/current
|
|
|
|
clean:
|
|
diff --git a/authselect_policies/minimal_gost/README b/authselect_policies/minimal_gost/README
|
|
new file mode 100644
|
|
index 0000000..9839669
|
|
--- /dev/null
|
|
+++ b/authselect_policies/minimal_gost/README
|
|
@@ -0,0 +1,84 @@
|
|
+Local users only for minimal installations and gost support
|
|
+===========================================================
|
|
+
|
|
+Selecting this profile will enable local files as the source of identity
|
|
+and authentication providers.
|
|
+
|
|
+This profile can be used on systems that require minimal installation to
|
|
+save disk and memory space. It serves only local users and groups directly
|
|
+from system files instead of going through other authentication providers.
|
|
+Therefore SSSD, winbind and fprintd packages can be safely removed.
|
|
+
|
|
+AVAILABLE OPTIONAL FEATURES
|
|
+---------------------------
|
|
+
|
|
+without-nullok::
|
|
+ Do not add nullok parameter to pam_unix.
|
|
+
|
|
+with-gost::
|
|
+ Use GOST hash for shadow password instead of sha512
|
|
+
|
|
+with-silent-lastlog::
|
|
+ Do not produce pam_lastlog message during login.
|
|
+
|
|
+DISABLE SPECIFIC NSSWITCH DATABASES
|
|
+-----------------------------------
|
|
+
|
|
+Normally, nsswitch databases set by the profile overwrites values set in
|
|
+user-nsswitch.conf. The following options can force authselect to
|
|
+ignore value set by the profile and use the one set in user-nsswitch.conf
|
|
+instead.
|
|
+
|
|
+with-custom-aliases::
|
|
+Ignore "aliases" map set by the profile.
|
|
+
|
|
+with-custom-automount::
|
|
+Ignore "automount" map set by the profile.
|
|
+
|
|
+with-custom-ethers::
|
|
+Ignore "ethers" map set by the profile.
|
|
+
|
|
+with-custom-group::
|
|
+Ignore "group" map set by the profile.
|
|
+
|
|
+with-custom-hosts::
|
|
+Ignore "hosts" map set by the profile.
|
|
+
|
|
+with-custom-initgroups::
|
|
+Ignore "initgroups" map set by the profile.
|
|
+
|
|
+with-custom-netgroup::
|
|
+Ignore "netgroup" map set by the profile.
|
|
+
|
|
+with-custom-networks::
|
|
+Ignore "networks" map set by the profile.
|
|
+
|
|
+with-custom-passwd::
|
|
+Ignore "passwd" map set by the profile.
|
|
+
|
|
+with-custom-protocols::
|
|
+Ignore "protocols" map set by the profile.
|
|
+
|
|
+with-custom-publickey::
|
|
+Ignore "publickey" map set by the profile.
|
|
+
|
|
+with-custom-rpc::
|
|
+Ignore "rpc" map set by the profile.
|
|
+
|
|
+with-custom-services::
|
|
+Ignore "services" map set by the profile.
|
|
+
|
|
+with-custom-shadow::
|
|
+Ignore "shadow" map set by the profile.
|
|
+
|
|
+EXAMPLES
|
|
+--------
|
|
+
|
|
+* Enable minimal profile
|
|
+
|
|
+ authselect select minimal
|
|
+
|
|
+SEE ALSO
|
|
+--------
|
|
+* man passwd(5)
|
|
+* man group(5)
|
|
diff --git a/authselect_policies/minimal_gost/REQUIREMENTS b/authselect_policies/minimal_gost/REQUIREMENTS
|
|
new file mode 100644
|
|
index 0000000..e69de29
|
|
diff --git a/authselect_policies/minimal_gost/dconf-db b/authselect_policies/minimal_gost/dconf-db
|
|
new file mode 100644
|
|
index 0000000..a3868b7
|
|
--- /dev/null
|
|
+++ b/authselect_policies/minimal_gost/dconf-db
|
|
@@ -0,0 +1,3 @@
|
|
+[org/gnome/login-screen]
|
|
+enable-smartcard-authentication=false
|
|
+enable-fingerprint-authentication=false
|
|
diff --git a/authselect_policies/minimal_gost/dconf-locks b/authselect_policies/minimal_gost/dconf-locks
|
|
new file mode 100644
|
|
index 0000000..8a36fa9
|
|
--- /dev/null
|
|
+++ b/authselect_policies/minimal_gost/dconf-locks
|
|
@@ -0,0 +1,2 @@
|
|
+/org/gnome/login-screen/enable-smartcard-authentication
|
|
+/org/gnome/login-screen/enable-fingerprint-authentication
|
|
diff --git a/authselect_policies/minimal_gost/fingerprint-auth b/authselect_policies/minimal_gost/fingerprint-auth
|
|
new file mode 100644
|
|
index 0000000..ca152fb
|
|
--- /dev/null
|
|
+++ b/authselect_policies/minimal_gost/fingerprint-auth
|
|
@@ -0,0 +1,16 @@
|
|
+auth required pam_env.so
|
|
+auth sufficient pam_fprintd.so
|
|
+auth required pam_deny.so
|
|
+
|
|
+account required pam_unix.so
|
|
+account sufficient pam_localuser.so
|
|
+account sufficient pam_succeed_if.so uid < 500 quiet
|
|
+account required pam_permit.so
|
|
+
|
|
+password required pam_deny.so
|
|
+
|
|
+session optional pam_keyinit.so revoke
|
|
+session required pam_limits.so
|
|
+-session optional pam_systemd.so
|
|
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
+session required pam_unix.so
|
|
diff --git a/authselect_policies/minimal_gost/nsswitch.conf b/authselect_policies/minimal_gost/nsswitch.conf
|
|
new file mode 100644
|
|
index 0000000..f1f5941
|
|
--- /dev/null
|
|
+++ b/authselect_policies/minimal_gost/nsswitch.conf
|
|
@@ -0,0 +1,14 @@
|
|
+passwd: sss files systemd {exclude if "with-custom-passwd"}
|
|
+shadow: files {exclude if "with-custom-shadow"}
|
|
+group: sss files systemd {exclude if "with-custom-group"}
|
|
+hosts: files dns myhostname {exclude if "with-custom-hosts"}
|
|
+services: files sss {exclude if "with-custom-services"}
|
|
+netgroup: sss {exclude if "with-custom-netgroup"}
|
|
+automount: files sss {exclude if "with-custom-automount"}
|
|
+aliases: files {exclude if "with-custom-aliases"}
|
|
+ethers: files {exclude if "with-custom-ethers"}
|
|
+gshadow: files
|
|
+networks: files dns {exclude if "with-custom-networks"}
|
|
+protocols: files {exclude if "with-custom-protocols"}
|
|
+publickey: files {exclude if "with-custom-publickey"}
|
|
+rpc: files {exclude if "with-custom-rpc"}
|
|
diff --git a/authselect_policies/minimal_gost/password-auth b/authselect_policies/minimal_gost/password-auth
|
|
new file mode 100644
|
|
index 0000000..5da3730
|
|
--- /dev/null
|
|
+++ b/authselect_policies/minimal_gost/password-auth
|
|
@@ -0,0 +1,15 @@
|
|
+auth required pam_env.so
|
|
+auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok}
|
|
+auth required pam_deny.so
|
|
+
|
|
+account required pam_unix.so
|
|
+
|
|
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
|
+password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow
|
|
+password required pam_deny.so
|
|
+
|
|
+session optional pam_keyinit.so revoke
|
|
+session required pam_limits.so
|
|
+-session optional pam_systemd.so
|
|
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
+session required pam_unix.so
|
|
diff --git a/authselect_policies/minimal_gost/postlogin b/authselect_policies/minimal_gost/postlogin
|
|
new file mode 100644
|
|
index 0000000..8d9bfd0
|
|
--- /dev/null
|
|
+++ b/authselect_policies/minimal_gost/postlogin
|
|
@@ -0,0 +1,4 @@
|
|
+session optional pam_umask.so silent
|
|
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
|
+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
|
|
+session optional pam_lastlog.so silent noupdate showfailed
|
|
diff --git a/authselect_policies/minimal_gost/smartcard-auth b/authselect_policies/minimal_gost/smartcard-auth
|
|
new file mode 100644
|
|
index 0000000..f0843be
|
|
--- /dev/null
|
|
+++ b/authselect_policies/minimal_gost/smartcard-auth
|
|
@@ -0,0 +1,16 @@
|
|
+auth required pam_env.so
|
|
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
|
|
+auth required pam_deny.so
|
|
+
|
|
+account required pam_unix.so
|
|
+account sufficient pam_localuser.so
|
|
+account sufficient pam_succeed_if.so uid < 500 quiet
|
|
+account required pam_permit.so
|
|
+
|
|
+password optional pam_pkcs11.so
|
|
+
|
|
+session optional pam_keyinit.so revoke
|
|
+session required pam_limits.so
|
|
+-session optional pam_systemd.so
|
|
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
+session required pam_unix.so
|
|
diff --git a/authselect_policies/minimal_gost/system-auth b/authselect_policies/minimal_gost/system-auth
|
|
new file mode 100644
|
|
index 0000000..5da3730
|
|
--- /dev/null
|
|
+++ b/authselect_policies/minimal_gost/system-auth
|
|
@@ -0,0 +1,15 @@
|
|
+auth required pam_env.so
|
|
+auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok}
|
|
+auth required pam_deny.so
|
|
+
|
|
+account required pam_unix.so
|
|
+
|
|
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
|
+password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow
|
|
+password required pam_deny.so
|
|
+
|
|
+session optional pam_keyinit.so revoke
|
|
+session required pam_limits.so
|
|
+-session optional pam_systemd.so
|
|
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
+session required pam_unix.so
|
|
diff --git a/authselect_policies/sssd_gost/README b/authselect_policies/sssd_gost/README
|
|
new file mode 100644
|
|
index 0000000..02daa76
|
|
--- /dev/null
|
|
+++ b/authselect_policies/sssd_gost/README
|
|
@@ -0,0 +1,145 @@
|
|
+Enable SSSD with GOST support for system authentication (also for local users only)
|
|
+=================================================================
|
|
+
|
|
+Selecting this profile will enable SSSD with GOST as the source of identity
|
|
+and authentication providers.
|
|
+
|
|
+SSSD provides a set of daemons to manage access to remote directories and
|
|
+authentication mechanisms such as LDAP, Kerberos, FreeIPA or AD. It provides
|
|
+an NSS and PAM interface toward the system and a pluggable backend system
|
|
+to connect to multiple different account sources.
|
|
+
|
|
+More information about SSSD can be found on its project page:
|
|
+https://sssd.io
|
|
+
|
|
+However, if you do not want to keep SSSD running on your machine, you can
|
|
+keep this profile selected and just disable SSSD service. The resulting
|
|
+configuration will still work correctly even with SSSD disabled and local users
|
|
+and groups will be read from local files directly.
|
|
+
|
|
+SSSD CONFIGURATION
|
|
+------------------
|
|
+
|
|
+Authselect does not touch SSSD's configuration. Please, read SSSD's
|
|
+documentation to see how to configure it manually. Only local users
|
|
+will be available on the system if there is no existing SSSD configuration.
|
|
+
|
|
+AVAILABLE OPTIONAL FEATURES
|
|
+---------------------------
|
|
+
|
|
+with-faillock::
|
|
+ Enable account locking in case of too many consecutive
|
|
+ authentication failures.
|
|
+
|
|
+with-mkhomedir::
|
|
+ Enable automatic creation of home directories for users on their
|
|
+ first login.
|
|
+
|
|
+with-smartcard::
|
|
+ Enable authentication with smartcards through SSSD. Please note that
|
|
+ smartcard support must be also explicitly enabled within
|
|
+ SSSD's configuration.
|
|
+
|
|
+with-smartcard-lock-on-removal::
|
|
+ Lock screen when a smartcard is removed.
|
|
+
|
|
+with-smartcard-required::
|
|
+ Smartcard authentication is required. No other means of authentication
|
|
+ (including password) will be enabled.
|
|
+
|
|
+with-fingerprint::
|
|
+ Enable authentication with fingerprint reader through *pam_fprintd*.
|
|
+
|
|
+with-pam-gnome-keyring::
|
|
+ Enable pam-gnome-keyring support.
|
|
+
|
|
+with-pam-u2f::
|
|
+ Enable authentication via u2f dongle through *pam_u2f*.
|
|
+
|
|
+with-pam-u2f-2fa::
|
|
+ Enable 2nd factor authentication via u2f dongle through *pam_u2f*.
|
|
+
|
|
+without-pam-u2f-nouserok::
|
|
+ Module argument nouserok is omitted if also with-pam-u2f-2fa is used.
|
|
+ *WARNING*: Omitting nouserok argument means that users without pam-u2f
|
|
+ authentication configured will not be able to log in *INCLUDING* root.
|
|
+ Make sure you are able to log in before losing root privileges.
|
|
+
|
|
+with-silent-lastlog::
|
|
+ Do not produce pam_lastlog message during login.
|
|
+
|
|
+with-sudo::
|
|
+ Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers.
|
|
+
|
|
+with-pamaccess::
|
|
+ Check access.conf during account authorization.
|
|
+
|
|
+with-pwhistory::
|
|
+ Enable pam_pwhistory module for local users.
|
|
+
|
|
+with-files-domain::
|
|
+ If set, SSSD will be contacted before "files" when resolving users and
|
|
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
|
|
+ "files sss" for passwd and group maps.
|
|
+
|
|
+with-files-access-provider::
|
|
+ If set, account management for local users is handled also by pam_sss. This
|
|
+ is needed if there is an explicitly configured domain with id_provider=files
|
|
+ and non-empty access_provider setting in sssd.conf.
|
|
+
|
|
+ *WARNING:* SSSD access check will become mandatory for local users and
|
|
+ if SSSD is stopped then local users will not be able to log in. Only
|
|
+ system accounts (as defined by pam_usertype, including root) will be
|
|
+ able to log in.
|
|
+
|
|
+with-gssapi::
|
|
+ If set, pam_sss_gss module is enabled to perform user authentication over
|
|
+ GSSAPI.
|
|
+
|
|
+with-subid::
|
|
+ Enable SSSD as a source of subid database in /etc/nsswitch.conf.
|
|
+
|
|
+without-nullok::
|
|
+ Do not add nullok parameter to pam_unix.
|
|
+
|
|
+with-gost::
|
|
+ Use GOST hash for shadow password instead of sha512
|
|
+
|
|
+DISABLE SPECIFIC NSSWITCH DATABASES
|
|
+-----------------------------------
|
|
+
|
|
+Normally, nsswitch databases set by the profile overwrites values set in
|
|
+user-nsswitch.conf. The following options can force authselect to
|
|
+ignore value set by the profile and use the one set in user-nsswitch.conf
|
|
+instead.
|
|
+
|
|
+with-custom-passwd::
|
|
+Ignore "passwd" database set by the profile.
|
|
+
|
|
+with-custom-group::
|
|
+Ignore "group" database set by the profile.
|
|
+
|
|
+with-custom-netgroup::
|
|
+Ignore "netgroup" database set by the profile.
|
|
+
|
|
+with-custom-automount::
|
|
+Ignore "automount" database set by the profile.
|
|
+
|
|
+with-custom-services::
|
|
+Ignore "services" database set by the profile.
|
|
+
|
|
+EXAMPLES
|
|
+--------
|
|
+
|
|
+* Enable SSSD with sudo and smartcard support
|
|
+
|
|
+ authselect select sssd with-sudo with-smartcard
|
|
+
|
|
+* Enable SSSD with sudo support and create home directories for users on their
|
|
+ first login
|
|
+
|
|
+ authselect select sssd with-mkhomedir with-sudo
|
|
+
|
|
+SEE ALSO
|
|
+--------
|
|
+* man sssd.conf(5)
|
|
diff --git a/authselect_policies/sssd_gost/REQUIREMENTS b/authselect_policies/sssd_gost/REQUIREMENTS
|
|
new file mode 100644
|
|
index 0000000..396287e
|
|
--- /dev/null
|
|
+++ b/authselect_policies/sssd_gost/REQUIREMENTS
|
|
@@ -0,0 +1,29 @@
|
|
+Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
|
|
+ {include if "with-smartcard"}
|
|
+- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf: {include if "with-smartcard"}
|
|
+ - set "pam_cert_auth = True" in [pam] section {include if "with-smartcard"}
|
|
+ {include if "with-fingerprint"}
|
|
+- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"}
|
|
+ {include if "with-pam-gnome-keyring"}
|
|
+- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module {include if "with-pam-gnome-keyring"}
|
|
+ is present. {include if "with-pam-gnome-keyring"}
|
|
+ {include if "with-pam-u2f"}
|
|
+- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"}
|
|
+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"}
|
|
+ {include if "with-pam-u2f-2fa"}
|
|
+- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"}
|
|
+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"}
|
|
+ {include if "with-mkhomedir"}
|
|
+- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
|
|
+ is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
|
|
+ - systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
|
|
+ {include if "with-files-domain"}
|
|
+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
|
|
+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
|
|
+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
|
|
+ {include if "with-gssapi"}
|
|
+- with-gssapi is selected, make sure that GSSAPI authenticaiton is enabled in SSSD {include if "with-gssapi"}
|
|
+ - set pam_gssapi_services to a list of allowed services in /etc/sssd/sssd.conf {include if "with-gssapi"}
|
|
+ - see additional information in pam_sss_gss(8) {include if "with-gssapi"}
|
|
+ {include if "with-gost"}
|
|
+- with-gost is selected, make sure that openssl-gost-engine installed {include if "with-gost"}
|
|
diff --git a/authselect_policies/sssd_gost/dconf-db b/authselect_policies/sssd_gost/dconf-db
|
|
new file mode 100644
|
|
index 0000000..66c9949
|
|
--- /dev/null
|
|
+++ b/authselect_policies/sssd_gost/dconf-db
|
|
@@ -0,0 +1,9 @@
|
|
+{imply "with-smartcard" if "with-smartcard-required"}
|
|
+{imply "with-smartcard" if "with-smartcard-lock-on-removal"}
|
|
+[org/gnome/login-screen]
|
|
+enable-smartcard-authentication={if "with-smartcard":true|false}
|
|
+enable-fingerprint-authentication={if "with-fingerprint":true|false}
|
|
+enable-password-authentication={if "with-smartcard-required":false|true}
|
|
+
|
|
+[org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
|
|
+removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"}
|
|
diff --git a/authselect_policies/sssd_gost/dconf-locks b/authselect_policies/sssd_gost/dconf-locks
|
|
new file mode 100644
|
|
index 0000000..6bf15d0
|
|
--- /dev/null
|
|
+++ b/authselect_policies/sssd_gost/dconf-locks
|
|
@@ -0,0 +1,4 @@
|
|
+/org/gnome/login-screen/enable-smartcard-authentication
|
|
+/org/gnome/login-screen/enable-fingerprint-authentication
|
|
+/org/gnome/login-screen/enable-password-authentication
|
|
+/org/gnome/settings-daemon/peripherals/smartcard/removal-action {include if "with-smartcard-lock-on-removal"}
|
|
diff --git a/authselect_policies/sssd_gost/fingerprint-auth b/authselect_policies/sssd_gost/fingerprint-auth
|
|
new file mode 100644
|
|
index 0000000..dc7befe
|
|
--- /dev/null
|
|
+++ b/authselect_policies/sssd_gost/fingerprint-auth
|
|
@@ -0,0 +1,28 @@
|
|
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"}
|
|
+{continue if "with-fingerprint"}
|
|
+auth required pam_env.so
|
|
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
|
|
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
|
+auth [success=done default=bad] pam_fprintd.so
|
|
+auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
|
+auth required pam_deny.so
|
|
+
|
|
+account required pam_access.so {include if "with-pamaccess"}
|
|
+account required pam_faillock.so {include if "with-faillock"}
|
|
+account required pam_unix.so
|
|
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
|
+account sufficient pam_usertype.so issystem
|
|
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
|
+account required pam_permit.so
|
|
+
|
|
+password required pam_deny.so
|
|
+
|
|
+session optional pam_keyinit.so revoke
|
|
+session required pam_limits.so
|
|
+-session optional pam_systemd.so
|
|
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
+session required pam_unix.so
|
|
+session optional pam_sss.so
|
|
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
|
diff --git a/authselect_policies/sssd_gost/nsswitch.conf b/authselect_policies/sssd_gost/nsswitch.conf
|
|
new file mode 100644
|
|
index 0000000..f9e4e54
|
|
--- /dev/null
|
|
+++ b/authselect_policies/sssd_gost/nsswitch.conf
|
|
@@ -0,0 +1,7 @@
|
|
+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
|
|
+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
|
|
+netgroup: sss files {exclude if "with-custom-netgroup"}
|
|
+automount: sss files {exclude if "with-custom-automount"}
|
|
+services: sss files {exclude if "with-custom-services"}
|
|
+sudoers: files sss {include if "with-sudo"}
|
|
+subid: sss {include if "with-subid"}
|
|
diff --git a/authselect_policies/sssd_gost/password-auth b/authselect_policies/sssd_gost/password-auth
|
|
new file mode 100644
|
|
index 0000000..7832fb7
|
|
--- /dev/null
|
|
+++ b/authselect_policies/sssd_gost/password-auth
|
|
@@ -0,0 +1,39 @@
|
|
+auth required pam_env.so
|
|
+auth required pam_faildelay.so delay=2000000
|
|
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
|
|
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
|
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
|
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
|
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
|
+auth [default=1 ignore=ignore success=ok] pam_localuser.so
|
|
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
|
+auth sufficient pam_sss.so forward_pass
|
|
+auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
+auth optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
|
|
+auth required pam_deny.so
|
|
+
|
|
+account required pam_access.so {include if "with-pamaccess"}
|
|
+account required pam_faillock.so {include if "with-faillock"}
|
|
+account required pam_unix.so
|
|
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
|
+account sufficient pam_usertype.so issystem
|
|
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
|
+account required pam_permit.so
|
|
+
|
|
+password requisite pam_pwquality.so local_users_only
|
|
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
|
|
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
|
|
+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok
|
|
+password [success=1 default=ignore] pam_localuser.so
|
|
+password sufficient pam_sss.so use_authtok
|
|
+password required pam_deny.so
|
|
+
|
|
+session optional pam_keyinit.so revoke
|
|
+session required pam_limits.so
|
|
+-session optional pam_systemd.so
|
|
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
+session required pam_unix.so
|
|
+session optional pam_sss.so
|
|
+session optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
|
|
diff --git a/authselect_policies/sssd_gost/postlogin b/authselect_policies/sssd_gost/postlogin
|
|
new file mode 100644
|
|
index 0000000..04a11f0
|
|
--- /dev/null
|
|
+++ b/authselect_policies/sssd_gost/postlogin
|
|
@@ -0,0 +1,4 @@
|
|
+session optional pam_umask.so silent
|
|
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
|
+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
|
|
+session optional pam_lastlog.so silent noupdate showfailed
|
|
diff --git a/authselect_policies/sssd_gost/smartcard-auth b/authselect_policies/sssd_gost/smartcard-auth
|
|
new file mode 100644
|
|
index 0000000..754847f
|
|
--- /dev/null
|
|
+++ b/authselect_policies/sssd_gost/smartcard-auth
|
|
@@ -0,0 +1,26 @@
|
|
+{imply "with-smartcard" if "with-smartcard-required"}
|
|
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-smartcard"}
|
|
+{continue if "with-smartcard"}
|
|
+auth required pam_env.so
|
|
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
|
+auth sufficient pam_sss.so allow_missing_name {if "with-smartcard-required":require_cert_auth}
|
|
+auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
|
+auth required pam_deny.so
|
|
+
|
|
+account required pam_access.so {include if "with-pamaccess"}
|
|
+account required pam_faillock.so {include if "with-faillock"}
|
|
+account required pam_unix.so
|
|
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
|
+account sufficient pam_usertype.so issystem
|
|
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
|
+account required pam_permit.so
|
|
+
|
|
+session optional pam_keyinit.so revoke
|
|
+session required pam_limits.so
|
|
+-session optional pam_systemd.so
|
|
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
+session required pam_unix.so
|
|
+session optional pam_sss.so
|
|
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
|
diff --git a/authselect_policies/sssd_gost/system-auth b/authselect_policies/sssd_gost/system-auth
|
|
new file mode 100644
|
|
index 0000000..31d4ee1
|
|
--- /dev/null
|
|
+++ b/authselect_policies/sssd_gost/system-auth
|
|
@@ -0,0 +1,46 @@
|
|
+{imply "with-smartcard" if "with-smartcard-required"}
|
|
+auth required pam_env.so
|
|
+auth required pam_faildelay.so delay=2000000
|
|
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
|
+auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
|
|
+auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
|
|
+auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
|
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
|
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
|
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
|
+auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
|
+auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
|
+auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
|
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
|
|
+auth sufficient pam_sss_gss.so {include if "with-gssapi"}
|
|
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
|
+auth sufficient pam_sss.so forward_pass
|
|
+auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
|
+auth required pam_deny.so
|
|
+
|
|
+account required pam_access.so {include if "with-pamaccess"}
|
|
+account required pam_faillock.so {include if "with-faillock"}
|
|
+account required pam_unix.so
|
|
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
|
+account sufficient pam_usertype.so issystem
|
|
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
|
+account required pam_permit.so
|
|
+
|
|
+password requisite pam_pwquality.so local_users_only
|
|
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
|
|
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
|
|
+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok
|
|
+password [success=1 default=ignore] pam_localuser.so
|
|
+password sufficient pam_sss.so use_authtok
|
|
+password required pam_deny.so
|
|
+
|
|
+session optional pam_keyinit.so revoke
|
|
+session required pam_limits.so
|
|
+-session optional pam_systemd.so
|
|
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
+session required pam_unix.so
|
|
+session optional pam_sss.so
|
|
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
|
diff --git a/policies/GOST-ONLY.pol b/policies/GOST-ONLY.pol
|
|
new file mode 100644
|
|
index 0000000..37e478b
|
|
--- /dev/null
|
|
+++ b/policies/GOST-ONLY.pol
|
|
@@ -0,0 +1,28 @@
|
|
+# Next generation GOST algorithms
|
|
+
|
|
+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT
|
|
+
|
|
+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C
|
|
+
|
|
+hash = GOSTR94 STREEBOG-256 STREEBOG-512
|
|
+
|
|
+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512
|
|
+
|
|
+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM
|
|
+
|
|
+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB
|
|
+
|
|
+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF
|
|
+
|
|
+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0
|
|
+
|
|
+# Parameter sizes
|
|
+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL
|
|
+min_dh_size = 2048
|
|
+min_dsa_size = 2048
|
|
+min_rsa_size = 2048
|
|
+
|
|
+# GnuTLS only for now
|
|
+sha1_in_certs = 0
|
|
+
|
|
+action_do = GOST
|
|
diff --git a/policies/modules/GOST.pmod b/policies/modules/GOST.pmod
|
|
new file mode 100644
|
|
index 0000000..b9021ea
|
|
--- /dev/null
|
|
+++ b/policies/modules/GOST.pmod
|
|
@@ -0,0 +1,18 @@
|
|
+# Adds GOST algorithms.
|
|
+#
|
|
+
|
|
+mac = +HMAC-STREEBOG-256 +HMAC-STREEBOG-512 +MAGMA-OMAC +KUZNYECHIK-OMAC +MAGMA-OMAC-ACPKM +KUZNYECHIK-OMAC-ACPKM +GOST28147-TC26Z-IMIT +GOST28147-CPA-IMIT +AEAD
|
|
+
|
|
+group = +GOST-GC256A +GOST-GC256B +GOST-GC256C +GOST-GC256D +GOST-GC512A +GOST-GC512B +GOST-GC512C
|
|
+
|
|
+hash = +STREEBOG-256 +STREEBOG-512 GOSTR94+
|
|
+
|
|
+sign = +GOSTR341012-256 +GOSTR341012-512 GOSTR341001+
|
|
+
|
|
+cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM
|
|
+
|
|
+cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB
|
|
+
|
|
+key_exchange = +VKO-GOST-2001 +VKO-GOST-2012 +VKO-GOST-KDF
|
|
+
|
|
+action_do = +GOST
|
|
diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py
|
|
index 9253e76..20c66c1 100755
|
|
--- a/python/build-crypto-policies.py
|
|
+++ b/python/build-crypto-policies.py
|
|
@@ -9,6 +9,7 @@ import argparse
|
|
import os
|
|
import sys
|
|
import warnings
|
|
+import platform
|
|
|
|
import cryptopolicies
|
|
|
|
@@ -59,6 +60,11 @@ def save_config(cmdline, policy_name, config_name, config):
|
|
try:
|
|
with open(path, mode='r') as f:
|
|
old_config = f.read()
|
|
+ if '[gost_section]' in config:
|
|
+ arch, links = platform.architecture()
|
|
+ if arch == '32bit':
|
|
+ #Make test expected file same for x86 and x86_64 systems
|
|
+ config = config.replace('dynamic_path = /usr/lib/engines-3/gost.so', 'dynamic_path = /usr/lib64/engines-3/gost.so')
|
|
if old_config != config:
|
|
eprint('Config for {} for policy {} differs from the existing one'.format(config_name, policy_name))
|
|
return False
|
|
@@ -96,7 +102,7 @@ def build_policy(cmdline, policy_name, subpolicy_names=None):
|
|
gen = cls()
|
|
config = gen.generate_config(cp.scoped(gen.SCOPES))
|
|
|
|
- if policy_name == 'EMPTY' or gen.test_config(config):
|
|
+ if policy_name in ('EMPTY', 'GOST-ONLY') or gen.test_config(config):
|
|
try:
|
|
name = ':'.join([policy_name, *subpolicy_names])
|
|
if not save_config(cmdline, name, gen.CONFIG_NAME, config):
|
|
diff --git a/python/cryptopolicies/alg_lists.py b/python/cryptopolicies/alg_lists.py
|
|
index 69e2f33..31e9093 100644
|
|
--- a/python/cryptopolicies/alg_lists.py
|
|
+++ b/python/cryptopolicies/alg_lists.py
|
|
@@ -24,18 +24,26 @@ ALL_CIPHERS = (
|
|
'CAMELLIA-256-CBC', 'CAMELLIA-128-CBC',
|
|
'3DES-CBC', 'DES-CBC', 'RC4-40', 'RC4-128',
|
|
'DES40-CBC', 'RC2-CBC', 'IDEA-CBC', 'SEED-CBC',
|
|
+ 'GOST28147-TC26Z-CFB', 'GOST28147-CPA-CFB',
|
|
+ 'GOST28147-CPB-CFB', 'GOST28147-CPC-CFB',
|
|
+ 'GOST28147-CPD-CFB', 'GOST28147-TC26Z-CNT',
|
|
+ 'MAGMA-CTR-ACPKM', 'KUZNYECHIK-CTR-ACPKM',
|
|
'NULL',
|
|
)
|
|
|
|
ALL_MACS = (
|
|
'AEAD', 'UMAC-128', 'HMAC-SHA1', 'HMAC-SHA2-256',
|
|
'HMAC-SHA2-384', 'HMAC-SHA2-512', 'UMAC-64', 'HMAC-MD5',
|
|
+ 'HMAC-STREEBOG-256', 'HMAC-STREEBOG-512',
|
|
+ 'GOST28147-CPA-IMIT', 'GOST28147-TC26Z-IMIT',
|
|
+ 'MAGMA-OMAC', 'KUZNYECHIK-OMAC',
|
|
+ 'MAGMA-OMAC-ACPKM', 'KUZNYECHIK-OMAC-ACPKM',
|
|
)
|
|
|
|
ALL_HASHES = (
|
|
'SHA2-256', 'SHA2-384', 'SHA2-512', 'SHA3-256', 'SHA3-384', 'SHA3-512',
|
|
- 'SHA2-224', 'SHA1', 'MD5',
|
|
- 'GOST',
|
|
+ 'SHA2-224', 'SHA1', 'MD5', 'GOST',
|
|
+ 'STREEBOG-256', 'STREEBOG-512', 'GOSTR94',
|
|
)
|
|
|
|
# we disable curves <= 256 bits by default in Fedora
|
|
@@ -43,6 +51,8 @@ ALL_GROUPS = (
|
|
'X25519', 'SECP256R1', 'SECP384R1', 'SECP521R1', 'X448',
|
|
'FFDHE-1536', 'FFDHE-2048', 'FFDHE-3072', 'FFDHE-4096',
|
|
'FFDHE-6144', 'FFDHE-8192', 'FFDHE-1024',
|
|
+ 'GOST-GC256A', 'GOST-GC256B', 'GOST-GC256C', 'GOST-GC256D',
|
|
+ 'GOST-GC512A', 'GOST-GC512B', 'GOST-GC512C',
|
|
)
|
|
|
|
ALL_SIGN = (
|
|
@@ -59,12 +69,14 @@ ALL_SIGN = (
|
|
'RSA-PSS-SHA2-384', 'RSA-PSS-SHA2-512', 'RSA-PSS-RSAE-SHA1',
|
|
'RSA-PSS-RSAE-SHA2-224', 'RSA-PSS-RSAE-SHA2-256',
|
|
'RSA-PSS-RSAE-SHA2-384', 'RSA-PSS-RSAE-SHA2-512',
|
|
+ 'GOSTR341012-512', 'GOSTR341012-256', 'GOSTR341001',
|
|
)
|
|
|
|
|
|
ALL_KEY_EXCHANGES = (
|
|
'PSK', 'DHE-PSK', 'ECDHE-PSK', 'ECDHE', 'RSA',
|
|
'DHE', 'DHE-RSA', 'DHE-DSS', 'EXPORT', 'ANON', 'DH', 'ECDH',
|
|
+ 'VKO-GOST-2001', 'VKO-GOST-2012', 'VKO-GOST-KDF',
|
|
'DHE-GSS', 'ECDHE-GSS',
|
|
)
|
|
|
|
@@ -74,6 +86,11 @@ DTLS_PROTOCOLS = ('DTLS1.2', 'DTLS1.0', 'DTLS0.9')
|
|
IKE_PROTOCOLS = ('IKEv2', 'IKEv1')
|
|
ALL_PROTOCOLS = TLS_PROTOCOLS + DTLS_PROTOCOLS + IKE_PROTOCOLS
|
|
|
|
+# List of action do algoritms, for non standard libraries
|
|
+IACTION_OPT = 'action_do'
|
|
+ALL_ACTION_DO = ( 'GOST', 'NONE' )
|
|
+
|
|
+ALL_AUTH_PROFILES = ()
|
|
|
|
ALL = {
|
|
'cipher': ALL_CIPHERS,
|
|
@@ -83,6 +100,7 @@ ALL = {
|
|
'mac': ALL_MACS,
|
|
'protocol': ALL_PROTOCOLS,
|
|
'sign': ALL_SIGN,
|
|
+ IACTION_OPT: ALL_ACTION_DO
|
|
}
|
|
|
|
|
|
diff --git a/python/cryptopolicies/cryptopolicies.py b/python/cryptopolicies/cryptopolicies.py
|
|
index 75918d4..4511a49 100644
|
|
--- a/python/cryptopolicies/cryptopolicies.py
|
|
+++ b/python/cryptopolicies/cryptopolicies.py
|
|
@@ -33,7 +33,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing
|
|
'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh',
|
|
'ipsec', 'ike', 'libreswan',
|
|
'kerberos', 'krb5',
|
|
- 'dnssec', 'bind',
|
|
+ 'dnssec', 'bind'
|
|
)
|
|
DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
|
|
'bind': {'bind', 'dnssec'},
|
|
@@ -434,6 +434,8 @@ class UnscopedCryptoPolicy:
|
|
s += '# Baseline values for all scopes:\n'
|
|
generic_all = {**generic_scoped.enabled, **generic_scoped.integers}
|
|
for prop_name, value in generic_all.items():
|
|
+ if prop_name in (alg_lists.IACTION_OPT):
|
|
+ continue
|
|
s += fmt(prop_name, value)
|
|
anything_scope_specific = False
|
|
for scope_name, scope_set in DUMPABLE_SCOPES.items():
|
|
@@ -441,6 +443,8 @@ class UnscopedCryptoPolicy:
|
|
specific_all = {**specific_scoped.enabled,
|
|
**specific_scoped.integers}
|
|
for prop_name, value in specific_all.items():
|
|
+ if prop_name in (alg_lists.IACTION_OPT):
|
|
+ continue
|
|
if value != generic_all[prop_name]:
|
|
if not anything_scope_specific:
|
|
s += ('# Scope-specific properties '
|
|
diff --git a/python/policygenerators/bind.py b/python/policygenerators/bind.py
|
|
index afff885..d5216f0 100644
|
|
--- a/python/policygenerators/bind.py
|
|
+++ b/python/policygenerators/bind.py
|
|
@@ -32,6 +32,7 @@ class BindGenerator(ConfigGenerator):
|
|
'SHA2-256': 'SHA-256',
|
|
'SHA2-384': 'SHA-384',
|
|
'GOST': 'GOST',
|
|
+ 'GOSTR94': 'GOST',
|
|
}
|
|
|
|
@classmethod
|
|
diff --git a/python/policygenerators/java.py b/python/policygenerators/java.py
|
|
index fd48b91..1f21a45 100644
|
|
--- a/python/policygenerators/java.py
|
|
+++ b/python/policygenerators/java.py
|
|
@@ -21,7 +21,8 @@ class JavaGenerator(ConfigGenerator):
|
|
'SHA3-256':'SHA3_256',
|
|
'SHA3-384':'SHA3_384',
|
|
'SHA3-512':'SHA3_512',
|
|
- 'GOST':''
|
|
+ 'GOST':'',
|
|
+ 'GOSTR94': ''
|
|
}
|
|
|
|
cipher_not_map = {
|
|
diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py
|
|
index 86bd308..325a70b 100644
|
|
--- a/python/policygenerators/nss.py
|
|
+++ b/python/policygenerators/nss.py
|
|
@@ -36,7 +36,8 @@ class NSSGenerator(ConfigGenerator):
|
|
'SHA3-256':'',
|
|
'SHA3-384':'',
|
|
'SHA3-512':'',
|
|
- 'GOST':''
|
|
+ 'GOST':'',
|
|
+ 'GOSTR94': ''
|
|
}
|
|
|
|
curve_map = {
|
|
diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py
|
|
index c3b5385..5f98aa1 100644
|
|
--- a/python/policygenerators/openssl.py
|
|
+++ b/python/policygenerators/openssl.py
|
|
@@ -2,11 +2,33 @@
|
|
|
|
# Copyright (c) 2019 Red Hat, Inc.
|
|
# Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
|
|
+import platform
|
|
|
|
from subprocess import check_output, CalledProcessError
|
|
|
|
from .configgenerator import ConfigGenerator
|
|
|
|
+arch, links = platform.architecture()
|
|
+library_path = '64'
|
|
+if arch == '32bit':
|
|
+ library_path = ''
|
|
+
|
|
+GOST_MODULE_ENABLE = '''
|
|
+
|
|
+[ default_modules ]
|
|
+engines = engine_gost
|
|
+
|
|
+[ engine_gost ]
|
|
+gost = gost_section
|
|
+
|
|
+[ gost_section ]
|
|
+engine_id = gost
|
|
+dynamic_path = /usr/lib%s/engines-1.1/gost.so
|
|
+default_algorithms = ALL
|
|
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
|
|
+
|
|
+''' % (library_path)
|
|
+
|
|
|
|
class OpenSSLGenerator(ConfigGenerator):
|
|
CONFIG_NAME = 'openssl'
|
|
@@ -38,7 +60,8 @@ class OpenSSLGenerator(ConfigGenerator):
|
|
'DHE-PSK':'kDHEPSK',
|
|
'DHE-RSA':'kEDH',
|
|
'DHE-DSS':'',
|
|
- 'ECDHE-PSK':'kECDHEPSK'
|
|
+ 'ECDHE-PSK':'kECDHEPSK',
|
|
+ 'VKO-GOST-2012': 'kGOST'
|
|
}
|
|
|
|
key_exchange_not_map = {
|
|
@@ -65,6 +88,8 @@ class OpenSSLGenerator(ConfigGenerator):
|
|
'CHACHA20-POLY1305':'TLS_CHACHA20_POLY1305_SHA256',
|
|
'AES-128-CCM':'TLS_AES_128_CCM_SHA256',
|
|
'AES-128-CCM8':'TLS_AES_128_CCM_8_SHA256',
|
|
+ 'GOST28147-TC26Z-CNT': 'GOST2012-GOST8912-GOST8912',
|
|
+ 'GOST28147-CPA-CNT': 'GOST2001-GOST89-GOST89'
|
|
}
|
|
|
|
@classmethod
|
|
@@ -222,6 +247,9 @@ class OpenSSLConfigGenerator(OpenSSLGenerator):
|
|
for i in p['sign'] if i in cls.sign_map]
|
|
s += 'SignatureAlgorithms = ' + ':'.join(sig_algs)
|
|
|
|
+ if 'GOST' in p['action_do']:
|
|
+ s += GOST_MODULE_ENABLE
|
|
+
|
|
return s
|
|
|
|
@classmethod
|
|
diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh
|
|
new file mode 100755
|
|
index 0000000..70c87c6
|
|
--- /dev/null
|
|
+++ b/scripts/auth_apply.sh
|
|
@@ -0,0 +1,3 @@
|
|
+#!/usr/bin/bash
|
|
+exec 1> /var/log/crypto-cmc/auth.log 2>&1
|
|
+exit 0
|
|
\ No newline at end of file
|
|
diff --git a/tests/gnutls.pl b/tests/gnutls.pl
|
|
index c0901d3..57a42ef 100755
|
|
--- a/tests/gnutls.pl
|
|
+++ b/tests/gnutls.pl
|
|
@@ -19,6 +19,7 @@ foreach my $policyfile (@gnutlspolicies) {
|
|
$policy =~ s/-[^-]+$//;
|
|
|
|
print "Checking policy $policy\n";
|
|
+ next if $policy =~ /^GOST-ONLY/;
|
|
|
|
my $tmp = do {
|
|
local $/ = undef;
|
|
diff --git a/tests/java.pl b/tests/java.pl
|
|
index cbe26df..91158d2 100755
|
|
--- a/tests/java.pl
|
|
+++ b/tests/java.pl
|
|
@@ -57,7 +57,7 @@ foreach my $policyfile (@javapolicies) {
|
|
exit 1;
|
|
}
|
|
|
|
- if ($lines <= 1) {
|
|
+ if ($lines <= 1 and not("$policy" =~ "^GOST-ONLY") ) {
|
|
print "Policy $policy has no ciphersuites!\n";
|
|
system("cat $TMPFILE");
|
|
exit 1;
|
|
diff --git a/tests/nss.py b/tests/nss.py
|
|
index dbbf8e8..d5d7ef8 100755
|
|
--- a/tests/nss.py
|
|
+++ b/tests/nss.py
|
|
@@ -32,7 +32,7 @@ print('Checking the NSS configuration')
|
|
for policy_path in glob.glob('tests/outputs/*-nss.txt'):
|
|
policy = os.path.basename(policy_path)[:-len('-nss.txt')]
|
|
print(f'Checking policy {policy}')
|
|
- if policy not in ('EMPTY', 'GOST-ONLY'):
|
|
+ if policy not in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM'):
|
|
p = subprocess.Popen(['nss-policy-check', policy_path],
|
|
stdout=subprocess.PIPE,
|
|
stderr=subprocess.STDOUT)
|
|
diff --git a/tests/openssl.pl b/tests/openssl.pl
|
|
index c43c337..72e6888 100755
|
|
--- a/tests/openssl.pl
|
|
+++ b/tests/openssl.pl
|
|
@@ -26,8 +26,10 @@ foreach my $policyfile (@opensslpolicies) {
|
|
or die "could not open $file: $!";
|
|
<$fh>;
|
|
};
|
|
+
|
|
+ my %skip_test = map {$_ => 1} ("EMPTY", "GOST-ONLY", "GOST-ONLY-PAM");
|
|
|
|
- system("openssl ciphers $tmp >$TMPFILE 2>&1") if $policy ne 'EMPTY';
|
|
+ system("openssl ciphers $tmp >$TMPFILE 2>&1") unless exists $skip_test{$policy};
|
|
if ($? != 0) {
|
|
print "Error in OpenSSL policy for $policy\n";
|
|
|
|
diff --git a/tests/outputs/DEFAULT-bind.txt b/tests/outputs/DEFAULT-bind.txt
|
|
index aad9c13..dd1929f 100644
|
|
--- a/tests/outputs/DEFAULT-bind.txt
|
|
+++ b/tests/outputs/DEFAULT-bind.txt
|
|
@@ -6,4 +6,5 @@ NSEC3DSA;
|
|
};
|
|
disable-ds-digests "." {
|
|
GOST;
|
|
+GOST;
|
|
};
|
|
diff --git a/tests/outputs/DEFAULT:GOST-bind.txt b/tests/outputs/DEFAULT:GOST-bind.txt
|
|
new file mode 100644
|
|
index 0000000..aad9c13
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-bind.txt
|
|
@@ -0,0 +1,9 @@
|
|
+disable-algorithms "." {
|
|
+RSAMD5;
|
|
+ECCGOST;
|
|
+DSA;
|
|
+NSEC3DSA;
|
|
+};
|
|
+disable-ds-digests "." {
|
|
+GOST;
|
|
+};
|
|
diff --git a/tests/outputs/DEFAULT:GOST-gnutls.txt b/tests/outputs/DEFAULT:GOST-gnutls.txt
|
|
new file mode 100644
|
|
index 0000000..1f36982
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-gnutls.txt
|
|
@@ -0,0 +1 @@
|
|
+SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
|
|
diff --git a/tests/outputs/DEFAULT:GOST-java.txt b/tests/outputs/DEFAULT:GOST-java.txt
|
|
new file mode 100644
|
|
index 0000000..baafc5b
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-java.txt
|
|
@@ -0,0 +1,4 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
+jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
|
|
+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
|
|
+jdk.tls.legacyAlgorithms=
|
|
diff --git a/tests/outputs/DEFAULT:GOST-javasystem.txt b/tests/outputs/DEFAULT:GOST-javasystem.txt
|
|
new file mode 100644
|
|
index 0000000..108de3d
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-javasystem.txt
|
|
@@ -0,0 +1 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
diff --git a/tests/outputs/DEFAULT:GOST-krb5.txt b/tests/outputs/DEFAULT:GOST-krb5.txt
|
|
new file mode 100644
|
|
index 0000000..8a92aec
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-krb5.txt
|
|
@@ -0,0 +1,2 @@
|
|
+[libdefaults]
|
|
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
|
|
diff --git a/tests/outputs/DEFAULT:GOST-libreswan.txt b/tests/outputs/DEFAULT:GOST-libreswan.txt
|
|
new file mode 100644
|
|
index 0000000..1d8ffd9
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-libreswan.txt
|
|
@@ -0,0 +1,5 @@
|
|
+conn %default
|
|
+ ikev2=insist
|
|
+ pfs=yes
|
|
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
|
|
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
|
|
diff --git a/tests/outputs/DEFAULT:GOST-libssh.txt b/tests/outputs/DEFAULT:GOST-libssh.txt
|
|
new file mode 100644
|
|
index 0000000..11c0ffc
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-libssh.txt
|
|
@@ -0,0 +1,5 @@
|
|
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
|
|
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
|
|
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
|
|
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
diff --git a/tests/outputs/DEFAULT:GOST-nss.txt b/tests/outputs/DEFAULT:GOST-nss.txt
|
|
new file mode 100644
|
|
index 0000000..846beb2
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-nss.txt
|
|
@@ -0,0 +1,6 @@
|
|
+library=
|
|
+name=Policy
|
|
+NSS=flags=policyOnly,moduleDB
|
|
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
+
|
|
+
|
|
diff --git a/tests/outputs/DEFAULT:GOST-openssh.txt b/tests/outputs/DEFAULT:GOST-openssh.txt
|
|
new file mode 100644
|
|
index 0000000..6d30013
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-openssh.txt
|
|
@@ -0,0 +1,6 @@
|
|
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
|
|
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
|
|
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-
|
|
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
|
|
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
|
|
diff --git a/tests/outputs/DEFAULT:GOST-opensshserver.txt b/tests/outputs/DEFAULT:GOST-opensshserver.txt
|
|
new file mode 100644
|
|
index 0000000..b43a591
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-opensshserver.txt
|
|
@@ -0,0 +1 @@
|
|
+CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/DEFAULT:GOST-openssl.txt b/tests/outputs/DEFAULT:GOST-openssl.txt
|
|
new file mode 100644
|
|
index 0000000..05615c7
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-openssl.txt
|
|
@@ -0,0 +1 @@
|
|
+@SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/DEFAULT:GOST-openssl_fips.txt b/tests/outputs/DEFAULT:GOST-openssl_fips.txt
|
|
new file mode 100644
|
|
index 0000000..c69d6e1
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-openssl_fips.txt
|
|
@@ -0,0 +1,4 @@
|
|
+
|
|
+[fips_sect]
|
|
+tls1-prf-ems-check = 1
|
|
+activate = 1
|
|
diff --git a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
|
|
new file mode 100644
|
|
index 0000000..f61edd1
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
|
|
@@ -0,0 +1,20 @@
|
|
+CipherString = @SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
+Ciphersuites = GOST2012-GOST8912-GOST8912:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
|
|
+TLS.MinProtocol = TLSv1.2
|
|
+TLS.MaxProtocol = TLSv1.3
|
|
+DTLS.MinProtocol = DTLSv1.2
|
|
+DTLS.MaxProtocol = DTLSv1.2
|
|
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
|
|
+
|
|
+[ default_modules ]
|
|
+engines = engine_gost
|
|
+
|
|
+[ engine_gost ]
|
|
+gost = gost_section
|
|
+
|
|
+[ gost_section ]
|
|
+engine_id = gost
|
|
+dynamic_path = /usr/lib64/engines-1.1/gost.so
|
|
+default_algorithms = ALL
|
|
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
|
|
+
|
|
diff --git a/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
|
|
new file mode 100644
|
|
index 0000000..cec1d15
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
|
|
@@ -0,0 +1,51 @@
|
|
+[hash_algorithms]
|
|
+md5.collision_resistance = "never"
|
|
+md5.second_preimage_resistance = "never"
|
|
+sha1.collision_resistance = "always"
|
|
+sha1.second_preimage_resistance = "always"
|
|
+ripemd160.collision_resistance = "never"
|
|
+ripemd160.second_preimage_resistance = "never"
|
|
+sha224.collision_resistance = "always"
|
|
+sha224.second_preimage_resistance = "always"
|
|
+sha256.collision_resistance = "always"
|
|
+sha256.second_preimage_resistance = "always"
|
|
+sha384.collision_resistance = "always"
|
|
+sha384.second_preimage_resistance = "always"
|
|
+sha512.collision_resistance = "always"
|
|
+sha512.second_preimage_resistance = "always"
|
|
+default_disposition = "never"
|
|
+
|
|
+[symmetric_algorithms]
|
|
+idea = "never"
|
|
+tripledes = "never"
|
|
+cast5 = "never"
|
|
+blowfish = "never"
|
|
+aes128 = "always"
|
|
+aes192 = "never"
|
|
+aes256 = "always"
|
|
+twofish = "never"
|
|
+camellia128 = "always"
|
|
+camellia192 = "never"
|
|
+camellia256 = "always"
|
|
+default_disposition = "never"
|
|
+
|
|
+[asymmetric_algorithms]
|
|
+rsa1024 = "never"
|
|
+rsa2048 = "always"
|
|
+rsa3072 = "always"
|
|
+rsa4096 = "always"
|
|
+dsa1024 = "always"
|
|
+dsa2048 = "always"
|
|
+dsa3072 = "always"
|
|
+dsa4096 = "always"
|
|
+nistp256 = "always"
|
|
+nistp384 = "always"
|
|
+nistp521 = "always"
|
|
+cv25519 = "always"
|
|
+elgamal1024 = "never"
|
|
+elgamal2048 = "never"
|
|
+elgamal3072 = "never"
|
|
+elgamal4096 = "never"
|
|
+brainpoolp256 = "never"
|
|
+brainpoolp512 = "never"
|
|
+default_disposition = "never"
|
|
diff --git a/tests/outputs/DEFAULT:GOST-sequoia.txt b/tests/outputs/DEFAULT:GOST-sequoia.txt
|
|
new file mode 100644
|
|
index 0000000..135997c
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:GOST-sequoia.txt
|
|
@@ -0,0 +1,51 @@
|
|
+[hash_algorithms]
|
|
+md5.collision_resistance = "never"
|
|
+md5.second_preimage_resistance = "never"
|
|
+sha1.collision_resistance = "never"
|
|
+sha1.second_preimage_resistance = "never"
|
|
+ripemd160.collision_resistance = "never"
|
|
+ripemd160.second_preimage_resistance = "never"
|
|
+sha224.collision_resistance = "always"
|
|
+sha224.second_preimage_resistance = "always"
|
|
+sha256.collision_resistance = "always"
|
|
+sha256.second_preimage_resistance = "always"
|
|
+sha384.collision_resistance = "always"
|
|
+sha384.second_preimage_resistance = "always"
|
|
+sha512.collision_resistance = "always"
|
|
+sha512.second_preimage_resistance = "always"
|
|
+default_disposition = "never"
|
|
+
|
|
+[symmetric_algorithms]
|
|
+idea = "never"
|
|
+tripledes = "never"
|
|
+cast5 = "never"
|
|
+blowfish = "never"
|
|
+aes128 = "always"
|
|
+aes192 = "never"
|
|
+aes256 = "always"
|
|
+twofish = "never"
|
|
+camellia128 = "always"
|
|
+camellia192 = "never"
|
|
+camellia256 = "always"
|
|
+default_disposition = "never"
|
|
+
|
|
+[asymmetric_algorithms]
|
|
+rsa1024 = "never"
|
|
+rsa2048 = "always"
|
|
+rsa3072 = "always"
|
|
+rsa4096 = "always"
|
|
+dsa1024 = "never"
|
|
+dsa2048 = "never"
|
|
+dsa3072 = "never"
|
|
+dsa4096 = "never"
|
|
+nistp256 = "always"
|
|
+nistp384 = "always"
|
|
+nistp521 = "always"
|
|
+cv25519 = "always"
|
|
+elgamal1024 = "never"
|
|
+elgamal2048 = "never"
|
|
+elgamal3072 = "never"
|
|
+elgamal4096 = "never"
|
|
+brainpoolp256 = "never"
|
|
+brainpoolp512 = "never"
|
|
+default_disposition = "never"
|
|
diff --git a/tests/outputs/DEFAULT:NO-SHA1-bind.txt b/tests/outputs/DEFAULT:NO-SHA1-bind.txt
|
|
index 293b4c9..d77b344 100644
|
|
--- a/tests/outputs/DEFAULT:NO-SHA1-bind.txt
|
|
+++ b/tests/outputs/DEFAULT:NO-SHA1-bind.txt
|
|
@@ -9,4 +9,5 @@ NSEC3DSA;
|
|
disable-ds-digests "." {
|
|
SHA-1;
|
|
GOST;
|
|
+GOST;
|
|
};
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PAM-GOST-bind.txt
|
|
new file mode 100644
|
|
index 0000000..dd1929f
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-bind.txt
|
|
@@ -0,0 +1,10 @@
|
|
+disable-algorithms "." {
|
|
+RSAMD5;
|
|
+ECCGOST;
|
|
+DSA;
|
|
+NSEC3DSA;
|
|
+};
|
|
+disable-ds-digests "." {
|
|
+GOST;
|
|
+GOST;
|
|
+};
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
|
|
new file mode 100644
|
|
index 0000000..1f36982
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
|
|
@@ -0,0 +1 @@
|
|
+SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-java.txt b/tests/outputs/DEFAULT:PAM-GOST-java.txt
|
|
new file mode 100644
|
|
index 0000000..baafc5b
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-java.txt
|
|
@@ -0,0 +1,4 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
+jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
|
|
+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
|
|
+jdk.tls.legacyAlgorithms=
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
|
|
new file mode 100644
|
|
index 0000000..108de3d
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
|
|
@@ -0,0 +1 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt
|
|
new file mode 100644
|
|
index 0000000..8a92aec
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt
|
|
@@ -0,0 +1,2 @@
|
|
+[libdefaults]
|
|
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
|
|
new file mode 100644
|
|
index 0000000..1d8ffd9
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
|
|
@@ -0,0 +1,5 @@
|
|
+conn %default
|
|
+ ikev2=insist
|
|
+ pfs=yes
|
|
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
|
|
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt
|
|
new file mode 100644
|
|
index 0000000..11c0ffc
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt
|
|
@@ -0,0 +1,5 @@
|
|
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
|
|
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
|
|
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
|
|
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PAM-GOST-nss.txt
|
|
new file mode 100644
|
|
index 0000000..846beb2
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-nss.txt
|
|
@@ -0,0 +1,6 @@
|
|
+library=
|
|
+name=Policy
|
|
+NSS=flags=policyOnly,moduleDB
|
|
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
+
|
|
+
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt
|
|
new file mode 100644
|
|
index 0000000..6d30013
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt
|
|
@@ -0,0 +1,6 @@
|
|
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
|
|
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
|
|
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-
|
|
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
|
|
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
|
|
new file mode 100644
|
|
index 0000000..b43a591
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
|
|
@@ -0,0 +1 @@
|
|
+CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt
|
|
new file mode 100644
|
|
index 0000000..1691be8
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt
|
|
@@ -0,0 +1 @@
|
|
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
|
|
new file mode 100644
|
|
index 0000000..c69d6e1
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
|
|
@@ -0,0 +1,4 @@
|
|
+
|
|
+[fips_sect]
|
|
+tls1-prf-ems-check = 1
|
|
+activate = 1
|
|
diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
|
|
new file mode 100644
|
|
index 0000000..3a15cad
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
|
|
@@ -0,0 +1,7 @@
|
|
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
|
|
+TLS.MinProtocol = TLSv1.2
|
|
+TLS.MaxProtocol = TLSv1.3
|
|
+DTLS.MinProtocol = DTLSv1.2
|
|
+DTLS.MaxProtocol = DTLSv1.2
|
|
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
|
|
new file mode 100644
|
|
index 0000000..dd1929f
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
|
|
@@ -0,0 +1,10 @@
|
|
+disable-algorithms "." {
|
|
+RSAMD5;
|
|
+ECCGOST;
|
|
+DSA;
|
|
+NSEC3DSA;
|
|
+};
|
|
+disable-ds-digests "." {
|
|
+GOST;
|
|
+GOST;
|
|
+};
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
|
|
new file mode 100644
|
|
index 0000000..1f36982
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
|
|
@@ -0,0 +1 @@
|
|
+SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
|
|
new file mode 100644
|
|
index 0000000..baafc5b
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
|
|
@@ -0,0 +1,4 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
+jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
|
|
+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
|
|
+jdk.tls.legacyAlgorithms=
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
|
|
new file mode 100644
|
|
index 0000000..108de3d
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
|
|
@@ -0,0 +1 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
|
|
new file mode 100644
|
|
index 0000000..8a92aec
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
|
|
@@ -0,0 +1,2 @@
|
|
+[libdefaults]
|
|
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
|
|
new file mode 100644
|
|
index 0000000..1d8ffd9
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
|
|
@@ -0,0 +1,5 @@
|
|
+conn %default
|
|
+ ikev2=insist
|
|
+ pfs=yes
|
|
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
|
|
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
|
|
new file mode 100644
|
|
index 0000000..11c0ffc
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
|
|
@@ -0,0 +1,5 @@
|
|
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
|
|
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
|
|
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
|
|
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
|
|
new file mode 100644
|
|
index 0000000..846beb2
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
|
|
@@ -0,0 +1,6 @@
|
|
+library=
|
|
+name=Policy
|
|
+NSS=flags=policyOnly,moduleDB
|
|
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
+
|
|
+
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
|
|
new file mode 100644
|
|
index 0000000..6d30013
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
|
|
@@ -0,0 +1,6 @@
|
|
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
|
|
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
|
|
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-
|
|
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
|
|
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
|
|
new file mode 100644
|
|
index 0000000..b43a591
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
|
|
@@ -0,0 +1 @@
|
|
+CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
|
|
new file mode 100644
|
|
index 0000000..1691be8
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
|
|
@@ -0,0 +1 @@
|
|
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
|
|
new file mode 100644
|
|
index 0000000..c69d6e1
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
|
|
@@ -0,0 +1,4 @@
|
|
+
|
|
+[fips_sect]
|
|
+tls1-prf-ems-check = 1
|
|
+activate = 1
|
|
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
|
|
new file mode 100644
|
|
index 0000000..3a15cad
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
|
|
@@ -0,0 +1,7 @@
|
|
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
|
|
+TLS.MinProtocol = TLSv1.2
|
|
+TLS.MaxProtocol = TLSv1.3
|
|
+DTLS.MinProtocol = DTLSv1.2
|
|
+DTLS.MaxProtocol = DTLSv1.2
|
|
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
|
|
new file mode 100644
|
|
index 0000000..dd1929f
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
|
|
@@ -0,0 +1,10 @@
|
|
+disable-algorithms "." {
|
|
+RSAMD5;
|
|
+ECCGOST;
|
|
+DSA;
|
|
+NSEC3DSA;
|
|
+};
|
|
+disable-ds-digests "." {
|
|
+GOST;
|
|
+GOST;
|
|
+};
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
|
|
new file mode 100644
|
|
index 0000000..1f36982
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
|
|
@@ -0,0 +1 @@
|
|
+SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
|
|
new file mode 100644
|
|
index 0000000..baafc5b
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
|
|
@@ -0,0 +1,4 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
+jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
|
|
+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
|
|
+jdk.tls.legacyAlgorithms=
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
|
|
new file mode 100644
|
|
index 0000000..108de3d
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
|
|
@@ -0,0 +1 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
|
|
new file mode 100644
|
|
index 0000000..8a92aec
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
|
|
@@ -0,0 +1,2 @@
|
|
+[libdefaults]
|
|
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
|
|
new file mode 100644
|
|
index 0000000..1d8ffd9
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
|
|
@@ -0,0 +1,5 @@
|
|
+conn %default
|
|
+ ikev2=insist
|
|
+ pfs=yes
|
|
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
|
|
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
|
|
new file mode 100644
|
|
index 0000000..11c0ffc
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
|
|
@@ -0,0 +1,5 @@
|
|
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
|
|
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
|
|
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
|
|
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
|
|
new file mode 100644
|
|
index 0000000..846beb2
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
|
|
@@ -0,0 +1,6 @@
|
|
+library=
|
|
+name=Policy
|
|
+NSS=flags=policyOnly,moduleDB
|
|
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
+
|
|
+
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
|
|
new file mode 100644
|
|
index 0000000..6d30013
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
|
|
@@ -0,0 +1,6 @@
|
|
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
|
|
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
|
|
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-
|
|
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
|
|
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
|
|
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
|
|
new file mode 100644
|
|
index 0000000..b43a591
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
|
|
@@ -0,0 +1 @@
|
|
+CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
|
|
new file mode 100644
|
|
index 0000000..1691be8
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
|
|
@@ -0,0 +1 @@
|
|
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
|
|
new file mode 100644
|
|
index 0000000..c69d6e1
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
|
|
@@ -0,0 +1,4 @@
|
|
+
|
|
+[fips_sect]
|
|
+tls1-prf-ems-check = 1
|
|
+activate = 1
|
|
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
|
|
new file mode 100644
|
|
index 0000000..3a15cad
|
|
--- /dev/null
|
|
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
|
|
@@ -0,0 +1,7 @@
|
|
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
|
|
+TLS.MinProtocol = TLSv1.2
|
|
+TLS.MaxProtocol = TLSv1.3
|
|
+DTLS.MinProtocol = DTLSv1.2
|
|
+DTLS.MaxProtocol = DTLSv1.2
|
|
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/EMPTY-bind.txt b/tests/outputs/EMPTY-bind.txt
|
|
index cbba221..54afa34 100644
|
|
--- a/tests/outputs/EMPTY-bind.txt
|
|
+++ b/tests/outputs/EMPTY-bind.txt
|
|
@@ -19,4 +19,5 @@ SHA-256;
|
|
SHA-384;
|
|
SHA-1;
|
|
GOST;
|
|
+GOST;
|
|
};
|
|
diff --git a/tests/outputs/FIPS-bind.txt b/tests/outputs/FIPS-bind.txt
|
|
index d70f4ae..0fc1346 100644
|
|
--- a/tests/outputs/FIPS-bind.txt
|
|
+++ b/tests/outputs/FIPS-bind.txt
|
|
@@ -11,4 +11,5 @@ ED448;
|
|
disable-ds-digests "." {
|
|
SHA-1;
|
|
GOST;
|
|
+GOST;
|
|
};
|
|
diff --git a/tests/outputs/FIPS:ECDHE-ONLY-bind.txt b/tests/outputs/FIPS:ECDHE-ONLY-bind.txt
|
|
index d70f4ae..0fc1346 100644
|
|
--- a/tests/outputs/FIPS:ECDHE-ONLY-bind.txt
|
|
+++ b/tests/outputs/FIPS:ECDHE-ONLY-bind.txt
|
|
@@ -11,4 +11,5 @@ ED448;
|
|
disable-ds-digests "." {
|
|
SHA-1;
|
|
GOST;
|
|
+GOST;
|
|
};
|
|
diff --git a/tests/outputs/FIPS:OSPP-bind.txt b/tests/outputs/FIPS:OSPP-bind.txt
|
|
index d70f4ae..0fc1346 100644
|
|
--- a/tests/outputs/FIPS:OSPP-bind.txt
|
|
+++ b/tests/outputs/FIPS:OSPP-bind.txt
|
|
@@ -11,4 +11,5 @@ ED448;
|
|
disable-ds-digests "." {
|
|
SHA-1;
|
|
GOST;
|
|
+GOST;
|
|
};
|
|
diff --git a/tests/outputs/FUTURE-bind.txt b/tests/outputs/FUTURE-bind.txt
|
|
index 293b4c9..d77b344 100644
|
|
--- a/tests/outputs/FUTURE-bind.txt
|
|
+++ b/tests/outputs/FUTURE-bind.txt
|
|
@@ -9,4 +9,5 @@ NSEC3DSA;
|
|
disable-ds-digests "." {
|
|
SHA-1;
|
|
GOST;
|
|
+GOST;
|
|
};
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt
|
|
new file mode 100644
|
|
index 0000000..cbba221
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-bind.txt
|
|
@@ -0,0 +1,22 @@
|
|
+disable-algorithms "." {
|
|
+RSAMD5;
|
|
+ECCGOST;
|
|
+RSASHA1;
|
|
+NSEC3RSASHA1;
|
|
+DSA;
|
|
+NSEC3DSA;
|
|
+RSASHA256;
|
|
+ECDSAP256SHA256;
|
|
+ECDSAP384SHA384;
|
|
+RSASHA512;
|
|
+ED25519;
|
|
+ED448;
|
|
+ECDSAP256SHA256;
|
|
+ECDSAP384SHA384;
|
|
+};
|
|
+disable-ds-digests "." {
|
|
+SHA-256;
|
|
+SHA-384;
|
|
+SHA-1;
|
|
+GOST;
|
|
+};
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-gnutls.txt b/tests/outputs/GOST-ONLY-PAM-gnutls.txt
|
|
new file mode 100644
|
|
index 0000000..2563be5
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-gnutls.txt
|
|
@@ -0,0 +1 @@
|
|
+SYSTEM=NONE:+MAC-ALL:-SHA1:-SHA256:-SHA384:-SHA512:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-SECP256R1:-GROUP-SECP384R1:-GROUP-SECP521R1:-GROUP-X448:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-GROUP-FFDHE4096:-GROUP-FFDHE8192:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-RSA-SHA224:-SIGN-DSA-SHA224:-SIGN-ECDSA-SHA224:-SIGN-RSA-SHA256:-SIGN-DSA-SHA256:-SIGN-ECDSA-SHA256:-SIGN-RSA-SHA384:-SIGN-DSA-SHA384:-SIGN-ECDSA-SHA384:-SIGN-RSA-SHA512:-SIGN-DSA-SHA512:-SIGN-ECDSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-RSAE-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-RSAE-SHA384:-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA512:+CIPHER-ALL:-AES-256-GCM:-AES-256-CCM:-AES-128-GCM:-AES-128-CCM:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-AES-256-CBC:-AES-128-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-DTLS1.2:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt
|
|
new file mode 100644
|
|
index 0000000..a2c07ad
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-java.txt
|
|
@@ -0,0 +1,4 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
+jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
|
|
+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
|
|
+jdk.tls.legacyAlgorithms=
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-javasystem.txt b/tests/outputs/GOST-ONLY-PAM-javasystem.txt
|
|
new file mode 100644
|
|
index 0000000..108de3d
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-javasystem.txt
|
|
@@ -0,0 +1 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-krb5.txt b/tests/outputs/GOST-ONLY-PAM-krb5.txt
|
|
new file mode 100644
|
|
index 0000000..b0b1480
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-krb5.txt
|
|
@@ -0,0 +1,2 @@
|
|
+[libdefaults]
|
|
+permitted_enctypes =
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-libreswan.txt b/tests/outputs/GOST-ONLY-PAM-libreswan.txt
|
|
new file mode 100644
|
|
index 0000000..7dc12cd
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-libreswan.txt
|
|
@@ -0,0 +1,2 @@
|
|
+conn %default
|
|
+ pfs=yes
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-libssh.txt b/tests/outputs/GOST-ONLY-PAM-libssh.txt
|
|
new file mode 100644
|
|
index 0000000..e69de29
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-nss.txt b/tests/outputs/GOST-ONLY-PAM-nss.txt
|
|
new file mode 100644
|
|
index 0000000..bf6f1ca
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-nss.txt
|
|
@@ -0,0 +1,6 @@
|
|
+library=
|
|
+name=Policy
|
|
+NSS=flags=policyOnly,moduleDB
|
|
+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
+
|
|
+
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-openssh.txt b/tests/outputs/GOST-ONLY-PAM-openssh.txt
|
|
new file mode 100644
|
|
index 0000000..15ddb71
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-openssh.txt
|
|
@@ -0,0 +1 @@
|
|
+GSSAPIKeyExchange no
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-opensshserver.txt b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt
|
|
new file mode 100644
|
|
index 0000000..dfe971d
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt
|
|
@@ -0,0 +1 @@
|
|
+CRYPTO_POLICY='-oGSSAPIKeyExchange=no'
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-openssl.txt b/tests/outputs/GOST-ONLY-PAM-openssl.txt
|
|
new file mode 100644
|
|
index 0000000..2acf9bf
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-openssl.txt
|
|
@@ -0,0 +1 @@
|
|
+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
|
|
new file mode 100644
|
|
index 0000000..c69d6e1
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
|
|
@@ -0,0 +1,4 @@
|
|
+
|
|
+[fips_sect]
|
|
+tls1-prf-ems-check = 1
|
|
+activate = 1
|
|
diff --git a/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
|
|
new file mode 100644
|
|
index 0000000..aff0062
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
|
|
@@ -0,0 +1,18 @@
|
|
+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
+Ciphersuites = GOST2012-GOST8912-GOST8912
|
|
+TLS.MinProtocol = TLSv1
|
|
+TLS.MaxProtocol = TLSv1.3
|
|
+SignatureAlgorithms =
|
|
+
|
|
+[ default_modules ]
|
|
+engines = engine_gost
|
|
+
|
|
+[ engine_gost ]
|
|
+gost = gost_section
|
|
+
|
|
+[ gost_section ]
|
|
+engine_id = gost
|
|
+dynamic_path = /usr/lib64/engines-1.1/gost.so
|
|
+default_algorithms = ALL
|
|
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
|
|
+
|
|
diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt
|
|
new file mode 100644
|
|
index 0000000..cbba221
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-bind.txt
|
|
@@ -0,0 +1,22 @@
|
|
+disable-algorithms "." {
|
|
+RSAMD5;
|
|
+ECCGOST;
|
|
+RSASHA1;
|
|
+NSEC3RSASHA1;
|
|
+DSA;
|
|
+NSEC3DSA;
|
|
+RSASHA256;
|
|
+ECDSAP256SHA256;
|
|
+ECDSAP384SHA384;
|
|
+RSASHA512;
|
|
+ED25519;
|
|
+ED448;
|
|
+ECDSAP256SHA256;
|
|
+ECDSAP384SHA384;
|
|
+};
|
|
+disable-ds-digests "." {
|
|
+SHA-256;
|
|
+SHA-384;
|
|
+SHA-1;
|
|
+GOST;
|
|
+};
|
|
diff --git a/tests/outputs/GOST-ONLY-gnutls.txt b/tests/outputs/GOST-ONLY-gnutls.txt
|
|
new file mode 100644
|
|
index 0000000..2563be5
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-gnutls.txt
|
|
@@ -0,0 +1 @@
|
|
+SYSTEM=NONE:+MAC-ALL:-SHA1:-SHA256:-SHA384:-SHA512:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-SECP256R1:-GROUP-SECP384R1:-GROUP-SECP521R1:-GROUP-X448:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-GROUP-FFDHE4096:-GROUP-FFDHE8192:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-RSA-SHA224:-SIGN-DSA-SHA224:-SIGN-ECDSA-SHA224:-SIGN-RSA-SHA256:-SIGN-DSA-SHA256:-SIGN-ECDSA-SHA256:-SIGN-RSA-SHA384:-SIGN-DSA-SHA384:-SIGN-ECDSA-SHA384:-SIGN-RSA-SHA512:-SIGN-DSA-SHA512:-SIGN-ECDSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-RSAE-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-RSAE-SHA384:-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA512:+CIPHER-ALL:-AES-256-GCM:-AES-256-CCM:-AES-128-GCM:-AES-128-CCM:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-AES-256-CBC:-AES-128-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-DTLS1.2:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
|
|
diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt
|
|
new file mode 100644
|
|
index 0000000..a2c07ad
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-java.txt
|
|
@@ -0,0 +1,4 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
+jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
|
|
+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
|
|
+jdk.tls.legacyAlgorithms=
|
|
diff --git a/tests/outputs/GOST-ONLY-javasystem.txt b/tests/outputs/GOST-ONLY-javasystem.txt
|
|
new file mode 100644
|
|
index 0000000..108de3d
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-javasystem.txt
|
|
@@ -0,0 +1 @@
|
|
+jdk.tls.ephemeralDHKeySize=2048
|
|
diff --git a/tests/outputs/GOST-ONLY-krb5.txt b/tests/outputs/GOST-ONLY-krb5.txt
|
|
new file mode 100644
|
|
index 0000000..b0b1480
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-krb5.txt
|
|
@@ -0,0 +1,2 @@
|
|
+[libdefaults]
|
|
+permitted_enctypes =
|
|
diff --git a/tests/outputs/GOST-ONLY-libreswan.txt b/tests/outputs/GOST-ONLY-libreswan.txt
|
|
new file mode 100644
|
|
index 0000000..7dc12cd
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-libreswan.txt
|
|
@@ -0,0 +1,2 @@
|
|
+conn %default
|
|
+ pfs=yes
|
|
diff --git a/tests/outputs/GOST-ONLY-libssh.txt b/tests/outputs/GOST-ONLY-libssh.txt
|
|
new file mode 100644
|
|
index 0000000..e69de29
|
|
diff --git a/tests/outputs/GOST-ONLY-nss.txt b/tests/outputs/GOST-ONLY-nss.txt
|
|
new file mode 100644
|
|
index 0000000..bf6f1ca
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-nss.txt
|
|
@@ -0,0 +1,6 @@
|
|
+library=
|
|
+name=Policy
|
|
+NSS=flags=policyOnly,moduleDB
|
|
+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
|
|
+
|
|
+
|
|
diff --git a/tests/outputs/GOST-ONLY-openssh.txt b/tests/outputs/GOST-ONLY-openssh.txt
|
|
new file mode 100644
|
|
index 0000000..15ddb71
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-openssh.txt
|
|
@@ -0,0 +1 @@
|
|
+GSSAPIKeyExchange no
|
|
diff --git a/tests/outputs/GOST-ONLY-opensshserver.txt b/tests/outputs/GOST-ONLY-opensshserver.txt
|
|
new file mode 100644
|
|
index 0000000..dfe971d
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-opensshserver.txt
|
|
@@ -0,0 +1 @@
|
|
+CRYPTO_POLICY='-oGSSAPIKeyExchange=no'
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/GOST-ONLY-openssl.txt b/tests/outputs/GOST-ONLY-openssl.txt
|
|
new file mode 100644
|
|
index 0000000..2acf9bf
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-openssl.txt
|
|
@@ -0,0 +1 @@
|
|
+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
\ No newline at end of file
|
|
diff --git a/tests/outputs/GOST-ONLY-openssl_fips.txt b/tests/outputs/GOST-ONLY-openssl_fips.txt
|
|
new file mode 100644
|
|
index 0000000..c69d6e1
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-openssl_fips.txt
|
|
@@ -0,0 +1,4 @@
|
|
+
|
|
+[fips_sect]
|
|
+tls1-prf-ems-check = 1
|
|
+activate = 1
|
|
diff --git a/tests/outputs/GOST-ONLY-opensslcnf.txt b/tests/outputs/GOST-ONLY-opensslcnf.txt
|
|
new file mode 100644
|
|
index 0000000..aff0062
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-opensslcnf.txt
|
|
@@ -0,0 +1,18 @@
|
|
+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
|
|
+Ciphersuites = GOST2012-GOST8912-GOST8912
|
|
+TLS.MinProtocol = TLSv1
|
|
+TLS.MaxProtocol = TLSv1.3
|
|
+SignatureAlgorithms =
|
|
+
|
|
+[ default_modules ]
|
|
+engines = engine_gost
|
|
+
|
|
+[ engine_gost ]
|
|
+gost = gost_section
|
|
+
|
|
+[ gost_section ]
|
|
+engine_id = gost
|
|
+dynamic_path = /usr/lib64/engines-1.1/gost.so
|
|
+default_algorithms = ALL
|
|
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
|
|
+
|
|
diff --git a/tests/outputs/GOST-ONLY-rpm-sequoia.txt b/tests/outputs/GOST-ONLY-rpm-sequoia.txt
|
|
new file mode 100644
|
|
index 0000000..3ec0b96
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-rpm-sequoia.txt
|
|
@@ -0,0 +1,51 @@
|
|
+[hash_algorithms]
|
|
+md5.collision_resistance = "never"
|
|
+md5.second_preimage_resistance = "never"
|
|
+sha1.collision_resistance = "never"
|
|
+sha1.second_preimage_resistance = "never"
|
|
+ripemd160.collision_resistance = "never"
|
|
+ripemd160.second_preimage_resistance = "never"
|
|
+sha224.collision_resistance = "never"
|
|
+sha224.second_preimage_resistance = "never"
|
|
+sha256.collision_resistance = "never"
|
|
+sha256.second_preimage_resistance = "never"
|
|
+sha384.collision_resistance = "never"
|
|
+sha384.second_preimage_resistance = "never"
|
|
+sha512.collision_resistance = "never"
|
|
+sha512.second_preimage_resistance = "never"
|
|
+default_disposition = "never"
|
|
+
|
|
+[symmetric_algorithms]
|
|
+idea = "never"
|
|
+tripledes = "never"
|
|
+cast5 = "never"
|
|
+blowfish = "never"
|
|
+aes128 = "never"
|
|
+aes192 = "never"
|
|
+aes256 = "never"
|
|
+twofish = "never"
|
|
+camellia128 = "never"
|
|
+camellia192 = "never"
|
|
+camellia256 = "never"
|
|
+default_disposition = "never"
|
|
+
|
|
+[asymmetric_algorithms]
|
|
+rsa1024 = "never"
|
|
+rsa2048 = "never"
|
|
+rsa3072 = "never"
|
|
+rsa4096 = "never"
|
|
+dsa1024 = "never"
|
|
+dsa2048 = "never"
|
|
+dsa3072 = "never"
|
|
+dsa4096 = "never"
|
|
+nistp256 = "never"
|
|
+nistp384 = "never"
|
|
+nistp521 = "never"
|
|
+cv25519 = "never"
|
|
+elgamal1024 = "never"
|
|
+elgamal2048 = "never"
|
|
+elgamal3072 = "never"
|
|
+elgamal4096 = "never"
|
|
+brainpoolp256 = "never"
|
|
+brainpoolp512 = "never"
|
|
+default_disposition = "never"
|
|
diff --git a/tests/outputs/GOST-ONLY-sequoia.txt b/tests/outputs/GOST-ONLY-sequoia.txt
|
|
new file mode 100644
|
|
index 0000000..3ec0b96
|
|
--- /dev/null
|
|
+++ b/tests/outputs/GOST-ONLY-sequoia.txt
|
|
@@ -0,0 +1,51 @@
|
|
+[hash_algorithms]
|
|
+md5.collision_resistance = "never"
|
|
+md5.second_preimage_resistance = "never"
|
|
+sha1.collision_resistance = "never"
|
|
+sha1.second_preimage_resistance = "never"
|
|
+ripemd160.collision_resistance = "never"
|
|
+ripemd160.second_preimage_resistance = "never"
|
|
+sha224.collision_resistance = "never"
|
|
+sha224.second_preimage_resistance = "never"
|
|
+sha256.collision_resistance = "never"
|
|
+sha256.second_preimage_resistance = "never"
|
|
+sha384.collision_resistance = "never"
|
|
+sha384.second_preimage_resistance = "never"
|
|
+sha512.collision_resistance = "never"
|
|
+sha512.second_preimage_resistance = "never"
|
|
+default_disposition = "never"
|
|
+
|
|
+[symmetric_algorithms]
|
|
+idea = "never"
|
|
+tripledes = "never"
|
|
+cast5 = "never"
|
|
+blowfish = "never"
|
|
+aes128 = "never"
|
|
+aes192 = "never"
|
|
+aes256 = "never"
|
|
+twofish = "never"
|
|
+camellia128 = "never"
|
|
+camellia192 = "never"
|
|
+camellia256 = "never"
|
|
+default_disposition = "never"
|
|
+
|
|
+[asymmetric_algorithms]
|
|
+rsa1024 = "never"
|
|
+rsa2048 = "never"
|
|
+rsa3072 = "never"
|
|
+rsa4096 = "never"
|
|
+dsa1024 = "never"
|
|
+dsa2048 = "never"
|
|
+dsa3072 = "never"
|
|
+dsa4096 = "never"
|
|
+nistp256 = "never"
|
|
+nistp384 = "never"
|
|
+nistp521 = "never"
|
|
+cv25519 = "never"
|
|
+elgamal1024 = "never"
|
|
+elgamal2048 = "never"
|
|
+elgamal3072 = "never"
|
|
+elgamal4096 = "never"
|
|
+brainpoolp256 = "never"
|
|
+brainpoolp512 = "never"
|
|
+default_disposition = "never"
|
|
diff --git a/tests/outputs/LEGACY-bind.txt b/tests/outputs/LEGACY-bind.txt
|
|
index 050ab92..c08435b 100644
|
|
--- a/tests/outputs/LEGACY-bind.txt
|
|
+++ b/tests/outputs/LEGACY-bind.txt
|
|
@@ -4,4 +4,5 @@ ECCGOST;
|
|
};
|
|
disable-ds-digests "." {
|
|
GOST;
|
|
+GOST;
|
|
};
|
|
diff --git a/tests/outputs/LEGACY:AD-SUPPORT-bind.txt b/tests/outputs/LEGACY:AD-SUPPORT-bind.txt
|
|
index 050ab92..c08435b 100644
|
|
--- a/tests/outputs/LEGACY:AD-SUPPORT-bind.txt
|
|
+++ b/tests/outputs/LEGACY:AD-SUPPORT-bind.txt
|
|
@@ -4,4 +4,5 @@ ECCGOST;
|
|
};
|
|
disable-ds-digests "." {
|
|
GOST;
|
|
+GOST;
|
|
};
|
|
--
|
|
2.43.5
|
|
|