
From 7c957dd966c765e650d471cb0b6c9c33c00d5ae2 Mon Sep 17 00:00:00 2001
From: Alexey Berezhok <aberezhok@msvsphere-os.ru>
Date: Thu, 18 Jul 2024 22:24:12 +0300
Subject: [PATCH] Added GOST policy to crypto-policy
---
Makefile | 15 +-
authselect_policies/minimal_gost/README | 84 ++++++++
authselect_policies/minimal_gost/REQUIREMENTS | 0
authselect_policies/minimal_gost/dconf-db | 3 +
authselect_policies/minimal_gost/dconf-locks | 2 +
.../minimal_gost/fingerprint-auth | 16 ++
.../minimal_gost/nsswitch.conf | 14 ++
.../minimal_gost/password-auth | 15 ++
authselect_policies/minimal_gost/postlogin | 4 +
.../minimal_gost/smartcard-auth | 16 ++
authselect_policies/minimal_gost/system-auth | 15 ++
authselect_policies/sssd_gost/README | 145 +++++++++++++
authselect_policies/sssd_gost/REQUIREMENTS | 29 +++
authselect_policies/sssd_gost/dconf-db | 9 +
authselect_policies/sssd_gost/dconf-locks | 4 +
.../sssd_gost/fingerprint-auth | 28 +++
authselect_policies/sssd_gost/nsswitch.conf | 7 +
authselect_policies/sssd_gost/password-auth | 39 ++++
authselect_policies/sssd_gost/postlogin | 4 +
authselect_policies/sssd_gost/smartcard-auth | 26 +++
authselect_policies/sssd_gost/system-auth | 46 ++++
policies/GOST-ONLY-PAM.pol | 29 +++
policies/GOST-ONLY.pol | 28 +++
policies/modules/GOST.pmod | 18 ++
policies/modules/PAM-GOST.pmod | 3 +
policies/modules/PATCH-PAM-GOST.pmod | 3 +
policies/modules/SSSD-PAM-GOST.pmod | 3 +
python/build-crypto-policies.py | 8 +-
python/cryptopolicies/alg_lists.py | 35 ++-
python/cryptopolicies/cryptopolicies.py | 7 +-
python/policygenerators/__init__.py | 2 +
python/policygenerators/auth.py | 36 ++++
python/policygenerators/bind.py | 1 +
python/policygenerators/java.py | 3 +-
python/policygenerators/nss.py | 3 +-
python/policygenerators/openssl.py | 30 ++-
scripts/auth_apply.sh | 204 ++++++++++++++++++
tests/gnutls.pl | 1 +
tests/java.pl | 2 +-
tests/nss.py | 2 +-
tests/openssl.pl | 4 +-
tests/outputs/DEFAULT-auth.txt | 0
tests/outputs/DEFAULT-bind.txt | 1 +
tests/outputs/DEFAULT:GOST-auth.txt | 0
tests/outputs/DEFAULT:GOST-bind.txt | 9 +
tests/outputs/DEFAULT:GOST-gnutls.txt | 1 +
tests/outputs/DEFAULT:GOST-java.txt | 4 +
tests/outputs/DEFAULT:GOST-javasystem.txt | 1 +
tests/outputs/DEFAULT:GOST-krb5.txt | 2 +
tests/outputs/DEFAULT:GOST-libreswan.txt | 5 +
tests/outputs/DEFAULT:GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:GOST-nss.txt | 6 +
tests/outputs/DEFAULT:GOST-openssh.txt | 6 +
tests/outputs/DEFAULT:GOST-opensshserver.txt | 1 +
tests/outputs/DEFAULT:GOST-openssl.txt | 1 +
tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 +
tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 ++
tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 +++++
tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++++
tests/outputs/DEFAULT:NO-SHA1-auth.txt | 0
tests/outputs/DEFAULT:NO-SHA1-bind.txt | 1 +
tests/outputs/DEFAULT:PAM-GOST-auth.txt | 2 +
tests/outputs/DEFAULT:PAM-GOST-bind.txt | 10 +
tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 1 +
tests/outputs/DEFAULT:PAM-GOST-java.txt | 4 +
tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 1 +
tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 +
tests/outputs/DEFAULT:PAM-GOST-libreswan.txt | 5 +
tests/outputs/DEFAULT:PAM-GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:PAM-GOST-nss.txt | 6 +
tests/outputs/DEFAULT:PAM-GOST-openssh.txt | 6 +
.../DEFAULT:PAM-GOST-opensshserver.txt | 1 +
tests/outputs/DEFAULT:PAM-GOST-openssl.txt | 1 +
.../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 +
tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 7 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt | 1 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 10 +
.../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 1 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 4 +
.../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 1 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 +
.../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 5 +
.../outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 6 +
.../DEFAULT:PATCH-PAM-GOST-openssh.txt | 6 +
.../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 1 +
.../DEFAULT:PATCH-PAM-GOST-openssl.txt | 1 +
.../DEFAULT:PATCH-PAM-GOST-openssl_fips.txt | 4 +
.../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 7 +
tests/outputs/DEFAULT:SHA1-auth.txt | 0
tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt | 4 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 10 +
.../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 1 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 4 +
.../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 1 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 +
.../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 5 +
.../outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 6 +
.../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 6 +
.../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 1 +
.../outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt | 1 +
.../DEFAULT:SSSD-PAM-GOST-openssl_fips.txt | 4 +
.../DEFAULT:SSSD-PAM-GOST-opensslcnf.txt | 7 +
tests/outputs/EMPTY-auth.txt | 0
tests/outputs/EMPTY-bind.txt | 1 +
tests/outputs/FIPS-auth.txt | 0
tests/outputs/FIPS-bind.txt | 1 +
tests/outputs/FIPS:ECDHE-ONLY-auth.txt | 0
tests/outputs/FIPS:ECDHE-ONLY-bind.txt | 1 +
tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt | 0
tests/outputs/FIPS:OSPP-auth.txt | 0
tests/outputs/FIPS:OSPP-bind.txt | 1 +
tests/outputs/FUTURE-auth.txt | 0
tests/outputs/FUTURE-bind.txt | 1 +
tests/outputs/FUTURE:AD-SUPPORT-auth.txt | 0
tests/outputs/GOST-ONLY-PAM-auth.txt | 2 +
tests/outputs/GOST-ONLY-PAM-bind.txt | 22 ++
tests/outputs/GOST-ONLY-PAM-gnutls.txt | 1 +
tests/outputs/GOST-ONLY-PAM-java.txt | 4 +
tests/outputs/GOST-ONLY-PAM-javasystem.txt | 1 +
tests/outputs/GOST-ONLY-PAM-krb5.txt | 2 +
tests/outputs/GOST-ONLY-PAM-libreswan.txt | 2 +
tests/outputs/GOST-ONLY-PAM-libssh.txt | 0
tests/outputs/GOST-ONLY-PAM-nss.txt | 6 +
tests/outputs/GOST-ONLY-PAM-openssh.txt | 1 +
tests/outputs/GOST-ONLY-PAM-opensshserver.txt | 1 +
tests/outputs/GOST-ONLY-PAM-openssl.txt | 1 +
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt | 4 +
tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 ++
tests/outputs/GOST-ONLY-auth.txt | 0
tests/outputs/GOST-ONLY-bind.txt | 22 ++
tests/outputs/GOST-ONLY-gnutls.txt | 1 +
tests/outputs/GOST-ONLY-java.txt | 4 +
tests/outputs/GOST-ONLY-javasystem.txt | 1 +
tests/outputs/GOST-ONLY-krb5.txt | 2 +
tests/outputs/GOST-ONLY-libreswan.txt | 2 +
tests/outputs/GOST-ONLY-libssh.txt | 0
tests/outputs/GOST-ONLY-nss.txt | 6 +
tests/outputs/GOST-ONLY-openssh.txt | 1 +
tests/outputs/GOST-ONLY-opensshserver.txt | 1 +
tests/outputs/GOST-ONLY-openssl.txt | 1 +
tests/outputs/GOST-ONLY-openssl_fips.txt | 4 +
tests/outputs/GOST-ONLY-opensslcnf.txt | 18 ++
tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 +++++
tests/outputs/GOST-ONLY-sequoia.txt | 51 +++++
tests/outputs/LEGACY-auth.txt | 0
tests/outputs/LEGACY-bind.txt | 1 +
.../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0
tests/outputs/LEGACY:AD-SUPPORT-auth.txt | 0
tests/outputs/LEGACY:AD-SUPPORT-bind.txt | 1 +
151 files changed, 1500 insertions(+), 15 deletions(-)
create mode 100644 authselect_policies/minimal_gost/README
create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS
create mode 100644 authselect_policies/minimal_gost/dconf-db
create mode 100644 authselect_policies/minimal_gost/dconf-locks
create mode 100644 authselect_policies/minimal_gost/fingerprint-auth
create mode 100644 authselect_policies/minimal_gost/nsswitch.conf
create mode 100644 authselect_policies/minimal_gost/password-auth
create mode 100644 authselect_policies/minimal_gost/postlogin
create mode 100644 authselect_policies/minimal_gost/smartcard-auth
create mode 100644 authselect_policies/minimal_gost/system-auth
create mode 100644 authselect_policies/sssd_gost/README
create mode 100644 authselect_policies/sssd_gost/REQUIREMENTS
create mode 100644 authselect_policies/sssd_gost/dconf-db
create mode 100644 authselect_policies/sssd_gost/dconf-locks
create mode 100644 authselect_policies/sssd_gost/fingerprint-auth
create mode 100644 authselect_policies/sssd_gost/nsswitch.conf
create mode 100644 authselect_policies/sssd_gost/password-auth
create mode 100644 authselect_policies/sssd_gost/postlogin
create mode 100644 authselect_policies/sssd_gost/smartcard-auth
create mode 100644 authselect_policies/sssd_gost/system-auth
create mode 100644 policies/GOST-ONLY-PAM.pol
create mode 100644 policies/GOST-ONLY.pol
create mode 100644 policies/modules/GOST.pmod
create mode 100644 policies/modules/PAM-GOST.pmod
create mode 100644 policies/modules/PATCH-PAM-GOST.pmod
create mode 100644 policies/modules/SSSD-PAM-GOST.pmod
create mode 100644 python/policygenerators/auth.py
create mode 100755 scripts/auth_apply.sh
create mode 100644 tests/outputs/DEFAULT-auth.txt
create mode 100644 tests/outputs/DEFAULT:GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:GOST-opensslcnf.txt
create mode 100644 tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
create mode 100644 tests/outputs/DEFAULT:GOST-sequoia.txt
create mode 100644 tests/outputs/DEFAULT:NO-SHA1-auth.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
create mode 100644 tests/outputs/DEFAULT:SHA1-auth.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
create mode 100644 tests/outputs/EMPTY-auth.txt
create mode 100644 tests/outputs/FIPS-auth.txt
create mode 100644 tests/outputs/FIPS:ECDHE-ONLY-auth.txt
create mode 100644 tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt
create mode 100644 tests/outputs/FIPS:OSPP-auth.txt
create mode 100644 tests/outputs/FUTURE-auth.txt
create mode 100644 tests/outputs/FUTURE:AD-SUPPORT-auth.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-auth.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-bind.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-gnutls.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-java.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-javasystem.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-krb5.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-libreswan.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-libssh.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-nss.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssh.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-opensshserver.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
create mode 100644 tests/outputs/GOST-ONLY-auth.txt
create mode 100644 tests/outputs/GOST-ONLY-bind.txt
create mode 100644 tests/outputs/GOST-ONLY-gnutls.txt
create mode 100644 tests/outputs/GOST-ONLY-java.txt
create mode 100644 tests/outputs/GOST-ONLY-javasystem.txt
create mode 100644 tests/outputs/GOST-ONLY-krb5.txt
create mode 100644 tests/outputs/GOST-ONLY-libreswan.txt
create mode 100644 tests/outputs/GOST-ONLY-libssh.txt
create mode 100644 tests/outputs/GOST-ONLY-nss.txt
create mode 100644 tests/outputs/GOST-ONLY-openssh.txt
create mode 100644 tests/outputs/GOST-ONLY-opensshserver.txt
create mode 100644 tests/outputs/GOST-ONLY-openssl.txt
create mode 100644 tests/outputs/GOST-ONLY-openssl_fips.txt
create mode 100644 tests/outputs/GOST-ONLY-opensslcnf.txt
create mode 100644 tests/outputs/GOST-ONLY-rpm-sequoia.txt
create mode 100644 tests/outputs/GOST-ONLY-sequoia.txt
create mode 100644 tests/outputs/LEGACY-auth.txt
create mode 100644 tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt
create mode 100644 tests/outputs/LEGACY:AD-SUPPORT-auth.txt
diff --git a/Makefile b/Makefile
index 65506f4..ae781dd 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,10 @@
VERSION=$(shell git log -1|grep commit|cut -f 2 -d ' '|head -c 7)
DIR?=/usr/share/crypto-policies
+DIRSCR?=/usr/share/crypto-policies-scripts
BINDIR?=/usr/bin
MANDIR?=/usr/share/man
CONFDIR?=/etc/crypto-policies
+AUTHSELECTDIR?=/etc/authselect/custom
DESTDIR?=
MAN7PAGES=crypto-policies.7
MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
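Review bot: `AUTHSELECTDIR?=/etc/authselect/custom` makes the package install its profiles into the directory authselect reserves for administrator-created custom profiles, so they appear as `custom/<name>` and a package upgrade may overwrite a locally edited profile of the same name. If the targeted authselect release supports it, `/usr/share/authselect/vendor` (selected as `vendor/<name>`) is the conventional home for packaged profiles and keeps /etc for local data; worth confirming against that release before settling on the path. At minimum the choice deserves a comment next to the variable, e.g. `# authselect custom-profile dir; shipped profiles are selected as custom/<name>`.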
@@ -22,10 +24,14 @@ install: $(MANPAGES)
mkdir -p $(DESTDIR)$(MANDIR)/man7
mkdir -p $(DESTDIR)$(MANDIR)/man8
mkdir -p $(DESTDIR)$(BINDIR)
+ mkdir -p $(DESTDIR)$(AUTHSELECTDIR)
+
install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
mkdir -p $(DESTDIR)$(DIR)/
+ mkdir -p $(DESTDIR)$(DIRSCR)/
+ install -p -m 755 scripts/auth_apply.sh $(DESTDIR)$(DIRSCR)
install -p -m 644 default-config $(DESTDIR)$(DIR)
install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
for f in $$(find output -name '*.txt') ; do d=$$(dirname $$f | cut -f 2- -d '/') ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done
@@ -33,6 +39,7 @@ install: $(MANPAGES)
for f in $$(find python -name '*.py') ; do d=$$(dirname $$f) ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done
chmod 755 $(DESTDIR)$(DIR)/python/update-crypto-policies.py
chmod 755 $(DESTDIR)$(DIR)/python/build-crypto-policies.py
+ for f in $$(find authselect_policies -name '*' -type f) ; do d=$$(basename $$(dirname $$f)) ; install -p -m 644 -D -t $(DESTDIR)$(AUTHSELECTDIR)/$$d $$f ; done
runflake8:
@find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8
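Review bot: The install loop on the added line uses `-name '*'`, which matches every entry and is therefore a no-op, and `basename $$(dirname $$f)` keeps only the immediate parent directory, so any profile that later gains a subdirectory would be flattened into the wrong place. The `find output -name '*.txt'` loop earlier in this recipe already shows the pattern that preserves the relative path, so the loop could read `for f in $$(find authselect_policies -type f) ; do d=$$(dirname $$f | cut -f 2- -d '/') ; install -p -m 644 -D -t $(DESTDIR)$(AUTHSELECTDIR)/$$d $$f ; done`. Note also that `-D` creates the target directory itself, which makes the `mkdir -p $(DESTDIR)$(AUTHSELECTDIR)` added in the earlier hunk redundant except when no profile file exists. The `install` recipe begins before this hunk.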
@@ -48,6 +55,11 @@ check:
python/build-crypto-policies.py --strict --policy FIPS:ECDHE-ONLY --test --flat policies tests/outputs
python/build-crypto-policies.py --strict --policy DEFAULT:NO-SHA1 --test --flat policies tests/outputs
python/build-crypto-policies.py --strict --policy LEGACY:AD-SUPPORT --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:GOST --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy GOST-ONLY --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:PAM-GOST --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:PATCH-PAM-GOST --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:SSSD-PAM-GOST --test --flat policies tests/outputs
tests/openssl.pl
tests/gnutls.pl
tests/nss.py
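Review bot: The diffstat adds `policies/GOST-ONLY-PAM.pol` and a full set of expected outputs (`tests/outputs/GOST-ONLY-PAM-*.txt`), but the new `check` lines stop at `DEFAULT:SSSD-PAM-GOST`, so that policy is never regenerated and compared and its committed outputs can silently drift from the generator. Adding `python/build-crypto-policies.py --strict --policy GOST-ONLY-PAM --test --flat policies tests/outputs` after the `GOST-ONLY` line would close the gap. The `check` target itself begins before this hunk.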
@@ -88,7 +100,7 @@ covtest: #doctest unittest
ifdef ON_RHEL8
# flake8 and pylint are missing on RHEL-8
-test: doctest unittest check check-alternatives covtest
+test: doctest unittest check check-alternatives
else
test: doctest unittest check check-alternatives covtest runflake8 runpylint
endif
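Review bot: Dropping `covtest` from the RHEL-8 `test` target is not explained by the comment directly above it, which only says flake8 and pylint are missing, so the next reader cannot tell whether coverage tooling is unavailable on that platform or the step was removed to get the GOST additions to pass. If the coverage tooling is indeed absent there, extend the comment, e.g. `# flake8, pylint and the coverage tooling are missing on RHEL-8`; if it was removed for another reason, state that reason or restore `covtest`. As written the change quietly lowers what the Python changes in this commit (`auth.py`, `openssl.py`, `alg_lists.py`) are held to on that platform.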
@@ -105,6 +117,7 @@ diff-outputs:
python/build-crypto-policies.py --policy DEFAULT:NO-SHA1 --test --flat policies output/current || true
python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies output/current || true
python/build-crypto-policies.py --policy LEGACY:AD-SUPPORT --test --flat policies output/current || true
+ python/build-crypto-policies.py --policy DEFAULT:GOST --test --flat policies output/current || true
$(DIFFTOOL) tests/outputs output/current
clean:
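Review bot: `diff-outputs` gains only `DEFAULT:GOST`, while the `check` target in this same patch also adds `GOST-ONLY`, `DEFAULT:PAM-GOST`, `DEFAULT:PATCH-PAM-GOST` and `DEFAULT:SSSD-PAM-GOST`, so `make diff-outputs` will not show regenerated output for four of the five new policy combinations. Each missing one is a copy of the added line with the policy name swapped, e.g. `python/build-crypto-policies.py --policy GOST-ONLY --test --flat policies output/current || true`. The `diff-outputs` recipe begins before this hunk.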
diff --git a/authselect_policies/minimal_gost/README b/authselect_policies/minimal_gost/README
new file mode 100644
index 0000000..9839669
--- /dev/null
+++ b/authselect_policies/minimal_gost/README
@@ -0,0 +1,84 @@
+Local users only for minimal installations and gost support
+===========================================================
+
+Selecting this profile will enable local files as the source of identity
+and authentication providers.
+
+This profile can be used on systems that require minimal installation to
+save disk and memory space. It serves only local users and groups directly
+from system files instead of going through other authentication providers.
+Therefore SSSD, winbind and fprintd packages can be safely removed.
+
+AVAILABLE OPTIONAL FEATURES
+---------------------------
+
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
+with-gost::
+ Use GOST hash for shadow password instead of sha512
+
+with-silent-lastlog::
+ Do not produce pam_lastlog message during login.
+
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-aliases::
+Ignore "aliases" map set by the profile.
+
+with-custom-automount::
+Ignore "automount" map set by the profile.
+
+with-custom-ethers::
+Ignore "ethers" map set by the profile.
+
+with-custom-group::
+Ignore "group" map set by the profile.
+
+with-custom-hosts::
+Ignore "hosts" map set by the profile.
+
+with-custom-initgroups::
+Ignore "initgroups" map set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" map set by the profile.
+
+with-custom-networks::
+Ignore "networks" map set by the profile.
+
+with-custom-passwd::
+Ignore "passwd" map set by the profile.
+
+with-custom-protocols::
+Ignore "protocols" map set by the profile.
+
+with-custom-publickey::
+Ignore "publickey" map set by the profile.
+
+with-custom-rpc::
+Ignore "rpc" map set by the profile.
+
+with-custom-services::
+Ignore "services" map set by the profile.
+
+with-custom-shadow::
+Ignore "shadow" map set by the profile.
+
+EXAMPLES
+--------
+
+* Enable minimal profile
+
+ authselect select minimal
+
+SEE ALSO
+--------
+* man passwd(5)
+* man group(5)
diff --git a/authselect_policies/minimal_gost/REQUIREMENTS b/authselect_policies/minimal_gost/REQUIREMENTS
new file mode 100644
index 0000000..e69de29
diff --git a/authselect_policies/minimal_gost/dconf-db b/authselect_policies/minimal_gost/dconf-db
new file mode 100644
index 0000000..a3868b7
--- /dev/null
+++ b/authselect_policies/minimal_gost/dconf-db
@@ -0,0 +1,3 @@
+[org/gnome/login-screen]
+enable-smartcard-authentication=false
+enable-fingerprint-authentication=false
diff --git a/authselect_policies/minimal_gost/dconf-locks b/authselect_policies/minimal_gost/dconf-locks
new file mode 100644
index 0000000..8a36fa9
--- /dev/null
+++ b/authselect_policies/minimal_gost/dconf-locks
@@ -0,0 +1,2 @@
+/org/gnome/login-screen/enable-smartcard-authentication
+/org/gnome/login-screen/enable-fingerprint-authentication
diff --git a/authselect_policies/minimal_gost/fingerprint-auth b/authselect_policies/minimal_gost/fingerprint-auth
new file mode 100644
index 0000000..ca152fb
--- /dev/null
+++ b/authselect_policies/minimal_gost/fingerprint-auth
@@ -0,0 +1,16 @@
+auth required pam_env.so
+auth sufficient pam_fprintd.so
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/authselect_policies/minimal_gost/nsswitch.conf b/authselect_policies/minimal_gost/nsswitch.conf
new file mode 100644
index 0000000..f1f5941
--- /dev/null
+++ b/authselect_policies/minimal_gost/nsswitch.conf
@@ -0,0 +1,14 @@
+passwd: sss files systemd {exclude if "with-custom-passwd"}
+shadow: files {exclude if "with-custom-shadow"}
+group: sss files systemd {exclude if "with-custom-group"}
+hosts: files dns myhostname {exclude if "with-custom-hosts"}
+services: files sss {exclude if "with-custom-services"}
+netgroup: sss {exclude if "with-custom-netgroup"}
+automount: files sss {exclude if "with-custom-automount"}
+aliases: files {exclude if "with-custom-aliases"}
+ethers: files {exclude if "with-custom-ethers"}
+gshadow: files
+networks: files dns {exclude if "with-custom-networks"}
+protocols: files {exclude if "with-custom-protocols"}
+publickey: files {exclude if "with-custom-publickey"}
+rpc: files {exclude if "with-custom-rpc"}
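Review bot: The `passwd`, `group`, `services`, `netgroup` and `automount` lines of this minimal profile all list `sss`, which contradicts the README added just above (`It serves only local users and groups directly from system files ... SSSD, winbind and fprintd packages can be safely removed`), and `netgroup: sss` has no source left at all once SSSD is removed. If this profile is meant to be a GOST variant of authselect's minimal profile, the sources should presumably be files-only, e.g. `passwd: files systemd {exclude if "with-custom-passwd"}`, `group: files systemd {exclude if "with-custom-group"}`, `netgroup: files {exclude if "with-custom-netgroup"}`, with `services` and `automount` likewise dropping `sss`; if SSSD really is intended here, the README's claim should be corrected instead. As it stands, lookups are routed to a module the profile's own documentation says may be absent.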
diff --git a/authselect_policies/minimal_gost/password-auth b/authselect_policies/minimal_gost/password-auth
new file mode 100644
index 0000000..5da3730
--- /dev/null
+++ b/authselect_policies/minimal_gost/password-auth
@@ -0,0 +1,15 @@
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok}
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
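Review bot: The `with-gost` feature on the `password sufficient pam_unix.so` line selects the `gost_yescrypt` hashing method, but nothing states the prerequisite: `authselect_policies/minimal_gost/REQUIREMENTS` is added as an empty file in this patch, so an administrator is not told that pam_unix and the system's libxcrypt must support that method before enabling the feature. Following the style of the `sssd_gost/REQUIREMENTS` file later in the patch, a line such as `- with-gost is selected, make sure pam_unix and libxcrypt on this system support the gost_yescrypt hashing method {include if "with-gost"}` would make the dependency visible. The same line is repeated verbatim in `system-auth` (a later hunk, same blob), so the two files must stay in sync, and the README's wording `Use GOST hash for shadow password instead of sha512` could name `gost_yescrypt` explicitly. Whether the targeted libxcrypt build enables gost-yescrypt is not visible from this patch and is worth confirming.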
diff --git a/authselect_policies/minimal_gost/postlogin b/authselect_policies/minimal_gost/postlogin
new file mode 100644
index 0000000..8d9bfd0
--- /dev/null
+++ b/authselect_policies/minimal_gost/postlogin
@@ -0,0 +1,4 @@
+session optional pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+session optional pam_lastlog.so silent noupdate showfailed
diff --git a/authselect_policies/minimal_gost/smartcard-auth b/authselect_policies/minimal_gost/smartcard-auth
new file mode 100644
index 0000000..f0843be
--- /dev/null
+++ b/authselect_policies/minimal_gost/smartcard-auth
@@ -0,0 +1,16 @@
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password optional pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/authselect_policies/minimal_gost/system-auth b/authselect_policies/minimal_gost/system-auth
new file mode 100644
index 0000000..5da3730
--- /dev/null
+++ b/authselect_policies/minimal_gost/system-auth
@@ -0,0 +1,15 @@
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok}
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/authselect_policies/sssd_gost/README b/authselect_policies/sssd_gost/README
new file mode 100644
index 0000000..02daa76
--- /dev/null
+++ b/authselect_policies/sssd_gost/README
@@ -0,0 +1,145 @@
+Enable SSSD with GOST support for system authentication (also for local users only)
+=================================================================
+
+Selecting this profile will enable SSSD with GOST as the source of identity
+and authentication providers.
+
+SSSD provides a set of daemons to manage access to remote directories and
+authentication mechanisms such as LDAP, Kerberos, FreeIPA or AD. It provides
+an NSS and PAM interface toward the system and a pluggable backend system
+to connect to multiple different account sources.
+
+More information about SSSD can be found on its project page:
+https://sssd.io
+
+However, if you do not want to keep SSSD running on your machine, you can
+keep this profile selected and just disable SSSD service. The resulting
+configuration will still work correctly even with SSSD disabled and local users
+and groups will be read from local files directly.
+
+SSSD CONFIGURATION
+------------------
+
+Authselect does not touch SSSD's configuration. Please, read SSSD's
+documentation to see how to configure it manually. Only local users
+will be available on the system if there is no existing SSSD configuration.
+
+AVAILABLE OPTIONAL FEATURES
+---------------------------
+
+with-faillock::
+ Enable account locking in case of too many consecutive
+ authentication failures.
+
+with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+with-smartcard::
+ Enable authentication with smartcards through SSSD. Please note that
+ smartcard support must be also explicitly enabled within
+ SSSD's configuration.
+
+with-smartcard-lock-on-removal::
+ Lock screen when a smartcard is removed.
+
+with-smartcard-required::
+ Smartcard authentication is required. No other means of authentication
+ (including password) will be enabled.
+
+with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+
+with-pam-gnome-keyring::
+ Enable pam-gnome-keyring support.
+
+with-pam-u2f::
+ Enable authentication via u2f dongle through *pam_u2f*.
+
+with-pam-u2f-2fa::
+ Enable 2nd factor authentication via u2f dongle through *pam_u2f*.
+
+without-pam-u2f-nouserok::
+ Module argument nouserok is omitted if also with-pam-u2f-2fa is used.
+ *WARNING*: Omitting nouserok argument means that users without pam-u2f
+ authentication configured will not be able to log in *INCLUDING* root.
+ Make sure you are able to log in before losing root privileges.
+
+with-silent-lastlog::
+ Do not produce pam_lastlog message during login.
+
+with-sudo::
+ Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers.
+
+with-pamaccess::
+ Check access.conf during account authorization.
+
+with-pwhistory::
+ Enable pam_pwhistory module for local users.
+
+with-files-domain::
+ If set, SSSD will be contacted before "files" when resolving users and
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
+ "files sss" for passwd and group maps.
+
+with-files-access-provider::
+ If set, account management for local users is handled also by pam_sss. This
+ is needed if there is an explicitly configured domain with id_provider=files
+ and non-empty access_provider setting in sssd.conf.
+
+ *WARNING:* SSSD access check will become mandatory for local users and
+ if SSSD is stopped then local users will not be able to log in. Only
+ system accounts (as defined by pam_usertype, including root) will be
+ able to log in.
+
+with-gssapi::
+ If set, pam_sss_gss module is enabled to perform user authentication over
+ GSSAPI.
+
+with-subid::
+ Enable SSSD as a source of subid database in /etc/nsswitch.conf.
+
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
+with-gost::
+ Use GOST hash for shadow password instead of sha512
+
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-passwd::
+Ignore "passwd" database set by the profile.
+
+with-custom-group::
+Ignore "group" database set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" database set by the profile.
+
+with-custom-automount::
+Ignore "automount" database set by the profile.
+
+with-custom-services::
+Ignore "services" database set by the profile.
+
+EXAMPLES
+--------
+
+* Enable SSSD with sudo and smartcard support
+
+ authselect select sssd with-sudo with-smartcard
+
+* Enable SSSD with sudo support and create home directories for users on their
+ first login
+
+ authselect select sssd with-mkhomedir with-sudo
+
+SEE ALSO
+--------
+* man sssd.conf(5)
diff --git a/authselect_policies/sssd_gost/REQUIREMENTS b/authselect_policies/sssd_gost/REQUIREMENTS
new file mode 100644
index 0000000..396287e
--- /dev/null
+++ b/authselect_policies/sssd_gost/REQUIREMENTS
@@ -0,0 +1,29 @@
+Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
+ {include if "with-smartcard"}
+- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf: {include if "with-smartcard"}
+ - set "pam_cert_auth = True" in [pam] section {include if "with-smartcard"}
+ {include if "with-fingerprint"}
+- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"}
+ {include if "with-pam-gnome-keyring"}
+- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module {include if "with-pam-gnome-keyring"}
+ is present. {include if "with-pam-gnome-keyring"}
+ {include if "with-pam-u2f"}
+- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"}
+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"}
+ {include if "with-pam-u2f-2fa"}
+- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"}
+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"}
+ {include if "with-mkhomedir"}
+- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
+ is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
+ - systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
+ {include if "with-files-domain"}
+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
+ {include if "with-gssapi"}
+- with-gssapi is selected, make sure that GSSAPI authenticaiton is enabled in SSSD {include if "with-gssapi"}
+ - set pam_gssapi_services to a list of allowed services in /etc/sssd/sssd.conf {include if "with-gssapi"}
+ - see additional information in pam_sss_gss(8) {include if "with-gssapi"}
+ {include if "with-gost"}
+- with-gost is selected, make sure that openssl-gost-engine installed {include if "with-gost"}
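Review bot: The with-gost requirement points at `openssl-gost-engine`, but the hash method this profile turns on (`gost_yescrypt` in password-auth and system-auth) is computed by libxcrypt, which presumably carries its own Streebog implementation, so the OpenSSL engine is not what pam_unix needs here — confirm and name the real prerequisite, e.g. `- with-gost is selected, make sure that libxcrypt supports the gost_yescrypt method {include if "with-gost"}`. The new line also reads `openssl-gost-engine installed` (missing `is`), and the copied GSSAPI line carries the typo `authenticaiton`.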
diff --git a/authselect_policies/sssd_gost/dconf-db b/authselect_policies/sssd_gost/dconf-db
new file mode 100644
index 0000000..66c9949
--- /dev/null
+++ b/authselect_policies/sssd_gost/dconf-db
@@ -0,0 +1,9 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+{imply "with-smartcard" if "with-smartcard-lock-on-removal"}
+[org/gnome/login-screen]
+enable-smartcard-authentication={if "with-smartcard":true|false}
+enable-fingerprint-authentication={if "with-fingerprint":true|false}
+enable-password-authentication={if "with-smartcard-required":false|true}
+
+[org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
+removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"}
diff --git a/authselect_policies/sssd_gost/dconf-locks b/authselect_policies/sssd_gost/dconf-locks
new file mode 100644
index 0000000..6bf15d0
--- /dev/null
+++ b/authselect_policies/sssd_gost/dconf-locks
@@ -0,0 +1,4 @@
+/org/gnome/login-screen/enable-smartcard-authentication
+/org/gnome/login-screen/enable-fingerprint-authentication
+/org/gnome/login-screen/enable-password-authentication
+/org/gnome/settings-daemon/peripherals/smartcard/removal-action {include if "with-smartcard-lock-on-removal"}
diff --git a/authselect_policies/sssd_gost/fingerprint-auth b/authselect_policies/sssd_gost/fingerprint-auth
new file mode 100644
index 0000000..dc7befe
--- /dev/null
+++ b/authselect_policies/sssd_gost/fingerprint-auth
@@ -0,0 +1,28 @@
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"}
+{continue if "with-fingerprint"}
+auth required pam_env.so
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth [success=done default=bad] pam_fprintd.so
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/authselect_policies/sssd_gost/nsswitch.conf b/authselect_policies/sssd_gost/nsswitch.conf
new file mode 100644
index 0000000..f9e4e54
--- /dev/null
+++ b/authselect_policies/sssd_gost/nsswitch.conf
@@ -0,0 +1,7 @@
+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
+netgroup: sss files {exclude if "with-custom-netgroup"}
+automount: sss files {exclude if "with-custom-automount"}
+services: sss files {exclude if "with-custom-services"}
+sudoers: files sss {include if "with-sudo"}
+subid: sss {include if "with-subid"}
diff --git a/authselect_policies/sssd_gost/password-auth b/authselect_policies/sssd_gost/password-auth
new file mode 100644
index 0000000..7832fb7
--- /dev/null
+++ b/authselect_policies/sssd_gost/password-auth
@@ -0,0 +1,39 @@
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth [default=1 ignore=ignore success=ok] pam_localuser.so
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth sufficient pam_sss.so forward_pass
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so local_users_only
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
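Review bot: `password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow …` falls back to `sha512` whenever `with-gost` is not selected, while the rest of this patch treats `yescrypt` as the non-GOST method (`set_no_gost` in scripts/auth_apply.sh rewrites both `sha512` and `gost_yescrypt` to `yescrypt`). If the stock profiles on this distribution hash with `yescrypt`, selecting `custom/sssd_gost` without `with-gost` silently downgrades local password hashing; `{if "with-gost":gost_yescrypt|yescrypt}` keeps the two paths consistent. The same line appears in this profile's system-auth hunk, and the README's `instead of sha512` wording would need the same adjustment.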
diff --git a/authselect_policies/sssd_gost/postlogin b/authselect_policies/sssd_gost/postlogin
new file mode 100644
index 0000000..04a11f0
--- /dev/null
+++ b/authselect_policies/sssd_gost/postlogin
@@ -0,0 +1,4 @@
+session optional pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+session optional pam_lastlog.so silent noupdate showfailed
diff --git a/authselect_policies/sssd_gost/smartcard-auth b/authselect_policies/sssd_gost/smartcard-auth
new file mode 100644
index 0000000..754847f
--- /dev/null
+++ b/authselect_policies/sssd_gost/smartcard-auth
@@ -0,0 +1,26 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-smartcard"}
+{continue if "with-smartcard"}
+auth required pam_env.so
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth sufficient pam_sss.so allow_missing_name {if "with-smartcard-required":require_cert_auth}
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/authselect_policies/sssd_gost/system-auth b/authselect_policies/sssd_gost/system-auth
new file mode 100644
index 0000000..31d4ee1
--- /dev/null
+++ b/authselect_policies/sssd_gost/system-auth
@@ -0,0 +1,46 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
+auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
+auth sufficient pam_fprintd.so {include if "with-fingerprint"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
+auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
+auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
+auth sufficient pam_sss_gss.so {include if "with-gssapi"}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth sufficient pam_sss.so forward_pass
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so local_users_only
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/policies/GOST-ONLY-PAM.pol b/policies/GOST-ONLY-PAM.pol
new file mode 100644
index 0000000..fce3bdb
--- /dev/null
+++ b/policies/GOST-ONLY-PAM.pol
@@ -0,0 +1,29 @@
+# Next generation GOST algorithms
+
+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT
+
+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C
+
+hash = GOSTR94 STREEBOG-256 STREEBOG-512
+
+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512
+
+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB
+
+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF
+
+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0
+
+# Parameter sizes
+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL
+min_dh_size = 2048
+min_dsa_size = 2048
+min_rsa_size = 2048
+
+# GnuTLS only for now
+sha1_in_certs = 0
+
+action_do = GOST
+authopt@AUTH = custom/minimal_gost with-gost
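Review bot: This file is a byte-for-byte copy of GOST-ONLY.pol plus the single `authopt@AUTH = custom/minimal_gost with-gost` line, and policies/modules/PAM-GOST.pmod already carries exactly that line, so `GOST-ONLY:PAM-GOST` expresses the same policy without a second copy that must be kept in sync. `protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0` enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and which current DEFAULT-style policies generally no longer permit; unless the GOST suites require them, drop the last two. `hash = GOSTR94 STREEBOG-256 STREEBOG-512` ranks the 1994 hash first, whereas GOST.pmod deliberately appends it last with `GOSTR94+`; the order should match, and a comment explaining why GOST R 34.11-94 stays enabled in a "next generation" policy would help. The same points apply to the GOST-ONLY.pol hunk.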
diff --git a/policies/GOST-ONLY.pol b/policies/GOST-ONLY.pol
new file mode 100644
index 0000000..37e478b
--- /dev/null
+++ b/policies/GOST-ONLY.pol
@@ -0,0 +1,28 @@
+# Next generation GOST algorithms
+
+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT
+
+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C
+
+hash = GOSTR94 STREEBOG-256 STREEBOG-512
+
+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512
+
+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB
+
+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF
+
+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0
+
+# Parameter sizes
+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL
+min_dh_size = 2048
+min_dsa_size = 2048
+min_rsa_size = 2048
+
+# GnuTLS only for now
+sha1_in_certs = 0
+
+action_do = GOST
diff --git a/policies/modules/GOST.pmod b/policies/modules/GOST.pmod
new file mode 100644
index 0000000..b9021ea
--- /dev/null
+++ b/policies/modules/GOST.pmod
@@ -0,0 +1,18 @@
+# Adds GOST algorithms.
+#
+
+mac = +HMAC-STREEBOG-256 +HMAC-STREEBOG-512 +MAGMA-OMAC +KUZNYECHIK-OMAC +MAGMA-OMAC-ACPKM +KUZNYECHIK-OMAC-ACPKM +GOST28147-TC26Z-IMIT +GOST28147-CPA-IMIT +AEAD
+
+group = +GOST-GC256A +GOST-GC256B +GOST-GC256C +GOST-GC256D +GOST-GC512A +GOST-GC512B +GOST-GC512C
+
+hash = +STREEBOG-256 +STREEBOG-512 GOSTR94+
+
+sign = +GOSTR341012-256 +GOSTR341012-512 GOSTR341001+
+
+cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB
+
+key_exchange = +VKO-GOST-2001 +VKO-GOST-2012 +VKO-GOST-KDF
+
+action_do = +GOST
diff --git a/policies/modules/PAM-GOST.pmod b/policies/modules/PAM-GOST.pmod
new file mode 100644
index 0000000..06d92c5
--- /dev/null
+++ b/policies/modules/PAM-GOST.pmod
@@ -0,0 +1,3 @@
+#Add shadow gost support
+
+authopt@AUTH = custom/minimal_gost with-gost
diff --git a/policies/modules/PATCH-PAM-GOST.pmod b/policies/modules/PATCH-PAM-GOST.pmod
new file mode 100644
index 0000000..a79abd0
--- /dev/null
+++ b/policies/modules/PATCH-PAM-GOST.pmod
@@ -0,0 +1,3 @@
+#Add shadow gost support
+
+authopt@AUTH = patch
diff --git a/policies/modules/SSSD-PAM-GOST.pmod b/policies/modules/SSSD-PAM-GOST.pmod
new file mode 100644
index 0000000..f28939e
--- /dev/null
+++ b/policies/modules/SSSD-PAM-GOST.pmod
@@ -0,0 +1,3 @@
+#Add shadow gost support
+
+authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog
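Review bot: `authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog` couples two unrelated authselect features to the GOST subpolicy: `with-fingerprint` activates `auth sufficient pam_fprintd.so` in the sssd_gost system-auth template, which changes how users authenticate, and `with-silent-lastlog` changes login output. An administrator applying a subpolicy named for a hash algorithm would not expect either; keep the line to `custom/sssd_gost with-gost`, or state the extra features in the header comment. The header `#Add shadow gost support` (also in PAM-GOST.pmod and PATCH-PAM-GOST.pmod) should use the `# ` comment form the other modules use.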
diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py
index 9253e76..0d8d4b4 100755
--- a/python/build-crypto-policies.py
+++ b/python/build-crypto-policies.py
@@ -9,6 +9,7 @@ import argparse
import os
import sys
import warnings
+import platform
import cryptopolicies
@@ -59,6 +60,11 @@ def save_config(cmdline, policy_name, config_name, config):
try:
with open(path, mode='r') as f:
old_config = f.read()
+ if '[gost_section]' in config:
+ arch, links = platform.architecture()
+ if arch == '32bit':
+ #Make test expected file same for x86 and x86_64 systems
+ config = config.replace('dynamic_path = /usr/lib/engines-3/gost.so', 'dynamic_path = /usr/lib64/engines-3/gost.so')
if old_config != config:
eprint('Config for {} for policy {} differs from the existing one'.format(config_name, policy_name))
return False
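Review bot: `config.replace('dynamic_path = /usr/lib/engines-3/gost.so', ...)` looks for an `engines-3` path, but the generator in python/policygenerators/openssl.py emits `/usr/lib%s/engines-1.1/gost.so`, so the substring never occurs, the 32-bit normalisation is a no-op, and the following comparison will report a difference on 32-bit hosts. Pick one engines directory and reference it from a single constant shared by both files. `links` is unpacked and never used (`arch, _ = platform.architecture()`), and `platform.architecture()` describes the interpreter's bitness rather than the host's library layout, which the comment on the check should state. The enclosing `save_config` continues outside the hunk.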
@@ -96,7 +102,7 @@ def build_policy(cmdline, policy_name, subpolicy_names=None):
gen = cls()
config = gen.generate_config(cp.scoped(gen.SCOPES))
- if policy_name == 'EMPTY' or gen.test_config(config):
+ if policy_name in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM') or gen.test_config(config):
try:
name = ':'.join([policy_name, *subpolicy_names])
if not save_config(cmdline, name, gen.CONFIG_NAME, config):
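Review bot: `policy_name in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM')` skips `gen.test_config` for the GOST policies, and the test scripts touched by this patch (tests/gnutls.pl, tests/java.pl, tests/nss.py, tests/openssl.pl) skip them too, so a malformed GOST back-end config is only noticed on a deployed system. If the skip exists because the build host lacks the GOST engine, say so at the condition, e.g. `# GOST-ONLY* need the GOST engine, which the build host may not have`, and consider a `GOST_ONLY_POLICIES` constant so the four test files and this line cannot drift apart. The enclosing `build_policy` continues outside the hunk.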
diff --git a/python/cryptopolicies/alg_lists.py b/python/cryptopolicies/alg_lists.py
index 69e2f33..b3a211c 100644
--- a/python/cryptopolicies/alg_lists.py
+++ b/python/cryptopolicies/alg_lists.py
@@ -24,18 +24,26 @@ ALL_CIPHERS = (
'CAMELLIA-256-CBC', 'CAMELLIA-128-CBC',
'3DES-CBC', 'DES-CBC', 'RC4-40', 'RC4-128',
'DES40-CBC', 'RC2-CBC', 'IDEA-CBC', 'SEED-CBC',
+ 'GOST28147-TC26Z-CFB', 'GOST28147-CPA-CFB',
+ 'GOST28147-CPB-CFB', 'GOST28147-CPC-CFB',
+ 'GOST28147-CPD-CFB', 'GOST28147-TC26Z-CNT',
+ 'MAGMA-CTR-ACPKM', 'KUZNYECHIK-CTR-ACPKM',
'NULL',
)
ALL_MACS = (
'AEAD', 'UMAC-128', 'HMAC-SHA1', 'HMAC-SHA2-256',
'HMAC-SHA2-384', 'HMAC-SHA2-512', 'UMAC-64', 'HMAC-MD5',
+ 'HMAC-STREEBOG-256', 'HMAC-STREEBOG-512',
+ 'GOST28147-CPA-IMIT', 'GOST28147-TC26Z-IMIT',
+ 'MAGMA-OMAC', 'KUZNYECHIK-OMAC',
+ 'MAGMA-OMAC-ACPKM', 'KUZNYECHIK-OMAC-ACPKM',
)
ALL_HASHES = (
'SHA2-256', 'SHA2-384', 'SHA2-512', 'SHA3-256', 'SHA3-384', 'SHA3-512',
- 'SHA2-224', 'SHA1', 'MD5',
- 'GOST',
+ 'SHA2-224', 'SHA1', 'MD5', 'GOST',
+ 'STREEBOG-256', 'STREEBOG-512', 'GOSTR94',
)
# we disable curves <= 256 bits by default in Fedora
@@ -43,6 +51,8 @@ ALL_GROUPS = (
'X25519', 'SECP256R1', 'SECP384R1', 'SECP521R1', 'X448',
'FFDHE-1536', 'FFDHE-2048', 'FFDHE-3072', 'FFDHE-4096',
'FFDHE-6144', 'FFDHE-8192', 'FFDHE-1024',
+ 'GOST-GC256A', 'GOST-GC256B', 'GOST-GC256C', 'GOST-GC256D',
+ 'GOST-GC512A', 'GOST-GC512B', 'GOST-GC512C',
)
ALL_SIGN = (
@@ -59,12 +69,14 @@ ALL_SIGN = (
'RSA-PSS-SHA2-384', 'RSA-PSS-SHA2-512', 'RSA-PSS-RSAE-SHA1',
'RSA-PSS-RSAE-SHA2-224', 'RSA-PSS-RSAE-SHA2-256',
'RSA-PSS-RSAE-SHA2-384', 'RSA-PSS-RSAE-SHA2-512',
+ 'GOSTR341012-512', 'GOSTR341012-256', 'GOSTR341001',
)
ALL_KEY_EXCHANGES = (
'PSK', 'DHE-PSK', 'ECDHE-PSK', 'ECDHE', 'RSA',
'DHE', 'DHE-RSA', 'DHE-DSS', 'EXPORT', 'ANON', 'DH', 'ECDH',
+ 'VKO-GOST-2001', 'VKO-GOST-2012', 'VKO-GOST-KDF',
'DHE-GSS', 'ECDHE-GSS',
)
@@ -74,6 +86,12 @@ DTLS_PROTOCOLS = ('DTLS1.2', 'DTLS1.0', 'DTLS0.9')
IKE_PROTOCOLS = ('IKEv2', 'IKEv1')
ALL_PROTOCOLS = TLS_PROTOCOLS + DTLS_PROTOCOLS + IKE_PROTOCOLS
+# List of action do algoritms, for non standard libraries
+IACTION_OPT = 'action_do'
+ALL_ACTION_DO = ( 'GOST', 'NONE' )
+
+AUTH_PROFILES_OPT = 'authopt'
+ALL_AUTH_PROFILES = ()
ALL = {
'cipher': ALL_CIPHERS,
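Review bot: `ALL_ACTION_DO = ( 'GOST', 'NONE' )` is spaced unlike every other tuple in this module (`('GOST', 'NONE')`), and the comment above it has a typo (`algorithms`) and does not say what `NONE` means or who consumes the option — the only reader visible on this page is the OpenSSL generator's `if 'GOST' in p['action_do']`. `ALL_AUTH_PROFILES = ()` being empty is load-bearing because the `glob` special case further down bypasses it; a comment such as `# authopt values are free-form profile names, handled specially in glob()` would stop a later maintainer from "fixing" it.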
@@ -83,6 +101,8 @@ ALL = {
'mac': ALL_MACS,
'protocol': ALL_PROTOCOLS,
'sign': ALL_SIGN,
+ IACTION_OPT: ALL_ACTION_DO,
+ AUTH_PROFILES_OPT: ALL_AUTH_PROFILES
}
@@ -96,10 +116,13 @@ def glob(pattern, alg_class):
if alg_class not in ALL:
raise validation.alg_lists.AlgorithmClassUnknownError(alg_class)
- r = fnmatch.filter(ALL[alg_class], pattern)
- if not r:
- raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class)
- return r
+ if alg_class == AUTH_PROFILES_OPT:
+ return [pattern]
+ else:
+ r = fnmatch.filter(ALL[alg_class], pattern)
+ if not r:
+ raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class)
+ return r
def earliest_occurrence(needles, ordered_haystack):
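Review bot: `if alg_class == AUTH_PROFILES_OPT: return [pattern]` returns the token unvalidated, and the value travels via back-ends/auth.config into scripts/auth_apply.sh, where it is expanded unquoted in `/usr/bin/authselect select $OPTS_FOR_EXECUTE --force`. Policy files are root-owned, so this is not a path for unprivileged input, but a stray character in a .pol or .pmod would surface only as a failed authselect run at activation; a whitelist here, e.g. `if not re.fullmatch(r'[A-Za-z0-9_./-]+', pattern): raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class)` (needs `import re`), keeps validation in the parser alongside the other classes. The `else:` after the `return` is unnecessary; dedenting the existing branch keeps the hunk to a guard clause.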
diff --git a/python/cryptopolicies/cryptopolicies.py b/python/cryptopolicies/cryptopolicies.py
index 75918d4..a8250ef 100644
--- a/python/cryptopolicies/cryptopolicies.py
+++ b/python/cryptopolicies/cryptopolicies.py
@@ -33,7 +33,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing
'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh',
'ipsec', 'ike', 'libreswan',
'kerberos', 'krb5',
- 'dnssec', 'bind',
+ 'dnssec', 'bind', 'auth'
)
DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
'bind': {'bind', 'dnssec'},
@@ -46,6 +46,7 @@ DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
'openssh-client': {'openssh-client', 'openssh', 'ssh'},
'openssh-server': {'openssh-server', 'openssh', 'ssh'},
'openssl': {'openssl', 'tls', 'ssl'},
+ 'auth': {'auth'},
}
@@ -434,6 +435,8 @@ class UnscopedCryptoPolicy:
s += '# Baseline values for all scopes:\n'
generic_all = {**generic_scoped.enabled, **generic_scoped.integers}
for prop_name, value in generic_all.items():
+ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT):
+ continue
s += fmt(prop_name, value)
anything_scope_specific = False
for scope_name, scope_set in DUMPABLE_SCOPES.items():
@@ -441,6 +444,8 @@ class UnscopedCryptoPolicy:
specific_all = {**specific_scoped.enabled,
**specific_scoped.integers}
for prop_name, value in specific_all.items():
+ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT):
+ continue
if value != generic_all[prop_name]:
if not anything_scope_specific:
s += ('# Scope-specific properties '
diff --git a/python/policygenerators/__init__.py b/python/policygenerators/__init__.py
index f3c5e9e..826cea2 100644
--- a/python/policygenerators/__init__.py
+++ b/python/policygenerators/__init__.py
@@ -14,6 +14,7 @@ from .openssh import OpenSSHClientGenerator
from .openssh import OpenSSHServerGenerator
from .openssl import OpenSSLConfigGenerator
from .openssl import OpenSSLGenerator
+from .auth import AuthGenerator
__all__ = [
'BindGenerator',
@@ -27,4 +28,5 @@ __all__ = [
'OpenSSHServerGenerator',
'OpenSSLConfigGenerator',
'OpenSSLGenerator',
+ 'AuthGenerator',
]
diff --git a/python/policygenerators/auth.py b/python/policygenerators/auth.py
new file mode 100644
index 0000000..eb6bda5
--- /dev/null
+++ b/python/policygenerators/auth.py
@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Copyright (c) 2019 Red Hat, Inc.
+# Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
+
+import os.path
+
+from .configgenerator import ConfigGenerator
+
+class AuthGenerator(ConfigGenerator):
+ CONFIG_NAME = 'auth'
+ SCOPES = {'auth'}
+
+ RELOAD_CMD = '/usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :\n'
+
+ @classmethod
+ def generate_config(cls, policy):
+ p = policy.enabled
+ sep = '\n'
+ s = ''
+ authopt_data = p['authopt']
+ if len(authopt_data) > 0:
+ auth_profile = authopt_data.pop(0)
+ opt_list = []
+ for item in authopt_data:
+ if item not in opt_list:
+ if item.startswith('with'):
+ opt_list.append(item)
+ s = cls.append(s, auth_profile, sep)
+ for item in opt_list:
+ s = cls.append(s, item, sep)
+ return s
+
+ @classmethod
+ def test_config(cls, config): # pylint: disable=unused-argument
+ return True
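Review bot: `auth_profile = authopt_data.pop(0)` mutates the list stored in `policy.enabled['authopt']`; whether `cp.scoped()` copies that list is not visible here, so a second consumer of the same policy object could find the profile name missing — `auth_profile, *options = authopt_data` reads it without side effects. The header copies `Copyright (c) 2019 Red Hat, Inc.` and Tomáš Mráz's line onto a file this 2024 commit introduces; the attribution should name the actual author and year. `test_config` unconditionally returns True, so a profile that does not exist under authselect is only detected when auth_apply.sh runs; a docstring stating that validation is deferred to activation would make that explicit. Tokens not starting with `with` are dropped silently, which hides typos in .pmod files.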
diff --git a/python/policygenerators/bind.py b/python/policygenerators/bind.py
index afff885..d5216f0 100644
--- a/python/policygenerators/bind.py
+++ b/python/policygenerators/bind.py
@@ -32,6 +32,7 @@ class BindGenerator(ConfigGenerator):
'SHA2-256': 'SHA-256',
'SHA2-384': 'SHA-384',
'GOST': 'GOST',
+ 'GOSTR94': 'GOST',
}
@classmethod
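Review bot: `'GOSTR94': 'GOST'` maps a second policy name onto the same BIND digest identifier as `'GOST'`, and the updated tests/outputs/DEFAULT-bind.txt in this patch now expects `GOST;` twice inside `disable-ds-digests`. Whether named tolerates a repeated entry in that list is not visible here; if the generator builds the block by straight map lookup (outside this hunk), deduplicate the mapped names before emitting, e.g. `list(dict.fromkeys(mapped))` to keep order, so the expected output returns to a single `GOST;`.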
diff --git a/python/policygenerators/java.py b/python/policygenerators/java.py
index fd48b91..1f21a45 100644
--- a/python/policygenerators/java.py
+++ b/python/policygenerators/java.py
@@ -21,7 +21,8 @@ class JavaGenerator(ConfigGenerator):
'SHA3-256':'SHA3_256',
'SHA3-384':'SHA3_384',
'SHA3-512':'SHA3_512',
- 'GOST':''
+ 'GOST':'',
+ 'GOSTR94': ''
}
cipher_not_map = {
diff --git a/python/policygenerators/nss.py b/python/policygenerators/nss.py
index 86bd308..325a70b 100644
--- a/python/policygenerators/nss.py
+++ b/python/policygenerators/nss.py
@@ -36,7 +36,8 @@ class NSSGenerator(ConfigGenerator):
'SHA3-256':'',
'SHA3-384':'',
'SHA3-512':'',
- 'GOST':''
+ 'GOST':'',
+ 'GOSTR94': ''
}
curve_map = {
diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py
index c3b5385..5f98aa1 100644
--- a/python/policygenerators/openssl.py
+++ b/python/policygenerators/openssl.py
@@ -2,11 +2,33 @@
# Copyright (c) 2019 Red Hat, Inc.
# Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
+import platform
from subprocess import check_output, CalledProcessError
from .configgenerator import ConfigGenerator
+arch, links = platform.architecture()
+library_path = '64'
+if arch == '32bit':
+ library_path = ''
+
+GOST_MODULE_ENABLE = '''
+
+[ default_modules ]
+engines = engine_gost
+
+[ engine_gost ]
+gost = gost_section
+
+[ gost_section ]
+engine_id = gost
+dynamic_path = /usr/lib%s/engines-1.1/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
+
+''' % (library_path)
+
class OpenSSLGenerator(ConfigGenerator):
CONFIG_NAME = 'openssl'
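Review bot: `arch, links = platform.architecture()` decides at import time between `/usr/lib` and `/usr/lib64` from the Python interpreter's bitness, not from where the distribution installs OpenSSL engines, so a 32-bit interpreter on a 64-bit host writes a `dynamic_path` that does not exist; `links` is unused. A build-time constant (or a value passed in from the Makefile) is more reliable than interpreter introspection, and until then the assumption deserves a comment on the `library_path` line: `# assumes interpreter bitness matches the system libdir — TODO confirm`. The path names `engines-1.1` while the normalisation added in build-crypto-policies.py expects `engines-3`, and OpenSSL 3 deprecates the ENGINE API in favour of providers, so the `GOST_MODULE_ENABLE` block should state which OpenSSL and gost-engine versions it targets.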
@@ -38,7 +60,8 @@ class OpenSSLGenerator(ConfigGenerator):
'DHE-PSK':'kDHEPSK',
'DHE-RSA':'kEDH',
'DHE-DSS':'',
- 'ECDHE-PSK':'kECDHEPSK'
+ 'ECDHE-PSK':'kECDHEPSK',
+ 'VKO-GOST-2012': 'kGOST'
}
key_exchange_not_map = {
@@ -65,6 +88,8 @@ class OpenSSLGenerator(ConfigGenerator):
'CHACHA20-POLY1305':'TLS_CHACHA20_POLY1305_SHA256',
'AES-128-CCM':'TLS_AES_128_CCM_SHA256',
'AES-128-CCM8':'TLS_AES_128_CCM_8_SHA256',
+ 'GOST28147-TC26Z-CNT': 'GOST2012-GOST8912-GOST8912',
+ 'GOST28147-CPA-CNT': 'GOST2001-GOST89-GOST89'
}
@classmethod
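Review bot: `'GOST28147-CPA-CNT': 'GOST2001-GOST89-GOST89'` keys on a cipher name this patch never adds to `ALL_CIPHERS` in alg_lists.py (the additions are `GOST28147-CPA-CFB` and `GOST28147-TC26Z-CNT`), so no policy can enable it and the entry is unreachable, while `GOST28147-CPA-CFB` from the GOST policies has no OpenSSL mapping at all. If `GOST2001-GOST89-GOST89` is the suite intended for the CryptoPro-A parameter set, the key should be `'GOST28147-CPA-CFB'`; otherwise add the CNT name to `ALL_CIPHERS` and the policies. The surrounding entries (`TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_CCM_SHA256`) are TLS 1.3 suite names, whereas the GOST names look like TLS ≤1.2 cipher strings, so confirm this map feeds the list OpenSSL expects them in; the enclosing class continues outside the hunk.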
@@ -222,6 +247,9 @@ class OpenSSLConfigGenerator(OpenSSLGenerator):
for i in p['sign'] if i in cls.sign_map]
s += 'SignatureAlgorithms = ' + ':'.join(sig_algs)
+ if 'GOST' in p['action_do']:
+ s += GOST_MODULE_ENABLE
+
return s
@classmethod
diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh
new file mode 100755
index 0000000..5b2ecad
--- /dev/null
+++ b/scripts/auth_apply.sh
@@ -0,0 +1,204 @@
+#!/usr/bin/bash
+exec 1> /var/log/crypto-cmc/auth.log 2>&1
+set -x
+# Скрипт настройки профиля authselect для crypto-policy
+# Примеры запуска:
+# auth_apply.sh -e - восстановить конфигурацию без указания auth профиля
+# auth_apply.sh -p tmp/ - считать что конфигурационные файлы authselect лежат в каталоге tmp
+# auth_apply.sh -p /tmp -t /tmpconf - аналигично предыдущему, но еще не вызывать authselect
+# и считать, что сгенерированный конфиг лежит в каталоге tmpconf
+
+CONF_PATH=/etc/authselect/
+AUTH_SEL_BAK=authselect.conf.policy
+AUTH_CONFIG=authselect.conf
+EMPTY=0
+TEST=""
+AUTH_BACKUP_NAME="auth_saved_profile"
+USE_PATCH="$CONF_PATH/autheslect.patch"
+
+function set_gost
+{
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/system-auth
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/password-auth
+
+}
+
+function set_no_gost
+{
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/system-auth
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/password-auth
+}
+
+function get_auth_options
+{
+ /usr/bin/cat /etc/crypto-policies/back-ends/auth.config | tr '\n' ' '
+}
+
+function save_restored_profile
+{
+ if [ ! -e /etc/authselect/custom/restored ];then
+ /usr/bin/authselect create-profile restored
+ [ -e /etc/pam.d/fingerprint-auth ] && /usr/bin/cp -f /etc/pam.d/fingerprint-auth /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/password-auth ] && /usr/bin/cp -f /etc/pam.d/password-auth /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/postlogin ] && /usr/bin/cp -f /etc/pam.d/postlogin /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/smartcard-auth ] && /usr/bin/cp -f /etc/pam.d/smartcard-auth /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/system-auth ] && /usr/bin/cp -f /etc/pam.d/system-auth /etc/authselect/custom/restored/
+ [ -e /etc/authselect/user-nsswitch.conf ] && /usr/bin/cp -f /etc/authselect/user-nsswitch.conf /etc/authselect/custom/restored/nsswitch.conf
+ fi
+}
+
+while getopts ':et:p:h' VAL ; do
+ case $VAL in
+ e ) EMPTY=1 ;;
+ p ) CONF_PATH="$OPTARG" ;;
+ t ) TEST="$OPTARG" ;;
+ : )
+ echo "Необходим параметр - путь к опции $OPTARG"
+ exit 255
+ ;;
+ * )
+ echo "Неизвестный параметр $OPTARG"
+ exit 255
+ ;;
+ esac
+done
+shift $((OPTIND -1))
+
+# Если заданный путь к кинфигурации authselect заканчивается на /
+# то удалим этот символ
+LAST_SYMBOL=${CONF_PATH: -1}
+if [ "$LAST_SYMBOL" = "/" ];then
+ CONF_PATH=${CONF_PATH%?}
+fi
+LAST_SYMBOL=${TEST: -1}
+if [ "$LAST_SYMBOL" = "/" ];then
+ TEST=${TEST%?}
+fi
+
+if [ -z "$TEST" ];then
+ POLICY_CONFIG=/etc/crypto-policies/back-ends/auth.config
+else
+ POLICY_CONFIG="$TEST/auth.config"
+ if [[ "$POLICY_CONFIG" == "/*" ]];then
+ :
+ else
+ CUR_DIR=$(pwd)
+ POLICY_CONFIG="$CUR_DIR/$POLICY_CONFIG"
+ fi
+fi
+
+PATH_TO_AUTH_SEL_BAK="$CONF_PATH/$AUTH_SEL_BAK"
+PATH_TO_AUTH_CONFIG="$CONF_PATH/$AUTH_CONFIG"
+
+# Дополнительная проверка, файл authselect.conf не должен быть пустым
+# или соедржать слово empty--data, иначе это признак empty
+if [ -e "$PATH_TO_AUTH_CONFIG" ];then
+ AUTH_CONF_CONT=$(/usr/bin/cat "$POLICY_CONFIG" | /usr/bin/xargs)
+ if [ -z "$AUTH_CONF_CONT" -o "$AUTH_CONF_CONT" = "empty--data" ];then
+ EMPTY=1
+ fi
+else
+ EMPTY=2
+fi
+
+# Проверим, нужно ли накладывать патч. Установлено ли это конфигурацией
+NEED_PATCH=0
+if [ -e "$POLICY_CONFIG" ];then
+ RES=$(cat "$POLICY_CONFIG")
+ if [ "$RES" = "patch" ];then
+ NEED_PATCH=1
+ fi
+fi
+
+# Если задан параметр empty, это значит, что применяется профиль
+# без настройки для authselect, в этом случае нужно восстановить
+# старый заданный профиль
+# TODO: возможно даже воспользоватьс командой
+# authselect backup-restore auth_saved_profile
+# данный снимок создается при профиля через crypto-policy
+if [ "$EMPTY" = "1" ];then
+# Если есть файл authselect.patch, значит профиль был пропатчен,
+# а не установлен через профиль
+ if [ -e "$USE_PATCH" ];then
+ set_no_gost
+ /usr/bin/mv -f "$USE_PATCH" "$USE_PATCH.removed"
+ else
+ if [ -e "$PATH_TO_AUTH_SEL_BAK" ];then
+# Только root может восстанавливать конфигурацию из резервной копии
+# дабыизбежать подлога и восстановления файла, созданного пользователем
+ OWNER_UID=$(/usr/bin/stat -c "%u" "$PATH_TO_AUTH_SEL_BAK")
+ if [ "$OWNER_UID" = "0" ];then
+ /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG"
+ fi
+ AUTH_CONT=$(cat "$PATH_TO_AUTH_CONFIG")
+# Есди файл настроек authselect пустой после восстановления
+# значит он создан ранее скриптом и его нужно убрать
+ if [ -z "$AUTH_CONT" ];then
+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed"
+ fi
+ else
+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed"
+ fi
+ if [ -e "$PATH_TO_AUTH_CONFIG" ];then
+ /usr/bin/authselect apply-changes
+ else
+ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then
+ /usr/bin/authselect backup-restore "$AUTH_BACKUP_NAME"
+ else
+ if [ -e /etc/authselect/custom/resored ];then
+ /usr/bin/authselect select custom/restored --force
+ fi
+ fi
+ fi
+ fi
+ exit 0
+fi
+
+# Здесь проверяется куда указывает симлинк(если создан) конфигурационного файла
+# если он смотрит на policy конфигурационный файл, то ничего не делаем, т.к. все уже сделано до нас
+if [ "$EMPTY" = "2" ];then
+ if [ "$NEED_PATCH" = "1" ];then
+ set_gost
+ touch "$USE_PATCH"
+ else
+ OPTS_FOR_EXECUTE=$(get_auth_options)
+ if [ -n "$OPTS_FOR_EXECUTE" ];then
+ save_restored_profile
+ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then
+ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force
+ else
+ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force --backup=auth_saved_profile
+ fi
+ #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ /usr/bin/authselect apply-changes
+ touch "$PATH_TO_AUTH_SEL_BAK"
+ fi
+ fi
+else
+ if [ "$NEED_PATCH" = "1" ];then
+ set_gost
+ touch "$USE_PATCH"
+ else
+# Если не найден файл маркер, то создается файл бэкапа для authselect
+# а так же создается файл маркер
+ if [ ! -e "$PATH_TO_AUTH_SEL_BAK" ];then
+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_SEL_BAK"
+ EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG")
+ if [ -n "$EMPTY_AUTH" ];then
+ if [ ! -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then
+ /usr/bin/authselect apply-changes --backup="$AUTH_BACKUP_NAME"
+ fi
+ fi
+ fi
+
+ #LINK_VALUE=$(/usr/bin/readlink "$PATH_TO_AUTH_CONFIG")
+ #if [ "$LINK_VALUE" != "$POLICY_CONFIG" ];then
+ # #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ #fi
+ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ /usr/bin/authselect apply-changes
+ fi
+fi
+
+exit 0
\ No newline at end of file
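Review bot: `if [[ "$POLICY_CONFIG" == "/*" ]]` never matches a real absolute path, because a quoted right-hand side inside `[[ ]]` is compared literally, so every `-t` value is prefixed with `$(pwd)`; it should read `if [[ "$POLICY_CONFIG" == /* ]];then`. Further down, authselect.conf is moved to the backup name and then read back from its old path (`EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG")` right after the `mv`), so `EMPTY_AUTH` is always empty and the `--backup="$AUTH_BACKUP_NAME"` snapshot is never taken — read the content before the move or read `$PATH_TO_AUTH_SEL_BAK`. Two path literals are misspelled, `autheslect.patch` in `USE_PATCH` and `/etc/authselect/custom/resored` in the restore fallback, so the marker file differs from the `authselect.patch` the comments describe and the `custom/restored` fallback can never trigger; `USE_PATCH` is also expanded before `getopts` can change `CONF_PATH`, so `-p` does not affect it. The earlier existence check `if [ -e "$PATH_TO_AUTH_CONFIG" ]` guards a `cat` of `$POLICY_CONFIG`, a different file. Finally, `exec 1> /var/log/crypto-cmc/auth.log 2>&1` aborts the whole script when that directory is absent and, combined with `set -x`, writes a full execution trace there, so create the directory first and consider whether the trace belongs in a persistent log.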
diff --git a/tests/gnutls.pl b/tests/gnutls.pl
index c0901d3..57a42ef 100755
--- a/tests/gnutls.pl
+++ b/tests/gnutls.pl
@@ -19,6 +19,7 @@ foreach my $policyfile (@gnutlspolicies) {
$policy =~ s/-[^-]+$//;
print "Checking policy $policy\n";
+ next if $policy =~ /^GOST-ONLY/;
my $tmp = do {
local $/ = undef;
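Review bot: The skip rule for the GOST policies is now spelled differently in every test script: this file skips by prefix with `next if $policy =~ /^GOST-ONLY/;`, tests/java.pl uses the same prefix written as a string, while tests/nss.py and tests/openssl.pl enumerate the exact names EMPTY, GOST-ONLY and GOST-ONLY-PAM, so a future GOST-ONLY-* variant would be silently skipped by the Perl checks and fail the Python and OpenSSL ones. One shared rule — a single prefix or a single list used by all four — would keep the suites consistent. The `next` here also runs before the output file is opened, so a missing or empty GOST-ONLY gnutls file is never noticed; a guard such as `-s $policyfile or die "empty output for $policy";` before the skip would keep that coverage, and a one-line comment stating why these policies cannot be validated (presumably no TLS ciphersuites for gnutls-cli to check — confirm) would explain the exception to the next reader. The enclosing foreach loop begins and ends outside this hunk.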
diff --git a/tests/java.pl b/tests/java.pl
index cbe26df..91158d2 100755
--- a/tests/java.pl
+++ b/tests/java.pl
@@ -57,7 +57,7 @@ foreach my $policyfile (@javapolicies) {
exit 1;
}
- if ($lines <= 1) {
+ if ($lines <= 1 and not("$policy" =~ "^GOST-ONLY") ) {
print "Policy $policy has no ciphersuites!\n";
system("cat $TMPFILE");
exit 1;
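Review bot: `not("$policy" =~ "^GOST-ONLY")` interpolates the variable into a fresh string and uses a plain string as the pattern; Perl accepts it, but it hides the regex and the `not(...)` wrapper is needless when the negated match operator exists. The idiomatic line is `if ($lines <= 1 and $policy !~ /^GOST-ONLY/) {`. Note that this only suppresses the "no ciphersuites" failure; the earlier checks in the loop body (outside this hunk) still run against the GOST-ONLY output, which looks intentional but deserves a short comment such as `# GOST-ONLY* policies legitimately have no TLS ciphersuites`.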
diff --git a/tests/nss.py b/tests/nss.py
index dbbf8e8..d5d7ef8 100755
--- a/tests/nss.py
+++ b/tests/nss.py
@@ -32,7 +32,7 @@ print('Checking the NSS configuration')
for policy_path in glob.glob('tests/outputs/*-nss.txt'):
policy = os.path.basename(policy_path)[:-len('-nss.txt')]
print(f'Checking policy {policy}')
- if policy not in ('EMPTY', 'GOST-ONLY'):
+ if policy not in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM'):
p = subprocess.Popen(['nss-policy-check', policy_path],
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
diff --git a/tests/openssl.pl b/tests/openssl.pl
index c43c337..72e6888 100755
--- a/tests/openssl.pl
+++ b/tests/openssl.pl
@@ -26,8 +26,10 @@ foreach my $policyfile (@opensslpolicies) {
or die "could not open $file: $!";
<$fh>;
};
+
+ my %skip_test = map {$_ => 1} ("EMPTY", "GOST-ONLY", "GOST-ONLY-PAM");
- system("openssl ciphers $tmp >$TMPFILE 2>&1") if $policy ne 'EMPTY';
+ system("openssl ciphers $tmp >$TMPFILE 2>&1") unless exists $skip_test{$policy};
if ($? != 0) {
print "Error in OpenSSL policy for $policy\n";
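Review bot: `my %skip_test` is declared inside the foreach body, so the hash is rebuilt on every iteration; it belongs once before the loop (the loop header is outside this hunk) as `my %skip_test = map { $_ => 1 } qw(EMPTY GOST-ONLY GOST-ONLY-PAM);`. Separately, the `if ($? != 0)` test on the following line still executes when the `system()` call was skipped, so for a skipped policy it inspects whatever `$?` an earlier command left behind; the pre-existing EMPTY special case had the same shape, but the commit widens it to three policies. If nothing later in the loop is needed for skipped policies, `next if exists $skip_test{$policy};` placed before the `system()` call makes the skip explicit and removes the stale-status read.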
diff --git a/tests/outputs/DEFAULT-auth.txt b/tests/outputs/DEFAULT-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/DEFAULT-bind.txt b/tests/outputs/DEFAULT-bind.txt
index aad9c13..dd1929f 100644
--- a/tests/outputs/DEFAULT-bind.txt
+++ b/tests/outputs/DEFAULT-bind.txt
@@ -6,4 +6,5 @@ NSEC3DSA;
};
disable-ds-digests "." {
GOST;
+GOST;
};
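Review bot: The updated DEFAULT expectation now lists `GOST;` twice inside `disable-ds-digests`, and the same duplicated line is committed in DEFAULT:NO-SHA1-bind.txt, DEFAULT:PAM-GOST-bind.txt and DEFAULT:PATCH-PAM-GOST-bind.txt, while the new DEFAULT:GOST-bind.txt carries it only once. Recording the duplicate as expected output freezes what looks like a generator regression — presumably the GOST additions in python/cryptopolicies/alg_lists.py now map two list entries onto the same BIND digest name (confirm against that hunk) — instead of catching it. Whether named tolerates the repeated token is secondary; the expectation should read `GOST;` once, with the generator deduplicating its output before the test fixtures are regenerated.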
diff --git a/tests/outputs/DEFAULT:GOST-auth.txt b/tests/outputs/DEFAULT:GOST-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/DEFAULT:GOST-bind.txt b/tests/outputs/DEFAULT:GOST-bind.txt
new file mode 100644
index 0000000..aad9c13
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-bind.txt
@@ -0,0 +1,9 @@
+disable-algorithms "." {
+RSAMD5;
+ECCGOST;
+DSA;
+NSEC3DSA;
+};
+disable-ds-digests "." {
+GOST;
+};
diff --git a/tests/outputs/DEFAULT:GOST-gnutls.txt b/tests/outputs/DEFAULT:GOST-gnutls.txt
new file mode 100644
index 0000000..1f36982
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-gnutls.txt
@@ -0,0 +1 @@
+SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
diff --git a/tests/outputs/DEFAULT:GOST-java.txt b/tests/outputs/DEFAULT:GOST-java.txt
new file mode 100644
index 0000000..baafc5b
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:GOST-javasystem.txt b/tests/outputs/DEFAULT:GOST-javasystem.txt
new file mode 100644
index 0000000..108de3d
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-javasystem.txt
@@ -0,0 +1 @@
+jdk.tls.ephemeralDHKeySize=2048
diff --git a/tests/outputs/DEFAULT:GOST-krb5.txt b/tests/outputs/DEFAULT:GOST-krb5.txt
new file mode 100644
index 0000000..8a92aec
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
diff --git a/tests/outputs/DEFAULT:GOST-libreswan.txt b/tests/outputs/DEFAULT:GOST-libreswan.txt
new file mode 100644
index 0000000..1d8ffd9
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-libreswan.txt
@@ -0,0 +1,5 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
diff --git a/tests/outputs/DEFAULT:GOST-libssh.txt b/tests/outputs/DEFAULT:GOST-libssh.txt
new file mode 100644
index 0000000..11c0ffc
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:GOST-nss.txt b/tests/outputs/DEFAULT:GOST-nss.txt
new file mode 100644
index 0000000..846beb2
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:GOST-openssh.txt b/tests/outputs/DEFAULT:GOST-openssh.txt
new file mode 100644
index 0000000..6d30013
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-openssh.txt
@@ -0,0 +1,6 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
diff --git a/tests/outputs/DEFAULT:GOST-opensshserver.txt b/tests/outputs/DEFAULT:GOST-opensshserver.txt
new file mode 100644
index 0000000..b43a591
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-opensshserver.txt
@@ -0,0 +1 @@
+CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:GOST-openssl.txt b/tests/outputs/DEFAULT:GOST-openssl.txt
new file mode 100644
index 0000000..05615c7
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:GOST-openssl_fips.txt b/tests/outputs/DEFAULT:GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
new file mode 100644
index 0000000..f61edd1
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
@@ -0,0 +1,20 @@
+CipherString = @SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = GOST2012-GOST8912-GOST8912:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
+
+[ default_modules ]
+engines = engine_gost
+
+[ engine_gost ]
+gost = gost_section
+
+[ gost_section ]
+engine_id = gost
+dynamic_path = /usr/lib64/engines-1.1/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
+
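Review bot: The engine section hardcodes `dynamic_path = /usr/lib64/engines-1.1/gost.so`, which ties the generated OpenSSL configuration to the OpenSSL 1.1 engine directory and to a single libdir; OpenSSL 3 installs engines under an `engines-3` directory, so on such a system the engine fails to load and the `kGOST` entry in CipherString and the GOST2012 ciphersuite are silently unavailable. Making the path a generator-side value derived from the target OpenSSL version, or dropping `dynamic_path` so `engine_id = gost` is resolved through OpenSSL's default engine search path (verify this works on the target release), would be more robust, and the generator should carry a comment naming the OpenSSL version the path is valid for. `default_algorithms = ALL` also registers the engine as the default implementation for every algorithm it provides, not only the GOST ones; that choice is worth stating in the GOST module's documentation.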
diff --git a/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
new file mode 100644
index 0000000..cec1d15
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "always"
+sha1.second_preimage_resistance = "always"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "always"
+dsa2048 = "always"
+dsa3072 = "always"
+dsa4096 = "always"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
diff --git a/tests/outputs/DEFAULT:GOST-sequoia.txt b/tests/outputs/DEFAULT:GOST-sequoia.txt
new file mode 100644
index 0000000..135997c
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "never"
+sha1.second_preimage_resistance = "never"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "never"
+dsa2048 = "never"
+dsa3072 = "never"
+dsa4096 = "never"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
diff --git a/tests/outputs/DEFAULT:NO-SHA1-auth.txt b/tests/outputs/DEFAULT:NO-SHA1-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/DEFAULT:NO-SHA1-bind.txt b/tests/outputs/DEFAULT:NO-SHA1-bind.txt
index 293b4c9..d77b344 100644
--- a/tests/outputs/DEFAULT:NO-SHA1-bind.txt
+++ b/tests/outputs/DEFAULT:NO-SHA1-bind.txt
@@ -9,4 +9,5 @@ NSEC3DSA;
disable-ds-digests "." {
SHA-1;
GOST;
+GOST;
};
diff --git a/tests/outputs/DEFAULT:PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PAM-GOST-auth.txt
new file mode 100644
index 0000000..110527f
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-auth.txt
@@ -0,0 +1,2 @@
+custom/minimal_gost
+with-gost
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PAM-GOST-bind.txt
new file mode 100644
index 0000000..dd1929f
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-bind.txt
@@ -0,0 +1,10 @@
+disable-algorithms "." {
+RSAMD5;
+ECCGOST;
+DSA;
+NSEC3DSA;
+};
+disable-ds-digests "." {
+GOST;
+GOST;
+};
diff --git a/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
new file mode 100644
index 0000000..1f36982
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
@@ -0,0 +1 @@
+SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
diff --git a/tests/outputs/DEFAULT:PAM-GOST-java.txt b/tests/outputs/DEFAULT:PAM-GOST-java.txt
new file mode 100644
index 0000000..baafc5b
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
new file mode 100644
index 0000000..108de3d
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
@@ -0,0 +1 @@
+jdk.tls.ephemeralDHKeySize=2048
diff --git a/tests/outputs/DEFAULT:PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt
new file mode 100644
index 0000000..8a92aec
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
diff --git a/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
new file mode 100644
index 0000000..1d8ffd9
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
@@ -0,0 +1,5 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
diff --git a/tests/outputs/DEFAULT:PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt
new file mode 100644
index 0000000..11c0ffc
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PAM-GOST-nss.txt
new file mode 100644
index 0000000..846beb2
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt
new file mode 100644
index 0000000..6d30013
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt
@@ -0,0 +1,6 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
new file mode 100644
index 0000000..b43a591
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
@@ -0,0 +1 @@
+CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt
new file mode 100644
index 0000000..1691be8
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
new file mode 100644
index 0000000..3a15cad
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
@@ -0,0 +1,7 @@
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt
new file mode 100644
index 0000000..dbcae14
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt
@@ -0,0 +1 @@
+patch
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
new file mode 100644
index 0000000..dd1929f
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
@@ -0,0 +1,10 @@
+disable-algorithms "." {
+RSAMD5;
+ECCGOST;
+DSA;
+NSEC3DSA;
+};
+disable-ds-digests "." {
+GOST;
+GOST;
+};
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
new file mode 100644
index 0000000..1f36982
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
@@ -0,0 +1 @@
+SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
new file mode 100644
index 0000000..baafc5b
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
new file mode 100644
index 0000000..108de3d
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
@@ -0,0 +1 @@
+jdk.tls.ephemeralDHKeySize=2048
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
new file mode 100644
index 0000000..8a92aec
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
new file mode 100644
index 0000000..1d8ffd9
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
@@ -0,0 +1,5 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
new file mode 100644
index 0000000..11c0ffc
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
new file mode 100644
index 0000000..846beb2
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
new file mode 100644
index 0000000..6d30013
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
@@ -0,0 +1,6 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
new file mode 100644
index 0000000..b43a591
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
@@ -0,0 +1 @@
+CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
new file mode 100644
index 0000000..1691be8
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
new file mode 100644
index 0000000..3a15cad
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
@@ -0,0 +1,7 @@
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:SHA1-auth.txt b/tests/outputs/DEFAULT:SHA1-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
new file mode 100644
index 0000000..4884073
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
@@ -0,0 +1,4 @@
+custom/sssd_gost
+with-gost
+with-fingerprint
+with-silent-lastlog
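Review bot: The SSSD-PAM-GOST auth output enables `with-fingerprint` and `with-silent-lastlog` alongside `with-gost`, so selecting a cryptographic policy also switches on fingerprint authentication as a side effect; that widens the set of accepted login methods, which an administrator would not expect from a cipher policy. If these lines are consumed as authselect features (the sssd_gost profile files are outside this hunk), consider emitting only `custom/sssd_gost` and `with-gost` and leaving the optional features to the administrator, or at least stating this behaviour in the sssd_gost README. The GOST-ONLY-PAM auth fixture below emits only the profile and `with-gost`, so the two PAM modules are currently inconsistent.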
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
new file mode 100644
index 0000000..dd1929f
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
@@ -0,0 +1,10 @@
+disable-algorithms "." {
+RSAMD5;
+ECCGOST;
+DSA;
+NSEC3DSA;
+};
+disable-ds-digests "." {
+GOST;
+GOST;
+};
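Review bot: The bind output lists `GOST;` twice under `disable-ds-digests`, and the same duplicate is appended to the existing EMPTY-bind, FIPS-bind, FIPS:ECDHE-ONLY-bind, FIPS:OSPP-bind, FUTURE-bind and LEGACY-bind fixtures further down. This suggests the GOST digest added to alg_lists maps to the bind DS-digest name `GOST` that an existing entry already emits, so the generator prints it twice; the generator itself is outside this hunk. I cannot confirm from here whether named tolerates a repeated name in `disable-ds-digests`, but the fixture is at best misleading and at worst a configuration named rejects. Either give the new alg_lists entry a distinct bind name or de-duplicate the bind list in the generator before emitting, then regenerate these fixtures.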
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
new file mode 100644
index 0000000..1f36982
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
@@ -0,0 +1 @@
+SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
new file mode 100644
index 0000000..baafc5b
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
new file mode 100644
index 0000000..108de3d
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
@@ -0,0 +1 @@
+jdk.tls.ephemeralDHKeySize=2048
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
new file mode 100644
index 0000000..8a92aec
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
new file mode 100644
index 0000000..1d8ffd9
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
@@ -0,0 +1,5 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
new file mode 100644
index 0000000..11c0ffc
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
new file mode 100644
index 0000000..846beb2
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
new file mode 100644
index 0000000..6d30013
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
@@ -0,0 +1,6 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
new file mode 100644
index 0000000..b43a591
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
@@ -0,0 +1 @@
+CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
new file mode 100644
index 0000000..1691be8
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
new file mode 100644
index 0000000..3a15cad
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
@@ -0,0 +1,7 @@
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
\ No newline at end of file
diff --git a/tests/outputs/EMPTY-auth.txt b/tests/outputs/EMPTY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/EMPTY-bind.txt b/tests/outputs/EMPTY-bind.txt
index cbba221..54afa34 100644
--- a/tests/outputs/EMPTY-bind.txt
+++ b/tests/outputs/EMPTY-bind.txt
@@ -19,4 +19,5 @@ SHA-256;
SHA-384;
SHA-1;
GOST;
+GOST;
};
diff --git a/tests/outputs/FIPS-auth.txt b/tests/outputs/FIPS-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS-bind.txt b/tests/outputs/FIPS-bind.txt
index d70f4ae..0fc1346 100644
--- a/tests/outputs/FIPS-bind.txt
+++ b/tests/outputs/FIPS-bind.txt
@@ -11,4 +11,5 @@ ED448;
disable-ds-digests "." {
SHA-1;
GOST;
+GOST;
};
diff --git a/tests/outputs/FIPS:ECDHE-ONLY-auth.txt b/tests/outputs/FIPS:ECDHE-ONLY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS:ECDHE-ONLY-bind.txt b/tests/outputs/FIPS:ECDHE-ONLY-bind.txt
index d70f4ae..0fc1346 100644
--- a/tests/outputs/FIPS:ECDHE-ONLY-bind.txt
+++ b/tests/outputs/FIPS:ECDHE-ONLY-bind.txt
@@ -11,4 +11,5 @@ ED448;
disable-ds-digests "." {
SHA-1;
GOST;
+GOST;
};
diff --git a/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt b/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS:OSPP-auth.txt b/tests/outputs/FIPS:OSPP-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS:OSPP-bind.txt b/tests/outputs/FIPS:OSPP-bind.txt
index d70f4ae..0fc1346 100644
--- a/tests/outputs/FIPS:OSPP-bind.txt
+++ b/tests/outputs/FIPS:OSPP-bind.txt
@@ -11,4 +11,5 @@ ED448;
disable-ds-digests "." {
SHA-1;
GOST;
+GOST;
};
diff --git a/tests/outputs/FUTURE-auth.txt b/tests/outputs/FUTURE-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FUTURE-bind.txt b/tests/outputs/FUTURE-bind.txt
index 293b4c9..d77b344 100644
--- a/tests/outputs/FUTURE-bind.txt
+++ b/tests/outputs/FUTURE-bind.txt
@@ -9,4 +9,5 @@ NSEC3DSA;
disable-ds-digests "." {
SHA-1;
GOST;
+GOST;
};
diff --git a/tests/outputs/FUTURE:AD-SUPPORT-auth.txt b/tests/outputs/FUTURE:AD-SUPPORT-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-PAM-auth.txt b/tests/outputs/GOST-ONLY-PAM-auth.txt
new file mode 100644
index 0000000..110527f
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-auth.txt
@@ -0,0 +1,2 @@
+custom/minimal_gost
+with-gost
\ No newline at end of file
diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt
new file mode 100644
index 0000000..cbba221
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-bind.txt
@@ -0,0 +1,22 @@
+disable-algorithms "." {
+RSAMD5;
+ECCGOST;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+RSASHA256;
+ECDSAP256SHA256;
+ECDSAP384SHA384;
+RSASHA512;
+ED25519;
+ED448;
+ECDSAP256SHA256;
+ECDSAP384SHA384;
+};
+disable-ds-digests "." {
+SHA-256;
+SHA-384;
+SHA-1;
+GOST;
+};
diff --git a/tests/outputs/GOST-ONLY-PAM-gnutls.txt b/tests/outputs/GOST-ONLY-PAM-gnutls.txt
new file mode 100644
index 0000000..2563be5
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-gnutls.txt
@@ -0,0 +1 @@
+SYSTEM=NONE:+MAC-ALL:-SHA1:-SHA256:-SHA384:-SHA512:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-SECP256R1:-GROUP-SECP384R1:-GROUP-SECP521R1:-GROUP-X448:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-GROUP-FFDHE4096:-GROUP-FFDHE8192:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-RSA-SHA224:-SIGN-DSA-SHA224:-SIGN-ECDSA-SHA224:-SIGN-RSA-SHA256:-SIGN-DSA-SHA256:-SIGN-ECDSA-SHA256:-SIGN-RSA-SHA384:-SIGN-DSA-SHA384:-SIGN-ECDSA-SHA384:-SIGN-RSA-SHA512:-SIGN-DSA-SHA512:-SIGN-ECDSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-RSAE-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-RSAE-SHA384:-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA512:+CIPHER-ALL:-AES-256-GCM:-AES-256-CCM:-AES-128-GCM:-AES-128-CCM:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-AES-256-CBC:-AES-128-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-DTLS1.2:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt
new file mode 100644
index 0000000..a2c07ad
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-java.txt
@@ -0,0 +1,4 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/GOST-ONLY-PAM-javasystem.txt b/tests/outputs/GOST-ONLY-PAM-javasystem.txt
new file mode 100644
index 0000000..108de3d
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-javasystem.txt
@@ -0,0 +1 @@
+jdk.tls.ephemeralDHKeySize=2048
diff --git a/tests/outputs/GOST-ONLY-PAM-krb5.txt b/tests/outputs/GOST-ONLY-PAM-krb5.txt
new file mode 100644
index 0000000..b0b1480
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes =
diff --git a/tests/outputs/GOST-ONLY-PAM-libreswan.txt b/tests/outputs/GOST-ONLY-PAM-libreswan.txt
new file mode 100644
index 0000000..7dc12cd
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-libreswan.txt
@@ -0,0 +1,2 @@
+conn %default
+ pfs=yes
diff --git a/tests/outputs/GOST-ONLY-PAM-libssh.txt b/tests/outputs/GOST-ONLY-PAM-libssh.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-PAM-nss.txt b/tests/outputs/GOST-ONLY-PAM-nss.txt
new file mode 100644
index 0000000..bf6f1ca
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/GOST-ONLY-PAM-openssh.txt b/tests/outputs/GOST-ONLY-PAM-openssh.txt
new file mode 100644
index 0000000..15ddb71
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-openssh.txt
@@ -0,0 +1 @@
+GSSAPIKeyExchange no
diff --git a/tests/outputs/GOST-ONLY-PAM-opensshserver.txt b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt
new file mode 100644
index 0000000..dfe971d
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt
@@ -0,0 +1 @@
+CRYPTO_POLICY='-oGSSAPIKeyExchange=no'
\ No newline at end of file
diff --git a/tests/outputs/GOST-ONLY-PAM-openssl.txt b/tests/outputs/GOST-ONLY-PAM-openssl.txt
new file mode 100644
index 0000000..2acf9bf
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
\ No newline at end of file
diff --git a/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
new file mode 100644
index 0000000..aff0062
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
@@ -0,0 +1,18 @@
+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = GOST2012-GOST8912-GOST8912
+TLS.MinProtocol = TLSv1
+TLS.MaxProtocol = TLSv1.3
+SignatureAlgorithms =
+
+[ default_modules ]
+engines = engine_gost
+
+[ engine_gost ]
+gost = gost_section
+
+[ gost_section ]
+engine_id = gost
+dynamic_path = /usr/lib64/engines-1.1/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
+
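Review bot: `TLS.MinProtocol = TLSv1` in GOST-ONLY-PAM-opensslcnf.txt lowers the OpenSSL floor to TLS 1.0, while every other policy in this diff pins `TLSv1.2` and the GOST-ONLY NSS fixture likewise emits `tls-version-min=tls1.0:dtls-version-min=0`; unless the GOST suites are required on TLS 1.0/1.1, the floor should stay at `TLS.MinProtocol = TLSv1.2`. `SignatureAlgorithms =` is emitted empty, and how OpenSSL treats an empty value here (falls back to its default list versus a configuration error) should be confirmed rather than assumed. The `[gost_section]` hard-codes `dynamic_path = /usr/lib64/engines-1.1/gost.so`, an OpenSSL 1.1 engine directory, yet the same policy also emits an OpenSSL 3 `[fips_sect]` with `tls1-prf-ems-check`; on an OpenSSL 3 host engines live under `engines-3/` (or are replaced by a provider), so this path looks like it needs to follow the target OpenSSL version instead of being fixed in the generator. `Ciphersuites = GOST2012-GOST8912-GOST8912` looks like a TLS 1.2 suite name placed in the TLS 1.3 `Ciphersuites` directive — verify OpenSSL accepts it there. The identical content is generated for GOST-ONLY-opensslcnf.txt.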
diff --git a/tests/outputs/GOST-ONLY-auth.txt b/tests/outputs/GOST-ONLY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt
new file mode 100644
index 0000000..cbba221
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-bind.txt
@@ -0,0 +1,22 @@
+disable-algorithms "." {
+RSAMD5;
+ECCGOST;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+RSASHA256;
+ECDSAP256SHA256;
+ECDSAP384SHA384;
+RSASHA512;
+ED25519;
+ED448;
+ECDSAP256SHA256;
+ECDSAP384SHA384;
+};
+disable-ds-digests "." {
+SHA-256;
+SHA-384;
+SHA-1;
+GOST;
+};
diff --git a/tests/outputs/GOST-ONLY-gnutls.txt b/tests/outputs/GOST-ONLY-gnutls.txt
new file mode 100644
index 0000000..2563be5
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-gnutls.txt
@@ -0,0 +1 @@
+SYSTEM=NONE:+MAC-ALL:-SHA1:-SHA256:-SHA384:-SHA512:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-SECP256R1:-GROUP-SECP384R1:-GROUP-SECP521R1:-GROUP-X448:-GROUP-FFDHE2048:-GROUP-FFDHE3072:-GROUP-FFDHE4096:-GROUP-FFDHE8192:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-RSA-SHA224:-SIGN-DSA-SHA224:-SIGN-ECDSA-SHA224:-SIGN-RSA-SHA256:-SIGN-DSA-SHA256:-SIGN-ECDSA-SHA256:-SIGN-RSA-SHA384:-SIGN-DSA-SHA384:-SIGN-ECDSA-SHA384:-SIGN-RSA-SHA512:-SIGN-DSA-SHA512:-SIGN-ECDSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-RSAE-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-RSAE-SHA384:-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA512:+CIPHER-ALL:-AES-256-GCM:-AES-256-CCM:-AES-128-GCM:-AES-128-CCM:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-AES-256-CBC:-AES-128-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-DTLS1.2:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt
new file mode 100644
index 0000000..a2c07ad
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-java.txt
@@ -0,0 +1,4 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
+jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, SSLv2, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/GOST-ONLY-javasystem.txt b/tests/outputs/GOST-ONLY-javasystem.txt
new file mode 100644
index 0000000..108de3d
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-javasystem.txt
@@ -0,0 +1 @@
+jdk.tls.ephemeralDHKeySize=2048
diff --git a/tests/outputs/GOST-ONLY-krb5.txt b/tests/outputs/GOST-ONLY-krb5.txt
new file mode 100644
index 0000000..b0b1480
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes =
diff --git a/tests/outputs/GOST-ONLY-libreswan.txt b/tests/outputs/GOST-ONLY-libreswan.txt
new file mode 100644
index 0000000..7dc12cd
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-libreswan.txt
@@ -0,0 +1,2 @@
+conn %default
+ pfs=yes
diff --git a/tests/outputs/GOST-ONLY-libssh.txt b/tests/outputs/GOST-ONLY-libssh.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-nss.txt b/tests/outputs/GOST-ONLY-nss.txt
new file mode 100644
index 0000000..bf6f1ca
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/GOST-ONLY-openssh.txt b/tests/outputs/GOST-ONLY-openssh.txt
new file mode 100644
index 0000000..15ddb71
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-openssh.txt
@@ -0,0 +1 @@
+GSSAPIKeyExchange no
diff --git a/tests/outputs/GOST-ONLY-opensshserver.txt b/tests/outputs/GOST-ONLY-opensshserver.txt
new file mode 100644
index 0000000..dfe971d
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-opensshserver.txt
@@ -0,0 +1 @@
+CRYPTO_POLICY='-oGSSAPIKeyExchange=no'
\ No newline at end of file
diff --git a/tests/outputs/GOST-ONLY-openssl.txt b/tests/outputs/GOST-ONLY-openssl.txt
new file mode 100644
index 0000000..2acf9bf
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
\ No newline at end of file
diff --git a/tests/outputs/GOST-ONLY-openssl_fips.txt b/tests/outputs/GOST-ONLY-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/GOST-ONLY-opensslcnf.txt b/tests/outputs/GOST-ONLY-opensslcnf.txt
new file mode 100644
index 0000000..aff0062
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-opensslcnf.txt
@@ -0,0 +1,18 @@
+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = GOST2012-GOST8912-GOST8912
+TLS.MinProtocol = TLSv1
+TLS.MaxProtocol = TLSv1.3
+SignatureAlgorithms =
+
+[ default_modules ]
+engines = engine_gost
+
+[ engine_gost ]
+gost = gost_section
+
+[ gost_section ]
+engine_id = gost
+dynamic_path = /usr/lib64/engines-1.1/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
+
diff --git a/tests/outputs/GOST-ONLY-rpm-sequoia.txt b/tests/outputs/GOST-ONLY-rpm-sequoia.txt
new file mode 100644
index 0000000..3ec0b96
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-rpm-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "never"
+sha1.second_preimage_resistance = "never"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "never"
+sha224.second_preimage_resistance = "never"
+sha256.collision_resistance = "never"
+sha256.second_preimage_resistance = "never"
+sha384.collision_resistance = "never"
+sha384.second_preimage_resistance = "never"
+sha512.collision_resistance = "never"
+sha512.second_preimage_resistance = "never"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "never"
+aes192 = "never"
+aes256 = "never"
+twofish = "never"
+camellia128 = "never"
+camellia192 = "never"
+camellia256 = "never"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "never"
+rsa3072 = "never"
+rsa4096 = "never"
+dsa1024 = "never"
+dsa2048 = "never"
+dsa3072 = "never"
+dsa4096 = "never"
+nistp256 = "never"
+nistp384 = "never"
+nistp521 = "never"
+cv25519 = "never"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
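Review bot: The GOST-ONLY rpm-sequoia fixture sets every hash, symmetric and asymmetric algorithm to `"never"` with `default_disposition = "never"` in all three tables, so under this policy the sequoia backend can verify no package signature at all (the same output is generated for GOST-ONLY-sequoia.txt). The krb5 fixture for this policy likewise emits an empty `permitted_enctypes =` and the libssh fixture is empty, so Kerberos and libssh clients are left with no working algorithm. If that is the intended meaning of GOST-ONLY, the policy description should state plainly that package verification, Kerberos and SSH are not usable under it; otherwise the GOST module should carry a minimal allow-list for these back ends. The .pol and .pmod files that define the policy are outside this hunk.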
diff --git a/tests/outputs/GOST-ONLY-sequoia.txt b/tests/outputs/GOST-ONLY-sequoia.txt
new file mode 100644
index 0000000..3ec0b96
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "never"
+sha1.second_preimage_resistance = "never"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "never"
+sha224.second_preimage_resistance = "never"
+sha256.collision_resistance = "never"
+sha256.second_preimage_resistance = "never"
+sha384.collision_resistance = "never"
+sha384.second_preimage_resistance = "never"
+sha512.collision_resistance = "never"
+sha512.second_preimage_resistance = "never"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "never"
+aes192 = "never"
+aes256 = "never"
+twofish = "never"
+camellia128 = "never"
+camellia192 = "never"
+camellia256 = "never"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "never"
+rsa3072 = "never"
+rsa4096 = "never"
+dsa1024 = "never"
+dsa2048 = "never"
+dsa3072 = "never"
+dsa4096 = "never"
+nistp256 = "never"
+nistp384 = "never"
+nistp521 = "never"
+cv25519 = "never"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
diff --git a/tests/outputs/LEGACY-auth.txt b/tests/outputs/LEGACY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/LEGACY-bind.txt b/tests/outputs/LEGACY-bind.txt
index 050ab92..c08435b 100644
--- a/tests/outputs/LEGACY-bind.txt
+++ b/tests/outputs/LEGACY-bind.txt
@@ -4,4 +4,5 @@ ECCGOST;
};
disable-ds-digests "." {
GOST;
+GOST;
};
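Review bot: The added line repeats the `GOST;` entry already present in `disable-ds-digests "."`, so the expected output now enshrines a duplicated identifier rather than a new one; this looks like the GOST digest being contributed twice by the regenerated algorithm lists rather than an intentional change. The fixture should keep a single `GOST;` and the generator should de-duplicate (or the list should not add the entry a second time), otherwise a real config defect is hidden behind a passing test. The same duplication appears in tests/outputs/LEGACY:AD-SUPPORT-bind.txt below.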
diff --git a/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt b/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/LEGACY:AD-SUPPORT-auth.txt b/tests/outputs/LEGACY:AD-SUPPORT-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/LEGACY:AD-SUPPORT-bind.txt b/tests/outputs/LEGACY:AD-SUPPORT-bind.txt
index 050ab92..c08435b 100644
--- a/tests/outputs/LEGACY:AD-SUPPORT-bind.txt
+++ b/tests/outputs/LEGACY:AD-SUPPORT-bind.txt
@@ -4,4 +4,5 @@ ECCGOST;
};
disable-ds-digests "." {
GOST;
+GOST;
};
--
2.43.5