
From f929e72a42bd205c933320ec8d4e828ced4a0050 Mon Sep 17 00:00:00 2001
From: Alexey Berezhok <aberezhok@msvsphere-os.ru>
Date: Mon, 14 Oct 2024 18:08:55 +0300
Subject: [PATCH] Added GOST 9.5 policy also added experimental PAM generator
---
Makefile | 12 ++
authselect_policies/minimal_gost/README | 84 ++++++++
authselect_policies/minimal_gost/REQUIREMENTS | 0
authselect_policies/minimal_gost/dconf-db | 3 +
authselect_policies/minimal_gost/dconf-locks | 2 +
.../minimal_gost/fingerprint-auth | 16 ++
.../minimal_gost/nsswitch.conf | 14 ++
.../minimal_gost/password-auth | 15 ++
authselect_policies/minimal_gost/postlogin | 4 +
.../minimal_gost/smartcard-auth | 16 ++
authselect_policies/minimal_gost/system-auth | 15 ++
authselect_policies/sssd_gost/README | 145 +++++++++++++
authselect_policies/sssd_gost/REQUIREMENTS | 29 +++
authselect_policies/sssd_gost/dconf-db | 9 +
authselect_policies/sssd_gost/dconf-locks | 4 +
.../sssd_gost/fingerprint-auth | 28 +++
authselect_policies/sssd_gost/nsswitch.conf | 7 +
authselect_policies/sssd_gost/password-auth | 39 ++++
authselect_policies/sssd_gost/postlogin | 4 +
authselect_policies/sssd_gost/smartcard-auth | 26 +++
authselect_policies/sssd_gost/system-auth | 46 ++++
policies/GOST-ONLY-PAM.pol | 29 +++
policies/GOST-ONLY.pol | 28 +++
policies/modules/GOST.pmod | 18 ++
policies/modules/PAM-GOST.pmod | 3 +
policies/modules/PATCH-PAM-GOST.pmod | 3 +
policies/modules/SSSD-PAM-GOST.pmod | 3 +
python/build-crypto-policies.py | 8 +-
python/cryptopolicies/alg_lists.py | 19 +-
python/cryptopolicies/cryptopolicies.py | 7 +-
python/policygenerators/__init__.py | 2 +
python/policygenerators/auth.py | 36 ++++
.../fedora-crypto-policies.code-workspace | 0
python/policygenerators/openssl.py | 23 ++
scripts/auth_apply.sh | 204 ++++++++++++++++++
tests/alternative-policies/GOST-ONLY.pol | 30 +++
tests/alternative-policies/modules/GOST.pmod | 18 ++
tests/gnutls.py | 3 +-
tests/java.py | 3 +-
tests/nss.py | 2 +-
tests/openssl.py | 2 +-
tests/outputs/DEFAULT-auth.txt | 0
tests/outputs/DEFAULT:GOST-auth.txt | 0
tests/outputs/DEFAULT:GOST-bind.txt | 10 +
tests/outputs/DEFAULT:GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:GOST-java.txt | 4 +
tests/outputs/DEFAULT:GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:GOST-krb5.txt | 2 +
tests/outputs/DEFAULT:GOST-libreswan.txt | 6 +
tests/outputs/DEFAULT:GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:GOST-nss.txt | 6 +
tests/outputs/DEFAULT:GOST-openssh.txt | 7 +
tests/outputs/DEFAULT:GOST-opensshserver.txt | 8 +
tests/outputs/DEFAULT:GOST-openssl.txt | 1 +
tests/outputs/DEFAULT:GOST-openssl_fips.txt | 4 +
tests/outputs/DEFAULT:GOST-opensslcnf.txt | 20 ++
tests/outputs/DEFAULT:GOST-rpm-sequoia.txt | 51 +++++
tests/outputs/DEFAULT:GOST-sequoia.txt | 51 +++++
tests/outputs/DEFAULT:PAM-GOST-auth.txt | 2 +
tests/outputs/DEFAULT:PAM-GOST-bind.txt | 12 ++
tests/outputs/DEFAULT:PAM-GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:PAM-GOST-java.txt | 4 +
tests/outputs/DEFAULT:PAM-GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:PAM-GOST-krb5.txt | 2 +
tests/outputs/DEFAULT:PAM-GOST-libreswan.txt | 6 +
tests/outputs/DEFAULT:PAM-GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:PAM-GOST-nss.txt | 6 +
tests/outputs/DEFAULT:PAM-GOST-openssh.txt | 7 +
.../DEFAULT:PAM-GOST-opensshserver.txt | 8 +
tests/outputs/DEFAULT:PAM-GOST-openssl.txt | 1 +
.../outputs/DEFAULT:PAM-GOST-openssl_fips.txt | 4 +
tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt | 8 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt | 1 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt | 12 ++
.../outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt | 4 +
.../DEFAULT:PATCH-PAM-GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt | 2 +
.../DEFAULT:PATCH-PAM-GOST-libreswan.txt | 6 +
.../outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt | 6 +
.../DEFAULT:PATCH-PAM-GOST-openssh.txt | 7 +
.../DEFAULT:PATCH-PAM-GOST-opensshserver.txt | 8 +
.../DEFAULT:PATCH-PAM-GOST-openssl.txt | 1 +
.../DEFAULT:PATCH-PAM-GOST-openssl_fips.txt | 4 +
.../DEFAULT:PATCH-PAM-GOST-opensslcnf.txt | 8 +
tests/outputs/DEFAULT:SHA1-auth.txt | 0
tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt | 4 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt | 12 ++
.../outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt | 105 +++++++++
tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt | 4 +
.../DEFAULT:SSSD-PAM-GOST-javasystem.txt | 2 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt | 2 +
.../DEFAULT:SSSD-PAM-GOST-libreswan.txt | 6 +
.../outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt | 5 +
tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt | 6 +
.../outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt | 7 +
.../DEFAULT:SSSD-PAM-GOST-opensshserver.txt | 8 +
.../outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt | 1 +
.../DEFAULT:SSSD-PAM-GOST-openssl_fips.txt | 4 +
.../DEFAULT:SSSD-PAM-GOST-opensslcnf.txt | 8 +
tests/outputs/EMPTY-auth.txt | 0
tests/outputs/FIPS-auth.txt | 0
tests/outputs/FIPS:ECDHE-ONLY-auth.txt | 0
tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt | 0
tests/outputs/FIPS:OSPP-auth.txt | 0
tests/outputs/FUTURE-auth.txt | 0
tests/outputs/FUTURE:AD-SUPPORT-auth.txt | 0
tests/outputs/GOST-ONLY-PAM-auth.txt | 2 +
tests/outputs/GOST-ONLY-PAM-bind.txt | 18 ++
tests/outputs/GOST-ONLY-PAM-gnutls.txt | 13 ++
tests/outputs/GOST-ONLY-PAM-java.txt | 4 +
tests/outputs/GOST-ONLY-PAM-javasystem.txt | 2 +
tests/outputs/GOST-ONLY-PAM-krb5.txt | 2 +
tests/outputs/GOST-ONLY-PAM-libreswan.txt | 2 +
tests/outputs/GOST-ONLY-PAM-libssh.txt | 0
tests/outputs/GOST-ONLY-PAM-nss.txt | 6 +
tests/outputs/GOST-ONLY-PAM-openssh.txt | 2 +
tests/outputs/GOST-ONLY-PAM-opensshserver.txt | 2 +
tests/outputs/GOST-ONLY-PAM-openssl.txt | 1 +
tests/outputs/GOST-ONLY-PAM-openssl_fips.txt | 4 +
tests/outputs/GOST-ONLY-PAM-opensslcnf.txt | 18 ++
tests/outputs/GOST-ONLY-auth.txt | 0
tests/outputs/GOST-ONLY-bind.txt | 18 ++
tests/outputs/GOST-ONLY-gnutls.txt | 13 ++
tests/outputs/GOST-ONLY-java.txt | 4 +
tests/outputs/GOST-ONLY-javasystem.txt | 2 +
tests/outputs/GOST-ONLY-krb5.txt | 2 +
tests/outputs/GOST-ONLY-libreswan.txt | 2 +
tests/outputs/GOST-ONLY-libssh.txt | 0
tests/outputs/GOST-ONLY-nss.txt | 6 +
tests/outputs/GOST-ONLY-openssh.txt | 2 +
tests/outputs/GOST-ONLY-opensshserver.txt | 2 +
tests/outputs/GOST-ONLY-openssl.txt | 1 +
tests/outputs/GOST-ONLY-openssl_fips.txt | 4 +
tests/outputs/GOST-ONLY-opensslcnf.txt | 18 ++
tests/outputs/GOST-ONLY-rpm-sequoia.txt | 51 +++++
tests/outputs/GOST-ONLY-sequoia.txt | 51 +++++
tests/outputs/LEGACY-auth.txt | 0
.../outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt | 0
140 files changed, 2000 insertions(+), 10 deletions(-)
create mode 100644 authselect_policies/minimal_gost/README
create mode 100644 authselect_policies/minimal_gost/REQUIREMENTS
create mode 100644 authselect_policies/minimal_gost/dconf-db
create mode 100644 authselect_policies/minimal_gost/dconf-locks
create mode 100644 authselect_policies/minimal_gost/fingerprint-auth
create mode 100644 authselect_policies/minimal_gost/nsswitch.conf
create mode 100644 authselect_policies/minimal_gost/password-auth
create mode 100644 authselect_policies/minimal_gost/postlogin
create mode 100644 authselect_policies/minimal_gost/smartcard-auth
create mode 100644 authselect_policies/minimal_gost/system-auth
create mode 100644 authselect_policies/sssd_gost/README
create mode 100644 authselect_policies/sssd_gost/REQUIREMENTS
create mode 100644 authselect_policies/sssd_gost/dconf-db
create mode 100644 authselect_policies/sssd_gost/dconf-locks
create mode 100644 authselect_policies/sssd_gost/fingerprint-auth
create mode 100644 authselect_policies/sssd_gost/nsswitch.conf
create mode 100644 authselect_policies/sssd_gost/password-auth
create mode 100644 authselect_policies/sssd_gost/postlogin
create mode 100644 authselect_policies/sssd_gost/smartcard-auth
create mode 100644 authselect_policies/sssd_gost/system-auth
create mode 100644 policies/GOST-ONLY-PAM.pol
create mode 100644 policies/GOST-ONLY.pol
create mode 100644 policies/modules/GOST.pmod
create mode 100644 policies/modules/PAM-GOST.pmod
create mode 100644 policies/modules/PATCH-PAM-GOST.pmod
create mode 100644 policies/modules/SSSD-PAM-GOST.pmod
create mode 100644 python/policygenerators/auth.py
create mode 100644 python/policygenerators/fedora-crypto-policies.code-workspace
create mode 100755 scripts/auth_apply.sh
create mode 100644 tests/alternative-policies/GOST-ONLY.pol
create mode 100644 tests/alternative-policies/modules/GOST.pmod
create mode 100644 tests/outputs/DEFAULT-auth.txt
create mode 100644 tests/outputs/DEFAULT:GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:GOST-opensslcnf.txt
create mode 100644 tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
create mode 100644 tests/outputs/DEFAULT:GOST-sequoia.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
create mode 100644 tests/outputs/DEFAULT:SHA1-auth.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
create mode 100644 tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
create mode 100644 tests/outputs/EMPTY-auth.txt
create mode 100644 tests/outputs/FIPS-auth.txt
create mode 100644 tests/outputs/FIPS:ECDHE-ONLY-auth.txt
create mode 100644 tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt
create mode 100644 tests/outputs/FIPS:OSPP-auth.txt
create mode 100644 tests/outputs/FUTURE-auth.txt
create mode 100644 tests/outputs/FUTURE:AD-SUPPORT-auth.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-auth.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-bind.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-gnutls.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-java.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-javasystem.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-krb5.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-libreswan.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-libssh.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-nss.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssh.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-opensshserver.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
create mode 100644 tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
create mode 100644 tests/outputs/GOST-ONLY-auth.txt
create mode 100644 tests/outputs/GOST-ONLY-bind.txt
create mode 100644 tests/outputs/GOST-ONLY-gnutls.txt
create mode 100644 tests/outputs/GOST-ONLY-java.txt
create mode 100644 tests/outputs/GOST-ONLY-javasystem.txt
create mode 100644 tests/outputs/GOST-ONLY-krb5.txt
create mode 100644 tests/outputs/GOST-ONLY-libreswan.txt
create mode 100644 tests/outputs/GOST-ONLY-libssh.txt
create mode 100644 tests/outputs/GOST-ONLY-nss.txt
create mode 100644 tests/outputs/GOST-ONLY-openssh.txt
create mode 100644 tests/outputs/GOST-ONLY-opensshserver.txt
create mode 100644 tests/outputs/GOST-ONLY-openssl.txt
create mode 100644 tests/outputs/GOST-ONLY-openssl_fips.txt
create mode 100644 tests/outputs/GOST-ONLY-opensslcnf.txt
create mode 100644 tests/outputs/GOST-ONLY-rpm-sequoia.txt
create mode 100644 tests/outputs/GOST-ONLY-sequoia.txt
create mode 100644 tests/outputs/LEGACY-auth.txt
create mode 100644 tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt
diff --git a/Makefile b/Makefile
index 5b584b3..467807d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,10 @@
VERSION=$(shell git log -1|grep commit|cut -f 2 -d ' '|head -c 7)
DIR?=/usr/share/crypto-policies
+DIRSCR?=/usr/share/crypto-policies-scripts
BINDIR?=/usr/bin
MANDIR?=/usr/share/man
CONFDIR?=/etc/crypto-policies
+AUTHSELECTDIR?=/etc/authselect/custom
LIBEXECDIR?=/usr/libexec
DESTDIR?=
MAN7PAGES=crypto-policies.7
@@ -30,11 +32,14 @@ install: $(MANPAGES)
mkdir -p $(DESTDIR)$(MANDIR)/man8
mkdir -p $(DESTDIR)$(BINDIR)
mkdir -p $(DESTDIR)$(LIBEXECDIR)
+ mkdir -p $(DESTDIR)$(AUTHSELECTDIR)
install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
install -p -m 755 $(LIBEXEC_SCRIPTS) $(DESTDIR)$(LIBEXECDIR)
mkdir -p $(DESTDIR)$(DIR)/
+ mkdir -p $(DESTDIR)$(DIRSCR)/
+ install -p -m 755 scripts/auth_apply.sh $(DESTDIR)$(DIRSCR)
install -p -m 644 default-config $(DESTDIR)$(DIR)
install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
for f in $$(find output -name '*.txt') ; do d=$$(dirname $$f | cut -f 2- -d '/') ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done
@@ -42,6 +47,7 @@ install: $(MANPAGES)
for f in $$(find python -name '*.py') ; do d=$$(dirname $$f) ; install -p -m 644 -D -t $(DESTDIR)$(DIR)/$$d $$f ; done
chmod 755 $(DESTDIR)$(DIR)/python/update-crypto-policies.py
chmod 755 $(DESTDIR)$(DIR)/python/build-crypto-policies.py
+ for f in $$(find authselect_policies -name '*' -type f,l) ; do d=$$(basename $$(dirname $$f)) ; install -p -m 644 -D -t $(DESTDIR)$(AUTHSELECTDIR)/$$d $$f ; done
runruff:
ruff check
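Review bot: The new `for f in $$(find authselect_policies ...)` loop writes the profile files into `$(DESTDIR)$(AUTHSELECTDIR)`, which the first hunk defaults to `/etc/authselect/custom`, so every `make install` overwrites whatever an administrator has edited under /etc, while the rest of the install target keeps data under `$(DIR)` and treats only scripts/auth_apply.sh as a script. Consider installing the profiles under `$(DIR)/authselect_policies` and letting auth_apply.sh (or the package's post-install step) place them into the authselect custom directory. Also, `-name '*'` matches every entry and can be dropped, and `-type f,l` is a GNU findutils extension; the diffstat shows no symlinks among the added profile files and GNU `install` would copy a link's target content anyway, so `-type f` is sufficient.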
@@ -65,6 +71,11 @@ check:
python/build-crypto-policies.py --strict --policy FIPS:NO-ENFORCE-EMS --test --flat policies tests/outputs
python/build-crypto-policies.py --strict --policy FUTURE:AD-SUPPORT --test --flat policies tests/outputs
python/build-crypto-policies.py --strict --policy LEGACY:AD-SUPPORT-LEGACY --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:GOST --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy GOST-ONLY --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:PAM-GOST --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:PATCH-PAM-GOST --test --flat policies tests/outputs
+ python/build-crypto-policies.py --strict --policy DEFAULT:SSSD-PAM-GOST --test --flat policies tests/outputs
tests/openssl.py
tests/gnutls.py
tests/nss.py
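Review bot: The `check` target gains runs for DEFAULT:GOST, GOST-ONLY and the three PAM-GOST subpolicies, but not for the new `GOST-ONLY-PAM` policy, although `policies/GOST-ONLY-PAM.pol` and its `tests/outputs/GOST-ONLY-PAM-*.txt` expected outputs are added in this commit; without `python/build-crypto-policies.py --strict --policy GOST-ONLY-PAM --test --flat policies tests/outputs` those expected files are never compared against the generator. The `diff-outputs` target in the next hunk has the same gap: it only adds DEFAULT:GOST, so GOST-ONLY, GOST-ONLY-PAM and the PAM variants never reach `$(DIFFTOOL)`.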
@@ -118,6 +129,7 @@ diff-outputs:
python/build-crypto-policies.py --policy FIPS:ECDHE-ONLY --test --flat policies output/current || true
python/build-crypto-policies.py --policy FIPS:NO-ENFORCE-EMS --test --flat policies output/current || true
python/build-crypto-policies.py --policy LEGACY:AD-SUPPORT --test --flat policies output/current || true
+ python/build-crypto-policies.py --policy DEFAULT:GOST --test --flat policies output/current || true
$(DIFFTOOL) tests/outputs output/current
clean:
diff --git a/authselect_policies/minimal_gost/README b/authselect_policies/minimal_gost/README
new file mode 100644
index 0000000..9839669
--- /dev/null
+++ b/authselect_policies/minimal_gost/README
@@ -0,0 +1,84 @@
+Local users only for minimal installations and gost support
+===========================================================
+
+Selecting this profile will enable local files as the source of identity
+and authentication providers.
+
+This profile can be used on systems that require minimal installation to
+save disk and memory space. It serves only local users and groups directly
+from system files instead of going through other authentication providers.
+Therefore SSSD, winbind and fprintd packages can be safely removed.
+
+AVAILABLE OPTIONAL FEATURES
+---------------------------
+
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
+with-gost::
+ Use GOST hash for shadow password instead of sha512
+
+with-silent-lastlog::
+ Do not produce pam_lastlog message during login.
+
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-aliases::
+Ignore "aliases" map set by the profile.
+
+with-custom-automount::
+Ignore "automount" map set by the profile.
+
+with-custom-ethers::
+Ignore "ethers" map set by the profile.
+
+with-custom-group::
+Ignore "group" map set by the profile.
+
+with-custom-hosts::
+Ignore "hosts" map set by the profile.
+
+with-custom-initgroups::
+Ignore "initgroups" map set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" map set by the profile.
+
+with-custom-networks::
+Ignore "networks" map set by the profile.
+
+with-custom-passwd::
+Ignore "passwd" map set by the profile.
+
+with-custom-protocols::
+Ignore "protocols" map set by the profile.
+
+with-custom-publickey::
+Ignore "publickey" map set by the profile.
+
+with-custom-rpc::
+Ignore "rpc" map set by the profile.
+
+with-custom-services::
+Ignore "services" map set by the profile.
+
+with-custom-shadow::
+Ignore "shadow" map set by the profile.
+
+EXAMPLES
+--------
+
+* Enable minimal profile
+
+ authselect select minimal
+
+SEE ALSO
+--------
+* man passwd(5)
+* man group(5)
diff --git a/authselect_policies/minimal_gost/REQUIREMENTS b/authselect_policies/minimal_gost/REQUIREMENTS
new file mode 100644
index 0000000..e69de29
diff --git a/authselect_policies/minimal_gost/dconf-db b/authselect_policies/minimal_gost/dconf-db
new file mode 100644
index 0000000..a3868b7
--- /dev/null
+++ b/authselect_policies/minimal_gost/dconf-db
@@ -0,0 +1,3 @@
+[org/gnome/login-screen]
+enable-smartcard-authentication=false
+enable-fingerprint-authentication=false
diff --git a/authselect_policies/minimal_gost/dconf-locks b/authselect_policies/minimal_gost/dconf-locks
new file mode 100644
index 0000000..8a36fa9
--- /dev/null
+++ b/authselect_policies/minimal_gost/dconf-locks
@@ -0,0 +1,2 @@
+/org/gnome/login-screen/enable-smartcard-authentication
+/org/gnome/login-screen/enable-fingerprint-authentication
diff --git a/authselect_policies/minimal_gost/fingerprint-auth b/authselect_policies/minimal_gost/fingerprint-auth
new file mode 100644
index 0000000..ca152fb
--- /dev/null
+++ b/authselect_policies/minimal_gost/fingerprint-auth
@@ -0,0 +1,16 @@
+auth required pam_env.so
+auth sufficient pam_fprintd.so
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/authselect_policies/minimal_gost/nsswitch.conf b/authselect_policies/minimal_gost/nsswitch.conf
new file mode 100644
index 0000000..f1f5941
--- /dev/null
+++ b/authselect_policies/minimal_gost/nsswitch.conf
@@ -0,0 +1,14 @@
+passwd: sss files systemd {exclude if "with-custom-passwd"}
+shadow: files {exclude if "with-custom-shadow"}
+group: sss files systemd {exclude if "with-custom-group"}
+hosts: files dns myhostname {exclude if "with-custom-hosts"}
+services: files sss {exclude if "with-custom-services"}
+netgroup: sss {exclude if "with-custom-netgroup"}
+automount: files sss {exclude if "with-custom-automount"}
+aliases: files {exclude if "with-custom-aliases"}
+ethers: files {exclude if "with-custom-ethers"}
+gshadow: files
+networks: files dns {exclude if "with-custom-networks"}
+protocols: files {exclude if "with-custom-protocols"}
+publickey: files {exclude if "with-custom-publickey"}
+rpc: files {exclude if "with-custom-rpc"}
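Review bot: `passwd: sss files systemd` and the other `sss` entries (group, services, netgroup, automount) contradict what the minimal_gost README in this commit says about the profile: local files only, with SSSD removable. With `sss` listed first, every passwd/group lookup presumably goes to the sss NSS module before files, which on a host without SSSD is a failing module load per query and on a host with SSSD configured means this is no longer a "local users only" profile. If the intent is minimal plus a GOST hash option, drop `sss` here (`passwd: files systemd`, `group: files systemd`, `services: files`, `netgroup: files`, `automount: files`) so the profile matches its description; if SSSD is intended, the README and the pam_sss-less `account` stack in password-auth need to say so.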
diff --git a/authselect_policies/minimal_gost/password-auth b/authselect_policies/minimal_gost/password-auth
new file mode 100644
index 0000000..5da3730
--- /dev/null
+++ b/authselect_policies/minimal_gost/password-auth
@@ -0,0 +1,15 @@
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok}
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
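Review bot: `{if "with-gost":gost_yescrypt|sha512}` on the `password sufficient pam_unix.so` line makes the new hash depend on pam_unix understanding the `gost_yescrypt` option and on libxcrypt being built with that hash, yet `minimal_gost/REQUIREMENTS` is added as an empty file, so a user who selects `with-gost` on a system without that support presumably only finds out when a password change fails or when pam_unix ignores the unknown option and keeps the default hash. Add a `{include if "with-gost"}` line to REQUIREMENTS naming the required libxcrypt/pam_unix support, and consider stating in the README that existing sha512 hashes are only replaced on the next password change. The same line appears in system-auth, which is byte-identical to this file (same blob index).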
diff --git a/authselect_policies/minimal_gost/postlogin b/authselect_policies/minimal_gost/postlogin
new file mode 100644
index 0000000..8d9bfd0
--- /dev/null
+++ b/authselect_policies/minimal_gost/postlogin
@@ -0,0 +1,4 @@
+session optional pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+session optional pam_lastlog.so silent noupdate showfailed
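Review bot: Both `pam_lastlog.so` lines rely on a module that, as far as I know, recent Linux-PAM releases mark as deprecated, so a profile being added new in 2024 may stop working once the distribution drops it; this is worth a comment in the README's `with-silent-lastlog` entry, e.g. `pam_lastlog is deprecated upstream; this option has no effect once the module is removed`. The sssd_gost profile's postlogin in the diffstat is presumably the same four lines and shares the concern.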
diff --git a/authselect_policies/minimal_gost/smartcard-auth b/authselect_policies/minimal_gost/smartcard-auth
new file mode 100644
index 0000000..f0843be
--- /dev/null
+++ b/authselect_policies/minimal_gost/smartcard-auth
@@ -0,0 +1,16 @@
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password optional pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/authselect_policies/minimal_gost/system-auth b/authselect_policies/minimal_gost/system-auth
new file mode 100644
index 0000000..5da3730
--- /dev/null
+++ b/authselect_policies/minimal_gost/system-auth
@@ -0,0 +1,15 @@
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass {if not "without-nullok":nullok}
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok {if not "without-nullok":nullok} {if "with-gost":gost_yescrypt|sha512} shadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/authselect_policies/sssd_gost/README b/authselect_policies/sssd_gost/README
new file mode 100644
index 0000000..02daa76
--- /dev/null
+++ b/authselect_policies/sssd_gost/README
@@ -0,0 +1,145 @@
+Enable SSSD with GOST support for system authentication (also for local users only)
+=================================================================
+
+Selecting this profile will enable SSSD with GOST as the source of identity
+and authentication providers.
+
+SSSD provides a set of daemons to manage access to remote directories and
+authentication mechanisms such as LDAP, Kerberos, FreeIPA or AD. It provides
+an NSS and PAM interface toward the system and a pluggable backend system
+to connect to multiple different account sources.
+
+More information about SSSD can be found on its project page:
+https://sssd.io
+
+However, if you do not want to keep SSSD running on your machine, you can
+keep this profile selected and just disable SSSD service. The resulting
+configuration will still work correctly even with SSSD disabled and local users
+and groups will be read from local files directly.
+
+SSSD CONFIGURATION
+------------------
+
+Authselect does not touch SSSD's configuration. Please, read SSSD's
+documentation to see how to configure it manually. Only local users
+will be available on the system if there is no existing SSSD configuration.
+
+AVAILABLE OPTIONAL FEATURES
+---------------------------
+
+with-faillock::
+ Enable account locking in case of too many consecutive
+ authentication failures.
+
+with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+
+with-smartcard::
+ Enable authentication with smartcards through SSSD. Please note that
+ smartcard support must be also explicitly enabled within
+ SSSD's configuration.
+
+with-smartcard-lock-on-removal::
+ Lock screen when a smartcard is removed.
+
+with-smartcard-required::
+ Smartcard authentication is required. No other means of authentication
+ (including password) will be enabled.
+
+with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+
+with-pam-gnome-keyring::
+ Enable pam-gnome-keyring support.
+
+with-pam-u2f::
+ Enable authentication via u2f dongle through *pam_u2f*.
+
+with-pam-u2f-2fa::
+ Enable 2nd factor authentication via u2f dongle through *pam_u2f*.
+
+without-pam-u2f-nouserok::
+ Module argument nouserok is omitted if also with-pam-u2f-2fa is used.
+ *WARNING*: Omitting nouserok argument means that users without pam-u2f
+ authentication configured will not be able to log in *INCLUDING* root.
+ Make sure you are able to log in before losing root privileges.
+
+with-silent-lastlog::
+ Do not produce pam_lastlog message during login.
+
+with-sudo::
+ Allow sudo to use SSSD as a source for sudo rules in addition of /etc/sudoers.
+
+with-pamaccess::
+ Check access.conf during account authorization.
+
+with-pwhistory::
+ Enable pam_pwhistory module for local users.
+
+with-files-domain::
+ If set, SSSD will be contacted before "files" when resolving users and
+ groups. The order in nsswitch.conf will be set to "sss files" instead of
+ "files sss" for passwd and group maps.
+
+with-files-access-provider::
+ If set, account management for local users is handled also by pam_sss. This
+ is needed if there is an explicitly configured domain with id_provider=files
+ and non-empty access_provider setting in sssd.conf.
+
+ *WARNING:* SSSD access check will become mandatory for local users and
+ if SSSD is stopped then local users will not be able to log in. Only
+ system accounts (as defined by pam_usertype, including root) will be
+ able to log in.
+
+with-gssapi::
+ If set, pam_sss_gss module is enabled to perform user authentication over
+ GSSAPI.
+
+with-subid::
+ Enable SSSD as a source of subid database in /etc/nsswitch.conf.
+
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
+with-gost::
+ Use GOST hash for shadow password instead of sha512
+
+DISABLE SPECIFIC NSSWITCH DATABASES
+-----------------------------------
+
+Normally, nsswitch databases set by the profile overwrites values set in
+user-nsswitch.conf. The following options can force authselect to
+ignore value set by the profile and use the one set in user-nsswitch.conf
+instead.
+
+with-custom-passwd::
+Ignore "passwd" database set by the profile.
+
+with-custom-group::
+Ignore "group" database set by the profile.
+
+with-custom-netgroup::
+Ignore "netgroup" database set by the profile.
+
+with-custom-automount::
+Ignore "automount" database set by the profile.
+
+with-custom-services::
+Ignore "services" database set by the profile.
+
+EXAMPLES
+--------
+
+* Enable SSSD with sudo and smartcard support
+
+ authselect select sssd with-sudo with-smartcard
+
+* Enable SSSD with sudo support and create home directories for users on their
+ first login
+
+ authselect select sssd with-mkhomedir with-sudo
+
+SEE ALSO
+--------
+* man sssd.conf(5)
diff --git a/authselect_policies/sssd_gost/REQUIREMENTS b/authselect_policies/sssd_gost/REQUIREMENTS
new file mode 100644
index 0000000..396287e
--- /dev/null
+++ b/authselect_policies/sssd_gost/REQUIREMENTS
@@ -0,0 +1,29 @@
+Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
+ {include if "with-smartcard"}
+- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf: {include if "with-smartcard"}
+ - set "pam_cert_auth = True" in [pam] section {include if "with-smartcard"}
+ {include if "with-fingerprint"}
+- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"}
+ {include if "with-pam-gnome-keyring"}
+- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module {include if "with-pam-gnome-keyring"}
+ is present. {include if "with-pam-gnome-keyring"}
+ {include if "with-pam-u2f"}
+- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"}
+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"}
+ {include if "with-pam-u2f-2fa"}
+- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"}
+ - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"}
+ {include if "with-mkhomedir"}
+- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
+ is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
+ - systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
+ {include if "with-files-domain"}
+- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
+ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
+ - or create a custom domain with id_provider=files {include if "with-files-domain"}
+ {include if "with-gssapi"}
+- with-gssapi is selected, make sure that GSSAPI authenticaiton is enabled in SSSD {include if "with-gssapi"}
+ - set pam_gssapi_services to a list of allowed services in /etc/sssd/sssd.conf {include if "with-gssapi"}
+ - see additional information in pam_sss_gss(8) {include if "with-gssapi"}
+ {include if "with-gost"}
+- with-gost is selected, make sure that openssl-gost-engine installed {include if "with-gost"}
diff --git a/authselect_policies/sssd_gost/dconf-db b/authselect_policies/sssd_gost/dconf-db
new file mode 100644
index 0000000..66c9949
--- /dev/null
+++ b/authselect_policies/sssd_gost/dconf-db
@@ -0,0 +1,9 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+{imply "with-smartcard" if "with-smartcard-lock-on-removal"}
+[org/gnome/login-screen]
+enable-smartcard-authentication={if "with-smartcard":true|false}
+enable-fingerprint-authentication={if "with-fingerprint":true|false}
+enable-password-authentication={if "with-smartcard-required":false|true}
+
+[org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
+removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"}
diff --git a/authselect_policies/sssd_gost/dconf-locks b/authselect_policies/sssd_gost/dconf-locks
new file mode 100644
index 0000000..6bf15d0
--- /dev/null
+++ b/authselect_policies/sssd_gost/dconf-locks
@@ -0,0 +1,4 @@
+/org/gnome/login-screen/enable-smartcard-authentication
+/org/gnome/login-screen/enable-fingerprint-authentication
+/org/gnome/login-screen/enable-password-authentication
+/org/gnome/settings-daemon/peripherals/smartcard/removal-action {include if "with-smartcard-lock-on-removal"}
diff --git a/authselect_policies/sssd_gost/fingerprint-auth b/authselect_policies/sssd_gost/fingerprint-auth
new file mode 100644
index 0000000..dc7befe
--- /dev/null
+++ b/authselect_policies/sssd_gost/fingerprint-auth
@@ -0,0 +1,28 @@
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"}
+{continue if "with-fingerprint"}
+auth required pam_env.so
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth [success=done default=bad] pam_fprintd.so
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/authselect_policies/sssd_gost/nsswitch.conf b/authselect_policies/sssd_gost/nsswitch.conf
new file mode 100644
index 0000000..f9e4e54
--- /dev/null
+++ b/authselect_policies/sssd_gost/nsswitch.conf
@@ -0,0 +1,7 @@
+passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
+group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
+netgroup: sss files {exclude if "with-custom-netgroup"}
+automount: sss files {exclude if "with-custom-automount"}
+services: sss files {exclude if "with-custom-services"}
+sudoers: files sss {include if "with-sudo"}
+subid: sss {include if "with-subid"}
diff --git a/authselect_policies/sssd_gost/password-auth b/authselect_policies/sssd_gost/password-auth
new file mode 100644
index 0000000..7832fb7
--- /dev/null
+++ b/authselect_policies/sssd_gost/password-auth
@@ -0,0 +1,39 @@
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth [default=1 ignore=ignore success=ok] pam_localuser.so
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth sufficient pam_sss.so forward_pass
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so local_users_only
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so auto_start {include if "with-pam-gnome-keyring"}
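Review bot: The non-GOST branch of `password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow …` falls back to `sha512`, while `set_no_gost` in scripts/auth_apply.sh (same commit) rewrites both `sha512` and `gost_yescrypt` to `yescrypt`, so the profile path and the patch path disagree about the default hash whenever `with-gost` is not selected. Unless sha512 is deliberately wanted here, `{if "with-gost":gost_yescrypt|yescrypt}` keeps the two mechanisms consistent; the README sentence "instead of sha512" would then need the same adjustment. The identical line appears in authselect_policies/sssd_gost/system-auth, and presumably in the minimal_gost profile outside this chunk. Separately, `gost_yescrypt` is hashed by pam_unix through libxcrypt, so whether the openssl-gost-engine dependency named in REQUIREMENTS is the right prerequisite for the PAM side is worth confirming and documenting.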
diff --git a/authselect_policies/sssd_gost/postlogin b/authselect_policies/sssd_gost/postlogin
new file mode 100644
index 0000000..04a11f0
--- /dev/null
+++ b/authselect_policies/sssd_gost/postlogin
@@ -0,0 +1,4 @@
+session optional pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+session optional pam_lastlog.so silent noupdate showfailed
diff --git a/authselect_policies/sssd_gost/smartcard-auth b/authselect_policies/sssd_gost/smartcard-auth
new file mode 100644
index 0000000..754847f
--- /dev/null
+++ b/authselect_policies/sssd_gost/smartcard-auth
@@ -0,0 +1,26 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-smartcard"}
+{continue if "with-smartcard"}
+auth required pam_env.so
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth sufficient pam_sss.so allow_missing_name {if "with-smartcard-required":require_cert_auth}
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/authselect_policies/sssd_gost/system-auth b/authselect_policies/sssd_gost/system-auth
new file mode 100644
index 0000000..31d4ee1
--- /dev/null
+++ b/authselect_policies/sssd_gost/system-auth
@@ -0,0 +1,46 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
+auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
+auth sufficient pam_fprintd.so {include if "with-fingerprint"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
+auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
+auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
+auth sufficient pam_sss_gss.so {include if "with-gssapi"}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth sufficient pam_sss.so forward_pass
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so local_users_only
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+password sufficient pam_unix.so {if "with-gost":gost_yescrypt|sha512} shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/policies/GOST-ONLY-PAM.pol b/policies/GOST-ONLY-PAM.pol
new file mode 100644
index 0000000..fce3bdb
--- /dev/null
+++ b/policies/GOST-ONLY-PAM.pol
@@ -0,0 +1,29 @@
+# Next generation GOST algorithms
+
+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT
+
+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C
+
+hash = GOSTR94 STREEBOG-256 STREEBOG-512
+
+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512
+
+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB
+
+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF
+
+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0
+
+# Parameter sizes
+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL
+min_dh_size = 2048
+min_dsa_size = 2048
+min_rsa_size = 2048
+
+# GnuTLS only for now
+sha1_in_certs = 0
+
+action_do = GOST
+authopt@AUTH = custom/minimal_gost with-gost
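Review bot: GOST-ONLY-PAM.pol is a verbatim copy of GOST-ONLY.pol plus the single line `authopt@AUTH = custom/minimal_gost with-gost`, which is exactly what policies/modules/PAM-GOST.pmod already contributes, so `GOST-ONLY:PAM-GOST` appears to yield the same result without a second file that has to track every future edit to GOST-ONLY.pol. If a standalone policy name is wanted anyway, a header comment such as `# Keep in sync with GOST-ONLY.pol; differs only in authopt@AUTH` would make the coupling explicit. Note that each such variant also has to be added by hand to the exemption tuple in python/build-crypto-policies.py.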
diff --git a/policies/GOST-ONLY.pol b/policies/GOST-ONLY.pol
new file mode 100644
index 0000000..37e478b
--- /dev/null
+++ b/policies/GOST-ONLY.pol
@@ -0,0 +1,28 @@
+# Next generation GOST algorithms
+
+mac = AEAD HMAC-STREEBOG-256 HMAC-STREEBOG-512 MAGMA-OMAC KUZNYECHIK-OMAC MAGMA-OMAC-ACPKM KUZNYECHIK-OMAC-ACPKM GOST28147-TC26Z-IMIT GOST28147-CPA-IMIT
+
+group = GOST-GC256A GOST-GC256B GOST-GC256C GOST-GC256D GOST-GC512A GOST-GC512B GOST-GC512C
+
+hash = GOSTR94 STREEBOG-256 STREEBOG-512
+
+sign = GOSTR341001 GOSTR341012-256 GOSTR341012-512
+
+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-CPA-CFB GOST28147-CPB-CFB GOST28147-CPC-CFB GOST28147-CPD-CFB GOST28147-TC26Z-CFB
+
+key_exchange = VKO-GOST-2001 VKO-GOST-2012 VKO-GOST-KDF
+
+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0
+
+# Parameter sizes
+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL
+min_dh_size = 2048
+min_dsa_size = 2048
+min_rsa_size = 2048
+
+# GnuTLS only for now
+sha1_in_certs = 0
+
+action_do = GOST
diff --git a/policies/modules/GOST.pmod b/policies/modules/GOST.pmod
new file mode 100644
index 0000000..b9021ea
--- /dev/null
+++ b/policies/modules/GOST.pmod
@@ -0,0 +1,18 @@
+# Adds GOST algorithms.
+#
+
+mac = +HMAC-STREEBOG-256 +HMAC-STREEBOG-512 +MAGMA-OMAC +KUZNYECHIK-OMAC +MAGMA-OMAC-ACPKM +KUZNYECHIK-OMAC-ACPKM +GOST28147-TC26Z-IMIT +GOST28147-CPA-IMIT +AEAD
+
+group = +GOST-GC256A +GOST-GC256B +GOST-GC256C +GOST-GC256D +GOST-GC512A +GOST-GC512B +GOST-GC512C
+
+hash = +STREEBOG-256 +STREEBOG-512 GOSTR94+
+
+sign = +GOSTR341012-256 +GOSTR341012-512 GOSTR341001+
+
+cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB
+
+key_exchange = +VKO-GOST-2001 +VKO-GOST-2012 +VKO-GOST-KDF
+
+action_do = +GOST
diff --git a/policies/modules/PAM-GOST.pmod b/policies/modules/PAM-GOST.pmod
new file mode 100644
index 0000000..06d92c5
--- /dev/null
+++ b/policies/modules/PAM-GOST.pmod
@@ -0,0 +1,3 @@
+#Add shadow gost support
+
+authopt@AUTH = custom/minimal_gost with-gost
diff --git a/policies/modules/PATCH-PAM-GOST.pmod b/policies/modules/PATCH-PAM-GOST.pmod
new file mode 100644
index 0000000..a79abd0
--- /dev/null
+++ b/policies/modules/PATCH-PAM-GOST.pmod
@@ -0,0 +1,3 @@
+#Add shadow gost support
+
+authopt@AUTH = patch
diff --git a/policies/modules/SSSD-PAM-GOST.pmod b/policies/modules/SSSD-PAM-GOST.pmod
new file mode 100644
index 0000000..f28939e
--- /dev/null
+++ b/policies/modules/SSSD-PAM-GOST.pmod
@@ -0,0 +1,3 @@
+#Add shadow gost support
+
+authopt@AUTH = custom/sssd_gost with-gost with-fingerprint with-silent-lastlog
diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py
index 2853c65..4b3d83c 100755
--- a/python/build-crypto-policies.py
+++ b/python/build-crypto-policies.py
@@ -9,6 +9,7 @@ import argparse
import os
import sys
import warnings
+import platform
import cryptopolicies
import policygenerators
@@ -62,6 +63,11 @@ def save_config(cmdline, policy_name, config_name, config):
try:
with open(path, encoding='utf-8') as f:
old_config = f.read()
+ if '[gost_section]' in config:
+ arch, links = platform.architecture()
+ if arch == '32bit':
+ #Make test expected file same for x86 and x86_64 systems
+ config = config.replace('dynamic_path = /usr/lib/engines-3/gost.so', 'dynamic_path = /usr/lib64/engines-3/gost.so')
if old_config != config:
eprint(f'Config for {config_name} for policy {policy_name} '
'differs from the existing one')
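Review bot: The 32-bit rewrite of `dynamic_path` is applied to `config` itself rather than to a comparison copy; if save_config goes on to write `config` to disk (the function starts outside this hunk), a 32-bit build will emit `/usr/lib64/engines-3/gost.so` into the generated file, which is the wrong path on that host. Compare against a normalized copy instead, e.g. `expected = config.replace(...) if arch == '32bit' else config` followed by `if old_config != expected:`, and keep the file contents untouched. `links` is unused (`arch, _ = platform.architecture()`), and the replaced string is duplicated from policygenerators/openssl.py, so a change there silently breaks this check; exporting the path template from that module would remove the coupling. The underlying cause is that the generator bakes the build host's library layout into the output, which is the point raised on the openssl.py hunk.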
@@ -100,7 +106,7 @@ def build_policy(cmdline, policy_name, subpolicy_names=None):
gen = cls()
config = gen.generate_config(cp.scoped(gen.SCOPES))
- if policy_name in {'EMPTY', 'GOST-ONLY'} or gen.test_config(config):
+ if policy_name in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM') or gen.test_config(config):
try:
name = ':'.join([policy_name, *subpolicy_names])
if not save_config(cmdline, name, gen.CONFIG_NAME, config):
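Review bot: Adding 'GOST-ONLY-PAM' to the exemption tuple means every generated config for that policy, including the new auth one, bypasses `gen.test_config`, and since AuthGenerator.test_config returns True unconditionally nothing in the build validates the authselect profile string at all. If the intent is only to skip backends that cannot load GOST without the engine, restricting the exemption to those generators would keep the remaining checks. Exact-name matching also has to be extended for every variant; `policy_name.startswith('GOST-ONLY')` would mirror what tests/gnutls.py and tests/java.py now do.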
diff --git a/python/cryptopolicies/alg_lists.py b/python/cryptopolicies/alg_lists.py
index 259f61a..c1cf35c 100644
--- a/python/cryptopolicies/alg_lists.py
+++ b/python/cryptopolicies/alg_lists.py
@@ -94,6 +94,12 @@ DTLS_PROTOCOLS = ('DTLS1.2', 'DTLS1.0', 'DTLS0.9')
IKE_PROTOCOLS = ('IKEv2', 'IKEv1')
ALL_PROTOCOLS = TLS_PROTOCOLS + DTLS_PROTOCOLS + IKE_PROTOCOLS
+# List of action do algoritms, for non standard libraries
+IACTION_OPT = 'action_do'
+ALL_ACTION_DO = ( 'GOST', 'NONE' )
+
+AUTH_PROFILES_OPT = 'authopt'
+ALL_AUTH_PROFILES = ()
ALL = {
'cipher': ALL_CIPHERS,
@@ -103,6 +109,8 @@ ALL = {
'mac': ALL_MACS,
'protocol': ALL_PROTOCOLS,
'sign': ALL_SIGN,
+ IACTION_OPT: ALL_ACTION_DO,
+ AUTH_PROFILES_OPT: ALL_AUTH_PROFILES
}
@@ -116,10 +124,13 @@ def glob(pattern, alg_class):
if alg_class not in ALL:
raise validation.alg_lists.AlgorithmClassUnknownError(alg_class)
- r = fnmatch.filter(ALL[alg_class], pattern)
- if not r:
- raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class)
- return r
+ if alg_class == AUTH_PROFILES_OPT:
+ return [pattern]
+ else:
+ r = fnmatch.filter(ALL[alg_class], pattern)
+ if not r:
+ raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class)
+ return r
def earliest_occurrence(needles, ordered_haystack):
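Review bot: `return [pattern]` for `AUTH_PROFILES_OPT` returns the token unvalidated (`ALL_AUTH_PROFILES` is empty), so any value on an `authopt` line passes policy parsing and ends up, via auth.config, as unquoted arguments to `authselect select $OPTS_FOR_EXECUTE --force` in scripts/auth_apply.sh. A conservative check here — a `fullmatch` against a character class such as letters, digits, `/`, `_`, `-` and `.` that rejects whitespace and path components like `..`, raising `AlgorithmEmptyMatchError` otherwise — would make a typo or stray character fail at build time instead of inside a script whose output is redirected to a log. The `else:` after `return [pattern]` is redundant and the original four lines can stay un-indented. In the first hunk of this file, `ALL_ACTION_DO = ( 'GOST', 'NONE' )` has spaces inside the parentheses and the comment reads "algoritms"; a comment explaining what `action_do` controls (it selects an OpenSSL engine section in openssl.py) would help more than the current one.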
diff --git a/python/cryptopolicies/cryptopolicies.py b/python/cryptopolicies/cryptopolicies.py
index a580ce8..0f50792 100644
--- a/python/cryptopolicies/cryptopolicies.py
+++ b/python/cryptopolicies/cryptopolicies.py
@@ -42,7 +42,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing
'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh',
'ipsec', 'ike', 'libreswan',
'kerberos', 'krb5',
- 'dnssec', 'bind',
+ 'dnssec', 'bind', 'auth'
)
DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
'bind': {'bind', 'dnssec'},
@@ -55,6 +55,7 @@ DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
'openssh-client': {'openssh-client', 'openssh', 'ssh'},
'openssh-server': {'openssh-server', 'openssh', 'ssh'},
'openssl': {'openssl', 'tls', 'ssl'},
+ 'auth': {'auth'},
}
@@ -466,6 +467,8 @@ class UnscopedCryptoPolicy:
**generic_scoped.integers,
**generic_scoped.enums}
for prop_name, value in generic_all.items():
+ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT):
+ continue
s += fmt(prop_name, value)
anything_scope_specific = False
for scope_name, scope_set in DUMPABLE_SCOPES.items():
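Review bot: The skip tuple `(alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT)` is written out twice, here and in the next hunk (the scope-specific loop); a module-level `UNDUMPED_PROPS = frozenset((alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT))` used in both `if prop_name in UNDUMPED_PROPS: continue` lines would keep them from drifting apart. Omitting these properties also means the dumped policy text no longer shows that a policy enables an OpenSSL engine or swaps the PAM hash profile — presumably because `fmt` cannot render them — so if the dump is ever fed back as a policy those settings are lost; a short comment stating why they are excluded is warranted. The enclosing method starts and ends outside both hunks.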
@@ -474,6 +477,8 @@ class UnscopedCryptoPolicy:
**specific_scoped.integers,
**specific_scoped.enums}
for prop_name, value in specific_all.items():
+ if prop_name in (alg_lists.IACTION_OPT, alg_lists.AUTH_PROFILES_OPT):
+ continue
if value != generic_all[prop_name]:
if not anything_scope_specific:
s += ('# Scope-specific properties '
diff --git a/python/policygenerators/__init__.py b/python/policygenerators/__init__.py
index be516b2..ae756f0 100644
--- a/python/policygenerators/__init__.py
+++ b/python/policygenerators/__init__.py
@@ -16,6 +16,7 @@ from .openssl import (
OpenSSLFIPSGenerator,
OpenSSLGenerator,
)
+from .auth import AuthGenerator
__all__ = [
'BindGenerator',
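Review bot: `from .auth import AuthGenerator` is appended after the openssl imports and `'AuthGenerator'` after `'OpenSSLGenerator'` in the second hunk, while both existing lists appear to be kept in alphabetical order; moving the import to the top of the relative-import group and the `__all__` entry before `'BindGenerator'` keeps the file consistent.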
@@ -31,4 +32,5 @@ __all__ = [
'OpenSSLConfigGenerator',
'OpenSSLFIPSGenerator',
'OpenSSLGenerator',
+ 'AuthGenerator',
]
diff --git a/python/policygenerators/auth.py b/python/policygenerators/auth.py
new file mode 100644
index 0000000..eb6bda5
--- /dev/null
+++ b/python/policygenerators/auth.py
@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# Copyright (c) 2019 Red Hat, Inc.
+# Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
+
+import os.path
+
+from .configgenerator import ConfigGenerator
+
+class AuthGenerator(ConfigGenerator):
+ CONFIG_NAME = 'auth'
+ SCOPES = {'auth'}
+
+ RELOAD_CMD = '/usr/share/crypto-policies-scripts/auth_apply.sh 2>/dev/null || :\n'
+
+ @classmethod
+ def generate_config(cls, policy):
+ p = policy.enabled
+ sep = '\n'
+ s = ''
+ authopt_data = p['authopt']
+ if len(authopt_data) > 0:
+ auth_profile = authopt_data.pop(0)
+ opt_list = []
+ for item in authopt_data:
+ if item not in opt_list:
+ if item.startswith('with'):
+ opt_list.append(item)
+ s = cls.append(s, auth_profile, sep)
+ for item in opt_list:
+ s = cls.append(s, item, sep)
+ return s
+
+ @classmethod
+ def test_config(cls, config): # pylint: disable=unused-argument
+ return True
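Review bot: `authopt_data.pop(0)` mutates the list obtained from `policy.enabled['authopt']` in place, so after one generate_config call the policy object no longer carries the profile name for any later generator or repeated call; `auth_profile, *rest = authopt_data` avoids the side effect, and the dedup loop becomes `opt_list = list(dict.fromkeys(i for i in rest if i.startswith('with')))`. Tokens that do not start with `with` are dropped silently; an explicit error or at least a comment on why they are discarded would help. The copyright header is copied from openssl.py (2019 Red Hat / Tomáš Mráz) although this file is new in a 2024 commit. `test_config` always returning True together with `RELOAD_CMD` ending in `2>/dev/null || :` means a failed authselect application is invisible to the caller; letting stderr through, or checking the script's exit status, would surface failures to change PAM configuration.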
diff --git a/python/policygenerators/fedora-crypto-policies.code-workspace b/python/policygenerators/fedora-crypto-policies.code-workspace
new file mode 100644
index 0000000..e69de29
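Review bot: python/policygenerators/fedora-crypto-policies.code-workspace is an empty file (blob e69de29) with no relation to the change and looks like an accidentally committed editor workspace artifact; it should be dropped from the commit and `*.code-workspace` added to .gitignore.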
diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py
index fcee9ec..a97502a 100644
--- a/python/policygenerators/openssl.py
+++ b/python/policygenerators/openssl.py
@@ -2,6 +2,7 @@
# Copyright (c) 2019 Red Hat, Inc.
# Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
+import platform
from subprocess import CalledProcessError, check_output
@@ -21,6 +22,25 @@ tls1-prf-ems-check = {}
activate = 1
'''
+arch, links = platform.architecture()
+library_path = '64'
+if arch == '32bit':
+ library_path = ''
+
+GOST_MODULE_ENABLE = '''
+[openssl_init]
+engines = engine_gost
+
+[engine_gost]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = /usr/lib%s/engines-3/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
+''' % (library_path)
+
class OpenSSLGenerator(ConfigGenerator):
CONFIG_NAME = 'openssl'
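Review bot: `arch, links = platform.architecture()` at module level fixes the engine directory from the interpreter running the generator, so the emitted `dynamic_path` is only correct on hosts with the same library layout as the build host, which is what forces the comparison workaround in build-crypto-policies.py; `links` is also unused. Resolving the directory where the config is consumed is more robust — OpenSSL reports its compiled-in engines directory via `openssl version -e`, and if I recall correctly the dynamic engine loader can search that directory when given a bare module name rather than an absolute path; worth confirming against the OpenSSL dynamic engine documentation. `default_algorithms = ALL` makes the engine the implementation for every algorithm it registers, for every OpenSSL consumer on the host, whenever a policy with `action_do = GOST` is active; a comment stating that this is intended, and that the `engines-3` path ties the feature to OpenSSL 3's deprecated engine API rather than a provider, would help the next maintainer. The `if 'GOST' in p['action_do']:` addition in the following hunk sits inside a method that starts outside it.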
@@ -264,6 +284,9 @@ class OpenSSLConfigGenerator(OpenSSLGenerator):
if 'SHA1' in p['hash']:
s += RH_ALLOW_SHA1
+
+ if 'GOST' in p['action_do']:
+ s += GOST_MODULE_ENABLE
return s
diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh
new file mode 100755
index 0000000..5b2ecad
--- /dev/null
+++ b/scripts/auth_apply.sh
@@ -0,0 +1,204 @@
+#!/usr/bin/bash
+exec 1> /var/log/crypto-cmc/auth.log 2>&1
+set -x
+# Скрипт настройки профиля authselect для crypto-policy
+# Примеры запуска:
+# auth_apply.sh -e - восстановить конфигурацию без указания auth профиля
+# auth_apply.sh -p tmp/ - считать что конфигурационные файлы authselect лежат в каталоге tmp
+# auth_apply.sh -p /tmp -t /tmpconf - аналигично предыдущему, но еще не вызывать authselect
+# и считать, что сгенерированный конфиг лежит в каталоге tmpconf
+
+CONF_PATH=/etc/authselect/
+AUTH_SEL_BAK=authselect.conf.policy
+AUTH_CONFIG=authselect.conf
+EMPTY=0
+TEST=""
+AUTH_BACKUP_NAME="auth_saved_profile"
+USE_PATCH="$CONF_PATH/autheslect.patch"
+
+function set_gost
+{
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/system-auth
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|\byescrypt\b/gost_yescrypt/' /etc/pam.d/password-auth
+
+}
+
+function set_no_gost
+{
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/system-auth
+ /usr/bin/sed --in-place --follow-symlinks 's/sha512\|gost_yescrypt/yescrypt/' /etc/pam.d/password-auth
+}
+
+function get_auth_options
+{
+ /usr/bin/cat /etc/crypto-policies/back-ends/auth.config | tr '\n' ' '
+}
+
+function save_restored_profile
+{
+ if [ ! -e /etc/authselect/custom/restored ];then
+ /usr/bin/authselect create-profile restored
+ [ -e /etc/pam.d/fingerprint-auth ] && /usr/bin/cp -f /etc/pam.d/fingerprint-auth /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/password-auth ] && /usr/bin/cp -f /etc/pam.d/password-auth /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/postlogin ] && /usr/bin/cp -f /etc/pam.d/postlogin /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/smartcard-auth ] && /usr/bin/cp -f /etc/pam.d/smartcard-auth /etc/authselect/custom/restored/
+ [ -e /etc/pam.d/system-auth ] && /usr/bin/cp -f /etc/pam.d/system-auth /etc/authselect/custom/restored/
+ [ -e /etc/authselect/user-nsswitch.conf ] && /usr/bin/cp -f /etc/authselect/user-nsswitch.conf /etc/authselect/custom/restored/nsswitch.conf
+ fi
+}
+
+while getopts ':et:p:h' VAL ; do
+ case $VAL in
+ e ) EMPTY=1 ;;
+ p ) CONF_PATH="$OPTARG" ;;
+ t ) TEST="$OPTARG" ;;
+ : )
+ echo "Необходим параметр - путь к опции $OPTARG"
+ exit 255
+ ;;
+ * )
+ echo "Неизвестный параметр $OPTARG"
+ exit 255
+ ;;
+ esac
+done
+shift $((OPTIND -1))
+
+# Если заданный путь к кинфигурации authselect заканчивается на /
+# то удалим этот символ
+LAST_SYMBOL=${CONF_PATH: -1}
+if [ "$LAST_SYMBOL" = "/" ];then
+ CONF_PATH=${CONF_PATH%?}
+fi
+LAST_SYMBOL=${TEST: -1}
+if [ "$LAST_SYMBOL" = "/" ];then
+ TEST=${TEST%?}
+fi
+
+if [ -z "$TEST" ];then
+ POLICY_CONFIG=/etc/crypto-policies/back-ends/auth.config
+else
+ POLICY_CONFIG="$TEST/auth.config"
+ if [[ "$POLICY_CONFIG" == "/*" ]];then
+ :
+ else
+ CUR_DIR=$(pwd)
+ POLICY_CONFIG="$CUR_DIR/$POLICY_CONFIG"
+ fi
+fi
+
+PATH_TO_AUTH_SEL_BAK="$CONF_PATH/$AUTH_SEL_BAK"
+PATH_TO_AUTH_CONFIG="$CONF_PATH/$AUTH_CONFIG"
+
+# Дополнительная проверка, файл authselect.conf не должен быть пустым
+# или соедржать слово empty--data, иначе это признак empty
+if [ -e "$PATH_TO_AUTH_CONFIG" ];then
+ AUTH_CONF_CONT=$(/usr/bin/cat "$POLICY_CONFIG" | /usr/bin/xargs)
+ if [ -z "$AUTH_CONF_CONT" -o "$AUTH_CONF_CONT" = "empty--data" ];then
+ EMPTY=1
+ fi
+else
+ EMPTY=2
+fi
+
+# Проверим, нужно ли накладывать патч. Установлено ли это конфигурацией
+NEED_PATCH=0
+if [ -e "$POLICY_CONFIG" ];then
+ RES=$(cat "$POLICY_CONFIG")
+ if [ "$RES" = "patch" ];then
+ NEED_PATCH=1
+ fi
+fi
+
+# Если задан параметр empty, это значит, что применяется профиль
+# без настройки для authselect, в этом случае нужно восстановить
+# старый заданный профиль
+# TODO: возможно даже воспользоватьс командой
+# authselect backup-restore auth_saved_profile
+# данный снимок создается при профиля через crypto-policy
+if [ "$EMPTY" = "1" ];then
+# Если есть файл authselect.patch, значит профиль был пропатчен,
+# а не установлен через профиль
+ if [ -e "$USE_PATCH" ];then
+ set_no_gost
+ /usr/bin/mv -f "$USE_PATCH" "$USE_PATCH.removed"
+ else
+ if [ -e "$PATH_TO_AUTH_SEL_BAK" ];then
+# Только root может восстанавливать конфигурацию из резервной копии
+# дабыизбежать подлога и восстановления файла, созданного пользователем
+ OWNER_UID=$(/usr/bin/stat -c "%u" "$PATH_TO_AUTH_SEL_BAK")
+ if [ "$OWNER_UID" = "0" ];then
+ /usr/bin/mv -f "$PATH_TO_AUTH_SEL_BAK" "$PATH_TO_AUTH_CONFIG"
+ fi
+ AUTH_CONT=$(cat "$PATH_TO_AUTH_CONFIG")
+# Есди файл настроек authselect пустой после восстановления
+# значит он создан ранее скриптом и его нужно убрать
+ if [ -z "$AUTH_CONT" ];then
+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed"
+ fi
+ else
+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_CONFIG.removed"
+ fi
+ if [ -e "$PATH_TO_AUTH_CONFIG" ];then
+ /usr/bin/authselect apply-changes
+ else
+ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then
+ /usr/bin/authselect backup-restore "$AUTH_BACKUP_NAME"
+ else
+ if [ -e /etc/authselect/custom/resored ];then
+ /usr/bin/authselect select custom/restored --force
+ fi
+ fi
+ fi
+ fi
+ exit 0
+fi
+
+# Здесь проверяется куда указывает симлинк(если создан) конфигурационного файла
+# если он смотрит на policy конфигурационный файл, то ничего не делаем, т.к. все уже сделано до нас
+if [ "$EMPTY" = "2" ];then
+ if [ "$NEED_PATCH" = "1" ];then
+ set_gost
+ touch "$USE_PATCH"
+ else
+ OPTS_FOR_EXECUTE=$(get_auth_options)
+ if [ -n "$OPTS_FOR_EXECUTE" ];then
+ save_restored_profile
+ if [ -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then
+ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force
+ else
+ /usr/bin/authselect select $OPTS_FOR_EXECUTE --force --backup=auth_saved_profile
+ fi
+ #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ /usr/bin/authselect apply-changes
+ touch "$PATH_TO_AUTH_SEL_BAK"
+ fi
+ fi
+else
+ if [ "$NEED_PATCH" = "1" ];then
+ set_gost
+ touch "$USE_PATCH"
+ else
+# Если не найден файл маркер, то создается файл бэкапа для authselect
+# а так же создается файл маркер
+ if [ ! -e "$PATH_TO_AUTH_SEL_BAK" ];then
+ /usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_SEL_BAK"
+ EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG")
+ if [ -n "$EMPTY_AUTH" ];then
+ if [ ! -e /var/lib/authselect/backups/"$AUTH_BACKUP_NAME" ];then
+ /usr/bin/authselect apply-changes --backup="$AUTH_BACKUP_NAME"
+ fi
+ fi
+ fi
+
+ #LINK_VALUE=$(/usr/bin/readlink "$PATH_TO_AUTH_CONFIG")
+ #if [ "$LINK_VALUE" != "$POLICY_CONFIG" ];then
+ # #/usr/bin/ln -sf "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ #fi
+ /usr/bin/cp -f "$POLICY_CONFIG" "$PATH_TO_AUTH_CONFIG"
+ /usr/bin/authselect apply-changes
+ fi
+fi
+
+exit 0
\ No newline at end of file
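Review bot: In the non-empty branch, `/usr/bin/mv -f "$PATH_TO_AUTH_CONFIG" "$PATH_TO_AUTH_SEL_BAK"` is immediately followed by `EMPTY_AUTH=$(/usr/bin/cat "$PATH_TO_AUTH_CONFIG")`, which reads the file that was just moved away, so `EMPTY_AUTH` is always empty and the `authselect apply-changes --backup="$AUTH_BACKUP_NAME"` snapshot is never taken; read `"$PATH_TO_AUTH_SEL_BAK"` instead (or capture the contents before the mv). The restore path tests `/etc/authselect/custom/resored` while save_restored_profile creates `custom/restored`, so `authselect select custom/restored --force` can never run. `[[ "$POLICY_CONFIG" == "/*" ]]` compares against the literal two-character string because the pattern is quoted; the absolute-path test is `[[ "$POLICY_CONFIG" == /* ]]`. `exec 1> /var/log/crypto-cmc/auth.log 2>&1` truncates the log on every run, and if the directory does not exist the failed redirection ends the script before any PAM change is applied while the caller's `|| :` hides that; `mkdir -p` plus `>>` would also keep a history of who changed the PAM stack and when. `set_no_gost` maps `sha512` to `yescrypt` as well, so removing the GOST patch does not return a system that was on sha512 to its previous state.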
diff --git a/tests/alternative-policies/GOST-ONLY.pol b/tests/alternative-policies/GOST-ONLY.pol
new file mode 100644
index 0000000..6238020
--- /dev/null
+++ b/tests/alternative-policies/GOST-ONLY.pol
@@ -0,0 +1,30 @@
+# Next generation GOST algorithms
+
+mac = AEAD *STREEBOG* *-OMAC *-OMAC-ACPKM *GOST*
+
+group = *GOST*
+
+hash = *GOST* *STREEBOG*
+
+sign = *GOST*
+
+cipher@TLS = GOST28147-TC26Z-CNT GOST28147-CPA-CFB MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = GOST28147-TC26Z-CNT MAGMA-CTR-ACPKM KUZNYECHIK-CTR-ACPKM GOST28147-C*
+
+key_exchange = *GOST*
+
+protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0
+
+min_tls_version = TLS1.0
+
+# Parameter sizes
+# GOST ciphersuites don't use DH params. The value is set to fit SECLEVEL=2 for OpenSSL
+min_dh_size = 2048
+min_dsa_size = 2048
+min_rsa_size = 2048
+
+# GnuTLS only for now
+sha1_in_certs = 0
+
+action_do = GOST
diff --git a/tests/alternative-policies/modules/GOST.pmod b/tests/alternative-policies/modules/GOST.pmod
new file mode 100644
index 0000000..4280cad
--- /dev/null
+++ b/tests/alternative-policies/modules/GOST.pmod
@@ -0,0 +1,18 @@
+# Adds GOST algorithms.
+# This is an example subpolicy, the algorithm names might differ in reality.
+
+mac = +*STREEBOG-* +*-OMAC +*-OMAC-ACPKM +GOST28147* +AEAD
+
+group = +*GOST*
+
+hash = +*STREEBOG* +*GOST*
+
+sign = +*GOST*
+
+cipher@TLS = +GOST28147-TC26Z-CNT +GOST28147-CPA-CFB +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM
+
+cipher@!TLS = +GOST28147-TC26Z-CNT +MAGMA-CTR-ACPKM +KUZNYECHIK-CTR-ACPKM +GOST28147-CPA-CFB +GOST28147-CPB-CFB +GOST28147-CPC-CFB +GOST28147-CPD-CFB +GOST28147-TC26Z-CFB
+
+key_exchange = +*GOST*
+
+action_do = +GOST
\ No newline at end of file
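Review bot: The `cipher@!TLS` line lists every `GOST28147-CP?-CFB` and `GOST28147-TC26Z-CFB` variant individually, while the sibling GOST-ONLY.pol in the same directory covers the same set with the `GOST28147-C*` wildcard; the two spellings will silently diverge the next time one of them is edited, so one form should be picked for both. The header comment `# This is an example subpolicy, the algorithm names might differ in reality.` undercuts the file as a test fixture — if the names are verified against the backends they should be stated as such, otherwise the uncertainty should be moved to the specific names it applies to. The file also lacks a trailing newline, unlike GOST-ONLY.pol.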
diff --git a/tests/gnutls.py b/tests/gnutls.py
index 5833639..28db664 100755
--- a/tests/gnutls.py
+++ b/tests/gnutls.py
@@ -3,6 +3,7 @@
import os
import subprocess
import sys
+import re
from pathlib import Path
if os.getenv('OLD_GNUTLS') == '1':
@@ -13,7 +14,7 @@ print('Checking the GnuTLS configuration')
for policy_path in Path('tests', 'outputs').glob('*-gnutls.txt'):
policy = policy_path.name.removesuffix('-gnutls.txt')
- if policy == 'GOST-ONLY':
+ if re.match(r'^GOST-ONLY', policy):
continue
print(f'Checking policy {policy}')
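Review bot: `re.match(r'^GOST-ONLY', policy)` is a regex for what is a plain prefix test — `re.match` already anchors at the start, so the `^` is redundant, and `policy.startswith('GOST-ONLY')` says the same without the new `import re`; note it also matches any future policy whose name merely begins with `GOST-ONLY`, which may or may not be intended. The same exclusion is now written four different ways across the test scripts: this regex here and in tests/java.py (where `policy in {'EMPTY'}` is just `policy == 'EMPTY'`), a tuple `('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM')` in tests/nss.py, and a set with mixed quoting `{'EMPTY', 'GOST-ONLY', "GOST-ONLY-PAM"}` in tests/openssl.py. Picking one form — an explicit set of skipped policy names, or a shared `startswith` check — and using it in all four would keep the skip list reviewable in one place. The loop body continues outside this hunk.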
diff --git a/tests/java.py b/tests/java.py
index 97968c7..52b2d87 100755
--- a/tests/java.py
+++ b/tests/java.py
@@ -2,6 +2,7 @@
import subprocess
import sys
+import re
from pathlib import Path
print('Checking the Java configuration')
@@ -38,7 +39,7 @@ for policy_path in Path('tests', 'outputs').glob('*-java.txt'):
lines = out.split('\n')
line_count = out.count('\n')
- if policy in {'EMPTY', 'GOST-ONLY'}:
+ if re.match(r'^GOST-ONLY', policy) or policy in {'EMPTY'}:
if line_count >= 2: # we allow SCSV # noqa: PLR2004
print('Empty policy has ciphersuites!', file=sys.stderr)
print(p.stdout, file=sys.stderr)
diff --git a/tests/nss.py b/tests/nss.py
index fda2275..f22c701 100755
--- a/tests/nss.py
+++ b/tests/nss.py
@@ -35,7 +35,7 @@ print('Checking the NSS configuration')
for policy_path in Path('tests', 'outputs').glob('*-nss.txt'):
policy = policy_path.name.removesuffix('-nss.txt')
print(f'Checking policy {policy}')
- if policy not in {'EMPTY', 'GOST-ONLY'}:
+ if policy not in ('EMPTY', 'GOST-ONLY', 'GOST-ONLY-PAM'):
try:
p = subprocess.run(['nss-policy-check', # noqa: S607
*options, policy_path],
diff --git a/tests/openssl.py b/tests/openssl.py
index c0504f6..69b2468 100755
--- a/tests/openssl.py
+++ b/tests/openssl.py
@@ -8,7 +8,7 @@ print('Checking the OpenSSL configuration')
for policy_path in Path('tests', 'outputs').glob('*-openssl.txt'):
policy = policy_path.name.removesuffix('-openssl.txt')
- if policy in {'EMPTY', 'GOST-ONLY'}:
+ if policy in {'EMPTY', 'GOST-ONLY', "GOST-ONLY-PAM"}:
continue
print(f'Checking policy {policy}')
diff --git a/tests/outputs/DEFAULT-auth.txt b/tests/outputs/DEFAULT-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/DEFAULT:GOST-auth.txt b/tests/outputs/DEFAULT:GOST-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/DEFAULT:GOST-bind.txt b/tests/outputs/DEFAULT:GOST-bind.txt
new file mode 100644
index 0000000..09fb3f1
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-bind.txt
@@ -0,0 +1,10 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+};
+disable-ds-digests "." {
+SHA-1;
+};
diff --git a/tests/outputs/DEFAULT:GOST-gnutls.txt b/tests/outputs/DEFAULT:GOST-gnutls.txt
new file mode 100644
index 0000000..9a04550
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-gnutls.txt
@@ -0,0 +1,105 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = SHA256
+secure-hash = SHA384
+secure-hash = SHA512
+secure-hash = SHA3-256
+secure-hash = SHA3-384
+secure-hash = SHA3-512
+secure-hash = SHA224
+secure-hash = SHA3-224
+secure-hash = SHAKE-256
+tls-enabled-mac = AEAD
+tls-enabled-mac = SHA1
+tls-enabled-mac = SHA512
+tls-enabled-group = GROUP-X25519
+tls-enabled-group = GROUP-SECP256R1
+tls-enabled-group = GROUP-X448
+tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-FFDHE2048
+tls-enabled-group = GROUP-FFDHE3072
+tls-enabled-group = GROUP-FFDHE4096
+tls-enabled-group = GROUP-FFDHE6144
+tls-enabled-group = GROUP-FFDHE8192
+secure-sig = ECDSA-SHA3-256
+secure-sig = ECDSA-SHA256
+secure-sig = ECDSA-SECP256R1-SHA256
+secure-sig = ECDSA-SHA3-384
+secure-sig = ECDSA-SHA384
+secure-sig = ECDSA-SECP384R1-SHA384
+secure-sig = ECDSA-SHA3-512
+secure-sig = ECDSA-SHA512
+secure-sig = ECDSA-SECP521R1-SHA512
+secure-sig = EdDSA-Ed25519
+secure-sig = EdDSA-Ed448
+secure-sig = RSA-PSS-SHA256
+secure-sig = RSA-PSS-SHA384
+secure-sig = RSA-PSS-SHA512
+secure-sig = RSA-PSS-RSAE-SHA256
+secure-sig = RSA-PSS-RSAE-SHA384
+secure-sig = RSA-PSS-RSAE-SHA512
+secure-sig = RSA-SHA3-256
+secure-sig = RSA-SHA256
+secure-sig = RSA-SHA3-384
+secure-sig = RSA-SHA384
+secure-sig = RSA-SHA3-512
+secure-sig = RSA-SHA512
+secure-sig = ECDSA-SHA224
+secure-sig = RSA-SHA224
+secure-sig = ECDSA-SHA3-224
+secure-sig = RSA-SHA3-224
+secure-sig-for-cert = ECDSA-SHA3-256
+secure-sig-for-cert = ECDSA-SHA256
+secure-sig-for-cert = ECDSA-SECP256R1-SHA256
+secure-sig-for-cert = ECDSA-SHA3-384
+secure-sig-for-cert = ECDSA-SHA384
+secure-sig-for-cert = ECDSA-SECP384R1-SHA384
+secure-sig-for-cert = ECDSA-SHA3-512
+secure-sig-for-cert = ECDSA-SHA512
+secure-sig-for-cert = ECDSA-SECP521R1-SHA512
+secure-sig-for-cert = EdDSA-Ed25519
+secure-sig-for-cert = EdDSA-Ed448
+secure-sig-for-cert = RSA-PSS-SHA256
+secure-sig-for-cert = RSA-PSS-SHA384
+secure-sig-for-cert = RSA-PSS-SHA512
+secure-sig-for-cert = RSA-PSS-RSAE-SHA256
+secure-sig-for-cert = RSA-PSS-RSAE-SHA384
+secure-sig-for-cert = RSA-PSS-RSAE-SHA512
+secure-sig-for-cert = RSA-SHA3-256
+secure-sig-for-cert = RSA-SHA256
+secure-sig-for-cert = RSA-SHA3-384
+secure-sig-for-cert = RSA-SHA384
+secure-sig-for-cert = RSA-SHA3-512
+secure-sig-for-cert = RSA-SHA512
+secure-sig-for-cert = ECDSA-SHA224
+secure-sig-for-cert = RSA-SHA224
+secure-sig-for-cert = ECDSA-SHA3-224
+secure-sig-for-cert = RSA-SHA3-224
+enabled-curve = X25519
+enabled-curve = SECP256R1
+enabled-curve = X448
+enabled-curve = SECP521R1
+enabled-curve = SECP384R1
+enabled-curve = Ed25519
+enabled-curve = Ed448
+tls-enabled-cipher = AES-256-GCM
+tls-enabled-cipher = AES-256-CCM
+tls-enabled-cipher = CHACHA20-POLY1305
+tls-enabled-cipher = AES-256-CBC
+tls-enabled-cipher = AES-128-GCM
+tls-enabled-cipher = AES-128-CCM
+tls-enabled-cipher = AES-128-CBC
+tls-enabled-kx = ECDHE-RSA
+tls-enabled-kx = ECDHE-ECDSA
+tls-enabled-kx = RSA
+tls-enabled-kx = DHE-RSA
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = DTLS1.2
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/DEFAULT:GOST-java.txt b/tests/outputs/DEFAULT:GOST-java.txt
new file mode 100644
index 0000000..ed6f632
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5
+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:GOST-javasystem.txt b/tests/outputs/DEFAULT:GOST-javasystem.txt
new file mode 100644
index 0000000..7d5cfd6
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
diff --git a/tests/outputs/DEFAULT:GOST-krb5.txt b/tests/outputs/DEFAULT:GOST-krb5.txt
new file mode 100644
index 0000000..415dcb3
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
diff --git a/tests/outputs/DEFAULT:GOST-libreswan.txt b/tests/outputs/DEFAULT:GOST-libreswan.txt
new file mode 100644
index 0000000..9f2f5db
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-libreswan.txt
@@ -0,0 +1,6 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff --git a/tests/outputs/DEFAULT:GOST-libssh.txt b/tests/outputs/DEFAULT:GOST-libssh.txt
new file mode 100644
index 0000000..49d8251
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:GOST-nss.txt b/tests/outputs/DEFAULT:GOST-nss.txt
new file mode 100644
index 0000000..b8bf74a
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:GOST-openssh.txt b/tests/outputs/DEFAULT:GOST-openssh.txt
new file mode 100644
index 0000000..47d352e
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-openssh.txt
@@ -0,0 +1,7 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:GOST-opensshserver.txt b/tests/outputs/DEFAULT:GOST-opensshserver.txt
new file mode 100644
index 0000000..8105750
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-opensshserver.txt
@@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:GOST-openssl.txt b/tests/outputs/DEFAULT:GOST-openssl.txt
new file mode 100644
index 0000000..239566f
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/DEFAULT:GOST-openssl_fips.txt b/tests/outputs/DEFAULT:GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:GOST-opensslcnf.txt b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
new file mode 100644
index 0000000..6fe6291
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-opensslcnf.txt
@@ -0,0 +1,20 @@
+CipherString = @SECLEVEL=2:kGOST:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = GOST2012-GOST8912-GOST8912:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+
+[openssl_init]
+engines = engine_gost
+
+[engine_gost]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = /usr/lib64/engines-3/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
diff --git a/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
new file mode 100644
index 0000000..cec1d15
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-rpm-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "always"
+sha1.second_preimage_resistance = "always"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "always"
+dsa2048 = "always"
+dsa3072 = "always"
+dsa4096 = "always"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
diff --git a/tests/outputs/DEFAULT:GOST-sequoia.txt b/tests/outputs/DEFAULT:GOST-sequoia.txt
new file mode 100644
index 0000000..135997c
--- /dev/null
+++ b/tests/outputs/DEFAULT:GOST-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "never"
+sha1.second_preimage_resistance = "never"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "never"
+dsa2048 = "never"
+dsa3072 = "never"
+dsa4096 = "never"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
diff --git a/tests/outputs/DEFAULT:PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PAM-GOST-auth.txt
new file mode 100644
index 0000000..110527f
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-auth.txt
@@ -0,0 +1,2 @@
+custom/minimal_gost
+with-gost
\ No newline at end of file
diff --git a/tests/outputs/DEFAULT:PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PAM-GOST-bind.txt
new file mode 100644
index 0000000..9ec8420
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-bind.txt
@@ -0,0 +1,12 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+ECCGOST;
+};
+disable-ds-digests "." {
+SHA-1;
+GOST;
+};
diff --git a/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
new file mode 100644
index 0000000..9a04550
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-gnutls.txt
@@ -0,0 +1,105 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = SHA256
+secure-hash = SHA384
+secure-hash = SHA512
+secure-hash = SHA3-256
+secure-hash = SHA3-384
+secure-hash = SHA3-512
+secure-hash = SHA224
+secure-hash = SHA3-224
+secure-hash = SHAKE-256
+tls-enabled-mac = AEAD
+tls-enabled-mac = SHA1
+tls-enabled-mac = SHA512
+tls-enabled-group = GROUP-X25519
+tls-enabled-group = GROUP-SECP256R1
+tls-enabled-group = GROUP-X448
+tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-FFDHE2048
+tls-enabled-group = GROUP-FFDHE3072
+tls-enabled-group = GROUP-FFDHE4096
+tls-enabled-group = GROUP-FFDHE6144
+tls-enabled-group = GROUP-FFDHE8192
+secure-sig = ECDSA-SHA3-256
+secure-sig = ECDSA-SHA256
+secure-sig = ECDSA-SECP256R1-SHA256
+secure-sig = ECDSA-SHA3-384
+secure-sig = ECDSA-SHA384
+secure-sig = ECDSA-SECP384R1-SHA384
+secure-sig = ECDSA-SHA3-512
+secure-sig = ECDSA-SHA512
+secure-sig = ECDSA-SECP521R1-SHA512
+secure-sig = EdDSA-Ed25519
+secure-sig = EdDSA-Ed448
+secure-sig = RSA-PSS-SHA256
+secure-sig = RSA-PSS-SHA384
+secure-sig = RSA-PSS-SHA512
+secure-sig = RSA-PSS-RSAE-SHA256
+secure-sig = RSA-PSS-RSAE-SHA384
+secure-sig = RSA-PSS-RSAE-SHA512
+secure-sig = RSA-SHA3-256
+secure-sig = RSA-SHA256
+secure-sig = RSA-SHA3-384
+secure-sig = RSA-SHA384
+secure-sig = RSA-SHA3-512
+secure-sig = RSA-SHA512
+secure-sig = ECDSA-SHA224
+secure-sig = RSA-SHA224
+secure-sig = ECDSA-SHA3-224
+secure-sig = RSA-SHA3-224
+secure-sig-for-cert = ECDSA-SHA3-256
+secure-sig-for-cert = ECDSA-SHA256
+secure-sig-for-cert = ECDSA-SECP256R1-SHA256
+secure-sig-for-cert = ECDSA-SHA3-384
+secure-sig-for-cert = ECDSA-SHA384
+secure-sig-for-cert = ECDSA-SECP384R1-SHA384
+secure-sig-for-cert = ECDSA-SHA3-512
+secure-sig-for-cert = ECDSA-SHA512
+secure-sig-for-cert = ECDSA-SECP521R1-SHA512
+secure-sig-for-cert = EdDSA-Ed25519
+secure-sig-for-cert = EdDSA-Ed448
+secure-sig-for-cert = RSA-PSS-SHA256
+secure-sig-for-cert = RSA-PSS-SHA384
+secure-sig-for-cert = RSA-PSS-SHA512
+secure-sig-for-cert = RSA-PSS-RSAE-SHA256
+secure-sig-for-cert = RSA-PSS-RSAE-SHA384
+secure-sig-for-cert = RSA-PSS-RSAE-SHA512
+secure-sig-for-cert = RSA-SHA3-256
+secure-sig-for-cert = RSA-SHA256
+secure-sig-for-cert = RSA-SHA3-384
+secure-sig-for-cert = RSA-SHA384
+secure-sig-for-cert = RSA-SHA3-512
+secure-sig-for-cert = RSA-SHA512
+secure-sig-for-cert = ECDSA-SHA224
+secure-sig-for-cert = RSA-SHA224
+secure-sig-for-cert = ECDSA-SHA3-224
+secure-sig-for-cert = RSA-SHA3-224
+enabled-curve = X25519
+enabled-curve = SECP256R1
+enabled-curve = X448
+enabled-curve = SECP521R1
+enabled-curve = SECP384R1
+enabled-curve = Ed25519
+enabled-curve = Ed448
+tls-enabled-cipher = AES-256-GCM
+tls-enabled-cipher = AES-256-CCM
+tls-enabled-cipher = CHACHA20-POLY1305
+tls-enabled-cipher = AES-256-CBC
+tls-enabled-cipher = AES-128-GCM
+tls-enabled-cipher = AES-128-CCM
+tls-enabled-cipher = AES-128-CBC
+tls-enabled-kx = ECDHE-RSA
+tls-enabled-kx = ECDHE-ECDSA
+tls-enabled-kx = RSA
+tls-enabled-kx = DHE-RSA
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = DTLS1.2
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/DEFAULT:PAM-GOST-java.txt b/tests/outputs/DEFAULT:PAM-GOST-java.txt
new file mode 100644
index 0000000..ed6f632
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5
+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
new file mode 100644
index 0000000..7d5cfd6
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
diff --git a/tests/outputs/DEFAULT:PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt
new file mode 100644
index 0000000..415dcb3
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
diff --git a/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
new file mode 100644
index 0000000..9f2f5db
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-libreswan.txt
@@ -0,0 +1,6 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff --git a/tests/outputs/DEFAULT:PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt
new file mode 100644
index 0000000..49d8251
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PAM-GOST-nss.txt
new file mode 100644
index 0000000..b8bf74a
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt
new file mode 100644
index 0000000..47d352e
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssh.txt
@@ -0,0 +1,7 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
new file mode 100644
index 0000000..8105750
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-opensshserver.txt
@@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt
new file mode 100644
index 0000000..952c651
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
new file mode 100644
index 0000000..8f18d1e
--- /dev/null
+++ b/tests/outputs/DEFAULT:PAM-GOST-opensslcnf.txt
@@ -0,0 +1,8 @@
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt
new file mode 100644
index 0000000..dbcae14
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-auth.txt
@@ -0,0 +1 @@
+patch
\ No newline at end of file
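Review bot: The fixture pins only the mode keyword `patch`, so the test asserts nothing about what the experimental PAM patch generator actually writes into the PAM stack, which is the security-relevant part of this module. If the generator's output is deterministic, extend the fixture (or add a dedicated backend output) with the rendered PAM lines so a regression in the patched auth/password stack is caught rather than just the mode selection. The file is also written without a trailing newline; if the consumer reads it with a line-oriented loop such as `while read`, an unterminated last line can be dropped, so emitting a final newline is the safer default.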
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
new file mode 100644
index 0000000..9ec8420
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-bind.txt
@@ -0,0 +1,12 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+ECCGOST;
+};
+disable-ds-digests "." {
+SHA-1;
+GOST;
+};
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
new file mode 100644
index 0000000..9a04550
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-gnutls.txt
@@ -0,0 +1,105 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = SHA256
+secure-hash = SHA384
+secure-hash = SHA512
+secure-hash = SHA3-256
+secure-hash = SHA3-384
+secure-hash = SHA3-512
+secure-hash = SHA224
+secure-hash = SHA3-224
+secure-hash = SHAKE-256
+tls-enabled-mac = AEAD
+tls-enabled-mac = SHA1
+tls-enabled-mac = SHA512
+tls-enabled-group = GROUP-X25519
+tls-enabled-group = GROUP-SECP256R1
+tls-enabled-group = GROUP-X448
+tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-FFDHE2048
+tls-enabled-group = GROUP-FFDHE3072
+tls-enabled-group = GROUP-FFDHE4096
+tls-enabled-group = GROUP-FFDHE6144
+tls-enabled-group = GROUP-FFDHE8192
+secure-sig = ECDSA-SHA3-256
+secure-sig = ECDSA-SHA256
+secure-sig = ECDSA-SECP256R1-SHA256
+secure-sig = ECDSA-SHA3-384
+secure-sig = ECDSA-SHA384
+secure-sig = ECDSA-SECP384R1-SHA384
+secure-sig = ECDSA-SHA3-512
+secure-sig = ECDSA-SHA512
+secure-sig = ECDSA-SECP521R1-SHA512
+secure-sig = EdDSA-Ed25519
+secure-sig = EdDSA-Ed448
+secure-sig = RSA-PSS-SHA256
+secure-sig = RSA-PSS-SHA384
+secure-sig = RSA-PSS-SHA512
+secure-sig = RSA-PSS-RSAE-SHA256
+secure-sig = RSA-PSS-RSAE-SHA384
+secure-sig = RSA-PSS-RSAE-SHA512
+secure-sig = RSA-SHA3-256
+secure-sig = RSA-SHA256
+secure-sig = RSA-SHA3-384
+secure-sig = RSA-SHA384
+secure-sig = RSA-SHA3-512
+secure-sig = RSA-SHA512
+secure-sig = ECDSA-SHA224
+secure-sig = RSA-SHA224
+secure-sig = ECDSA-SHA3-224
+secure-sig = RSA-SHA3-224
+secure-sig-for-cert = ECDSA-SHA3-256
+secure-sig-for-cert = ECDSA-SHA256
+secure-sig-for-cert = ECDSA-SECP256R1-SHA256
+secure-sig-for-cert = ECDSA-SHA3-384
+secure-sig-for-cert = ECDSA-SHA384
+secure-sig-for-cert = ECDSA-SECP384R1-SHA384
+secure-sig-for-cert = ECDSA-SHA3-512
+secure-sig-for-cert = ECDSA-SHA512
+secure-sig-for-cert = ECDSA-SECP521R1-SHA512
+secure-sig-for-cert = EdDSA-Ed25519
+secure-sig-for-cert = EdDSA-Ed448
+secure-sig-for-cert = RSA-PSS-SHA256
+secure-sig-for-cert = RSA-PSS-SHA384
+secure-sig-for-cert = RSA-PSS-SHA512
+secure-sig-for-cert = RSA-PSS-RSAE-SHA256
+secure-sig-for-cert = RSA-PSS-RSAE-SHA384
+secure-sig-for-cert = RSA-PSS-RSAE-SHA512
+secure-sig-for-cert = RSA-SHA3-256
+secure-sig-for-cert = RSA-SHA256
+secure-sig-for-cert = RSA-SHA3-384
+secure-sig-for-cert = RSA-SHA384
+secure-sig-for-cert = RSA-SHA3-512
+secure-sig-for-cert = RSA-SHA512
+secure-sig-for-cert = ECDSA-SHA224
+secure-sig-for-cert = RSA-SHA224
+secure-sig-for-cert = ECDSA-SHA3-224
+secure-sig-for-cert = RSA-SHA3-224
+enabled-curve = X25519
+enabled-curve = SECP256R1
+enabled-curve = X448
+enabled-curve = SECP521R1
+enabled-curve = SECP384R1
+enabled-curve = Ed25519
+enabled-curve = Ed448
+tls-enabled-cipher = AES-256-GCM
+tls-enabled-cipher = AES-256-CCM
+tls-enabled-cipher = CHACHA20-POLY1305
+tls-enabled-cipher = AES-256-CBC
+tls-enabled-cipher = AES-128-GCM
+tls-enabled-cipher = AES-128-CCM
+tls-enabled-cipher = AES-128-CBC
+tls-enabled-kx = ECDHE-RSA
+tls-enabled-kx = ECDHE-ECDSA
+tls-enabled-kx = RSA
+tls-enabled-kx = DHE-RSA
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = DTLS1.2
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
new file mode 100644
index 0000000..ed6f632
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5
+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
new file mode 100644
index 0000000..7d5cfd6
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
new file mode 100644
index 0000000..415dcb3
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
new file mode 100644
index 0000000..9f2f5db
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libreswan.txt
@@ -0,0 +1,6 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
new file mode 100644
index 0000000..49d8251
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
new file mode 100644
index 0000000..b8bf74a
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
new file mode 100644
index 0000000..47d352e
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssh.txt
@@ -0,0 +1,7 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
new file mode 100644
index 0000000..8105750
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensshserver.txt
@@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
new file mode 100644
index 0000000..952c651
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
new file mode 100644
index 0000000..8f18d1e
--- /dev/null
+++ b/tests/outputs/DEFAULT:PATCH-PAM-GOST-opensslcnf.txt
@@ -0,0 +1,8 @@
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
diff --git a/tests/outputs/DEFAULT:SHA1-auth.txt b/tests/outputs/DEFAULT:SHA1-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
new file mode 100644
index 0000000..4884073
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-auth.txt
@@ -0,0 +1,4 @@
+custom/sssd_gost
+with-gost
+with-fingerprint
+with-silent-lastlog
\ No newline at end of file
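Review bot: `with-fingerprint` is switched on unconditionally in the generated sssd_gost feature list (third line of the fixture), which enables the fingerprint PAM stack on every host applying DEFAULT:SSSD-PAM-GOST; for a policy aimed at a regulated environment a biometric factor is something auditors usually expect to be opt-in, unless the sssd_gost README (not in this chunk) mandates it. Consider dropping it from the generated list and documenting `authselect enable-feature with-fingerprint` as the explicit opt-in. Separately, `with-silent-lastlog` sits on an unterminated last line; if the generator's output is consumed line by line, emit a trailing newline so the final feature is not lost.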
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
new file mode 100644
index 0000000..9ec8420
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-bind.txt
@@ -0,0 +1,12 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+ECCGOST;
+};
+disable-ds-digests "." {
+SHA-1;
+GOST;
+};
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
new file mode 100644
index 0000000..9a04550
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-gnutls.txt
@@ -0,0 +1,105 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = SHA256
+secure-hash = SHA384
+secure-hash = SHA512
+secure-hash = SHA3-256
+secure-hash = SHA3-384
+secure-hash = SHA3-512
+secure-hash = SHA224
+secure-hash = SHA3-224
+secure-hash = SHAKE-256
+tls-enabled-mac = AEAD
+tls-enabled-mac = SHA1
+tls-enabled-mac = SHA512
+tls-enabled-group = GROUP-X25519
+tls-enabled-group = GROUP-SECP256R1
+tls-enabled-group = GROUP-X448
+tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-FFDHE2048
+tls-enabled-group = GROUP-FFDHE3072
+tls-enabled-group = GROUP-FFDHE4096
+tls-enabled-group = GROUP-FFDHE6144
+tls-enabled-group = GROUP-FFDHE8192
+secure-sig = ECDSA-SHA3-256
+secure-sig = ECDSA-SHA256
+secure-sig = ECDSA-SECP256R1-SHA256
+secure-sig = ECDSA-SHA3-384
+secure-sig = ECDSA-SHA384
+secure-sig = ECDSA-SECP384R1-SHA384
+secure-sig = ECDSA-SHA3-512
+secure-sig = ECDSA-SHA512
+secure-sig = ECDSA-SECP521R1-SHA512
+secure-sig = EdDSA-Ed25519
+secure-sig = EdDSA-Ed448
+secure-sig = RSA-PSS-SHA256
+secure-sig = RSA-PSS-SHA384
+secure-sig = RSA-PSS-SHA512
+secure-sig = RSA-PSS-RSAE-SHA256
+secure-sig = RSA-PSS-RSAE-SHA384
+secure-sig = RSA-PSS-RSAE-SHA512
+secure-sig = RSA-SHA3-256
+secure-sig = RSA-SHA256
+secure-sig = RSA-SHA3-384
+secure-sig = RSA-SHA384
+secure-sig = RSA-SHA3-512
+secure-sig = RSA-SHA512
+secure-sig = ECDSA-SHA224
+secure-sig = RSA-SHA224
+secure-sig = ECDSA-SHA3-224
+secure-sig = RSA-SHA3-224
+secure-sig-for-cert = ECDSA-SHA3-256
+secure-sig-for-cert = ECDSA-SHA256
+secure-sig-for-cert = ECDSA-SECP256R1-SHA256
+secure-sig-for-cert = ECDSA-SHA3-384
+secure-sig-for-cert = ECDSA-SHA384
+secure-sig-for-cert = ECDSA-SECP384R1-SHA384
+secure-sig-for-cert = ECDSA-SHA3-512
+secure-sig-for-cert = ECDSA-SHA512
+secure-sig-for-cert = ECDSA-SECP521R1-SHA512
+secure-sig-for-cert = EdDSA-Ed25519
+secure-sig-for-cert = EdDSA-Ed448
+secure-sig-for-cert = RSA-PSS-SHA256
+secure-sig-for-cert = RSA-PSS-SHA384
+secure-sig-for-cert = RSA-PSS-SHA512
+secure-sig-for-cert = RSA-PSS-RSAE-SHA256
+secure-sig-for-cert = RSA-PSS-RSAE-SHA384
+secure-sig-for-cert = RSA-PSS-RSAE-SHA512
+secure-sig-for-cert = RSA-SHA3-256
+secure-sig-for-cert = RSA-SHA256
+secure-sig-for-cert = RSA-SHA3-384
+secure-sig-for-cert = RSA-SHA384
+secure-sig-for-cert = RSA-SHA3-512
+secure-sig-for-cert = RSA-SHA512
+secure-sig-for-cert = ECDSA-SHA224
+secure-sig-for-cert = RSA-SHA224
+secure-sig-for-cert = ECDSA-SHA3-224
+secure-sig-for-cert = RSA-SHA3-224
+enabled-curve = X25519
+enabled-curve = SECP256R1
+enabled-curve = X448
+enabled-curve = SECP521R1
+enabled-curve = SECP384R1
+enabled-curve = Ed25519
+enabled-curve = Ed448
+tls-enabled-cipher = AES-256-GCM
+tls-enabled-cipher = AES-256-CCM
+tls-enabled-cipher = CHACHA20-POLY1305
+tls-enabled-cipher = AES-256-CBC
+tls-enabled-cipher = AES-128-GCM
+tls-enabled-cipher = AES-128-CCM
+tls-enabled-cipher = AES-128-CBC
+tls-enabled-kx = ECDHE-RSA
+tls-enabled-kx = ECDHE-ECDSA
+tls-enabled-kx = RSA
+tls-enabled-kx = DHE-RSA
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = DTLS1.2
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
new file mode 100644
index 0000000..ed6f632
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA, SHA1withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, TLSv1.1, TLSv1, SSLv3, SSLv2, DTLSv1.0, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacMD5
+jdk.disabled.namedCurves=brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
new file mode 100644
index 0000000..7d5cfd6
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=x25519, secp256r1, x448, secp521r1, secp384r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
new file mode 100644
index 0000000..415dcb3
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
new file mode 100644
index 0000000..9f2f5db
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libreswan.txt
@@ -0,0 +1,6 @@
+conn %default
+ ikev2=insist
+ pfs=yes
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
+ authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
new file mode 100644
index 0000000..49d8251
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-libssh.txt
@@ -0,0 +1,5 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
new file mode 100644
index 0000000..b8bf74a
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
new file mode 100644
index 0000000..47d352e
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssh.txt
@@ -0,0 +1,7 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
new file mode 100644
index 0000000..8105750
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensshserver.txt
@@ -0,0 +1,8 @@
+Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
+CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
+RequiredRSASize 2048
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
new file mode 100644
index 0000000..952c651
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
new file mode 100644
index 0000000..8f18d1e
--- /dev/null
+++ b/tests/outputs/DEFAULT:SSSD-PAM-GOST-opensslcnf.txt
@@ -0,0 +1,8 @@
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+TLS.MinProtocol = TLSv1.2
+TLS.MaxProtocol = TLSv1.3
+DTLS.MinProtocol = DTLSv1.2
+DTLS.MaxProtocol = DTLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
diff --git a/tests/outputs/EMPTY-auth.txt b/tests/outputs/EMPTY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS-auth.txt b/tests/outputs/FIPS-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS:ECDHE-ONLY-auth.txt b/tests/outputs/FIPS:ECDHE-ONLY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt b/tests/outputs/FIPS:NO-ENFORCE-EMS-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FIPS:OSPP-auth.txt b/tests/outputs/FIPS:OSPP-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FUTURE-auth.txt b/tests/outputs/FUTURE-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/FUTURE:AD-SUPPORT-auth.txt b/tests/outputs/FUTURE:AD-SUPPORT-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-PAM-auth.txt b/tests/outputs/GOST-ONLY-PAM-auth.txt
new file mode 100644
index 0000000..110527f
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-auth.txt
@@ -0,0 +1,2 @@
+custom/minimal_gost
+with-gost
\ No newline at end of file
diff --git a/tests/outputs/GOST-ONLY-PAM-bind.txt b/tests/outputs/GOST-ONLY-PAM-bind.txt
new file mode 100644
index 0000000..e701c5c
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-bind.txt
@@ -0,0 +1,18 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+RSASHA256;
+ECDSAP256SHA256;
+ECDSAP384SHA384;
+RSASHA512;
+ED25519;
+ED448;
+};
+disable-ds-digests "." {
+SHA-256;
+SHA-384;
+SHA-1;
+};
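Review bot: With every DNSSEC signing algorithm and every DS digest disabled for the root zone, named can validate nothing: an unsupported algorithm or digest is not a validation failure, so every signed zone is treated as insecure and a GOST-only policy switches DNSSEC validation off system-wide without saying so. If that trade-off is intended it belongs in the policy's documentation (the .pol file is outside this chunk), e.g. `# No DNSSEC algorithm is GOST-based: named performs no validation under this policy`; if not, the bind backend should keep the algorithms a validating resolver needs. GOST-ONLY-bind.txt carries the same output.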
diff --git a/tests/outputs/GOST-ONLY-PAM-gnutls.txt b/tests/outputs/GOST-ONLY-PAM-gnutls.txt
new file mode 100644
index 0000000..59c9ae0
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-gnutls.txt
@@ -0,0 +1,13 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+tls-enabled-mac = AEAD
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = TLS1.1
+enabled-version = TLS1.0
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
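Review bot: `enabled-version = TLS1.1` and `TLS1.0` re-enable protocol versions deprecated by RFC 8996, and as far as this allowlist shows no key-exchange, cipher, signature or group is enabled (only `tls-enabled-mac = AEAD`), so no GnuTLS handshake can succeed at any version and the two legacy versions buy nothing. The cause is presumably the GOST policy's protocol list (the .pol file is outside this chunk); the same minimum surfaces as `tls-version-min=tls1.0` in GOST-ONLY-PAM-nss.txt / GOST-ONLY-nss.txt and as `TLS.MinProtocol = TLSv1` in both *-opensslcnf.txt outputs. Dropping TLS1.0 and TLS1.1 from the policy would bring these outputs in line with the TLSv1.2 minimum the DEFAULT:SSSD-PAM-GOST-opensslcnf.txt hunk shows.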
diff --git a/tests/outputs/GOST-ONLY-PAM-java.txt b/tests/outputs/GOST-ONLY-PAM-java.txt
new file mode 100644
index 0000000..a306242
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, SSLv3, SSLv2, DTLSv1.0, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+jdk.disabled.namedCurves=x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
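Review bot: The token `MD5withECDSARIPEMD160withRSA` in both disabledAlgorithms lists is two entries fused by a missing `, ` separator, so Java matches neither `MD5withECDSA` nor `RIPEMD160withRSA` and both signature algorithms remain enabled despite the policy's intent. As this file is a generated expectation, the fix belongs in the generator that assembles the list (outside this chunk), after which the fixture should read `..., MD5withECDSA, RIPEMD160withRSA, RIPEMD160withECDSA, ...`. The same fused token appears in GOST-ONLY-java.txt.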
diff --git a/tests/outputs/GOST-ONLY-PAM-javasystem.txt b/tests/outputs/GOST-ONLY-PAM-javasystem.txt
new file mode 100644
index 0000000..408e8dd
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=
diff --git a/tests/outputs/GOST-ONLY-PAM-krb5.txt b/tests/outputs/GOST-ONLY-PAM-krb5.txt
new file mode 100644
index 0000000..b0b1480
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes =
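Review bot: `permitted_enctypes =` with an empty value most likely does not restrict Kerberos: krb5 builds the enctype list starting from its built-in default set and an empty string names nothing to add or remove, so the default enctypes stay permitted — the opposite of what a GOST-only policy reads as. This should be verified against the krb5 version shipped; if confirmed, the krb5 backend should either omit the directive when the list is empty and document that Kerberos is unrestricted under this policy, or the policy should make that choice explicit. GOST-ONLY-krb5.txt carries the same output.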
diff --git a/tests/outputs/GOST-ONLY-PAM-libreswan.txt b/tests/outputs/GOST-ONLY-PAM-libreswan.txt
new file mode 100644
index 0000000..7dc12cd
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-libreswan.txt
@@ -0,0 +1,2 @@
+conn %default
+ pfs=yes
diff --git a/tests/outputs/GOST-ONLY-PAM-libssh.txt b/tests/outputs/GOST-ONLY-PAM-libssh.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-PAM-nss.txt b/tests/outputs/GOST-ONLY-PAM-nss.txt
new file mode 100644
index 0000000..bf6f1ca
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/GOST-ONLY-PAM-openssh.txt b/tests/outputs/GOST-ONLY-PAM-openssh.txt
new file mode 100644
index 0000000..89e06ad
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-openssh.txt
@@ -0,0 +1,2 @@
+GSSAPIKeyExchange no
+RequiredRSASize 2048
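Review bot: This output carries no `Ciphers`, `MACs`, `KexAlgorithms` or `HostKeyAlgorithms` directive, unlike the DEFAULT-based output at the top of this chunk, so under GOST-ONLY OpenSSH silently falls back to its compiled-in defaults and is not restricted at all — the policy name promises a tighter configuration than it delivers. Presumably the generator drops a directive whenever the policy's algorithm set is empty; for an allowlist-style policy it would be safer to emit an explicit value or fail the build with a clear message. The same gap is visible in GOST-ONLY-PAM-opensshserver.txt, GOST-ONLY-openssh.txt and GOST-ONLY-opensshserver.txt, and for IPsec in both *-libreswan.txt outputs, which set only `pfs=yes` and leave the ike/esp proposals at libreswan's defaults.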
diff --git a/tests/outputs/GOST-ONLY-PAM-opensshserver.txt b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt
new file mode 100644
index 0000000..89e06ad
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-opensshserver.txt
@@ -0,0 +1,2 @@
+GSSAPIKeyExchange no
+RequiredRSASize 2048
diff --git a/tests/outputs/GOST-ONLY-PAM-openssl.txt b/tests/outputs/GOST-ONLY-PAM-openssl.txt
new file mode 100644
index 0000000..abeab8c
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
new file mode 100644
index 0000000..c5c1f47
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-PAM-opensslcnf.txt
@@ -0,0 +1,18 @@
+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = GOST2012-GOST8912-GOST8912
+TLS.MinProtocol = TLSv1
+TLS.MaxProtocol = TLSv1.3
+SignatureAlgorithms =
+Groups =
+
+[openssl_init]
+engines = engine_gost
+
+[engine_gost]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = /usr/lib64/engines-3/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
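Review bot: `Ciphersuites = GOST2012-GOST8912-GOST8912` deserves a check: OpenSSL's `Ciphersuites` directive configures TLS 1.3 suites only, while `GOST2012-GOST8912-GOST8912` is the gost-engine name of a TLS 1.2 suite, so the line probably has no effect and the TLS 1.2 suite selection rests entirely on `kGOST` in CipherString. Two further points in the same section: `dynamic_path = /usr/lib64/engines-3/gost.so` hard-codes a 64-bit-only libdir, so a build for an architecture using /usr/lib would fail to load the engine, and the empty `SignatureAlgorithms =` / `Groups =` values should be confirmed to be accepted by the OpenSSL config loader rather than making every libssl consumer fail at initialisation. GOST-ONLY-opensslcnf.txt duplicates this section.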
diff --git a/tests/outputs/GOST-ONLY-auth.txt b/tests/outputs/GOST-ONLY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-bind.txt b/tests/outputs/GOST-ONLY-bind.txt
new file mode 100644
index 0000000..e701c5c
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-bind.txt
@@ -0,0 +1,18 @@
+disable-algorithms "." {
+RSAMD5;
+RSASHA1;
+NSEC3RSASHA1;
+DSA;
+NSEC3DSA;
+RSASHA256;
+ECDSAP256SHA256;
+ECDSAP384SHA384;
+RSASHA512;
+ED25519;
+ED448;
+};
+disable-ds-digests "." {
+SHA-256;
+SHA-384;
+SHA-1;
+};
diff --git a/tests/outputs/GOST-ONLY-gnutls.txt b/tests/outputs/GOST-ONLY-gnutls.txt
new file mode 100644
index 0000000..59c9ae0
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-gnutls.txt
@@ -0,0 +1,13 @@
+[global]
+override-mode = allowlist
+
+[overrides]
+tls-enabled-mac = AEAD
+enabled-version = TLS1.3
+enabled-version = TLS1.2
+enabled-version = TLS1.1
+enabled-version = TLS1.0
+min-verification-profile = medium
+
+[priorities]
+SYSTEM=NONE
diff --git a/tests/outputs/GOST-ONLY-java.txt b/tests/outputs/GOST-ONLY-java.txt
new file mode 100644
index 0000000..a306242
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-java.txt
@@ -0,0 +1,4 @@
+jdk.certpath.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5
+jdk.tls.disabledAlgorithms=MD2, MD5withDSA, MD5withECDSARIPEMD160withRSA, RIPEMD160withECDSA, RIPEMD160withRSAandMGF1, MD5withRSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, SHA384withDSA, SHA384withECDSA, SHA512withRSA, SHA512withDSA, SHA512withECDSA, Ed25519, Ed448, SHA1withRSAandMGF1, SHA224withRSAandMGF1, SHA256withRSAandMGF1, SHA384withRSAandMGF1, SHA512withRSAandMGF1, RSA keySize < 2048, DSA keySize < 2048, DH keySize < 2048, EC keySize < 256, include jdk.disabled.namedCurves, SSLv3, SSLv2, DTLSv1.0, RSAPSK, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, ChaCha20-Poly1305, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, anon, NULL, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5
+jdk.disabled.namedCurves=x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2tnb359v1, c2tnb431r1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, brainpoolP320r1
+jdk.tls.legacyAlgorithms=
diff --git a/tests/outputs/GOST-ONLY-javasystem.txt b/tests/outputs/GOST-ONLY-javasystem.txt
new file mode 100644
index 0000000..408e8dd
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-javasystem.txt
@@ -0,0 +1,2 @@
+jdk.tls.ephemeralDHKeySize=2048
+jdk.tls.namedGroups=
diff --git a/tests/outputs/GOST-ONLY-krb5.txt b/tests/outputs/GOST-ONLY-krb5.txt
new file mode 100644
index 0000000..b0b1480
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-krb5.txt
@@ -0,0 +1,2 @@
+[libdefaults]
+permitted_enctypes =
diff --git a/tests/outputs/GOST-ONLY-libreswan.txt b/tests/outputs/GOST-ONLY-libreswan.txt
new file mode 100644
index 0000000..7dc12cd
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-libreswan.txt
@@ -0,0 +1,2 @@
+conn %default
+ pfs=yes
diff --git a/tests/outputs/GOST-ONLY-libssh.txt b/tests/outputs/GOST-ONLY-libssh.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/GOST-ONLY-nss.txt b/tests/outputs/GOST-ONLY-nss.txt
new file mode 100644
index 0000000..bf6f1ca
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-nss.txt
@@ -0,0 +1,6 @@
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=ALL allow=tls-version-min=tls1.0:dtls-version-min=0:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+
+
diff --git a/tests/outputs/GOST-ONLY-openssh.txt b/tests/outputs/GOST-ONLY-openssh.txt
new file mode 100644
index 0000000..89e06ad
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-openssh.txt
@@ -0,0 +1,2 @@
+GSSAPIKeyExchange no
+RequiredRSASize 2048
diff --git a/tests/outputs/GOST-ONLY-opensshserver.txt b/tests/outputs/GOST-ONLY-opensshserver.txt
new file mode 100644
index 0000000..89e06ad
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-opensshserver.txt
@@ -0,0 +1,2 @@
+GSSAPIKeyExchange no
+RequiredRSASize 2048
diff --git a/tests/outputs/GOST-ONLY-openssl.txt b/tests/outputs/GOST-ONLY-openssl.txt
new file mode 100644
index 0000000..abeab8c
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-openssl.txt
@@ -0,0 +1 @@
+@SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
diff --git a/tests/outputs/GOST-ONLY-openssl_fips.txt b/tests/outputs/GOST-ONLY-openssl_fips.txt
new file mode 100644
index 0000000..c69d6e1
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-openssl_fips.txt
@@ -0,0 +1,4 @@
+
+[fips_sect]
+tls1-prf-ems-check = 1
+activate = 1
diff --git a/tests/outputs/GOST-ONLY-opensslcnf.txt b/tests/outputs/GOST-ONLY-opensslcnf.txt
new file mode 100644
index 0000000..c5c1f47
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-opensslcnf.txt
@@ -0,0 +1,18 @@
+CipherString = @SECLEVEL=2:kGOST:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = GOST2012-GOST8912-GOST8912
+TLS.MinProtocol = TLSv1
+TLS.MaxProtocol = TLSv1.3
+SignatureAlgorithms =
+Groups =
+
+[openssl_init]
+engines = engine_gost
+
+[engine_gost]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = /usr/lib64/engines-3/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
diff --git a/tests/outputs/GOST-ONLY-rpm-sequoia.txt b/tests/outputs/GOST-ONLY-rpm-sequoia.txt
new file mode 100644
index 0000000..3ec0b96
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-rpm-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "never"
+sha1.second_preimage_resistance = "never"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "never"
+sha224.second_preimage_resistance = "never"
+sha256.collision_resistance = "never"
+sha256.second_preimage_resistance = "never"
+sha384.collision_resistance = "never"
+sha384.second_preimage_resistance = "never"
+sha512.collision_resistance = "never"
+sha512.second_preimage_resistance = "never"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "never"
+aes192 = "never"
+aes256 = "never"
+twofish = "never"
+camellia128 = "never"
+camellia192 = "never"
+camellia256 = "never"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "never"
+rsa3072 = "never"
+rsa4096 = "never"
+dsa1024 = "never"
+dsa2048 = "never"
+dsa3072 = "never"
+dsa4096 = "never"
+nistp256 = "never"
+nistp384 = "never"
+nistp521 = "never"
+cv25519 = "never"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
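Review bot: Every hash, symmetric and asymmetric algorithm here is `"never"` and all three `default_disposition` values are `"never"`, so rpm-sequoia can accept no OpenPGP signature at all: every signed package fails verification under this policy, and whether that blocks installs or merely leaves them unverified depends on rpm's signature-checking configuration. Either way the policy removes package-signature verification as a security control, which should be stated in the policy's documentation (outside this chunk), e.g. `# rpm-sequoia: no GOST OpenPGP algorithms are available; package signatures cannot be verified under this policy`. GOST-ONLY-sequoia.txt is byte-identical (same blob index).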
diff --git a/tests/outputs/GOST-ONLY-sequoia.txt b/tests/outputs/GOST-ONLY-sequoia.txt
new file mode 100644
index 0000000..3ec0b96
--- /dev/null
+++ b/tests/outputs/GOST-ONLY-sequoia.txt
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "never"
+sha1.second_preimage_resistance = "never"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "never"
+sha224.second_preimage_resistance = "never"
+sha256.collision_resistance = "never"
+sha256.second_preimage_resistance = "never"
+sha384.collision_resistance = "never"
+sha384.second_preimage_resistance = "never"
+sha512.collision_resistance = "never"
+sha512.second_preimage_resistance = "never"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "never"
+aes192 = "never"
+aes256 = "never"
+twofish = "never"
+camellia128 = "never"
+camellia192 = "never"
+camellia256 = "never"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "never"
+rsa3072 = "never"
+rsa4096 = "never"
+dsa1024 = "never"
+dsa2048 = "never"
+dsa3072 = "never"
+dsa4096 = "never"
+nistp256 = "never"
+nistp384 = "never"
+nistp521 = "never"
+cv25519 = "never"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
diff --git a/tests/outputs/LEGACY-auth.txt b/tests/outputs/LEGACY-auth.txt
new file mode 100644
index 0000000..e69de29
diff --git a/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt b/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt
new file mode 100644
index 0000000..e69de29
--
2.39.3