asda?‰PNG  IHDR ? f ??C1 sRGB ??é gAMA ±? üa pHYs ? ??o¨d GIDATx^íüL”÷e÷Y?a?("Bh?_ò???¢§?q5k?*:t0A-o??¥]VkJ¢M??f?±8\k2íll£1]q?ù???T PKեe[AzKK FIPS/java.txtnu[jdk.tls.ephemeralDHKeySize=2048 jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 jdk.tls.legacyAlgorithms= PKեe[`9 FIPS/krb5.txtnu[[libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 PKեe[sggFIPS/libreswan.txtnu[conn %default ikev2=insist pfs=yes ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18 esp=aes_gcm256,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 PKեe[J=@SSFIPS/opensslcnf.txtnu[CipherString = @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-CHACHA20:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 TLS.MinProtocol = TLSv1.2 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224PKեe[ʀmVVFIPS/openssh.txtnu[Ciphers 
aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 GSSAPIKeyExchange no KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512 PKեe[9ypp FIPS/nss.txtnu[library= name=Policy NSS=flags=policyOnly,moduleDB config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" PKեe[ȄFIPS/openssl.txtnu[@SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-CHACHA20:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8PKեe[aFIPS/libssh.txtnu[Ciphers aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 HostKeyAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com PKեe[," FIPS/bind.txtnu[disable-algorithms "." { RSAMD5; ECCGOST; RSASHA1; NSEC3RSASHA1; DSA; NSEC3DSA; ED25519; ED448; }; disable-ds-digests "." { SHA-1; GOST; }; PKեe[e%^FIPS/gnutls.txtnu[SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-X448:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:+CIPHER-ALL:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM PKեe[$jFIPS/opensshserver.txtnu[CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 
-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512'PKեe[,reload-cmds.shnu[systemctl try-reload-or-restart bind.service 2>/dev/null || : systemctl try-restart ipsec.service 2>/dev/null || : systemctl try-restart sshd.service 2>/dev/null || : PKեe[ȗJ٨default-confignu[# This file should contain a single keyword, the crypto policy to # be applied by default to applications. The available policies are # restricted to the following profiles. # # * LEGACY: Ensures maximum compatibility with legacy systems (64-bit # security). # # * DEFAULT: A reasonable default for today's standards (112-bit security). # # * FUTURE: A policy to provide security on a conservative level that is # believed to withstand any near-term future attacks (128-bit security). # # * FIPS: Policy that enables only FIPS 140 approved or allowed algorithms. # # After modifying this file, you need to run update-crypto-policies # for the changes to propagate. 
# DEFAULT PKեe[3ͅDEFAULT/java.txtnu[jdk.tls.ephemeralDHKeySize=2048 jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 jdk.tls.legacyAlgorithms= PKեe[DDEFAULT/krb5.txtnu[[libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac PKեe[)DEFAULT/libreswan.txtnu[conn %default ikev2=insist pfs=yes ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18 esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 PKեe[OY߇DEFAULT/opensslcnf.txtnu[CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 TLS.MinProtocol = TLSv1.2 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1PKեe[/0DEFAULT/openssh.txtnu[Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc MACs 
hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa PKեe[KnDEFAULT/nss.txtnu[library= name=Policy NSS=flags=policyOnly,moduleDB config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" PKեe[DEFAULT/openssl.txtnu[@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8PKեe[յ,,DEFAULT/libssh.txtnu[Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc MACs 
hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com PKեe[0A^^DEFAULT/bind.txtnu[disable-algorithms "." { RSAMD5; ECCGOST; DSA; NSEC3DSA; }; disable-ds-digests "." 
{ GOST; }; PKեe[kHDEFAULT/gnutls.txtnu[SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM PKեe[,BDEFAULT/opensshserver.txtnu[CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com 
-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'PKեe[{ѻpZZ!policies/modules/NO-CAMELLIA.pmodnu[# This is an example policy dropping the Camellia support altogether cipher = -CAMELLIA-* PKեe[9{{policies/modules/NO-SHA1.pmodnu[# This is an example subpolicy dropping the SHA1 hash and signature support hash = -SHA1 sign = -*-SHA1 sha1_in_certs = 0 PKեe[BB policies/modules/AD-SUPPORT.pmodnu[# AD-SUPPORT policy module is intended to be used in Active Directory # environments where either accounts or trusted domain objects were not yet # migrated to AES or future encryption types. Active Directory implicitly # requires RC4 encryption in Kerberos by default. cipher@kerberos = RC4-128+ mac@kerberos = HMAC-MD5+ PKեe[R;yy policies/modules/ECDHE-ONLY.pmodnu[# This is an example of policy module enforcing ECDHE and ECDHE with PSK # key exchanges key_exchange = ECDHE ECDHE-PSK PKեe[Bpolicies/modules/OSPP.pmodnu[# Restrict FIPS policy for the Common Criteria OSPP profile. 
# SSH (upper limit) # Ciphers: aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc, aes128-gcm@openssh.com, aes256-gcm@openssh.com # PubkeyAcceptedKeyTypes: rsa-sha2-256, rsa‑sha2‑512, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 # MACs: hmac-sha2-256, hmac-sha2-512, implicit for aes128-gcm@openssh.com, aes256-gcm@openssh.com # KexAlgorithms: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512 # TLS ciphers (suggested minimal set for openssl) # * TLS_RSA_WITH_AES_128_CBC_SHA - excluded by FIPS, uses RSA key exchange # * TLS_RSA_WITH_AES_256_CBC_SHA - excluded by FIPS, uses RSA key exchange # * TLS_RSA_WITH_AES_128_CBC_SHA256 - excluded by FIPS, uses RSA key exchange # * TLS_RSA_WITH_AES_256_CBC_SHA256 - excluded by FIPS, uses RSA key exchange # * TLS_RSA_WITH_AES_128_GCM_SHA256 - excluded by FIPS, uses RSA key exchange # * TLS_RSA_WITH_AES_256_GCM_SHA384 - excluded by FIPS, uses RSA key exchange # * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 # * TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 # * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 # * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 # * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 # * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 # * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - disabled in openssl itself # * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 # * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 # * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 # * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - disabled in openssl itself # * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # Supported Groups Extension in ClientHello: secp256r1, secp384r1, secp521r1 mac = -HMAC-SHA1 # see above, both SSH and TLS ended up not using it hash = -SHA2-224 -SHA3-* sign = -*-SHA2-224 cipher = -AES-*-CCM cipher@!{ssh,tls} = -AES-*-CTR ssh_certs = 0 ssh_etm = 0 protocol@TLS = -TLS1.3 arbitrary_dh_groups = 0 PKեe[policies/FIPS.polnu[# Only FIPS approved or allowed algorithms. 
It does not provide FIPS compliace # by itself, the FIPS validated crypto modules must be properly installed # and the machine must be booted into the FIPS mode. # MACs: all HMAC with SHA1 or better # Curves: all prime >= 256 bits # Signature algorithms: with SHA224 hash or better (no DSA) # TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, including AES-CBC) # non-TLS Ciphers: same # key exchange: ECDHE, RSA, DHE (no DHE-DSS) # DH params size: >= 2048 # RSA params size: >= 2048 # TLS protocols: TLS >= 1.2, DTLS >= 1.2 mac = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512 mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1 group = SECP256R1 SECP384R1 SECP521R1 \ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 sign = ECDSA-SHA3-256 ECDSA-SHA2-256 \ ECDSA-SHA3-384 ECDSA-SHA2-384 \ ECDSA-SHA3-512 ECDSA-SHA2-512 \ RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 \ RSA-SHA3-256 RSA-SHA2-256 \ RSA-SHA3-384 RSA-SHA2-384 \ RSA-SHA3-512 RSA-SHA2-512 \ ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 cipher = AES-256-GCM AES-256-CCM AES-256-CTR AES-256-CBC \ AES-128-GCM AES-128-CCM AES-128-CTR AES-128-CBC cipher@TLS = AES-256-GCM AES-256-CCM AES-256-CBC \ AES-128-GCM AES-128-CCM AES-128-CBC key_exchange = ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK protocol@TLS = TLS1.3 TLS1.2 DTLS1.2 protocol@IKE = IKEv2 # Parameter sizes min_dh_size = 2048 min_dsa_size = 2048 min_rsa_size = 2048 # GnuTLS only for now sha1_in_certs = 0 arbitrary_dh_groups = 1 ssh_certs = 1 ssh_etm = 1 PKեe[66policies/FUTURE.polnu[# A level that will provide security on a conservative level that is # believed to withstand any near-term future attacks. And also provide # some (not complete) preparation for post quantum encryption support # in form of 256 bit symmetric encryption requirement. # It provides at least an 128-bit security. 
This level may prevent # communication with many used systems that provide weaker security levels # (e.g., systems that use SHA-1 as signature algorithm). # MACs: all HMAC with SHA256 or better + all modern MACs (Poly1305 etc) # Curves: all prime >= 255 bits (including Bernstein curves) # Signature algorithms: with SHA-256 hash or better (no DSA) # TLS Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated Encryption (AE) ciphers, no CBC ciphers # non-TLS Ciphers: same as TLS Ciphers with added non AE ciphers, CBC only for Kerberos # key exchange: ECDHE, DHE (no DHE-DSS) # DH params size: >= 3072 # RSA params size: >= 3072 # TLS protocols: TLS >= 1.2, DTLS >= 1.2 mac = AEAD HMAC-SHA2-256 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512 mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \ FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 sign = ECDSA-SHA3-256 ECDSA-SHA2-256 \ ECDSA-SHA3-384 ECDSA-SHA2-384 \ ECDSA-SHA3-512 ECDSA-SHA2-512 \ EDDSA-ED25519 EDDSA-ED448 \ RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 \ RSA-SHA3-256 RSA-SHA2-256 \ RSA-SHA3-384 RSA-SHA2-384 \ RSA-SHA3-512 RSA-SHA2-512 cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM \ AES-256-CTR cipher@Kerberos = AES-256-CBC+ CAMELLIA-256-CBC+ cipher@TLS = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 key_exchange = ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS protocol@TLS = TLS1.3 TLS1.2 DTLS1.2 protocol@IKE = IKEv2 # Parameter sizes min_dh_size = 3072 min_dsa_size = 3072 min_rsa_size = 3072 # GnuTLS only for now sha1_in_certs = 0 arbitrary_dh_groups = 1 ssh_certs = 1 ssh_etm = 1 PKեe[}sr  policies/EMPTY.polnu[# Just an empty policy for testing mac = group = hash = sign = cipher = key_exchange = #protocol = # Parameter sizes min_dh_size = 0 min_dsa_size = 0 min_rsa_size = 0 # GnuTLS only for now sha1_in_certs = 0 arbitrary_dh_groups = 0 ssh_certs = 0 
ssh_etm = 0 PKեe[Aiipolicies/DEFAULT.polnu[# A reasonable default for today's standards. It should provide # 112-bit security with the exception of SHA1 signatures needed for DNSSec # and other still prevalent legacy use of SHA1 signatures. # MACs: all HMAC with SHA1 or better + all modern MACs (Poly1305 etc) # Curves: all prime >= 255 bits (including Bernstein curves) # Signature algorithms: with SHA-1 hash or better (no DSA) # TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20, including AES-CBC) # non-TLS Ciphers: as TLS Ciphers with added Camellia # key exchange: ECDHE, RSA, DHE (no DHE-DSS) # DH params size: >= 2048 # RSA params size: >= 2048 # TLS protocols: TLS >= 1.2, DTLS >= 1.2 mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512 mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1 group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1 sign = ECDSA-SHA3-256 ECDSA-SHA2-256 \ ECDSA-SHA3-384 ECDSA-SHA2-384 \ ECDSA-SHA3-512 ECDSA-SHA2-512 \ EDDSA-ED25519 EDDSA-ED448 \ RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 \ RSA-SHA3-256 RSA-SHA2-256 \ RSA-SHA3-384 RSA-SHA2-384 \ RSA-SHA3-512 RSA-SHA2-512 \ ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 \ ECDSA-SHA1 RSA-PSS-SHA1 RSA-SHA1 cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM \ AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM \ CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC cipher@TLS = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC \ AES-128-GCM AES-128-CCM AES-128-CBC # 'RSA' is intentionally before DHE ciphersuites, as the DHE ciphersuites have # interoperability issues in TLS. 
key_exchange = ECDHE RSA DHE DHE-RSA PSK DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS protocol@TLS = TLS1.3 TLS1.2 DTLS1.2 protocol@IKE = IKEv2 # Parameter sizes min_dh_size = 2048 min_dsa_size = 2048 min_rsa_size = 2048 # GnuTLS only for now sha1_in_certs = 1 arbitrary_dh_groups = 1 ssh_certs = 1 ssh_etm = 1 PKեe[V'G policies/LEGACY.polnu[# Provides settings for ensuring maximum compatibility with legacy systems. # This policy is less secure and intended to be a easy way to switch system # to be compatible with older systems. # It should provide at least 64-bit security and include RC4 and 3DES. # MACs: all HMAC with SHA1 or better + all modern MACs (Poly1305 etc) # Curves: all prime >= 255 bits (including Bernstein curves) # Signature algorithms: with SHA-1 hash or better (DSA allowed) # TLS Ciphers: all available > 112-bit key, >= 128-bit block (including RC4 and 3DES) # non-TLS Ciphers: as TLS Ciphers with added Camellia # key exchange: ECDHE, RSA, DHE # DH params size: >= 1023 # RSA params size: >= 1023 # DSA params size: >= 1023 # TLS protocols: TLS >= 1.0 DTLS >= 1.0 mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512 mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512 HMAC-SHA1 group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 FFDHE-1536 group@SSH = FFDHE-1024+ hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1 sign = ECDSA-SHA3-256 ECDSA-SHA2-256 \ ECDSA-SHA3-384 ECDSA-SHA2-384 \ ECDSA-SHA3-512 ECDSA-SHA2-512 \ EDDSA-ED25519 EDDSA-ED448 \ RSA-PSS-SHA2-256 RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 \ RSA-SHA3-256 RSA-SHA2-256 \ RSA-SHA3-384 RSA-SHA2-384 \ RSA-SHA3-512 RSA-SHA2-512 \ ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 \ DSA-SHA2-256 DSA-SHA2-384 DSA-SHA2-512 DSA-SHA2-224 \ DSA-SHA3-256 DSA-SHA3-384 DSA-SHA3-512 \ ECDSA-SHA1 RSA-PSS-SHA1 RSA-SHA1 DSA-SHA1 cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM \ AES-256-CTR AES-256-CBC 
CAMELLIA-256-CBC AES-128-GCM AES-128-CCM \ CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC \ 3DES-CBC RC4-128 cipher@TLS = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC \ AES-128-GCM AES-128-CCM AES-128-CBC 3DES-CBC RC4-128 # 'RSA' is intentionally before DHE ciphersuites, as the DHE ciphersuites have # interoperability issues in TLS. key_exchange = ECDHE RSA DHE DHE-RSA DHE-DSS PSK DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 DTLS1.2 DTLS1.0 protocol@IKE = IKEv2 # Parameter sizes min_dh_size = 1023 min_dsa_size = 1023 min_rsa_size = 1023 # GnuTLS only for now sha1_in_certs = 1 arbitrary_dh_groups = 1 ssh_certs = 1 ssh_etm = 1 PKեe[3EMPTY/java.txtnu[jdk.tls.ephemeralDHKeySize=0 jdk.certpath.disabledAlgorithms=MD2, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512, SHA224, SHA1, MD5, DSA, RSA keySize < 0 jdk.tls.disabledAlgorithms=DH keySize < 0, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, ECDHE, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD5 jdk.tls.legacyAlgorithms= PKեe[$$EMPTY/krb5.txtnu[[libdefaults] permitted_enctypes = PKեe[)EMPTY/libreswan.txtnu[conn %default pfs=yes PKեe[eSEMPTY/opensslcnf.txtnu[CipherString = @SECLEVEL=0:-kPSK:-kDHEPSK:-kECDHEPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = SignatureAlgorithms = PKեe[n>EMPTY/openssh.txtnu[GSSAPIKeyExchange no PKեe[/'ɓ EMPTY/nss.txtnu[library= name=Policy 
NSS=flags=policyOnly,moduleDB config="disallow=ALL allow=tls-version-min=0:dtls-version-min=0:DH-MIN=0:DSA-MIN=0:RSA-MIN=0" PKեe[aEMPTY/openssl.txtnu[@SECLEVEL=0:-kPSK:-kDHEPSK:-kECDHEPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8PKեe[EMPTY/libssh.txtnu[PKեe[ǫ?EMPTY/bind.txtnu[disable-algorithms "." { RSAMD5; ECCGOST; RSASHA1; NSEC3RSASHA1; DSA; NSEC3DSA; RSASHA256; ECDSAP256SHA256; ECDSAP384SHA384; RSASHA512; ED25519; ED448; ECDSAP256SHA256; ECDSAP384SHA384; }; disable-ds-digests "." { SHA-256; SHA-384; SHA-1; GOST; }; PKեe[Q**EMPTY/gnutls.txtnu[SYSTEM=NONE:+COMP-NULL:%PROFILE_VERY_WEAK PKեe[Q&Q&&EMPTY/opensshserver.txtnu[CRYPTO_POLICY='-oGSSAPIKeyExchange=no'PKեe[6ּFUTURE/java.txtnu[jdk.tls.ephemeralDHKeySize=3072 jdk.certpath.disabledAlgorithms=MD2, SHA224, SHA1, MD5, DSA, RSA keySize < 3072 jdk.tls.disabledAlgorithms=DH keySize < 3072, TLSv1.1, TLSv1, SSLv3, SSLv2, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5 jdk.tls.legacyAlgorithms= PKեe[kkFUTURE/krb5.txtnu[[libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 camellia256-cts-cmac pkinit_dh_min_bits=4096 PKեe[1DFUTURE/libreswan.txtnu[conn %default ikev2=insist pfs=yes ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18 esp=aes_gcm256,chacha20_poly1305 PKեe[N./>DDFUTURE/opensslcnf.txtnu[CipherString = 
@SECLEVEL=3:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-AES128:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 TLS.MinProtocol = TLSv1.2 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512PKեe[5qFUTURE/openssh.txtnu[Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr MACs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512 GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group16-sha512- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 PKեe[df[[FUTURE/nss.txtnu[library= name=Policy NSS=flags=policyOnly,moduleDB config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072" 
PKեe[KJFUTURE/openssl.txtnu[@SECLEVEL=3:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-AES128:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8PKեe[^))FUTURE/libssh.txtnu[Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com PKեe[#>||FUTURE/bind.txtnu[disable-algorithms "." { RSAMD5; ECCGOST; RSASHA1; NSEC3RSASHA1; DSA; NSEC3DSA; }; disable-ds-digests "." 
{ SHA-1; GOST; }; PKեe[)FUTURE/gnutls.txtnu[SYSTEM=NONE:+MAC-ALL:-SHA1:-MD5:+GROUP-ALL:-GROUP-FFDHE2048:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-RSA-SHA224:-SIGN-DSA-SHA224:-SIGN-ECDSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+CIPHER-ALL:-AES-128-GCM:-AES-128-CCM:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-AES-256-CBC:-AES-128-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_HIGH PKեe[@@FUTURE/opensshserver.txtnu[CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr -oMACs=hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group16-sha512- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com 
-oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512'PKեe[=eeLEGACY/java.txtnu[jdk.tls.ephemeralDHKeySize=1023 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1023 jdk.tls.disabledAlgorithms=DH keySize < 1023, SSLv3, SSLv2, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, DES_CBC, RC4_40, DES40_CBC, RC2, HmacMD5 jdk.tls.legacyAlgorithms=3DES_EDE_CBC, RC4_128 PKեe[DLEGACY/krb5.txtnu[[libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac PKեe[O7ALEGACY/libreswan.txtnu[conn %default ikev2=insist pfs=yes ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18+dh5,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18+dh5,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18+dh5,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18+dh5,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18+dh5 esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 PKեe[QULEGACY/opensslcnf.txtnu[CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 TLS.MinProtocol = TLSv1 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1PKեe[\sKKLEGACY/openssh.txtnu[Ciphers 
aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss PKեe[}hjLEGACY/nss.txtnu[library= name=Policy NSS=flags=policyOnly,moduleDB config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023" PKեe[ G}}LEGACY/openssl.txtnu[@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8PKեe[_亪LEGACY/libssh.txtnu[Ciphers 
aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com PKեe[\zOOLEGACY/bind.txtnu[disable-algorithms "." { RSAMD5; ECCGOST; }; disable-ds-digests "." 
{ GOST; }; PKեe[ZOOLEGACY/gnutls.txtnu[SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:+SIGN-RSA-SHA1:+SIGN-DSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:+3DES-CBC:+ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:+COMP-NULL:%PROFILE_LOW PKեe[WLEGACY/opensshserver.txtnu[CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com 
-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss'PKեe[)0!0! python/update-crypto-policies.pynuȯ#!/usr/libexec/platform-python # SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. # Copyright (c) 2019 Tomáš Mráz import sys import argparse import os import subprocess from tempfile import mkstemp import glob import warnings import cryptopolicies import cryptopolicies.validation import policygenerators warnings.formatwarning = lambda msg, category, *a, **kwa: \ f'{category.__name__}: {str(msg).capitalize()}\n' DEFAULT_PROFILE_DIR = '/usr/share/crypto-policies' DEFAULT_BASE_DIR = '/etc/crypto-policies' RELOAD_CMD_NAME = 'reload-cmds.sh' FIPS_MODE_FLAG = '/proc/sys/crypto/fips_enabled' def eprint(*args, **kwargs): print(*args, file=sys.stderr, **kwargs) try: profile_dir = os.environ['profile_dir'] cryptopolicies.UnscopedCryptoPolicy.SHARE_DIR = profile_dir except KeyError: profile_dir = DEFAULT_PROFILE_DIR try: base_dir = os.environ['base_dir'] cryptopolicies.UnscopedCryptoPolicy.CONFIG_DIR = base_dir except KeyError: base_dir = DEFAULT_BASE_DIR local_dir = os.path.join(base_dir, 'local.d') backend_config_dir = os.path.join(base_dir, 'back-ends') state_dir = os.path.join(base_dir, 'state') reload_cmd_path = os.path.join(profile_dir, RELOAD_CMD_NAME) def parse_args(): "Parse the command line" parser = argparse.ArgumentParser(allow_abbrev=False) group = parser.add_mutually_exclusive_group() group.add_argument('--set', nargs='?', default='', 
metavar='POLICY', help='set the policy POLICY') group.add_argument('--show', action='store_true', help='show the current policy from the configuration') group.add_argument('--is-applied', action='store_true', help='check whether the current policy is applied') parser.add_argument('--no-check', action='store_true', help=argparse.SUPPRESS) parser.add_argument('--no-reload', action='store_true', help='do not run the reload scripts when setting a policy') return parser.parse_args() def is_applied(): try: time1 = os.stat(os.path.join(state_dir, 'current')).st_mtime time2 = os.stat(os.path.join(base_dir, 'config')).st_mtime except OSError: sys.exit(77) if time1 >= time2: print("The configured policy is applied") sys.exit(0) print("The configured policy is NOT applied") sys.exit(1) def setup_directories(): try: os.makedirs(backend_config_dir) os.makedirs(state_dir) except OSError: pass def fips_mode(): try: with open(FIPS_MODE_FLAG) as f: return int(f.read()) > 0 except OSError: return False def safe_write(directory, filename, contents): (fd, path) = mkstemp(prefix=filename, dir=directory) os.write(fd, bytes(contents, 'utf-8')) os.fsync(fd) os.fchmod(fd, 0o644) try: os.rename(path, os.path.join(directory, filename)) except OSError as e: os.unlink(path) os.close(fd) raise e finally: os.close(fd) def safe_symlink(directory, filename, target): (fd, path) = mkstemp(prefix=filename, dir=directory) os.close(fd) os.unlink(path) os.symlink(target, path) try: os.rename(path, os.path.join(directory, filename)) except OSError as e: os.unlink(path) raise e def save_config(pconfig, cfgname, cfgdata, cfgdir, localdir, profiledir, policy_was_empty): local_cfg_path = os.path.join(localdir, cfgname + '-*.config') local_cfgs = sorted(glob.glob(local_cfg_path)) local_cfg_present = False for lcfg in local_cfgs: if os.path.exists(lcfg): local_cfg_present = True profilepath = os.path.join(profiledir, str(pconfig), cfgname + '.txt') profilepath_exists = os.access(profilepath, os.R_OK) if not 
local_cfg_present and profilepath_exists: safe_symlink(cfgdir, cfgname + '.config', profilepath) return if profilepath_exists and not pconfig.subpolicies and policy_was_empty: # special case: if the policy has no directives, has files on disk, # and no subpolicy is used, but local.d modifications are present, # we'll concatenate the externally supplied policy with local.d# we'll concatenate the externally supplied policy with local.d with open(profilepath) as f_pre: cfgdata = f_pre.read() safe_write(cfgdir, cfgname + '.config', cfgdata) if local_cfg_present: cfgfile = os.path.join(cfgdir, cfgname + '.config') for lcfg in local_cfgs: try: with open(lcfg, 'r') as lf: local_data = lf.read() except OSError: eprint("Cannot read local policy file " + cfgname) continue try: with open(cfgfile, 'a') as cf: cf.write(local_data) except OSError: eprint("Error applying local configuration to " + cfgname) class ProfileConfig: def __init__(self): self.policy = '' self.subpolicies = [] def parse_string(self, s, subpolicy=False): l = s.upper().split(':') if l[0] and not subpolicy: self.policy = l[0] l = l[1:] l = [i for i in l if l] if subpolicy: self.subpolicies.append(l) else: self.subpolicies = l def parse_file(self, filename): subpolicy = False with open(filename) as f: for line in f: line = line.split('#', 1)[0] line = line.strip() if line: self.parse_string(line, subpolicy) subpolicy = True def remove_subpolicies(self, s): l = s.upper().split(':') self.subpolicies = [i for i in self.subpolicies if i not in l] def __str__(self): s = self.policy subs = ':'.join(self.subpolicies) if subs: s = s + ':' + subs return s def show(self): print(str(self)) def main(): "The actual command implementation" cmdline = parse_args() if cmdline.is_applied: is_applied() sys.exit(0) err = 0 setup_directories() pconfig = ProfileConfig() set_config = False configfile = os.path.join(base_dir, 'config') if os.access(configfile, os.R_OK): pconfig.parse_file(configfile) elif fips_mode(): 
pconfig.parse_string('FIPS') else: pconfig.parse_file(os.path.join(profile_dir, 'default-config')) if cmdline.show: pconfig.show() sys.exit(0) profile = cmdline.set if profile: oldpolicy = pconfig.policy pconfig.parse_string(profile) set_config = True # FIPS profile is a special case if pconfig.policy != oldpolicy: if pconfig.policy == 'FIPS': eprint("Warning: Using 'update-crypto-policies --set FIPS' is not sufficient for") eprint(" FIPS compliance.") eprint(" Use 'fips-mode-setup --enable' command instead.") elif fips_mode(): eprint("Warning: Using 'update-crypto-policies --set' in FIPS mode will make the system") eprint(" non-compliant with FIPS.") eprint(" It can also break the ssh access to the system.") eprint(" Use 'fips-mode-setup --disable' to disable the system FIPS mode.") if base_dir == DEFAULT_BASE_DIR: if not os.geteuid() == 0: eprint("You must be root to run update-crypto-policies.") sys.exit(1) try: cp = cryptopolicies.UnscopedCryptoPolicy(pconfig.policy, *pconfig.subpolicies) except cryptopolicies.validation.PolicyFileNotFoundError as ex: eprint(ex) sys.exit(1) except cryptopolicies.validation.PolicySyntaxError as ex: eprint(f'Errors found in policy, first one: \n{ex}') sys.exit(1) print("Setting system policy to " + str(pconfig)) generators = [g for g in dir(policygenerators) if 'Generator' in g] for g in generators: cls = policygenerators.__dict__[g] gen = cls() try: config = gen.generate_config(cp.scoped(gen.SCOPES)) except LookupError: eprint('Error generating config for ' + gen.CONFIG_NAME) eprint('Keeping original configuration') err = 1 try: save_config(pconfig, gen.CONFIG_NAME, config, backend_config_dir, local_dir, profile_dir, policy_was_empty=cp.is_empty()) except OSError: eprint('Error saving config for ' + gen.CONFIG_NAME) eprint('Keeping original configuration') err = 1 if set_config: try: safe_write(base_dir, 'config', str(pconfig) + '\n') except OSError: eprint('Error setting the current policy configuration') err = 3 try: 
safe_write(state_dir, 'current', str(pconfig) + '\n') except OSError: eprint('Error updating current policy marker') err = 2 try: safe_write(state_dir, 'CURRENT.pol', str(cp)) except OSError: eprint('Error updating current policy dump') err = 2 print("Note: System-wide crypto policies are applied on application start-up.") print("It is recommended to restart the system for the change of policies") print("to fully take place.") if not cmdline.no_reload: subprocess.call(['/bin/bash', reload_cmd_path]) sys.exit(err) # Entry point if __name__ == "__main__": main() PKեe[:E6.."python/cryptopolicies/alg_lists.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. # Copyright (c) 2019 Tomáš Mráz """ Lists of algorithms and globbing among them. """ import fnmatch from . import validation ALL_CIPHERS = ( 'AES-256-GCM', 'AES-256-CCM', 'AES-192-GCM', 'AES-192-CCM', 'AES-128-GCM', 'AES-128-CCM', 'CHACHA20-POLY1305', 'CAMELLIA-256-GCM', 'CAMELLIA-128-GCM', 'AES-256-CTR', 'AES-256-CBC', 'AES-192-CTR', 'AES-192-CBC', 'AES-128-CTR', 'AES-128-CBC', 'CAMELLIA-256-CBC', 'CAMELLIA-128-CBC', '3DES-CBC', 'DES-CBC', 'RC4-40', 'RC4-128', 'DES40-CBC', 'RC2-CBC', 'IDEA-CBC', 'SEED-CBC', 'NULL', ) ALL_MACS = ( 'AEAD', 'UMAC-128', 'HMAC-SHA1', 'HMAC-SHA2-256', 'HMAC-SHA2-384', 'HMAC-SHA2-512', 'UMAC-64', 'HMAC-MD5', ) ALL_HASHES = ( 'SHA2-256', 'SHA2-384', 'SHA2-512', 'SHA3-256', 'SHA3-384', 'SHA3-512', 'SHA2-224', 'SHA1', 'MD5', 'GOST', ) # we disable curves <= 256 bits by default in Fedora ALL_GROUPS = ( 'X25519', 'SECP256R1', 'SECP384R1', 'SECP521R1', 'X448', 'FFDHE-1536', 'FFDHE-2048', 'FFDHE-3072', 'FFDHE-4096', 'FFDHE-6144', 'FFDHE-8192', 'FFDHE-1024', ) ALL_SIGN = ( 'RSA-MD5', 'RSA-SHA1', 'DSA-SHA1', 'ECDSA-SHA1', 'RSA-SHA2-224', 'DSA-SHA2-224', 'ECDSA-SHA2-224', 'RSA-SHA2-256', 'DSA-SHA2-256', 'ECDSA-SHA2-256', 'ECDSA-SHA2-256-FIDO', 'RSA-SHA2-384', 'DSA-SHA2-384', 'ECDSA-SHA2-384', 'RSA-SHA2-512', 'DSA-SHA2-512', 'ECDSA-SHA2-512', 'RSA-SHA3-256', 
'DSA-SHA3-256', 'ECDSA-SHA3-256', 'RSA-SHA3-384', 'DSA-SHA3-384', 'ECDSA-SHA3-384', 'RSA-SHA3-512', 'DSA-SHA3-512', 'ECDSA-SHA3-512', 'EDDSA-ED25519', 'EDDSA-ED25519-FIDO', 'EDDSA-ED448', 'RSA-PSS-SHA1', 'RSA-PSS-SHA2-224', 'RSA-PSS-SHA2-256', 'RSA-PSS-SHA2-384', 'RSA-PSS-SHA2-512', 'RSA-PSS-RSAE-SHA1', 'RSA-PSS-RSAE-SHA2-224', 'RSA-PSS-RSAE-SHA2-256', 'RSA-PSS-RSAE-SHA2-384', 'RSA-PSS-RSAE-SHA2-512', ) ALL_KEY_EXCHANGES = ( 'PSK', 'DHE-PSK', 'ECDHE-PSK', 'ECDHE', 'RSA', 'DHE', 'DHE-RSA', 'DHE-DSS', 'EXPORT', 'ANON', 'DH', 'ECDH', 'DHE-GSS', 'ECDHE-GSS', ) # Order matters, see preprocess_text TLS_PROTOCOLS = ('TLS1.3', 'TLS1.2', 'TLS1.1', 'TLS1.0', 'SSL3.0', 'SSL2.0') DTLS_PROTOCOLS = ('DTLS1.2', 'DTLS1.0', 'DTLS0.9') IKE_PROTOCOLS = ('IKEv2', 'IKEv1') ALL_PROTOCOLS = TLS_PROTOCOLS + DTLS_PROTOCOLS + IKE_PROTOCOLS ALL = { 'cipher': ALL_CIPHERS, 'group': ALL_GROUPS, 'hash': ALL_HASHES, 'key_exchange': ALL_KEY_EXCHANGES, 'mac': ALL_MACS, 'protocol': ALL_PROTOCOLS, 'sign': ALL_SIGN, } def glob(pattern, alg_class): """ Lists algorithms matching a glob, in order of appearance in ALL[alg_class]. 
For more examples, refer to tests/unit/parsing/test_alg_lists.py >>> glob('RC4-*', 'cipher') ['RC4-40', 'RC4-128'] """ if alg_class not in ALL: raise validation.alg_lists.AlgorithmClassUnknownError(alg_class) r = fnmatch.filter(ALL[alg_class], pattern) if not r: raise validation.alg_lists.AlgorithmEmptyMatchError(pattern, alg_class) return r def earliest_occurrence(needles, ordered_haystack): """ >>> earliest_occurrence('test', 'abcdefghijklmnopqrstuvwxyz') 'e' """ intersection = [n for n in needles if n in ordered_haystack] if not intersection: return None indices = (ordered_haystack.index(n) for n in intersection) return ordered_haystack[min(indices)] def min_tls_version(versions): """ >>> min_tls_version(['SSL3.0', 'TLS1.2']) 'SSL3.0' """ return earliest_occurrence(versions, TLS_PROTOCOLS[::-1]) def min_dtls_version(versions): """ >>> min_dtls_version(['DTLS1.2', 'DTLS1.0']) 'DTLS1.0' """ return earliest_occurrence(versions, DTLS_PROTOCOLS[::-1]) def max_tls_version(versions): """ >>> max_tls_version(['SSL3.0', 'TLS1.2']) 'TLS1.2' """ return earliest_occurrence(versions, TLS_PROTOCOLS) def max_dtls_version(versions): """ >>> max_dtls_version(['DTLS1.2', 'DTLS1.0']) 'DTLS1.2' """ return earliest_occurrence(versions, DTLS_PROTOCOLS) PKեe[c-python/cryptopolicies/validation/alg_lists.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2021 Red Hat, Inc. 
from .general import PolicySyntaxError class AlgorithmClassSyntaxError(PolicySyntaxError): pass class AlgorithmClassUnknownError(AlgorithmClassSyntaxError): def __init__(self, alg_class): # The wording follows the previous versions super().__init__(f'Unknown policy property: `{alg_class}`') class AlgorithmEmptyMatchError(AlgorithmClassSyntaxError): def __init__(self, glob, alg_class): # The wording follows the previous versions super().__init__(f'Bad value of policy property `{alg_class}`: ' f'`{glob}`') PKեe['_ɐ)python/cryptopolicies/validation/rules.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2021 Red Hat, Inc. from .general import PolicySyntaxError class MalformedLine(PolicySyntaxError): def __init__(self, line): super().__init__(f'malformed line `{line}`') class MixedDifferentialNonDifferentialError(PolicySyntaxError): def __init__(self, rhs): super().__init__('cannot initialize list and modify it at once ' f'(`{rhs}`)') class IntPropertyNonIntValueError(PolicySyntaxError): def __init__(self, int_property_name): # wording follows previous versions super().__init__(f'Bad value of policy property `{int_property_name}`:' ' value must be an integer') class NonIntPropertyIntValueError(PolicySyntaxError): def __init__(self, alg_class): # wording follows previous versions super().__init__(f'Bad value of policy property `{alg_class}`:' ' value must not be an integer') def count_equals_signs(line): if line.count('=') != 1: raise MalformedLine(line) def empty_lhs(lhs, line): if not lhs: raise MalformedLine(line) PKեe[sPKեe[Xǭ Apython/cryptopolicies/validation/__pycache__/scope.cpython-36.pycnu[3 ."d@sddlZddlmZGdddeZGdddeZGdd d eZGd d d eZGd d d eZGdddeZGdddeZ ddZ ddZ ddZ dS)N)PolicySyntaxErrorc@s eZdZdS)ScopeSyntaxErrorN)__name__ __module__ __qualname__rrE./usr/share/crypto-policies/python/cryptopolicies/validation/scope.pyr srcseZdZfddZZS)ScopeUnknownErrorcstjd|dS)Nzunknown scope )super__init__)selfZ scope_glob) __class__rr r 
szScopeUnknownError.__init__)rrrr __classcell__rr)rr r sr cseZdZfddZZS)ScopeSelectorEmptyErrorcstjddS)Nzempty scope selector)r r )r )rrr r sz ScopeSelectorEmptyError.__init__)rrrr rrr)rr rsrcseZdZfddZZS)"ScopeSelectorIllegalCharacterErrorcstjd|ddS)Nz%illegal character in scope selector ``)r r )r Zselector)rrr r sz+ScopeSelectorIllegalCharacterError.__init__)rrrr rrr)rr rsrcseZdZfddZZS)ScopeSelectorCurlyBracketsErrorcstjd|ddS)Nz%unsupported curly brackets usage in `r)r r )r pattern)rrr r sz(ScopeSelectorCurlyBracketsError.__init__)rrrr rrr)rr rsrcseZdZfddZZS)ScopeSelectorCommaErrorcstjd|ddS)Nzunsupported comma usage in `r)r r )r r)rrr r #sz ScopeSelectorCommaError.__init__)rrrr rrr)rr r"srcseZdZfddZZS) ScopeSelectorMatchedNothingErrorcstjd|ddS)Nzscope selector `z` matches no scope)r r )r r)rrr r (sz)ScopeSelectorMatchedNothingError.__init__)rrrr rrr)rr r'srcCstdd|Dst|dS)Ncss|]}|jp|dkVqdS)z{,}*_-N)isalnum).0crrr -sz%illegal_characters..)allr)poriginal_patternrrr illegal_characters,srcCsP|jd|jdfdksD|jdr.|jd sD|jd rL|jdrLt|dS)N{}rrrrrr)r!r")count startswithendswithr)rrrrr curly_brackets1sr&cCsZtdd|Drt|x:|D]2}|s.ttj||s d|krJt|t|q WdS)Ncss|]}d|kVqdS),Nr)rgrrr r9sz"resulting_globs..*)anyrrfnmatchfilterrr )ZglobsZ all_scopesrr(rrr resulting_globs8s  r-) r+Zgeneralrrr rrrrrrr&r-rrrr s PKեe[Apython/cryptopolicies/validation/__pycache__/rules.cpython-36.pycnu[3 ."d@s`ddlmZGdddeZGdddeZGdddeZGdd d eZd d Zd d ZdS))PolicySyntaxErrorcseZdZfddZZS) MalformedLinecstjd|ddS)Nzmalformed line ``)super__init__)selfline) __class__E./usr/share/crypto-policies/python/cryptopolicies/validation/rules.pyr szMalformedLine.__init__)__name__ __module__ __qualname__r __classcell__r r )r r rsrcseZdZfddZZS)%MixedDifferentialNonDifferentialErrorcstjd|ddS)Nz/cannot initialize list and modify it at once (`z`))rr)rZrhs)r r r rsz.MixedDifferentialNonDifferentialError.__init__)r r rrrr r )r r r srcseZdZfddZZS)IntPropertyNonIntValueErrorcstjd|ddS)NzBad value of policy property `z`: value must be an 
integer)rr)rZint_property_name)r r r rsz$IntPropertyNonIntValueError.__init__)r r rrrr r )r r rsrcseZdZfddZZS)NonIntPropertyIntValueErrorcstjd|ddS)NzBad value of policy property `z`: value must not be an integer)rr)rZ alg_class)r r r rsz$NonIntPropertyIntValueError.__init__)r r rrrr r )r r rsrcCs|jddkrt|dS)N=r)countr)rr r r count_equals_signs!srcCs|s t|dS)N)r)Zlhsrr r r empty_lhs&srN)Zgeneralrrrrrrrr r r r s PKեe[nddDpython/cryptopolicies/validation/__pycache__/__init__.cpython-36.pycnu[3 ."d@s6ddlmZmZmZddlmZmZdddddgZdS) ) alg_listsrulesscope)PolicySyntaxErrorPolicyFileNotFoundErrorrrrrrN)rrrZgeneralrr__all__r r H./usr/share/crypto-policies/python/cryptopolicies/validation/__init__.pysPKեe[nddJpython/cryptopolicies/validation/__pycache__/__init__.cpython-36.opt-1.pycnu[3 ."d@s6ddlmZmZmZddlmZmZdddddgZdS) ) alg_listsrulesscope)PolicySyntaxErrorPolicyFileNotFoundErrorrrrrrN)rrrZgeneralrr__all__r r H./usr/share/crypto-policies/python/cryptopolicies/validation/__init__.pysPKեe[BrooEpython/cryptopolicies/validation/__pycache__/alg_lists.cpython-36.pycnu[3 ."d@s@ddlmZGdddeZGdddeZGdddeZdS) )PolicySyntaxErrorc@s eZdZdS)AlgorithmClassSyntaxErrorN)__name__ __module__ __qualname__rrI./usr/share/crypto-policies/python/cryptopolicies/validation/alg_lists.pyrsrcseZdZfddZZS)AlgorithmClassUnknownErrorcstjd|ddS)NzUnknown policy property: ``)super__init__)self alg_class) __class__rrr sz#AlgorithmClassUnknownError.__init__)rrrr __classcell__rr)rrr sr cseZdZfddZZS)AlgorithmEmptyMatchErrorcstjd|d|ddS)NzBad value of policy property `z`: `r )r r )r Zglobr)rrrr sz!AlgorithmEmptyMatchError.__init__)rrrr rrr)rrrsrN)Zgeneralrrr rrrrrs PKեe[V&DIpython/cryptopolicies/validation/__pycache__/general.cpython-36.opt-1.pycnu[3 ."ds@s&GdddeeZGdddeZdS)c@s eZdZdS)PolicySyntaxErrorN)__name__ __module__ __qualname__rrG./usr/share/crypto-policies/python/cryptopolicies/validation/general.pyrsrcseZdZfddZZS)PolicyFileNotFoundErrorcs*tjd|d|ddj|ddS)NzUnknown policy `z `: file `z` not found in (z, 
))super__init__join)selfZpnamefnamepaths) __class__rrr sz PolicyFileNotFoundError.__init__)rrrr __classcell__rr)rrr srN) ValueError UserWarningrFileNotFoundErrorrrrrrsPKեe[Xǭ Gpython/cryptopolicies/validation/__pycache__/scope.cpython-36.opt-1.pycnu[3 ."d@sddlZddlmZGdddeZGdddeZGdd d eZGd d d eZGd d d eZGdddeZGdddeZ ddZ ddZ ddZ dS)N)PolicySyntaxErrorc@s eZdZdS)ScopeSyntaxErrorN)__name__ __module__ __qualname__rrE./usr/share/crypto-policies/python/cryptopolicies/validation/scope.pyr srcseZdZfddZZS)ScopeUnknownErrorcstjd|dS)Nzunknown scope )super__init__)selfZ scope_glob) __class__rr r szScopeUnknownError.__init__)rrrr __classcell__rr)rr r sr cseZdZfddZZS)ScopeSelectorEmptyErrorcstjddS)Nzempty scope selector)r r )r )rrr r sz ScopeSelectorEmptyError.__init__)rrrr rrr)rr rsrcseZdZfddZZS)"ScopeSelectorIllegalCharacterErrorcstjd|ddS)Nz%illegal character in scope selector ``)r r )r Zselector)rrr r sz+ScopeSelectorIllegalCharacterError.__init__)rrrr rrr)rr rsrcseZdZfddZZS)ScopeSelectorCurlyBracketsErrorcstjd|ddS)Nz%unsupported curly brackets usage in `r)r r )r pattern)rrr r sz(ScopeSelectorCurlyBracketsError.__init__)rrrr rrr)rr rsrcseZdZfddZZS)ScopeSelectorCommaErrorcstjd|ddS)Nzunsupported comma usage in `r)r r )r r)rrr r #sz ScopeSelectorCommaError.__init__)rrrr rrr)rr r"srcseZdZfddZZS) ScopeSelectorMatchedNothingErrorcstjd|ddS)Nzscope selector `z` matches no scope)r r )r r)rrr r (sz)ScopeSelectorMatchedNothingError.__init__)rrrr rrr)rr r'srcCstdd|Dst|dS)Ncss|]}|jp|dkVqdS)z{,}*_-N)isalnum).0crrr -sz%illegal_characters..)allr)poriginal_patternrrr illegal_characters,srcCsP|jd|jdfdksD|jdr.|jd sD|jd rL|jdrLt|dS)N{}rrrrrr)r!r")count startswithendswithr)rrrrr curly_brackets1sr&cCsZtdd|Drt|x:|D]2}|s.ttj||s d|krJt|t|q WdS)Ncss|]}d|kVqdS),Nr)rgrrr r9sz"resulting_globs..*)anyrrfnmatchfilterrr )ZglobsZ all_scopesrr(rrr resulting_globs8s  r-) r+Zgeneralrrr rrrrrrr&r-rrrr s PKեe[Gpython/cryptopolicies/validation/__pycache__/rules.cpython-36.opt-1.pycnu[3 
."d@s`ddlmZGdddeZGdddeZGdddeZGdd d eZd d Zd d ZdS))PolicySyntaxErrorcseZdZfddZZS) MalformedLinecstjd|ddS)Nzmalformed line ``)super__init__)selfline) __class__E./usr/share/crypto-policies/python/cryptopolicies/validation/rules.pyr szMalformedLine.__init__)__name__ __module__ __qualname__r __classcell__r r )r r rsrcseZdZfddZZS)%MixedDifferentialNonDifferentialErrorcstjd|ddS)Nz/cannot initialize list and modify it at once (`z`))rr)rZrhs)r r r rsz.MixedDifferentialNonDifferentialError.__init__)r r rrrr r )r r r srcseZdZfddZZS)IntPropertyNonIntValueErrorcstjd|ddS)NzBad value of policy property `z`: value must be an integer)rr)rZint_property_name)r r r rsz$IntPropertyNonIntValueError.__init__)r r rrrr r )r r rsrcseZdZfddZZS)NonIntPropertyIntValueErrorcstjd|ddS)NzBad value of policy property `z`: value must not be an integer)rr)rZ alg_class)r r r rsz$NonIntPropertyIntValueError.__init__)r r rrrr r )r r rsrcCs|jddkrt|dS)N=r)countr)rr r r count_equals_signs!srcCs|s t|dS)N)r)Zlhsrr r r empty_lhs&srN)Zgeneralrrrrrrrr r r r s PKեe[BrooKpython/cryptopolicies/validation/__pycache__/alg_lists.cpython-36.opt-1.pycnu[3 ."d@s@ddlmZGdddeZGdddeZGdddeZdS) )PolicySyntaxErrorc@s eZdZdS)AlgorithmClassSyntaxErrorN)__name__ __module__ __qualname__rrI./usr/share/crypto-policies/python/cryptopolicies/validation/alg_lists.pyrsrcseZdZfddZZS)AlgorithmClassUnknownErrorcstjd|ddS)NzUnknown policy property: ``)super__init__)self alg_class) __class__rrr sz#AlgorithmClassUnknownError.__init__)rrrr __classcell__rr)rrr sr cseZdZfddZZS)AlgorithmEmptyMatchErrorcstjd|d|ddS)NzBad value of policy property `z`: `r )r r )r Zglobr)rrrr sz!AlgorithmEmptyMatchError.__init__)rrrr rrr)rrrsrN)Zgeneralrrr rrrrrs PKեe[6F)python/cryptopolicies/validation/scope.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2021 Red Hat, Inc. 
# ---- python/cryptopolicies/validation/scope.py (body; SPDX header precedes) ----
# Validators for the `@scope` part of a directive (e.g. `cipher@{SSH,TLS}`).
# Each validator raises a ScopeSyntaxError subclass instead of returning a
# value, so callers simply call them in sequence and let the error propagate.
import fnmatch

from .general import PolicySyntaxError


class ScopeSyntaxError(PolicySyntaxError):
    """Base class for every scope-selector validation failure."""
    pass


class ScopeUnknownError(ScopeSyntaxError):
    """A literal (non-glob) scope name that is not in the known scope list."""
    def __init__(self, scope_glob):
        super().__init__(f'unknown scope {scope_glob}')


class ScopeSelectorEmptyError(ScopeSyntaxError):
    """A selector component is empty, e.g. `{ssh,}`."""
    def __init__(self):
        super().__init__('empty scope selector')


class ScopeSelectorIllegalCharacterError(ScopeSyntaxError):
    """The selector contains a character outside the allowed set."""
    def __init__(self, selector):
        super().__init__(f'illegal character in scope selector `{selector}`')


class ScopeSelectorCurlyBracketsError(ScopeSyntaxError):
    """Curly brackets are unbalanced or not wrapping the whole selector."""
    def __init__(self, pattern):
        super().__init__(f'unsupported curly brackets usage in `{pattern}`')


class ScopeSelectorCommaError(ScopeSyntaxError):
    """A comma appears inside a single glob (outside a `{...}` list)."""
    def __init__(self, pattern):
        super().__init__(f'unsupported comma usage in `{pattern}`')


class ScopeSelectorMatchedNothingError(ScopeSyntaxError):
    """A glob selector matches none of the known scopes."""
    def __init__(self, pattern):
        super().__init__(f'scope selector `{pattern}` matches no scope')


def illegal_characters(p, original_pattern):
    """
    Reject `p` unless every character is alphanumeric or one of `{,}*_-`.

    `p` is the selector with a leading `!` already removed;
    `original_pattern` is only used for the error message.
    Raises ScopeSelectorIllegalCharacterError.
    """
    if not all(c.isalnum() or c in '{,}*_-' for c in p):
        raise ScopeSelectorIllegalCharacterError(original_pattern)


def curly_brackets(p, original_pattern):
    """
    Allow either no curly brackets at all or exactly one `{...}` pair
    that encloses the whole selector. Raises ScopeSelectorCurlyBracketsError.
    """
    if ((p.count('{'), p.count('}')) not in [(0, 0), (1, 1)]
            or p.startswith('{') and not p.endswith('}')
            or not p.startswith('{') and p.endswith('}')):
        raise ScopeSelectorCurlyBracketsError(original_pattern)


def resulting_globs(globs, all_scopes, original_pattern):
    """
    Validate the individual globs obtained by splitting a selector.

    Raises ScopeSelectorCommaError if a glob still contains a comma,
    ScopeSelectorEmptyError for an empty glob, and, for a glob matching no
    entry of `all_scopes`, ScopeSelectorMatchedNothingError (when it contains
    `*`) or ScopeUnknownError (when it is a literal name).
    """
    if any(',' in g for g in globs):
        raise ScopeSelectorCommaError(original_pattern)
    for g in globs:
        if not g:
            raise ScopeSelectorEmptyError()
        if not fnmatch.filter(all_scopes, g):
            # a literal name that matches nothing is most likely a typo
            if '*' in g:
                raise ScopeSelectorMatchedNothingError(g)
            raise ScopeUnknownError(g)


# ---- python/cryptopolicies/validation/__init__.py ----
# SPDX-License-Identifier: LGPL-2.1-or-later
# Copyright (c) 2021 Red Hat, Inc.
# Re-exports the validation submodules and the two base error types.
from . import alg_lists, rules, scope
from .general import PolicySyntaxError, PolicyFileNotFoundError

__all__ = [
    'alg_lists', 'rules', 'scope',
    'PolicySyntaxError', 'PolicyFileNotFoundError'
]


# ---- python/cryptopolicies/cryptopolicies.py ----
# SPDX-License-Identifier: LGPL-2.1-or-later
# Copyright (c) 2019 Red Hat, Inc.
# Copyright (c) 2019 Tomáš Mráz
#
# Parser for crypto-policies policy files (`*.pol`) and subpolicy modules
# (`*.pmod`): turns text into Directive tuples, applies them per scope and
# produces the enabled/disabled algorithm lists backends consume.
import collections
import enum
import fnmatch
import os
import re
import warnings

from . import alg_lists
from . import validation  # moved out of the way to not obscure the flow


# Defaults of integer property values (doubles as an allowlist)
# A property name is treated as an integer property iff it is a key here.
INT_DEFAULTS = {k: 0 for k in (
    'arbitrary_dh_groups',
    'min_dh_size',
    'min_dsa_size',
    'min_rsa_size',
    'sha1_in_certs',
    'ssh_certs',
    'ssh_etm',
)}


# Scopes (`@!ipsec`) and matching them

# Scope used when a directive carries no `@...` part; matches everything.
SCOPE_ANY = '*'
ALL_SCOPES = (  # defined explicitly to catch typos / globbing nothing
    'tls', 'ssl', 'openssl', 'nss', 'gnutls', 'java-tls',
    'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh',
    'ipsec', 'ike', 'libreswan',
    'kerberos', 'krb5',
    'dnssec', 'bind',
)
# Scope sets the dump in UnscopedCryptoPolicy.__str__ evaluates per backend.
DUMPABLE_SCOPES = {  # TODO: fix duplication, backends specify same things
    'bind': {'bind', 'dnssec'},
    'gnutls': {'gnutls', 'tls', 'ssl'},
    'java-tls': {'java-tls', 'tls', 'ssl'},
    'krb5': {'krb5', 'kerberos'},
    'libreswan': {'ipsec', 'ike', 'libreswan'},
    'libssh': {'libssh', 'openssh', 'ssh'},
    'nss': {'nss', 'tls', 'ssl'},
    'openssh-client': {'openssh-client', 'openssh', 'ssh'},
    'openssh-server': {'openssh-server', 'openssh', 'ssh'},
    'openssl': {'openssl', 'tls', 'ssl'},
}


class ScopeSelector:
    """
    A parsed `@scope` selector: an optional leading `!` (negation) followed
    by a single glob or a `{glob,glob,...}` list. Validation of the pattern
    is delegated to `validation.scope` and raises PolicySyntaxError subclasses.
    """
    def __init__(self, pattern=SCOPE_ANY):
        """
        Initialize a scope selector.
        An example would be `ssh` in `ciphers@ssh = -NULL`.
        When openssh backend will request the configuration,
        it'll offer (`{'ssh', 'openssh'}`) as scopes
        and the rule above will be taken into account.
        Both patterns and scopes are cast to lowercase.

        Raises a `validation.scope.ScopeSyntaxError` subclass
        for an invalid pattern.

        For more examples, refer to tests/unit/parsing/test_scope_selector.py

        >>> ss = ScopeSelector('!{SSH,IPsec}')
        >>> ss.matches({'ipsec', 'libreswan'})
        False
        >>> ss.matches({'tls', 'openssl'})
        True
        """
        self.pattern = pattern = pattern.lower()
        self._positive = not pattern.startswith('!')
        # p is the pattern without the negation marker
        p = pattern if self._positive else pattern[1:]
        validation.scope.illegal_characters(p, original_pattern=self.pattern)
        validation.scope.curly_brackets(p, original_pattern=self.pattern)
        # `{a,b}` becomes ['a', 'b']; a bare glob becomes a one-element list
        self._globs = p[1:-1].split(',') if p.startswith('{') else [p]
        validation.scope.resulting_globs(self._globs, ALL_SCOPES,
                                         original_pattern=self.pattern)

    def __str__(self):
        # NOTE(review): this f-string renders empty on the page; the
        # angle-bracketed repr text was likely stripped during extraction.
        # Verify against the repository before relying on this.
        return f''

    def matches(self, scopes):
        """
        Checks whether ScopeSelector matches one of the scopes.

        A positive selector matches if any of its globs matches any scope;
        a negated selector (`!...`) matches only if none of its globs does.

        For more examples, refer to tests/unit/parsing/test_scope_selector.py

        >>> ScopeSelector('{SSH,IPsec}').matches({'ipsec', 'libreswan'})
        True
        >>> ScopeSelector('!{SSH,IPsec}').matches({'ipsec', 'libreswan'})
        False
        """
        if self.pattern == SCOPE_ANY:  # matches even an empty set
            return True
        scopes = [s.lower() for s in scopes]
        # NOTE(review): this is an assert, so it is stripped when running
        # optimized (the shipped *.opt-1.pyc files); it is a developer
        # check on backend-supplied input, not a runtime validation.
        assert all(s in ALL_SCOPES for s in scopes)  # supplied by backends
        if self._positive:
            return any(fnmatch.filter(scopes, g) for g in self._globs)
        return all(not fnmatch.filter(scopes, g) for g in self._globs)


# Operations: interpreting right hand sides of (sub)policy files

class Operation(enum.Enum):
    """
    An operation that comes with the right-hand value of the directive.
    """
    RESET = 1  # cipher =
    PREPEND = 2  # cipher = +NULL
    APPEND = 3  # cipher = NULL+
    OMIT = 4  # cipher = -NULL
    SET_INT = 5  # sha1_in_certs = 0; setting to something that's all digits


def parse_rhs(rhs, prop_name):
    """
    Parses right-hand parts of the directives
    into lists of operation/value pairs.

    `rhs` is the stripped text right of `=`; `prop_name` is the property
    (algorithm class or integer property) left of `=`/`@`.
    Returns a list of (Operation, value) tuples; value is None for RESET,
    an int for SET_INT and an algorithm name otherwise.
    Raises `validation.rules` errors for an integer value on a list property,
    a non-integer value on an integer property, or a line mixing
    `+`/`-` forms with plain values. Glob expansion and unknown-class errors
    come from `alg_lists.glob`.

    For more examples, refer to tests/unit/test_parsing.py

    >>> parse_rhs('', 'cipher')
    [(<Operation.RESET: 1>, None)]
    >>> parse_rhs('IDEA-CBC SEED-CBC', 'cipher')
    [(<Operation.RESET: 1>, None), (<Operation.APPEND: 3>, 'IDEA-CBC'), (<Operation.APPEND: 3>, 'SEED-CBC')]
    >>> # 3DES-CBC gets prepended last for higher prio
    >>> parse_rhs('+*DES-CBC', 'cipher')
    [(<Operation.PREPEND: 2>, 'DES-CBC'), (<Operation.PREPEND: 2>, '3DES-CBC')]
    """
    def differential(v):
        # `+X`, `X+` and `-X` modify an existing list instead of replacing it
        return v.startswith('+') or v.endswith('+') or v.startswith('-')

    if rhs.isdigit():
        if prop_name not in alg_lists.ALL and prop_name in INT_DEFAULTS:
            return [(Operation.SET_INT, int(rhs))]
        elif prop_name in alg_lists.ALL:
            raise validation.rules.NonIntPropertyIntValueError(prop_name)
        else:
            assert prop_name not in alg_lists.ALL
            assert prop_name not in INT_DEFAULTS
            # pass for now, it's gonna be caught as non-existing algclass
    else:
        if prop_name in INT_DEFAULTS:
            raise validation.rules.IntPropertyNonIntValueError(prop_name)

    values = rhs.split()
    if not any(differential(v) for v in values):  # Setting something anew
        values = sum([alg_lists.glob(v, prop_name) for v in values], [])
        return ([(Operation.RESET, None)]
                + [(Operation.APPEND, v) for v in values])
    elif all(differential(v) for v in values):  # Modifying an existing list
        operations = []
        for value in values:
            if value.startswith('+'):
                op = Operation.PREPEND
                # reversed so that the first glob match ends up first
                # after the sequence of single-element prepends
                unglob = alg_lists.glob(value[1:], prop_name)[::-1]
            elif value.endswith('+'):
                op = Operation.APPEND
                unglob = alg_lists.glob(value[:-1], prop_name)[::-1]
            else:
                assert value.startswith('-')
                op = Operation.OMIT
                unglob = alg_lists.glob(value[1:], prop_name)
            operations.extend([(op, v) for v in unglob])
        return operations
    else:  # Forbidden to mix them on one line
        raise validation.rules.MixedDifferentialNonDifferentialError(rhs)


# Directives: interpreting lines of (sub)policy files

# One parsed directive: `prop_name@scope = ...` expanded to a single
# operation/value pair; `scope` is the lowercased selector text.
Directive = collections.namedtuple('Directive', (
    'prop_name', 'scope', 'operation', 'value'
))


def parse_line(line: str) -> list:
    """
    Parses configuration lines into tuples of directives.

    Returns an empty list for a blank line. The line must contain exactly
    one `=` (checked by `validation.rules.count_equals_signs`) and a
    non-empty left-hand side (`validation.rules.empty_lhs`).
    A missing `@scope` part defaults to SCOPE_ANY.

    For more examples, refer to tests/unit/test_parsing.py

    >>> parse_line('cipher@TLS = RC4* NULL')
    [Directive(prop_name='cipher', scope='tls', operation=<Operation.RESET: 1>, value=None), Directive(prop_name='cipher', scope='tls', operation=<Operation.APPEND: 3>, value='RC4-40'), Directive(prop_name='cipher', scope='tls', operation=<Operation.APPEND: 3>, value='RC4-128'), Directive(prop_name='cipher', scope='tls', operation=<Operation.APPEND: 3>, value='NULL')]
    """
    if not line.strip():
        return []
    validation.rules.count_equals_signs(line)
    lhs, rhs = line.split('=')
    lhs, rhs = lhs.strip(), rhs.strip()
    validation.rules.empty_lhs(lhs, line)
    # split on the first `@` only; the scope selector itself never contains one
    prop_name, scope = lhs.split('@', 1) if '@' in lhs else (lhs, SCOPE_ANY)
    return [Directive(prop_name=prop_name, scope=scope.lower(),
                      operation=operation, value=value)
            for operation, value in parse_rhs(rhs, prop_name)]


def syntax_check_line(line: str, warn: bool = False) -> None:
    """
    Parse `line` (including its scope selectors) purely for validation.

    With `warn=False` a PolicySyntaxError propagates; with `warn=True` it is
    turned into a warning instead, so that several problems can be reported
    before the strict pass fails.
    """
    try:
        l = parse_line(line)
        for d in l:
            ScopeSelector(d.scope)  # attempt parsing
    except validation.PolicySyntaxError as ex:
        if not warn:
            raise
        warnings.warn(ex)


class PolicySyntaxDeprecationWarning(FutureWarning):
    """Warning emitted when preprocess_text rewrites a legacy option."""
    def __init__(self, deprecated, replacement):
        # multi-line replacements are joined for a one-line message
        replacement = replacement.replace('\n', ' and ')
        msg = f'option {deprecated} is deprecated'
        msg += f', please rewrite your rules using {replacement}; '
        msg += 'be advised that it is not always a 1-1 replacement'
        super().__init__(msg)


def preprocess_text(text: str) -> str:
    r"""
    Preprocesses text before parsing.
    Fixes line breaks, handles backwards compatibility.

    Steps, in order: strip `#` comments, normalize `=` spacing, join
    backslash-continued lines, collapse whitespace and blank lines, then
    rewrite deprecated options (`protocol`, `tls_cipher`, `ssh_cipher`,
    `ssh_group`, `ike_protocol`, `sha1_in_dnssec`, `min_tls_version`,
    `min_dtls_version`) into their scoped replacements, emitting a
    PolicySyntaxDeprecationWarning for each rewrite.

    >>> preprocess_text('cipher = c1 \\ \nc2#x')
    'cipher = c1 c2'
    >>> with warnings.catch_warnings():
    ...     warnings.simplefilter("ignore")
    ...     preprocess_text('ike_protocol = IKEv2')
    'protocol@IKE = IKEv2'
    >>> with warnings.catch_warnings():
    ...     warnings.simplefilter("ignore")
    ...     preprocess_text('min_tls_version=TLS1.3')
    'protocol@TLS = -SSL2.0 -SSL3.0 -TLS1.0 -TLS1.1 -TLS1.2'
    """
    # `#` anywhere on a line (not only at its start) discards the rest of it
    text = re.sub(r'#.*', '', text)
    text = text.replace('=', ' = ')
    text = '\n'.join((l.strip() for l in text.split('\n')))
    # join continuation lines; requires the backslash to be the last char,
    # which the strip() above guarantees
    text = text.replace('\\\n', '')
    text = '\n'.join((l.strip() for l in text.split('\n')))
    text = '\n'.join((re.sub(r'\s+', ' ', l) for l in text.split('\n')))
    text = re.sub('\n+', '\n', text).strip()

    if re.findall(r'\bprotocol\s*=', text):
        # only warned about, not rewritten
        warnings.warn(PolicySyntaxDeprecationWarning('protocol',
                                                     'protocol@TLS'))

    # legacy `old = value` lines are removed and re-added at the end
    # as `new = value`, preserving the value text
    POSTFIX_REPLACEMENTS = {
        'tls_cipher': 'cipher@TLS',
        'ssh_cipher': 'cipher@SSH',
        'ssh_group': 'group@SSH',
        'ike_protocol': 'protocol@IKE',
    }
    for fr, to in POSTFIX_REPLACEMENTS.items():
        regex = r'\b' + fr + r'\s*=(.*)'
        ms = re.findall(regex, text)
        if ms:
            warnings.warn(PolicySyntaxDeprecationWarning(fr, to))
            text = re.sub(regex, '', text)
            for m in ms:
                text += f'\n\n{to} ={m}'
    text = re.sub('\n+', '\n', text).strip()

    # whole-directive substitutions (value included)
    PLAIN_REPLACEMENTS = {
        'sha1_in_dnssec = 0':
            'hash@DNSSec = -SHA1\nsign@DNSSec = -RSA-SHA1 -ECDSA-SHA1',
        'sha1_in_dnssec = 1':
            'hash@DNSSec = SHA1+\nsign@DNSSec = RSA-SHA1+ ECDSA-SHA1+',
    }
    for fr, to in PLAIN_REPLACEMENTS.items():
        regex = r'\b' + fr + r'\b'
        if re.search(regex, text):
            warnings.warn(PolicySyntaxDeprecationWarning(fr, to))
            text = re.sub(regex, to, text)

    # `min_dtls_version = X` becomes a `protocol@TLS` line omitting every
    # version listed before X in alg_lists.DTLS_PROTOCOLS (walked from the
    # last entry backwards); the oldest version yields an empty replacement
    dtls_versions = list(alg_lists.DTLS_PROTOCOLS[::-1])
    while dtls_versions:
        neg = " ".join(("-" + v for v in dtls_versions[:-1]))
        text = re.sub(r'\bmin_dtls_version = ' + dtls_versions[-1] + r'\b',
                      f'protocol@TLS = {neg}' if neg else '', text)
        dtls_versions.pop()
    text = re.sub(r'\bmin_dtls_version = 0\b', '', text)

    # same treatment for `min_tls_version` over alg_lists.TLS_PROTOCOLS
    tls_versions = list(alg_lists.TLS_PROTOCOLS[::-1])
    while tls_versions:
        neg = " ".join(("-" + v for v in tls_versions[:-1]))
        text = re.sub(r'\bmin_tls_version = ' + tls_versions[-1] + r'\b',
                      f'protocol@TLS = {neg}' if neg else '', text)
        tls_versions.pop()
    text = re.sub(r'\bmin_tls_version = 0\b', '', text)
    return text


# Finally, constructing a policy

class ScopedPolicy:
    """
    An entity constructing lists of what's `.enabled` and what's `.disabled`
    when the given scopes are active.

    Attributes:
      enabled  -- {prop_name: [algorithm, ...]} in priority order
      disabled -- {prop_name: [algorithm, ...]} in alg_lists.ALL order
      integers -- {int_property: value}, starting from INT_DEFAULTS

    >>> sp = ScopedPolicy(parse_line('cipher@TLS = RC4* NULL'), {'tls'})
    >>> 'AES-256-GCM' in sp.disabled['cipher']
    True
    >>> sp.enabled['cipher']
    ['RC4-40', 'RC4-128', 'NULL']
    >>> ScopedPolicy(parse_line('min_dh_size=2048')).integers['min_dh_size']
    2048
    """
    def __init__(self, directives, relevant_scopes=None):
        """
        Apply `directives` (Directive tuples, in file order) whose scope
        selector matches `relevant_scopes` (a set of scope names; None
        means no scope, so only SCOPE_ANY directives apply).
        """
        relevant_scopes = relevant_scopes or set()
        self.integers = INT_DEFAULTS.copy()
        self.enabled = {prop_name: [] for prop_name in alg_lists.ALL}
        for directive in directives:  # TODO: validate that the target exists
            ss = ScopeSelector(directive.scope)
            if ss.matches(relevant_scopes):
                if directive.operation == Operation.RESET:
                    self.enabled[directive.prop_name] = []
                elif directive.operation == Operation.APPEND:
                    enabled = self.enabled[directive.prop_name]
                    # appending an already-present value is a no-op
                    if directive.value not in enabled:
                        enabled.append(directive.value)
                elif directive.operation == Operation.PREPEND:
                    enabled = self.enabled[directive.prop_name]
                    # in case of duplicates, remove the latter, lower-prio ones
                    if directive.value in enabled:
                        enabled.remove(directive.value)
                    enabled.insert(0, directive.value)
                elif directive.operation == Operation.OMIT:
                    self.enabled[directive.prop_name] = [
                        e for e in self.enabled[directive.prop_name]
                        if e != directive.value
                    ]
                else:
                    # NOTE(review): assert-based; stripped under -O
                    assert directive.operation == Operation.SET_INT
                    self.integers[directive.prop_name] = directive.value
        assert len(self.enabled) == len(set(self.enabled))
        # everything known to alg_lists that did not end up enabled
        self.disabled = {prop_name: [e for e in alg_lists.ALL[prop_name]
                                     if e not in self.enabled[prop_name]]
                         for prop_name in alg_lists.ALL}

    @property
    def min_tls_version(self):
        """Lowest enabled TLS/SSL protocol, as computed by alg_lists."""
        return alg_lists.min_tls_version(self.enabled['protocol'])

    @property
    def max_tls_version(self):
        """Highest enabled TLS/SSL protocol, as computed by alg_lists."""
        return alg_lists.max_tls_version(self.enabled['protocol'])

    @property
    def min_dtls_version(self):
        """Lowest enabled DTLS protocol, as computed by alg_lists."""
        return alg_lists.min_dtls_version(self.enabled['protocol'])

    @property
    def max_dtls_version(self):
        """Highest enabled DTLS protocol, as computed by alg_lists."""
        return alg_lists.max_dtls_version(self.enabled['protocol'])


# Locating policy files

def lookup_file(policyname: str, fname: str, paths) -> str:
    """
    Return the first `paths` entry under which `fname` is readable.

    `paths` is searched in order, so earlier entries shadow later ones.
    The os.access() check is only advisory: the caller opens the file
    afterwards and must still handle open() failing.
    Raises validation.PolicyFileNotFoundError if no candidate is readable.
    """
    for d in paths:
        p = os.path.join(d, fname)
        if os.access(p, os.R_OK):
            return p
    raise validation.PolicyFileNotFoundError(policyname, fname, paths)


# main class

class UnscopedCryptoPolicy:
    """
    A policy plus optional subpolicies, read from disk and held as a flat
    list of Directive tuples; `.scoped()` evaluates them for a backend.
    """
    CONFIG_DIR = '/etc/crypto-policies'
    SHARE_DIR = '/usr/share/crypto-policies'

    def __init__(self, policy_name, *subpolicy_names, policydir=None):
        """
        Load `policy_name` (`.pol`) and each of `subpolicy_names` (`.pmod`,
        from the `modules` subdirectory). `policydir` overrides the
        `policies` directory name used in the search paths.
        """
        self.policydir = policydir
        self.policyname = ':'.join((policy_name,) + subpolicy_names)
        # NOTE(review): `lines` is not referenced anywhere else in the
        # visible code of this file
        self.lines = []
        directives = self.read_policy_file(policy_name)
        for subpolicy_name in subpolicy_names:
            directives += self.read_policy_file(subpolicy_name, subpolicy=True)
        self._directives = directives

    def is_empty(self) -> bool:
        """True if no directive was read from any of the files."""
        return not self._directives

    def scoped(self, scopes=None):
        """Evaluate the directives for `scopes` (a set of scope names)."""
        return ScopedPolicy(self._directives, scopes or {})

    def read_policy_file(self, name, subpolicy=False):
        """
        Locate, preprocess, syntax-check and parse one policy file.

        Search order is the current working directory first, then the
        (relative) policy directory, then the same directory under
        CONFIG_DIR and SHARE_DIR — so a same-named file in the process's
        working directory takes precedence over the system copies.
        Returns the flat list of Directive tuples; raises
        validation.PolicyFileNotFoundError or a PolicySyntaxError.
        """
        pdir = self.policydir or 'policies'
        if subpolicy:
            pdir = os.path.join(pdir, 'modules')
        p = lookup_file(name, name + ('.pol' if not subpolicy else '.pmod'), (
            os.path.curdir,
            pdir,
            os.path.join(self.CONFIG_DIR, pdir),
            os.path.join(self.SHARE_DIR, pdir),
        ))
        # TODO: error handling
        with open(p) as f:
            text = f.read()
        text = preprocess_text(text)
        lines = text.split('\n')
        for l in lines:  # display several warnings at once
            syntax_check_line(l, warn=True)
        for l in lines:  # crash
            syntax_check_line(l)
        return sum([parse_line(l) for l in lines], [])

    def __str__(self):
        """
        Human-readable dump: baseline values for all scopes, followed by
        the properties that differ for each DUMPABLE_SCOPES backend.
        The header itself states the output is not meant to be parsed.
        """
        def fmt(key, value):
            # lists are space-joined; integers are printed as-is
            s = ' '.join(value) if isinstance(value, list) else str(value)
            return f'{key} = {s}'.rstrip() + '\n'

        generic_scoped = self.scoped()
        s = f'# Policy {self.policyname} dump\n'
        s += '#\n'
        s += '# Do not parse the contents of this file with automated tools,\n'
        s += '# it is provided for review convenience only.\n'
        s += '#\n'
        s += '# Baseline values for all scopes:\n'
        generic_all = {**generic_scoped.enabled, **generic_scoped.integers}
        for prop_name, value in generic_all.items():
            s += fmt(prop_name, value)
        anything_scope_specific = False
        for scope_name, scope_set in DUMPABLE_SCOPES.items():
            specific_scoped = self.scoped(scopes=scope_set)
            specific_all = {**specific_scoped.enabled,
                            **specific_scoped.integers}
            for prop_name, value in specific_all.items():
                # only print what differs from the baseline
                if value != generic_all[prop_name]:
                    if not anything_scope_specific:
                        s += ('# Scope-specific properties '
                              'derived for select backends:\n')
                        anything_scope_specific = True
                    s += fmt(f'{prop_name}@{scope_name}', value)
        if not anything_scope_specific:
            s += '# No scope-specific properties found.\n'
        return s
N) validation AES-256-GCM AES-256-CCM AES-192-GCM AES-192-CCM AES-128-GCM AES-128-CCMCHACHA20-POLY1305CAMELLIA-256-GCMCAMELLIA-128-GCM AES-256-CTR AES-256-CBC AES-192-CTR AES-192-CBC AES-128-CTR AES-128-CBCCAMELLIA-256-CBCCAMELLIA-128-CBC3DES-CBCDES-CBCRC4-40RC4-128 DES40-CBCRC2-CBCIDEA-CBCSEED-CBCNULLAEADUMAC-128 HMAC-SHA1 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512UMAC-64HMAC-MD5SHA2-256SHA2-384SHA2-512SHA3-256SHA3-384SHA3-512SHA2-224SHA1MD5GOSTX25519 SECP256R1 SECP384R1 SECP521R1X448 FFDHE-1536 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 FFDHE-1024RSA-MD5RSA-SHA1DSA-SHA1 ECDSA-SHA1 RSA-SHA2-224 DSA-SHA2-224ECDSA-SHA2-224 RSA-SHA2-256 DSA-SHA2-256ECDSA-SHA2-256ECDSA-SHA2-256-FIDO RSA-SHA2-384 DSA-SHA2-384ECDSA-SHA2-384 RSA-SHA2-512 DSA-SHA2-512ECDSA-SHA2-512 RSA-SHA3-256 DSA-SHA3-256ECDSA-SHA3-256 RSA-SHA3-384 DSA-SHA3-384ECDSA-SHA3-384 RSA-SHA3-512 DSA-SHA3-512ECDSA-SHA3-512 EDDSA-ED25519EDDSA-ED25519-FIDO EDDSA-ED448 RSA-PSS-SHA1RSA-PSS-SHA2-224RSA-PSS-SHA2-256RSA-PSS-SHA2-384RSA-PSS-SHA2-512RSA-PSS-RSAE-SHA1RSA-PSS-RSAE-SHA2-224RSA-PSS-RSAE-SHA2-256RSA-PSS-RSAE-SHA2-384RSA-PSS-RSAE-SHA2-512PSKDHE-PSK ECDHE-PSKECDHERSADHEDHE-RSADHE-DSSEXPORTANONDHECDHDHE-GSS ECDHE-GSSTLS1.3TLS1.2TLS1.1TLS1.0SSL3.0SSL2.0DTLS1.2DTLS1.0DTLS0.9IKEv2IKEv1)ZciphergrouphashZ key_exchangeZmacZprotocolZsigncCs:|tkrtjj|tjt||}|s6tjj|||S)z Lists algorithms matching a glob, in order of appearance in ALL[alg_class]. 
For more examples, refer to tests/unit/parsing/test_alg_lists.py >>> glob('RC4-*', 'cipher') ['RC4-40', 'RC4-128'] )ALLrZ alg_listsZAlgorithmClassUnknownErrorfnmatchfilterZAlgorithmEmptyMatchError)patternZ alg_classrr>./usr/share/crypto-policies/python/cryptopolicies/alg_lists.pyglobYs  rcs8fdd|D}|sdSfdd|D}t|S)zO >>> earliest_occurrence('test', 'abcdefghijklmnopqrstuvwxyz') 'e' csg|]}|kr|qSrr).0n)ordered_haystackrr nsz'earliest_occurrence..Nc3s|]}j|VqdS)N)index)rr)rrr qsz&earliest_occurrence..)min)Zneedlesr intersectionindicesr)rrearliest_occurrenceis rcCst|tdddS)z@ >>> min_tls_version(['SSL3.0', 'TLS1.2']) 'SSL3.0' Nr)r TLS_PROTOCOLS)versionsrrrmin_tls_versionusrcCst|tdddS)zD >>> min_dtls_version(['DTLS1.2', 'DTLS1.0']) 'DTLS1.0' Nrr)rDTLS_PROTOCOLS)rrrrmin_dtls_version}srcCs t|tS)z@ >>> max_tls_version(['SSL3.0', 'TLS1.2']) 'TLS1.2' )rr)rrrrmax_tls_versionsrcCs t|tS)zD >>> max_dtls_version(['DTLS1.2', 'DTLS1.0']) 'DTLS1.2' )rr)rrrrmax_dtls_versionsr)rrrrrr r r r r rrrrrrrrrrrrrrrr)rrr r!r"r#r$r%) r&r'r(r)r*r+r,r-r.r/) r0r1r2r3r4r5r6r7r8r9r:r;)'r<r=r>r?r@rArBrCrDrErFrGrHrIrJrKrLrMrNrOrPrQrRrSrTrUrVrWrXrYrZr[r\r]r^r_r`rarb)rcrdrerfrgrhrirjrkrlrmrnrorp)rqrrrsrtrurv)rwrxry)rzr{)__doc__rrZ ALL_CIPHERSZALL_MACSZ ALL_HASHESZ ALL_GROUPSZALL_SIGNZALL_KEY_EXCHANGESrrZ IKE_PROTOCOLSZ ALL_PROTOCOLSr~rrrrrrrrrrsn   PKեe[>>Epython/cryptopolicies/__pycache__/cryptopolicies.cpython-36.opt-1.pycnu[3 ."dCB@s6ddlZddlZddlZddlZddlZddlZddlmZddlmZdddZd-d.Zd?d0d1ZGd2d3d3eZd4d5ZGd6d7d7Zd8d9ZGd:d;d;ZdS)@N) alg_lists) validationcCsi|] }d|qS)r).0krrC./usr/share/crypto-policies/python/cryptopolicies/cryptopolicies.py sr arbitrary_dh_groups min_dh_size min_dsa_size min_rsa_size sha1_in_certs ssh_certsssh_etm*tlssslopensslnssgnutlsjava-tlssshopensshopenssh-serveropenssh-clientlibsshipsecike libreswankerberoskrb5dnssecbind) r#rzjava-tlsr!rrrzopenssh-clientzopenssh-serverrc@s(eZdZefddZddZddZdS) ScopeSelectorcCs|j|_}|jd |_|jr&|n |dd}tjj||jdtjj||jd|jdrr|ddjdn|g|_ tjj |j t |jddS)a= Initialize a 
scope selector. An example would be `ssh` in `ciphers@ssh = -NULL`. When openssh backend will request the configuration, it'll offer (`{'ssh', 'openssh'}`) as scopes and the rule above will be taken into account. Both patterns and scopes are cast to lowercase. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ss = ScopeSelector('!{SSH,IPsec}') >>> ss.matches({'ipsec', 'libreswan'}) False >>> ss.matches({'tls', 'openssl'}) True !rN)Zoriginal_pattern{,) lowerpattern startswith _positiverscopeZillegal_charactersZcurly_bracketssplit_globsZresulting_globs ALL_SCOPES)selfr*prrr__init__5s$ zScopeSelector.__init__cCsdt|jdS)Nz)reprr*)r1rrr__str__PszScopeSelector.__str__csR|jtkrdSddD|jr:tfdd|jDStfdd|jDS)aE Checks whether ScopeSelector matches one of the scopes. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ScopeSelector('{SSH,IPsec}').matches({'ipsec', 'libreswan'}) True >>> ScopeSelector('!{SSH,IPsec}').matches({'ipsec', 'libreswan'}) False TcSsg|] }|jqSr)r))rsrrr ^sz)ScopeSelector.matches..c3s|]}tj|VqdS)N)fnmatchfilter)rg)scopesrr asz(ScopeSelector.matches..c3s|]}tj| VqdS)N)r9r:)rr;)r<rrr=bs)r* SCOPE_ANYr,anyr/all)r1r<r)r<rmatchesSs zScopeSelector.matchesN)__name__ __module__ __qualname__r>r3r6rArrrrr$4s r$c@s$eZdZdZdZdZdZdZdZdS) OperationzM An operation that comes with the right-hand value of the directive. rN) rBrCrD__doc__RESETPREPENDAPPENDOMITSET_INTrrrrrEgs rEcsdd|jrLtjkr2tkr2tjt|fgStjkr`tjj q`ntkr`tjj |j }t fdd|Dst fdd|Dg}tjdfgdd|DStfd d|Drtg}x|D]}|jd rtjtj|d dddd }nL|jd r:tjtj|ddddd}ntjtj|d d}|jfd d|DqW|Stjj|dS)a7 Parses right-hand parts of the directives into lists of operation/value pairs. 
For more examples, refer to tests/unit/test_parsing.py >>> parse_rhs('', 'cipher') [(, None)] >>> parse_rhs('IDEA-CBC SEED-CBC', 'cipher') [(, None), (, 'IDEA-CBC'), (, 'SEED-CBC')] >>> # 3DES-CBC gets prepended last for higher prio >>> parse_rhs('+*DES-CBC', 'cipher') [(, 'DES-CBC'), (, '3DES-CBC')] cSs|jdp|jdp|jdS)N+-)r+endswith)vrrr differentialszparse_rhs..differentialc3s|]}|VqdS)Nr)rrS)rTrrr=szparse_rhs..csg|]}tj|qSr)rglob)rrS) prop_namerrr8szparse_rhs..NcSsg|]}tj|fqSr)rErM)rrSrrrr8sc3s|]}|VqdS)Nr)rrS)rTrrr=srPrcsg|] }|fqSrr)rrS)oprrr8sr(r(r()isdigitrALL INT_DEFAULTSrErOintrrulesZNonIntPropertyIntValueErrorZIntPropertyNonIntValueErrorr.r?sumrKr@r+rLrUrRrMrNextendZ%MixedDifferentialNonDifferentialError)rhsrVvaluesZ operationsvalueZunglobr)rTrWrVr parse_rhsrs8        rb DirectiverVr- operationracs|js gStjj||jd\}}|j|j}}tjj||d|krZ|jddn|tf\fddt|DS)ae Parses configuration lines into tuples of directives. For more examples, refer to tests/unit/test_parsing.py >>> parse_line('cipher@TLS = RC4* NULL') [Directive(prop_name='cipher', scope='tls', operation=, value=None), Directive(prop_name='cipher', scope='tls', operation=, value='RC4-40'), Directive(prop_name='cipher', scope='tls', operation=, value='RC4-128'), Directive(prop_name='cipher', scope='tls', operation=, value='NULL')] =@rcs$g|]\}}tj||dqS))rVr-rdra)rcr))rrdra)rVr-rrr8szparse_line..)striprr\Zcount_equals_signsr.Z empty_lhsr>rb)lineZlhsr_r)rVr-r parse_lines   riFcCs^y$t|}x|D]}t|jqWWn4tjk rX}z|s>tj|WYdd}~XnXdS)N)rir$r-rZPolicySyntaxErrorwarningswarn)rhrkldexrrrsyntax_check_lines rocseZdZfddZZS)PolicySyntaxDeprecationWarningcs@|jdd}d|d}|d|d7}|d7}tj|dS)N z and zoption z is deprecatedz", please rewrite your rules using z; z2be advised that it is not always a 1-1 replacement)replacesuperr3)r1Z deprecatedZ replacementmsg) __class__rrr3s   z'PolicySyntaxDeprecationWarning.__init__)rBrCrDr3 __classcell__rr)rurrpsrpc Cstjdd|}|jdd}djdd|jdD}|jdd}djd d|jdD}djd d|jdD}tjd d|j}tjd |rtjt d dddddd}xr|j D]f\}}d|d}tj||}|rtjt 
||tj|d|}x"|D]}|d|d|7}qWqWtjd d|j}ddd}xN|j D]B\}}d|d}tj ||r|tjt ||tj|||}qJWt t jddd%}xZ|rdjdd|dd&D} tjd|d'd| rd | nd|}|jqWtjd!d|}t t jddd(} xZ| r|djd"d| dd)D} tjd#| d*d| rhd | nd|}| jq$Wtjd$d|}|S)+a Preprocesses text before parsing. Fixes line breaks, handles backwards compatibility. >>> preprocess_text('cipher = c1 \\ \nc2#x') 'cipher = c1 c2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('ike_protocol = IKEv2') 'protocol@IKE = IKEv2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('min_tls_version=TLS1.3') 'protocol@TLS = -SSL2.0 -SSL3.0 -TLS1.0 -TLS1.1 -TLS1.2' z#.*rez = rqcss|]}|jVqdS)N)rg)rrlrrrr=sz"preprocess_text..z\ css|]}|jVqdS)N)rg)rrlrrrr=scss|]}tjdd|VqdS)z\s+ N)resub)rrlrrrr=sz +z\bprotocol\s*=protocolz protocol@TLSz cipher@TLSz cipher@SSHz group@SSHz protocol@IKE)Z tls_cipherZ ssh_cipherZ ssh_groupZ ike_protocolz\bz\s*=(.*)z z =z7hash@DNSSec = -SHA1 sign@DNSSec = -RSA-SHA1 -ECDSA-SHA1z7hash@DNSSec = SHA1+ sign@DNSSec = RSA-SHA1+ ECDSA-SHA1+)zsha1_in_dnssec = 0zsha1_in_dnssec = 1Nrrxcss|]}d|VqdS)rQNr)rrSrrrr=sz\bmin_dtls_version = zprotocol@TLS = z\bmin_dtls_version = 0\bcss|]}d|VqdS)rQNr)rrSrrrr=$sz\bmin_tls_version = z\bmin_tls_version = 0\br(r(r(r(r(r()ryrzrrjoinr.rgfindallrjrkrpitemssearchlistrZDTLS_PROTOCOLSpopZ TLS_PROTOCOLS) textZPOSTFIX_REPLACEMENTSfrZtoZregexZmsmZPLAIN_REPLACEMENTSZ dtls_versionsnegZ tls_versionsrrrpreprocess_textsZ       rc@sJeZdZdZd ddZeddZeddZed d Zed d Z dS) ScopedPolicya An entity constructing lists of what's `.enabled` and what's `.disabled` when the given scopes are active. 
>>> sp = ScopedPolicy(parse_line('cipher@TLS = RC4* NULL'), {'tls'}) >>> 'AES-256-GCM' in sp.disabled['cipher'] True >>> sp.enabled['cipher'] ['RC4-40', 'RC4-128', 'NULL'] >>> ScopedPolicy(parse_line('min_dh_size=2048')).integers['min_dh_size'] 2048 Ncs(|pt}tj_ddtjD_x|D]މtj}|j |r,j t j kr^gjj <q,j t jkrjj }j|kr|jjq,j t jkr̈jj }j|kr|jj|jdjq,j t jkrfddjj Djj <q,jjj <q,WfddtjD_dS)NcSsi|] }g|qSrr)rrVrrrr >sz)ScopedPolicy.__init__..rcsg|]}|jkr|qSr)ra)re) directiverrr8Rsz)ScopedPolicy.__init__..cs(i|] fddtjDqS)csg|]}|jkr|qSr)enabled)rr)rVr1rrr8Zsz4ScopedPolicy.__init__...)rrY)r)r1)rVrr Zs)setrZcopyintegersrrYrr$r-rArdrErKrVrMraappendrLremoveinsertrNZdisabled)r1 directivesZrelevant_scopesZssrr)rr1rr3;s,              $ zScopedPolicy.__init__cCstj|jdS)Nr{)rmin_tls_versionr)r1rrrr^szScopedPolicy.min_tls_versioncCstj|jdS)Nr{)rmax_tls_versionr)r1rrrrbszScopedPolicy.max_tls_versioncCstj|jdS)Nr{)rmin_dtls_versionr)r1rrrrfszScopedPolicy.min_dtls_versioncCstj|jdS)Nr{)rmax_dtls_versionr)r1rrrrjszScopedPolicy.max_dtls_version)N) rBrCrDrJr3propertyrrrrrrrrr/s   #   rcCs@x,|D]$}tjj||}tj|tjr|SqWtj|||dS)N)ospathr|accessR_OKrZPolicyFileNotFoundError) policynamefnamepathsrmr2rrr lookup_fileqs  rc@sFeZdZdZdZddddZddZdd d Zdd d ZddZ dS)UnscopedCryptoPolicyz/etc/crypto-policiesz/usr/share/crypto-policiesN) policydircGsR||_dj|f||_g|_|j|}x|D]}||j|dd7}q.W||_dS)N:T) subpolicy)rr|rlinesread_policy_file _directives)r1Z policy_namerZsubpolicy_namesrZsubpolicy_namerrrr3s  zUnscopedCryptoPolicy.__init__cCs|j S)N)r)r1rrris_emptyszUnscopedCryptoPolicy.is_emptycCst|j|p iS)N)rr)r1r<rrrscopedszUnscopedCryptoPolicy.scopedFc Cs|jpd}|rtjj|d}t|||s*dndtjj|tjj|j|tjj|j|f}t|}|j }WdQRXt |}|j d}x|D]}t |ddqWx|D] }t |qWt dd |DgS) NZpoliciesmodulesz.polz.pmodrqT)rkcSsg|] }t|qSr)ri)rrlrrrr8sz9UnscopedCryptoPolicy.read_policy_file..)rrrr|rcurdir CONFIG_DIR SHARE_DIRopenreadrr.ror]) r1namerZpdirr2frrrlrrrrs$      z%UnscopedCryptoPolicy.read_policy_filec Csdd}|j}d|jd}|d7}|d7}|d7}|d7}|d7}|j|j}x"|jD]\}}||||7}q\Wd }xvtjD]j\}} 
|j| d } | j| j} xH| jD]<\}}|||kr|s|d 7}d }|||d ||7}qWqW|s|d7}|S)NcSs2t|trdj|nt|}|d|jdS)Nrxz = rq) isinstancerr|strrstrip)keyrar7rrrfmtsz)UnscopedCryptoPolicy.__str__..fmtz # Policy z dump z# z?# Do not parse the contents of this file with automated tools, z.# it is provided for review convenience only. z"# Baseline values for all scopes: F)r<z9# Scope-specific properties derived for select backends: Trfz&# No scope-specific properties found. )rrrrr~DUMPABLE_SCOPES) r1rZgeneric_scopedr7Z generic_allrVraZanything_scope_specificZ scope_nameZ scope_setZspecific_scopedZ specific_allrrrr6s2    zUnscopedCryptoPolicy.__str__)N)F) rBrCrDrrr3rrrr6rrrrr{s   r)r r r r rrr)rrrrrrrrrrrrrrr r!r"r#)rVr-rdra)F) collectionsenumr9rryrjrwrrrZr>r0rr$EnumrErb namedtuplercriro FutureWarningrprrrrrrrrsP  3 ;  LB PKեe[q5]???python/cryptopolicies/__pycache__/cryptopolicies.cpython-36.pycnu[3 ."dCB@s6ddlZddlZddlZddlZddlZddlZddlmZddlmZdddZd-d.Zd?d0d1ZGd2d3d3eZd4d5ZGd6d7d7Zd8d9ZGd:d;d;ZdS)@N) alg_lists) validationcCsi|] }d|qS)r).0krrC./usr/share/crypto-policies/python/cryptopolicies/cryptopolicies.py sr arbitrary_dh_groups min_dh_size min_dsa_size min_rsa_size sha1_in_certs ssh_certsssh_etm*tlssslopensslnssgnutlsjava-tlssshopensshopenssh-serveropenssh-clientlibsshipsecike libreswankerberoskrb5dnssecbind) r#rzjava-tlsr!rrrzopenssh-clientzopenssh-serverrc@s(eZdZefddZddZddZdS) ScopeSelectorcCs|j|_}|jd |_|jr&|n |dd}tjj||jdtjj||jd|jdrr|ddjdn|g|_ tjj |j t |jddS)a= Initialize a scope selector. An example would be `ssh` in `ciphers@ssh = -NULL`. When openssh backend will request the configuration, it'll offer (`{'ssh', 'openssh'}`) as scopes and the rule above will be taken into account. Both patterns and scopes are cast to lowercase. 
For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ss = ScopeSelector('!{SSH,IPsec}') >>> ss.matches({'ipsec', 'libreswan'}) False >>> ss.matches({'tls', 'openssl'}) True !rN)Zoriginal_pattern{,) lowerpattern startswith _positiverscopeZillegal_charactersZcurly_bracketssplit_globsZresulting_globs ALL_SCOPES)selfr*prrr__init__5s$ zScopeSelector.__init__cCsdt|jdS)Nz)reprr*)r1rrr__str__PszScopeSelector.__str__csh|jtkrdSddDtddDs2t|jrPtfdd|jDStfdd|jDS)aE Checks whether ScopeSelector matches one of the scopes. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ScopeSelector('{SSH,IPsec}').matches({'ipsec', 'libreswan'}) True >>> ScopeSelector('!{SSH,IPsec}').matches({'ipsec', 'libreswan'}) False TcSsg|] }|jqSr)r))rsrrr ^sz)ScopeSelector.matches..css|]}|tkVqdS)N)r0)rr7rrr _sz(ScopeSelector.matches..c3s|]}tj|VqdS)N)fnmatchfilter)rg)scopesrrr9asc3s|]}tj| VqdS)N)r:r;)rr<)r=rrr9bs)r* SCOPE_ANYallAssertionErrorr,anyr/)r1r=r)r=rmatchesSs zScopeSelector.matchesN)__name__ __module__ __qualname__r>r3r6rBrrrrr$4s r$c@s$eZdZdZdZdZdZdZdZdS) OperationzM An operation that comes with the right-hand value of the directive. rN) rCrDrE__doc__RESETPREPENDAPPENDOMITSET_INTrrrrrFgs rFcsdd|jrftjkr2tkr2tjt|fgStjkrJtjj qztjksXt tkszt ntkrztjj |j }t fdd|Dstfdd|Dg}tjdfgdd|DStfd d|Drg}x|D]}|jd r"tjtj|d dddd}n\|jd rTtjtj|ddddd}n*|jd sdt tjtj|d d}|jfd d|DqW|Stjj|dS)a7 Parses right-hand parts of the directives into lists of operation/value pairs. 
For more examples, refer to tests/unit/test_parsing.py >>> parse_rhs('', 'cipher') [(, None)] >>> parse_rhs('IDEA-CBC SEED-CBC', 'cipher') [(, None), (, 'IDEA-CBC'), (, 'SEED-CBC')] >>> # 3DES-CBC gets prepended last for higher prio >>> parse_rhs('+*DES-CBC', 'cipher') [(, 'DES-CBC'), (, '3DES-CBC')] cSs|jdp|jdp|jdS)N+-)r+endswith)vrrr differentialszparse_rhs..differentialc3s|]}|VqdS)Nr)rrT)rUrrr9szparse_rhs..csg|]}tj|qSr)rglob)rrT) prop_namerrr8szparse_rhs..NcSsg|]}tj|fqSr)rFrN)rrTrrrr8sc3s|]}|VqdS)Nr)rrT)rUrrr9srQrrRcsg|] }|fqSrr)rrT)oprrr8sr(r(r()isdigitrALL INT_DEFAULTSrFrPintrrulesZNonIntPropertyIntValueErrorr@ZIntPropertyNonIntValueErrorr.rAsumrLr?r+rMrVrSrNrOextendZ%MixedDifferentialNonDifferentialError)rhsrWvaluesZ operationsvalueZunglobr)rUrXrWr parse_rhsrs<        rc DirectiverWr- operationrbcs|js gStjj||jd\}}|j|j}}tjj||d|krZ|jddn|tf\fddt|DS)ae Parses configuration lines into tuples of directives. For more examples, refer to tests/unit/test_parsing.py >>> parse_line('cipher@TLS = RC4* NULL') [Directive(prop_name='cipher', scope='tls', operation=, value=None), Directive(prop_name='cipher', scope='tls', operation=, value='RC4-40'), Directive(prop_name='cipher', scope='tls', operation=, value='RC4-128'), Directive(prop_name='cipher', scope='tls', operation=, value='NULL')] =@rcs$g|]\}}tj||dqS))rWr-rerb)rdr))rrerb)rWr-rrr8szparse_line..)striprr]Zcount_equals_signsr.Z empty_lhsr>rc)lineZlhsr`r)rWr-r parse_lines   rjFcCs^y$t|}x|D]}t|jqWWn4tjk rX}z|s>tj|WYdd}~XnXdS)N)rjr$r-rZPolicySyntaxErrorwarningswarn)rirlldexrrrsyntax_check_lines rpcseZdZfddZZS)PolicySyntaxDeprecationWarningcs@|jdd}d|d}|d|d7}|d7}tj|dS)N z and zoption z is deprecatedz", please rewrite your rules using z; z2be advised that it is not always a 1-1 replacement)replacesuperr3)r1Z deprecatedZ replacementmsg) __class__rrr3s   z'PolicySyntaxDeprecationWarning.__init__)rCrDrEr3 __classcell__rr)rvrrqsrqc Cstjdd|}|jdd}djdd|jdD}|jdd}djd d|jdD}djd d|jdD}tjd d|j}tjd |rtjt d dddddd}xr|j D]f\}}d|d}tj||}|rtjt 
||tj|d|}x"|D]}|d|d|7}qWqWtjd d|j}ddd}xN|j D]B\}}d|d}tj ||r|tjt ||tj|||}qJWt t jddd%}xZ|rdjdd|dd&D} tjd|d'd| rd | nd|}|jqWtjd!d|}t t jddd(} xZ| r|djd"d| dd)D} tjd#| d*d| rhd | nd|}| jq$Wtjd$d|}|S)+a Preprocesses text before parsing. Fixes line breaks, handles backwards compatibility. >>> preprocess_text('cipher = c1 \\ \nc2#x') 'cipher = c1 c2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('ike_protocol = IKEv2') 'protocol@IKE = IKEv2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('min_tls_version=TLS1.3') 'protocol@TLS = -SSL2.0 -SSL3.0 -TLS1.0 -TLS1.1 -TLS1.2' z#.*rfz = rrcss|]}|jVqdS)N)rh)rrmrrrr9sz"preprocess_text..z\ css|]}|jVqdS)N)rh)rrmrrrr9scss|]}tjdd|VqdS)z\s+ N)resub)rrmrrrr9sz +z\bprotocol\s*=protocolz protocol@TLSz cipher@TLSz cipher@SSHz group@SSHz protocol@IKE)Z tls_cipherZ ssh_cipherZ ssh_groupZ ike_protocolz\bz\s*=(.*)z z =z7hash@DNSSec = -SHA1 sign@DNSSec = -RSA-SHA1 -ECDSA-SHA1z7hash@DNSSec = SHA1+ sign@DNSSec = RSA-SHA1+ ECDSA-SHA1+)zsha1_in_dnssec = 0zsha1_in_dnssec = 1Nrrycss|]}d|VqdS)rRNr)rrTrrrr9sz\bmin_dtls_version = zprotocol@TLS = z\bmin_dtls_version = 0\bcss|]}d|VqdS)rRNr)rrTrrrr9$sz\bmin_tls_version = z\bmin_tls_version = 0\br(r(r(r(r(r()rzr{rsjoinr.rhfindallrkrlrqitemssearchlistrZDTLS_PROTOCOLSpopZ TLS_PROTOCOLS) textZPOSTFIX_REPLACEMENTSfrZtoZregexZmsmZPLAIN_REPLACEMENTSZ dtls_versionsnegZ tls_versionsrrrpreprocess_textsZ       rc@sJeZdZdZd ddZeddZeddZed d Zed d Z dS) ScopedPolicya An entity constructing lists of what's `.enabled` and what's `.disabled` when the given scopes are active. 
>>> sp = ScopedPolicy(parse_line('cipher@TLS = RC4* NULL'), {'tls'}) >>> 'AES-256-GCM' in sp.disabled['cipher'] True >>> sp.enabled['cipher'] ['RC4-40', 'RC4-128', 'NULL'] >>> ScopedPolicy(parse_line('min_dh_size=2048')).integers['min_dh_size'] 2048 NcsX|pt}tj_ddtjD_x|D]tj}|j |r,j t j kr^gjj <q,j t jkrjj }j|kr|jjq,j t jkr̈jj }j|kr|jj|jdjq,j t jkrfddjj Djj <q,j t jkstjjj <q,Wtjttjks>tfddtjD_dS)NcSsi|] }g|qSrr)rrWrrrr >sz)ScopedPolicy.__init__..rcsg|]}|jkr|qSr)rb)re) directiverrr8Rsz)ScopedPolicy.__init__..cs(i|] fddtjDqS)csg|]}|jkr|qSr)enabled)rr)rWr1rrr8Zsz4ScopedPolicy.__init__...)rrZ)r)r1)rWrr Zs)setr[copyintegersrrZrr$r-rBrerFrLrWrNrbappendrMremoveinsertrOrPr@lenZdisabled)r1 directivesZrelevant_scopesZssrr)rr1rr3;s0              $ zScopedPolicy.__init__cCstj|jdS)Nr|)rmin_tls_versionr)r1rrrr^szScopedPolicy.min_tls_versioncCstj|jdS)Nr|)rmax_tls_versionr)r1rrrrbszScopedPolicy.max_tls_versioncCstj|jdS)Nr|)rmin_dtls_versionr)r1rrrrfszScopedPolicy.min_dtls_versioncCstj|jdS)Nr|)rmax_dtls_versionr)r1rrrrjszScopedPolicy.max_dtls_version)N) rCrDrErKr3propertyrrrrrrrrr/s   #   rcCs@x,|D]$}tjj||}tj|tjr|SqWtj|||dS)N)ospathr}accessR_OKrZPolicyFileNotFoundError) policynamefnamepathsrnr2rrr lookup_fileqs  rc@sFeZdZdZdZddddZddZdd d Zdd d ZddZ dS)UnscopedCryptoPolicyz/etc/crypto-policiesz/usr/share/crypto-policiesN) policydircGsR||_dj|f||_g|_|j|}x|D]}||j|dd7}q.W||_dS)N:T) subpolicy)rr}rlinesread_policy_file _directives)r1Z policy_namerZsubpolicy_namesrZsubpolicy_namerrrr3s  zUnscopedCryptoPolicy.__init__cCs|j S)N)r)r1rrris_emptyszUnscopedCryptoPolicy.is_emptycCst|j|p iS)N)rr)r1r=rrrscopedszUnscopedCryptoPolicy.scopedFc Cs|jpd}|rtjj|d}t|||s*dndtjj|tjj|j|tjj|j|f}t|}|j }WdQRXt |}|j d}x|D]}t |ddqWx|D] }t |qWt dd |DgS) NZpoliciesmodulesz.polz.pmodrrT)rlcSsg|] }t|qSr)rj)rrmrrrr8sz9UnscopedCryptoPolicy.read_policy_file..)rrrr}rcurdir CONFIG_DIR SHARE_DIRopenreadrr.rpr^) r1namerZpdirr2frrrmrrrrs$      z%UnscopedCryptoPolicy.read_policy_filec 
Csdd}|j}d|jd}|d7}|d7}|d7}|d7}|d7}|j|j}x"|jD]\}}||||7}q\Wd }xvtjD]j\}} |j| d } | j| j} xH| jD]<\}}|||kr|s|d 7}d }|||d ||7}qWqW|s|d7}|S)NcSs2t|trdj|nt|}|d|jdS)Nryz = rr) isinstancerr}strrstrip)keyrbr7rrrfmtsz)UnscopedCryptoPolicy.__str__..fmtz # Policy z dump z# z?# Do not parse the contents of this file with automated tools, z.# it is provided for review convenience only. z"# Baseline values for all scopes: F)r=z9# Scope-specific properties derived for select backends: Trgz&# No scope-specific properties found. )rrrrrDUMPABLE_SCOPES) r1rZgeneric_scopedr7Z generic_allrWrbZanything_scope_specificZ scope_nameZ scope_setZspecific_scopedZ specific_allrrrr6s2    zUnscopedCryptoPolicy.__str__)N)F) rCrDrErrr3rrrr6rrrrr{s   r)r r r r rrr)rrrrrrrrrrrrrrr r!r"r#)rWr-rerb)F) collectionsenumr:rrzrkrxrrr[r>r0rr$EnumrFrc namedtuplerdrjrp FutureWarningrqrrrrrrrrsP  3 ;  LB PKեe[U@python/cryptopolicies/__pycache__/alg_lists.cpython-36.opt-1.pycnu[3 ."d.'@sdZddlZddlmZdZdZdZdZdZdZ dZ dZ dZ e e e Z eeee ee ed}Zd~dZddZddZddZddZddZdS)z. Lists of algorithms and globbing among them. 
N) validation AES-256-GCM AES-256-CCM AES-192-GCM AES-192-CCM AES-128-GCM AES-128-CCMCHACHA20-POLY1305CAMELLIA-256-GCMCAMELLIA-128-GCM AES-256-CTR AES-256-CBC AES-192-CTR AES-192-CBC AES-128-CTR AES-128-CBCCAMELLIA-256-CBCCAMELLIA-128-CBC3DES-CBCDES-CBCRC4-40RC4-128 DES40-CBCRC2-CBCIDEA-CBCSEED-CBCNULLAEADUMAC-128 HMAC-SHA1 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512UMAC-64HMAC-MD5SHA2-256SHA2-384SHA2-512SHA3-256SHA3-384SHA3-512SHA2-224SHA1MD5GOSTX25519 SECP256R1 SECP384R1 SECP521R1X448 FFDHE-1536 FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 FFDHE-1024RSA-MD5RSA-SHA1DSA-SHA1 ECDSA-SHA1 RSA-SHA2-224 DSA-SHA2-224ECDSA-SHA2-224 RSA-SHA2-256 DSA-SHA2-256ECDSA-SHA2-256ECDSA-SHA2-256-FIDO RSA-SHA2-384 DSA-SHA2-384ECDSA-SHA2-384 RSA-SHA2-512 DSA-SHA2-512ECDSA-SHA2-512 RSA-SHA3-256 DSA-SHA3-256ECDSA-SHA3-256 RSA-SHA3-384 DSA-SHA3-384ECDSA-SHA3-384 RSA-SHA3-512 DSA-SHA3-512ECDSA-SHA3-512 EDDSA-ED25519EDDSA-ED25519-FIDO EDDSA-ED448 RSA-PSS-SHA1RSA-PSS-SHA2-224RSA-PSS-SHA2-256RSA-PSS-SHA2-384RSA-PSS-SHA2-512RSA-PSS-RSAE-SHA1RSA-PSS-RSAE-SHA2-224RSA-PSS-RSAE-SHA2-256RSA-PSS-RSAE-SHA2-384RSA-PSS-RSAE-SHA2-512PSKDHE-PSK ECDHE-PSKECDHERSADHEDHE-RSADHE-DSSEXPORTANONDHECDHDHE-GSS ECDHE-GSSTLS1.3TLS1.2TLS1.1TLS1.0SSL3.0SSL2.0DTLS1.2DTLS1.0DTLS0.9IKEv2IKEv1)ZciphergrouphashZ key_exchangeZmacZprotocolZsigncCs:|tkrtjj|tjt||}|s6tjj|||S)z Lists algorithms matching a glob, in order of appearance in ALL[alg_class]. 
For more examples, refer to tests/unit/parsing/test_alg_lists.py >>> glob('RC4-*', 'cipher') ['RC4-40', 'RC4-128'] )ALLrZ alg_listsZAlgorithmClassUnknownErrorfnmatchfilterZAlgorithmEmptyMatchError)patternZ alg_classrr>./usr/share/crypto-policies/python/cryptopolicies/alg_lists.pyglobYs  rcs8fdd|D}|sdSfdd|D}t|S)zO >>> earliest_occurrence('test', 'abcdefghijklmnopqrstuvwxyz') 'e' csg|]}|kr|qSrr).0n)ordered_haystackrr nsz'earliest_occurrence..Nc3s|]}j|VqdS)N)index)rr)rrr qsz&earliest_occurrence..)min)Zneedlesr intersectionindicesr)rrearliest_occurrenceis rcCst|tdddS)z@ >>> min_tls_version(['SSL3.0', 'TLS1.2']) 'SSL3.0' Nr)r TLS_PROTOCOLS)versionsrrrmin_tls_versionusrcCst|tdddS)zD >>> min_dtls_version(['DTLS1.2', 'DTLS1.0']) 'DTLS1.0' Nrr)rDTLS_PROTOCOLS)rrrrmin_dtls_version}srcCs t|tS)z@ >>> max_tls_version(['SSL3.0', 'TLS1.2']) 'TLS1.2' )rr)rrrrmax_tls_versionsrcCs t|tS)zD >>> max_dtls_version(['DTLS1.2', 'DTLS1.0']) 'DTLS1.2' )rr)rrrrmax_dtls_versionsr)rrrrrr r r r r rrrrrrrrrrrrrrrr)rrr r!r"r#r$r%) r&r'r(r)r*r+r,r-r.r/) r0r1r2r3r4r5r6r7r8r9r:r;)'r<r=r>r?r@rArBrCrDrErFrGrHrIrJrKrLrMrNrOrPrQrRrSrTrUrVrWrXrYrZr[r\r]r^r_r`rarb)rcrdrerfrgrhrirjrkrlrmrnrorp)rqrrrsrtrurv)rwrxry)rzr{)__doc__rrZ ALL_CIPHERSZALL_MACSZ ALL_HASHESZ ALL_GROUPSZALL_SIGNZALL_KEY_EXCHANGESrrZ IKE_PROTOCOLSZ ALL_PROTOCOLSr~rrrrrrrrrrsn   PKեe[D!python/cryptopolicies/__init__.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. 
# Copyright (c) 2019 Tomáš Mráz from .cryptopolicies import UnscopedCryptoPolicy __all__ = ['UnscopedCryptoPolicy'] PKեe[u>"">python/__pycache__/update-crypto-policies.cpython-36.opt-1.pycnu[3 ."d$!@spddlZddlZddlZddlZddlmZddlZddlZddlZddl Zddl Z dde_ dZ dZ dZdZd d Zyejd Zeej_Wnek re ZYnXyejd Zeej_Wnek re ZYnXejjed ZejjedZejjedZejjeeZddZddZddZ ddZ!ddZ"ddZ#ddZ$GdddZ%d d!Z&e'd"krle&dS)#N)mkstempcOs|jdt|jdS)Nz:  )__name__str capitalize)msgcategoryaZkwar <./usr/share/crypto-policies/python/update-crypto-policies.pysr z/usr/share/crypto-policiesz/etc/crypto-policieszreload-cmds.shz/proc/sys/crypto/fips_enabledcOst|dtji|dS)Nfile)printsysstderr)argskwargsr r r eprint sr profile_dirbase_dirzlocal.dz back-endsstatecCsrtjdd}|j}|jdddddd|jd d d d |jd d dd |jdd tjd |jdd dd |jS)zParse the command lineF)Z allow_abbrevz--set?ZPOLICYzset the policy POLICY)nargsdefaultmetavarhelpz--show store_truez.show the current policy from the configuration)actionrz --is-appliedz+check whether the current policy is appliedz --no-checkz --no-reloadz3do not run the reload scripts when setting a policy)argparseArgumentParserZadd_mutually_exclusive_group add_argumentZSUPPRESS parse_args)parsergroupr r r r"8s   r"c Csy0tjtjjtdj}tjtjjtdj}Wntk rNtj dYnX||krjt dtj dt dtj ddS)NcurrentconfigMz The configured policy is appliedrz$The configured policy is NOT applied) osstatpathjoin state_dirst_mtimerOSErrorrexitr)Ztime1Ztime2r r r is_appliedIs r1c Cs2ytjttjtWntk r,YnXdS)N)r)makedirsbackend_config_dirr-r/r r r r setup_directoriesWs  r4cCs>y$tt}t|jdkSQRXWntk r8dSXdS)NrF)openFIPS_MODE_FLAGintreadr/)fr r r fips_mode_s  r:cCst||d\}}tj|t|dtj|tj|dzZytj|tjj||Wn:t k r}ztj |tj ||WYdd}~XnXWdtj |XdS)N)prefixdirzutf-8i) rr)writebytesfsyncfchmodrenamer+r,r/unlinkclose) directoryfilenamecontentsfdr+er r r safe_writegs    rIcCst||d\}}tj|tj|tj||ytj|tjj||Wn0tk rz}ztj||WYdd}~XnXdS)N)r;r<) rr)rCrBsymlinkrAr+r,r/)rDrEtargetrGr+rHr r r safe_symlinkvs    rLc$Cs|tjj||d}ttj|}d} x|D]} tjj| r*d} q*Wtjj|t||d} tj| tj} | r| rt ||d| dS| 
r|j r|rt | } | j }WdQRXt ||d|| rxtjj||d}x|D]} y"t | d}|j }WdQRXWn$tk r*td|wYnXy$t |d}|j|WdQRXWqtk rrtd |YqXqWdS) Nz -*.configFTz.txtz.configrzCannot read local policy file r z&Error applying local configuration to )r)r+r,sortedglobexistsraccessR_OKrL subpoliciesr5r8rIr/rr=)pconfigZcfgnameZcfgdataZcfgdirZlocaldirZ profiledirpolicy_was_emptyZlocal_cfg_pathZ local_cfgsZlocal_cfg_presentZlcfgZ profilepathZprofilepath_existsZf_preZcfgfileZlfZ local_dataZcfr r r save_configs:        rVc@s>eZdZddZdddZddZdd Zd d Zd d ZdS) ProfileConfigcCsd|_g|_dS)Nr)policyrS)selfr r r __init__szProfileConfig.__init__Fcs`|jjddr2| r2d|_ddfddD|rV|jjn|_dS)N:rr(csg|] }r|qSr r ).0i)lr r sz.ProfileConfig.parse_string..)uppersplitrXrSappend)rYs subpolicyr )r^r parse_strings  zProfileConfig.parse_stringc CsVd}t|@}x8|D]0}|jddd}|j}|r|j||d}qWWdQRXdS)NF#r(rT)r5rastripre)rYrErdr9liner r r parse_files   zProfileConfig.parse_filecs(|jjdfdd|jD|_dS)Nr[csg|]}|kr|qSr r )r\r])r^r r r_sz4ProfileConfig.remove_subpolicies..)r`rarS)rYrcr )r^r remove_subpoliciessz ProfileConfig.remove_subpoliciescCs&|j}dj|j}|r"|d|}|S)Nr[)rXr,rS)rYrcZsubsr r r __str__s   zProfileConfig.__str__cCstt|dS)N)rr)rYr r r showszProfileConfig.showN)F) r __module__ __qualname__rZrerirjrkrlr r r r rWs   rWc)Cst}|jrttjdd}tt}d}tjjt d}tj |tj rX|j |n&t rj|jdn|j tjjtd|jr|jtjd|j}|r|j}|j|d}|j|kr|jdkrtdtdtd n(t rtd td td td t tkr8tjdks8tdtjdytj|jf|j}Wnxtjjk r}zt|tjdWYdd}~Xn@tjjk r}ztd|tjdWYdd}~XnXtdt|ddttD} x| D]} tj | } | } y| j!|j"| j#} Wn0t$k rLtd| j%tdd}YnXy t&|| j%| t't(t|j)dWn0t*k rtd| j%tdd}YnXqW|ryt+t dt|dWn"t*k rtdd}YnXyt+t,dt|dWn"t*k r"tdd}YnXyt+t,dt|Wn"t*k rZtd d}YnXtd!td"td#|j-st.j/d$t0gtj|dS)%z!The actual command implementationrFr&ZFIPSzdefault-configTzHWarning: Using 'update-crypto-policies --set FIPS' is not sufficient forz FIPS compliance.z8 Use 'fips-mode-setup --enable' command instead.zOWarning: Using 'update-crypto-policies --set' in FIPS mode will make the systemz! 
non-compliant with FIPS.z8 It can also break the ssh access to the system.zI Use 'fips-mode-setup --disable' to disable the system FIPS mode.z/You must be root to run update-crypto-policies.r(Nz%Errors found in policy, first one: zSetting system policy to cSsg|]}d|kr|qS) Generatorr )r\gr r r r_szmain..zError generating config for zKeeping original configuration)rUzError saving config for rz.Error setting the current policy configurationr%z$Error updating current policy markerz CURRENT.polz"Error updating current policy dumpzFNote: System-wide crypto policies are applied on application start-up.zBIt is recommended to restart the system for the change of policieszto fully take place.z /bin/bash)1r"r1rr0r4rWr)r+r,rrQrRrir:rerrlsetrXrDEFAULT_BASE_DIRgeteuidcryptopoliciesUnscopedCryptoPolicyrSZ validationZPolicyFileNotFoundErrorZPolicySyntaxErrorrrr<policygenerators__dict__Zgenerate_configZscopedZSCOPES LookupErrorZ CONFIG_NAMErVr3 local_dirZis_emptyr/rIr-Z no_reload subprocessZcallreload_cmd_path)ZcmdlineerrrTZ set_configZ configfileZprofileZ oldpolicyZcpexZ generatorsrpclsgenr&r r r mains                  r__main__)(rrr)r|ZtempfilerrOwarningsrvZcryptopolicies.validationrx formatwarningZDEFAULT_PROFILE_DIRrtZRELOAD_CMD_NAMEr6renvironrrwZ SHARE_DIRKeyErrorrZ CONFIG_DIRr+r,r{r3r-r}r"r1r4r:rIrLrVrWrrr r r r sP         +)s PKեe[u>""8python/__pycache__/update-crypto-policies.cpython-36.pycnu[3 ."d$!@spddlZddlZddlZddlZddlmZddlZddlZddlZddl Zddl Z dde_ dZ dZ dZdZd d Zyejd Zeej_Wnek re ZYnXyejd Zeej_Wnek re ZYnXejjed ZejjedZejjedZejjeeZddZddZddZ ddZ!ddZ"ddZ#ddZ$GdddZ%d d!Z&e'd"krle&dS)#N)mkstempcOs|jdt|jdS)Nz:  )__name__str capitalize)msgcategoryaZkwar <./usr/share/crypto-policies/python/update-crypto-policies.pysr z/usr/share/crypto-policiesz/etc/crypto-policieszreload-cmds.shz/proc/sys/crypto/fips_enabledcOst|dtji|dS)Nfile)printsysstderr)argskwargsr r r eprint sr profile_dirbase_dirzlocal.dz back-endsstatecCsrtjdd}|j}|jdddddd|jd d d d |jd d dd |jdd tjd |jdd dd |jS)zParse the 
command lineF)Z allow_abbrevz--set?ZPOLICYzset the policy POLICY)nargsdefaultmetavarhelpz--show store_truez.show the current policy from the configuration)actionrz --is-appliedz+check whether the current policy is appliedz --no-checkz --no-reloadz3do not run the reload scripts when setting a policy)argparseArgumentParserZadd_mutually_exclusive_group add_argumentZSUPPRESS parse_args)parsergroupr r r r"8s   r"c Csy0tjtjjtdj}tjtjjtdj}Wntk rNtj dYnX||krjt dtj dt dtj ddS)NcurrentconfigMz The configured policy is appliedrz$The configured policy is NOT applied) osstatpathjoin state_dirst_mtimerOSErrorrexitr)Ztime1Ztime2r r r is_appliedIs r1c Cs2ytjttjtWntk r,YnXdS)N)r)makedirsbackend_config_dirr-r/r r r r setup_directoriesWs  r4cCs>y$tt}t|jdkSQRXWntk r8dSXdS)NrF)openFIPS_MODE_FLAGintreadr/)fr r r fips_mode_s  r:cCst||d\}}tj|t|dtj|tj|dzZytj|tjj||Wn:t k r}ztj |tj ||WYdd}~XnXWdtj |XdS)N)prefixdirzutf-8i) rr)writebytesfsyncfchmodrenamer+r,r/unlinkclose) directoryfilenamecontentsfdr+er r r safe_writegs    rIcCst||d\}}tj|tj|tj||ytj|tjj||Wn0tk rz}ztj||WYdd}~XnXdS)N)r;r<) rr)rCrBsymlinkrAr+r,r/)rDrEtargetrGr+rHr r r safe_symlinkvs    rLc$Cs|tjj||d}ttj|}d} x|D]} tjj| r*d} q*Wtjj|t||d} tj| tj} | r| rt ||d| dS| r|j r|rt | } | j }WdQRXt ||d|| rxtjj||d}x|D]} y"t | d}|j }WdQRXWn$tk r*td|wYnXy$t |d}|j|WdQRXWqtk rrtd |YqXqWdS) Nz -*.configFTz.txtz.configrzCannot read local policy file r z&Error applying local configuration to )r)r+r,sortedglobexistsraccessR_OKrL subpoliciesr5r8rIr/rr=)pconfigZcfgnameZcfgdataZcfgdirZlocaldirZ profiledirpolicy_was_emptyZlocal_cfg_pathZ local_cfgsZlocal_cfg_presentZlcfgZ profilepathZprofilepath_existsZf_preZcfgfileZlfZ local_dataZcfr r r save_configs:        rVc@s>eZdZddZdddZddZdd Zd d Zd d ZdS) ProfileConfigcCsd|_g|_dS)Nr)policyrS)selfr r r __init__szProfileConfig.__init__Fcs`|jjddr2| r2d|_ddfddD|rV|jjn|_dS)N:rr(csg|] }r|qSr r ).0i)lr r sz.ProfileConfig.parse_string..)uppersplitrXrSappend)rYs subpolicyr )r^r parse_strings  zProfileConfig.parse_stringc 
CsVd}t|@}x8|D]0}|jddd}|j}|r|j||d}qWWdQRXdS)NF#r(rT)r5rastripre)rYrErdr9liner r r parse_files   zProfileConfig.parse_filecs(|jjdfdd|jD|_dS)Nr[csg|]}|kr|qSr r )r\r])r^r r r_sz4ProfileConfig.remove_subpolicies..)r`rarS)rYrcr )r^r remove_subpoliciessz ProfileConfig.remove_subpoliciescCs&|j}dj|j}|r"|d|}|S)Nr[)rXr,rS)rYrcZsubsr r r __str__s   zProfileConfig.__str__cCstt|dS)N)rr)rYr r r showszProfileConfig.showN)F) r __module__ __qualname__rZrerirjrkrlr r r r rWs   rWc)Cst}|jrttjdd}tt}d}tjjt d}tj |tj rX|j |n&t rj|jdn|j tjjtd|jr|jtjd|j}|r|j}|j|d}|j|kr|jdkrtdtdtd n(t rtd td td td t tkr8tjdks8tdtjdytj|jf|j}Wnxtjjk r}zt|tjdWYdd}~Xn@tjjk r}ztd|tjdWYdd}~XnXtdt|ddttD} x| D]} tj | } | } y| j!|j"| j#} Wn0t$k rLtd| j%tdd}YnXy t&|| j%| t't(t|j)dWn0t*k rtd| j%tdd}YnXqW|ryt+t dt|dWn"t*k rtdd}YnXyt+t,dt|dWn"t*k r"tdd}YnXyt+t,dt|Wn"t*k rZtd d}YnXtd!td"td#|j-st.j/d$t0gtj|dS)%z!The actual command implementationrFr&ZFIPSzdefault-configTzHWarning: Using 'update-crypto-policies --set FIPS' is not sufficient forz FIPS compliance.z8 Use 'fips-mode-setup --enable' command instead.zOWarning: Using 'update-crypto-policies --set' in FIPS mode will make the systemz! 
non-compliant with FIPS.z8 It can also break the ssh access to the system.zI Use 'fips-mode-setup --disable' to disable the system FIPS mode.z/You must be root to run update-crypto-policies.r(Nz%Errors found in policy, first one: zSetting system policy to cSsg|]}d|kr|qS) Generatorr )r\gr r r r_szmain..zError generating config for zKeeping original configuration)rUzError saving config for rz.Error setting the current policy configurationr%z$Error updating current policy markerz CURRENT.polz"Error updating current policy dumpzFNote: System-wide crypto policies are applied on application start-up.zBIt is recommended to restart the system for the change of policieszto fully take place.z /bin/bash)1r"r1rr0r4rWr)r+r,rrQrRrir:rerrlsetrXrDEFAULT_BASE_DIRgeteuidcryptopoliciesUnscopedCryptoPolicyrSZ validationZPolicyFileNotFoundErrorZPolicySyntaxErrorrrr<policygenerators__dict__Zgenerate_configZscopedZSCOPES LookupErrorZ CONFIG_NAMErVr3 local_dirZis_emptyr/rIr-Z no_reload subprocessZcallreload_cmd_path)ZcmdlineerrrTZ set_configZ configfileZprofileZ oldpolicyZcpexZ generatorsrpclsgenr&r r r mains                  r__main__)(rrr)r|ZtempfilerrOwarningsrvZcryptopolicies.validationrx formatwarningZDEFAULT_PROFILE_DIRrtZRELOAD_CMD_NAMEr6renvironrrwZ SHARE_DIRKeyErrorrZ CONFIG_DIRr+r,r{r3r-r}r"r1r4r:rIrLrVrWrrr r r r sP         +)s PKեe[ߺh7python/__pycache__/build-crypto-policies.cpython-36.pycnu[3 ."d@sxddlZddlZddlZddlZddlZddlZdZddZddZddZ dd d Z d d Z d dZ e dkrte dS)Nzreload-cmds.shcOst|dtji|dS)Nfile)printsysstderr)argskwargsr;./usr/share/crypto-policies/python/build-crypto-policies.pyeprintsr cCstjdd}|jdddd|jdddd|jd td d d |jd ddd|jdddd|jddd|jddd|jS)zParse the command lineF)Z allow_abbrevz--flat store_truez1put all the generated files in a single directory)actionhelpz--testz7compare the generated config file with the existing onez--policyZPOLICYz"generate the specified policy only)typemetavarr z --reloadcmdszDalso save reload cmds into reload-cmds.sh script in output 
directoryz--strictzfail on warnings policydirz5a directory with base policy definition files (*.pol))r outputdirz.a target directory with generated config files)argparseArgumentParser add_argumentstr parse_args)parserrrr rs   rcCs<|jr tjj|jdj||}n`tjj|j|}tjj|snytj|Wn"tk rlt dj|dSXtjj||d}|j ry@t |dd}|j }WdQRX||krt dj||dSdSt k rYn$tk rt d j|dSXtd j||t |d d}|j|WdQRXtdS) Nz {}-{}.txtz%Cannot create directory for policy {}Fz.txtr)modez9Config for {} for policy {} differs from the existing oneTzError reading generated file {}z"Saving config for {} for policy {}w)ZflatospathjoinrformatisdirmkdirOSErrorr ZtestopenreadFileNotFoundErrorrwrite)cmdline policy_nameZ config_nameconfigrdirpathfZ old_configrrr save_config-s8 r+c Cs(d}|dkrg}ytj|f||d|ji}Wn0tk r^}ztdt|dSd}~XnXddttD}x|D]}tj|}|} | j |j | j } |dks| j | ry(dj |f|} t|| | j| sd }Wn0tk r td | jtd d }YnXqxtd | jd}qxW|S)NrrzError: cSsg|]}d|kr|qS) Generatorr).0grrr \sz build_policy..ZEMPTY:zError saving config for zKeeping original configurationzError testing config for )cryptopoliciesZUnscopedCryptoPolicyr ValueErrorr rdirpolicygenerators__dict__Zgenerate_configZscopedZSCOPESZ test_configrr+Z CONFIG_NAMEr!) 
r&r'subpolicy_nameserrZcpe generatorsr/clsgenr(namerrr build_policyOs6   rAcCsd}ddttD}tjj|jt}y@t|dd*}x"|D]}tj|}|j |j q.r)rzError saving reload cmds) r7r8rrrrRELOAD_CMD_NAMEr"r9r%Z RELOAD_CMDr!r )r&r;r=rr*r/r>rrr save_reload_cmdsrs   rDc Cst}d}|jrtjd|jrHtd|jjjd^}}t|||}nft j |j T}xL|D]D}|j j d r\|jr\t jj|j \}}|dkr\t||}|r\Pq\WWdQRX| r|jrt|}tj|dS)z!The actual command implementationrerrorNr1.z.pol)rstrictwarningsfilterwarningsZpolicyfilteruppersplitrArscandirrr@ startswithis_filersplitextZ reloadcmdsrDrexit)r&r;r'r:ZsdiZextrrr mains$    rS__main__)N)rrrrHr5r8rCr rr+rArDrS__name__rrrr s" #PKեe[ߺh=python/__pycache__/build-crypto-policies.cpython-36.opt-1.pycnu[3 ."d@sxddlZddlZddlZddlZddlZddlZdZddZddZddZ dd d Z d d Z d dZ e dkrte dS)Nzreload-cmds.shcOst|dtji|dS)Nfile)printsysstderr)argskwargsr;./usr/share/crypto-policies/python/build-crypto-policies.pyeprintsr cCstjdd}|jdddd|jdddd|jd td d d |jd ddd|jdddd|jddd|jddd|jS)zParse the command lineF)Z allow_abbrevz--flat store_truez1put all the generated files in a single directory)actionhelpz--testz7compare the generated config file with the existing onez--policyZPOLICYz"generate the specified policy only)typemetavarr z --reloadcmdszDalso save reload cmds into reload-cmds.sh script in output directoryz--strictzfail on warnings policydirz5a directory with base policy definition files (*.pol))r outputdirz.a target directory with generated config files)argparseArgumentParser add_argumentstr parse_args)parserrrr rs   rcCs<|jr tjj|jdj||}n`tjj|j|}tjj|snytj|Wn"tk rlt dj|dSXtjj||d}|j ry@t |dd}|j }WdQRX||krt dj||dSdSt k rYn$tk rt d j|dSXtd j||t |d d}|j|WdQRXtdS) Nz {}-{}.txtz%Cannot create directory for policy {}Fz.txtr)modez9Config for {} for policy {} differs from the existing oneTzError reading generated file {}z"Saving config for {} for policy {}w)ZflatospathjoinrformatisdirmkdirOSErrorr ZtestopenreadFileNotFoundErrorrwrite)cmdline policy_nameZ config_nameconfigrdirpathfZ old_configrrr save_config-s8 r+c Cs(d}|dkrg}ytj|f||d|ji}Wn0tk 
r^}ztdt|dSd}~XnXddttD}x|D]}tj|}|} | j |j | j } |dks| j | ry(dj |f|} t|| | j| sd }Wn0tk r td | jtd d }YnXqxtd | jd}qxW|S)NrrzError: cSsg|]}d|kr|qS) Generatorr).0grrr \sz build_policy..ZEMPTY:zError saving config for zKeeping original configurationzError testing config for )cryptopoliciesZUnscopedCryptoPolicyr ValueErrorr rdirpolicygenerators__dict__Zgenerate_configZscopedZSCOPESZ test_configrr+Z CONFIG_NAMEr!) r&r'subpolicy_nameserrZcpe generatorsr/clsgenr(namerrr build_policyOs6   rAcCsd}ddttD}tjj|jt}y@t|dd*}x"|D]}tj|}|j |j q.r)rzError saving reload cmds) r7r8rrrrRELOAD_CMD_NAMEr"r9r%Z RELOAD_CMDr!r )r&r;r=rr*r/r>rrr save_reload_cmdsrs   rDc Cst}d}|jrtjd|jrHtd|jjjd^}}t|||}nft j |j T}xL|D]D}|j j d r\|jr\t jj|j \}}|dkr\t||}|r\Pq\WWdQRX| r|jrt|}tj|dS)z!The actual command implementationrerrorNr1.z.pol)rstrictwarningsfilterwarningsZpolicyfilteruppersplitrArscandirrr@ startswithis_filersplitextZ reloadcmdsrDrexit)r&r;r'r:ZsdiZextrrr mains$    rS__main__)N)rrrrHr5r8rCr rr+rArDrS__name__rrrr s" #PKեe[python/build-crypto-policies.pynuȯ#!/usr/libexec/platform-python # SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. 
# Copyright (c) 2019 Tomáš Mráz import argparse import os import sys import warnings import cryptopolicies import policygenerators RELOAD_CMD_NAME = 'reload-cmds.sh' def eprint(*args, **kwargs): print(*args, file=sys.stderr, **kwargs) def parse_args(): "Parse the command line" parser = argparse.ArgumentParser(allow_abbrev=False) parser.add_argument('--flat', action='store_true', help='put all the generated files in a single directory') parser.add_argument('--test', action='store_true', help='compare the generated config file with the existing one') parser.add_argument('--policy', type=str, metavar='POLICY', help='generate the specified policy only') parser.add_argument('--reloadcmds', action='store_true', help='also save reload cmds into reload-cmds.sh script in output directory') parser.add_argument('--strict', action='store_true', help='fail on warnings') parser.add_argument('policydir', help='a directory with base policy definition files (*.pol)') parser.add_argument('outputdir', help='a target directory with generated config files') return parser.parse_args() def save_config(cmdline, policy_name, config_name, config): if cmdline.flat: path = os.path.join(cmdline.outputdir, '{}-{}.txt'.format(policy_name, config_name)) else: dirpath = os.path.join(cmdline.outputdir, policy_name) if not os.path.isdir(dirpath): try: os.mkdir(dirpath) except OSError: eprint('Cannot create directory for policy {}'.format(policy_name)) return False path = os.path.join(dirpath, config_name + '.txt') if cmdline.test: try: with open(path, mode='r') as f: old_config = f.read() if old_config != config: eprint('Config for {} for policy {} differs from the existing one'.format(config_name, policy_name)) return False return True except FileNotFoundError: pass except OSError: eprint('Error reading generated file {}'.format(path)) return False print('Saving config for {} for policy {}'.format(config_name, policy_name)) with open(path, mode='w') as f: f.write(config) print() return True def 
build_policy(cmdline, policy_name, subpolicy_names=None): err = 0 if subpolicy_names is None: subpolicy_names = [] try: cp = cryptopolicies.UnscopedCryptoPolicy(policy_name, *subpolicy_names,*subpolicy_names, policydir=cmdline.policydir) except ValueError as e: # TODO: catch specific thing eprint('Error: ' + str(e)) return 1 generators = [g for g in dir(policygenerators) if 'Generator' in g] for g in generators: cls = policygenerators.__dict__[g] gen = cls() config = gen.generate_config(cp.scoped(gen.SCOPES)) if policy_name == 'EMPTY' or gen.test_config(config): try: name = ':'.join([policy_name, *subpolicy_names]) if not save_config(cmdline, name, gen.CONFIG_NAME, config): err = 5 except OSError: eprint('Error saving config for ' + gen.CONFIG_NAME) eprint('Keeping original configuration') err = 4 else: eprint('Error testing config for ' + gen.CONFIG_NAME) err = 3 return err def save_reload_cmds(cmdline): err = 0 generators = [g for g in dir(policygenerators) if 'Generator' in g] path = os.path.join(cmdline.outputdir, RELOAD_CMD_NAME) try: with open(path, mode='w') as f: for g in generators: cls = policygenerators.__dict__[g] f.write(cls.RELOAD_CMD) except OSError: eprint('Error saving reload cmds') err = 6 return err def main(): "The actual command implementation" cmdline = parse_args() err = 0 if cmdline.strict: warnings.filterwarnings("error") if cmdline.policy: (policy_name, *subpolicy_names) = filter(None, cmdline.policy.upper().split(':')) err = build_policy(cmdline, policy_name, subpolicy_names) else: with os.scandir(cmdline.policydir) as sd: for i in sd: if not i.name.startswith('.') and i.is_file(): (policy_name, ext) = os.path.splitext(i.name) if ext == '.pol': err = build_policy(cmdline, policy_name) if err: break if not err and cmdline.reloadcmds: err = save_reload_cmds(cmdline) sys.exit(err) # Entry point if __name__ == "__main__": main() PKեe['pppython/policygenerators/krb5.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red 
Hat, Inc. # Copyright (c) 2019 Tomáš Mráz from .configgenerator import ConfigGenerator class KRB5Generator(ConfigGenerator): CONFIG_NAME = 'krb5' SCOPES = {'kerberos', 'krb5'} cipher_map = { 'CAMELLIA-256-CBC':'camellia256-cts-cmac', 'CAMELLIA-128-CBC':'camellia128-cts-cmac', 'CAMELLIA-128-CTS':'camellia128-cts-cmac' } cipher_mac_map = { 'AES-256-CBC-HMAC-SHA1':'aes256-cts-hmac-sha1-96', 'AES-256-CBC-HMAC-SHA2-384':'aes256-cts-hmac-sha384-192', 'AES-128-CBC-HMAC-SHA1':'aes128-cts-hmac-sha1-96', 'AES-128-CBC-HMAC-SHA2-256':'aes128-cts-hmac-sha256-128', # 'RC4-128-HMAC-MD5':'arcfour-hmac-md5' # forced last, see below } @classmethod def generate_config(cls, policy): p = policy.enabled sep = ' ' cfg = '[libdefaults]\n' cfg += 'permitted_enctypes = ' s = '' for j in p['mac']: for i in p['cipher']: try: s = cls.append(s, cls.cipher_mac_map[i + '-' + j], sep) except KeyError: pass for i in p['cipher']: try: s = cls.append(s, cls.cipher_map[i], sep) except KeyError: pass if 'RC4-128' in p['cipher'] and 'HMAC-MD5' in p['mac']: s = cls.append(s, 'arcfour-hmac-md5', sep) cfg += s + '\n' # By default libkrb5 sets the min_bits to 2048, don't # go lower than that. if policy.integers['min_dh_size'] > 2048: # $string .= "pkinit_dh_min_bits=$min_dh_size\n"; # krb5.conf only accepts 2048 or 4096 cfg += 'pkinit_dh_min_bits=4096\n' return cfg @classmethod def test_config(cls, config): # pylint: disable=unused-argument return True PKեe[y!SSpython/policygenerators/java.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. 
# Copyright (c) 2019 Tomáš Mráz from .configgenerator import ConfigGenerator class JavaGenerator(ConfigGenerator): CONFIG_NAME = 'java' SCOPES = {'tls', 'ssl', 'java-tls'} hash_not_map = { 'MD2' :'MD2', 'MD5' :'MD5', 'SHA1':'SHA1', 'SHA2-224':'SHA224', 'SHA2-256':'SHA256', 'SHA2-384':'SHA384', 'SHA2-512':'SHA512', 'SHA3-256':'SHA3_256', 'SHA3-384':'SHA3_384', 'SHA3-512':'SHA3_512', 'GOST':'' } cipher_not_map = { 'AES-256-CTR':'', 'AES-128-CTR':'', 'CHACHA20-POLY1305':'', 'CAMELLIA-256-GCM':'', 'CAMELLIA-128-GCM':'', 'CAMELLIA-256-CBC':'', 'CAMELLIA-128-CBC':'', 'AES-256-CBC':'AES_256_CBC', 'AES-128-CBC':'AES_128_CBC', 'AES-256-GCM':'AES_256_GCM', 'AES-128-GCM':'AES_128_GCM', 'AES-256-CCM':'AES_256_CCM', 'AES-128-CCM':'AES_128_CCM', 'RC4-128':'RC4_128', 'RC4-40':'RC4_40', 'RC2-CBC':'RC2', 'DES-CBC':'DES_CBC', 'DES40-CBC':'DES40_CBC', '3DES-CBC' :'3DES_EDE_CBC', 'SEED-CBC' :'', 'IDEA-CBC' :'', 'NULL':'' } cipher_legacy_map = { 'RC4-128':'RC4_128', '3DES-CBC':'3DES_EDE_CBC', } key_exchange_not_map = { 'EXPORT':'RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT', 'DH':'DH_RSA, DH_DSS', 'ANON':'DH_anon, ECDH_anon', 'RSA':'TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256', 'DHE-RSA':'DHE_RSA', 'DHE-DSS':'DHE_DSS', 'ECDHE':'ECDHE', 'ECDH':'ECDH', 'PSK':'', 'DHE-PSK':'', 'ECDHE-PSK':'' } sign_not_map = { # we handle signature algorithms via disabled hashes 'DSA-SHA1':'DSA', 'RSA-SHA1':'', 'ECDSA-SHA1':'', 'RSA-MD5':'' } protocol_not_map = { 'SSL2.0':'SSLv2', 'SSL3.0':'SSLv3', 'TLS1.0':'TLSv1', 'TLS1.1':'TLSv1.1', 'TLS1.2':'TLSv1.2', 'DTLS1.0':'', 'DTLS1.2':'' } mac_not_map = { 'AEAD':'', 'HMAC-MD5':'HmacMD5', 'HMAC-SHA1':'HmacSHA1', 'HMAC-SHA2-256':'HmacSHA256', 'HMAC-SHA2-384':'HmacSHA384', 'HMAC-SHA2-512':'HmacSHA512', } @classmethod def generate_config(cls, policy): p = policy.enabled ip = policy.disabled 
sep = ', ' cfg = 'jdk.tls.ephemeralDHKeySize=' + str(policy.integers['min_dh_size']) + '\n' cfg += 'jdk.certpath.disabledAlgorithms=' s = '' s = cls.append(s, 'MD2', sep) for i in ip['hash']: try: s = cls.append(s, cls.hash_not_map[i], sep) except KeyError: pass for i in ip['sign']: try: s = cls.append(s, cls.sign_not_map[i], sep) except KeyError: pass s = cls.append(s, 'RSA keySize < ' + str(policy.integers['min_rsa_size']), sep) cfg += s cfg += '\njdk.tls.disabledAlgorithms=' s = '' s = cls.append(s, 'DH keySize < ' + str(policy.integers['min_dh_size']), sep) for i in ip['protocol']: try: s = cls.append(s, cls.protocol_not_map[i], sep) except KeyError: pass for i in ip['key_exchange']: try: s = cls.append(s, cls.key_exchange_not_map[i], sep) except KeyError: pass for i in ip['cipher']: try: s = cls.append(s, cls.cipher_not_map[i], sep) except KeyError: pass for i in ip['mac']: try: s = cls.append(s, cls.mac_not_map[i], sep) except KeyError: pass cfg += s cfg += '\njdk.tls.legacyAlgorithms=' s = '' for i in p['cipher']: try: s = cls.append(s, cls.cipher_legacy_map[i], sep) except KeyError: pass cfg += s cfg += '\n' return cfg @classmethod def test_config(cls, config): # pylint: disable=unused-argument return True PKեe[ 6@$python/policygenerators/libreswan.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. 
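# Copyright (c) 2019 Tomáš Mráz

from subprocess import call, DEVNULL
from tempfile import mkstemp
import os

from .configgenerator import ConfigGenerator


class LibreswanGenerator(ConfigGenerator):
    """Render a libreswan ``conn %default`` stanza from a crypto policy.

    Only ``policy.enabled`` is consulted. Policy names that have no entry
    in the tables below are skipped; joining of list values is done by
    ``cls.append`` (inherited from ConfigGenerator, not defined here).
    """
    CONFIG_NAME = 'libreswan'
    SCOPES = {'ipsec', 'ike', 'libreswan'}
    RELOAD_CMD = 'systemctl try-restart ipsec.service 2>/dev/null || :\n'

    # Policy group name -> libreswan DH group token ('' = no token).
    group_map = {
        'X448': '',
        'X25519': '',
        # Disabled for now as it cannot be prioritized over others
        # 'X25519':'dh31',
        'SECP256R1': 'dh19',
        'SECP384R1': 'dh20',
        'SECP521R1': 'dh21',
        'FFDHE-6144': '',
        'FFDHE-1536': 'dh5',
        'FFDHE-2048': 'dh14',
        'FFDHE-3072': 'dh15',
        'FFDHE-4096': 'dh16',
        'FFDHE-8192': 'dh18'
    }

    # Policy cipher name -> libreswan cipher token.
    cipher_map = {
        'AES-256-CBC': 'aes256',
        'AES-192-CBC': 'aes192',
        'AES-128-CBC': 'aes128',
        'AES-256-GCM': 'aes_gcm256',
        'AES-192-GCM': 'aes_gcm192',
        'AES-128-GCM': 'aes_gcm128',
        'CHACHA20-POLY1305': 'chacha20_poly1305'
        # Unused for IKEv2
        # '3DES-CBC':'3des'
    }

    # '<cipher>-<mac>' -> IKE PRF token.
    cipher_prf_map = {
        'AES-256-CBC-HMAC-SHA2-512': 'sha2_512',
        'AES-256-CBC-HMAC-SHA2-256': 'sha2_256',
        'AES-192-CBC-HMAC-SHA2-512': 'sha2_512',
        'AES-192-CBC-HMAC-SHA2-256': 'sha2_256',
        'AES-128-CBC-HMAC-SHA2-256': 'sha2_256',
        # Not needed for IKEv2
        # 'AES-256-CBC-HMAC-SHA1':'sha1',
        # 'AES-128-CBC-HMAC-SHA1':'sha1',
        'AES-256-GCM-HMAC-SHA2-512': 'sha2_512',
        'AES-256-GCM-HMAC-SHA2-256': 'sha2_256',
        'AES-192-GCM-HMAC-SHA2-512': 'sha2_512',
        'AES-192-GCM-HMAC-SHA2-256': 'sha2_256',
        'AES-128-GCM-HMAC-SHA2-512': 'sha2_512',
        'AES-128-GCM-HMAC-SHA2-256': 'sha2_256',
        'CHACHA20-POLY1305-HMAC-SHA2-512': 'sha2_512',
        'CHACHA20-POLY1305-HMAC-SHA2-256': 'sha2_256'
        # '3DES-CBC-HMAC-SHA1':'sha1'
    }

    # '<cipher>-<mac>' -> ESP integrity token ('' marks an AEAD cipher,
    # which carries no separate integrity algorithm).
    cipher_mac_map = {
        'AES-256-CBC-HMAC-SHA2-512': 'sha2_512',
        'AES-192-CBC-HMAC-SHA2-512': 'sha2_512',
        'AES-256-CBC-HMAC-SHA2-256': 'sha2_256',
        'AES-192-CBC-HMAC-SHA2-256': 'sha2_256',
        'AES-128-CBC-HMAC-SHA2-256': 'sha2_256',
        'AES-256-CBC-HMAC-SHA1': 'sha1',
        'AES-192-CBC-HMAC-SHA1': 'sha1',
        'AES-128-CBC-HMAC-SHA1': 'sha1',
        'AES-256-GCM-AEAD': '',
        'AES-192-GCM-AEAD': '',
        'AES-128-GCM-AEAD': '',
        'CHACHA20-POLY1305-AEAD': ''
        # '3DES-CBC-HMAC-SHA1':'3des-sha1'
    }

    # Ordering of MACs inside an IKE proposal (lower = listed first).
    mac_ike_prio_map = {
        'AEAD': 0,
        'HMAC-SHA2-512': 1,
        'HMAC-SHA2-256': 2,
        'HMAC-SHA1': 3
    }

    # Ordering of MACs inside an ESP proposal (lower = listed first).
    mac_esp_prio_map = {
        'AEAD': 0,
        'HMAC-SHA2-512': 1,
        'HMAC-SHA1': 2,
        'HMAC-SHA2-256': 3
    }

    @classmethod
    def __get_ike_prio(cls, key):
        """Sort key for IKE MAC ordering; unknown MACs sort last (99)."""
        if key not in cls.mac_ike_prio_map:
            return 99
        return cls.mac_ike_prio_map[key]

    @classmethod
    def __get_esp_prio(cls, key):
        """Sort key for ESP MAC ordering; unknown MACs sort last (99)."""
        if key not in cls.mac_esp_prio_map:
            return 99
        return cls.mac_esp_prio_map[key]

    @classmethod
    def generate_config(cls, policy):
        """Build the ``conn %default`` text for ``policy``.

        Emits ``ikev2=``, ``pfs=yes`` and, when at least one usable
        combination exists, ``ike=`` and ``esp=`` proposal lists. Each
        proposal is ``<cipher>-<prf list>-<group list>`` for IKE and
        ``<cipher>-<integrity list>`` (or just ``<cipher>`` for AEAD)
        for ESP.
        """
        cfg = 'conn %default\n'
        sep = ','
        p = policy.enabled
        s = ''
        proto = p['protocol']
        if 'IKEv2' in proto:
            s = 'ikev2=insist'
        elif 'IKEv1' in proto:  # and 'IKEv2' not in proto
            s = 'ikev2=never'
        if s:
            cfg += '\t' + s + '\n'
        cfg += '\tpfs=yes\n'

        # IKE proposals: cipher, then the PRFs usable with it, then all
        # enabled DH groups.
        sorted_macs = sorted(p['mac'], key=cls.__get_ike_prio)
        tmp = ''
        for cipher in p['cipher']:
            try:
                cm = cls.cipher_map[cipher]
            except KeyError:
                continue
            combo = cm + '-'
            s = ''
            for mac in sorted_macs:
                try:
                    mm = cls.cipher_prf_map[cipher + '-' + mac]
                except KeyError:
                    continue
                s = cls.append(s, mm, '+')
            if not s:
                # no PRF pairs with this cipher: drop the cipher entirely
                continue
            combo += s
            s = ''
            for i in p['group']:
                try:
                    group = cls.group_map[i]
                except KeyError:
                    continue
                s = cls.append(s, group, '+')
            combo = cls.append(combo, s, '-')
            tmp = cls.append(tmp, combo, sep)
        if tmp:
            cfg += '\tike=' + tmp + '\n'

        # ESP proposals: cipher plus integrity algorithms; AEAD ciphers
        # stand alone.
        sorted_macs = sorted(p['mac'], key=cls.__get_esp_prio)
        tmp = ''
        for cipher in p['cipher']:
            try:
                cm = cls.cipher_map[cipher]
            except KeyError:
                continue
            combo = cm + '-'
            s = ''
            for mac in sorted_macs:
                try:
                    mm = cls.cipher_mac_map[cipher + '-' + mac]
                except KeyError:
                    continue
                if not mm:
                    # Special handling for AEAD
                    combo = cm
                    break
                s = cls.append(s, mm, '+')
            combo += s
            if combo[-1:] == '-':
                # trailing '-' means no integrity algorithm matched
                continue
            tmp = cls.append(tmp, combo, sep)
        if tmp:
            cfg += '\tesp=' + tmp + '\n'
        return cfg

    @classmethod
    def test_config(cls, config):
        """Validate ``config`` with ``ipsec readwriteconf``.

        Returns True when the check passes or ``/usr/sbin/ipsec`` is not
        executable here (the check is then skipped), False when libreswan
        rejects the generated policy (details go to ``cls.eprint``).
        """
        if not os.access('/usr/sbin/ipsec', os.X_OK):
            return True
        fd, path = mkstemp()
        ret = 255
        try:
            with os.fdopen(fd, 'w') as f:
                f.write(config)
            try:
                # argv form, no shell: the temp path (which follows TMPDIR)
                # is passed as a single argument rather than spliced into a
                # command string. stdout is discarded as before; stderr is
                # left visible.
                ret = call(['/usr/sbin/ipsec', 'readwriteconf',
                            '--config', path], stdout=DEVNULL)
            except OSError:
                # call() only raises when the process cannot be started;
                # ret stays at 255 and the failure is reported below.
                cls.eprint("/usr/sbin/ipsec: Execution failed")
        finally:
            os.unlink(path)
        if ret:
            cls.eprint("There is an error in libreswan generated policy")
            cls.eprint("Policy:\n%s" % config)
            return False
        return True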
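# SPDX-License-Identifier: LGPL-2.1-or-later
# Copyright (c) 2019 Red Hat, Inc.
# Copyright (c) 2019 Tomáš Mráz

from subprocess import call, DEVNULL
import os

from .configgenerator import ConfigGenerator


class GnuTLSGenerator(ConfigGenerator):
    """Render a GnuTLS priority string (``SYSTEM=...``) from a crypto policy.

    Both ``policy.enabled`` and ``policy.disabled`` are consulted: each
    category is enabled wholesale (``+MAC-ALL`` etc.) and the disabled
    members are then subtracted. Joining is done by ``cls.append``
    (inherited from ConfigGenerator, not defined here).
    """
    CONFIG_NAME = 'gnutls'
    SCOPES = {'tls', 'ssl', 'gnutls'}

    # Disabled policy MAC -> priority-string removal.
    mac_not_map = {
        'AEAD': '-AEAD',
        'HMAC-SHA1': '-SHA1',
        'HMAC-MD5': '-MD5',
        'HMAC-SHA2-256': '-SHA256',
        'HMAC-SHA2-384': '-SHA384',
        'HMAC-SHA2-512': '-SHA512'
    }

    # Disabled policy group -> priority-string removal ('' = nothing to remove).
    group_not_map = {
        'X448': '-GROUP-X448',
        'X25519': '-GROUP-X25519',
        'SECP256R1': '-GROUP-SECP256R1',
        'SECP384R1': '-GROUP-SECP384R1',
        'SECP521R1': '-GROUP-SECP521R1',
        'FFDHE-6144': '',
        'FFDHE-2048': '-GROUP-FFDHE2048',
        'FFDHE-3072': '-GROUP-FFDHE3072',
        'FFDHE-4096': '-GROUP-FFDHE4096',
        'FFDHE-8192': '-GROUP-FFDHE8192'
    }

    # Disabled policy signature algorithm -> priority-string removal.
    sign_not_map = {
        'RSA-MD5': '-SIGN-RSA-MD5',
        'RSA-SHA1': '-SIGN-RSA-SHA1',
        'DSA-SHA1': '-SIGN-DSA-SHA1',
        'ECDSA-SHA1': '-SIGN-ECDSA-SHA1',
        'RSA-SHA2-224': '-SIGN-RSA-SHA224',
        'DSA-SHA2-224': '-SIGN-DSA-SHA224',
        'ECDSA-SHA2-224': '-SIGN-ECDSA-SHA224',
        'RSA-SHA2-256': '-SIGN-RSA-SHA256',
        'DSA-SHA2-256': '-SIGN-DSA-SHA256',
        'ECDSA-SHA2-256': '-SIGN-ECDSA-SHA256',
        'RSA-SHA2-384': '-SIGN-RSA-SHA384',
        'DSA-SHA2-384': '-SIGN-DSA-SHA384',
        'ECDSA-SHA2-384': '-SIGN-ECDSA-SHA384',
        'RSA-SHA2-512': '-SIGN-RSA-SHA512',
        'DSA-SHA2-512': '-SIGN-DSA-SHA512',
        'ECDSA-SHA2-512': '-SIGN-ECDSA-SHA512',
        # These are only available under 3.6.3+
        'RSA-PSS-SHA2-256': '-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-RSAE-SHA256',
        'RSA-PSS-SHA2-384': '-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-RSAE-SHA384',
        'RSA-PSS-SHA2-512': '-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA512',
        'EDDSA-ED448': '-SIGN-EDDSA-ED448',
        'EDDSA-ED25519': '-SIGN-EDDSA-ED25519'
    }

    # Enabled legacy signature algorithms that must be re-added explicitly.
    legacy_sign_map = {
        'DSA-SHA1': '+SIGN-DSA-SHA1',
        'RSA-SHA1': '+SIGN-RSA-SHA1'
    }

    # Disabled policy cipher -> priority-string removal ('' = nothing to remove).
    cipher_not_map = {
        'AES-256-CTR': '',
        'AES-128-CTR': '',
        'AES-256-GCM': '-AES-256-GCM',
        'AES-128-GCM': '-AES-128-GCM',
        'AES-256-CCM': '-AES-256-CCM',
        'AES-128-CCM': '-AES-128-CCM',
        'AES-256-CBC': '-AES-256-CBC',
        'AES-128-CBC': '-AES-128-CBC',
        'CAMELLIA-256-GCM': '-CAMELLIA-256-GCM',
        'CAMELLIA-128-GCM': '-CAMELLIA-128-GCM',
        'CAMELLIA-256-CBC': '-CAMELLIA-256-CBC',
        'CAMELLIA-128-CBC': '-CAMELLIA-128-CBC',
        'CHACHA20-POLY1305': '-CHACHA20-POLY1305',
        '3DES-CBC': '-3DES-CBC',
        'RC4-128': '-ARCFOUR-128'
    }

    # Enabled ciphers that CIPHER-ALL does not cover and must be forced on.
    cipher_force_map = {
        '3DES-CBC': '+3DES-CBC',
        'RC4-128': '+ARCFOUR-128'
    }

    # Enabled policy key exchange -> priority-string addition ('' = none).
    key_exchange_map = {
        'RSA': '+RSA',
        'ECDHE': '+ECDHE-RSA:+ECDHE-ECDSA',
        'DHE-RSA': '+DHE-RSA',
        'DHE-DSS': '+DHE-DSS',
        'PSK': '',
        'DHE-PSK': '',
        'ECDHE-PSK': ''
    }

    # Disabled policy protocol -> priority-string removal.
    protocol_not_map = {
        'SSL3.0': '-VERS-SSL3.0',
        'TLS1.0': '-VERS-TLS1.0',
        'TLS1.1': '-VERS-TLS1.1',
        'TLS1.2': '-VERS-TLS1.2',
        'TLS1.3': '-VERS-TLS1.3',
        'DTLS1.0': '-VERS-DTLS1.0',
        'DTLS1.2': '-VERS-DTLS1.2'
    }

    @classmethod
    def generate_config(cls, policy):
        """Build the ``SYSTEM=...`` priority line for ``policy``.

        Starts from ``NONE`` and, per category, adds the ``*-ALL`` keyword
        only when the policy enables something in that category, then
        removes the disabled members. Finishes with a ``%PROFILE_*``
        keyword chosen from the smaller of ``min_dh_size`` /
        ``min_rsa_size`` and a trailing newline.
        """
        s = 'SYSTEM=NONE'
        p = policy.enabled
        ip = policy.disabled
        if p['mac']:
            s = cls.append(s, '+MAC-ALL')
            for i in ip['mac']:
                try:
                    s = cls.append(s, cls.mac_not_map[i])
                except KeyError:
                    pass
        if p['group']:
            s = cls.append(s, '+GROUP-ALL')
            for i in ip['group']:
                try:
                    s = cls.append(s, cls.group_not_map[i])
                except KeyError:
                    pass
        if p['sign']:
            s = cls.append(s, '+SIGN-ALL')
            for i in ip['sign']:
                try:
                    s = cls.append(s, cls.sign_not_map[i])
                except KeyError:
                    pass
            # SHA1 signatures are not part of SIGN-ALL; re-add them when
            # the policy still allows them.
            for i in p['sign']:
                try:
                    s = cls.append(s, cls.legacy_sign_map[i])
                except KeyError:
                    pass
        if policy.integers['sha1_in_certs']:
            s = cls.append(s, '%VERIFY_ALLOW_SIGN_WITH_SHA1')
        if p['cipher']:
            s = cls.append(s, '+CIPHER-ALL')
            for i in ip['cipher']:
                try:
                    s = cls.append(s, cls.cipher_not_map[i])
                except KeyError:
                    pass
            for i in p['cipher']:
                try:
                    s = cls.append(s, cls.cipher_force_map[i])
                except KeyError:
                    pass
        for i in p['key_exchange']:
            try:
                s = cls.append(s, cls.key_exchange_map[i])
            except KeyError:
                pass
        if p['protocol']:
            s = cls.append(s, '+VERS-ALL:-VERS-DTLS0.9')
            for i in ip['protocol']:
                try:
                    s = cls.append(s, cls.protocol_not_map[i])
                except KeyError:
                    pass
        s = cls.append(s, '+COMP-NULL')

        # We cannot separate RSA strength from DH params.
        min_rsa_size = policy.integers['min_rsa_size']
        min_dh_size = policy.integers['min_dh_size']
        if min_dh_size <= 768 or min_rsa_size <= 768:
            s = cls.append(s, '%PROFILE_VERY_WEAK')
        elif min_dh_size <= 1024 or min_rsa_size <= 1024:
            s = cls.append(s, '%PROFILE_LOW')
        elif min_dh_size <= 2048 or min_rsa_size <= 2048:
            s = cls.append(s, '%PROFILE_MEDIUM')
        elif min_dh_size <= 3072 or min_rsa_size <= 3072:
            s = cls.append(s, '%PROFILE_HIGH')
        elif min_dh_size <= 8192 or min_rsa_size <= 8192:
            s = cls.append(s, '%PROFILE_ULTRA')
        else:
            s = cls.append(s, '%PROFILE_FUTURE')
        s += '\n'
        return s

    @classmethod
    def test_config(cls, config):
        """Ask ``gnutls-cli -l --priority`` to parse the generated string.

        Returns True when gnutls-cli accepts it or is not executable here
        (the check is then skipped), False when it rejects the string
        (details go to ``cls.eprint``).
        """
        if not os.access('/usr/bin/gnutls-cli', os.X_OK):
            return True
        # The generated text is 'SYSTEM=<priority>\n'; gnutls-cli wants the
        # bare priority string, so strip the prefix and newlines in Python
        # instead of piping a temp file through a shell pipeline.
        priority = config.replace('SYSTEM=', '').replace('\n', '')
        ret = 255
        try:
            # argv form, no shell; stdout is discarded as before.
            ret = call(['/usr/bin/gnutls-cli', '-l', '--priority', priority],
                       stdout=DEVNULL)
        except OSError:
            # call() only raises when the process cannot be started;
            # ret stays at 255 and the failure is reported below.
            cls.eprint("/usr/bin/gnutls-cli: Execution failed")
        if ret:
            cls.eprint("There is an error in gnutls generated policy")
            cls.eprint("Policy:\n%s" % config)
            return False
        return True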
# Copyright (c) 2019 Tomáš Mráz

from .configgenerator import ConfigGenerator


class LibsshGenerator(ConfigGenerator):
    """Render a libssh configuration from a crypto policy.

    Produces ``Ciphers``, ``MACs``, ``KexAlgorithms``, ``HostKeyAlgorithms``
    and ``PubkeyAcceptedKeyTypes`` lines from ``policy.enabled``. Policy
    names without an entry in the tables below are ignored; joining of
    values is delegated to ``cls.append`` (inherited from ConfigGenerator,
    not defined in this file).
    """
    CONFIG_NAME = 'libssh'
    SCOPES = {'ssh', 'libssh'}

    # Policy cipher -> libssh cipher name ('' = not supported by libssh).
    cipher_map = {
        'AES-256-GCM': 'aes256-gcm@openssh.com',
        'AES-256-CTR': 'aes256-ctr',
        'AES-192-GCM': '',  # not supported
        'AES-192-CTR': 'aes192-ctr',
        'AES-128-GCM': 'aes128-gcm@openssh.com',
        'AES-128-CTR': 'aes128-ctr',
        'CHACHA20-POLY1305': 'chacha20-poly1305@openssh.com',
        'CAMELLIA-256-GCM': '',
        'AES-256-CCM': '',
        'AES-192-CCM': '',
        'AES-128-CCM': '',
        'CAMELLIA-128-GCM': '',
        'AES-256-CBC': 'aes256-cbc',
        'AES-192-CBC': 'aes192-cbc',
        'AES-128-CBC': 'aes128-cbc',
        'CAMELLIA-256-CBC': '',
        'CAMELLIA-128-CBC': '',
        'RC4-128': '',
        'DES-CBC': '',
        'CAMELLIA-128-CTS': '',
        '3DES-CBC': '3des-cbc'
    }

    # Policy MAC -> encrypt-then-MAC name ('' = not supported).
    mac_map_etm = {
        'HMAC-MD5': '',
        'UMAC-64': '',
        'UMAC-128': '',
        'HMAC-SHA1': 'hmac-sha1-etm@openssh.com',
        'HMAC-SHA2-256': 'hmac-sha2-256-etm@openssh.com',
        'HMAC-SHA2-512': 'hmac-sha2-512-etm@openssh.com'
    }

    # Policy MAC -> plain MAC name ('' = not supported).
    mac_map = {
        'HMAC-MD5': '',
        'UMAC-64': '',
        'UMAC-128': '',
        'HMAC-SHA1': 'hmac-sha1',
        'HMAC-SHA2-256': 'hmac-sha2-256',
        'HMAC-SHA2-512': 'hmac-sha2-512'
    }

    # '<key_exchange>-<group>-<hash>' -> kex method(s).
    kx_map = {
        'ECDHE-SECP521R1-SHA2-512': 'ecdh-sha2-nistp521',
        'ECDHE-SECP384R1-SHA2-384': 'ecdh-sha2-nistp384',
        'ECDHE-SECP256R1-SHA2-256': 'ecdh-sha2-nistp256',
        'ECDHE-X25519-SHA2-256': 'curve25519-sha256,curve25519-sha256@libssh.org',
        'DHE-FFDHE-1024-SHA1': 'diffie-hellman-group1-sha1',
        'DHE-FFDHE-2048-SHA1': 'diffie-hellman-group14-sha1',
        'DHE-FFDHE-2048-SHA2-256': 'diffie-hellman-group14-sha256',
        'DHE-FFDHE-4096-SHA2-512': 'diffie-hellman-group16-sha512',
        'DHE-FFDHE-8192-SHA2-512': 'diffie-hellman-group18-sha512',
    }

    # '<key_exchange>-<hash>' -> group-exchange kex method.
    gx_map = {
        'DHE-SHA1': 'diffie-hellman-group-exchange-sha1',
        'DHE-SHA2-256': 'diffie-hellman-group-exchange-sha256',
    }

    # Policy signature -> host key / public key type.
    sign_map = {
        'RSA-SHA1': 'ssh-rsa',
        'DSA-SHA1': 'ssh-dss',
        'RSA-SHA2-256': 'rsa-sha2-256',
        'RSA-SHA2-512': 'rsa-sha2-512',
        'ECDSA-SHA2-256': 'ecdsa-sha2-nistp256',
        'ECDSA-SHA2-384': 'ecdsa-sha2-nistp384',
        'ECDSA-SHA2-512': 'ecdsa-sha2-nistp521',
        'EDDSA-ED25519': 'ssh-ed25519',
    }

    # Policy signature -> certificate key type.
    sign_map_certs = {
        'RSA-SHA1': 'ssh-rsa-cert-v01@openssh.com',
        'DSA-SHA1': 'ssh-dss-cert-v01@openssh.com',
        'RSA-SHA2-256': 'rsa-sha2-256-cert-v01@openssh.com',
        'RSA-SHA2-512': 'rsa-sha2-512-cert-v01@openssh.com',
        'ECDSA-SHA2-256': 'ecdsa-sha2-nistp256-cert-v01@openssh.com',
        'ECDSA-SHA2-384': 'ecdsa-sha2-nistp384-cert-v01@openssh.com',
        'ECDSA-SHA2-512': 'ecdsa-sha2-nistp521-cert-v01@openssh.com',
        'EDDSA-ED25519': 'ssh-ed25519-cert-v01@openssh.com',
    }

    @classmethod
    def _append_mapped(cls, acc, key, table, sep):
        """Return ``acc`` extended with ``table[key]`` via ``cls.append``
        when ``key`` is present; otherwise return ``acc`` unchanged."""
        if key not in table:
            return acc
        return cls.append(acc, table[key], sep)

    @classmethod
    def generate_config(cls, policy):
        """Build the libssh configuration text for ``policy``.

        Reads ``policy.enabled`` (cipher, mac, key_exchange, hash, group,
        sign) and ``policy.integers`` (ssh_etm, arbitrary_dh_groups,
        ssh_certs). A line is omitted when no value maps for it.
        """
        enabled = policy.enabled
        ints = policy.integers
        sep = ','
        lines = []

        ciphers = ''
        for name in enabled['cipher']:
            ciphers = cls._append_mapped(ciphers, name, cls.cipher_map, sep)
        if ciphers:
            lines.append('Ciphers ' + ciphers + '\n')

        macs = ''
        if ints['ssh_etm']:
            # encrypt-then-MAC variants are listed ahead of the plain ones
            for name in enabled['mac']:
                macs = cls._append_mapped(macs, name, cls.mac_map_etm, sep)
        for name in enabled['mac']:
            macs = cls._append_mapped(macs, name, cls.mac_map, sep)
        if macs:
            lines.append('MACs ' + macs + '\n')

        kex = ''
        for kx in enabled['key_exchange']:
            for hsh in enabled['hash']:
                if ints['arbitrary_dh_groups'] == 1:
                    # group exchange is only offered when the policy
                    # permits arbitrary DH groups
                    kex = cls._append_mapped(kex, kx + '-' + hsh,
                                             cls.gx_map, sep)
                for grp in enabled['group']:
                    kex = cls._append_mapped(kex, kx + '-' + grp + '-' + hsh,
                                             cls.kx_map, sep)
        if kex:
            lines.append('KexAlgorithms ' + kex + '\n')

        key_types = ''
        for name in enabled['sign']:
            key_types = cls._append_mapped(key_types, name, cls.sign_map, sep)
            if ints['ssh_certs']:
                key_types = cls._append_mapped(key_types, name,
                                               cls.sign_map_certs, sep)
        if key_types:
            lines.append('HostKeyAlgorithms ' + key_types + '\n')
            lines.append('PubkeyAcceptedKeyTypes ' + key_types + '\n')

        return ''.join(lines)

    @classmethod
    def test_config(cls, config):  # pylint: disable=unused-argument
        """No external validator is run for libssh; always True."""
        return True
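# SPDX-License-Identifier: LGPL-2.1-or-later
# Copyright (c) 2019 Red Hat, Inc.
# Copyright (c) 2019 Tomáš Mráz

from subprocess import call, DEVNULL
from tempfile import mkstemp, mkdtemp
import os

from .configgenerator import ConfigGenerator


class OpenSSHGenerator(ConfigGenerator):
    """Shared tables and option builder for the OpenSSH client and server
    generators below.

    Subclasses set ``_FORMAT_STRING`` to control how each ``(option, value)``
    pair is rendered: a config-file line for the client, a ``-o`` command
    line switch for the server. Joining of values is delegated to
    ``cls.append`` (inherited from ConfigGenerator, not defined here).
    """
    _FORMAT_STRING = ''

    # Policy cipher -> OpenSSH cipher name ('' = not supported).
    cipher_map = {
        'AES-256-GCM': 'aes256-gcm@openssh.com',
        'AES-256-CTR': 'aes256-ctr',
        'AES-192-GCM': '',  # not supported
        'AES-192-CTR': 'aes192-ctr',
        'AES-128-GCM': 'aes128-gcm@openssh.com',
        'AES-128-CTR': 'aes128-ctr',
        'CHACHA20-POLY1305': 'chacha20-poly1305@openssh.com',
        'CAMELLIA-256-GCM': '',
        'AES-256-CCM': '',
        'AES-192-CCM': '',
        'AES-128-CCM': '',
        'CAMELLIA-128-GCM': '',
        'AES-256-CBC': 'aes256-cbc',
        'AES-192-CBC': 'aes192-cbc',
        'AES-128-CBC': 'aes128-cbc',
        'CAMELLIA-256-CBC': '',
        'CAMELLIA-128-CBC': '',
        'RC4-128': '',
        'DES-CBC': '',
        'CAMELLIA-128-CTS': '',
        '3DES-CBC': '3des-cbc'
    }

    # Policy MAC -> encrypt-then-MAC name.
    mac_map_etm = {
        'HMAC-MD5': 'hmac-md5-etm@openssh.com',
        'UMAC-64': 'umac-64-etm@openssh.com',
        'UMAC-128': 'umac-128-etm@openssh.com',
        'HMAC-SHA1': 'hmac-sha1-etm@openssh.com',
        'HMAC-SHA2-256': 'hmac-sha2-256-etm@openssh.com',
        'HMAC-SHA2-512': 'hmac-sha2-512-etm@openssh.com'
    }

    # Policy MAC -> plain MAC name.
    mac_map = {
        'HMAC-MD5': 'hmac-md5',
        'UMAC-64': 'umac-64@openssh.com',
        'UMAC-128': 'umac-128@openssh.com',
        'HMAC-SHA1': 'hmac-sha1',
        'HMAC-SHA2-256': 'hmac-sha2-256',
        'HMAC-SHA2-512': 'hmac-sha2-512'
    }

    # '<key_exchange>-<group>-<hash>' -> kex method(s).
    kx_map = {
        'ECDHE-SECP521R1-SHA2-512': 'ecdh-sha2-nistp521',
        'ECDHE-SECP384R1-SHA2-384': 'ecdh-sha2-nistp384',
        'ECDHE-SECP256R1-SHA2-256': 'ecdh-sha2-nistp256',
        'ECDHE-X25519-SHA2-256': 'curve25519-sha256,curve25519-sha256@libssh.org',
        'DHE-FFDHE-1024-SHA1': 'diffie-hellman-group1-sha1',
        'DHE-FFDHE-2048-SHA1': 'diffie-hellman-group14-sha1',
        'DHE-FFDHE-2048-SHA2-256': 'diffie-hellman-group14-sha256',
        'DHE-FFDHE-4096-SHA2-512': 'diffie-hellman-group16-sha512',
        'DHE-FFDHE-8192-SHA2-512': 'diffie-hellman-group18-sha512',
    }

    # '<key_exchange>-<hash>' -> group-exchange kex method.
    gx_map = {
        'DHE-SHA1': 'diffie-hellman-group-exchange-sha1',
        'DHE-SHA2-256': 'diffie-hellman-group-exchange-sha256',
    }

    # GSSAPI kex methods, keyed like kx_map / gx_map with a 'GSS' component.
    gss_kx_map = {
        'DHE-GSS-SHA1': 'gss-gex-sha1-',
        'DHE-GSS-FFDHE-1024-SHA1': 'gss-group1-sha1-',
        'DHE-GSS-FFDHE-2048-SHA1': 'gss-group14-sha1-',
        'DHE-GSS-FFDHE-2048-SHA2-256': 'gss-group14-sha256-',
        'ECDHE-GSS-SECP256R1-SHA2-256': 'gss-nistp256-sha256-',
        'ECDHE-GSS-X25519-SHA2-256': 'gss-curve25519-sha256-',
        'DHE-GSS-FFDHE-4096-SHA2-512': 'gss-group16-sha512-',
    }

    # Policy signature -> host key / public key type.
    sign_map = {
        'RSA-SHA1': 'ssh-rsa',
        'DSA-SHA1': 'ssh-dss',
        'RSA-SHA2-256': 'rsa-sha2-256',
        'RSA-SHA2-512': 'rsa-sha2-512',
        'ECDSA-SHA2-256': 'ecdsa-sha2-nistp256',
        'ECDSA-SHA2-384': 'ecdsa-sha2-nistp384',
        'ECDSA-SHA2-512': 'ecdsa-sha2-nistp521',
        'EDDSA-ED25519': 'ssh-ed25519',
    }

    # Policy signature -> certificate key type.
    sign_map_certs = {
        'RSA-SHA1': 'ssh-rsa-cert-v01@openssh.com',
        'DSA-SHA1': 'ssh-dss-cert-v01@openssh.com',
        'RSA-SHA2-256': 'rsa-sha2-256-cert-v01@openssh.com',
        'RSA-SHA2-512': 'rsa-sha2-512-cert-v01@openssh.com',
        'ECDSA-SHA2-256': 'ecdsa-sha2-nistp256-cert-v01@openssh.com',
        'ECDSA-SHA2-384': 'ecdsa-sha2-nistp384-cert-v01@openssh.com',
        'ECDSA-SHA2-512': 'ecdsa-sha2-nistp521-cert-v01@openssh.com',
        'EDDSA-ED25519': 'ssh-ed25519-cert-v01@openssh.com',
    }

    @classmethod
    def generate_options(cls, policy, local_kx_map, local_gss_kx_map, do_host_key):
        """Render the OpenSSH options for ``policy``.

        Args:
            policy: reads ``policy.enabled`` (cipher, mac, key_exchange,
                hash, group, sign) and ``policy.integers`` (ssh_etm,
                arbitrary_dh_groups, ssh_certs).
            local_kx_map: key-exchange table to use instead of ``kx_map``,
                so a subclass can drop entries before calling.
            local_gss_kx_map: likewise for the GSSAPI key-exchange table.
            do_host_key: also emit ``HostKeyAlgorithms`` (server only).

        Returns:
            All options concatenated, each rendered with ``_FORMAT_STRING``.
            Policy names without a table entry are skipped; an option whose
            value list would be empty is omitted, except that the absence
            of any GSSAPI kex yields ``GSSAPIKeyExchange no``.
        """
        p = policy.enabled
        cfg = ''
        sep = ','
        s = ''
        for i in p['cipher']:
            try:
                s = cls.append(s, cls.cipher_map[i], sep)
            except KeyError:
                pass
        if s:
            cfg += cls._FORMAT_STRING.format('Ciphers', s)

        s = ''
        if policy.integers['ssh_etm']:
            # encrypt-then-MAC variants are listed ahead of the plain ones
            for i in p['mac']:
                try:
                    s = cls.append(s, cls.mac_map_etm[i], sep)
                except KeyError:
                    pass
        for i in p['mac']:
            try:
                s = cls.append(s, cls.mac_map[i], sep)
            except KeyError:
                pass
        if s:
            cfg += cls._FORMAT_STRING.format('MACs', s)

        s = ''
        gss = ''
        for kx in p['key_exchange']:
            for h in p['hash']:
                if policy.integers['arbitrary_dh_groups']:
                    # group exchange (plain and GSSAPI) only when the policy
                    # permits arbitrary DH groups
                    try:
                        val = cls.gx_map[kx + '-' + h]
                        s = cls.append(s, val, sep)
                    except KeyError:
                        pass
                    try:
                        val = local_gss_kx_map[kx + '-' + h]
                        gss = cls.append(gss, val, sep)
                    except KeyError:
                        pass
                for g in p['group']:
                    try:
                        val = local_kx_map[kx + '-' + g + '-' + h]
                        s = cls.append(s, val, sep)
                    except KeyError:
                        pass
                    try:
                        val = local_gss_kx_map[kx + '-' + g + '-' + h]
                        gss = cls.append(gss, val, sep)
                    except KeyError:
                        pass
        if gss:
            cfg += cls._FORMAT_STRING.format('GSSAPIKexAlgorithms', gss)
        else:
            cfg += cls._FORMAT_STRING.format('GSSAPIKeyExchange', 'no')
        if s:
            cfg += cls._FORMAT_STRING.format('KexAlgorithms', s)

        s = ''
        for i in p['sign']:
            try:
                s = cls.append(s, cls.sign_map[i], sep)
            except KeyError:
                pass
            if policy.integers['ssh_certs'] == 1:
                try:
                    s = cls.append(s, cls.sign_map_certs[i], sep)
                except KeyError:
                    pass
        if s:
            # As OpenSSH currently ignores existing known host
            # entries with this setting we cannot use it on client.
            # Otherwise we could break existing users.
            if do_host_key:
                cfg += cls._FORMAT_STRING.format('HostKeyAlgorithms', s)
            cfg += cls._FORMAT_STRING.format('PubkeyAcceptedKeyTypes', s)

        # CA signatures never include the certificate key types.
        s = ''
        for i in p['sign']:
            try:
                s = cls.append(s, cls.sign_map[i], sep)
            except KeyError:
                pass
        if s:
            cfg += cls._FORMAT_STRING.format('CASignatureAlgorithms', s)
        return cfg


class OpenSSHClientGenerator(OpenSSHGenerator):
    """ssh_config-style output for the OpenSSH client."""
    CONFIG_NAME = 'openssh'
    SCOPES = {'ssh', 'openssh', 'openssh-client'}
    _FORMAT_STRING = '{0} {1}\n'

    @classmethod
    def generate_config(cls, policy):
        """Render the client configuration; HostKeyAlgorithms is not emitted."""
        local_kx_map = dict(cls.kx_map)
        local_gss_kx_map = dict(cls.gss_kx_map)
        return cls.generate_options(policy, local_kx_map, local_gss_kx_map, False)

    @classmethod
    def test_config(cls, config):
        """Check ``config`` by asking ``ssh -G`` to evaluate it.

        Returns True when ssh accepts it or ``/usr/bin/ssh`` is not
        executable here (the check is then skipped), False when ssh
        rejects the generated policy (details go to ``cls.eprint``).
        """
        if not os.access('/usr/bin/ssh', os.X_OK):
            return True
        fd, path = mkstemp()
        ret = 255
        try:
            with os.fdopen(fd, 'w') as f:
                f.write(config)
            try:
                # argv form, no shell: the temp path (which follows TMPDIR)
                # is a single argument; stdout is discarded as before.
                # 'bogus654_server' is a dummy host name: -G only prints
                # the resolved configuration, it does not connect.
                ret = call(['/usr/bin/ssh', '-G', '-F', path, 'bogus654_server'],
                           stdout=DEVNULL)
            except OSError:
                # call() only raises when the process cannot be started;
                # ret stays at 255 and the failure is reported below.
                cls.eprint("/usr/bin/ssh: Execution failed")
        finally:
            os.unlink(path)
        if ret:
            cls.eprint("There is an error in OpenSSH generated policy")
            cls.eprint("Policy:\n%s" % config)
            return False
        return True


class OpenSSHServerGenerator(OpenSSHGenerator):
    """Environment-file output (``CRYPTO_POLICY='-o... '``) for sshd."""
    CONFIG_NAME = 'opensshserver'
    SCOPES = {'ssh', 'openssh', 'openssh-server'}
    # We need restart here, since systemd needs to pick up new command line options
    RELOAD_CMD = 'systemctl try-restart sshd.service 2>/dev/null || :\n'
    _FORMAT_STRING = '-o{0}={1} '

    @classmethod
    def generate_config(cls, policy):
        """Render the server options as a single shell variable assignment."""
        # Difference from client, keep group1 disabled on server
        local_kx_map = dict(cls.kx_map)
        local_gss_kx_map = dict(cls.gss_kx_map)
        del local_kx_map['DHE-FFDHE-1024-SHA1']
        del local_gss_kx_map['DHE-GSS-FFDHE-1024-SHA1']
        cfg = cls.generate_options(policy, local_kx_map, local_gss_kx_map, True)
        cfg = cfg.rstrip()
        return 'CRYPTO_POLICY=\'' + cfg + '\''

    @classmethod
    def _test_setup(cls):
        """Create a throwaway RSA host key for the ``sshd -T`` check.

        Returns the private key path, or '' when ssh-keygen failed (the
        failure has already been reported via ``cls.eprint``). The caller
        must pass the path to ``_test_cleanup`` when done.
        """
        # mkdtemp creates a fresh directory readable only by this user, so
        # ssh-keygen never writes into a shared temp dir, and cleanup can
        # remove the .pub file it writes alongside the private key. This
        # also replaces the earlier mkstemp()+unlink() pattern, which left
        # the descriptor open.
        key_dir = mkdtemp()
        path = os.path.join(key_dir, 'test_host_key')
        ret = 255
        try:
            # argv form, no shell; '-N ""' becomes the empty argument.
            ret = call(['/usr/bin/ssh-keygen', '-t', 'rsa', '-b', '2048',
                        '-f', path, '-N', ''], stdout=DEVNULL)
        except OSError:
            # call() only raises when the process cannot be started;
            # ret stays at 255 and the failure is reported below.
            cls.eprint("/usr/bin/ssh-keygen: Execution failed")
        if ret:
            cls.eprint("SSH Keygen failed when testing OpenSSH server policy")
            cls._test_cleanup(path)
            return ''
        return path

    @classmethod
    def _test_cleanup(cls, path):
        """Remove the key pair from ``_test_setup`` and its directory.

        ``path`` is the private key path ('' is a no-op); ssh-keygen also
        wrote ``path + '.pub'`` next to it. The directory is removed only
        if it is empty afterwards.
        """
        if not path:
            return
        for name in (path, path + '.pub'):
            try:
                os.unlink(name)
            except FileNotFoundError:
                pass
        try:
            os.rmdir(os.path.dirname(path))
        except OSError:
            pass

    @classmethod
    def test_config(cls, config):
        """Check ``config`` by running ``sshd -T`` with the generated options.

        Returns True when sshd accepts them or ``/usr/sbin/sshd`` is not
        executable here (the check is then skipped), False when the host
        key could not be generated or sshd rejects the policy (details go
        to ``cls.eprint``).
        """
        if not os.access('/usr/sbin/sshd', os.X_OK):
            return True
        host_key_filename = cls._test_setup()
        if not host_key_filename:
            return False
        fd, path = mkstemp()
        ret = 255
        try:
            with os.fdopen(fd, 'w') as f:
                f.write(config)
            try:
                # bash is kept so that the generated CRYPTO_POLICY='...'
                # assignment is sourced and word-split exactly as a shell
                # does; the two paths are passed as positional parameters
                # ($1, $2) instead of being spliced into the command text.
                ret = call(['/usr/bin/bash', '-c',
                            'source "$1" && /usr/sbin/sshd -T $CRYPTO_POLICY '
                            '-h "$2" -f /dev/null',
                            'sshd-policy-check', path, host_key_filename],
                           stdout=DEVNULL)
            except OSError:
                # call() only raises when the process cannot be started;
                # ret stays at 255 and the failure is reported below.
                cls.eprint("/usr/sbin/sshd: Execution failed")
        finally:
            os.unlink(path)
            cls._test_cleanup(host_key_filename)
        if ret:
            cls.eprint("There is an error in OpenSSH server generated policy")
            cls.eprint("Policy:\n%s" % config)
            return False
        return True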
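# SPDX-License-Identifier: LGPL-2.1-or-later
# Copyright (c) 2019 Red Hat, Inc.
# Copyright (c) 2019 Tomáš Mráz

from subprocess import check_output, CalledProcessError
from tempfile import mkstemp
import os

from .configgenerator import ConfigGenerator


class BindGenerator(ConfigGenerator):
    """Render BIND ``disable-algorithms`` / ``disable-ds-digests`` statements
    for the root zone from a crypto policy's disabled sets."""
    CONFIG_NAME = 'bind'
    SCOPES = {'dnssec', 'bind'}
    RELOAD_CMD = 'systemctl try-reload-or-restart bind.service 2>/dev/null || :\n'

    # Disabled policy signature -> DNSSEC algorithm mnemonics to disable.
    sign_not_map = {
        'DSA-SHA1': ('DSA', 'NSEC3DSA'),
        'RSA-SHA1': ('RSASHA1', 'NSEC3RSASHA1'),
        'RSA-SHA2-256': ('RSASHA256',),
        'RSA-SHA2-512': ('RSASHA512',),
        'ECDSA-SHA2-256': ('ECDSAP256SHA256',),  # + custom handling below
        'ECDSA-SHA2-384': ('ECDSAP384SHA384',),  # + custom handling below
        'EDDSA-ED25519': ('ED25519',),
        'EDDSA-ED448': ('ED448',),
    }

    # Disabled policy hash -> DS digest mnemonic to disable.
    hash_not_map = {
        'SHA1': 'SHA-1',
        'SHA2-256': 'SHA-256',
        'SHA2-384': 'SHA-384',
        'GOST': 'GOST',
    }

    @classmethod
    def generate_config(cls, policy):
        """Build the two ``disable-*`` statements from ``policy.disabled``.

        RSAMD5 and ECCGOST are always disabled. Each disabled signature
        algorithm adds the mnemonics from ``sign_not_map``; the P-256 /
        P-384 ECDSA algorithms are additionally disabled when their curve
        is disabled. Each disabled hash adds its DS digest mnemonic.
        """
        ip = policy.disabled
        s = ''
        s += 'disable-algorithms "." {\n'
        s += 'RSAMD5;\n'  # deprecated, disabled unconditionally
        s += 'ECCGOST;\n'  # deprecated, disabled unconditionally, no such knob
        for i in ip['sign']:
            try:
                for disabled_sign in cls.sign_not_map[i]:
                    s += f'{disabled_sign};\n'
            except KeyError:
                pass
        # The policy spells these 'ECDSA-SHA2-256' / 'ECDSA-SHA2-384' (the
        # same keys as sign_not_map above); the check must use that
        # spelling, otherwise the algorithm is listed a second time when
        # the signature itself is already disabled.
        if 'ECDSA-SHA2-256' not in ip['sign'] and 'SECP256R1' in ip['group']:
            s += 'ECDSAP256SHA256;\n'  # additionally disabled on lack of P-256
        if 'ECDSA-SHA2-384' not in ip['sign'] and 'SECP384R1' in ip['group']:
            s += 'ECDSAP384SHA384;\n'  # additionally disabled on lack of P-384
        s += '};\n'
        s += 'disable-ds-digests "." {\n'
        for i in ip['hash']:
            try:
                s += f'{cls.hash_not_map[i]};\n'
            except KeyError:
                pass
        s += '};\n'
        return s

    @classmethod
    def test_config(cls, config):
        """Validate ``config`` with ``named-checkconf``.

        The statements are wrapped in an ``options { ... }`` block in a
        temporary file. Returns False when named-checkconf rejects it
        (details go to ``cls.eprint``); True when it passes or the
        checker is not installed.
        """
        fd, path = mkstemp()
        try:
            with os.fdopen(fd, 'w') as f:
                f.write('options {\n')
                f.write(config)
                f.write('\n};\n')
            try:
                # argv form; output is captured and discarded.
                _ = check_output(["/usr/sbin/named-checkconf", path])
            except CalledProcessError:
                cls.eprint("There is an error in bind generated policy")
                cls.eprint("Policy:\n%s" % config)
                return False
            except OSError:
                # Ignore missing check command
                pass
        finally:
            os.unlink(path)
        return True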
HMAC-SHA2-384z HMAC-SHA2-512c Cs|j}|j}d}dt|jdd}|d7}d}|j|d|}x>|dD]2}y|j||j||}WqJtk rzYqJXqJWx>|d D]2}y|j||j||}Wqtk rYqXqW|j|d t|jd |}||7}|d 7}d}|j|d t|jd|}xB|dD]6}y|j||j||}Wntk rHYnXqWxB|dD]6}y|j||j ||}Wntk rYnXqZWxB|dD]6}y|j||j ||}Wntk rYnXqWxB|dD]6}y|j||j ||}Wntk rYnXqW||7}|d7}d}xB|dD]6}y|j||j ||}Wntk rlYnXq:W||7}|d7}|S)Nz, zjdk.tls.ephemeralDHKeySize=Z min_dh_size z jdk.certpath.disabledAlgorithms=rrhashZsignzRSA keySize < Z min_rsa_sizez jdk.tls.disabledAlgorithms=z DH keySize < ZprotocolZ key_exchangeZcipherZmacz jdk.tls.legacyAlgorithms=) ZenabledZdisabledstrZintegersappend hash_not_mapKeyError sign_not_mapprotocol_not_mapkey_exchange_not_mapcipher_not_map mac_not_mapcipher_legacy_map)clsZpolicypZipsepZcfgsir;./usr/share/crypto-policies/python/policygenerators/java.pygenerate_configbsj       zJavaGenerator.generate_configcCsdS)NTr)rconfigrrr test_configszJavaGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESrrrrrrr classmethodrr rrrrr s  GrN)Zconfiggeneratorrrrrrrs PKեe[b!:python/policygenerators/__pycache__/openssh.cpython-36.pycnu[3 ."d @sdddlmZmZddlmZddlZddlmZGdddeZGdd d eZ Gd d d eZ dS) )callCalledProcessError)mkstempN)ConfigGeneratorc@seZdZdZdddddddddddddd d dddddd d Zd ddddddZdddddddZddddddd d!d"d# Zd$d%d&Zd'd(d)d*d+d,d-d.Z d/d0d1d2d3d4d5d6d7Z d8d9d:d;dd?d7Z e d@dAZ dBS)COpenSSHGeneratorzaes256-gcm@openssh.comz aes256-ctrz aes192-ctrzaes128-gcm@openssh.comz aes128-ctrzchacha20-poly1305@openssh.comz aes256-cbcz aes192-cbcz aes128-cbcz3des-cbc)z AES-256-GCMz AES-256-CTRz AES-192-GCMz AES-192-CTRz AES-128-GCMz AES-128-CTRzCHACHA20-POLY1305zCAMELLIA-256-GCMz AES-256-CCMz AES-192-CCMz AES-128-CCMzCAMELLIA-128-GCMz AES-256-CBCz AES-192-CBCz AES-128-CBCzCAMELLIA-256-CBCzCAMELLIA-128-CBCzRC4-128zDES-CBCzCAMELLIA-128-CTSz3DES-CBCzhmac-md5-etm@openssh.comzumac-64-etm@openssh.comzumac-128-etm@openssh.comzhmac-sha1-etm@openssh.comzhmac-sha2-256-etm@openssh.comzhmac-sha2-512-etm@openssh.com)zHMAC-MD5zUMAC-64zUMAC-128z HMAC-SHA1z 
HMAC-SHA2-256z HMAC-SHA2-512zhmac-md5zumac-64@openssh.comzumac-128@openssh.comz hmac-sha1z hmac-sha2-256z hmac-sha2-512zecdh-sha2-nistp521zecdh-sha2-nistp384zecdh-sha2-nistp256z.curve25519-sha256,curve25519-sha256@libssh.orgzdiffie-hellman-group1-sha1zdiffie-hellman-group14-sha1zdiffie-hellman-group14-sha256zdiffie-hellman-group16-sha512zdiffie-hellman-group18-sha512) zECDHE-SECP521R1-SHA2-512zECDHE-SECP384R1-SHA2-384zECDHE-SECP256R1-SHA2-256zECDHE-X25519-SHA2-256zDHE-FFDHE-1024-SHA1zDHE-FFDHE-2048-SHA1zDHE-FFDHE-2048-SHA2-256zDHE-FFDHE-4096-SHA2-512zDHE-FFDHE-8192-SHA2-512z"diffie-hellman-group-exchange-sha1z$diffie-hellman-group-exchange-sha256)zDHE-SHA1z DHE-SHA2-256z gss-gex-sha1-zgss-group1-sha1-zgss-group14-sha1-zgss-group14-sha256-zgss-nistp256-sha256-zgss-curve25519-sha256-zgss-group16-sha512-)z DHE-GSS-SHA1zDHE-GSS-FFDHE-1024-SHA1zDHE-GSS-FFDHE-2048-SHA1zDHE-GSS-FFDHE-2048-SHA2-256zECDHE-GSS-SECP256R1-SHA2-256zECDHE-GSS-X25519-SHA2-256zDHE-GSS-FFDHE-4096-SHA2-512zssh-rsazssh-dssz rsa-sha2-256z rsa-sha2-512zecdsa-sha2-nistp256zecdsa-sha2-nistp384zecdsa-sha2-nistp521z ssh-ed25519)zRSA-SHA1zDSA-SHA1z RSA-SHA2-256z RSA-SHA2-512zECDSA-SHA2-256zECDSA-SHA2-384zECDSA-SHA2-512z EDDSA-ED25519zssh-rsa-cert-v01@openssh.comzssh-dss-cert-v01@openssh.comz!rsa-sha2-256-cert-v01@openssh.comz!rsa-sha2-512-cert-v01@openssh.comz(ecdsa-sha2-nistp256-cert-v01@openssh.comz(ecdsa-sha2-nistp384-cert-v01@openssh.comz(ecdsa-sha2-nistp521-cert-v01@openssh.comz ssh-ed25519-cert-v01@openssh.comc&Cs|j}d}d}d}x>|dD]2} y|j||j| |}Wqtk rLYqXqW|rh||jjd|7}d}|jdrx>|dD]2} y|j||j| |}Wqtk rYqXqWx>|dD]2} y|j||j| |}Wqtk rYqXqW|r||jjd|7}d}d} xF|dD]8} x.|d D] } |jd ry$|j | d | } |j|| |}Wntk rYnXy"|| d | } |j| | |} Wntk rYnXx|d D]}y*|| d |d | } |j|| |}Wntk r YnXy*|| d |d | } |j| | |} Wntk rLYnXqWq4Wq"W| rz||jjd | 7}n||jjdd7}|r||jjd|7}d}x|dD]v} y|j||j | |}Wntk rYnX|jddkry|j||j | |}Wntk r$YnXqW|r\|rJ||jjd|7}||jjd|7}d}xB|dD]6} y|j||j | |}Wntk rYnXqjW|r||jjd|7}|S)Nr,ZcipherZCiphersZssh_etmZmacZMACsZ 
key_exchangehashZarbitrary_dh_groups-groupZGSSAPIKexAlgorithmsZGSSAPIKeyExchangenoZ KexAlgorithmsZsignZ ssh_certsrZHostKeyAlgorithmsZPubkeyAcceptedKeyTypesZCASignatureAlgorithms) Zenabledappend cipher_mapKeyError_FORMAT_STRINGformatZintegers mac_map_etmmac_mapgx_mapsign_mapsign_map_certs)clspolicy local_kx_maplocal_gss_kx_mapZ do_host_keypcfgsepsiZgssZkxhvalgr$>./usr/share/crypto-policies/python/policygenerators/openssh.pygenerate_optionsls       z!OpenSSHGenerator.generate_optionsN)__name__ __module__ __qualname__rrrrkx_mapr gss_kx_maprr classmethodr&r$r$r$r%rsrc@s6eZdZdZdddhZdZeddZeddZd S) OpenSSHClientGeneratoropensshsshzopenssh-clientz{0} {1} cCs$t|j}t|j}|j|||dS)NF)dictr*r+r&)rrrrr$r$r%generate_configs  z&OpenSSHClientGenerator.generate_configcCstjdtjsdSt\}}d}z^tj|d}|j|WdQRXytd|ddd}Wntk rz|jdYnXWdtj |X|r|jd |jd |d SdS) Nz /usr/bin/sshTwz/usr/bin/ssh -G -F z bogus654_server >/dev/null)shellz/usr/bin/ssh: Execution failedz-There is an error in OpenSSH generated policyz Policy: %sF) osaccessX_OKrfdopenwriterreprintunlink)rconfigfdpathretfr$r$r% test_configs&    z"OpenSSHClientGenerator.test_configN) r'r(r) CONFIG_NAMESCOPESrr,r1rAr$r$r$r%r-s   r-c@sReZdZdZdddhZdZdZeddZed d Z ed d Z ed dZ dS)OpenSSHServerGeneratorZ opensshserverr/r.zopenssh-serverz4systemctl try-restart sshd.service 2>/dev/null || : z -o{0}={1} cCsDt|j}t|j}|d=|d=|j|||d}|j}d|dS)NzDHE-FFDHE-1024-SHA1zDHE-GSS-FFDHE-1024-SHA1TzCRYPTO_POLICY='')r0r*r+r&rstrip)rrrrrr$r$r%r1s  z&OpenSSHServerGenerator.generate_configc Csft\}}tj|d}ytd|ddd}Wntk rN|jdYnX|rb|jddS|S) Nr2z&/usr/bin/ssh-keygen -t rsa -b 2048 -f z -N "" >/dev/nullT)r4z%/usr/bin/ssh-keygen: Execution failedz4SSH Keygen failed when testing OpenSSH server policyr)rr5r;rrr:)rZ_fdr>r?r$r$r% _test_setup s    z"OpenSSHServerGenerator._test_setupcCs|rtj|dS)N)r5r;)rr>r$r$r% _test_cleanupsz$OpenSSHServerGenerator._test_cleanupcCstjdtjsdS|j}|s"dSt\}}d}zftj|d}|j|WdQRXy td|d|ddd }Wntk r|j d YnXWdtj ||j |X|r|j d |j d |dSdS) Nz/usr/sbin/sshdTFr2r3z/usr/bin/bash 
-c 'source z( && /usr/sbin/sshd -T $CRYPTO_POLICY -h z -f /dev/null' >/dev/null)r4z /usr/sbin/sshd: Execution failedz4There is an error in OpenSSH server generated policyz Policy: %s) r5r6r7rGrr8r9rrr:r;rH)rr<Zhost_key_filenamer=r>r?r@r$r$r%rA#s0     z"OpenSSHServerGenerator.test_configN) r'r(r)rBrCZ RELOAD_CMDrr,r1rGrHrAr$r$r$r%rDs   rD) subprocessrrZtempfilerr5Zconfiggeneratorrrr-rDr$r$r$r%s  C(PKեe[oc779python/policygenerators/__pycache__/libssh.cpython-36.pycnu[3 ."d@s ddlmZGdddeZdS))ConfigGeneratorc@seZdZdZddhZddddddd dddddd d d dddddd dZdddddddZdddddddZdddddddddd Zd d!d"Z d#d$d%d&d'd(d)d*d+Z d,d-d.d/d0d1d2d3d+Z e d4d5Z e d6d7Zd8S)9LibsshGeneratorZlibsshZsshzaes256-gcm@openssh.comz aes256-ctrz aes192-ctrzaes128-gcm@openssh.comz aes128-ctrzchacha20-poly1305@openssh.comz aes256-cbcz aes192-cbcz aes128-cbcz3des-cbc)z AES-256-GCMz AES-256-CTRz AES-192-GCMz AES-192-CTRz AES-128-GCMz AES-128-CTRzCHACHA20-POLY1305zCAMELLIA-256-GCMz AES-256-CCMz AES-192-CCMz AES-128-CCMzCAMELLIA-128-GCMz AES-256-CBCz AES-192-CBCz AES-128-CBCzCAMELLIA-256-CBCzCAMELLIA-128-CBCzRC4-128zDES-CBCzCAMELLIA-128-CTSz3DES-CBCzhmac-sha1-etm@openssh.comzhmac-sha2-256-etm@openssh.comzhmac-sha2-512-etm@openssh.com)zHMAC-MD5zUMAC-64zUMAC-128z HMAC-SHA1z HMAC-SHA2-256z HMAC-SHA2-512z hmac-sha1z hmac-sha2-256z hmac-sha2-512zecdh-sha2-nistp521zecdh-sha2-nistp384zecdh-sha2-nistp256z.curve25519-sha256,curve25519-sha256@libssh.orgzdiffie-hellman-group1-sha1zdiffie-hellman-group14-sha1zdiffie-hellman-group14-sha256zdiffie-hellman-group16-sha512zdiffie-hellman-group18-sha512) zECDHE-SECP521R1-SHA2-512zECDHE-SECP384R1-SHA2-384zECDHE-SECP256R1-SHA2-256zECDHE-X25519-SHA2-256zDHE-FFDHE-1024-SHA1zDHE-FFDHE-2048-SHA1zDHE-FFDHE-2048-SHA2-256zDHE-FFDHE-4096-SHA2-512zDHE-FFDHE-8192-SHA2-512z"diffie-hellman-group-exchange-sha1z$diffie-hellman-group-exchange-sha256)zDHE-SHA1z DHE-SHA2-256zssh-rsazssh-dssz rsa-sha2-256z rsa-sha2-512zecdsa-sha2-nistp256zecdsa-sha2-nistp384zecdsa-sha2-nistp521z 
ssh-ed25519)zRSA-SHA1zDSA-SHA1z RSA-SHA2-256z RSA-SHA2-512zECDSA-SHA2-256zECDSA-SHA2-384zECDSA-SHA2-512z EDDSA-ED25519zssh-rsa-cert-v01@openssh.comzssh-dss-cert-v01@openssh.comz!rsa-sha2-256-cert-v01@openssh.comz!rsa-sha2-512-cert-v01@openssh.comz(ecdsa-sha2-nistp256-cert-v01@openssh.comz(ecdsa-sha2-nistp384-cert-v01@openssh.comz(ecdsa-sha2-nistp521-cert-v01@openssh.comz ssh-ed25519-cert-v01@openssh.comc Cs|j}d}d}d}x>|dD]2}y|j||j||}Wqtk rLYqXqW|rf|d|d7}d}|jdrx>|dD]2}y|j||j||}Wq~tk rYq~Xq~Wx>|dD]2}y|j||j||}Wqtk rYqXqW|r |d|d7}d}x|d D]}x|d D]}|jd d krvy$|j|d |} |j|| |}Wntk rtYnXxV|dD]J} y,|j|d | d |} |j|| |}Wntk rYnXqWq&WqW|r|d|d7}d}x~|dD]r}y|j||j ||}Wntk r0YnX|jdry|j||j ||}Wntk rlYnXqW|r|d|d7}|d|d7}|S)Nr,ZcipherzCiphers  Zssh_etmZmaczMACs Z key_exchangehashZarbitrary_dh_groupsr-groupzKexAlgorithms ZsignZ ssh_certszHostKeyAlgorithms zPubkeyAcceptedKeyTypes ) Zenabledappend cipher_mapKeyErrorZintegers mac_map_etmmac_mapgx_mapkx_mapsign_mapsign_map_certs) clsZpolicypZcfgsepsiZkxhvalgr=./usr/share/crypto-policies/python/policygenerators/libssh.pygenerate_config^sr      zLibsshGenerator.generate_configcCsdS)NTr)rconfigrrr test_configszLibsshGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESr r rrrrr classmethodrrrrrrr s ErN)Zconfiggeneratorrrrrrrs PKեe[F9007python/policygenerators/__pycache__/krb5.cpython-36.pycnu[3 ."dp@s ddlmZGdddeZdS))ConfigGeneratorc@sJeZdZdZddhZddddZdddd d Zed d Zed dZ dS) KRB5GeneratorZkrb5Zkerberoszcamellia256-cts-cmaczcamellia128-cts-cmac)zCAMELLIA-256-CBCzCAMELLIA-128-CBCzCAMELLIA-128-CTSzaes256-cts-hmac-sha1-96zaes256-cts-hmac-sha384-192zaes128-cts-hmac-sha1-96zaes128-cts-hmac-sha256-128)zAES-256-CBC-HMAC-SHA1zAES-256-CBC-HMAC-SHA2-384zAES-128-CBC-HMAC-SHA1zAES-128-CBC-HMAC-SHA2-256c Cs|j}d}d}|d7}d}xX|dD]L}xF|dD]:}y |j||j|d||}Wq2tk rjYq2Xq2Wq$Wx>|dD]2}y|j||j||}Wq~tk rYq~Xq~Wd|dkrd |dkr|j|d |}||d 7}|jd d kr|d7}|S)N z[libdefaults] zpermitted_enctypes = ZmacZcipher-zRC4-128zHMAC-MD5zarcfour-hmac-md5 Z 
min_dh_sizeizpkinit_dh_min_bits=4096 )Zenabledappendcipher_mac_mapKeyError cipher_mapZintegers)clsZpolicypsepZcfgsjir;./usr/share/crypto-policies/python/policygenerators/krb5.pygenerate_configs,   zKRB5Generator.generate_configcCsdS)NTr)r configrrr test_config<szKRB5Generator.test_configN) __name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESr r classmethodrrrrrrr s !rN)Zconfiggeneratorrrrrrrs PKեe[1#G;python/policygenerators/__pycache__/__init__.cpython-36.pycnu[3 ."dE @sddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl m Z ddlmZdd lmZdd lmZdd lmZd d dddddddddg ZdS)) BindGenerator)GnuTLSGenerator) JavaGenerator) KRB5Generator)LibreswanGenerator)LibsshGenerator) NSSGenerator)OpenSSHClientGenerator)OpenSSHServerGenerator)OpenSSLConfigGenerator)OpenSSLGeneratorrrrrrrrr r r r N)ZbindrZgnutlsrjavarZkrb5rZ libreswanrZlibsshrZnssrZopensshr r Zopensslr r __all__rr?./usr/share/crypto-policies/python/policygenerators/__init__.pys*           PKեe[1#GApython/policygenerators/__pycache__/__init__.cpython-36.opt-1.pycnu[3 ."dE @sddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl m Z ddlmZdd lmZdd lmZdd lmZd d dddddddddg ZdS)) BindGenerator)GnuTLSGenerator) JavaGenerator) KRB5Generator)LibreswanGenerator)LibsshGenerator) NSSGenerator)OpenSSHClientGenerator)OpenSSHServerGenerator)OpenSSLConfigGenerator)OpenSSLGeneratorrrrrrrrr r r r N)ZbindrZgnutlsrjavarZkrb5rZ libreswanrZlibsshrZnssrZopensshr r Zopensslr r __all__rr?./usr/share/crypto-policies/python/policygenerators/__init__.pys*           PKեe[6!<python/policygenerators/__pycache__/nss.cpython-36.opt-1.pycnu[3 ."d$@sTddlmZmZddlmZddlZddlZddlZddlm Z Gddde Z dS))callCalledProcessError)mkstempN)ConfigGeneratorc@seZdZdZdddhZdddddd d Zd d d dddddddd ZddddddZdddddddddddddddd d!Zdddd"d#d$d%d&d'd( Z d)d*d+d,d-d.d/d0Z d1d2d3d4d5Z e d6d7Z e d8d9Zd:S); NSSGeneratorZnssZtlsZsslz HMAC-SHA1zHMAC-MD5z HMAC-SHA256z HMAC-SHA384z HMAC-SHA512)ZAEADz HMAC-SHA1zHMAC-MD5z HMAC-SHA2-256z HMAC-SHA2-384z HMAC-SHA2-512SHA1MD5ZSHA224ZSHA256ZSHA384ZSHA512) r r 
zSHA2-224zSHA2-256zSHA2-384zSHA2-512zSHA3-256zSHA3-384zSHA3-512ZGOSTZ CURVE25519 SECP256R1 SECP384R1 SECP521R1)ZX25519ZX448r r r Zrc2Zrc4z aes256-gcmz aes128-gcmz aes256-cbcz aes128-cbczcamellia256-cbczcamellia128-cbczchacha20-poly1305z des-ede3-cbc)z AES-256-CTRz AES-128-CTRzRC2-CBCzRC4-128z AES-256-GCMz AES-128-GCMz AES-256-CBCz AES-128-CBCzCAMELLIA-256-CBCzCAMELLIA-128-CBCzCAMELLIA-256-GCMzCAMELLIA-128-GCMz AES-256-CCMz AES-128-CCMzCHACHA20-POLY1305z3DES-CBCRSAzDHE-RSAzDHE-DSSzECDHE-RSA:ECDHE-ECDSAzECDH-RSA:ECDH-ECDSAz DH-RSA:DH-DSS) ZPSKzDHE-PSKz ECDHE-PSKrzDHE-RSAzDHE-DSSZECDHEZECDHZDHzssl3.0ztls1.0ztls1.1ztls1.2ztls1.3zdtls1.0zdtls1.2)zSSL3.0zTLS1.0zTLS1.1zTLS1.2zTLS1.3zDTLS1.0zDTLS1.2zRSA-PSSzRSA-PKCSZECDSADSA)zRSA-PSS-zRSA-zECDSA-zDSA-c Cs|j}d}|d7}|d7}|d7}d}x<|dD]0}y|j||j|}Wq0tk r^Yq0Xq0Wx<|dD]0}y|j||j|}Wqntk rYqnXqnWx<|dD]0}y|j||j|}Wqtk rYqXqWx>|d D]2}y|j||j|}Wqtk rYqXqWx@|d D]4}y|j||j|}Wntk rZYnXq*Wd d |d D}|r|j|d}t}xZ|d D]N}xF|j j D]8\}} |j |r| |kr|j | |j|| }PqWqW|j r|j|j } |j|d| }n |j|d}|jr@|j|j} |j|d| }n |j|d}|j|dt|jd}|j|dt|jd}|j|dt|jd}||d7}|S)Nz library= z name=Policy zNSS=flags=policyOnly,moduleDB zconfig="disallow=ALL allow=rZmacgroupZcipherhashZ key_exchangecSsg|]}|jddkr|qS)zDSA-r)find).0ir:./usr/share/crypto-policies/python/policygenerators/nss.py sz0NSSGenerator.generate_config..Zsignrztls-version-min=ztls-version-min=0zdtls-version-min=zdtls-version-min=0zDH-MIN=Z min_dh_sizezDSA-MIN=Z min_dsa_sizezRSA-MIN=Z min_rsa_sizez" )Zenabledappendmac_mapKeyError curve_map cipher_maphash_mapkey_exchange_mapsetsign_prefix_ordmapitems startswithaddZmin_tls_version protocol_mapZmin_dtls_versionstrZintegers) clsZpolicypZcfgsrZdsaZenabled_sigalgsprefixZsigalgZminverrrrgenerate_configdsn               zNSSGenerator.generate_configc Csy2tjjd}tj|}|jds0|jddSWntk rP|jdYnXtjdtj sddSt \}}d}z^tj |d}|j |WdQRXyt d |d dd }Wntk r|jd YnXWdtj|X|r|jd |jd|dSdS)NZnss3s3.66z:Skipping nss-policy-check due to nss being older than 3.66Tz(Cannot determine nss version with 
ctypesz/usr/bin/nss-policy-checkwz/usr/bin/nss-policy-check z >/dev/null)shellz+/usr/bin/nss-policy-check: Execution failedz)There is an error in NSS generated policyz Policy: %sF)ctypesutilZ find_libraryZCDLLZNSS_VersionCheckZeprintAttributeErrorosaccessX_OKrfdopenwriterrunlink)r&configZnss_pathZnss_libfdpathZretfrrr test_configs6        zNSSGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESrrrrrr$r classmethodr*r;rrrrrsz  Hr) subprocessrrZtempfilerr.Z ctypes.utilr1Zconfiggeneratorrrrrrrs   PKեe[ɨBpython/policygenerators/__pycache__/libreswan.cpython-36.opt-1.pycnu[3 ."d@sDddlmZmZddlmZddlZddlmZGdddeZdS))callCalledProcessError)mkstempN)ConfigGeneratorc@seZdZdZdddhZdZddddddd d d d d d ZddddddddZdddddddddddddd Zddddddddddddd Z ddddd Z ddddd!Z e d"d#Z e d$d%Ze d&d'Ze d(d)Zd*S)+LibreswanGeneratorZ libreswanZipsecZikez5systemctl try-restart ipsec.service 2>/dev/null || : Zdh19Zdh20Zdh21Zdh5Zdh14Zdh15Zdh16Zdh18) ZX448ZX25519Z SECP256R1Z SECP384R1Z SECP521R1z FFDHE-6144z FFDHE-1536z FFDHE-2048z FFDHE-3072z FFDHE-4096z FFDHE-8192Zaes256Zaes192Zaes128Z aes_gcm256Z aes_gcm192Z aes_gcm128Zchacha20_poly1305)z AES-256-CBCz AES-192-CBCz AES-128-CBCz AES-256-GCMz AES-192-GCMz AES-128-GCMzCHACHA20-POLY1305Zsha2_512Zsha2_256) zAES-256-CBC-HMAC-SHA2-512zAES-256-CBC-HMAC-SHA2-256zAES-192-CBC-HMAC-SHA2-512zAES-192-CBC-HMAC-SHA2-256zAES-128-CBC-HMAC-SHA2-256zAES-256-GCM-HMAC-SHA2-512zAES-256-GCM-HMAC-SHA2-256zAES-192-GCM-HMAC-SHA2-512zAES-192-GCM-HMAC-SHA2-256zAES-128-GCM-HMAC-SHA2-512zAES-128-GCM-HMAC-SHA2-256zCHACHA20-POLY1305-HMAC-SHA2-512zCHACHA20-POLY1305-HMAC-SHA2-256Zsha1) zAES-256-CBC-HMAC-SHA2-512zAES-192-CBC-HMAC-SHA2-512zAES-256-CBC-HMAC-SHA2-256zAES-192-CBC-HMAC-SHA2-256zAES-128-CBC-HMAC-SHA2-256zAES-256-CBC-HMAC-SHA1zAES-192-CBC-HMAC-SHA1zAES-128-CBC-HMAC-SHA1zAES-256-GCM-AEADzAES-192-GCM-AEADzAES-128-GCM-AEADzCHACHA20-POLY1305-AEADrr)AEADz HMAC-SHA2-512z HMAC-SHA2-256z HMAC-SHA1)r z HMAC-SHA2-512z HMAC-SHA1z 
HMAC-SHA2-256cCs||jkrdS|j|S)Nc)mac_ike_prio_map)clskeyr@./usr/share/crypto-policies/python/policygenerators/libreswan.pyZ__get_ike_priobs z!LibreswanGenerator.__get_ike_priocCs||jkrdS|j|S)Nr )mac_esp_prio_map)rrrrrZ__get_esp_priohs z!LibreswanGenerator.__get_esp_priocCsd}d}|j}d}|d}d|kr(d}n d|kr4d}|rH|d |d 7}|d 7}t|d |jd }d}x|dD]} y|j| } Wntk rwrYnX| d} d}xH|D]@} y|j| d| } Wntk rwYnX|j|| d}qW|sqr| |7} d}xJ|dD]>}y|j|}Wntk r:wYnX|j||d}qW|j| |d} |j|| |}qrW|r|d|d 7}t|d |jd }d}x|dD]} y|j| } Wntk rwYnX| d} d}xZ|D]R} y|j | d| } Wntk rwYnX| s(| } P|j|| d}qW| |7} | dddkrZq|j|| |}qW|r|d|d 7}|S)Nzconn %default ,rZprotocolZIKEv2z ikev2=insistZIKEv1z ikev2=never  z pfs=yes mac)rcipher-+groupz ike=rz esp=) Zenabledsorted!_LibreswanGenerator__get_ike_prio cipher_mapKeyErrorcipher_prf_mapappend group_map!_LibreswanGenerator__get_esp_priocipher_mac_map)rZpolicyZcfgseppsprotoZ sorted_macsZtmprcmZcomborZmmirrrrgenerate_configns      z"LibreswanGenerator.generate_configcCstjdtjsdSt\}}d}z^tj|d}|j|WdQRXytd|ddd}Wntk rz|jdYnXWdtj |X|r|jd |jd |d SdS) Nz/usr/sbin/ipsecTwz'/usr/sbin/ipsec readwriteconf --config z >/dev/null)shellz!/usr/sbin/ipsec: Execution failedz/There is an error in libreswan generated policyz Policy: %sF) osaccessX_OKrfdopenwriterrZeprintunlink)rconfigfdpathZretfrrr test_configs&    zLibreswanGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESZ RELOAD_CMDr"rr r$r r classmethodrr#r+r9rrrrrst    Pr) subprocessrrZtempfilerr/Zconfiggeneratorrrrrrrs  PKեe[6!6python/policygenerators/__pycache__/nss.cpython-36.pycnu[3 ."d$@sTddlmZmZddlmZddlZddlZddlZddlm Z Gddde Z dS))callCalledProcessError)mkstempN)ConfigGeneratorc@seZdZdZdddhZdddddd d Zd d d dddddddd ZddddddZdddddddddddddddd d!Zdddd"d#d$d%d&d'd( Z d)d*d+d,d-d.d/d0Z d1d2d3d4d5Z e d6d7Z e d8d9Zd:S); NSSGeneratorZnssZtlsZsslz HMAC-SHA1zHMAC-MD5z HMAC-SHA256z HMAC-SHA384z HMAC-SHA512)ZAEADz HMAC-SHA1zHMAC-MD5z HMAC-SHA2-256z HMAC-SHA2-384z HMAC-SHA2-512SHA1MD5ZSHA224ZSHA256ZSHA384ZSHA512) r r 
zSHA2-224zSHA2-256zSHA2-384zSHA2-512zSHA3-256zSHA3-384zSHA3-512ZGOSTZ CURVE25519 SECP256R1 SECP384R1 SECP521R1)ZX25519ZX448r r r Zrc2Zrc4z aes256-gcmz aes128-gcmz aes256-cbcz aes128-cbczcamellia256-cbczcamellia128-cbczchacha20-poly1305z des-ede3-cbc)z AES-256-CTRz AES-128-CTRzRC2-CBCzRC4-128z AES-256-GCMz AES-128-GCMz AES-256-CBCz AES-128-CBCzCAMELLIA-256-CBCzCAMELLIA-128-CBCzCAMELLIA-256-GCMzCAMELLIA-128-GCMz AES-256-CCMz AES-128-CCMzCHACHA20-POLY1305z3DES-CBCRSAzDHE-RSAzDHE-DSSzECDHE-RSA:ECDHE-ECDSAzECDH-RSA:ECDH-ECDSAz DH-RSA:DH-DSS) ZPSKzDHE-PSKz ECDHE-PSKrzDHE-RSAzDHE-DSSZECDHEZECDHZDHzssl3.0ztls1.0ztls1.1ztls1.2ztls1.3zdtls1.0zdtls1.2)zSSL3.0zTLS1.0zTLS1.1zTLS1.2zTLS1.3zDTLS1.0zDTLS1.2zRSA-PSSzRSA-PKCSZECDSADSA)zRSA-PSS-zRSA-zECDSA-zDSA-c Cs|j}d}|d7}|d7}|d7}d}x<|dD]0}y|j||j|}Wq0tk r^Yq0Xq0Wx<|dD]0}y|j||j|}Wqntk rYqnXqnWx<|dD]0}y|j||j|}Wqtk rYqXqWx>|d D]2}y|j||j|}Wqtk rYqXqWx@|d D]4}y|j||j|}Wntk rZYnXq*Wd d |d D}|r|j|d}t}xZ|d D]N}xF|j j D]8\}} |j |r| |kr|j | |j|| }PqWqW|j r|j|j } |j|d| }n |j|d}|jr@|j|j} |j|d| }n |j|d}|j|dt|jd}|j|dt|jd}|j|dt|jd}||d7}|S)Nz library= z name=Policy zNSS=flags=policyOnly,moduleDB zconfig="disallow=ALL allow=rZmacgroupZcipherhashZ key_exchangecSsg|]}|jddkr|qS)zDSA-r)find).0ir:./usr/share/crypto-policies/python/policygenerators/nss.py sz0NSSGenerator.generate_config..Zsignrztls-version-min=ztls-version-min=0zdtls-version-min=zdtls-version-min=0zDH-MIN=Z min_dh_sizezDSA-MIN=Z min_dsa_sizezRSA-MIN=Z min_rsa_sizez" )Zenabledappendmac_mapKeyError curve_map cipher_maphash_mapkey_exchange_mapsetsign_prefix_ordmapitems startswithaddZmin_tls_version protocol_mapZmin_dtls_versionstrZintegers) clsZpolicypZcfgsrZdsaZenabled_sigalgsprefixZsigalgZminverrrrgenerate_configdsn               zNSSGenerator.generate_configc Csy2tjjd}tj|}|jds0|jddSWntk rP|jdYnXtjdtj sddSt \}}d}z^tj |d}|j |WdQRXyt d |d dd }Wntk r|jd YnXWdtj|X|r|jd |jd|dSdS)NZnss3s3.66z:Skipping nss-policy-check due to nss being older than 3.66Tz(Cannot determine nss version with 
ctypesz/usr/bin/nss-policy-checkwz/usr/bin/nss-policy-check z >/dev/null)shellz+/usr/bin/nss-policy-check: Execution failedz)There is an error in NSS generated policyz Policy: %sF)ctypesutilZ find_libraryZCDLLZNSS_VersionCheckZeprintAttributeErrorosaccessX_OKrfdopenwriterrunlink)r&configZnss_pathZnss_libfdpathZretfrrr test_configs6        zNSSGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESrrrrrr$r classmethodr*r;rrrrrsz  Hr) subprocessrrZtempfilerr.Z ctypes.utilr1Zconfiggeneratorrrrrrrs   PKեe[ɨ<python/policygenerators/__pycache__/libreswan.cpython-36.pycnu[3 ."d@sDddlmZmZddlmZddlZddlmZGdddeZdS))callCalledProcessError)mkstempN)ConfigGeneratorc@seZdZdZdddhZdZddddddd d d d d d ZddddddddZdddddddddddddd Zddddddddddddd Z ddddd Z ddddd!Z e d"d#Z e d$d%Ze d&d'Ze d(d)Zd*S)+LibreswanGeneratorZ libreswanZipsecZikez5systemctl try-restart ipsec.service 2>/dev/null || : Zdh19Zdh20Zdh21Zdh5Zdh14Zdh15Zdh16Zdh18) ZX448ZX25519Z SECP256R1Z SECP384R1Z SECP521R1z FFDHE-6144z FFDHE-1536z FFDHE-2048z FFDHE-3072z FFDHE-4096z FFDHE-8192Zaes256Zaes192Zaes128Z aes_gcm256Z aes_gcm192Z aes_gcm128Zchacha20_poly1305)z AES-256-CBCz AES-192-CBCz AES-128-CBCz AES-256-GCMz AES-192-GCMz AES-128-GCMzCHACHA20-POLY1305Zsha2_512Zsha2_256) zAES-256-CBC-HMAC-SHA2-512zAES-256-CBC-HMAC-SHA2-256zAES-192-CBC-HMAC-SHA2-512zAES-192-CBC-HMAC-SHA2-256zAES-128-CBC-HMAC-SHA2-256zAES-256-GCM-HMAC-SHA2-512zAES-256-GCM-HMAC-SHA2-256zAES-192-GCM-HMAC-SHA2-512zAES-192-GCM-HMAC-SHA2-256zAES-128-GCM-HMAC-SHA2-512zAES-128-GCM-HMAC-SHA2-256zCHACHA20-POLY1305-HMAC-SHA2-512zCHACHA20-POLY1305-HMAC-SHA2-256Zsha1) zAES-256-CBC-HMAC-SHA2-512zAES-192-CBC-HMAC-SHA2-512zAES-256-CBC-HMAC-SHA2-256zAES-192-CBC-HMAC-SHA2-256zAES-128-CBC-HMAC-SHA2-256zAES-256-CBC-HMAC-SHA1zAES-192-CBC-HMAC-SHA1zAES-128-CBC-HMAC-SHA1zAES-256-GCM-AEADzAES-192-GCM-AEADzAES-128-GCM-AEADzCHACHA20-POLY1305-AEADrr)AEADz HMAC-SHA2-512z HMAC-SHA2-256z HMAC-SHA1)r z HMAC-SHA2-512z HMAC-SHA1z 
HMAC-SHA2-256cCs||jkrdS|j|S)Nc)mac_ike_prio_map)clskeyr@./usr/share/crypto-policies/python/policygenerators/libreswan.pyZ__get_ike_priobs z!LibreswanGenerator.__get_ike_priocCs||jkrdS|j|S)Nr )mac_esp_prio_map)rrrrrZ__get_esp_priohs z!LibreswanGenerator.__get_esp_priocCsd}d}|j}d}|d}d|kr(d}n d|kr4d}|rH|d |d 7}|d 7}t|d |jd }d}x|dD]} y|j| } Wntk rwrYnX| d} d}xH|D]@} y|j| d| } Wntk rwYnX|j|| d}qW|sqr| |7} d}xJ|dD]>}y|j|}Wntk r:wYnX|j||d}qW|j| |d} |j|| |}qrW|r|d|d 7}t|d |jd }d}x|dD]} y|j| } Wntk rwYnX| d} d}xZ|D]R} y|j | d| } Wntk rwYnX| s(| } P|j|| d}qW| |7} | dddkrZq|j|| |}qW|r|d|d 7}|S)Nzconn %default ,rZprotocolZIKEv2z ikev2=insistZIKEv1z ikev2=never  z pfs=yes mac)rcipher-+groupz ike=rz esp=) Zenabledsorted!_LibreswanGenerator__get_ike_prio cipher_mapKeyErrorcipher_prf_mapappend group_map!_LibreswanGenerator__get_esp_priocipher_mac_map)rZpolicyZcfgseppsprotoZ sorted_macsZtmprcmZcomborZmmirrrrgenerate_configns      z"LibreswanGenerator.generate_configcCstjdtjsdSt\}}d}z^tj|d}|j|WdQRXytd|ddd}Wntk rz|jdYnXWdtj |X|r|jd |jd |d SdS) Nz/usr/sbin/ipsecTwz'/usr/sbin/ipsec readwriteconf --config z >/dev/null)shellz!/usr/sbin/ipsec: Execution failedz/There is an error in libreswan generated policyz Policy: %sF) osaccessX_OKrfdopenwriterrZeprintunlink)rconfigfdpathZretfrrr test_configs&    zLibreswanGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESZ RELOAD_CMDr"rr r$r r classmethodrr#r+r9rrrrrst    Pr) subprocessrrZtempfilerr/Zconfiggeneratorrrrrrrs  PKեe[[:python/policygenerators/__pycache__/openssl.cpython-36.pycnu[3 ."d@s@ddlmZmZddlmZGdddeZGdddeZdS) ) check_outputCalledProcessError)ConfigGeneratorc@seZdZdZdddhZdddddddd d d ddd d dddZddddddddZddddddddddd Zd d!d"Zd#d$d%d&d'd(Z e d)d*Z e d+d,Z e d-d.Z e d/d0Zd1S)2OpenSSLGeneratoropensslZtlsZsslz-AES256z-AES128z-SHA256z -CHACHA20z-SEEDz!IDEAz!DESz-3DESz!RC4z!RC2z !eNULL:!aNULL)z AES-256-CTRz AES-128-CTRz AES-256-GCMz AES-128-GCMz AES-256-CBCz 
AES-128-CBCzCHACHA20-POLY1305zSEED-CBCzIDEA-CBCzDES-CBCzRC4-40z DES40-CBCz3DES-CBCzRC4-128zRC2-CBCZNULLZkRSAZkEECDHZkPSKZkDHEPSKZkEDHZ kECDHEPSK)RSAECDHEPSKzDHE-PSKzDHE-RSAzDHE-DSSz ECDHE-PSKz-kRSAz-kEECDHz-aRSAz-aDSSz-kPSKz-kDHEPSKz -kECDHEPSK) ZANONZDHZECDHr r zDHE-RSAzDHE-DSSr zDHE-PSKz ECDHE-PSKz!MD5z-SHA1)zHMAC-MD5z HMAC-SHA1ZTLS_AES_256_GCM_SHA384ZTLS_AES_128_GCM_SHA256ZTLS_CHACHA20_POLY1305_SHA256ZTLS_AES_128_CCM_SHA256ZTLS_AES_128_CCM_8_SHA256)z AES-256-GCMz AES-128-GCMzCHACHA20-POLY1305z AES-128-CCMz AES-128-CCM8c Csd}|j}|j}|jd}|jd}|dks4|dkrB|j|d}nH|dksR|dkr`|j|d}n*|dksp|dkr~|j|d }n |j|d }x<|d D]0}y|j||j|}Wqtk rYqXqWx>|d D]2}y|j||j|}Wqtk rYqXqWx@|d D]4}y|j||j|}Wntk rBYnXqWd |d krrd|d krr|j|d}x@|dD]4}y|j||j|}Wntk rYnXq|W|j|d}|j|d}|j|d}|j|d}|S)Nr min_dh_size min_rsa_sizeiz @SECLEVEL=0iz @SECLEVEL=1i z @SECLEVEL=2z @SECLEVEL=3Z key_exchangecipherz AES-128-CCMz AES-256-CCMz-AESCCMZmacz-SHA384z -CAMELLIAz-ARIAz-AESCCM8) enabledZdisabledZintegersappendkey_exchange_mapKeyErrorkey_exchange_not_mapcipher_not_map mac_not_map)clspolicyspZipr r ir>./usr/share/crypto-policies/python/policygenerators/openssl.pygenerate_ciphersFsN            z!OpenSSLGenerator.generate_ciphersc CsLd}|j}x<|dD]0}y|j||j|}Wqtk rBYqXqW|S)Nrr)rrciphersuite_mapr)rrrrrrrrgenerate_ciphersuites{s z&OpenSSLGenerator.generate_ciphersuitescCs |j|S)N)r)rrrrrgenerate_configsz OpenSSLGenerator.generate_configc Csd}ytdd|g}Wn>tk rB|jd|jd|dStk rTdSXd|ksfd |kr|jd |jd |dSdS) NrZciphersz-There is an error in openssl generated policyz policy: %sFTsNULLsADHz0There is NULL or ADH in openssl generated policyz Policy: %s)rrZeprintOSError)rconfigoutputrrr test_configs  zOpenSSLGenerator.test_configN)__name__ __module__ __qualname__ CONFIG_NAMEZSCOPESrrrrr classmethodrrr r%rrrrr s\  5 rc@sleZdZdZdddddddd d Zd d d ddddddddddddddddddZed d!Zed"d#Zd$S)%OpenSSLConfigGeneratorZ opensslcnfrZSSLv3ZTLSv1zTLSv1.1zTLSv1.2zTLSv1.3ZDTLSv1zDTLSv1.2)NzSSL3.0zTLS1.0zTLS1.1zTLS1.2zTLS1.3zDTLS1.0zDTLS1.2zRSA+SHA1zDSA+SHA1z 
ECDSA+SHA1z RSA+SHA224z DSA+SHA224z ECDSA+SHA224z RSA+SHA256z DSA+SHA256z ECDSA+SHA256z RSA+SHA384z DSA+SHA384z ECDSA+SHA384z RSA+SHA512z DSA+SHA512z ECDSA+SHA512z&rsa_pss_pss_sha256:rsa_pss_rsae_sha256z&rsa_pss_pss_sha384:rsa_pss_rsae_sha384z&rsa_pss_pss_sha512:rsa_pss_rsae_sha512Zed25519Zed448)zRSA-SHA1zDSA-SHA1z ECDSA-SHA1z RSA-SHA2-224z DSA-SHA2-224zECDSA-SHA2-224z RSA-SHA2-256z DSA-SHA2-256zECDSA-SHA2-256z RSA-SHA2-384z DSA-SHA2-384zECDSA-SHA2-384z RSA-SHA2-512z DSA-SHA2-512zECDSA-SHA2-512zRSA-PSS-SHA2-256zRSA-PSS-SHA2-384zRSA-PSS-SHA2-512z EDDSA-ED25519z EDDSA-ED448cs|j}d}|j|7}|d7}|d7}|j|7}|d7}|jrd|d7}|dj|jd7}|jr|d7}|dj|jd7}|jr|d7}|dj|jd7}|jr|d7}|dj|jd7}fd d |d D}|d d j|7}|S)NzCipherString =  zCiphersuites = zTLS.MinProtocol = zTLS.MaxProtocol =zDTLS.MinProtocol =zDTLS.MaxProtocol =cs g|]}|jkrj|qSr)sign_map).0r)rrr sz:OpenSSLConfigGenerator.generate_config..ZsignzSignatureAlgorithms = :) rrrZmin_tls_version protocol_mapZmax_tls_versionZmin_dtls_versionZmax_dtls_versionjoin)rrrrZsig_algsr)rrr s.  
z&OpenSSLConfigGenerator.generate_configcCsdS)NTr)rr#rrrr%sz"OpenSSLConfigGenerator.test_configN) r&r'r(r)r2r.r*r r%rrrrr+s> r+N) subprocessrrZconfiggeneratorrrr+rrrrs PKեe[/$~~?python/policygenerators/__pycache__/gnutls.cpython-36.opt-1.pycnu[3 ."d@sDddlmZmZddlmZddlZddlmZGdddeZdS))callCalledProcessError)mkstempN)ConfigGeneratorc@seZdZdZdddhZdddddd d Zd d d dddddddd Zddddddddddd d!d"d#d$d%d&d'd(d)d*d+Zd,d-d.Zddd/d0d1d2d3d4d5d6d7d8d9d:d;d<Z d=d>d?Z d@dAdBdCddddDZ dEdFdGdHdIdJdKdLZ e dMdNZe dOdPZdQS)RGnuTLSGeneratorZgnutlsZtlsZsslz-AEADz-SHA1z-MD5z-SHA256z-SHA384z-SHA512)ZAEADz HMAC-SHA1zHMAC-MD5z HMAC-SHA2-256z HMAC-SHA2-384z HMAC-SHA2-512z -GROUP-X448z -GROUP-X25519z-GROUP-SECP256R1z-GROUP-SECP384R1z-GROUP-SECP521R1z-GROUP-FFDHE2048z-GROUP-FFDHE3072z-GROUP-FFDHE4096z-GROUP-FFDHE8192) ZX448ZX25519Z SECP256R1Z SECP384R1Z SECP521R1z FFDHE-6144z FFDHE-2048z FFDHE-3072z FFDHE-4096z FFDHE-8192z -SIGN-RSA-MD5z-SIGN-RSA-SHA1z-SIGN-DSA-SHA1z-SIGN-ECDSA-SHA1z-SIGN-RSA-SHA224z-SIGN-DSA-SHA224z-SIGN-ECDSA-SHA224z-SIGN-RSA-SHA256z-SIGN-DSA-SHA256z-SIGN-ECDSA-SHA256z-SIGN-RSA-SHA384z-SIGN-DSA-SHA384z-SIGN-ECDSA-SHA384z-SIGN-RSA-SHA512z-SIGN-DSA-SHA512z-SIGN-ECDSA-SHA512z.-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-RSAE-SHA256z.-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-RSAE-SHA384z.-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA512z-SIGN-EDDSA-ED448z-SIGN-EDDSA-ED25519)zRSA-MD5zRSA-SHA1zDSA-SHA1z ECDSA-SHA1z RSA-SHA2-224z DSA-SHA2-224zECDSA-SHA2-224z RSA-SHA2-256z DSA-SHA2-256zECDSA-SHA2-256z RSA-SHA2-384z DSA-SHA2-384zECDSA-SHA2-384z RSA-SHA2-512z DSA-SHA2-512zECDSA-SHA2-512zRSA-PSS-SHA2-256zRSA-PSS-SHA2-384zRSA-PSS-SHA2-512z EDDSA-ED448z EDDSA-ED25519z+SIGN-DSA-SHA1z+SIGN-RSA-SHA1)zDSA-SHA1zRSA-SHA1z -AES-256-GCMz -AES-128-GCMz -AES-256-CCMz -AES-128-CCMz -AES-256-CBCz -AES-128-CBCz-CAMELLIA-256-GCMz-CAMELLIA-128-GCMz-CAMELLIA-256-CBCz-CAMELLIA-128-CBCz-CHACHA20-POLY1305z -3DES-CBCz -ARCFOUR-128)z AES-256-CTRz AES-128-CTRz AES-256-GCMz AES-128-GCMz AES-256-CCMz AES-128-CCMz AES-256-CBCz 
AES-128-CBCzCAMELLIA-256-GCMzCAMELLIA-128-GCMzCAMELLIA-256-CBCzCAMELLIA-128-CBCzCHACHA20-POLY1305z3DES-CBCzRC4-128z +3DES-CBCz +ARCFOUR-128)z3DES-CBCzRC4-128z+RSAz+ECDHE-RSA:+ECDHE-ECDSAz+DHE-RSAz+DHE-DSS)ZRSAZECDHEzDHE-RSAzDHE-DSSZPSKzDHE-PSKz ECDHE-PSKz -VERS-SSL3.0z -VERS-TLS1.0z -VERS-TLS1.1z -VERS-TLS1.2z -VERS-TLS1.3z -VERS-DTLS1.0z -VERS-DTLS1.2)zSSL3.0zTLS1.0zTLS1.1zTLS1.2zTLS1.3zDTLS1.0zDTLS1.2c Cszd}|j}|j}|drb|j|d}x<|dD]0}y|j||j|}Wq.tk r\Yq.Xq.W|dr|j|d}x<|dD]0}y|j||j|}Wqtk rYqXqW|drL|j|d}x>|dD]2}y|j||j|}Wqtk rYqXqWx@|dD]4}y|j||j|}Wntk rDYnXqW|jdrd|j|d }|d r|j|d }x@|d D]4}y|j||j |}Wntk rYnXqWx@|d D]4}y|j||j |}Wntk rYnXqWx@|d D]4}y|j||j |}Wntk r8YnXqW|d r|j|d}x@|d D]4}y|j||j |}Wntk rYnXq`W|j|d}|jd}|jd}|dks|dkr|j|d}n|dks|dkr|j|d}nr|dks|dkr|j|d}nP|dks2|dkr@|j|d}n.|dksT|dkrb|j|d}n |j|d}|d7}|S)Nz SYSTEM=NONEZmacz+MAC-ALLgroupz +GROUP-ALLZsignz +SIGN-ALLZ sha1_in_certsz%VERIFY_ALLOW_SIGN_WITH_SHA1Zcipherz +CIPHER-ALLZ key_exchangeZprotocolz+VERS-ALL:-VERS-DTLS0.9z +COMP-NULL min_rsa_size min_dh_sizeiz%PROFILE_VERY_WEAKiz %PROFILE_LOWiz%PROFILE_MEDIUMi z %PROFILE_HIGHi z%PROFILE_ULTRAz%PROFILE_FUTURE ) ZenabledZdisabledappend mac_not_mapKeyError group_not_map sign_not_maplegacy_sign_mapZintegerscipher_not_mapcipher_force_mapkey_exchange_mapprotocol_not_map)clsZpolicyspZipir r r=./usr/share/crypto-policies/python/policygenerators/gnutls.pygenerate_configqs                      zGnuTLSGenerator.generate_configcCstjdtjsdSt\}}d}z^tj|d}|j|WdQRXytd|ddd}Wntk rz|jdYnXWdtj |X|r|jd |jd |d SdS) Nz/usr/bin/gnutls-cliTwz(/usr/bin/gnutls-cli -l --priority $(cat z3 | sed 's/SYSTEM=//g' | tr --delete ' ') >/dev/null)shellz%/usr/bin/gnutls-cli: Execution failedz,There is an error in gnutls generated policyz Policy: %sF) osaccessX_OKrfdopenwriterrZeprintunlink)rconfigfdpathZretfrrr test_configs&    zGnuTLSGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESrrrrrrrr classmethodrr+rrrrrs  Vr) subprocessrrZtempfilerr!Zconfiggeneratorrrrrrrs  
PKեe[oc77?python/policygenerators/__pycache__/libssh.cpython-36.opt-1.pycnu[3 ."d@s ddlmZGdddeZdS))ConfigGeneratorc@seZdZdZddhZddddddd dddddd d d dddddd dZdddddddZdddddddZdddddddddd Zd d!d"Z d#d$d%d&d'd(d)d*d+Z d,d-d.d/d0d1d2d3d+Z e d4d5Z e d6d7Zd8S)9LibsshGeneratorZlibsshZsshzaes256-gcm@openssh.comz aes256-ctrz aes192-ctrzaes128-gcm@openssh.comz aes128-ctrzchacha20-poly1305@openssh.comz aes256-cbcz aes192-cbcz aes128-cbcz3des-cbc)z AES-256-GCMz AES-256-CTRz AES-192-GCMz AES-192-CTRz AES-128-GCMz AES-128-CTRzCHACHA20-POLY1305zCAMELLIA-256-GCMz AES-256-CCMz AES-192-CCMz AES-128-CCMzCAMELLIA-128-GCMz AES-256-CBCz AES-192-CBCz AES-128-CBCzCAMELLIA-256-CBCzCAMELLIA-128-CBCzRC4-128zDES-CBCzCAMELLIA-128-CTSz3DES-CBCzhmac-sha1-etm@openssh.comzhmac-sha2-256-etm@openssh.comzhmac-sha2-512-etm@openssh.com)zHMAC-MD5zUMAC-64zUMAC-128z HMAC-SHA1z HMAC-SHA2-256z HMAC-SHA2-512z hmac-sha1z hmac-sha2-256z hmac-sha2-512zecdh-sha2-nistp521zecdh-sha2-nistp384zecdh-sha2-nistp256z.curve25519-sha256,curve25519-sha256@libssh.orgzdiffie-hellman-group1-sha1zdiffie-hellman-group14-sha1zdiffie-hellman-group14-sha256zdiffie-hellman-group16-sha512zdiffie-hellman-group18-sha512) zECDHE-SECP521R1-SHA2-512zECDHE-SECP384R1-SHA2-384zECDHE-SECP256R1-SHA2-256zECDHE-X25519-SHA2-256zDHE-FFDHE-1024-SHA1zDHE-FFDHE-2048-SHA1zDHE-FFDHE-2048-SHA2-256zDHE-FFDHE-4096-SHA2-512zDHE-FFDHE-8192-SHA2-512z"diffie-hellman-group-exchange-sha1z$diffie-hellman-group-exchange-sha256)zDHE-SHA1z DHE-SHA2-256zssh-rsazssh-dssz rsa-sha2-256z rsa-sha2-512zecdsa-sha2-nistp256zecdsa-sha2-nistp384zecdsa-sha2-nistp521z ssh-ed25519)zRSA-SHA1zDSA-SHA1z RSA-SHA2-256z RSA-SHA2-512zECDSA-SHA2-256zECDSA-SHA2-384zECDSA-SHA2-512z EDDSA-ED25519zssh-rsa-cert-v01@openssh.comzssh-dss-cert-v01@openssh.comz!rsa-sha2-256-cert-v01@openssh.comz!rsa-sha2-512-cert-v01@openssh.comz(ecdsa-sha2-nistp256-cert-v01@openssh.comz(ecdsa-sha2-nistp384-cert-v01@openssh.comz(ecdsa-sha2-nistp521-cert-v01@openssh.comz ssh-ed25519-cert-v01@openssh.comc 
Cs|j}d}d}d}x>|dD]2}y|j||j||}Wqtk rLYqXqW|rf|d|d7}d}|jdrx>|dD]2}y|j||j||}Wq~tk rYq~Xq~Wx>|dD]2}y|j||j||}Wqtk rYqXqW|r |d|d7}d}x|d D]}x|d D]}|jd d krvy$|j|d |} |j|| |}Wntk rtYnXxV|dD]J} y,|j|d | d |} |j|| |}Wntk rYnXqWq&WqW|r|d|d7}d}x~|dD]r}y|j||j ||}Wntk r0YnX|jdry|j||j ||}Wntk rlYnXqW|r|d|d7}|d|d7}|S)Nr,ZcipherzCiphers  Zssh_etmZmaczMACs Z key_exchangehashZarbitrary_dh_groupsr-groupzKexAlgorithms ZsignZ ssh_certszHostKeyAlgorithms zPubkeyAcceptedKeyTypes ) Zenabledappend cipher_mapKeyErrorZintegers mac_map_etmmac_mapgx_mapkx_mapsign_mapsign_map_certs) clsZpolicypZcfgsepsiZkxhvalgr=./usr/share/crypto-policies/python/policygenerators/libssh.pygenerate_config^sr      zLibsshGenerator.generate_configcCsdS)NTr)rconfigrrr test_configszLibsshGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESr r rrrrr classmethodrrrrrrr s ErN)Zconfiggeneratorrrrrrrs PKեe[˿Hpython/policygenerators/__pycache__/configgenerator.cpython-36.opt-1.pycnu[3 ."d@sddlZGdddZdS)Nc@s*eZdZdZedddZeddZdS) ConfigGenerator:cCs|r|r|||S|S|S)N)svalseprrF./usr/share/crypto-policies/python/policygenerators/configgenerator.pyappend s  zConfigGenerator.appendcOst|dtji|dS)Nfile)printsysstderr)argskwargsrrr eprintszConfigGenerator.eprintN)r)__name__ __module__ __qualname__Z RELOAD_CMD staticmethodr rrrrr r s r)r rrrrr sPKեe[77python/policygenerators/__pycache__/bind.cpython-36.pycnu[3 ."d@sDddlmZmZddlmZddlZddlmZGdddeZdS)) check_outputCalledProcessError)mkstempN)ConfigGeneratorc @sXeZdZdZddhZdZdddddddd dZdddddZeddZ eddZ dS)! 
BindGeneratorZbindZdnssecz>systemctl try-reload-or-restart bind.service 2>/dev/null || : DSANSEC3DSARSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512ECDSAP256SHA256ECDSAP384SHA384ED25519ED448)zDSA-SHA1zRSA-SHA1z RSA-SHA2-256z RSA-SHA2-512zECDSA-SHA2-256zECDSA-SHA2-384z EDDSA-ED25519z EDDSA-ED448zSHA-1zSHA-256zSHA-384GOST)ZSHA1zSHA2-256zSHA2-384rc Cs |j}d}|d7}|d7}|d7}xL|dD]@}y&x |j|D]}||d7}q>WWq,tk rjYq,Xq,Wd|dkrd|d kr|d 7}d |dkrd |d kr|d 7}|d7}|d7}x>|dD]2}y||j|d7}Wqtk rYqXqW|d7}|S)Nzdisable-algorithms "." { zRSAMD5; z ECCGOST; Zsignz; z ECDSA-SHA256Z SECP256R1groupzECDSAP256SHA256; z ECDSA-SHA384Z SECP384R1zECDSAP384SHA384; z}; zdisable-ds-digests "." { hash)Zdisabled sign_not_mapKeyError hash_not_map)clsZpolicyZipsiZ disabled_signr;./usr/share/crypto-policies/python/policygenerators/bind.pygenerate_config%s0  zBindGenerator.generate_configcCst\}}ztj|d$}|jd|j||jdWdQRXytd|g}Wn>tk r~|jd|jd|dStk rYnXWdtj|XdS) Nwz options { z }; z/usr/sbin/named-checkconfz*There is an error in bind generated policyz Policy: %sFT) rosfdopenwriterrZeprintOSErrorunlink)rconfigfdpathf_rrr test_configCs       zBindGenerator.test_configN)rr )r r )r )r )r)r)r)r) __name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESZ RELOAD_CMDrr classmethodrr*rrrrr s" r) subprocessrrZtempfilerr Zconfiggeneratorrrrrrrs  PKեe[9 =python/policygenerators/__pycache__/java.cpython-36.opt-1.pycnu[3 ."dS@s ddlmZGdddeZdS))ConfigGeneratorc@seZdZdZdddhZddddd d d d d ddd ZdddddddddddddddddddddddZdddZdd d!d"d#d$d%d&dddd' Zd(dddd)Z d*d+d,d-d.ddd/Z dd0d1d2d3d4d5Z e d6d7Z e d8d9Zd:S); JavaGeneratorjavaZtlsZsslzjava-tlsMD2MD5SHA1ZSHA224ZSHA256ZSHA384ZSHA512ZSHA3_256ZSHA3_384ZSHA3_512) rrrzSHA2-224zSHA2-256zSHA2-384zSHA2-512zSHA3-256zSHA3-384zSHA3-512ZGOSTZ AES_256_CBCZ AES_128_CBCZ AES_256_GCMZ AES_128_GCMZ AES_256_CCMZ AES_128_CCMZRC4_128ZRC4_40ZRC2ZDES_CBCZ DES40_CBCZ 3DES_EDE_CBC)z AES-256-CTRz AES-128-CTRzCHACHA20-POLY1305zCAMELLIA-256-GCMzCAMELLIA-128-GCMzCAMELLIA-256-CBCzCAMELLIA-128-CBCz AES-256-CBCz AES-128-CBCz AES-256-GCMz 
AES-128-GCMz AES-256-CCMz AES-128-CCMzRC4-128zRC4-40zRC2-CBCzDES-CBCz DES40-CBCz3DES-CBCzSEED-CBCzIDEA-CBCZNULL)zRC4-128z3DES-CBCzHRSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORTzDH_RSA, DH_DSSzDH_anon, ECDH_anonzTLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256ZDHE_RSAZDHE_DSSECDHEECDH) ZEXPORTZDHZANONZRSAzDHE-RSAzDHE-DSSr r ZPSKzDHE-PSKz ECDHE-PSKZDSA)zDSA-SHA1zRSA-SHA1z ECDSA-SHA1zRSA-MD5ZSSLv2ZSSLv3ZTLSv1zTLSv1.1zTLSv1.2)zSSL2.0zSSL3.0zTLS1.0zTLS1.1zTLS1.2zDTLS1.0zDTLS1.2ZHmacMD5ZHmacSHA1Z HmacSHA256Z HmacSHA384Z HmacSHA512)ZAEADzHMAC-MD5z HMAC-SHA1z HMAC-SHA2-256z HMAC-SHA2-384z HMAC-SHA2-512c Cs|j}|j}d}dt|jdd}|d7}d}|j|d|}x>|dD]2}y|j||j||}WqJtk rzYqJXqJWx>|d D]2}y|j||j||}Wqtk rYqXqW|j|d t|jd |}||7}|d 7}d}|j|d t|jd|}xB|dD]6}y|j||j||}Wntk rHYnXqWxB|dD]6}y|j||j ||}Wntk rYnXqZWxB|dD]6}y|j||j ||}Wntk rYnXqWxB|dD]6}y|j||j ||}Wntk rYnXqW||7}|d7}d}xB|dD]6}y|j||j ||}Wntk rlYnXq:W||7}|d7}|S)Nz, zjdk.tls.ephemeralDHKeySize=Z min_dh_size z jdk.certpath.disabledAlgorithms=rrhashZsignzRSA keySize < Z min_rsa_sizez jdk.tls.disabledAlgorithms=z DH keySize < ZprotocolZ key_exchangeZcipherZmacz jdk.tls.legacyAlgorithms=) ZenabledZdisabledstrZintegersappend hash_not_mapKeyError sign_not_mapprotocol_not_mapkey_exchange_not_mapcipher_not_map mac_not_mapcipher_legacy_map)clsZpolicypZipsepZcfgsir;./usr/share/crypto-policies/python/policygenerators/java.pygenerate_configbsj       zJavaGenerator.generate_configcCsdS)NTr)rconfigrrr test_configszJavaGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESrrrrrrr classmethodrr rrrrr s  GrN)Zconfiggeneratorrrrrrrs PKեe[˿Bpython/policygenerators/__pycache__/configgenerator.cpython-36.pycnu[3 ."d@sddlZGdddZdS)Nc@s*eZdZdZedddZeddZdS) ConfigGenerator:cCs|r|r|||S|S|S)N)svalseprrF./usr/share/crypto-policies/python/policygenerators/configgenerator.pyappend s  
zConfigGenerator.appendcOst|dtji|dS)Nfile)printsysstderr)argskwargsrrr eprintszConfigGenerator.eprintN)r)__name__ __module__ __qualname__Z RELOAD_CMD staticmethodr rrrrr r s r)r rrrrr sPKեe[F900=python/policygenerators/__pycache__/krb5.cpython-36.opt-1.pycnu[3 ."dp@s ddlmZGdddeZdS))ConfigGeneratorc@sJeZdZdZddhZddddZdddd d Zed d Zed dZ dS) KRB5GeneratorZkrb5Zkerberoszcamellia256-cts-cmaczcamellia128-cts-cmac)zCAMELLIA-256-CBCzCAMELLIA-128-CBCzCAMELLIA-128-CTSzaes256-cts-hmac-sha1-96zaes256-cts-hmac-sha384-192zaes128-cts-hmac-sha1-96zaes128-cts-hmac-sha256-128)zAES-256-CBC-HMAC-SHA1zAES-256-CBC-HMAC-SHA2-384zAES-128-CBC-HMAC-SHA1zAES-128-CBC-HMAC-SHA2-256c Cs|j}d}d}|d7}d}xX|dD]L}xF|dD]:}y |j||j|d||}Wq2tk rjYq2Xq2Wq$Wx>|dD]2}y|j||j||}Wq~tk rYq~Xq~Wd|dkrd |dkr|j|d |}||d 7}|jd d kr|d7}|S)N z[libdefaults] zpermitted_enctypes = ZmacZcipher-zRC4-128zHMAC-MD5zarcfour-hmac-md5 Z min_dh_sizeizpkinit_dh_min_bits=4096 )Zenabledappendcipher_mac_mapKeyError cipher_mapZintegers)clsZpolicypsepZcfgsjir;./usr/share/crypto-policies/python/policygenerators/krb5.pygenerate_configs,   zKRB5Generator.generate_configcCsdS)NTr)r configrrr test_config<szKRB5Generator.test_configN) __name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESr r classmethodrrrrrrr s !rN)Zconfiggeneratorrrrrrrs PKեe[[@python/policygenerators/__pycache__/openssl.cpython-36.opt-1.pycnu[3 ."d@s@ddlmZmZddlmZGdddeZGdddeZdS) ) check_outputCalledProcessError)ConfigGeneratorc@seZdZdZdddhZdddddddd d d ddd d dddZddddddddZddddddddddd Zd d!d"Zd#d$d%d&d'd(Z e d)d*Z e d+d,Z e d-d.Z e d/d0Zd1S)2OpenSSLGeneratoropensslZtlsZsslz-AES256z-AES128z-SHA256z -CHACHA20z-SEEDz!IDEAz!DESz-3DESz!RC4z!RC2z !eNULL:!aNULL)z AES-256-CTRz AES-128-CTRz AES-256-GCMz AES-128-GCMz AES-256-CBCz AES-128-CBCzCHACHA20-POLY1305zSEED-CBCzIDEA-CBCzDES-CBCzRC4-40z DES40-CBCz3DES-CBCzRC4-128zRC2-CBCZNULLZkRSAZkEECDHZkPSKZkDHEPSKZkEDHZ kECDHEPSK)RSAECDHEPSKzDHE-PSKzDHE-RSAzDHE-DSSz ECDHE-PSKz-kRSAz-kEECDHz-aRSAz-aDSSz-kPSKz-kDHEPSKz -kECDHEPSK) ZANONZDHZECDHr r 
zDHE-RSAzDHE-DSSr zDHE-PSKz ECDHE-PSKz!MD5z-SHA1)zHMAC-MD5z HMAC-SHA1ZTLS_AES_256_GCM_SHA384ZTLS_AES_128_GCM_SHA256ZTLS_CHACHA20_POLY1305_SHA256ZTLS_AES_128_CCM_SHA256ZTLS_AES_128_CCM_8_SHA256)z AES-256-GCMz AES-128-GCMzCHACHA20-POLY1305z AES-128-CCMz AES-128-CCM8c Csd}|j}|j}|jd}|jd}|dks4|dkrB|j|d}nH|dksR|dkr`|j|d}n*|dksp|dkr~|j|d }n |j|d }x<|d D]0}y|j||j|}Wqtk rYqXqWx>|d D]2}y|j||j|}Wqtk rYqXqWx@|d D]4}y|j||j|}Wntk rBYnXqWd |d krrd|d krr|j|d}x@|dD]4}y|j||j|}Wntk rYnXq|W|j|d}|j|d}|j|d}|j|d}|S)Nr min_dh_size min_rsa_sizeiz @SECLEVEL=0iz @SECLEVEL=1i z @SECLEVEL=2z @SECLEVEL=3Z key_exchangecipherz AES-128-CCMz AES-256-CCMz-AESCCMZmacz-SHA384z -CAMELLIAz-ARIAz-AESCCM8) enabledZdisabledZintegersappendkey_exchange_mapKeyErrorkey_exchange_not_mapcipher_not_map mac_not_map)clspolicyspZipr r ir>./usr/share/crypto-policies/python/policygenerators/openssl.pygenerate_ciphersFsN            z!OpenSSLGenerator.generate_ciphersc CsLd}|j}x<|dD]0}y|j||j|}Wqtk rBYqXqW|S)Nrr)rrciphersuite_mapr)rrrrrrrrgenerate_ciphersuites{s z&OpenSSLGenerator.generate_ciphersuitescCs |j|S)N)r)rrrrrgenerate_configsz OpenSSLGenerator.generate_configc Csd}ytdd|g}Wn>tk rB|jd|jd|dStk rTdSXd|ksfd |kr|jd |jd |dSdS) NrZciphersz-There is an error in openssl generated policyz policy: %sFTsNULLsADHz0There is NULL or ADH in openssl generated policyz Policy: %s)rrZeprintOSError)rconfigoutputrrr test_configs  zOpenSSLGenerator.test_configN)__name__ __module__ __qualname__ CONFIG_NAMEZSCOPESrrrrr classmethodrrr r%rrrrr s\  5 rc@sleZdZdZdddddddd d Zd d d ddddddddddddddddddZed d!Zed"d#Zd$S)%OpenSSLConfigGeneratorZ opensslcnfrZSSLv3ZTLSv1zTLSv1.1zTLSv1.2zTLSv1.3ZDTLSv1zDTLSv1.2)NzSSL3.0zTLS1.0zTLS1.1zTLS1.2zTLS1.3zDTLS1.0zDTLS1.2zRSA+SHA1zDSA+SHA1z ECDSA+SHA1z RSA+SHA224z DSA+SHA224z ECDSA+SHA224z RSA+SHA256z DSA+SHA256z ECDSA+SHA256z RSA+SHA384z DSA+SHA384z ECDSA+SHA384z RSA+SHA512z DSA+SHA512z 
ECDSA+SHA512z&rsa_pss_pss_sha256:rsa_pss_rsae_sha256z&rsa_pss_pss_sha384:rsa_pss_rsae_sha384z&rsa_pss_pss_sha512:rsa_pss_rsae_sha512Zed25519Zed448)zRSA-SHA1zDSA-SHA1z ECDSA-SHA1z RSA-SHA2-224z DSA-SHA2-224zECDSA-SHA2-224z RSA-SHA2-256z DSA-SHA2-256zECDSA-SHA2-256z RSA-SHA2-384z DSA-SHA2-384zECDSA-SHA2-384z RSA-SHA2-512z DSA-SHA2-512zECDSA-SHA2-512zRSA-PSS-SHA2-256zRSA-PSS-SHA2-384zRSA-PSS-SHA2-512z EDDSA-ED25519z EDDSA-ED448cs|j}d}|j|7}|d7}|d7}|j|7}|d7}|jrd|d7}|dj|jd7}|jr|d7}|dj|jd7}|jr|d7}|dj|jd7}|jr|d7}|dj|jd7}fd d |d D}|d d j|7}|S)NzCipherString =  zCiphersuites = zTLS.MinProtocol = zTLS.MaxProtocol =zDTLS.MinProtocol =zDTLS.MaxProtocol =cs g|]}|jkrj|qSr)sign_map).0r)rrr sz:OpenSSLConfigGenerator.generate_config..ZsignzSignatureAlgorithms = :) rrrZmin_tls_version protocol_mapZmax_tls_versionZmin_dtls_versionZmax_dtls_versionjoin)rrrrZsig_algsr)rrr s.  z&OpenSSLConfigGenerator.generate_configcCsdS)NTr)rr#rrrr%sz"OpenSSLConfigGenerator.test_configN) r&r'r(r)r2r.r*r r%rrrrr+s> r+N) subprocessrrZconfiggeneratorrrr+rrrrs PKեe[/$~~9python/policygenerators/__pycache__/gnutls.cpython-36.pycnu[3 ."d@sDddlmZmZddlmZddlZddlmZGdddeZdS))callCalledProcessError)mkstempN)ConfigGeneratorc@seZdZdZdddhZdddddd d Zd d d dddddddd Zddddddddddd d!d"d#d$d%d&d'd(d)d*d+Zd,d-d.Zddd/d0d1d2d3d4d5d6d7d8d9d:d;d<Z d=d>d?Z d@dAdBdCddddDZ dEdFdGdHdIdJdKdLZ e dMdNZe dOdPZdQS)RGnuTLSGeneratorZgnutlsZtlsZsslz-AEADz-SHA1z-MD5z-SHA256z-SHA384z-SHA512)ZAEADz HMAC-SHA1zHMAC-MD5z HMAC-SHA2-256z HMAC-SHA2-384z HMAC-SHA2-512z -GROUP-X448z -GROUP-X25519z-GROUP-SECP256R1z-GROUP-SECP384R1z-GROUP-SECP521R1z-GROUP-FFDHE2048z-GROUP-FFDHE3072z-GROUP-FFDHE4096z-GROUP-FFDHE8192) ZX448ZX25519Z SECP256R1Z SECP384R1Z SECP521R1z FFDHE-6144z FFDHE-2048z FFDHE-3072z FFDHE-4096z FFDHE-8192z 
-SIGN-RSA-MD5z-SIGN-RSA-SHA1z-SIGN-DSA-SHA1z-SIGN-ECDSA-SHA1z-SIGN-RSA-SHA224z-SIGN-DSA-SHA224z-SIGN-ECDSA-SHA224z-SIGN-RSA-SHA256z-SIGN-DSA-SHA256z-SIGN-ECDSA-SHA256z-SIGN-RSA-SHA384z-SIGN-DSA-SHA384z-SIGN-ECDSA-SHA384z-SIGN-RSA-SHA512z-SIGN-DSA-SHA512z-SIGN-ECDSA-SHA512z.-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-RSAE-SHA256z.-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-RSAE-SHA384z.-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA512z-SIGN-EDDSA-ED448z-SIGN-EDDSA-ED25519)zRSA-MD5zRSA-SHA1zDSA-SHA1z ECDSA-SHA1z RSA-SHA2-224z DSA-SHA2-224zECDSA-SHA2-224z RSA-SHA2-256z DSA-SHA2-256zECDSA-SHA2-256z RSA-SHA2-384z DSA-SHA2-384zECDSA-SHA2-384z RSA-SHA2-512z DSA-SHA2-512zECDSA-SHA2-512zRSA-PSS-SHA2-256zRSA-PSS-SHA2-384zRSA-PSS-SHA2-512z EDDSA-ED448z EDDSA-ED25519z+SIGN-DSA-SHA1z+SIGN-RSA-SHA1)zDSA-SHA1zRSA-SHA1z -AES-256-GCMz -AES-128-GCMz -AES-256-CCMz -AES-128-CCMz -AES-256-CBCz -AES-128-CBCz-CAMELLIA-256-GCMz-CAMELLIA-128-GCMz-CAMELLIA-256-CBCz-CAMELLIA-128-CBCz-CHACHA20-POLY1305z -3DES-CBCz -ARCFOUR-128)z AES-256-CTRz AES-128-CTRz AES-256-GCMz AES-128-GCMz AES-256-CCMz AES-128-CCMz AES-256-CBCz AES-128-CBCzCAMELLIA-256-GCMzCAMELLIA-128-GCMzCAMELLIA-256-CBCzCAMELLIA-128-CBCzCHACHA20-POLY1305z3DES-CBCzRC4-128z +3DES-CBCz +ARCFOUR-128)z3DES-CBCzRC4-128z+RSAz+ECDHE-RSA:+ECDHE-ECDSAz+DHE-RSAz+DHE-DSS)ZRSAZECDHEzDHE-RSAzDHE-DSSZPSKzDHE-PSKz ECDHE-PSKz -VERS-SSL3.0z -VERS-TLS1.0z -VERS-TLS1.1z -VERS-TLS1.2z -VERS-TLS1.3z -VERS-DTLS1.0z -VERS-DTLS1.2)zSSL3.0zTLS1.0zTLS1.1zTLS1.2zTLS1.3zDTLS1.0zDTLS1.2c Cszd}|j}|j}|drb|j|d}x<|dD]0}y|j||j|}Wq.tk r\Yq.Xq.W|dr|j|d}x<|dD]0}y|j||j|}Wqtk rYqXqW|drL|j|d}x>|dD]2}y|j||j|}Wqtk rYqXqWx@|dD]4}y|j||j|}Wntk rDYnXqW|jdrd|j|d }|d r|j|d }x@|d D]4}y|j||j |}Wntk rYnXqWx@|d D]4}y|j||j |}Wntk rYnXqWx@|d D]4}y|j||j |}Wntk r8YnXqW|d r|j|d}x@|d D]4}y|j||j |}Wntk rYnXq`W|j|d}|jd}|jd}|dks|dkr|j|d}n|dks|dkr|j|d}nr|dks|dkr|j|d}nP|dks2|dkr@|j|d}n.|dksT|dkrb|j|d}n |j|d}|d7}|S)Nz SYSTEM=NONEZmacz+MAC-ALLgroupz +GROUP-ALLZsignz +SIGN-ALLZ 
sha1_in_certsz%VERIFY_ALLOW_SIGN_WITH_SHA1Zcipherz +CIPHER-ALLZ key_exchangeZprotocolz+VERS-ALL:-VERS-DTLS0.9z +COMP-NULL min_rsa_size min_dh_sizeiz%PROFILE_VERY_WEAKiz %PROFILE_LOWiz%PROFILE_MEDIUMi z %PROFILE_HIGHi z%PROFILE_ULTRAz%PROFILE_FUTURE ) ZenabledZdisabledappend mac_not_mapKeyError group_not_map sign_not_maplegacy_sign_mapZintegerscipher_not_mapcipher_force_mapkey_exchange_mapprotocol_not_map)clsZpolicyspZipir r r=./usr/share/crypto-policies/python/policygenerators/gnutls.pygenerate_configqs                      zGnuTLSGenerator.generate_configcCstjdtjsdSt\}}d}z^tj|d}|j|WdQRXytd|ddd}Wntk rz|jdYnXWdtj |X|r|jd |jd |d SdS) Nz/usr/bin/gnutls-cliTwz(/usr/bin/gnutls-cli -l --priority $(cat z3 | sed 's/SYSTEM=//g' | tr --delete ' ') >/dev/null)shellz%/usr/bin/gnutls-cli: Execution failedz,There is an error in gnutls generated policyz Policy: %sF) osaccessX_OKrfdopenwriterrZeprintunlink)rconfigfdpathZretfrrr test_configs&    zGnuTLSGenerator.test_configN)__name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESrrrrrrrr classmethodrr+rrrrrs  Vr) subprocessrrZtempfilerr!Zconfiggeneratorrrrrrrs  PKեe[7=python/policygenerators/__pycache__/bind.cpython-36.opt-1.pycnu[3 ."d@sDddlmZmZddlmZddlZddlmZGdddeZdS)) check_outputCalledProcessError)mkstempN)ConfigGeneratorc @sXeZdZdZddhZdZdddddddd dZdddddZeddZ eddZ dS)! BindGeneratorZbindZdnssecz>systemctl try-reload-or-restart bind.service 2>/dev/null || : DSANSEC3DSARSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512ECDSAP256SHA256ECDSAP384SHA384ED25519ED448)zDSA-SHA1zRSA-SHA1z RSA-SHA2-256z RSA-SHA2-512zECDSA-SHA2-256zECDSA-SHA2-384z EDDSA-ED25519z EDDSA-ED448zSHA-1zSHA-256zSHA-384GOST)ZSHA1zSHA2-256zSHA2-384rc Cs |j}d}|d7}|d7}|d7}xL|dD]@}y&x |j|D]}||d7}q>WWq,tk rjYq,Xq,Wd|dkrd|d kr|d 7}d |dkrd |d kr|d 7}|d7}|d7}x>|dD]2}y||j|d7}Wqtk rYqXqW|d7}|S)Nzdisable-algorithms "." { zRSAMD5; z ECCGOST; Zsignz; z ECDSA-SHA256Z SECP256R1groupzECDSAP256SHA256; z ECDSA-SHA384Z SECP384R1zECDSAP384SHA384; z}; zdisable-ds-digests "." 
{ hash)Zdisabled sign_not_mapKeyError hash_not_map)clsZpolicyZipsiZ disabled_signr;./usr/share/crypto-policies/python/policygenerators/bind.pygenerate_config%s0  zBindGenerator.generate_configcCst\}}ztj|d$}|jd|j||jdWdQRXytd|g}Wn>tk r~|jd|jd|dStk rYnXWdtj|XdS) Nwz options { z }; z/usr/sbin/named-checkconfz*There is an error in bind generated policyz Policy: %sFT) rosfdopenwriterrZeprintOSErrorunlink)rconfigfdpathf_rrr test_configCs       zBindGenerator.test_configN)rr )r r )r )r )r)r)r)r) __name__ __module__ __qualname__Z CONFIG_NAMEZSCOPESZ RELOAD_CMDrr classmethodrr*rrrrr s" r) subprocessrrZtempfilerr Zconfiggeneratorrrrrrrs  PKեe[b!@python/policygenerators/__pycache__/openssh.cpython-36.opt-1.pycnu[3 ."d @sdddlmZmZddlmZddlZddlmZGdddeZGdd d eZ Gd d d eZ dS) )callCalledProcessError)mkstempN)ConfigGeneratorc@seZdZdZdddddddddddddd d dddddd d Zd ddddddZdddddddZddddddd d!d"d# Zd$d%d&Zd'd(d)d*d+d,d-d.Z d/d0d1d2d3d4d5d6d7Z d8d9d:d;dd?d7Z e d@dAZ dBS)COpenSSHGeneratorzaes256-gcm@openssh.comz aes256-ctrz aes192-ctrzaes128-gcm@openssh.comz aes128-ctrzchacha20-poly1305@openssh.comz aes256-cbcz aes192-cbcz aes128-cbcz3des-cbc)z AES-256-GCMz AES-256-CTRz AES-192-GCMz AES-192-CTRz AES-128-GCMz AES-128-CTRzCHACHA20-POLY1305zCAMELLIA-256-GCMz AES-256-CCMz AES-192-CCMz AES-128-CCMzCAMELLIA-128-GCMz AES-256-CBCz AES-192-CBCz AES-128-CBCzCAMELLIA-256-CBCzCAMELLIA-128-CBCzRC4-128zDES-CBCzCAMELLIA-128-CTSz3DES-CBCzhmac-md5-etm@openssh.comzumac-64-etm@openssh.comzumac-128-etm@openssh.comzhmac-sha1-etm@openssh.comzhmac-sha2-256-etm@openssh.comzhmac-sha2-512-etm@openssh.com)zHMAC-MD5zUMAC-64zUMAC-128z HMAC-SHA1z HMAC-SHA2-256z HMAC-SHA2-512zhmac-md5zumac-64@openssh.comzumac-128@openssh.comz hmac-sha1z hmac-sha2-256z hmac-sha2-512zecdh-sha2-nistp521zecdh-sha2-nistp384zecdh-sha2-nistp256z.curve25519-sha256,curve25519-sha256@libssh.orgzdiffie-hellman-group1-sha1zdiffie-hellman-group14-sha1zdiffie-hellman-group14-sha256zdiffie-hellman-group16-sha512zdiffie-hellman-group18-sha512) 
zECDHE-SECP521R1-SHA2-512zECDHE-SECP384R1-SHA2-384zECDHE-SECP256R1-SHA2-256zECDHE-X25519-SHA2-256zDHE-FFDHE-1024-SHA1zDHE-FFDHE-2048-SHA1zDHE-FFDHE-2048-SHA2-256zDHE-FFDHE-4096-SHA2-512zDHE-FFDHE-8192-SHA2-512z"diffie-hellman-group-exchange-sha1z$diffie-hellman-group-exchange-sha256)zDHE-SHA1z DHE-SHA2-256z gss-gex-sha1-zgss-group1-sha1-zgss-group14-sha1-zgss-group14-sha256-zgss-nistp256-sha256-zgss-curve25519-sha256-zgss-group16-sha512-)z DHE-GSS-SHA1zDHE-GSS-FFDHE-1024-SHA1zDHE-GSS-FFDHE-2048-SHA1zDHE-GSS-FFDHE-2048-SHA2-256zECDHE-GSS-SECP256R1-SHA2-256zECDHE-GSS-X25519-SHA2-256zDHE-GSS-FFDHE-4096-SHA2-512zssh-rsazssh-dssz rsa-sha2-256z rsa-sha2-512zecdsa-sha2-nistp256zecdsa-sha2-nistp384zecdsa-sha2-nistp521z ssh-ed25519)zRSA-SHA1zDSA-SHA1z RSA-SHA2-256z RSA-SHA2-512zECDSA-SHA2-256zECDSA-SHA2-384zECDSA-SHA2-512z EDDSA-ED25519zssh-rsa-cert-v01@openssh.comzssh-dss-cert-v01@openssh.comz!rsa-sha2-256-cert-v01@openssh.comz!rsa-sha2-512-cert-v01@openssh.comz(ecdsa-sha2-nistp256-cert-v01@openssh.comz(ecdsa-sha2-nistp384-cert-v01@openssh.comz(ecdsa-sha2-nistp521-cert-v01@openssh.comz ssh-ed25519-cert-v01@openssh.comc&Cs|j}d}d}d}x>|dD]2} y|j||j| |}Wqtk rLYqXqW|rh||jjd|7}d}|jdrx>|dD]2} y|j||j| |}Wqtk rYqXqWx>|dD]2} y|j||j| |}Wqtk rYqXqW|r||jjd|7}d}d} xF|dD]8} x.|d D] } |jd ry$|j | d | } |j|| |}Wntk rYnXy"|| d | } |j| | |} Wntk rYnXx|d D]}y*|| d |d | } |j|| |}Wntk r YnXy*|| d |d | } |j| | |} Wntk rLYnXqWq4Wq"W| rz||jjd | 7}n||jjdd7}|r||jjd|7}d}x|dD]v} y|j||j | |}Wntk rYnX|jddkry|j||j | |}Wntk r$YnXqW|r\|rJ||jjd|7}||jjd|7}d}xB|dD]6} y|j||j | |}Wntk rYnXqjW|r||jjd|7}|S)Nr,ZcipherZCiphersZssh_etmZmacZMACsZ key_exchangehashZarbitrary_dh_groups-groupZGSSAPIKexAlgorithmsZGSSAPIKeyExchangenoZ KexAlgorithmsZsignZ ssh_certsrZHostKeyAlgorithmsZPubkeyAcceptedKeyTypesZCASignatureAlgorithms) Zenabledappend cipher_mapKeyError_FORMAT_STRINGformatZintegers mac_map_etmmac_mapgx_mapsign_mapsign_map_certs)clspolicy local_kx_maplocal_gss_kx_mapZ 
do_host_keypcfgsepsiZgssZkxhvalgr$>./usr/share/crypto-policies/python/policygenerators/openssh.pygenerate_optionsls       z!OpenSSHGenerator.generate_optionsN)__name__ __module__ __qualname__rrrrkx_mapr gss_kx_maprr classmethodr&r$r$r$r%rsrc@s6eZdZdZdddhZdZeddZeddZd S) OpenSSHClientGeneratoropensshsshzopenssh-clientz{0} {1} cCs$t|j}t|j}|j|||dS)NF)dictr*r+r&)rrrrr$r$r%generate_configs  z&OpenSSHClientGenerator.generate_configcCstjdtjsdSt\}}d}z^tj|d}|j|WdQRXytd|ddd}Wntk rz|jdYnXWdtj |X|r|jd |jd |d SdS) Nz /usr/bin/sshTwz/usr/bin/ssh -G -F z bogus654_server >/dev/null)shellz/usr/bin/ssh: Execution failedz-There is an error in OpenSSH generated policyz Policy: %sF) osaccessX_OKrfdopenwriterreprintunlink)rconfigfdpathretfr$r$r% test_configs&    z"OpenSSHClientGenerator.test_configN) r'r(r) CONFIG_NAMESCOPESrr,r1rAr$r$r$r%r-s   r-c@sReZdZdZdddhZdZdZeddZed d Z ed d Z ed dZ dS)OpenSSHServerGeneratorZ opensshserverr/r.zopenssh-serverz4systemctl try-restart sshd.service 2>/dev/null || : z -o{0}={1} cCsDt|j}t|j}|d=|d=|j|||d}|j}d|dS)NzDHE-FFDHE-1024-SHA1zDHE-GSS-FFDHE-1024-SHA1TzCRYPTO_POLICY='')r0r*r+r&rstrip)rrrrrr$r$r%r1s  z&OpenSSHServerGenerator.generate_configc Csft\}}tj|d}ytd|ddd}Wntk rN|jdYnX|rb|jddS|S) Nr2z&/usr/bin/ssh-keygen -t rsa -b 2048 -f z -N "" >/dev/nullT)r4z%/usr/bin/ssh-keygen: Execution failedz4SSH Keygen failed when testing OpenSSH server policyr)rr5r;rrr:)rZ_fdr>r?r$r$r% _test_setup s    z"OpenSSHServerGenerator._test_setupcCs|rtj|dS)N)r5r;)rr>r$r$r% _test_cleanupsz$OpenSSHServerGenerator._test_cleanupcCstjdtjsdS|j}|s"dSt\}}d}zftj|d}|j|WdQRXy td|d|ddd }Wntk r|j d YnXWdtj ||j |X|r|j d |j d |dSdS) Nz/usr/sbin/sshdTFr2r3z/usr/bin/bash -c 'source z( && /usr/sbin/sshd -T $CRYPTO_POLICY -h z -f /dev/null' >/dev/null)r4z /usr/sbin/sshd: Execution failedz4There is an error in OpenSSH server generated policyz Policy: %s) r5r6r7rGrr8r9rrr:r;rH)rr<Zhost_key_filenamer=r>r?r@r$r$r%rA#s0     z"OpenSSHServerGenerator.test_configN) r'r(r)rBrCZ 
RELOAD_CMDrr,r1rGrHrAr$r$r$r%rDs   rD) subprocessrrZtempfilerr5Zconfiggeneratorrrr-rDr$r$r$r%s  C(PKեe[R$$python/policygenerators/nss.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. # Copyright (c) 2019 Tomáš Mráz from subprocess import call, CalledProcessError from tempfile import mkstemp import ctypes import ctypes.util import os from .configgenerator import ConfigGenerator class NSSGenerator(ConfigGenerator): CONFIG_NAME = 'nss' SCOPES = {'tls', 'ssl', 'nss'} mac_map = { 'AEAD':'', 'HMAC-SHA1':'HMAC-SHA1', 'HMAC-MD5':'HMAC-MD5', 'HMAC-SHA2-256':'HMAC-SHA256', 'HMAC-SHA2-384':'HMAC-SHA384', 'HMAC-SHA2-512':'HMAC-SHA512' } hash_map = { 'SHA1':'SHA1', 'MD5':'MD5', 'SHA2-224':'SHA224', 'SHA2-256':'SHA256', 'SHA2-384':'SHA384', 'SHA2-512':'SHA512', 'SHA3-256':'', 'SHA3-384':'', 'SHA3-512':'', 'GOST':'' } curve_map = { 'X25519':'CURVE25519', 'X448':'', 'SECP256R1':'SECP256R1', 'SECP384R1':'SECP384R1', 'SECP521R1':'SECP521R1' } cipher_map = { 'AES-256-CTR':'', 'AES-128-CTR':'', 'RC2-CBC':'rc2', 'RC4-128':'rc4', 'AES-256-GCM':'aes256-gcm', 'AES-128-GCM':'aes128-gcm', 'AES-256-CBC':'aes256-cbc', 'AES-128-CBC':'aes128-cbc', 'CAMELLIA-256-CBC':'camellia256-cbc', 'CAMELLIA-128-CBC':'camellia128-cbc', 'CAMELLIA-256-GCM':'', 'CAMELLIA-128-GCM':'', 'AES-256-CCM':'', 'AES-128-CCM':'', 'CHACHA20-POLY1305':'chacha20-poly1305', '3DES-CBC':'des-ede3-cbc' } key_exchange_map = { 'PSK':'', 'DHE-PSK':'', 'ECDHE-PSK':'', 'RSA':'RSA', 'DHE-RSA':'DHE-RSA', 'DHE-DSS':'DHE-DSS', 'ECDHE':'ECDHE-RSA:ECDHE-ECDSA', 'ECDH':'ECDH-RSA:ECDH-ECDSA', 'DH':'DH-RSA:DH-DSS' } protocol_map = { 'SSL3.0':'ssl3.0', 'TLS1.0':'tls1.0', 'TLS1.1':'tls1.1', 'TLS1.2':'tls1.2', 'TLS1.3':'tls1.3', 'DTLS1.0':'dtls1.0', 'DTLS1.2':'dtls1.2' } # Depends on a dict being ordered, # impl. detail in CPython 3.6, guaranteed starting from Python 3.7. 
sign_prefix_ordmap = { 'RSA-PSS-':'RSA-PSS', # must come before RSA- 'RSA-':'RSA-PKCS', 'ECDSA-':'ECDSA', 'DSA-':'DSA', } @classmethod def generate_config(cls, policy): p = policy.enabled cfg = 'library=\n' cfg += 'name=Policy\n' cfg += 'NSS=flags=policyOnly,moduleDB\n' cfg += 'config="disallow=ALL allow=' s = '' for i in p['mac']: try: s = cls.append(s, cls.mac_map[i]) except KeyError: pass for i in p['group']: try: s = cls.append(s, cls.curve_map[i]) except KeyError: pass for i in p['cipher']: try: s = cls.append(s, cls.cipher_map[i]) except KeyError: pass for i in p['hash']: try: s = cls.append(s, cls.hash_map[i]) except KeyError: pass for i in p['key_exchange']: try: s = cls.append(s, cls.key_exchange_map[i]) except KeyError: pass dsa = [i for i in p['sign'] if i.find('DSA-') == 0] if dsa: s = cls.append(s, 'DSA') enabled_sigalgs = set() for i in p['sign']: for prefix, sigalg in cls.sign_prefix_ordmap.items(): if i.startswith(prefix): if sigalg not in enabled_sigalgs: enabled_sigalgs.add(sigalg) s = cls.append(s, sigalg) break # limit to first match if policy.min_tls_version: minver = cls.protocol_map[policy.min_tls_version] s = cls.append(s, 'tls-version-min=' + minver) else: # FIXME, preserving behaviour, but this is wrong s = cls.append(s, 'tls-version-min=0') if policy.min_dtls_version: minver = cls.protocol_map[policy.min_dtls_version] s = cls.append(s, 'dtls-version-min=' + minver) else: # FIXME, preserving behaviour, but this is wrong s = cls.append(s, 'dtls-version-min=0') s = cls.append(s, 'DH-MIN=' + str(policy.integers['min_dh_size'])) s = cls.append(s, 'DSA-MIN=' + str(policy.integers['min_dsa_size'])) s = cls.append(s, 'RSA-MIN=' + str(policy.integers['min_rsa_size'])) cfg += s + '"\n\n\n' return cfg @classmethod def test_config(cls, config): try: nss_path = ctypes.util.find_library('nss3') nss_lib = ctypes.CDLL(nss_path) if not nss_lib.NSS_VersionCheck(b'3.66'): # Cannot validate with pre-3.59 NSS # that doesn't know ECDSA/RSA-PSS/RSA-PKCS # 
identifiers yet. Checking for 3.66 because # that's what we'll have in RHEL-8.5. cls.eprint('Skipping nss-policy-check due to ' 'nss being older than 3.66') return True except AttributeError: cls.eprint('Cannot determine nss version with ctypes') if not os.access('/usr/bin/nss-policy-check', os.X_OK): return True fd, path = mkstemp() ret = 255 try: with os.fdopen(fd, 'w') as f: f.write(config) try: ret = call('/usr/bin/nss-policy-check ' + path + ' >/dev/null', shell=True) except CalledProcessError: cls.eprint("/usr/bin/nss-policy-check: Execution failed") finally: os.unlink(path) if ret: cls.eprint("There is an error in NSS generated policy") cls.eprint("Policy:\n%s" % config) return False return True PKեe[H‘*python/policygenerators/configgenerator.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. # Copyright (c) 2019 Tomáš Mráz import sys class ConfigGenerator: RELOAD_CMD = '' @staticmethod def append(s, val, sep=':'): if s: if val: return s + sep + val return s return val @staticmethod def eprint(*args, **kwargs): print(*args, file=sys.stderr, **kwargs) PKեe[I"python/policygenerators/openssl.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. 
# Copyright (c) 2019 Tomáš Mráz from subprocess import check_output, CalledProcessError from .configgenerator import ConfigGenerator class OpenSSLGenerator(ConfigGenerator): CONFIG_NAME = 'openssl' SCOPES = {'tls', 'ssl', 'openssl'} cipher_not_map = { 'AES-256-CTR':'', 'AES-128-CTR':'', 'AES-256-GCM':'-AES256', 'AES-128-GCM':'-AES128', 'AES-256-CBC':'-SHA256', 'AES-128-CBC':'', 'CHACHA20-POLY1305':'-CHACHA20', 'SEED-CBC':'-SEED', 'IDEA-CBC':'!IDEA', 'DES-CBC':'!DES', 'RC4-40':'', 'DES40-CBC':'', '3DES-CBC':'-3DES', 'RC4-128':'!RC4', 'RC2-CBC':'!RC2', 'NULL':'!eNULL:!aNULL' } key_exchange_map = { 'RSA':'kRSA', 'ECDHE':'kEECDH', 'PSK':'kPSK', 'DHE-PSK':'kDHEPSK', 'DHE-RSA':'kEDH', 'DHE-DSS':'', 'ECDHE-PSK':'kECDHEPSK' } key_exchange_not_map = { 'ANON':'', 'DH':'', 'ECDH':'', 'RSA':'-kRSA', 'ECDHE':'-kEECDH', 'DHE-RSA':'-aRSA', 'DHE-DSS':'-aDSS', 'PSK':'-kPSK', 'DHE-PSK':'-kDHEPSK', 'ECDHE-PSK':'-kECDHEPSK' } mac_not_map = { 'HMAC-MD5':'!MD5', 'HMAC-SHA1':'-SHA1' } ciphersuite_map = { 'AES-256-GCM':'TLS_AES_256_GCM_SHA384', 'AES-128-GCM':'TLS_AES_128_GCM_SHA256', 'CHACHA20-POLY1305':'TLS_CHACHA20_POLY1305_SHA256', 'AES-128-CCM':'TLS_AES_128_CCM_SHA256', 'AES-128-CCM8':'TLS_AES_128_CCM_8_SHA256', } @classmethod def generate_ciphers(cls, policy): s = '' p = policy.enabled ip = policy.disabled # We cannot separate RSA strength from DH params. 
min_dh_size = policy.integers['min_dh_size'] min_rsa_size = policy.integers['min_rsa_size'] if min_dh_size < 1023 or min_rsa_size < 1023: s = cls.append(s, '@SECLEVEL=0') elif min_dh_size < 2048 or min_rsa_size < 2048: s = cls.append(s, '@SECLEVEL=1') elif min_dh_size < 3072 or min_rsa_size < 3072: s = cls.append(s, '@SECLEVEL=2') else: s = cls.append(s, '@SECLEVEL=3') for i in p['key_exchange']: try: s = cls.append(s, cls.key_exchange_map[i]) except KeyError: pass for i in ip['key_exchange']: try: s = cls.append(s, cls.key_exchange_not_map[i]) except KeyError: pass for i in ip['cipher']: try: s = cls.append(s, cls.cipher_not_map[i]) except KeyError: pass if 'AES-128-CCM' in ip['cipher'] and 'AES-256-CCM' in ip['cipher']: s = cls.append(s, '-AESCCM') for i in ip['mac']: try: s = cls.append(s, cls.mac_not_map[i]) except KeyError: pass # These ciphers are not necessary for any # policy level, and only increase the attack surface. # FIXME! must be fixed for custom policies s = cls.append(s, '-SHA384') s = cls.append(s, '-CAMELLIA') s = cls.append(s, '-ARIA') s = cls.append(s, '-AESCCM8') return s @classmethod def generate_ciphersuites(cls, policy): s = '' p = policy.enabled for i in p['cipher']: try: s = cls.append(s, cls.ciphersuite_map[i]) except KeyError: pass return s @classmethod def generate_config(cls, policy): return cls.generate_ciphers(policy) @classmethod def test_config(cls, config): output = b'' try: output = check_output(["openssl", "ciphers", config]) except CalledProcessError: cls.eprint("There is an error in openssl generated policy") cls.eprint("policy: %s" % config) return False except OSError: # Ignore missing openssl return True if b'NULL' in output or b'ADH' in output: cls.eprint("There is NULL or ADH in openssl generated policy") cls.eprint("Policy:\n%s" % config) return False return True class OpenSSLConfigGenerator(OpenSSLGenerator): CONFIG_NAME = 'opensslcnf' # has to cover everything c-p has protocol_map = { None: '', 'SSL3.0':'SSLv3', 
'TLS1.0':'TLSv1', 'TLS1.1':'TLSv1.1', 'TLS1.2':'TLSv1.2', 'TLS1.3':'TLSv1.3', 'DTLS1.0':'DTLSv1', 'DTLS1.2':'DTLSv1.2' } sign_map = { 'RSA-SHA1':'RSA+SHA1', 'DSA-SHA1':'DSA+SHA1', 'ECDSA-SHA1':'ECDSA+SHA1', 'RSA-SHA2-224':'RSA+SHA224', 'DSA-SHA2-224':'DSA+SHA224', 'ECDSA-SHA2-224':'ECDSA+SHA224', 'RSA-SHA2-256':'RSA+SHA256', 'DSA-SHA2-256':'DSA+SHA256', 'ECDSA-SHA2-256':'ECDSA+SHA256', 'RSA-SHA2-384':'RSA+SHA384', 'DSA-SHA2-384':'DSA+SHA384', 'ECDSA-SHA2-384':'ECDSA+SHA384', 'RSA-SHA2-512':'RSA+SHA512', 'DSA-SHA2-512':'DSA+SHA512', 'ECDSA-SHA2-512':'ECDSA+SHA512', 'RSA-PSS-SHA2-256':'rsa_pss_pss_sha256:rsa_pss_rsae_sha256', 'RSA-PSS-SHA2-384':'rsa_pss_pss_sha384:rsa_pss_rsae_sha384', 'RSA-PSS-SHA2-512':'rsa_pss_pss_sha512:rsa_pss_rsae_sha512', 'EDDSA-ED25519':'ed25519', 'EDDSA-ED448':'ed448' } @classmethod def generate_config(cls, policy): p = policy.enabled s = 'CipherString = ' # This includes the seclevel s += cls.generate_ciphers(policy) s += '\n' s += 'Ciphersuites = ' s += cls.generate_ciphersuites(policy) s += '\n' if policy.min_tls_version: s += 'TLS.MinProtocol =' s += f' {cls.protocol_map[policy.min_tls_version]}\n' if policy.max_tls_version: s += 'TLS.MaxProtocol =' s += f' {cls.protocol_map[policy.max_tls_version]}\n' if policy.min_dtls_version: s += 'DTLS.MinProtocol =' s += f' {cls.protocol_map[policy.min_dtls_version]}\n' if policy.max_dtls_version: s += 'DTLS.MaxProtocol =' s += f' {cls.protocol_map[policy.max_dtls_version]}\n' sig_algs = [cls.sign_map[i] for i in p['sign'] if i in cls.sign_map] s += 'SignatureAlgorithms = ' + ':'.join(sig_algs) return s @classmethod def test_config(cls, config): # pylint: disable=unused-argument return True PKեe[Yb@EE#python/policygenerators/__init__.pynu[# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. 
# Copyright (c) 2019 Tomáš Mráz from .bind import BindGenerator from .gnutls import GnuTLSGenerator from .java import JavaGenerator from .krb5 import KRB5Generator from .libreswan import LibreswanGenerator from .libssh import LibsshGenerator from .nss import NSSGenerator from .openssh import OpenSSHClientGenerator from .openssh import OpenSSHServerGenerator from .openssl import OpenSSLConfigGenerator from .openssl import OpenSSLGenerator __all__ = [ 'BindGenerator', 'GnuTLSGenerator', 'JavaGenerator', 'KRB5Generator', 'LibreswanGenerator', 'LibsshGenerator', 'NSSGenerator', 'OpenSSHClientGenerator', 'OpenSSHServerGenerator', 'OpenSSLConfigGenerator', 'OpenSSLGenerator', ] PKեe[9yppback-ends/FIPS/nss.confignu[library= name=Policy NSS=flags=policyOnly,moduleDB config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" PKեe[Ȅback-ends/FIPS/openssl.confignu[@SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-CHACHA20:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8PKեe[ʀmVVback-ends/FIPS/openssh.confignu[Ciphers aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 GSSAPIKeyExchange no KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512 PKեe[AzKKback-ends/FIPS/java.confignu[jdk.tls.ephemeralDHKeySize=2048 jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 jdk.tls.legacyAlgorithms= PKեe[,"back-ends/FIPS/bind.confignu[disable-algorithms "." { RSAMD5; ECCGOST; RSASHA1; NSEC3RSASHA1; DSA; NSEC3DSA; ED25519; ED448; }; disable-ds-digests "." 
{ SHA-1; GOST; }; PKեe[sggback-ends/FIPS/libreswan.confignu[conn %default ikev2=insist pfs=yes ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18 esp=aes_gcm256,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 PKեe[e%^back-ends/FIPS/gnutls.confignu[SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-X448:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:+CIPHER-ALL:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM PKեe[J=@SS back-ends/FIPS/opensslcnf.confignu[CipherString = @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-CHACHA20:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 TLS.MinProtocol = TLSv1.2 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224PKեe[`9back-ends/FIPS/krb5.confignu[[libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 PKեe[aback-ends/FIPS/libssh.confignu[Ciphers aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc MACs 
hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com PKեe[$j#back-ends/FIPS/opensshserver.confignu[CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com 
-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512'PKեe[Knback-ends/DEFAULT/nss.confignu[library= name=Policy NSS=flags=policyOnly,moduleDB config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048" PKեe[ back-ends/DEFAULT/openssl.confignu[@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8PKեe[/0 back-ends/DEFAULT/openssh.confignu[Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa PKեe[3ͅback-ends/DEFAULT/java.confignu[jdk.tls.ephemeralDHKeySize=2048 jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048 jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5 jdk.tls.legacyAlgorithms= PKեe[0A^^back-ends/DEFAULT/bind.confignu[disable-algorithms "." { RSAMD5; ECCGOST; DSA; NSEC3DSA; }; disable-ds-digests "." 
{ GOST; }; PKեe[)"back-ends/DEFAULT/libreswan.confignu[conn %default ikev2=insist pfs=yes ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18 esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 PKեe[kHback-ends/DEFAULT/gnutls.confignu[SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM PKեe[OY߇#back-ends/DEFAULT/opensslcnf.confignu[CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 TLS.MinProtocol = TLSv1.2 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1PKեe[Dback-ends/DEFAULT/krb5.confignu[[libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac PKեe[յ,,back-ends/DEFAULT/libssh.confignu[Ciphers 
aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com PKեe[,B&back-ends/DEFAULT/opensshserver.confignu[CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- 
-oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'PKեe[df[[back-ends/FUTURE/nss.confignu[library= name=Policy NSS=flags=policyOnly,moduleDB config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072" PKեe[KJback-ends/FUTURE/openssl.confignu[@SECLEVEL=3:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-AES128:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8PKեe[5qback-ends/FUTURE/openssh.confignu[Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr MACs 
hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512 GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group16-sha512- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 PKեe[6ּback-ends/FUTURE/java.confignu[jdk.tls.ephemeralDHKeySize=3072 jdk.certpath.disabledAlgorithms=MD2, SHA224, SHA1, MD5, DSA, RSA keySize < 3072 jdk.tls.disabledAlgorithms=DH keySize < 3072, TLSv1.1, TLSv1, SSLv3, SSLv2, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, AES_128_GCM, AES_128_CCM, AES_256_CBC, AES_128_CBC, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5 jdk.tls.legacyAlgorithms= PKեe[#>||back-ends/FUTURE/bind.confignu[disable-algorithms "." { RSAMD5; ECCGOST; RSASHA1; NSEC3RSASHA1; DSA; NSEC3DSA; }; disable-ds-digests "." 
{ SHA-1; GOST; }; PKեe[1D!back-ends/FUTURE/libreswan.confignu[conn %default ikev2=insist pfs=yes ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18 esp=aes_gcm256,chacha20_poly1305 PKեe[)back-ends/FUTURE/gnutls.confignu[SYSTEM=NONE:+MAC-ALL:-SHA1:-MD5:+GROUP-ALL:-GROUP-FFDHE2048:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-RSA-SHA224:-SIGN-DSA-SHA224:-SIGN-ECDSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+CIPHER-ALL:-AES-128-GCM:-AES-128-CCM:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-AES-256-CBC:-AES-128-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_HIGH PKեe[N./>DD"back-ends/FUTURE/opensslcnf.confignu[CipherString = @SECLEVEL=3:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSA:-aDSS:-AES128:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 TLS.MinProtocol = TLSv1.2 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512PKեe[kkback-ends/FUTURE/krb5.confignu[[libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 camellia256-cts-cmac pkinit_dh_min_bits=4096 PKեe[^))back-ends/FUTURE/libssh.confignu[Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 KexAlgorithms 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com PKեe[@@%back-ends/FUTURE/opensshserver.confignu[CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr -oMACs=hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group16-sha512- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com 
-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512'PKեe[}hjback-ends/LEGACY/nss.confignu[library= name=Policy NSS=flags=policyOnly,moduleDB config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:DSA:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023" PKեe[ G}}back-ends/LEGACY/openssl.confignu[@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8PKեe[\sKKback-ends/LEGACY/openssh.confignu[Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 PubkeyAcceptedKeyTypes 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss PKեe[=eeback-ends/LEGACY/java.confignu[jdk.tls.ephemeralDHKeySize=1023 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1023 jdk.tls.disabledAlgorithms=DH keySize < 1023, SSLv3, SSLv2, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, DES_CBC, RC4_40, DES40_CBC, RC2, HmacMD5 jdk.tls.legacyAlgorithms=3DES_EDE_CBC, RC4_128 PKեe[\zOOback-ends/LEGACY/bind.confignu[disable-algorithms "." { RSAMD5; ECCGOST; }; disable-ds-digests "." 
{ GOST; }; PKեe[O7A!back-ends/LEGACY/libreswan.confignu[conn %default ikev2=insist pfs=yes ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18+dh5,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18+dh5,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18+dh5,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18+dh5,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18+dh5 esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256 PKեe[ZOOback-ends/LEGACY/gnutls.confignu[SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:+SIGN-RSA-SHA1:+SIGN-DSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:+3DES-CBC:+ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:+COMP-NULL:%PROFILE_LOW PKեe[QU"back-ends/LEGACY/opensslcnf.confignu[CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 TLS.MinProtocol = TLSv1 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_rsae_sha256:rsa_pss_pss_sha384:rsa_pss_rsae_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1PKեe[Dback-ends/LEGACY/krb5.confignu[[libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac PKեe[_亪back-ends/LEGACY/libssh.confignu[Ciphers 
aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com PKեe[W%back-ends/LEGACY/opensshserver.confignu[CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- 
-oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss'PKեe[AzKK FIPS/java.txtnu[PKեe[`9 FIPS/krb5.txtnu[PKեe[sggNFIPS/libreswan.txtnu[PKեe[J=@SSFIPS/opensslcnf.txtnu[PKեe[ʀmVVFIPS/openssh.txtnu[PKեe[9ypp # FIPS/nss.txtnu[PKեe[Ȅ FIPS/openssl.txtnu[PKեe[a FIPS/libssh.txtnu[PKեe[," FIPS/bind.txtnu[PKեe[e%^FIPS/gnutls.txtnu[PKեe[$jFIPS/opensshserver.txtnu[PKեe[,reload-cmds.shnu[PKեe[ȗJ٨default-confignu[PKեe[3ͅDEFAULT/java.txtnu[PKեe[DRDEFAULT/krb5.txtnu[PKեe[)E 
DEFAULT/libreswan.txtnu[PKեe[OY߇J"DEFAULT/opensslcnf.txtnu[PKեe[/0%DEFAULT/openssh.txtnu[PKեe[KnC*DEFAULT/nss.txtnu[PKեe[,DEFAULT/openssl.txtnu[PKեe[յ,,,DEFAULT/libssh.txtnu[PKեe[0A^^W2DEFAULT/bind.txtnu[PKեe[kH2DEFAULT/gnutls.txtnu[PKեe[,B4DEFAULT/opensshserver.txtnu[PKեe[{ѻpZZ!;policies/modules/NO-CAMELLIA.pmodnu[PKեe[9{{_<policies/modules/NO-SHA1.pmodnu[PKեe[BB '=policies/modules/AD-SUPPORT.pmodnu[PKեe[R;yy >policies/modules/ECDHE-ONLY.pmodnu[PKեe[B?policies/modules/OSPP.pmodnu[PKեe[Gpolicies/FIPS.polnu[PKեe[66Npolicies/FUTURE.polnu[PKեe[}sr  Wpolicies/EMPTY.polnu[PKեe[AiiSXpolicies/DEFAULT.polnu[PKեe[V'G apolicies/LEGACY.polnu[PKեe[3jEMPTY/java.txtnu[PKեe[$$=nEMPTY/krb5.txtnu[PKեe[)nEMPTY/libreswan.txtnu[PKեe[eSnEMPTY/opensslcnf.txtnu[PKեe[n>7pEMPTY/openssh.txtnu[PKեe[/'ɓ pEMPTY/nss.txtnu[PKեe[a]qEMPTY/openssl.txtnu[PKեe[brEMPTY/libssh.txtnu[PKեe[ǫ?rEMPTY/bind.txtnu[PKեe[Q**sEMPTY/gnutls.txtnu[PKեe[Q&Q&&BtEMPTY/opensshserver.txtnu[PKեe[6ּtFUTURE/java.txtnu[PKեe[kkwFUTURE/krb5.txtnu[PKեe[1D)xFUTURE/libreswan.txtnu[PKեe[N./>DD6yFUTURE/opensslcnf.txtnu[PKեe[5q{FUTURE/openssh.txtnu[PKեe[df[[FUTURE/nss.txtnu[PKեe[KJiFUTURE/openssl.txtnu[PKեe[^))PFUTURE/libssh.txtnu[PKեe[#>||FUTURE/bind.txtnu[PKեe[)uFUTURE/gnutls.txtnu[PKեe[@@ljFUTURE/opensshserver.txtnu[PKեe[=eeOLEGACY/java.txtnu[PKեe[DLEGACY/krb5.txtnu[PKեe[O7ALEGACY/libreswan.txtnu[PKեe[QULEGACY/opensslcnf.txtnu[PKեe[\sKKLEGACY/openssh.txtnu[PKեe[}hjvLEGACY/nss.txtnu[PKեe[ G}}kLEGACY/openssl.txtnu[PKեe[_亪*LEGACY/libssh.txtnu[PKեe[\zOOLEGACY/bind.txtnu[PKեe[ZOOLEGACY/gnutls.txtnu[PKեe[W#LEGACY/opensshserver.txtnu[PKեe[)0!0! 
Epython/update-crypto-policies.pynuȯPKեe[:E6.."python/cryptopolicies/alg_lists.pynu[PKեe[c-Epython/cryptopolicies/validation/alg_lists.pynu[PKեe['_ɐ)=python/cryptopolicies/validation/rules.pynu[PKեe[>E9python/cryptopolicies/__pycache__/cryptopolicies.cpython-36.opt-1.pycnu[PKեe[q5]???Apython/cryptopolicies/__pycache__/cryptopolicies.cpython-36.pycnu[PKեe[U@K python/cryptopolicies/__pycache__/alg_lists.cpython-36.opt-1.pycnu[PKեe[D!python/cryptopolicies/__init__.pynu[PKեe[u>"">python/__pycache__/update-crypto-policies.cpython-36.opt-1.pycnu[PKեe[u>""85Cpython/__pycache__/update-crypto-policies.cpython-36.pycnu[PKեe[ߺh7fpython/__pycache__/build-crypto-policies.cpython-36.pycnu[PKեe[ߺh=wpython/__pycache__/build-crypto-policies.cpython-36.opt-1.pycnu[PKեe[python/build-crypto-policies.pynuȯPKեe['pppython/policygenerators/krb5.pynu[PKեe[y!SSfpython/policygenerators/java.pynu[PKեe[ 6@$python/policygenerators/libreswan.pynu[PKեe[hiP!7python/policygenerators/gnutls.pynu[PKեe[!mpython/policygenerators/libssh.pynu[PKեe[ "python/policygenerators/openssh.pynu[PKեe[Y python/policygenerators/bind.pynu[PKեe[9 
7python/policygenerators/__pycache__/java.cpython-36.pycnu[PKեe[b!:8!python/policygenerators/__pycache__/openssh.cpython-36.pycnu[PKեe[oc779`@python/policygenerators/__pycache__/libssh.cpython-36.pycnu[PKեe[F9007Ppython/policygenerators/__pycache__/krb5.cpython-36.pycnu[PKեe[1#G;Vpython/policygenerators/__pycache__/__init__.cpython-36.pycnu[PKեe[1#GAYpython/policygenerators/__pycache__/__init__.cpython-36.opt-1.pycnu[PKեe[6!<c]python/policygenerators/__pycache__/nss.cpython-36.opt-1.pycnu[PKեe[ɨBTopython/policygenerators/__pycache__/libreswan.cpython-36.opt-1.pycnu[PKեe[6!6ƀpython/policygenerators/__pycache__/nss.cpython-36.pycnu[PKեe[ɨ<python/policygenerators/__pycache__/libreswan.cpython-36.pycnu[PKեe[[:python/policygenerators/__pycache__/openssl.cpython-36.pycnu[PKեe[/$~~?)python/policygenerators/__pycache__/gnutls.cpython-36.opt-1.pycnu[PKեe[oc77?python/policygenerators/__pycache__/libssh.cpython-36.opt-1.pycnu[PKեe[˿Hpython/policygenerators/__pycache__/configgenerator.cpython-36.opt-1.pycnu[PKեe[77python/policygenerators/__pycache__/bind.cpython-36.pycnu[PKեe[9 
=Ipython/policygenerators/__pycache__/java.cpython-36.opt-1.pycnu[PKեe[˿Bvpython/policygenerators/__pycache__/configgenerator.cpython-36.pycnu[PKեe[F900=python/policygenerators/__pycache__/krb5.cpython-36.opt-1.pycnu[PKեe[[@Ipython/policygenerators/__pycache__/openssl.cpython-36.opt-1.pycnu[PKեe[/$~~9[python/policygenerators/__pycache__/gnutls.cpython-36.pycnu[PKեe[7=B.python/policygenerators/__pycache__/bind.cpython-36.opt-1.pycnu[PKեe[b!@7python/policygenerators/__pycache__/openssh.cpython-36.opt-1.pycnu[PKեe[R$$Vpython/policygenerators/nss.pynu[PKեe[H‘*9jpython/policygenerators/configgenerator.pynu[PKեe[I"$lpython/policygenerators/openssl.pynu[PKեe[Yb@EE#Hpython/policygenerators/__init__.pynu[PKեe[9yppback-ends/FIPS/nss.confignu[PKեe[Ȅback-ends/FIPS/openssl.confignu[PKեe[ʀmVVback-ends/FIPS/openssh.confignu[PKեe[AzKK"back-ends/FIPS/java.confignu[PKեe[,"back-ends/FIPS/bind.confignu[PKեe[sggback-ends/FIPS/libreswan.confignu[PKեe[e%^Cback-ends/FIPS/gnutls.confignu[PKեe[J=@SS back-ends/FIPS/opensslcnf.confignu[PKեe[`9)back-ends/FIPS/krb5.confignu[PKեe[aback-ends/FIPS/libssh.confignu[PKեe[$j#Dback-ends/FIPS/opensshserver.confignu[PKեe[Kn1back-ends/DEFAULT/nss.confignu[PKեe[ back-ends/DEFAULT/openssl.confignu[PKեe[/0 back-ends/DEFAULT/openssh.confignu[PKեe[3ͅ*back-ends/DEFAULT/java.confignu[PKեe[0A^^back-ends/DEFAULT/bind.confignu[PKեe[)"back-ends/DEFAULT/libreswan.confignu[PKեe[kHback-ends/DEFAULT/gnutls.confignu[PKեe[OY߇#back-ends/DEFAULT/opensslcnf.confignu[PKեe[Dback-ends/DEFAULT/krb5.confignu[PKեe[յ,,back-ends/DEFAULT/libssh.confignu[PKեe[,B&back-ends/DEFAULT/opensshserver.confignu[PKեe[df[[back-ends/FUTURE/nss.confignu[PKեe[KJback-ends/FUTURE/openssl.confignu[PKեe[5qback-ends/FUTURE/openssh.confignu[PKեe[6ּback-ends/FUTURE/java.confignu[PKեe[#>|||back-ends/FUTURE/bind.confignu[PKեe[1D!Dback-ends/FUTURE/libreswan.confignu[PKեe[)^back-ends/FUTURE/gnutls.confignu[PKեe[N./>DD"back-ends/FUTURE/opensslcnf.confignu[PKեe[kkSback-ends/FUTURE/krb5.confignu[PKեe[^)) 
back-ends/FUTURE/libssh.confignu[PKեe[@@%back-ends/FUTURE/opensshserver.confignu[PKեe[}hjback-ends/LEGACY/nss.confignu[PKեe[ G}}back-ends/LEGACY/openssl.confignu[PKեe[\sKKback-ends/LEGACY/openssh.confignu[PKեe[=ee~back-ends/LEGACY/java.confignu[PKեe[\zOO/back-ends/LEGACY/bind.confignu[PKեe[O7A!back-ends/LEGACY/libreswan.confignu[PKեe[ZOOback-ends/LEGACY/gnutls.confignu[PKեe[QU"back-ends/LEGACY/opensslcnf.confignu[PKեe[Dback-ends/LEGACY/krb5.confignu[PKեe[_亪back-ends/LEGACY/libssh.confignu[PKեe[W%lback-ends/LEGACY/opensshserver.confignu[PKB