a if"@sXddlmZmZddlmZdZdZGdddeZGdd d eZGd d d eZ d S) )CalledProcessError check_output)ConfigGeneratorz^ [openssl_init] alg_section = evp_properties [evp_properties] rh-allow-sha1-signatures = yes z2 [fips_sect] tls1-prf-ems-check = {} activate = 1 c@seZdZdZhdZddddddddd d ddd d d ddZdddddddddd Zddddddddddd d! Zd"d#d$Zd%d&d'd(d)d*d+d,Z e d-d.Z e d/d0Z e d1d2Z e d3d4Zd5S)6OpenSSLGeneratoropensslrZsslZtlsz-AES256z-AES128z-SHA256z -CHACHA20z-SEEDz!IDEAz!DESz-3DESz!RC4z!RC2z !eNULL:!aNULL)z AES-256-CTRz AES-128-CTR AES-256-GCM AES-128-GCMz AES-256-CBCz AES-128-CBCCHACHA20-POLY1305zSEED-CBCzIDEA-CBCzDES-CBCzRC4-40z DES40-CBCz3DES-CBCzRC4-128zRC2-CBCZNULLZkRSAZkEECDHZkPSKZkDHEPSKZkEDHZ kECDHEPSKZkRSAPSKZkGOST) RSAECDHEPSKDHE-PSKDHE-RSADHE-DSS ECDHE-PSKRSA-PSKz VKO-GOST-2012z-kRSAz-kEECDHz-aRSAz-aDSSz-kPSKz-kDHEPSKz -kECDHEPSKz-kRSAPSK) ZANONZDHZECDHr rrrrrrrz!MD5z-SHA1)zHMAC-MD5z HMAC-SHA1ZTLS_AES_256_GCM_SHA384ZTLS_AES_128_GCM_SHA256ZTLS_CHACHA20_POLY1305_SHA256ZTLS_AES_128_CCM_SHA256ZTLS_AES_128_CCM_8_SHA256zGOST2012-GOST8912-GOST8912zGOST2001-GOST89-GOST89)r r r AES-128-CCMz AES-128-CCM8zGOST28147-TC26Z-CNTzGOST28147-CPA-CNTc Csd}|j}|j}|jd}|jd}|dks4|dkrB||d}nH|dksR|dkr`||d}n*|dksp|dkr~||d }n ||d }|d D].}z|||j|}WqtyYq0q|d D].}z|||j|}WqtyYq0q|d D]2}z|||j|}Wnty0Yn0qd |d vr^d|d vr^||d}|dD]2}z|||j|}WntyYn0qfdD]}|||}q|S)Nr min_dh_size min_rsa_sizeiz @SECLEVEL=0iz @SECLEVEL=1i z @SECLEVEL=2z @SECLEVEL=3Z key_exchangecipherrz AES-256-CCMz-AESCCMZmac)z-SHA384z -CAMELLIAz-ARIAz-AESCCM8) enabledZdisabledZintegersappendkey_exchange_mapKeyErrorkey_exchange_not_mapcipher_not_map mac_not_map) clspolicyspZiprricr&=/usr/share/crypto-policies/python/policygenerators/openssl.pygenerate_ciphersYsL            z!OpenSSLGenerator.generate_ciphersc CsFd}|j}|dD].}z|||j|}Wqty>Yq0q|S)Nr r)rrciphersuite_mapr)r r!r"r#r$r&r&r'generate_ciphersuitess  z&OpenSSLGenerator.generate_ciphersuitescCs||dS)N )r(r r!r&r&r'generate_configsz OpenSSLGenerator.generate_configcCsd}|dsJztdd|ddg}Wn@tyZ|d|d|YdStylYd S0d |vs~d |vr|d |d|dSd S) Nr+rZciphersz-There is an error in openssl generated policyzPolicy: FTsNULLsADHz0There is NULL or ADH in openssl generated policy)endswithrrZeprintOSError)r configoutputr&r&r' test_configs"     zOpenSSLGenerator.test_configN)__name__ __module__ __qualname__ CONFIG_NAMESCOPESrrrrr) classmethodr(r*r-r4r&r&r&r'rsx   3  rc@seZdZdZdddddddd d Zd d d ddddddddddddddddddd d!d"Zd#d$d%d&d'd(d)d*d+d,d-d.d/d0d1Zed2d3Zed4d5Z d6S)7OpenSSLConfigGeneratorZ opensslcnfZSSLv3ZTLSv1zTLSv1.1zTLSv1.2zTLSv1.3zDTLSv0.9ZDTLSv1zDTLSv1.2)zSSL3.0zTLS1.0zTLS1.1zTLS1.2zTLS1.3zDTLS0.9zDTLS1.0zDTLS1.2zRSA+SHA1zDSA+SHA1z ECDSA+SHA1z RSA+SHA224z DSA+SHA224z ECDSA+SHA224z RSA+SHA256z DSA+SHA256z ECDSA+SHA256z RSA+SHA384z DSA+SHA384z ECDSA+SHA384z RSA+SHA512z DSA+SHA512z ECDSA+SHA512Zrsa_pss_pss_sha256Zrsa_pss_pss_sha384Zrsa_pss_pss_sha512Zrsa_pss_rsae_sha256Zrsa_pss_rsae_sha384Zrsa_pss_rsae_sha512Zed25519Zed448)zRSA-SHA1zDSA-SHA1z ECDSA-SHA1z RSA-SHA2-224z DSA-SHA2-224zECDSA-SHA2-224z RSA-SHA2-256z DSA-SHA2-256zECDSA-SHA2-256z RSA-SHA2-384z DSA-SHA2-384zECDSA-SHA2-384z RSA-SHA2-512z DSA-SHA2-512zECDSA-SHA2-512zRSA-PSS-SHA2-256zRSA-PSS-SHA2-384zRSA-PSS-SHA2-512zRSA-PSS-RSAE-SHA2-256zRSA-PSS-RSAE-SHA2-384zRSA-PSS-RSAE-SHA2-512z EDDSA-ED25519z EDDSA-ED448Z secp224r1Z secp256r1Z secp384r1Z secp521r1X25519X448Z ffdhe2048Z ffdhe3072Z ffdhe4096Z ffdhe6144Z ffdhe8192ZbrainpoolP256r1ZbrainpoolP384r1ZbrainpoolP512r1)Z SECP224R1Z SECP256R1Z SECP384R1Z SECP521R1r<r=z FFDHE-2048z FFDHE-3072z FFDHE-4096z FFDHE-6144z FFDHE-8192zBRAINPOOL-P256R1zBRAINPOOL-P384R1zBRAINPOOL-P512R1csP|j}d|d}|d|d7}|jrT|d7}|dj|jd7}|jrz|d7}|dj|jd7}|jr|d7}|dj|jd7}|jr|d7}|dj|jd7}fd d |d D}|d d |d7}fdd |dD}|dd |d7}|j ddkr6|d7}d|dvrL|t 7}|S)NzCipherString = r+zCiphersuites = zTLS.MinProtocol = zTLS.MaxProtocol =zDTLS.MinProtocol =zDTLS.MaxProtocol =cs g|]}|jvrj|qSr&)sign_map.0r$r r&r' r.z:OpenSSLConfigGenerator.generate_config..signzSignatureAlgorithms = :cs g|]}|jvrj|qSr&) group_mapr@rBr&r'rCr.groupz Groups = __emsRELAXzOptions = RHNoEnforceEMSinFIPS ZSHA1hash) rr(r*Zmin_tls_version protocol_mapZmax_tls_versionZmin_dtls_versionZmax_dtls_versionjoinenums RH_ALLOW_SHA1)r r!r#r"Zsig_algsgroupsr&rBr'r-s0z&OpenSSLConfigGenerator.generate_configcCsdSNTr&r r2r&r&r'r4sz"OpenSSLConfigGenerator.test_configN) r5r6r7r8rKr?rFr:r-r4r&r&r&r'r;sj  !r;c@s0eZdZdZhdZeddZeddZdS)OpenSSLFIPSGeneratorZ openssl_fipsrcCstt|jddkS)NrHrI)FIPS_MODULE_CONFIGformatintrMr,r&r&r'r-sz$OpenSSLFIPSGenerator.generate_configcCsdSrPr&rQr&r&r'r4 sz OpenSSLFIPSGenerator.test_configN)r5r6r7r8r9r:r-r4r&r&r&r'rRs  rRN) subprocessrrZconfiggeneratorrrNrSrr;rRr&r&r&r's a