a ifoG @s.ddlZddlZddlZddlZddlZddlZddlmZmZe ddddiBZ ddd Z d Z d Zd d hhdhdddhhdhdhdhdhdhdd ZGdddZGdddejZddZedd Zd!d"Zd0d$d%ZGd&d'd'eZd(d)ZGd*d+d+Zd,d-ZGd.d/d/ZdS)1N) alg_lists validation)Zarbitrary_dh_groupsZ min_dh_sizeZ min_dsa_sizeZ min_rsa_sizeZ sha1_in_certsZ ssh_certsZ min_ec_size)ANYZ DISABLE_ETMZDISABLE_NON_ETM)ZDEFAULTZENFORCEZRELAX)ZetmZ__ems*)tlssslopensslnssgnutlsjava-tlssshopensshopenssh-serveropenssh-clientlibsshipsecike libreswankerberoskrb5dnssecbindrr>r rr >r rr rr>rrr>rrr>r r r>rrr>rrr>r r r) rr r rrrr rrr c@s(eZdZefddZddZddZdS) ScopeSelectorcCs||_}|d |_|jr&|n |dd}tjj||jdtjj||jd|drr|dddn|g|_ tjj |j t |jddS)a= Initialize a scope selector. An example would be `ssh` in `ciphers@ssh = -NULL`. When openssh backend will request the configuration, it'll offer (`{'ssh', 'openssh'}`) as scopes and the rule above will be taken into account. Both patterns and scopes are cast to lowercase. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ss = ScopeSelector('!{SSH,IPsec}') >>> ss.matches({'ipsec', 'libreswan'}) False >>> ss.matches({'tls', 'openssl'}) True !rN)Zoriginal_pattern{,) lowerpattern startswith _positiverscopeZillegal_charactersZcurly_bracketssplit_globsZresulting_globs ALL_SCOPES)selfr pr)B/usr/share/crypto-policies/python/cryptopolicies/cryptopolicies.py__init__>s$ zScopeSelector.__init__cCsd|jdS)Nz)r r'r)r)r*__str__YszScopeSelector.__str__csR|jtkrdSddD|jr:tfdd|jDStfdd|jDS)aE Checks whether ScopeSelector matches one of the scopes. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ScopeSelector('{SSH,IPsec}').matches({'ipsec', 'libreswan'}) True >>> ScopeSelector('!{SSH,IPsec}').matches({'ipsec', 'libreswan'}) False TcSsg|] }|qSr))r).0sr)r)r* gz)ScopeSelector.matches..c3s|]}t|VqdSNfnmatchfilterr/gscopesr)r* jr2z(ScopeSelector.matches..c3s|]}t| VqdSr3r4r7r9r)r*r;kr2)r SCOPE_ANYr"anyr%allr'r:r)r9r*matches\s zScopeSelector.matchesN)__name__ __module__ __qualname__r<r+r.r@r)r)r)r*r=s rc@s0eZdZdZdZdZdZdZdZdZ dd Z d S) OperationzCAn operation that comes with the right-hand value of the directive.rcCs d|jS)Nz Operation.)namer-r)r)r*__repr__zszOperation.__repr__N) rArBrC__doc__RESETPREPENDAPPENDOMITSET_INTSET_ENUMrKr)r)r)r*rDpsrDcsdd|rRtjvr2tvr2tjt|fgStjvsDtvrtj nHtvrftj tvr|tvrtj |ttj |fgS|}tfdd|Dsfdd|D}tjdfgdd|DStfd d|Drg}|D]}|d r:tjt|d dddd }nL|d rltjt|dd ddd }ntjt|d d}|fd d|Dq|Stj |dS)ae Parses right-hand parts of the directives into lists of operation/value pairs. For more examples, refer to tests/unit/test_parsing.py >>> parse_rhs('', 'cipher') [(Operation.RESET, None)] >>> parse_rhs('IDEA-CBC SEED-CBC', 'cipher') [(Operation.RESET, None), (Operation.APPEND, 'IDEA-CBC'), (Operation.APPEND, 'SEED-CBC')] >>> # 3DES-CBC gets prepended last for higher prio >>> parse_rhs('+*DES-CBC', 'cipher') [(Operation.PREPEND, 'DES-CBC'), (Operation.PREPEND, '3DES-CBC')] >>> parse_rhs('ENFORCE', '__ems') [(Operation.SET_ENUM, 'ENFORCE')] cSs|dp|dS)N)+-rS)r!endswith)vr)r)r* differentialszparse_rhs..differentialc3s|]}|VqdSr3r)r/rVrWr)r*r;r2zparse_rhs..cs"g|]}t|D]}|qqSr))rglob)r/rVx prop_namer)r*r1r2zparse_rhs..NcSsg|]}tj|fqSr))rDrOrXr)r)r*r1r2c3s|]}|VqdSr3r)rXrYr)r*r;r2rSrrcsg|] }|fqSr)r)rX)opr)r*r1r2)isdigitrALL INT_DEFAULTSrDrQintENUMSrrulesZNonIntPropertyIntValueErrorZIntPropertyNonIntValueErrorZBadEnumValueErrorrRr$r=rMr>r!rNrZrUrOrPextendZ%MixedDifferentialNonDifferentialError)rhsr]valuesZ operationsvalueZunglobr))rWr^r]r* parse_rhs~sF           ri Directiver]r# operationrhcs|s gStj||d\}}||}}tj||d|vrZ|ddn|tf\fddt|DS)aQ Parses configuration lines into tuples of directives. For more examples, refer to tests/unit/test_parsing.py >>> parse_line('cipher@TLS = RC4* NULL') [Directive(prop_name='cipher', scope='tls', operation=Operation.RESET, value=None), Directive(prop_name='cipher', scope='tls', operation=Operation.APPEND, value='RC4-40'), Directive(prop_name='cipher', scope='tls', operation=Operation.APPEND, value='RC4-128'), Directive(prop_name='cipher', scope='tls', operation=Operation.APPEND, value='NULL')] =@rcs$g|]\}}t||dqS)rk)rjr)r/rlrhr]r#r)r*r1s zparse_line..)striprrdZcount_equals_signsr$Z empty_lhsr<ri)lineZlhsrfr)ror* parse_lines   rrFc Cs\z t|}|D]}t|jqWn6tjyV}z|s8t|WYd}~n d}~00dSr3)rrrr#rZPolicySyntaxErrorwarningswarn)rqrtldexr)r)r*syntax_check_linesrxcseZdZfddZZS)PolicySyntaxDeprecationWarningcs@|dd}d|d}|d|d7}|d7}t|dS)N z and zoption z is deprecatedz", please rewrite your rules using z; z2be advised that it is not always a 1-1 replacement)replacesuperr+)r'Z deprecatedZ replacementmsg __class__r)r*r+s   z'PolicySyntaxDeprecationWarning.__init__)rArBrCr+ __classcell__r)r)r~r*rysrycCstdd|}|dd}ddd|dD}|dd}dd d|dD}dd d|dD}td d|}td |rtt d dddddd}| D]`\}}d|d}t||}|rtt ||t|d|}|D]}|d|d|7}qqtd d|}ddddddd}| D]x\}}d|d}i}t ||D]} t||||| d<qj| D]\} } tt | | qt|||}qFt tjd d d!} | r,d"d#d| d d!D} td$| d!d| rd%| nd|}| qtd&d|}t tjd d d!}|rd"d'd|d d!D} td(|d!d| rd%| nd|}|qNtd)d|S)*a Preprocesses text before parsing. Fixes line breaks, handles backwards compatibility. >>> preprocess_text('cipher = c1 \\ \nc2#x') 'cipher = c1 c2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('ike_protocol = IKEv2') 'protocol@IKE = IKEv2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('min_tls_version=TLS1.3') 'protocol@TLS = -SSL2.0 -SSL3.0 -TLS1.0 -TLS1.1 -TLS1.2' z#.*rm = rzcss|]}|VqdSr3rpr/rur)r)r*r;r2z"preprocess_text..z\ css|]}|VqdSr3rrr)r)r*r; r2css|]}tdd|VqdS)z\s+ N)resubrr)r)r*r; r2z +z\bprotocol\s*=protocolz protocol@TLSz cipher@TLSz cipher@SSHz group@SSHz protocol@IKE)Z tls_cipherZ ssh_cipherZ ssh_groupZ ike_protocolz\bz\s*=(.*)z z =z7hash@DNSSec = -SHA1 sign@DNSSec = -RSA-SHA1 -ECDSA-SHA1z7hash@DNSSec = SHA1+ sign@DNSSec = RSA-SHA1+ ECDSA-SHA1+zetm@SSH = DISABLE_ETMz etm@SSH = ANYzetm@\1 = DISABLE_ETMz etm@\1 = ANY)zsha1_in_dnssec = 0zsha1_in_dnssec = 1z ssh_etm = 0z ssh_etm = 1zssh_etm@([^= ]+) = 0zssh_etm@([^= ]+) = 1rNrrcss|]}d|VqdSrTNr)rXr)r)r*r;8r2z\bmin_dtls_version = zprotocol@TLS = z\bmin_dtls_version = 0\bcss|]}d|VqdSrr)rXr)r)r*r;@r2z\bmin_tls_version = z\bmin_tls_version = 0\b)rrr{joinr$rpfindallrsrtryitemsfinditergrouplistrZDTLS_PROTOCOLSpopZ TLS_PROTOCOLS)textZPOSTFIX_REPLACEMENTSfrtoZregexmsmZPLAIN_REPLACEMENTSr@matchZmatch_frZmatch_toZ dtls_versionsnegZ tls_versionsr)r)r*preprocess_textsp         rc@sJeZdZdZd ddZeddZeddZed d Zed d Z dS) ScopedPolicya An entity constructing lists of what's `.enabled` and what's `.disabled` when the given scopes are active. >>> sp = ScopedPolicy(parse_line('cipher@TLS = RC4* NULL'), {'tls'}) >>> 'AES-192-GCM' in sp.disabled['cipher'] True >>> sp.enabled['cipher'] ['RC4-40', 'RC4-128', 'NULL'] >>> ScopedPolicy(parse_line('min_dh_size=2048')).integers['min_dh_size'] 2048 Ncs^|pt}t_ddtD_ddtjD_ |D]t j }| |r>j tjkrrgj j<q>j tjkrj j}j|vr|jq>j tjkrj j}j|vr|j|djq>j tjkrfddj jDj j<q>j tjkr0jjj<q>jjj<q>fddtjD_dS)NcSsi|]\}}||dqS)rr))r/krVr)r)r* Yr2z)ScopedPolicy.__init__..cSsi|] }|gqSr)r))r/r]r)r)r*rZr2rcsg|]}|jkr|qSr))rhr/e) directiver)r*r1ms z)ScopedPolicy.__init__..cs&i|]\}fdd|DqS)csg|]}|jvr|qSr))enabledr)r]r'r)r*r1xsz4ScopedPolicy.__init__...r))r/Zalg_listr-r\r*rxs)setracopyintegersrcrenumsrr`rrr#r@rlrDrMr]rOrhappendrNremoveinsertrPrQZdisabled)r' directivesZrelevant_scopesssrr))rr'r*r+Vs8                zScopedPolicy.__init__cCst|jdSNr)rmin_tls_versionrr-r)r)r*r|szScopedPolicy.min_tls_versioncCst|jdSr)rmax_tls_versionrr-r)r)r*rszScopedPolicy.max_tls_versioncCst|jdSr)rmin_dtls_versionrr-r)r)r*rszScopedPolicy.min_dtls_versioncCst|jdSr)rmax_dtls_versionrr-r)r)r*rszScopedPolicy.max_dtls_version)N) rArBrCrLr+propertyrrrrr)r)r)r*rIs &   rcCs@|D](}tj||}t|tjr|Sqt|||dSr3)ospathraccessR_OKrZPolicyFileNotFoundError) policynamefnamepathsrvr(r)r)r* lookup_files  rc@sFeZdZdZdZddddZddZdd d Zdd d ZddZ dS)UnscopedCryptoPolicyz/etc/crypto-policiesz/usr/share/crypto-policiesN) policydircGsP||_d|g|R|_g|_||}|D]}||j|dd7}q.||_dS)N:T) subpolicy)rrrlinesread_policy_file _directives)r'Z policy_namerZsubpolicy_namesrZsubpolicy_namer)r)r*r+s zUnscopedCryptoPolicy.__init__cCs|j Sr3)rr-r)r)r*is_emptyszUnscopedCryptoPolicy.is_emptycCst|j|p iSr3)rrr?r)r)r*scopedszUnscopedCryptoPolicy.scopedFc Cs|jpd}|rtj|d}t|||s*dndtjj|tj|j|tj|j|f}t|dd}| }Wdn1s0Yt |}| d}|D]}t |dd q|D] }t |qd d |DS) NZpoliciesmodulesz.polz.pmodzutf-8)encodingrzT)rtcSsg|]}t|D]}|qqSr))rr)r/rur[r)r)r*r1r2z9UnscopedCryptoPolicy.read_policy_file..) rrrrrcurdir CONFIG_DIR SHARE_DIRopenreadrr$rx) r'rJrZpdirr(frrrur)r)r*rs( &  z%UnscopedCryptoPolicy.read_policy_filec Cs dd}|}d|jd}|d7}|d7}|d7}|d7}|d7}i|j|j|j}|D]\}}||||7}qdd }tD]p\}} |j| d } i| j| j| j} | D]<\}}|||kr|s|d 7}d }|||d ||7}qq|s|d7}|S)NcSs2t|trd|nt|}|d|dS)Nrrrz) isinstancerrstrrstrip)keyrhr0r)r)r*fmtsz)UnscopedCryptoPolicy.__str__..fmtz # Policy z dump z# z?# Do not parse the contents of this file with automated tools, z.# it is provided for review convenience only. z"# Baseline values for all scopes: Fr9z9# Scope-specific properties derived for select backends: Trnz&# No scope-specific properties found. )rrrrrrDUMPABLE_SCOPES) r'rZgeneric_scopedr0Z generic_allr]rhZanything_scope_specificZ scope_nameZ scope_setZspecific_scopedZ specific_allr)r)r*r.s@  zUnscopedCryptoPolicy.__str__)N)F) rArBrCrrr+rrrr.r)r)r)r*rs   r)F) collectionsenumr5rrrsrrrdictfromkeysrarcr<r&rrEnumrDri namedtuplerjrrrx FutureWarningryrrrrr)r)r)r*sL 3B   SF