a ifoG @s.ddlZddlZddlZddlZddlZddlZddlmZmZe ddddiBZ ddd Z d Z d Zd d hhdhdddhhdhdhdhdhdhdd ZGdddZGdddejZddZedd Zd!d"Zd0d$d%ZGd&d'd'eZd(d)ZGd*d+d+Zd,d-ZGd.d/d/ZdS)1N) alg_lists validation)Zarbitrary_dh_groupsZ min_dh_sizeZ min_dsa_sizeZ min_rsa_sizeZ sha1_in_certsZ ssh_certsZ min_ec_size)ANYZ DISABLE_ETMZDISABLE_NON_ETM)ZDEFAULTZENFORCEZRELAX)ZetmZ__ems*)tlssslopensslnssgnutlsjava-tlssshopensshopenssh-serveropenssh-clientlibsshipsecike libreswankerberoskrb5dnssecbindrr>r rr >r rr rr>rrr>rrr>r r r>rrr>rrr>r r r) rr r rrrr rrr c@s(eZdZefddZddZddZdS) ScopeSelectorcCs||_}|d |_|jr&|n |dd}tjj||jdtjj||jd|drr|dddn|g|_ tjj |j t |jddS)a= Initialize a scope selector. An example would be `ssh` in `ciphers@ssh = -NULL`. When openssh backend will request the configuration, it'll offer (`{'ssh', 'openssh'}`) as scopes and the rule above will be taken into account. Both patterns and scopes are cast to lowercase. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ss = ScopeSelector('!{SSH,IPsec}') >>> ss.matches({'ipsec', 'libreswan'}) False >>> ss.matches({'tls', 'openssl'}) True !rN)Zoriginal_pattern{,) lowerpattern startswith _positiverscopeZillegal_charactersZcurly_bracketssplit_globsZresulting_globs ALL_SCOPES)selfr pr)B/usr/share/crypto-policies/python/cryptopolicies/cryptopolicies.py__init__>s$ zScopeSelector.__init__cCsd|jdS)Nz)r r'r)r)r*__str__YszScopeSelector.__str__csh|jtkrdSddDtddDs2J|jrPtfdd|jDStfdd|jDS)aE Checks whether ScopeSelector matches one of the scopes. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ScopeSelector('{SSH,IPsec}').matches({'ipsec', 'libreswan'}) True >>> ScopeSelector('!{SSH,IPsec}').matches({'ipsec', 'libreswan'}) False TcSsg|] }|qSr))r.0sr)r)r* gz)ScopeSelector.matches..css|]}|tvVqdSN)r&r/r)r)r* hr3z(ScopeSelector.matches..c3s|]}t|VqdSr4fnmatchfilterr0gscopesr)r*r5jr3c3s|]}t| VqdSr4r6r9r;r)r*r5kr3)r SCOPE_ANYallr"anyr%r'r<r)r;r*matches\s zScopeSelector.matchesN)__name__ __module__ __qualname__r=r+r.rAr)r)r)r*r=s rc@s0eZdZdZdZdZdZdZdZdZ dd Z d S) OperationzCAn operation that comes with the right-hand value of the directive.rcCs d|jS)Nz Operation.)namer-r)r)r*__repr__zszOperation.__repr__N) rBrCrD__doc__RESETPREPENDAPPENDOMITSET_INTSET_ENUMrLr)r)r)r*rEpsrEcsdd|rxtjvr2tvr2tjt|fgStjvsDtvrPtj tjvs^JtvsjJtvsJnHtvrtj tvr|tvrtj |ttj |fgS|}tfdd|Ds fdd|D}tjdfgdd|DStfd d|Drg}|D]}|d rbtjt|d dddd }n\|d rtjt|dd ddd }n*|d sJtjt|d d}|fdd|Dq,|Stj |dS)ae Parses right-hand parts of the directives into lists of operation/value pairs. For more examples, refer to tests/unit/test_parsing.py >>> parse_rhs('', 'cipher') [(Operation.RESET, None)] >>> parse_rhs('IDEA-CBC SEED-CBC', 'cipher') [(Operation.RESET, None), (Operation.APPEND, 'IDEA-CBC'), (Operation.APPEND, 'SEED-CBC')] >>> # 3DES-CBC gets prepended last for higher prio >>> parse_rhs('+*DES-CBC', 'cipher') [(Operation.PREPEND, 'DES-CBC'), (Operation.PREPEND, '3DES-CBC')] >>> parse_rhs('ENFORCE', '__ems') [(Operation.SET_ENUM, 'ENFORCE')] cSs|dp|dS)N)+-rT)r!endswith)vr)r)r* differentialszparse_rhs..differentialc3s|]}|VqdSr4r)r0rWrXr)r*r5r3zparse_rhs..cs"g|]}t|D]}|qqSr))rglob)r0rWx prop_namer)r*r2r3zparse_rhs..NcSsg|]}tj|fqSr))rErPrYr)r)r*r2r3c3s|]}|VqdSr4r)rYrZr)r*r5r3rTrrrUcsg|] }|fqSr)r)rY)opr)r*r2r3)isdigitrALL INT_DEFAULTSrErRintENUMSrrulesZNonIntPropertyIntValueErrorZIntPropertyNonIntValueErrorZBadEnumValueErrorrSr$r?rNr>r!rOr[rVrPrQextendZ%MixedDifferentialNonDifferentialError)rhsr^valuesZ operationsvalueZunglobr))rXr_r^r* parse_rhs~sL            rj Directiver^r# operationrics|s gStj||d\}}||}}tj||d|vrZ|ddn|tf\fddt|DS)aQ Parses configuration lines into tuples of directives. For more examples, refer to tests/unit/test_parsing.py >>> parse_line('cipher@TLS = RC4* NULL') [Directive(prop_name='cipher', scope='tls', operation=Operation.RESET, value=None), Directive(prop_name='cipher', scope='tls', operation=Operation.APPEND, value='RC4-40'), Directive(prop_name='cipher', scope='tls', operation=Operation.APPEND, value='RC4-128'), Directive(prop_name='cipher', scope='tls', operation=Operation.APPEND, value='NULL')] =@rcs$g|]\}}t||dqS)rl)rkr)r0rmrir^r#r)r*r2s zparse_line..)striprreZcount_equals_signsr$Z empty_lhsr=rj)lineZlhsrgr)rpr* parse_lines   rsFc Cs\z t|}|D]}t|jqWn6tjyV}z|s8t|WYd}~n d}~00dSr4)rsrr#rZPolicySyntaxErrorwarningswarn)rrruldexr)r)r*syntax_check_linesrycseZdZfddZZS)PolicySyntaxDeprecationWarningcs@|dd}d|d}|d|d7}|d7}t|dS)N z and zoption z is deprecatedz", please rewrite your rules using z; z2be advised that it is not always a 1-1 replacement)replacesuperr+)r'Z deprecatedZ replacementmsg __class__r)r*r+s   z'PolicySyntaxDeprecationWarning.__init__)rBrCrDr+ __classcell__r)r)rr*rzsrzcCstdd|}|dd}ddd|dD}|dd}dd d|dD}dd d|dD}td d|}td |rtt d dddddd}| D]`\}}d|d}t||}|rtt ||t|d|}|D]}|d|d|7}qqtd d|}ddddddd}| D]x\}}d|d}i}t ||D]} t||||| d<qj| D]\} } tt | | qt|||}qFt tjd d d!} | r,d"d#d| d d!D} td$| d!d| rd%| nd|}| qtd&d|}t tjd d d!}|rd"d'd|d d!D} td(|d!d| rd%| nd|}|qNtd)d|S)*a Preprocesses text before parsing. Fixes line breaks, handles backwards compatibility. >>> preprocess_text('cipher = c1 \\ \nc2#x') 'cipher = c1 c2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('ike_protocol = IKEv2') 'protocol@IKE = IKEv2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('min_tls_version=TLS1.3') 'protocol@TLS = -SSL2.0 -SSL3.0 -TLS1.0 -TLS1.1 -TLS1.2' z#.*rn = r{css|]}|VqdSr4rqr0rvr)r)r*r5r3z"preprocess_text..z\ css|]}|VqdSr4rrr)r)r*r5 r3css|]}tdd|VqdS)z\s+ N)resubrr)r)r*r5 r3z +z\bprotocol\s*=protocolz protocol@TLSz cipher@TLSz cipher@SSHz group@SSHz protocol@IKE)Z tls_cipherZ ssh_cipherZ ssh_groupZ ike_protocolz\bz\s*=(.*)z z =z7hash@DNSSec = -SHA1 sign@DNSSec = -RSA-SHA1 -ECDSA-SHA1z7hash@DNSSec = SHA1+ sign@DNSSec = RSA-SHA1+ ECDSA-SHA1+zetm@SSH = DISABLE_ETMz etm@SSH = ANYzetm@\1 = DISABLE_ETMz etm@\1 = ANY)zsha1_in_dnssec = 0zsha1_in_dnssec = 1z ssh_etm = 0z ssh_etm = 1zssh_etm@([^= ]+) = 0zssh_etm@([^= ]+) = 1rNrrcss|]}d|VqdSrUNr)rYr)r)r*r58r3z\bmin_dtls_version = zprotocol@TLS = z\bmin_dtls_version = 0\bcss|]}d|VqdSrr)rYr)r)r*r5@r3z\bmin_tls_version = z\bmin_tls_version = 0\b)rrr|joinr$rqfindallrtrurzitemsfinditergrouplistrZDTLS_PROTOCOLSpopZ TLS_PROTOCOLS)textZPOSTFIX_REPLACEMENTSfrtoZregexmsmZPLAIN_REPLACEMENTSrAmatchZmatch_frZmatch_toZ dtls_versionsnegZ tls_versionsr)r)r*preprocess_textsp         rc@sJeZdZdZd ddZeddZeddZed d Zed d Z dS) ScopedPolicya An entity constructing lists of what's `.enabled` and what's `.disabled` when the given scopes are active. >>> sp = ScopedPolicy(parse_line('cipher@TLS = RC4* NULL'), {'tls'}) >>> 'AES-192-GCM' in sp.disabled['cipher'] True >>> sp.enabled['cipher'] ['RC4-40', 'RC4-128', 'NULL'] >>> ScopedPolicy(parse_line('min_dh_size=2048')).integers['min_dh_size'] 2048 Ncs|pt}t_ddtD_ddtjD_ |D]t j }| |r>j tjkrrgj j<q>j tjkrj j}j|vr|jq>j tjkrj j}j|vr|j|djq>j tjkrfddj jDj j<q>j tjkr0jjj<q>j tjksBJjjj<q>tj ttj kspJfddtjD_dS)NcSsi|]\}}||dqS)rr))r0krWr)r)r* Yr3z)ScopedPolicy.__init__..cSsi|] }|gqSr)r))r0r^r)r)r*rZr3rcsg|]}|jkr|qSr))rir0e) directiver)r*r2ms z)ScopedPolicy.__init__..cs&i|]\}fdd|DqS)csg|]}|jvr|qSr))enabledr)r^r'r)r*r2xsz4ScopedPolicy.__init__...r))r0Zalg_listr-r]r*rxs)setrbcopyintegersrdrenumsrrarrr#rArmrErNr^rPriappendrOremoveinsertrQrRrSlenZdisabled)r' directivesZrelevant_scopesssrr))rr'r*r+Vs<                zScopedPolicy.__init__cCst|jdSNr)rmin_tls_versionrr-r)r)r*r|szScopedPolicy.min_tls_versioncCst|jdSr)rmax_tls_versionrr-r)r)r*rszScopedPolicy.max_tls_versioncCst|jdSr)rmin_dtls_versionrr-r)r)r*rszScopedPolicy.min_dtls_versioncCst|jdSr)rmax_dtls_versionrr-r)r)r*rszScopedPolicy.max_dtls_version)N) rBrCrDrMr+propertyrrrrr)r)r)r*rIs &   rcCs@|D](}tj||}t|tjr|Sqt|||dSr4)ospathraccessR_OKrZPolicyFileNotFoundError) policynamefnamepathsrwr(r)r)r* lookup_files  rc@sFeZdZdZdZddddZddZdd d Zdd d ZddZ dS)UnscopedCryptoPolicyz/etc/crypto-policiesz/usr/share/crypto-policiesN) policydircGsP||_d|g|R|_g|_||}|D]}||j|dd7}q.||_dS)N:T) subpolicy)rrrlinesread_policy_file _directives)r'Z policy_namerZsubpolicy_namesrZsubpolicy_namer)r)r*r+s zUnscopedCryptoPolicy.__init__cCs|j Sr4)rr-r)r)r*is_emptyszUnscopedCryptoPolicy.is_emptycCst|j|p iSr4)rrr@r)r)r*scopedszUnscopedCryptoPolicy.scopedFc Cs|jpd}|rtj|d}t|||s*dndtjj|tj|j|tj|j|f}t|dd}| }Wdn1s0Yt |}| d}|D]}t |dd q|D] }t |qd d |DS) NZpoliciesmodulesz.polz.pmodzutf-8)encodingr{T)rucSsg|]}t|D]}|qqSr))rs)r0rvr\r)r)r*r2r3z9UnscopedCryptoPolicy.read_policy_file..) rrrrrcurdir CONFIG_DIR SHARE_DIRopenreadrr$ry) r'rKrZpdirr(frrrvr)r)r*rs( &  z%UnscopedCryptoPolicy.read_policy_filec Cs dd}|}d|jd}|d7}|d7}|d7}|d7}|d7}i|j|j|j}|D]\}}||||7}qdd }tD]p\}} |j| d } i| j| j| j} | D]<\}}|||kr|s|d 7}d }|||d ||7}qq|s|d7}|S)NcSs2t|trd|nt|}|d|dS)Nrrr{) isinstancerrstrrstrip)keyrir1r)r)r*fmtsz)UnscopedCryptoPolicy.__str__..fmtz # Policy z dump z# z?# Do not parse the contents of this file with automated tools, z.# it is provided for review convenience only. z"# Baseline values for all scopes: Fr;z9# Scope-specific properties derived for select backends: Troz&# No scope-specific properties found. )rrrrrrDUMPABLE_SCOPES) r'rZgeneric_scopedr1Z generic_allr^riZanything_scope_specificZ scope_nameZ scope_setZspecific_scopedZ specific_allr)r)r*r.s@  zUnscopedCryptoPolicy.__str__)N)F) rBrCrDrrr+rrrr.r)r)r)r*rs   r)F) collectionsenumr7rrrtrrrdictfromkeysrbrdr=r&rrEnumrErj namedtuplerkrsry FutureWarningrzrrrrr)r)r)r*sL 3B   SF