a ChI.@sXddlmZmZddlmZdZdZGdddeZGdd d eZGd d d eZ d S) )CalledProcessError check_output)ConfigGeneratorz^ [openssl_init] alg_section = evp_properties [evp_properties] rh-allow-sha1-signatures = yes z2 [fips_sect] tls1-prf-ems-check = {} activate = 1 c@s>eZdZdZhdZddddddddd d ddd d d ddZhdddhddhdZdddddddddd Zddddd d!d"d#d$d%d&d' Zd(d)d*Z dhd+hd,d-hd.dhd/hd,d-hd.d0hd/hd,d-hd.dhd/hd,d-hd.d1hd/hd2hd,d-hd3d1hd+hd4hd,d-hd3d5Z e d6d7Z e d8d9Z e d:d;Ze dS)?OpenSSLGeneratoropensslrZsslZtlsz-AES256z-AES128z-SHA256z -CHACHA20z-SEEDz!IDEAz!DESz-3DESz!RC4z!RC2z !eNULL:!aNULL)z AES-256-CTRz AES-128-CTR AES-256-GCM AES-128-GCM AES-256-CBC AES-128-CBCCHACHA20-POLY1305SEED-CBCIDEA-CBCDES-CBCzRC4-40z DES40-CBC3DES-CBCzRC4-128RC2-CBCNULL> zCAMELLIA-128-CBCrzCAMELLIA-256-CBCrr rrrr z AES-128-CCMz AES-256-CCMr r )z-CBCz-AESCCMz-AESGCMZkRSAZkEECDHZkPSKZkDHEPSKZkEDHZ kECDHEPSKZkRSAPSKZkGOST) RSAECDHEPSKDHE-PSKDHE-RSADHE-DSS ECDHE-PSKRSA-PSKz VKO-GOST-2012z-kRSAz-kEECDHz-aRSAz-aDSSz-kPSKz-kDHEPSKz -kECDHEPSKz-kRSAPSK) ZANONZDHZECDHrrrrrrrrz!MD5z-SHA1)zHMAC-MD5z HMAC-SHA1zSHA2-384TLS1.3zDTLS1.3)cipherhashprotocolzSHA2-256rrz HMAC-SHA2-256)rrmacr z HMAC-SHA2-384)ZTLS_AES_256_GCM_SHA384ZTLS_AES_128_GCM_SHA256ZTLS_CHACHA20_POLY1305_SHA256ZTLS_AES_128_CCM_SHA256ZTLS_SHA256_SHA256ZTLS_SHA384_SHA384c sd}|j}|j|jd}|jd}|dks4|dkrB||d}nH|dksR|dkr`||d}n*|dksp|dkr~||d }n ||d }|d D].}z|||j|}WqtyYq0qd D].}z|||j|}WqtyYq0qʈd D]2}z|||j|}Wnty0Yn0q|j D].\}}t fd d|Dr@|||}q@dD]2}z|||j |}WntyYn0qxdD]} ||| }q|S)Nr min_dh_size min_rsa_sizeiz @SECLEVEL=0iz @SECLEVEL=1i z @SECLEVEL=2z @SECLEVEL=3Z key_exchangerc3s|]}|dvVqdS)rN).0cipr$=/usr/share/crypto-policies/python/policygenerators/openssl.py z4OpenSSLGenerator.generate_ciphers..r!)z-SHA384z -CAMELLIAz-ARIAz-AESCCM8) enabledZdisabledZintegersappendkey_exchange_mapKeyErrorkey_exchange_not_mapcipher_not_mapcipher_notany_multimapitemsall mac_not_map) clspolicyspr"r#ikeywordZ ciphersetr&r$r'r)generate_cipherssL           z!OpenSSLGenerator.generate_cipherscsld}|jdD]Tfdd|jD}|D].\}}tfdd|Dr6|||}q6q|S)Nr rcs$i|]\}}|dhkr||qS)rr$)r%namespec)r&r$r) s z:OpenSSLGenerator.generate_ciphersuites..c3s,|]$\}tfdd|DVqdS)c3s|]}|vVqdS)Nr$)r%valZ algvaluesr$r)r*r+zCOpenSSLGenerator.generate_ciphersuites...N)any)r%Zalgclass)r9rAr)r*sz9OpenSSLGenerator.generate_ciphersuites..)r,ciphersuite_mapr3r4r-)r6r7r8Z cipher_submapZciphersuite_nameZciphersuite_specr$)r&r9r)generate_ciphersuitess   z&OpenSSLGenerator.generate_ciphersuitescCs||dS)N )r<r6r7r$r$r)generate_configsz OpenSSLGenerator.generate_configcCsd}ztdd|ddg}Wn@tyL|d|d|YdSty^YdS0d |vspd |vr|d |d|dSdS) Nr+rZciphersz-There is an error in openssl generated policyzPolicy: FTsNULLsADHz0There is NULL or ADH in openssl generated policy)rrZeprintOSError)r6configoutputr$r$r) test_configs      zOpenSSLGenerator.test_configN)__name__ __module__ __qualname__ CONFIG_NAMESCOPESr1r2r.r0r5rC classmethodr<rDrGrLr$r$r$r)rs   ) 3  rc@seZdZdZdddddddd d Zd d d ddddddddddddddddddd d!d"d#d$d%Zd&d'd(d)Zd*d+d,d-d.d/d0d1d2d3d4d5d6d7d8Zed9d:Z ed;d<Z d=S)>OpenSSLConfigGeneratorZ opensslcnfZSSLv3ZTLSv1zTLSv1.1zTLSv1.2zTLSv1.3zDTLSv0.9ZDTLSv1zDTLSv1.2)zSSL3.0zTLS1.0zTLS1.1zTLS1.2rzDTLS0.9zDTLS1.0zDTLS1.2zRSA+SHA1zDSA+SHA1z ECDSA+SHA1z RSA+SHA224z DSA+SHA224z ECDSA+SHA224z RSA+SHA256z DSA+SHA256z ECDSA+SHA256z RSA+SHA384z DSA+SHA384z ECDSA+SHA384z RSA+SHA512z DSA+SHA512z ECDSA+SHA512Zrsa_pss_pss_sha256Zrsa_pss_pss_sha384Zrsa_pss_pss_sha512Zrsa_pss_rsae_sha256Zrsa_pss_rsae_sha384Zrsa_pss_rsae_sha512Zed25519Zed448z?mldsa44z?mldsa65z?mldsa87)zRSA-SHA1zDSA-SHA1z ECDSA-SHA1z RSA-SHA2-224z DSA-SHA2-224zECDSA-SHA2-224z RSA-SHA2-256z DSA-SHA2-256zECDSA-SHA2-256z RSA-SHA2-384z DSA-SHA2-384zECDSA-SHA2-384z RSA-SHA2-512z DSA-SHA2-512zECDSA-SHA2-512zRSA-PSS-SHA2-256zRSA-PSS-SHA2-384zRSA-PSS-SHA2-512zRSA-PSS-RSAE-SHA2-256zRSA-PSS-RSAE-SHA2-384zRSA-PSS-RSAE-SHA2-512z EDDSA-ED25519z EDDSA-ED448ZMLDSA44ZMLDSA65ZMLDSA87z ?X25519MLKEM768:?x25519_mlkem768z!?SecP256r1MLKEM768:?p256_mlkem768z#?SecP384r1MLKEM1024:?p384_mlkem1024)zMLKEM768-X25519z P256-MLKEM768zP384-MLKEM1024Z secp224r1Z secp256r1Z secp384r1Z secp521r1X25519X448Z ffdhe2048Z ffdhe3072Z ffdhe4096Z ffdhe6144Z ffdhe8192ZbrainpoolP256r1ZbrainpoolP384r1ZbrainpoolP512r1)Z SECP224R1Z SECP256R1Z SECP384R1Z SECP521R1rTrUz FFDHE-2048z FFDHE-3072z FFDHE-4096z FFDHE-6144z FFDHE-8192zBRAINPOOL-P256R1zBRAINPOOL-P384R1zBRAINPOOL-P512R1cs|j}d|d}|d|d7}|jrT|d7}|dj|jd7}|jrz|d7}|dj|jd7}|jr|d7}|dj|jd7}|jr|d7}|dj|jd7}fd d |d D}|d d |d7}fdd |dD}fdd |dD}|r4dd |gng|rLdd |gng}|dd|d7}|j ddkr|d7}d|dvr|t 7}|S)NzCipherString = rEzCiphersuites = zTLS.MinProtocol = zTLS.MaxProtocol =zDTLS.MinProtocol =zDTLS.MaxProtocol =cs g|]}|jvrj|qSr$)sign_mapr%r:r6r$r) 6r+z:OpenSSLConfigGenerator.generate_config..signzSignatureAlgorithms = :cs g|]}|jvrj|qSr$) group_pq_maprXrYr$r)rZ>s groupcs g|]}|jvrj|qSr$)group_classic_maprXrYr$r)rZ@s *z Groups = /__emsRELAXzOptions = RHNoEnforceEMSinFIPS ZSHA1r) r,r<rDZmin_tls_version protocol_mapZmax_tls_versionZmin_dtls_versionZmax_dtls_versionjoinenums RH_ALLOW_SHA1)r6r7r9r8Zsig_algsZ groups_pqZgroups_classicZ group_classesr$rYr)rG"s:z&OpenSSLConfigGenerator.generate_configcCsdSNTr$r6rJr$r$r)rLPsz"OpenSSLConfigGenerator.test_configN) rMrNrOrPrdrWr]r_rRrGrLr$r$r$r)rSsx  -rSc@s0eZdZdZhdZeddZeddZdS)OpenSSLFIPSGeneratorZ openssl_fipsrcCstt|jddkS)Nrbrc)FIPS_MODULE_CONFIGformatintrfrFr$r$r)rGYsz$OpenSSLFIPSGenerator.generate_configcCsdSrhr$rir$r$r)rLbsz OpenSSLFIPSGenerator.test_configN)rMrNrOrPrQrRrGrLr$r$r$r)rjUs  rjN) subprocessrrZconfiggeneratorrrgrkrrSrjr$r$r$r)s Gv