3 ."ÉdCBã@s6ddlZddlZddlZddlZddlZddlZddlmZddlmZdd„dƒZd-d.„Zd?d0d1„ZGd2d3„d3eƒZd4d5„ZGd6d7„d7ƒZd8d9„ZGd:d;„d;ƒZdS)@éNé)Ú alg_lists)Ú validationcCsi|] }d|“qS)r©)Ú.0ÚkrrúC./usr/share/crypto-policies/python/cryptopolicies/cryptopolicies.pyú sr Úarbitrary_dh_groupsÚmin_dh_sizeÚmin_dsa_sizeÚmin_rsa_sizeÚ sha1_in_certsÚ ssh_certsÚssh_etmÚ*ÚtlsÚsslÚopensslÚnssÚgnutlsújava-tlsÚsshÚopensshúopenssh-serverúopenssh-clientÚlibsshÚipsecÚikeÚ libreswanÚkerberosÚkrb5ÚdnssecÚbind) r#rzjava-tlsr!rrrzopenssh-clientzopenssh-serverrc@s(eZdZefdd„Zdd„Zdd„ZdS)Ú ScopeSelectorcCs”|jƒ|_}|jdƒ|_|jr&|n |dd…}tjj||jdtjj||jd|jdƒrr|dd…jdƒn|g|_ tjj |j t|jddS)a= Initialize a scope selector. An example would be `ssh` in `ciphers@ssh = -NULL`. When openssh backend will request the configuration, it'll offer (`{'ssh', 'openssh'}`) as scopes and the rule above will be taken into account. Both patterns and scopes are cast to lowercase. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ss = ScopeSelector('!{SSH,IPsec}') >>> ss.matches({'ipsec', 'libreswan'}) False >>> ss.matches({'tls', 'openssl'}) True ú!rN)Zoriginal_patternú{ú,éÿÿÿÿ)ÚlowerÚpatternÚ startswithÚ _positiverÚscopeZillegal_charactersZcurly_bracketsÚsplitÚ_globsZresulting_globsÚ ALL_SCOPES)Úselfr*ÚprrrÚ__init__5s$zScopeSelector.__init__cCsdt|jƒ›dS)Nz)Úreprr*)r1rrrÚ__str__PszScopeSelector.__str__csh|jtkrdSdd„ˆDƒ‰tdd„ˆDƒƒs2t‚|jrPt‡fdd„|jDƒƒSt‡fdd„|jDƒƒS)aE Checks whether ScopeSelector matches one of the scopes. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ScopeSelector('{SSH,IPsec}').matches({'ipsec', 'libreswan'}) True >>> ScopeSelector('!{SSH,IPsec}').matches({'ipsec', 'libreswan'}) False TcSsg|]}|jƒ‘qSr)r))rÚsrrrú ^sz)ScopeSelector.matches..css|]}|tkVqdS)N)r0)rr7rrrú _sz(ScopeSelector.matches..c3s|]}tjˆ|ƒVqdS)N)ÚfnmatchÚfilter)rÚg)Úscopesrrr9asc3s|]}tjˆ|ƒVqdS)N)r:r;)rr<)r=rrr9bs)r*Ú SCOPE_ANYÚallÚAssertionErrorr,Úanyr/)r1r=r)r=rÚmatchesSs zScopeSelector.matchesN)Ú__name__Ú __module__Ú__qualname__r>r3r6rBrrrrr$4sr$c@s$eZdZdZdZdZdZdZdZdS)Ú OperationzM An operation that comes with the right-hand value of the directive. rééééN) rCrDrEÚ__doc__ÚRESETÚPREPENDÚAPPENDÚOMITÚSET_INTrrrrrFgsrFcs®dd„‰|jƒrfˆtjkr2ˆtkr2tjt|ƒfgSˆtjkrJtjj ˆƒ‚qzˆtjksXt ‚ˆtkszt ‚nˆtkrztjjˆƒ‚|jƒ}t ‡fdd„|DƒƒsÊt‡fdd„|Dƒgƒ}tjdfgdd„|DƒSt‡fd d„|Dƒƒržg}x²|D]ª}|jd ƒr"tj‰tj|dd…ˆƒddd…}n\|jd ƒrTtj‰tj|dd…ˆƒddd…}n*|jdƒsdt ‚tj‰tj|dd…ˆƒ}|j‡fd d„|DƒƒqìW|Stjj|ƒ‚dS)a7 Parses right-hand parts of the directives into lists of operation/value pairs. For more examples, refer to tests/unit/test_parsing.py >>> parse_rhs('', 'cipher') [(, None)] >>> parse_rhs('IDEA-CBC SEED-CBC', 'cipher') [(, None), (, 'IDEA-CBC'), (, 'SEED-CBC')] >>> # 3DES-CBC gets prepended last for higher prio >>> parse_rhs('+*DES-CBC', 'cipher') [(, 'DES-CBC'), (, '3DES-CBC')] cSs|jdƒp|jdƒp|jdƒS)Nú+ú-)r+Úendswith)ÚvrrrÚdifferential‚szparse_rhs..differentialc3s|]}ˆ|ƒVqdS)Nr)rrT)rUrrr9”szparse_rhs..csg|]}tj|ˆƒ‘qSr)rÚglob)rrT)Ú prop_namerrr8•szparse_rhs..NcSsg|]}tj|f‘qSr)rFrN)rrTrrrr8—sc3s|]}ˆ|ƒVqdS)Nr)rrT)rUrrr9˜srQrrRcsg|]}ˆ|f‘qSrr)rrT)Úoprrr8¥sr(r(r()ÚisdigitrÚALLÚINT_DEFAULTSrFrPÚintrÚrulesZNonIntPropertyIntValueErrorr@ZIntPropertyNonIntValueErrorr.rAÚsumrLr?r+rMrVrSrNrOÚextendZ%MixedDifferentialNonDifferentialError)ÚrhsrWÚvaluesZ operationsÚvalueZunglobr)rUrXrWrÚ parse_rhsrs< rcÚ DirectiverWr-Ú operationrbcs€|jƒsgStjj|ƒ|jdƒ\}}|jƒ|jƒ}}tjj||ƒd|krZ|jddƒn|tf\‰‰‡‡fdd„t|ˆƒDƒS)ae Parses configuration lines into tuples of directives. For more examples, refer to tests/unit/test_parsing.py >>> parse_line('cipher@TLS = RC4* NULL') [Directive(prop_name='cipher', scope='tls', operation=, value=None), Directive(prop_name='cipher', scope='tls', operation=, value='RC4-40'), Directive(prop_name='cipher', scope='tls', operation=, value='RC4-128'), Directive(prop_name='cipher', scope='tls', operation=, value='NULL')] ú=ú@rcs$g|]\}}tˆˆjƒ||d‘qS))rWr-rerb)rdr))rrerb)rWr-rrr8Êszparse_line..)Ústriprr]Zcount_equals_signsr.Z empty_lhsr>rc)ÚlineZlhsr`r)rWr-rÚ parse_line²s rjFcCs^y$t|ƒ}x|D]}t|jƒqWWn4tjk rX}z|s>‚tj|ƒWYdd}~XnXdS)N)rjr$r-rZPolicySyntaxErrorÚwarningsÚwarn)rirlÚlÚdÚexrrrÚsyntax_check_lineÏs rpcseZdZ‡fdd„Z‡ZS)ÚPolicySyntaxDeprecationWarningcs@|jddƒ}d|›d}|d|›d7}|d7}tƒj|ƒdS)NÚ z and zoption z is deprecatedz", please rewrite your rules using z; z2be advised that it is not always a 1-1 replacement)ÚreplaceÚsuperr3)r1Z deprecatedZreplacementÚmsg)Ú __class__rrr3Ûs z'PolicySyntaxDeprecationWarning.__init__)rCrDrEr3Ú __classcell__rr)rvrrqÚsrqcCstjdd|ƒ}|jddƒ}djdd„|jdƒDƒƒ}|jddƒ}djd d„|jdƒDƒƒ}djd d„|jdƒDƒƒ}tjdd|ƒjƒ}tjd|ƒr¢tjt d dƒƒdddddœ}xr|j ƒD]f\}}d|d}tj||ƒ}|rîtjt ||ƒƒtj|d|ƒ}x"|D]}|d|›d|›7}qWqºWtjdd|ƒjƒ}dddœ}xN|j ƒD]B\}}d|d}tj||ƒr|tjt ||ƒƒtj|||ƒ}qJWtt jddd%…ƒ}xZ|rþdjdd„|dd&…Dƒƒ} tjd|d'd| rêd | ›nd|ƒ}|jƒq¦Wtjd!d|ƒ}tt jddd(…ƒ} xZ| r|djd"d„| dd)…Dƒƒ} tjd#| d*d| rhd | ›nd|ƒ}| jƒq$Wtjd$d|ƒ}|S)+a Preprocesses text before parsing. Fixes line breaks, handles backwards compatibility. >>> preprocess_text('cipher = c1 \\ \nc2#x') 'cipher = c1 c2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('ike_protocol = IKEv2') 'protocol@IKE = IKEv2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('min_tls_version=TLS1.3') 'protocol@TLS = -SSL2.0 -SSL3.0 -TLS1.0 -TLS1.1 -TLS1.2' z#.*Úrfz = rrcss|]}|jƒVqdS)N)rh)rrmrrrr9ôsz"preprocess_text..z\ css|]}|jƒVqdS)N)rh)rrmrrrr9öscss|]}tjdd|ƒVqdS)z\s+ú N)ÚreÚsub)rrmrrrr9÷sz +z\bprotocol\s*=Úprotocolzprotocol@TLSz cipher@TLSz cipher@SSHz group@SSHzprotocol@IKE)Z tls_cipherZ ssh_cipherZ ssh_groupZike_protocolz\bz\s*=(.*)z z =z7hash@DNSSec = -SHA1 sign@DNSSec = -RSA-SHA1 -ECDSA-SHA1z7hash@DNSSec = SHA1+ sign@DNSSec = RSA-SHA1+ ECDSA-SHA1+)zsha1_in_dnssec = 0zsha1_in_dnssec = 1Nrrycss|]}d|VqdS)rRNr)rrTrrrr9sz\bmin_dtls_version = zprotocol@TLS = z\bmin_dtls_version = 0\bcss|]}d|VqdS)rRNr)rrTrrrr9$sz\bmin_tls_version = z\bmin_tls_version = 0\br(r(r(r(r(r()rzr{rsÚjoinr.rhÚfindallrkrlrqÚitemsÚsearchÚlistrZDTLS_PROTOCOLSÚpopZ TLS_PROTOCOLS)ÚtextZPOSTFIX_REPLACEMENTSÚfrZtoZregexZmsÚmZPLAIN_REPLACEMENTSZ dtls_versionsÚnegZtls_versionsrrrÚpreprocess_textãsZ r‡c@sJeZdZdZd dd„Zedd„ƒZedd„ƒZed d „ƒZedd„ƒZ dS)ÚScopedPolicyaŽ An entity constructing lists of what's `.enabled` and what's `.disabled` when the given scopes are active. >>> sp = ScopedPolicy(parse_line('cipher@TLS = RC4* NULL'), {'tls'}) >>> 'AES-256-GCM' in sp.disabled['cipher'] True >>> sp.enabled['cipher'] ['RC4-40', 'RC4-128', 'NULL'] >>> ScopedPolicy(parse_line('min_dh_size=2048')).integers['min_dh_size'] 2048 NcsX|ptƒ}tjƒˆ_dd„tjDƒˆ_xø|D]ð‰tˆjƒ}|j |ƒr,ˆj tjkr^gˆjˆj <q,ˆj tjkrŽˆjˆj }ˆj|krŒ|jˆjƒq,ˆj tjkrÌˆjˆj }ˆj|kr¼|jˆjƒ|jdˆjƒq,ˆj tjkrü‡fdd„ˆjˆj Dƒˆjˆj <q,ˆj tjkst‚ˆjˆjˆj <q,Wtˆjƒttˆjƒƒks>t‚‡fdd„tjDƒˆ_dS)NcSsi|] }g|“qSrr)rrWrrrr >sz)ScopedPolicy.__init__..rcsg|]}|ˆjkr|‘qSr)rb)rÚe)Ú directiverrr8Rsz)ScopedPolicy.__init__..cs(i|] ‰‡‡fdd„tjˆDƒˆ“qS)csg|]}|ˆjˆkr|‘qSr)Úenabled)rr‰)rWr1rrr8Zsz4ScopedPolicy.__init__...)rrZ)r)r1)rWrr Zs)Úsetr[ÚcopyÚintegersrrZr‹r$r-rBrerFrLrWrNrbÚappendrMÚremoveÚinsertrOrPr@ÚlenZdisabled)r1Ú directivesZrelevant_scopesZssr‹r)rŠr1rr3;s0 $ zScopedPolicy.__init__cCstj|jdƒS)Nr|)rÚmin_tls_versionr‹)r1rrrr”^szScopedPolicy.min_tls_versioncCstj|jdƒS)Nr|)rÚmax_tls_versionr‹)r1rrrr•bszScopedPolicy.max_tls_versioncCstj|jdƒS)Nr|)rÚmin_dtls_versionr‹)r1rrrr–fszScopedPolicy.min_dtls_versioncCstj|jdƒS)Nr|)rÚmax_dtls_versionr‹)r1rrrr—jszScopedPolicy.max_dtls_version)N) rCrDrErKr3Úpropertyr”r•r–r—rrrrrˆ/s #rˆcCs@x,|D]$}tjj||ƒ}tj|tjƒr|SqWtj|||ƒ‚dS)N)ÚosÚpathr}ÚaccessÚR_OKrZPolicyFileNotFoundError)Ú policynameÚfnameÚpathsrnr2rrrÚlookup_fileqs r c@sFeZdZdZdZddœdd„Zdd„Zdd d „Zddd „Zdd„Z dS)ÚUnscopedCryptoPolicyz/etc/crypto-policiesz/usr/share/crypto-policiesN)Ú policydircGsR||_dj|f|ƒ|_g|_|j|ƒ}x|D]}||j|dd7}q.W||_dS)Nú:T)Ú subpolicy)r¢r}rÚlinesÚread_policy_fileÚ_directives)r1Zpolicy_namer¢Zsubpolicy_namesr“Zsubpolicy_namerrrr3€s zUnscopedCryptoPolicy.__init__cCs|jS)N)r§)r1rrrÚis_empty‹szUnscopedCryptoPolicy.is_emptycCst|j|piƒS)N)rˆr§)r1r=rrrÚscopedŽszUnscopedCryptoPolicy.scopedFc CsÊ|jpd}|rtjj|dƒ}t|||s*dndtjj|tjj|j|ƒtjj|j|ƒfƒ}t|ƒ}|j ƒ}WdQRXt |ƒ}|jdƒ}x|D]}t|ddqŒWx|D]}t|ƒq¦Wt dd „|DƒgƒS) NZpoliciesÚmodulesz.polz.pmodrrT)rlcSsg|]}t|ƒ‘qSr)rj)rrmrrrr8¥sz9UnscopedCryptoPolicy.read_policy_file..)r¢r™ršr}r ÚcurdirÚ CONFIG_DIRÚ SHARE_DIRÚopenÚreadr‡r.rpr^) r1Únamer¤Zpdirr2Úfrƒr¥rmrrrr¦‘s$ z%UnscopedCryptoPolicy.read_policy_filecCsdd„}|jƒ}d|j›d}|d7}|d7}|d7}|d7}|d7}|j|j–}x"|jƒD]\}}||||ƒ7}q\Wd }xvtjƒD]j\}} |j| d } | j| j–}xH|jƒD]<\}}|||kr®|sÒ|d7}d}|||›d |›|ƒ7}q®Wq„W|s|d7}|S)NcSs2t|tƒrdj|ƒnt|ƒ}|›d|›jƒdS)Nryz = rr)Ú isinstancerr}ÚstrÚrstrip)Úkeyrbr7rrrÚfmt¨sz)UnscopedCryptoPolicy.__str__..fmtz # Policy z dump z# z?# Do not parse the contents of this file with automated tools, z.# it is provided for review convenience only. z"# Baseline values for all scopes: F)r=z9# Scope-specific properties derived for select backends: Trgz&# No scope-specific properties found. )r©rr‹rŽrÚDUMPABLE_SCOPES)r1r¶Zgeneric_scopedr7Zgeneric_allrWrbZanything_scope_specificZ scope_nameZ scope_setZspecific_scopedZspecific_allrrrr6§s2 zUnscopedCryptoPolicy.__str__)N)F) rCrDrEr¬rr3r¨r©r¦r6rrrrr¡{s r¡)r rrr rrr)rrrrrrrrrrrrrrr r!r"r#)rWr-rerb)F)ÚcollectionsÚenumr:r™rzrkrxrrr[r>r0r·r$ÚEnumrFrcÚ namedtuplerdrjrpÚ FutureWarningrqr‡rˆr r¡rrrrÚsP3; LB