3 ."ÉdCBã@s6ddlZddlZddlZddlZddlZddlZddlmZddlmZdd„dƒZd-d.„Zd?d0d1„ZGd2d3„d3eƒZd4d5„ZGd6d7„d7ƒZd8d9„ZGd:d;„d;ƒZdS)@éNé)Ú alg_lists)Ú validationcCsi|] }d|“qS)r©)Ú.0ÚkrrúC./usr/share/crypto-policies/python/cryptopolicies/cryptopolicies.pyú sr Úarbitrary_dh_groupsÚmin_dh_sizeÚmin_dsa_sizeÚmin_rsa_sizeÚ sha1_in_certsÚ ssh_certsÚssh_etmÚ*ÚtlsÚsslÚopensslÚnssÚgnutlsújava-tlsÚsshÚopensshúopenssh-serverúopenssh-clientÚlibsshÚipsecÚikeÚ libreswanÚkerberosÚkrb5ÚdnssecÚbind) r#rzjava-tlsr!rrrzopenssh-clientzopenssh-serverrc@s(eZdZefdd„Zdd„Zdd„ZdS)Ú ScopeSelectorcCs”|jƒ|_}|jdƒ|_|jr&|n |dd…}tjj||jdtjj||jd|jdƒrr|dd…jdƒn|g|_ tjj |j t|jddS)a= Initialize a scope selector. An example would be `ssh` in `ciphers@ssh = -NULL`. When openssh backend will request the configuration, it'll offer (`{'ssh', 'openssh'}`) as scopes and the rule above will be taken into account. Both patterns and scopes are cast to lowercase. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ss = ScopeSelector('!{SSH,IPsec}') >>> ss.matches({'ipsec', 'libreswan'}) False >>> ss.matches({'tls', 'openssl'}) True ú!rN)Zoriginal_patternú{ú,éÿÿÿÿ)ÚlowerÚpatternÚ startswithÚ _positiverÚscopeZillegal_charactersZcurly_bracketsÚsplitÚ_globsZresulting_globsÚ ALL_SCOPES)Úselfr*ÚprrrÚ__init__5s$zScopeSelector.__init__cCsdt|jƒ›dS)Nz)Úreprr*)r1rrrÚ__str__PszScopeSelector.__str__csR|jtkrdSdd„ˆDƒ‰|jr:t‡fdd„|jDƒƒSt‡fdd„|jDƒƒS)aE Checks whether ScopeSelector matches one of the scopes. For more examples, refer to tests/unit/parsing/test_scope_selector.py >>> ScopeSelector('{SSH,IPsec}').matches({'ipsec', 'libreswan'}) True >>> ScopeSelector('!{SSH,IPsec}').matches({'ipsec', 'libreswan'}) False TcSsg|]}|jƒ‘qSr)r))rÚsrrrú ^sz)ScopeSelector.matches..c3s|]}tjˆ|ƒVqdS)N)ÚfnmatchÚfilter)rÚg)Úscopesrrú asz(ScopeSelector.matches..c3s|]}tjˆ|ƒVqdS)N)r9r:)rr;)r<rrr=bs)r*Ú SCOPE_ANYr,Úanyr/Úall)r1r<r)r<rÚmatchesSs zScopeSelector.matchesN)Ú__name__Ú __module__Ú__qualname__r>r3r6rArrrrr$4sr$c@s$eZdZdZdZdZdZdZdZdS)Ú OperationzM An operation that comes with the right-hand value of the directive. rééééN) rBrCrDÚ__doc__ÚRESETÚPREPENDÚAPPENDÚOMITÚSET_INTrrrrrEgsrEcs„dd„‰|jƒrLˆtjkr2ˆtkr2tjt|ƒfgSˆtjkr`tjj ˆƒ‚q`nˆtkr`tjj ˆƒ‚|jƒ}t‡fdd„|Dƒƒs°t ‡fdd„|Dƒgƒ}tjdfgdd„|DƒSt‡fd d„|Dƒƒrtg}x¢|D]š}|jd ƒrtj‰tj|dd…ˆƒddd …}nL|jd ƒr:tj‰tj|dd…ˆƒddd…}ntj‰tj|dd…ˆƒ}|j‡fdd„|DƒƒqÒW|Stjj|ƒ‚dS)a7 Parses right-hand parts of the directives into lists of operation/value pairs. For more examples, refer to tests/unit/test_parsing.py >>> parse_rhs('', 'cipher') [(, None)] >>> parse_rhs('IDEA-CBC SEED-CBC', 'cipher') [(, None), (, 'IDEA-CBC'), (, 'SEED-CBC')] >>> # 3DES-CBC gets prepended last for higher prio >>> parse_rhs('+*DES-CBC', 'cipher') [(, 'DES-CBC'), (, '3DES-CBC')] cSs|jdƒp|jdƒp|jdƒS)Nú+ú-)r+Úendswith)ÚvrrrÚdifferential‚szparse_rhs..differentialc3s|]}ˆ|ƒVqdS)Nr)rrS)rTrrr=”szparse_rhs..csg|]}tj|ˆƒ‘qSr)rÚglob)rrS)Ú prop_namerrr8•szparse_rhs..NcSsg|]}tj|f‘qSr)rErM)rrSrrrr8—sc3s|]}ˆ|ƒVqdS)Nr)rrS)rTrrr=˜srPrcsg|]}ˆ|f‘qSrr)rrS)Úoprrr8¥sr(r(r()ÚisdigitrÚALLÚINT_DEFAULTSrErOÚintrÚrulesZNonIntPropertyIntValueErrorZIntPropertyNonIntValueErrorr.r?ÚsumrKr@r+rLrUrRrMrNÚextendZ%MixedDifferentialNonDifferentialError)ÚrhsrVÚvaluesZ operationsÚvalueZunglobr)rTrWrVrÚ parse_rhsrs8 rbÚ DirectiverVr-Ú operationracs€|jƒsgStjj|ƒ|jdƒ\}}|jƒ|jƒ}}tjj||ƒd|krZ|jddƒn|tf\‰‰‡‡fdd„t|ˆƒDƒS)ae Parses configuration lines into tuples of directives. For more examples, refer to tests/unit/test_parsing.py >>> parse_line('cipher@TLS = RC4* NULL') [Directive(prop_name='cipher', scope='tls', operation=, value=None), Directive(prop_name='cipher', scope='tls', operation=, value='RC4-40'), Directive(prop_name='cipher', scope='tls', operation=, value='RC4-128'), Directive(prop_name='cipher', scope='tls', operation=, value='NULL')] ú=ú@rcs$g|]\}}tˆˆjƒ||d‘qS))rVr-rdra)rcr))rrdra)rVr-rrr8Êszparse_line..)Ústriprr\Zcount_equals_signsr.Z empty_lhsr>rb)ÚlineZlhsr_r)rVr-rÚ parse_line²s riFcCs^y$t|ƒ}x|D]}t|jƒqWWn4tjk rX}z|s>‚tj|ƒWYdd}~XnXdS)N)rir$r-rZPolicySyntaxErrorÚwarningsÚwarn)rhrkÚlÚdÚexrrrÚsyntax_check_lineÏs rocseZdZ‡fdd„Z‡ZS)ÚPolicySyntaxDeprecationWarningcs@|jddƒ}d|›d}|d|›d7}|d7}tƒj|ƒdS)NÚ z and zoption z is deprecatedz", please rewrite your rules using z; z2be advised that it is not always a 1-1 replacement)ÚreplaceÚsuperr3)r1Z deprecatedZreplacementÚmsg)Ú __class__rrr3Ûs z'PolicySyntaxDeprecationWarning.__init__)rBrCrDr3Ú __classcell__rr)rurrpÚsrpcCstjdd|ƒ}|jddƒ}djdd„|jdƒDƒƒ}|jddƒ}djd d„|jdƒDƒƒ}djd d„|jdƒDƒƒ}tjdd|ƒjƒ}tjd|ƒr¢tjt d dƒƒdddddœ}xr|j ƒD]f\}}d|d}tj||ƒ}|rîtjt ||ƒƒtj|d|ƒ}x"|D]}|d|›d|›7}qWqºWtjdd|ƒjƒ}dddœ}xN|j ƒD]B\}}d|d}tj||ƒr|tjt ||ƒƒtj|||ƒ}qJWtt jddd%…ƒ}xZ|rþdjdd„|dd&…Dƒƒ} tjd|d'd| rêd | ›nd|ƒ}|jƒq¦Wtjd!d|ƒ}tt jddd(…ƒ} xZ| r|djd"d„| dd)…Dƒƒ} tjd#| d*d| rhd | ›nd|ƒ}| jƒq$Wtjd$d|ƒ}|S)+a Preprocesses text before parsing. Fixes line breaks, handles backwards compatibility. >>> preprocess_text('cipher = c1 \\ \nc2#x') 'cipher = c1 c2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('ike_protocol = IKEv2') 'protocol@IKE = IKEv2' >>> with warnings.catch_warnings(): ... warnings.simplefilter("ignore") ... preprocess_text('min_tls_version=TLS1.3') 'protocol@TLS = -SSL2.0 -SSL3.0 -TLS1.0 -TLS1.1 -TLS1.2' z#.*Úrez = rqcss|]}|jƒVqdS)N)rg)rrlrrrr=ôsz"preprocess_text..z\ css|]}|jƒVqdS)N)rg)rrlrrrr=öscss|]}tjdd|ƒVqdS)z\s+ú N)ÚreÚsub)rrlrrrr=÷sz +z\bprotocol\s*=Úprotocolzprotocol@TLSz cipher@TLSz cipher@SSHz group@SSHzprotocol@IKE)Z tls_cipherZ ssh_cipherZ ssh_groupZike_protocolz\bz\s*=(.*)z z =z7hash@DNSSec = -SHA1 sign@DNSSec = -RSA-SHA1 -ECDSA-SHA1z7hash@DNSSec = SHA1+ sign@DNSSec = RSA-SHA1+ ECDSA-SHA1+)zsha1_in_dnssec = 0zsha1_in_dnssec = 1Nrrxcss|]}d|VqdS)rQNr)rrSrrrr=sz\bmin_dtls_version = zprotocol@TLS = z\bmin_dtls_version = 0\bcss|]}d|VqdS)rQNr)rrSrrrr=$sz\bmin_tls_version = z\bmin_tls_version = 0\br(r(r(r(r(r()ryrzrrÚjoinr.rgÚfindallrjrkrpÚitemsÚsearchÚlistrZDTLS_PROTOCOLSÚpopZ TLS_PROTOCOLS)ÚtextZPOSTFIX_REPLACEMENTSÚfrZtoZregexZmsÚmZPLAIN_REPLACEMENTSZ dtls_versionsÚnegZtls_versionsrrrÚpreprocess_textãsZ r†c@sJeZdZdZd dd„Zedd„ƒZedd„ƒZed d „ƒZedd„ƒZ dS)ÚScopedPolicyaŽ An entity constructing lists of what's `.enabled` and what's `.disabled` when the given scopes are active. >>> sp = ScopedPolicy(parse_line('cipher@TLS = RC4* NULL'), {'tls'}) >>> 'AES-256-GCM' in sp.disabled['cipher'] True >>> sp.enabled['cipher'] ['RC4-40', 'RC4-128', 'NULL'] >>> ScopedPolicy(parse_line('min_dh_size=2048')).integers['min_dh_size'] 2048 Ncs(|ptƒ}tjƒˆ_dd„tjDƒˆ_xæ|D]Þ‰tˆjƒ}|j |ƒr,ˆj tjkr^gˆjˆj <q,ˆj tjkrŽˆjˆj }ˆj|krŒ|jˆjƒq,ˆj tjkrÌˆjˆj }ˆj|kr¼|jˆjƒ|jdˆjƒq,ˆj tjkrü‡fdd„ˆjˆj Dƒˆjˆj <q,ˆjˆjˆj <q,W‡fdd„tjDƒˆ_dS)NcSsi|] }g|“qSrr)rrVrrrr >sz)ScopedPolicy.__init__..rcsg|]}|ˆjkr|‘qSr)ra)rÚe)Ú directiverrr8Rsz)ScopedPolicy.__init__..cs(i|] ‰‡‡fdd„tjˆDƒˆ“qS)csg|]}|ˆjˆkr|‘qSr)Úenabled)rrˆ)rVr1rrr8Zsz4ScopedPolicy.__init__...)rrY)r)r1)rVrr Zs)ÚsetrZÚcopyÚintegersrrYrŠr$r-rArdrErKrVrMraÚappendrLÚremoveÚinsertrNZdisabled)r1Ú directivesZrelevant_scopesZssrŠr)r‰r1rr3;s, $ zScopedPolicy.__init__cCstj|jdƒS)Nr{)rÚmin_tls_versionrŠ)r1rrrr’^szScopedPolicy.min_tls_versioncCstj|jdƒS)Nr{)rÚmax_tls_versionrŠ)r1rrrr“bszScopedPolicy.max_tls_versioncCstj|jdƒS)Nr{)rÚmin_dtls_versionrŠ)r1rrrr”fszScopedPolicy.min_dtls_versioncCstj|jdƒS)Nr{)rÚmax_dtls_versionrŠ)r1rrrr•jszScopedPolicy.max_dtls_version)N) rBrCrDrJr3Úpropertyr’r“r”r•rrrrr‡/s #r‡cCs@x,|D]$}tjj||ƒ}tj|tjƒr|SqWtj|||ƒ‚dS)N)ÚosÚpathr|ÚaccessÚR_OKrZPolicyFileNotFoundError)Ú policynameÚfnameÚpathsrmr2rrrÚlookup_fileqs ržc@sFeZdZdZdZddœdd„Zdd„Zdd d „Zddd „Zdd„Z dS)ÚUnscopedCryptoPolicyz/etc/crypto-policiesz/usr/share/crypto-policiesN)Ú policydircGsR||_dj|f|ƒ|_g|_|j|ƒ}x|D]}||j|dd7}q.W||_dS)Nú:T)Ú subpolicy)r r|r›ÚlinesÚread_policy_fileÚ_directives)r1Zpolicy_namer Zsubpolicy_namesr‘Zsubpolicy_namerrrr3€s zUnscopedCryptoPolicy.__init__cCs|jS)N)r¥)r1rrrÚis_empty‹szUnscopedCryptoPolicy.is_emptycCst|j|piƒS)N)r‡r¥)r1r<rrrÚscopedŽszUnscopedCryptoPolicy.scopedFc CsÊ|jpd}|rtjj|dƒ}t|||s*dndtjj|tjj|j|ƒtjj|j|ƒfƒ}t|ƒ}|j ƒ}WdQRXt |ƒ}|jdƒ}x|D]}t|ddqŒWx|D]}t|ƒq¦Wt dd „|DƒgƒS) NZpoliciesÚmodulesz.polz.pmodrqT)rkcSsg|]}t|ƒ‘qSr)ri)rrlrrrr8¥sz9UnscopedCryptoPolicy.read_policy_file..)r r—r˜r|ržÚcurdirÚ CONFIG_DIRÚ SHARE_DIRÚopenÚreadr†r.ror]) r1Únamer¢Zpdirr2Úfr‚r£rlrrrr¤‘s$ z%UnscopedCryptoPolicy.read_policy_filecCsdd„}|jƒ}d|j›d}|d7}|d7}|d7}|d7}|d7}|j|j–}x"|jƒD]\}}||||ƒ7}q\Wd }xvtjƒD]j\}} |j| d } | j| j–}xH|jƒD]<\}}|||kr®|sÒ|d7}d}|||›d |›|ƒ7}q®Wq„W|s|d7}|S)NcSs2t|tƒrdj|ƒnt|ƒ}|›d|›jƒdS)Nrxz = rq)Ú isinstancer€r|ÚstrÚrstrip)Úkeyrar7rrrÚfmt¨sz)UnscopedCryptoPolicy.__str__..fmtz # Policy z dump z# z?# Do not parse the contents of this file with automated tools, z.# it is provided for review convenience only. z"# Baseline values for all scopes: F)r<z9# Scope-specific properties derived for select backends: Trfz&# No scope-specific properties found. )r§r›rŠrr~ÚDUMPABLE_SCOPES)r1r´Zgeneric_scopedr7Zgeneric_allrVraZanything_scope_specificZ scope_nameZ scope_setZspecific_scopedZspecific_allrrrr6§s2 zUnscopedCryptoPolicy.__str__)N)F) rBrCrDrªr«r3r¦r§r¤r6rrrrrŸ{s rŸ)r rrr rrr)rrrrrrrrrrrrrrr r!r"r#)rVr-rdra)F)ÚcollectionsÚenumr9r—ryrjrwrrrZr>r0rµr$ÚEnumrErbÚ namedtuplercriroÚ FutureWarningrpr†r‡ržrŸrrrrÚsP3; LB