REDROOM

Edit File Size: 2.23 KB

/usr/share/crypto-policies/python/policygenerators/bind.py

Text Base64

# SPDX-License-Identifier: LGPL-2.1-or-later

from subprocess import check_output, CalledProcessError
from tempfile import mkstemp
import os

from .configgenerator import ConfigGenerator

class BindGenerator(ConfigGenerator):
	CONFIG_NAME = 'bind'
	SCOPES = {'dnssec', 'bind'}

RELOAD_CMD = 'systemctl try-reload-or-restart bind.service 2>/dev/null || :\n'

sign_not_map = {
		'DSA-SHA1': ('DSA', 'NSEC3DSA'),
		'RSA-SHA1': ('RSASHA1', 'NSEC3RSASHA1'),
		'RSA-SHA2-256': ('RSASHA256',),
		'RSA-SHA2-512': ('RSASHA512',),
		'ECDSA-SHA2-256': ('ECDSAP256SHA256',),  # + custom handling below
		'ECDSA-SHA2-384': ('ECDSAP384SHA384',),  # + custom handling below
		'EDDSA-ED25519': ('ED25519',),
		'EDDSA-ED448': ('ED448',),
	}

hash_not_map = {
		'SHA1': 'SHA-1',
		'SHA2-256': 'SHA-256',
		'SHA2-384': 'SHA-384',
		'GOST': 'GOST',
	}

@classmethod
	def generate_config(cls, policy):
		ip = policy.disabled
		s = ''

s += 'disable-algorithms "." {\n'
		s += 'RSAMD5;\n'  # deprecated, disabled unconditionally
		s += 'ECCGOST;\n'  # deprecated, disabled unconditionally, no such knob
		for i in ip['sign']:
			try:
				for disabled_sign in cls.sign_not_map[i]:
					s += f'{disabled_sign};\n'
			except KeyError:
				pass
		if 'ECDSA-SHA256' not in ip['sign'] and 'SECP256R1' in ip['group']:
			s += 'ECDSAP256SHA256;\n'  # additionally disabled on lack of P-256
		if 'ECDSA-SHA384' not in ip['sign'] and 'SECP384R1' in ip['group']:
			s += 'ECDSAP384SHA384;\n'  # additionally disabled on lack of P-384
		s += '};\n'

s += 'disable-ds-digests "." {\n'
		for i in ip['hash']:
			try:
				s += f'{cls.hash_not_map[i]};\n'
			except KeyError:
				pass
		s += '};\n'

return s

@classmethod
	def test_config(cls, config):
		fd, path = mkstemp()

try:
			with os.fdopen(fd, 'w') as f:
				f.write('options {\n')
				f.write(config)
				f.write('\n};\n')
			try:
				_ = check_output(["/usr/sbin/named-checkconf", path])
			except CalledProcessError:
				cls.eprint("There is an error in bind generated policy")
				cls.eprint("Policy:\n%s" % config)
				return False
			except OSError:
				# Ignore missing check command
				pass
		finally:
			os.unlink(path)

return True

Exit & Reset Text mode: syntax highlighting auto-detects file type.

Name	Size	Perms	Modified	Actions
__pycache__ DIR	-	drwxr-xr-x	2024-08-07 14:15:57	Edit Download recursive recursive
bind.py	2.23 KB	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive
configgenerator.py	401 B	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive
gnutls.py	5.47 KB	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive
java.py	3.58 KB	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive
krb5.py	1.61 KB	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive
libreswan.py	4.71 KB	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive
libssh.py	4.01 KB	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive
nss.py	4.79 KB	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive
openssh.py	8.18 KB	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive
openssl.py	5.46 KB	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive
__init__.py	837 B	lrw-r--r--	2023-08-01 15:18:06	Edit Download recursive recursive

Directory Contents