From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date: Tue, 3 Sep 2019 07:48:09 +0000 (+0300)
Subject: tls13-server-kx-neg: add test for GOST-enabled server and client
X-Git-Tag: 3.6.12~55^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4dbf2b794308c23da8a3f132cc07372f2764f062;p=thirdparty%2Fgnutls.git

tls13-server-kx-neg: add test for GOST-enabled server and client

If both client and server have enabled TLS 1.3 and GOST-CNT
ciphersuites, they should correctly negotiate a connection, but using
TLS 1.2 version.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
---

diff --git a/tests/tls13-server-kx-neg.c b/tests/tls13-server-kx-neg.c
index 1b52fb56a1..0c8a20979c 100644
--- a/tests/tls13-server-kx-neg.c
+++ b/tests/tls13-server-kx-neg.c
@@ -223,7 +223,77 @@ test_case_st tests[] = {
 		.server_prio = "NORMAL:-KX-ALL:+SRP:"PVERSION,
 		.client_prio = "NORMAL:-KX-ALL:+SRP:"PVERSION,
 		.exp_version = GNUTLS_TLS1_2,
-	}
+	},
+#ifdef ENABLE_GOST
+	{
+		.name = "TLS 1.3 server, TLS 1.2 client VKO-GOST-12 with cred and GOST-256 cert",
+		.server_ret = 0,
+		.client_ret = 0,
+		.have_cert_cred = 1,
+		.have_gost12_256_cert = 1,
+		.not_on_fips = 1,
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:" "-VERS-ALL:+VERS-TLS1.2",
+		.exp_version = GNUTLS_TLS1_2,
+	},
+	{
+		.name = "TLS 1.3 server, TLS 1.2 client VKO-GOST-12 with cred and GOST-512 cert",
+		.server_ret = 0,
+		.client_ret = 0,
+		.have_cert_cred = 1,
+		.have_gost12_512_cert = 1,
+		.not_on_fips = 1,
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:" "-VERS-ALL:+VERS-TLS1.2",
+		.exp_version = GNUTLS_TLS1_2,
+	},
+	{
+		.name = "TLS 1.2 server TLS 1.3 client VKO-GOST-12 with cred and GOST-256 cert",
+		.server_ret = 0,
+		.client_ret = 0,
+		.have_cert_cred = 1,
+		.have_gost12_256_cert = 1,
+		.not_on_fips = 1,
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:" "-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+		.exp_version = GNUTLS_TLS1_2,
+	},
+	{
+		.name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert",
+		.server_ret = 0,
+		.client_ret = 0,
+		.have_cert_cred = 1,
+		.have_gost12_512_cert = 1,
+		.not_on_fips = 1,
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:" "-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+		.exp_version = GNUTLS_TLS1_2,
+	},
+	/* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST
+	 * but this is unsuppored for now */
+	{
+		.name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert",
+		.server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+		.client_ret = GNUTLS_E_AGAIN,
+		.have_cert_cred = 1,
+		.have_gost12_256_cert = 1,
+		.not_on_fips = 1,
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+		.exp_version = GNUTLS_TLS1_2,
+	},
+	{
+		.name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-512 cert",
+		.server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+		.client_ret = GNUTLS_E_AGAIN,
+		.have_cert_cred = 1,
+		.have_gost12_512_cert = 1,
+		.not_on_fips = 1,
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+		.exp_version = GNUTLS_TLS1_2,
+	},
+#endif
 };
 
 void doit(void)