{"for ephemeral EC Diffie-Hellman support", test_ecdhe, "yes",
"no",
"dunno"},
+#ifdef ENABLE_GOST
+ {"for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support", test_vko_gost_12, "yes", "no", "dunno"},
+#endif
{"for curve SECP256r1 (RFC4492)", test_ecdhe_secp256r1, "yes", "no", "dunno"},
{"for curve SECP384r1 (RFC4492)", test_ecdhe_secp384r1, "yes", "no", "dunno"},
{"for curve SECP521r1 (RFC4492)", test_ecdhe_secp521r1, "yes", "no", "dunno"},
"dunno"},
{"for CHACHA20-POLY1305 cipher (RFC7905) support", test_chacha20, "yes", "no",
"dunno"},
+#ifdef ENABLE_GOST
+ {"for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support", test_gost_cnt, "yes", "no",
+ "dunno"},
+#endif
{"for MD5 MAC support", test_md5, "yes", "no", "dunno"},
{"for SHA1 MAC support", test_sha, "yes", "no", "dunno"},
{"for SHA256 MAC support", test_sha256, "yes", "no", "dunno"},
+#ifdef ENABLE_GOST
+ {"for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support", test_gost_imit, "yes", "no", "dunno"},
+#endif
{"for max record size (RFC6066) support", test_max_record_size, "yes",
"no", "dunno"},
#ifdef ENABLE_OCSP
"+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
char protocol_all_str[] =
"+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
-char prio_str[512] = "";
+char prio_str[768] = "";
-#define ALL_CIPHERS "+CIPHER-ALL:+ARCFOUR-128:+3DES-CBC"
+#ifdef ENABLE_GOST
+#define GOST_CIPHERS ":+GOST28147-TC26Z-CNT"
+#define GOST_MACS ":+GOST28147-TC26Z-IMIT"
+#define GOST_KX ":+VKO-GOST-12"
+#define GOST_REST ":+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:+GROUP-GOST-ALL"
+#else
+#define GOST_CIPHERS
+#define GOST_MACS
+#define GOST_KX
+#define GOST_REST
+#endif
+
+#define ALL_CIPHERS "+CIPHER-ALL:+ARCFOUR-128:+3DES-CBC" GOST_CIPHERS
#define BLOCK_CIPHERS "+3DES-CBC:+AES-128-CBC:+CAMELLIA-128-CBC:+AES-256-CBC:+CAMELLIA-256-CBC"
#define ALL_COMP "+COMP-NULL"
-#define ALL_MACS "+MAC-ALL:+MD5:+SHA1"
-#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH"
+#define ALL_MACS "+MAC-ALL:+MD5:+SHA1" GOST_MACS
+#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH" GOST_KX
#define INIT_STR "NONE:"
-char rest[128] = "%UNSAFE_RENEGOTIATION:+SIGN-ALL:+GROUP-ALL";
+char rest[384] = "%UNSAFE_RENEGOTIATION:+SIGN-ALL:+GROUP-ALL" GOST_REST;
#define _gnutls_priority_set_direct(s, str) __gnutls_priority_set_direct(s, str, __LINE__)
return ret;
}
+#ifdef ENABLE_GOST
+test_code_t test_vko_gost_12(gnutls_session_t session)
+{
+ int ret;
+
+ if (tls_ext_ok == 0)
+ return TEST_IGNORE;
+
+ sprintf(prio_str, INIT_STR
+ ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS
+ ":+VKO-GOST-12:%s", protocol_all_str,
+ rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake(session);
+
+ if (ret < 0)
+ return TEST_FAILED;
+
+ return ret;
+}
+#endif
+
test_code_t test_rsa(gnutls_session_t session)
{
int ret;
return ret;
}
+#ifdef ENABLE_GOST
+test_code_t test_gost_imit(gnutls_session_t session)
+{
+ int ret;
+
+ if (gnutls_fips140_mode_enabled())
+ return TEST_IGNORE;
+
+ sprintf(prio_str,
+ INIT_STR ALL_CIPHERS ":" ALL_COMP
+ ":%s:+GOST28147-TC26Z-IMIT:" ALL_KX ":%s",
+ protocol_all_str, rest);
+ _gnutls_priority_set_direct(session, prio_str);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake(session);
+ return ret;
+}
+#endif
+
test_code_t test_3des(gnutls_session_t session)
{
int ret;
return ret;
}
+#ifdef ENABLE_GOST
+test_code_t test_gost_cnt(gnutls_session_t session)
+{
+ int ret;
+
+ if (gnutls_fips140_mode_enabled())
+ return TEST_IGNORE;
+
+ sprintf(prio_str,
+ INIT_STR "+GOST28147-TC26Z-CNT:" ALL_COMP ":%s:"
+ ALL_MACS ":" ALL_KX ":%s", protocol_str, rest);
+ _gnutls_priority_set_direct(session, prio_str);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake(session);
+ return ret;
+}
+#endif
+
test_code_t test_tls1(gnutls_session_t session)
{
int ret;
test_code_t test_aes_ccm_8(gnutls_session_t session);
test_code_t test_sha256(gnutls_session_t session);
+#ifdef ENABLE_GOST
+test_code_t test_vko_gost_12(gnutls_session_t session);
+test_code_t test_gost_cnt(gnutls_session_t session);
+test_code_t test_gost_imit(gnutls_session_t session);
+#endif
+
#endif /* GNUTLS_SRC_TESTS_H */
CERT2=${srcdir}/../doc/credentials/x509/cert-ecc.pem
KEY3=${srcdir}/../doc/credentials/x509/key-rsa-pss.pem
CERT3=${srcdir}/../doc/credentials/x509/cert-rsa-pss.pem
+KEY4=${srcdir}/../doc/credentials/x509/key-gost12.pem
+CERT4=${srcdir}/../doc/credentials/x509/cert-gost12.pem
CAFILE=${srcdir}/../doc/credentials/x509/ca.pem
TMPFILE=outcert.$$.tmp
rm -f ${OUTFILE}
+if test "${ENABLE_GOST}" = "1" && test "${GNUTLS_FORCE_FIPS_MODE}" != 1 ; then
+ # GOST_CNT test
+ echo ""
+ echo "Checking output of gnutls-cli-debug for GOST-enabled server"
+
+ eval "${GETPORT}"
+ launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY4} --x509certfile ${CERT4} >/dev/null 2>&1
+ PID=$!
+ wait_server ${PID}
+
+ timeout 1800 datefudge "2017-08-9" \
+ "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
+
+ kill ${PID}
+ wait
+
+ check_text "for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... yes"
+ check_text "for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... yes"
+ check_text "for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... yes"
+
+ rm -f ${OUTFILE}
+
+fi
+
exit 0
projects / thirdparty / gnutls.git / commitdiff
