tls13-server-kx-neg: add test for GOST-enabled server and client
authorDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Tue, 3 Sep 2019 07:48:09 +0000 (10:48 +0300)
committerDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Wed, 18 Dec 2019 20:42:47 +0000 (23:42 +0300)
If both client and server have enabled TLS 1.3 and the GOST-CNT
ciphersuites, they should still negotiate a connection correctly, but
using TLS version 1.2.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
tests/tls13-server-kx-neg.c

index 1b52fb56a1fe0b60dc48f0f625f539275bf176a4..0c8a20979c7f489f79c2e964cdd2f4b01fdb1990 100644 (file)
@@ -223,7 +223,77 @@ test_case_st tests[] = {
                .server_prio = "NORMAL:-KX-ALL:+SRP:"PVERSION,
                .client_prio = "NORMAL:-KX-ALL:+SRP:"PVERSION,
                .exp_version = GNUTLS_TLS1_2,
-       }
+       },
+#ifdef ENABLE_GOST
+       {
+               .name = "TLS 1.3 server, TLS 1.2 client VKO-GOST-12 with cred and GOST-256 cert",
+               .server_ret = 0,
+               .client_ret = 0,
+               .have_cert_cred = 1,
+               .have_gost12_256_cert = 1,
+               .not_on_fips = 1,
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:" "-VERS-ALL:+VERS-TLS1.2",
+               .exp_version = GNUTLS_TLS1_2,
+       },
+       {
+               .name = "TLS 1.3 server, TLS 1.2 client VKO-GOST-12 with cred and GOST-512 cert",
+               .server_ret = 0,
+               .client_ret = 0,
+               .have_cert_cred = 1,
+               .have_gost12_512_cert = 1,
+               .not_on_fips = 1,
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:" "-VERS-ALL:+VERS-TLS1.2",
+               .exp_version = GNUTLS_TLS1_2,
+       },
+       {
+               .name = "TLS 1.2 server TLS 1.3 client VKO-GOST-12 with cred and GOST-256 cert",
+               .server_ret = 0,
+               .client_ret = 0,
+               .have_cert_cred = 1,
+               .have_gost12_256_cert = 1,
+               .not_on_fips = 1,
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:" "-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+               .exp_version = GNUTLS_TLS1_2,
+       },
+       {
+               .name = "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert",
+               .server_ret = 0,
+               .client_ret = 0,
+               .have_cert_cred = 1,
+               .have_gost12_512_cert = 1,
+               .not_on_fips = 1,
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:" "-VERS-ALL:+VERS-TLS1.2",
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+               .exp_version = GNUTLS_TLS1_2,
+       },
+       /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST
+        * but this is unsuppored for now */
+       {
+               .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-256 cert",
+               .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+               .client_ret = GNUTLS_E_AGAIN,
+               .have_cert_cred = 1,
+               .have_gost12_256_cert = 1,
+               .not_on_fips = 1,
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+               .exp_version = GNUTLS_TLS1_2,
+       },
+       {
+               .name = "TLS 1.3 server and client VKO-GOST-12 with cred and GOST-512 cert",
+               .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+               .client_ret = GNUTLS_E_AGAIN,
+               .have_cert_cred = 1,
+               .have_gost12_512_cert = 1,
+               .not_on_fips = 1,
+               .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+               .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:"PVERSION,
+               .exp_version = GNUTLS_TLS1_2,
+       },
+#endif
 };
 
 void doit(void)
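Review bot: The last two cases ("TLS 1.3 server and client VKO-GOST-12 ...", GOST-256 and GOST-512) expect `GNUTLS_E_NO_CIPHER_SUITES` on the server yet still set `.exp_version = GNUTLS_TLS1_2`, which reads as if a TLS 1.2 session were negotiated; the harness that consumes `exp_version` is outside this hunk, so presumably the field is ignored when the handshake fails. I would extend the comment above them to `/* Ideally the next two cases would fall back to TLS 1.2 + GOST; this is unsupported for now, so they pin the handshake failure and exp_version is not checked. */`, which also fixes the "unsuppored" typo and tells whoever implements the fallback that both entries must be flipped to a zero return. The fourth case's name, "TLS 1.2 server TLS 1.3 client with cred and GOST-512 cert", omits the `VKO-GOST-12` that its siblings carry, which makes a failing case harder to identify in test output. The long GOST priority prefix is repeated in twelve strings; a single macro used the same way as the existing `PVERSION` would keep one typo from silently changing what a case negotiates.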