diff options
| author | Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> | 2018-07-19 15:40:46 +0300 |
|---|---|---|
| committer | Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> | 2019-12-20 01:46:00 +0300 |
| commit | 2a6e87081ab811812f51ead52c4eef29baa6ba43 (patch) | |
| tree | c114e9cf2f194e4c2af68f71ac9bd674c382d1d0 | |
| parent | 8d81203c987e717031a6ecfa0a25983f4471d3fc (diff) | |
| download | gnutls-2a6e87081ab811812f51ead52c4eef29baa6ba43.tar.gz | |
gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
Add test for VKO-GOST-12, GOST28147-TC26Z-CNT and GOST28147-TC26Z-IMIT
support by the server.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| -rw-r--r-- | src/cli-debug.c | 10 | ||||
| -rw-r--r-- | src/tests.c | 86 | ||||
| -rw-r--r-- | src/tests.h | 6 | ||||
| -rwxr-xr-x | tests/gnutls-cli-debug.sh | 26 |
4 files changed, 123 insertions, 5 deletions
diff --git a/src/cli-debug.c b/src/cli-debug.c index 4a90edd2e2..06e47fd55e 100644 --- a/src/cli-debug.c +++ b/src/cli-debug.c @@ -159,6 +159,9 @@ static const TLS_TEST tls_tests[] = { {"for ephemeral EC Diffie-Hellman support", test_ecdhe, "yes", "no", "dunno"}, +#ifdef ENABLE_GOST + {"for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support", test_vko_gost_12, "yes", "no", "dunno"}, +#endif {"for curve SECP256r1 (RFC4492)", test_ecdhe_secp256r1, "yes", "no", "dunno"}, {"for curve SECP384r1 (RFC4492)", test_ecdhe_secp384r1, "yes", "no", "dunno"}, {"for curve SECP521r1 (RFC4492)", test_ecdhe_secp521r1, "yes", "no", "dunno"}, @@ -180,9 +183,16 @@ static const TLS_TEST tls_tests[] = { "dunno"}, {"for CHACHA20-POLY1305 cipher (RFC7905) support", test_chacha20, "yes", "no", "dunno"}, +#ifdef ENABLE_GOST + {"for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support", test_gost_cnt, "yes", "no", + "dunno"}, +#endif {"for MD5 MAC support", test_md5, "yes", "no", "dunno"}, {"for SHA1 MAC support", test_sha, "yes", "no", "dunno"}, {"for SHA256 MAC support", test_sha256, "yes", "no", "dunno"}, +#ifdef ENABLE_GOST + {"for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support", test_gost_imit, "yes", "no", "dunno"}, +#endif {"for max record size (RFC6066) support", test_max_record_size, "yes", "no", "dunno"}, #ifdef ENABLE_OCSP diff --git a/src/tests.c b/src/tests.c index e73372f7af..9b608119f5 100644 --- a/src/tests.c +++ b/src/tests.c @@ -112,15 +112,27 @@ char protocol_str[] = "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0"; char protocol_all_str[] = "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0"; -char prio_str[512] = ""; +char prio_str[768] = ""; -#define ALL_CIPHERS "+CIPHER-ALL:+ARCFOUR-128:+3DES-CBC" +#ifdef ENABLE_GOST +#define GOST_CIPHERS ":+GOST28147-TC26Z-CNT" +#define GOST_MACS ":+GOST28147-TC26Z-IMIT" +#define GOST_KX ":+VKO-GOST-12" +#define GOST_REST ":+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:+GROUP-GOST-ALL" +#else +#define GOST_CIPHERS +#define GOST_MACS +#define GOST_KX +#define GOST_REST +#endif + +#define ALL_CIPHERS "+CIPHER-ALL:+ARCFOUR-128:+3DES-CBC" GOST_CIPHERS #define BLOCK_CIPHERS "+3DES-CBC:+AES-128-CBC:+CAMELLIA-128-CBC:+AES-256-CBC:+CAMELLIA-256-CBC" #define ALL_COMP "+COMP-NULL" -#define ALL_MACS "+MAC-ALL:+MD5:+SHA1" -#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH" +#define ALL_MACS "+MAC-ALL:+MD5:+SHA1" GOST_MACS +#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH" GOST_KX #define INIT_STR "NONE:" -char rest[128] = "%UNSAFE_RENEGOTIATION:+SIGN-ALL:+GROUP-ALL"; +char rest[384] = "%UNSAFE_RENEGOTIATION:+SIGN-ALL:+GROUP-ALL" GOST_REST; #define _gnutls_priority_set_direct(s, str) __gnutls_priority_set_direct(s, str, __LINE__) @@ -249,6 +261,31 @@ test_code_t test_ecdhe(gnutls_session_t session) return ret; } +#ifdef ENABLE_GOST +test_code_t test_vko_gost_12(gnutls_session_t session) +{ + int ret; + + if (tls_ext_ok == 0) + return TEST_IGNORE; + + sprintf(prio_str, INIT_STR + ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS + ":+VKO-GOST-12:%s", protocol_all_str, + rest); + _gnutls_priority_set_direct(session, prio_str); + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = test_do_handshake(session); + + if (ret < 0) + return TEST_FAILED; + + return ret; +} +#endif + test_code_t test_rsa(gnutls_session_t session) { int ret; @@ -801,6 +838,26 @@ test_code_t test_sha256(gnutls_session_t session) return ret; } +#ifdef ENABLE_GOST +test_code_t test_gost_imit(gnutls_session_t session) +{ + int ret; + + if (gnutls_fips140_mode_enabled()) + return TEST_IGNORE; + + sprintf(prio_str, + INIT_STR ALL_CIPHERS ":" ALL_COMP + ":%s:+GOST28147-TC26Z-IMIT:" ALL_KX ":%s", + protocol_all_str, rest); + _gnutls_priority_set_direct(session, prio_str); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = test_do_handshake(session); + return ret; +} +#endif + test_code_t test_3des(gnutls_session_t session) { int ret; @@ -849,6 +906,25 @@ test_code_t test_chacha20(gnutls_session_t session) return ret; } +#ifdef ENABLE_GOST +test_code_t test_gost_cnt(gnutls_session_t session) +{ + int ret; + + if (gnutls_fips140_mode_enabled()) + return TEST_IGNORE; + + sprintf(prio_str, + INIT_STR "+GOST28147-TC26Z-CNT:" ALL_COMP ":%s:" + ALL_MACS ":" ALL_KX ":%s", protocol_str, rest); + _gnutls_priority_set_direct(session, prio_str); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = test_do_handshake(session); + return ret; +} +#endif + test_code_t test_tls1(gnutls_session_t session) { int ret; diff --git a/src/tests.h b/src/tests.h index 80c590585d..a8326019ca 100644 --- a/src/tests.h +++ b/src/tests.h @@ -87,4 +87,10 @@ test_code_t test_aes_ccm(gnutls_session_t session); test_code_t test_aes_ccm_8(gnutls_session_t session); test_code_t test_sha256(gnutls_session_t session); +#ifdef ENABLE_GOST +test_code_t test_vko_gost_12(gnutls_session_t session); +test_code_t test_gost_cnt(gnutls_session_t session); +test_code_t test_gost_imit(gnutls_session_t session); +#endif + #endif /* GNUTLS_SRC_TESTS_H */ diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh index 1f047e870c..51f77bb565 100755 --- a/tests/gnutls-cli-debug.sh +++ b/tests/gnutls-cli-debug.sh @@ -56,6 +56,8 @@ KEY2=${srcdir}/../doc/credentials/x509/key-ecc.pem CERT2=${srcdir}/../doc/credentials/x509/cert-ecc.pem KEY3=${srcdir}/../doc/credentials/x509/key-rsa-pss.pem CERT3=${srcdir}/../doc/credentials/x509/cert-rsa-pss.pem +KEY4=${srcdir}/../doc/credentials/x509/key-gost12.pem +CERT4=${srcdir}/../doc/credentials/x509/cert-gost12.pem CAFILE=${srcdir}/../doc/credentials/x509/ca.pem TMPFILE=outcert.$$.tmp @@ -169,4 +171,28 @@ check_text "for RSA key exchange support... no" rm -f ${OUTFILE} +if test "${ENABLE_GOST}" = "1" && test "${GNUTLS_FORCE_FIPS_MODE}" != 1 ; then + # GOST_CNT test + echo "" + echo "Checking output of gnutls-cli-debug for GOST-enabled server" + + eval "${GETPORT}" + launch_server $$ --echo --priority "NORMAL" --x509keyfile ${KEY4} --x509certfile ${CERT4} >/dev/null 2>&1 + PID=$! + wait_server ${PID} + + timeout 1800 datefudge "2017-08-9" \ + "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} + wait + + check_text "for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support... yes" + check_text "for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... yes" + check_text "for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... yes" + + rm -f ${OUTFILE} + +fi + exit 0 |