author | Matt Caswell <matt@openssl.org> | 2018-07-13 16:11:46 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-07-13 18:14:43 +0100 |
commit | 1e839545803107b230a8177875de5994f85984de (patch) | |
tree | 85ccaf345b3d507ac44dc5de7df2991599090154 /test/gosttest.c | |
parent | baa45c3e74e1202eb963d22821ed87c097506b05 (diff) |
Add a GOST test
Test that we never negotiate TLSv1.3 using GOST
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6650)
Diffstat (limited to 'test/gosttest.c')
-rw-r--r-- | test/gosttest.c | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/test/gosttest.c b/test/gosttest.c
new file mode 100644
index 0000000000..1a31a33962
--- /dev/null
+++ b/test/gosttest.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "ssltestlib.h"
+#include "testutil.h"
+#include "internal/nelem.h"
+
+static char *cert1 = NULL;
+static char *privkey1 = NULL;
+static char *cert2 = NULL;
+static char *privkey2 = NULL;
+
+static struct {
+ char *cipher;
+ int expected_prot;
+ int certnum;
+} ciphers[] = {
+ /* Server doesn't have a cert with appropriate sig algs - should fail */
+ {"AES128-SHA", 0, 0},
+ /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+ {"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 0},
+ /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+ {"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 1},
+ /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+ {"GOST2001-GOST89-GOST89", TLS1_2_VERSION, 0},
+};
+
+/* Test that we never negotiate TLSv1.3 if using GOST */
+static int test_tls13(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ TLS1_VERSION,
+ TLS_MAX_VERSION,
+ &sctx, &cctx,
+ ciphers[idx].certnum == 0 ? cert1
+ : cert2,
+ ciphers[idx].certnum == 0 ? privkey1
+ : privkey2)))
+ goto end;
+
+ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, ciphers[idx].cipher))
+ || !TEST_true(SSL_CTX_set_cipher_list(sctx, ciphers[idx].cipher))
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (ciphers[idx].expected_prot == 0) {
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+ } else {
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE))
+ || !TEST_int_eq(SSL_version(clientssl),
+ ciphers[idx].expected_prot))
+ goto end;
+ }
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+
+int setup_tests(void)
+{
+ if (!TEST_ptr(cert1 = test_get_argument(0))
+ || !TEST_ptr(privkey1 = test_get_argument(1))
+ || !TEST_ptr(cert2 = test_get_argument(2))
+ || !TEST_ptr(privkey2 = test_get_argument(3)))
+ return 0;
+
+ ADD_ALL_TESTS(test_tls13, OSSL_NELEM(ciphers));
+ return 1;
+} |
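Review bot: The GOST rows of ciphers[] make test_tls13 fail rather than skip when the GOST algorithms are unavailable: SSL_CTX_set_cipher_list() is wrapped in TEST_true, and it returns 0 when nothing in the list is usable, so a run without a loaded GOST engine records three failures for what is really a missing prerequisite. The test recipe presumably gates on the engine, but a comment above ciphers[] such as `/* GOST suites need a loaded GOST engine; the recipe must skip this test otherwise */` would make that dependency visible in the file itself. The positive branch checks only the client's negotiated version; adding `|| !TEST_int_eq(SSL_version(serverssl), ciphers[idx].expected_prot)` after the clientssl check pins the server side as well, which is the side the "never negotiate TLSv1.3" claim is really about. Every entry points at a string literal, so `const char *cipher;` is the correct declaration for the table field.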