Add a GOST test

Test that we never negotiate TLSv1.3 using GOST

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6650)

1 files changed, 91 insertions, 0 deletions

diff --git a/test/gosttest.c b/test/gosttest.c
new file mode 100644
index 0000000000..1a31a33962
--- /dev/null
+++ b/test/gosttest.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "ssltestlib.h"
+#include "testutil.h"
+#include "internal/nelem.h"
+
+static char *cert1 = NULL;
+static char *privkey1 = NULL;
+static char *cert2 = NULL;
+static char *privkey2 = NULL;
+
+static struct {
+    char *cipher;
+    int expected_prot;
+    int certnum;
+} ciphers[] = {
+    /* Server doesn't have a cert with appropriate sig algs - should fail */
+    {"AES128-SHA", 0, 0},
+    /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+    {"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 0},
+    /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+    {"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 1},
+    /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+    {"GOST2001-GOST89-GOST89", TLS1_2_VERSION, 0},
+};
+
+/* Test that we never negotiate TLSv1.3 if using GOST */
+static int test_tls13(int idx)
+{
+    SSL_CTX *cctx = NULL, *sctx = NULL;
+    SSL *clientssl = NULL, *serverssl = NULL;
+    int testresult = 0;
+
+    if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+                                       TLS_client_method(),
+                                       TLS1_VERSION,
+                                       TLS_MAX_VERSION,
+                                       &sctx, &cctx,
+                                       ciphers[idx].certnum == 0 ? cert1
+                                                                 : cert2,
+                                       ciphers[idx].certnum == 0 ? privkey1
+                                                                 : privkey2)))
+        goto end;
+
+    if (!TEST_true(SSL_CTX_set_cipher_list(cctx, ciphers[idx].cipher))
+            || !TEST_true(SSL_CTX_set_cipher_list(sctx, ciphers[idx].cipher))
+            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+                                             NULL, NULL)))
+        goto end;
+
+    if (ciphers[idx].expected_prot == 0) {
+        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
+                                              SSL_ERROR_NONE)))
+            goto end;
+    } else {
+        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+                                             SSL_ERROR_NONE))
+                || !TEST_int_eq(SSL_version(clientssl),
+                                ciphers[idx].expected_prot))
+        goto end;
+    }
+
+    testresult = 1;
+
+ end:
+    SSL_free(serverssl);
+    SSL_free(clientssl);
+    SSL_CTX_free(sctx);
+    SSL_CTX_free(cctx);
+
+    return testresult;
+}
+
+int setup_tests(void)
+{
+    if (!TEST_ptr(cert1 = test_get_argument(0))
+            || !TEST_ptr(privkey1 = test_get_argument(1))
+            || !TEST_ptr(cert2 = test_get_argument(2))
+            || !TEST_ptr(privkey2 = test_get_argument(3)))
+        return 0;
+
+    ADD_ALL_TESTS(test_tls13, OSSL_NELEM(ciphers));
+    return 1;
+}