1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
/*
* Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "ssltestlib.h"
#include "testutil.h"
#include "internal/nelem.h"
static char *cert1 = NULL;
static char *privkey1 = NULL;
static char *cert2 = NULL;
static char *privkey2 = NULL;
static struct {
char *cipher;
int expected_prot;
int certnum;
} ciphers[] = {
/* Server doesn't have a cert with appropriate sig algs - should fail */
{"AES128-SHA", 0, 0},
/* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
{"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 0},
/* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
{"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 1},
/* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
{"IANA-GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 0},
/* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
{"IANA-GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 1},
/* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
{"LEGACY-GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 0},
/* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
{"LEGACY-GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 1},
/* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
{"GOST2001-GOST89-GOST89", TLS1_2_VERSION, 0},
};
/* Test that we never negotiate TLSv1.3 if using GOST */
static int test_tls13(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
0,
&sctx, &cctx,
ciphers[idx].certnum == 0 ? cert1
: cert2,
ciphers[idx].certnum == 0 ? privkey1
: privkey2)))
goto end;
if (!TEST_true(SSL_CTX_set_cipher_list(cctx, ciphers[idx].cipher))
|| !TEST_true(SSL_CTX_set_cipher_list(sctx, ciphers[idx].cipher))
|| !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL)))
goto end;
if (ciphers[idx].expected_prot == 0) {
if (!TEST_false(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE)))
goto end;
} else {
if (!TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE))
|| !TEST_int_eq(SSL_version(clientssl),
ciphers[idx].expected_prot))
goto end;
}
testresult = 1;
end:
SSL_free(serverssl);
SSL_free(clientssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
return testresult;
}
OPT_TEST_DECLARE_USAGE("certfile1 privkeyfile1 certfile2 privkeyfile2\n")
int setup_tests(void)
{
if (!test_skip_common_options()) {
TEST_error("Error parsing test options\n");
return 0;
}
if (!TEST_ptr(cert1 = test_get_argument(0))
|| !TEST_ptr(privkey1 = test_get_argument(1))
|| !TEST_ptr(cert2 = test_get_argument(2))
|| !TEST_ptr(privkey2 = test_get_argument(3)))
return 0;
ADD_ALL_TESTS(test_tls13, OSSL_NELEM(ciphers));
return 1;
}
|