priority: add more GOST shortcuts

Add shortcuts for GOST ciphers, MACs and KXes. For now they contain only
one item, but this list will be expanded as support for GOST-CTR-ACPKM
ciphersuites will be added.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

5 files changed, 84 insertions, 44 deletions

diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index f734ca79bc..47fd3bca65 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1422,18 +1422,21 @@ appended with an algorithm will add this algorithm.
 @item Ciphers @tab
 Examples are AES-128-GCM, AES-256-GCM, AES-256-CBC, GOST28147-TC26Z-CNT; see also
 @ref{tab:ciphers} for more options. Catch all name is CIPHER-ALL which will add
-all the algorithms from NORMAL priority.
+all the algorithms from NORMAL priority. The shortcut for secure GOST
+algorithms is CIPHER-GOST-ALL.
 
 @item Key exchange @tab
 RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS,
 PSK, DHE-PSK, ECDHE-PSK, ECDHE-RSA, ECDHE-ECDSA, VKO-GOST-12, ANON-ECDH, ANON-DH.
 Catch all name is KX-ALL which will add all the algorithms from NORMAL
 priority. Under TLS1.3, the DHE-PSK and ECDHE-PSK strings are equivalent
-and instruct for a Diffie-Hellman key exchange using the enabled groups.
+and instruct for a Diffie-Hellman key exchange using the enabled groups. The
+shortcut for secure GOST algorithms is KX-GOST-ALL.
 
 @item MAC @tab
 MD5, SHA1, SHA256, SHA384, GOST28147-TC26Z-IMIT, AEAD (used with
-GCM ciphers only). All algorithms from NORMAL priority can be accessed with MAC-ALL.
+GCM ciphers only). All algorithms from NORMAL priority can be accessed with
+MAC-ALL. The shortcut for secure GOST algorithms is MAC-GOST-ALL.
 
 @item Compression algorithms @tab
 COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
diff --git a/lib/priority.c b/lib/priority.c
index 102fc11e6b..7b34ae9e52 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -297,6 +297,11 @@ static const int _kx_priority_secure[] = {
 };
 static const int* kx_priority_secure = _kx_priority_secure;
 
+static const int _kx_priority_gost[] = {
+	GNUTLS_KX_VKO_GOST_12,
+};
+static const int* kx_priority_gost = _kx_priority_gost;
+
 static const int _cipher_priority_performance_default[] = {
 	GNUTLS_CIPHER_AES_128_GCM,
 	GNUTLS_CIPHER_AES_256_GCM,
@@ -507,6 +512,18 @@ static const int *cipher_priority_performance = _cipher_priority_performance_def
 static const int *cipher_priority_normal = _cipher_priority_normal_default;
 static const int *mac_priority_normal = mac_priority_normal_default;
 
+static const int _cipher_priority_gost[] = {
+	GNUTLS_CIPHER_GOST28147_TC26Z_CNT,
+	0
+};
+static const int *cipher_priority_gost = _cipher_priority_gost;
+
+static const int _mac_priority_gost[] = {
+	GNUTLS_MAC_GOST28147_TC26Z_IMIT,
+	0
+};
+static const int *mac_priority_gost = _mac_priority_gost;
+
 /* if called with replace the default priorities with the FIPS140 ones */
 void _gnutls_priority_update_fips(void)
 {
@@ -2168,18 +2185,38 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 						goto error;
 				}
 			} else if (c_strncasecmp
-				(&broken_list[i][1], "MAC-ALL", 7) == 0) {
-				bulk_fn(&(*priority_cache)->_mac,
-					mac_priority_normal);
+				 (&broken_list[i][1], "MAC-", 4) == 0) {
+				if (c_strncasecmp
+				    (&broken_list[i][1], "MAC-ALL", 7) == 0) {
+					bulk_fn(&(*priority_cache)->_mac,
+							mac_priority_normal);
+				} else if (c_strncasecmp
+				    (&broken_list[i][1], "MAC-GOST-ALL", 12) == 0) {
+					bulk_fn(&(*priority_cache)->_mac,
+							mac_priority_gost);
+				}
 			} else if (c_strncasecmp
-				(&broken_list[i][1], "CIPHER-ALL",
-				 10) == 0) {
-				bulk_fn(&(*priority_cache)->_cipher,
-					cipher_priority_normal);
+				 (&broken_list[i][1], "CIPHER-", 7) == 0) {
+				if (c_strncasecmp
+				    (&broken_list[i][1], "CIPHER-ALL", 10) == 0) {
+					bulk_fn(&(*priority_cache)->_cipher,
+							cipher_priority_normal);
+				} else if (c_strncasecmp
+				    (&broken_list[i][1], "CIPHER-GOST-ALL", 15) == 0) {
+					bulk_fn(&(*priority_cache)->_cipher,
+							cipher_priority_gost);
+				}
 			} else if (c_strncasecmp
-				(&broken_list[i][1], "KX-ALL", 6) == 0) {
-				bulk_fn(&(*priority_cache)->_kx,
-					kx_priority_secure);
+				 (&broken_list[i][1], "KX-", 3) == 0) {
+				if (c_strncasecmp
+				    (&broken_list[i][1], "KX-ALL", 6) == 0) {
+					bulk_fn(&(*priority_cache)->_kx,
+							kx_priority_secure);
+				} else if (c_strncasecmp
+				    (&broken_list[i][1], "KX-GOST-ALL", 11) == 0) {
+					bulk_fn(&(*priority_cache)->_kx,
+							kx_priority_gost);
+				}
 			} else
 				goto error;
 		} else if (broken_list[i][0] == '%') {
diff --git a/tests/tls12-cert-key-exchange.c b/tests/tls12-cert-key-exchange.c
index 1271bb3501..862fe85894 100644
--- a/tests/tls12-cert-key-exchange.c
+++ b/tests/tls12-cert-key-exchange.c
@@ -155,10 +155,10 @@ void doit(void)
 		server_priority = "NORMAL:+CTYPE-ALL"
 			":+VKO-GOST-12"
 			":+GROUP-GOST-ALL"
-			":+GOST28147-TC26Z-CNT"
-			":+GOST28147-TC26Z-IMIT"
+			":+CIPHER-GOST-ALL"
+			":+MAC-GOST-ALL"
 			":+SIGN-GOST-ALL";
-		const char *gost_client_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL";
+		const char *gost_client_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL";
 		try_with_key("TLS 1.2 with gost12 256 no-cli-cert (ctype X.509)", gost_client_prio, GNUTLS_KX_VKO_GOST_12, GNUTLS_SIGN_GOST_256, GNUTLS_SIGN_UNKNOWN,
 			&server_ca3_gost12_256_cert, &server_ca3_gost12_256_key, NULL, NULL, 0, GNUTLS_CRT_X509, GNUTLS_CRT_UNKNOWN);
 		try_with_key("TLS 1.2 with gost12 256 ask cli-cert (ctype X.509)", gost_client_prio, GNUTLS_KX_VKO_GOST_12, GNUTLS_SIGN_GOST_256, GNUTLS_SIGN_UNKNOWN,
diff --git a/tests/tls12-server-kx-neg.c b/tests/tls12-server-kx-neg.c
index 4ae49b226c..e3a2de363a 100644
--- a/tests/tls12-server-kx-neg.c
+++ b/tests/tls12-server-kx-neg.c
@@ -469,8 +469,8 @@ test_case_st tests[] = {
 		.client_ret = GNUTLS_E_AGAIN,
 		.server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
 		.name = "TLS 1.2 VKO-GOST-12 with cred but no cert",
@@ -478,8 +478,8 @@ test_case_st tests[] = {
 		.server_ret = GNUTLS_E_NO_CIPHER_SUITES,
 		.have_cert_cred = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
 		.name = "TLS 1.2 VKO-GOST-12 with cred but no GOST cert",
@@ -489,8 +489,8 @@ test_case_st tests[] = {
 		.have_rsa_sign_cert = 1,
 		.have_rsa_decrypt_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
 		.name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert",
@@ -499,8 +499,8 @@ test_case_st tests[] = {
 		.have_cert_cred = 1,
 		.have_gost12_256_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
 		.name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert",
@@ -509,8 +509,8 @@ test_case_st tests[] = {
 		.have_cert_cred = 1,
 		.have_gost12_512_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
 		.name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs",
@@ -523,8 +523,8 @@ test_case_st tests[] = {
 		.have_gost12_256_cert = 1,
 		.have_gost12_512_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
 		.name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert client lacking signature algs (like SChannel)",
@@ -533,8 +533,8 @@ test_case_st tests[] = {
 		.have_cert_cred = 1,
 		.have_gost12_256_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-		.client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+VERS-TLS1.2:+SIGN-RSA-SHA256"
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+VERS-TLS1.2:+SIGN-RSA-SHA256"
 	},
 	{
 		.name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert client lacking signature algs (like SChannel)",
@@ -543,8 +543,8 @@ test_case_st tests[] = {
 		.have_cert_cred = 1,
 		.have_gost12_512_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
-		.client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+VERS-TLS1.2:+SIGN-RSA-SHA256"
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+VERS-TLS1.2:+SIGN-RSA-SHA256"
 	},
 #endif
 };
diff --git a/tests/tls13-server-kx-neg.c b/tests/tls13-server-kx-neg.c
index 91651a80a0..a4cca3faaf 100644
--- a/tests/tls13-server-kx-neg.c
+++ b/tests/tls13-server-kx-neg.c
@@ -232,8 +232,8 @@ test_case_st tests[] = {
 		.have_cert_cred = 1,
 		.have_gost12_256_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
 		.exp_version = GNUTLS_TLS1_2,
 	},
 	{
@@ -243,8 +243,8 @@ test_case_st tests[] = {
 		.have_cert_cred = 1,
 		.have_gost12_512_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
 		.exp_version = GNUTLS_TLS1_2,
 	},
 	{
@@ -254,8 +254,8 @@ test_case_st tests[] = {
 		.have_cert_cred = 1,
 		.have_gost12_256_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
 		.exp_version = GNUTLS_TLS1_2,
 	},
 	{
@@ -265,8 +265,8 @@ test_case_st tests[] = {
 		.have_cert_cred = 1,
 		.have_gost12_512_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
 		.exp_version = GNUTLS_TLS1_2,
 	},
 	/* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST
@@ -278,8 +278,8 @@ test_case_st tests[] = {
 		.have_cert_cred = 1,
 		.have_gost12_256_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
 		.exp_version = GNUTLS_TLS1_2,
 	},
 	{
@@ -289,8 +289,8 @@ test_case_st tests[] = {
 		.have_cert_cred = 1,
 		.have_gost12_512_cert = 1,
 		.not_on_fips = 1,
-		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
-		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+		.server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+		.client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
 		.exp_version = GNUTLS_TLS1_2,
 	},
 #endif