diff options
author | Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> | 2017-10-09 07:17:59 +0300 |
---|---|---|
committer | Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> | 2017-10-10 18:37:55 +0300 |
commit | ca34d2cc051edab433865610c50c2fc4df3c78fc (patch) | |
tree | 8e01d60e098933a3c4a3505926825f8810587440 | |
parent | 1726f39454021b149f645544af9f5151332ab7ca (diff) | |
download | gnutls-tmp-gost-review.tar.gz |
tests: added testcases for ciphersuite/KX negotiation with VKO-GOSTtmp-gost-review
This verifies whether the ciphersuite negotiation will detect and
reject incompatible data present in credentials.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
-rw-r--r-- | tests/server-kx-neg-common.c | 15 | ||||
-rw-r--r-- | tests/tls10-server-kx-neg.c | 146 | ||||
-rw-r--r-- | tests/tls11-server-kx-neg.c | 146 | ||||
-rw-r--r-- | tests/tls12-server-kx-neg.c | 146 |
4 files changed, 453 insertions, 0 deletions
diff --git a/tests/server-kx-neg-common.c b/tests/server-kx-neg-common.c index de4c7ad91a..b710e8569e 100644 --- a/tests/server-kx-neg-common.c +++ b/tests/server-kx-neg-common.c @@ -38,6 +38,9 @@ typedef struct test_case_st { unsigned have_ecc_sign_cert; unsigned have_ed25519_sign_cert; unsigned have_rsa_decrypt_cert; + unsigned have_gost01_cert; + unsigned have_gost12_256_cert; + unsigned have_gost12_512_cert; unsigned not_on_fips; const char *client_prio; const char *server_prio; @@ -208,6 +211,18 @@ static void try(test_case_st *test) assert(gnutls_certificate_set_x509_key_mem(s_cert_cred, &server_ca3_localhost_rsa_sign_cert, &server_ca3_key, GNUTLS_X509_FMT_PEM) >= 0); } + if (test->have_gost01_cert) { + assert(gnutls_certificate_set_x509_key_mem(s_cert_cred, &server_ca3_gost01_cert, &server_ca3_gost01_key, GNUTLS_X509_FMT_PEM) >= 0); + } + + if (test->have_gost12_256_cert) { + assert(gnutls_certificate_set_x509_key_mem(s_cert_cred, &server_ca3_gost12_256_cert, &server_ca3_gost12_256_key, GNUTLS_X509_FMT_PEM) >= 0); + } + + if (test->have_gost12_512_cert) { + assert(gnutls_certificate_set_x509_key_mem(s_cert_cred, &server_ca3_gost12_512_cert, &server_ca3_gost12_512_key, GNUTLS_X509_FMT_PEM) >= 0); + } + /* client does everything */ gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anon_cred); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, c_cert_cred); diff --git a/tests/tls10-server-kx-neg.c b/tests/tls10-server-kx-neg.c index 4ac53a2794..f3ec7ea935 100644 --- a/tests/tls10-server-kx-neg.c +++ b/tests/tls10-server-kx-neg.c @@ -416,6 +416,152 @@ test_case_st tests[] = { .have_srp_cred = 1, .server_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.0", .client_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.0" + }, + + { + .name = "TLS 1.0 VKO-GOST-01 without cred", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-01 with cred but no cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-01 with cred but no GOST cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-01 with cred and GOST01 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost01_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-01 with cred and GOST12-256 cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_gost12_256_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-01 with cred and GOST12-512 cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_gost12_512_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-01 with cred and multiple certs", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_ecc_sign_cert = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .have_gost01_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.0" + }, + + { + .name = "TLS 1.0 VKO-GOST-12 without cred", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-12 with cred but no cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-12 with cred but no GOST cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-12 with cred and GOST01 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost01_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-12 with cred and GOST12-256 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost12_256_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-12 with cred and GOST12-512 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost12_512_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0" + }, + { + .name = "TLS 1.0 VKO-GOST-12 with cred and multiple certs", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_ecc_sign_cert = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .have_gost01_cert = 1, + .have_gost12_256_cert = 1, + .have_gost12_512_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.0" } }; diff --git a/tests/tls11-server-kx-neg.c b/tests/tls11-server-kx-neg.c index fee785ab95..414a800a4b 100644 --- a/tests/tls11-server-kx-neg.c +++ b/tests/tls11-server-kx-neg.c @@ -416,6 +416,152 @@ test_case_st tests[] = { .have_srp_cred = 1, .server_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.1", .client_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.1" + }, + + { + .name = "TLS 1.1 VKO-GOST-01 without cred", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-01 with cred but no cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-01 with cred but no GOST cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-01 with cred and GOST01 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost01_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-01 with cred and GOST12-256 cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_gost12_256_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-01 with cred and GOST12-512 cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_gost12_512_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-01 with cred and multiple certs", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_ecc_sign_cert = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .have_gost01_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.1" + }, + + { + .name = "TLS 1.1 VKO-GOST-12 without cred", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-12 with cred but no cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-12 with cred but no GOST cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-12 with cred and GOST01 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost01_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-12 with cred and GOST12-256 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost12_256_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-12 with cred and GOST12-512 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost12_512_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1" + }, + { + .name = "TLS 1.1 VKO-GOST-12 with cred and multiple certs", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_ecc_sign_cert = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .have_gost01_cert = 1, + .have_gost12_256_cert = 1, + .have_gost12_512_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.1" } }; diff --git a/tests/tls12-server-kx-neg.c b/tests/tls12-server-kx-neg.c index 0595e9fc51..37e412c0d5 100644 --- a/tests/tls12-server-kx-neg.c +++ b/tests/tls12-server-kx-neg.c @@ -461,6 +461,152 @@ test_case_st tests[] = { .have_srp_cred = 1, .server_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.2", .client_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.2" + }, + + { + .name = "TLS 1.2 VKO-GOST-01 without cred", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-01 with cred but no cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-01 with cred but no GOST cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-01 with cred and GOST01 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost01_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-01 with cred and GOST12-256 cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_gost12_256_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-01 with cred and GOST12-512 cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_gost12_512_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-01 with cred and multiple certs", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_ecc_sign_cert = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .have_gost01_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-01:-VERS-ALL:+VERS-TLS1.2" + }, + + { + .name = "TLS 1.2 VKO-GOST-12 without cred", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-12 with cred but no cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-12 with cred but no GOST cert", + .client_ret = GNUTLS_E_AGAIN, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, + .have_cert_cred = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST01 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost01_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost12_256_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_gost12_512_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" + }, + { + .name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs", + .server_ret = 0, + .client_ret = 0, + .have_cert_cred = 1, + .have_ecc_sign_cert = 1, + .have_rsa_sign_cert = 1, + .have_rsa_decrypt_cert = 1, + .have_gost01_cert = 1, + .have_gost12_256_cert = 1, + .have_gost12_512_cert = 1, + .not_on_fips = 1, + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:-VERS-ALL:+VERS-TLS1.2" } }; |