-rw-r--r-- | doc/cha-gtls-app.texi | 9 | ||||
-rw-r--r-- | lib/priority.c | 57 | ||||
-rw-r--r-- | tests/tls12-cert-key-exchange.c | 6 | ||||
-rw-r--r-- | tests/tls12-server-kx-neg.c | 32 | ||||
-rw-r--r-- | tests/tls13-server-kx-neg.c | 24 |
5 files changed, 84 insertions, 44 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index f734ca79bc..47fd3bca65 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -1422,18 +1422,21 @@ appended with an algorithm will add this algorithm. @item Ciphers @tab Examples are AES-128-GCM, AES-256-GCM, AES-256-CBC, GOST28147-TC26Z-CNT; see also @ref{tab:ciphers} for more options. Catch all name is CIPHER-ALL which will add -all the algorithms from NORMAL priority. +all the algorithms from NORMAL priority. The shortcut for secure GOST +algorithms is CIPHER-GOST-ALL. @item Key exchange @tab RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS, PSK, DHE-PSK, ECDHE-PSK, ECDHE-RSA, ECDHE-ECDSA, VKO-GOST-12, ANON-ECDH, ANON-DH. Catch all name is KX-ALL which will add all the algorithms from NORMAL priority. Under TLS1.3, the DHE-PSK and ECDHE-PSK strings are equivalent -and instruct for a Diffie-Hellman key exchange using the enabled groups. +and instruct for a Diffie-Hellman key exchange using the enabled groups. The +shortcut for secure GOST algorithms is KX-GOST-ALL. @item MAC @tab MD5, SHA1, SHA256, SHA384, GOST28147-TC26Z-IMIT, AEAD (used with -GCM ciphers only). All algorithms from NORMAL priority can be accessed with MAC-ALL. +GCM ciphers only). All algorithms from NORMAL priority can be accessed with +MAC-ALL. The shortcut for secure GOST algorithms is MAC-GOST-ALL. @item Compression algorithms @tab COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL. diff --git a/lib/priority.c b/lib/priority.c index 102fc11e6b..7b34ae9e52 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -297,6 +297,11 @@ static const int _kx_priority_secure[] = { }; static const int* kx_priority_secure = _kx_priority_secure; +static const int _kx_priority_gost[] = { + GNUTLS_KX_VKO_GOST_12, +}; +static const int* kx_priority_gost = _kx_priority_gost; + static const int _cipher_priority_performance_default[] = { GNUTLS_CIPHER_AES_128_GCM, GNUTLS_CIPHER_AES_256_GCM, 
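Review bot: `_kx_priority_gost` in the lib/priority.c hunk is declared without a trailing `0`, while the two sibling lists this commit adds further down (`_cipher_priority_gost`, `_mac_priority_gost`) both end with one. If `bulk_fn` walks a list until it meets a zero entry, as that convention suggests, `+KX-GOST-ALL` or `-KX-GOST-ALL` would read past the one-element array and treat adjacent memory as key-exchange ids. The initializer should carry the sentinel: add a line `0` after `GNUTLS_KX_VKO_GOST_12,`.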
@@ -507,6 +512,18 @@ static const int *cipher_priority_performance = _cipher_priority_performance_def static const int *cipher_priority_normal = _cipher_priority_normal_default; static const int *mac_priority_normal = mac_priority_normal_default; +static const int _cipher_priority_gost[] = { + GNUTLS_CIPHER_GOST28147_TC26Z_CNT, + 0 +}; +static const int *cipher_priority_gost = _cipher_priority_gost; + +static const int _mac_priority_gost[] = { + GNUTLS_MAC_GOST28147_TC26Z_IMIT, + 0 +}; +static const int *mac_priority_gost = _mac_priority_gost; + /* if called with replace the default priorities with the FIPS140 ones */ void _gnutls_priority_update_fips(void) { 
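Review bot: Nothing in this hunk shows what `CIPHER-GOST-ALL` and `MAC-GOST-ALL` expand to once FIPS priorities are in effect, although the new lists sit directly above `_gnutls_priority_update_fips` and every GOST test case in this commit is marked `.not_on_fips = 1`. It is worth confirming that the keywords cannot add GOST28147 entries to a FIPS-mode priority cache, or that a later layer filters them out. A short comment above the arrays, for example `/* expanded by CIPHER-GOST-ALL / MAC-GOST-ALL; zero-terminated */`, would also record the sentinel convention. The body of `_gnutls_priority_update_fips` lies outside the hunk.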
@@ -2168,18 +2185,38 @@ gnutls_priority_init(gnutls_priority_t * priority_cache,
 goto error;
 }
 } else if (c_strncasecmp
- (&broken_list[i][1], "MAC-ALL", 7) == 0) {
- bulk_fn(&(*priority_cache)->_mac,
- mac_priority_normal);
+ (&broken_list[i][1], "MAC-", 4) == 0) {
+ if (c_strncasecmp
+ (&broken_list[i][1], "MAC-ALL", 7) == 0) {
+ bulk_fn(&(*priority_cache)->_mac,
+ mac_priority_normal);
+ } else if (c_strncasecmp
+ (&broken_list[i][1], "MAC-GOST-ALL", 12) == 0) {
+ bulk_fn(&(*priority_cache)->_mac,
+ mac_priority_gost);
+ }
 } else if (c_strncasecmp
- (&broken_list[i][1], "CIPHER-ALL",
- 10) == 0) {
- bulk_fn(&(*priority_cache)->_cipher,
- cipher_priority_normal);
+ (&broken_list[i][1], "CIPHER-", 7) == 0) {
+ if (c_strncasecmp
+ (&broken_list[i][1], "CIPHER-ALL", 10) == 0) {
+ bulk_fn(&(*priority_cache)->_cipher,
+ cipher_priority_normal);
+ } else if (c_strncasecmp
+ (&broken_list[i][1], "CIPHER-GOST-ALL", 15) == 0) {
+ bulk_fn(&(*priority_cache)->_cipher,
+ cipher_priority_gost);
+ }
 } else if (c_strncasecmp
- (&broken_list[i][1], "KX-ALL", 6) == 0) {
- bulk_fn(&(*priority_cache)->_kx,
- kx_priority_secure);
+ (&broken_list[i][1], "KX-", 3) == 0) {
+ if (c_strncasecmp
+ (&broken_list[i][1], "KX-ALL", 6) == 0) {
+ bulk_fn(&(*priority_cache)->_kx,
+ kx_priority_secure);
+ } else if (c_strncasecmp
+ (&broken_list[i][1], "KX-GOST-ALL", 11) == 0) {
+ bulk_fn(&(*priority_cache)->_kx,
+ kx_priority_gost);
+ }
 } else
 goto error;
 } else if (broken_list[i][0] == '%') {
diff --git a/tests/tls12-cert-key-exchange.c b/tests/tls12-cert-key-exchange.c
index 1271bb3501..862fe85894 100644
--- a/tests/tls12-cert-key-exchange.c
+++ b/tests/tls12-cert-key-exchange.c
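Review bot: The inner chains of the new two-level matching in gnutls_priority_init have no fallback: a token that starts with `MAC-`, `CIPHER-` or `KX-` but is neither `...-ALL` nor `...-GOST-ALL` satisfies the outer prefix test, runs neither `bulk_fn` call, and never reaches the trailing `else goto error`. Under the removed lines such a token fell through to that error path, so a misspelled keyword (for example `-KX-GOST-AL`, a constructed sample) is now accepted silently and the resulting priority set differs from what the operator wrote. Each of the three inner chains should close with `} else` / `goto error;` instead of a bare `}`. The function starts and ends outside the hunk, so this assumes no later branch handles these tokens.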
@@ -155,10 +155,10 @@ void doit(void) server_priority = "NORMAL:+CTYPE-ALL" ":+VKO-GOST-12" ":+GROUP-GOST-ALL" - ":+GOST28147-TC26Z-CNT" - ":+GOST28147-TC26Z-IMIT" + ":+CIPHER-GOST-ALL" + ":+MAC-GOST-ALL" ":+SIGN-GOST-ALL"; - const char *gost_client_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL"; + const char *gost_client_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL"; try_with_key("TLS 1.2 with gost12 256 no-cli-cert (ctype X.509)", gost_client_prio, GNUTLS_KX_VKO_GOST_12, GNUTLS_SIGN_GOST_256, GNUTLS_SIGN_UNKNOWN, &server_ca3_gost12_256_cert, &server_ca3_gost12_256_key, NULL, NULL, 0, GNUTLS_CRT_X509, GNUTLS_CRT_UNKNOWN); try_with_key("TLS 1.2 with gost12 256 ask cli-cert (ctype X.509)", gost_client_prio, GNUTLS_KX_VKO_GOST_12, GNUTLS_SIGN_GOST_256, GNUTLS_SIGN_UNKNOWN, diff --git a/tests/tls12-server-kx-neg.c b/tests/tls12-server-kx-neg.c index 4ae49b226c..e3a2de363a 100644 --- a/tests/tls12-server-kx-neg.c +++ b/tests/tls12-server-kx-neg.c @@ -469,8 +469,8 @@ test_case_st tests[] = { .client_ret = GNUTLS_E_AGAIN, .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS, .not_on_fips = 1, - .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2", - .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2" + .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2" }, { .name = "TLS 1.2 VKO-GOST-12 with cred but no cert", 
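Review bot: The updated priority strings exercise `CIPHER-GOST-ALL` and `MAC-GOST-ALL` but still spell the key exchange as `+VKO-GOST-12`, so the third keyword this commit adds, `KX-GOST-ALL`, is not parsed by any test here or in the tls12-server-kx-neg.c and tls13-server-kx-neg.c hunks. Switching at least one client/server pair to `:+KX-GOST-ALL` would cover it and would run the code path that reads `_kx_priority_gost`, the only one of the three new lists without a `0` entry. A negative case expecting gnutls_priority_init to reject an unknown `MAC-`/`CIPHER-`/`KX-` keyword would pin the error path too. doit() continues outside the hunk.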
@@ -478,8 +478,8 @@ test_case_st tests[] = {
 .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
 .have_cert_cred = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 },
 {
 .name = "TLS 1.2 VKO-GOST-12 with cred but no GOST cert",
@@ -489,8 +489,8 @@ test_case_st tests[] = {
 .have_rsa_sign_cert = 1,
 .have_rsa_decrypt_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 },
 {
 .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert",
@@ -499,8 +499,8 @@ test_case_st tests[] = {
 .have_cert_cred = 1,
 .have_gost12_256_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 },
 {
 .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert",
@@ -509,8 +509,8 @@ test_case_st tests[] = {
 .have_cert_cred = 1,
 .have_gost12_512_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 },
 {
 .name = "TLS 1.2 VKO-GOST-12 with cred and multiple certs",
@@ -523,8 +523,8 @@ test_case_st tests[] = {
 .have_gost12_256_cert = 1,
 .have_gost12_512_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2"
 },
 {
 .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-256 cert client lacking signature algs (like SChannel)",
@@ -533,8 +533,8 @@ test_case_st tests[] = {
 .have_cert_cred = 1,
 .have_gost12_256_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
- .client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+VERS-TLS1.2:+SIGN-RSA-SHA256"
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+ .client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+VERS-TLS1.2:+SIGN-RSA-SHA256"
 },
 {
 .name = "TLS 1.2 VKO-GOST-12 with cred and GOST12-512 cert client lacking signature algs (like SChannel)",
@@ -543,8 +543,8 @@ test_case_st tests[] = {
 .have_cert_cred = 1,
 .have_gost12_512_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
- .client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+VERS-TLS1.2:+SIGN-RSA-SHA256"
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:-VERS-ALL:+VERS-TLS1.2",
+ .client_prio = "NONE:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+VERS-TLS1.2:+SIGN-RSA-SHA256"
 },
 #endif
 };
diff --git a/tests/tls13-server-kx-neg.c b/tests/tls13-server-kx-neg.c
index 91651a80a0..a4cca3faaf 100644
--- a/tests/tls13-server-kx-neg.c
+++ b/tests/tls13-server-kx-neg.c
@@ -232,8 +232,8 @@ test_case_st tests[] = {
 .have_cert_cred = 1,
 .have_gost12_256_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
 .exp_version = GNUTLS_TLS1_2,
 },
 {
@@ -243,8 +243,8 @@ test_case_st tests[] = {
 .have_cert_cred = 1,
 .have_gost12_512_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
 .exp_version = GNUTLS_TLS1_2,
 },
 {
@@ -254,8 +254,8 @@ test_case_st tests[] = {
 .have_cert_cred = 1,
 .have_gost12_256_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
 .exp_version = GNUTLS_TLS1_2,
 },
 {
@@ -265,8 +265,8 @@ test_case_st tests[] = {
 .have_cert_cred = 1,
 .have_gost12_512_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:" "-VERS-ALL:+VERS-TLS1.2",
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
 .exp_version = GNUTLS_TLS1_2,
 },
 /* Ideally for the next two test cases we should fallback to TLS 1.2 + GOST
@@ -278,8 +278,8 @@ test_case_st tests[] = {
 .have_cert_cred = 1,
 .have_gost12_256_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
 .exp_version = GNUTLS_TLS1_2,
 },
 {
@@ -289,8 +289,8 @@ test_case_st tests[] = {
 .have_cert_cred = 1,
 .have_gost12_512_cert = 1,
 .not_on_fips = 1,
- .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
- .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-GOST-ALL:"PVERSION,
+ .server_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
+ .client_prio = "NORMAL:-KX-ALL:+VKO-GOST-12:+GROUP-GOST-ALL:+CIPHER-GOST-ALL:+MAC-GOST-ALL:+SIGN-GOST-ALL:"PVERSION,
 .exp_version = GNUTLS_TLS1_2,
 },
 #endif |