diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/Makefile.am | 2 | ||||
-rw-r--r-- | src/benchmark-cipher.c | 20 | ||||
-rw-r--r-- | src/benchmark-tls.c | 95 | ||||
-rw-r--r-- | src/benchmark.h | 6 | ||||
-rw-r--r-- | src/certtool-args.def | 11 | ||||
-rw-r--r-- | src/certtool-common.h | 2 | ||||
-rw-r--r-- | src/certtool.c | 18 | ||||
-rw-r--r-- | src/cli-debug.c | 10 | ||||
-rw-r--r-- | src/common.c | 4 | ||||
-rw-r--r-- | src/serv.c | 48 | ||||
-rw-r--r-- | src/tests.c | 86 | ||||
-rw-r--r-- | src/tests.h | 6 |
12 files changed, 264 insertions, 44 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 9e16698916..92762fa88a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -160,7 +160,7 @@ BENCHMARK_SRCS = benchmark-cipher.c benchmark.c benchmark.h benchmark-tls.c gnutls_cli_SOURCES = cli.c common.h common.c \ socket.c socket.h ocsptool-common.c inline_cmds.h \ $(BENCHMARK_SRCS) -gnutls_cli_LDADD = ../lib/libgnutls.la +gnutls_cli_LDADD = ../lib/libgnutls.la -lm if ENABLE_DANE gnutls_cli_LDADD += ../libdane/libgnutls-dane.la endif diff --git a/src/benchmark-cipher.c b/src/benchmark-cipher.c index b6945a2920..26d2c63c22 100644 --- a/src/benchmark-cipher.c +++ b/src/benchmark-cipher.c @@ -231,7 +231,7 @@ static void cipher_bench(int algo, int size, int aead) static void mac_bench(int algo, int size) { void *_key; - int blocksize = gnutls_hmac_get_len(algo); + int key_size = gnutls_hmac_get_key_size(algo); int step = size * 1024; struct benchmark_st st; void *input; @@ -240,10 +240,10 @@ static void mac_bench(int algo, int size) ALLOCM(input, MAX_MEM); i = input; - _key = malloc(blocksize); + _key = malloc(key_size); if (_key == NULL) return; - memset(_key, 0xf0, blocksize); + memset(_key, 0xf0, key_size); printf("%16s ", gnutls_mac_get_name(algo)); fflush(stdout); @@ -253,7 +253,7 @@ static void mac_bench(int algo, int size) start_benchmark(&st); do { - gnutls_hmac_fast(algo, _key, blocksize, i, step, _key); + gnutls_hmac_fast(algo, _key, key_size, i, step, _key); st.size += step; INC(input, i, step); } @@ -285,17 +285,29 @@ void benchmark_cipher(int debug_level) cipher_mac_bench(GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1, size); cipher_mac_bench(GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA256, size); +#ifdef ENABLE_GOST + cipher_mac_bench(GNUTLS_CIPHER_GOST28147_TC26Z_CNT, GNUTLS_MAC_GOST28147_TC26Z_IMIT, + size); +#endif printf("\nChecking MAC algorithms, payload size: %u\n", size * 1024); mac_bench(GNUTLS_MAC_SHA1, size); mac_bench(GNUTLS_MAC_SHA256, size); mac_bench(GNUTLS_MAC_SHA512, size); +#ifdef ENABLE_GOST + mac_bench(GNUTLS_MAC_GOST28147_TC26Z_IMIT, size); + mac_bench(GNUTLS_MAC_GOSTR_94, size); + mac_bench(GNUTLS_MAC_STREEBOG_512, size); +#endif printf("\nChecking ciphers, payload size: %u\n", size * 1024); cipher_bench(GNUTLS_CIPHER_3DES_CBC, size, 0); cipher_bench(GNUTLS_CIPHER_AES_128_CBC, size, 0); cipher_bench(GNUTLS_CIPHER_SALSA20_256, size, 0); cipher_bench(GNUTLS_CIPHER_NULL, size, 1); +#ifdef ENABLE_GOST + cipher_bench(GNUTLS_CIPHER_GOST28147_TC26Z_CNT, size, 0); +#endif gnutls_global_deinit(); } diff --git a/src/benchmark-tls.c b/src/benchmark-tls.c index 48ca7e2f0a..14a3d190cc 100644 --- a/src/benchmark-tls.c +++ b/src/benchmark-tls.c @@ -61,6 +61,7 @@ const char *side = ""; #define PRIO_TLS12_CHACHA_POLY1305 "NONE:+VERS-TLS1.2:+CHACHA20-POLY1305:+AEAD:+SIGN-ALL:+COMP-NULL:+ECDHE-RSA:+CURVE-ALL" #define PRIO_CHACHA_POLY1305 "NONE:+VERS-TLS1.3:+CHACHA20-POLY1305:+AEAD:+SIGN-ALL:+COMP-NULL:+ECDHE-RSA:+CURVE-ALL" #define PRIO_CAMELLIA_CBC_SHA1 "NONE:+VERS-TLS1.0:+CAMELLIA-128-CBC:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA" +#define PRIO_GOST_CNT "NONE:+VERS-TLS1.2:+GOST28147-TC26Z-CNT:+GOST28147-TC26Z-IMIT:+SIGN-ALL:+SIGN-GOSTR341012-256:+COMP-NULL:+VKO-GOST-12:+GROUP-GOST-ALL" static const int rsa_bits = 3072, ec_bits = 256; @@ -202,6 +203,42 @@ static unsigned char server_ed25519_cert_pem[] = "7barRoh+qx7ZVYpe+5w3JYuxy16w\n" "-----END CERTIFICATE-----\n"; +#ifdef ENABLE_GOST +static unsigned char server_gost12_256_key_pem[] = + "-----BEGIN PRIVATE KEY-----\n" + "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIEIgQg0+JttJEV\n" + "Ud+XBzX9q13ByKK+j2b+mEmNIo1yB0wGleo=\n" + "-----END PRIVATE KEY-----\n"; + +static unsigned char server_gost12_256_cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIC8DCCAVigAwIBAgIIWcZKgxkCMvcwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n" + "AxMEQ0EtMzAgFw0xOTEwMDgxMDQ4MTZaGA85OTk5MTIzMTIzNTk1OVowDTELMAkG\n" + "A1UEAxMCR1IwZjAfBggqhQMHAQEBATATBgcqhQMCAiQABggqhQMHAQECAgNDAARA\n" + "J9sMEEx0JW9QsT5bDqyc0TNcjVg9ZSdp4GkMtShM+OOgyBGrWK3zLP5IzHYSXja8\n" + "373QrJOUvdX7T7TUk5yU5aOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC\n" + "CWxvY2FsaG9zdDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB4AA\n" + "MB0GA1UdDgQWBBQYSEtdwsYrtnOq6Ya3nt8DgFPCQjAfBgNVHSMEGDAWgBT5qIYZ\n" + "Y7akFBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAR0xtx7MWEP1KyIzM\n" + "4lXKdTyU4Nve5RcgqF82yR/0odqT5MPoaZDvLuRWEcQryztZD3kmRUmPmn1ujSfc\n" + "BbPfRnSutDXcf6imq0/U1/TV/BF3vpS1plltzetvibf8MYetHVFQHUBJDZJHh9h7\n" + "PGwA9SnmnGKFIxFdV6bVOLkPR54Gob9zN3E17KslL19lNtht1pxk9pshwTn35oRY\n" + "uOdxof9F4XjpI/4WbC8kp15QeG8XyZd5JWSl+niNOqYK31+ilQdVBr4RiZSDIcAg\n" + "twS5yV9Ap+R8rM8TLbeT2io4rhdUgmDllUf49zV3t6AbVvbsQfkqXmHXW8uW2WBu\n" + "A8FiXEbIIOb+QIW0ZGwk3BVQ7wdiw1M5w6kYtz5kBtNPxBmc+eu1+e6EAfYbFNr3\n" + "pkxtMk3veYWHb5s3dHZ4/t2Rn85hWqh03CWwCkKTN3qmEs4/XpybbXE/UE49e7u1\n" + "FkpM1bT/0gUNsNt5h3pyUzQZdiB0XbdGGFta3tB3+inIO45h\n" + "-----END CERTIFICATE-----\n"; + +static const gnutls_datum_t server_gost12_256_key = { server_gost12_256_key_pem, + sizeof(server_gost12_256_key_pem)-1 +}; + +static const gnutls_datum_t server_gost12_256_cert = { server_gost12_256_cert_pem, + sizeof(server_gost12_256_cert_pem)-1 +}; +#endif + const gnutls_datum_t server_cert = { server_cert_pem, sizeof(server_cert_pem) }; @@ -264,6 +301,11 @@ static void test_ciphersuite(const char *cipher_prio, int size) gnutls_certificate_set_x509_key_mem(s_certcred, &server_ecc_cert, &server_ecc_key, GNUTLS_X509_FMT_PEM); +#ifdef ENABLE_GOST + gnutls_certificate_set_x509_key_mem(s_certcred, &server_gost12_256_cert, + &server_gost12_256_key, + GNUTLS_X509_FMT_PEM); +#endif gnutls_init(&server, GNUTLS_SERVER); ret = gnutls_priority_set_direct(server, cipher_prio, &str); @@ -349,7 +391,7 @@ static void test_ciphersuite(const char *cipher_prio, int size) } static -double calc_avg(unsigned int *diffs, unsigned int diffs_size) +double calc_avg(uint64_t *diffs, unsigned int diffs_size) { double avg = 0; unsigned int i; @@ -363,7 +405,7 @@ double calc_avg(unsigned int *diffs, unsigned int diffs_size) } static -double calc_sstdev(unsigned int *diffs, unsigned int diffs_size, +double calc_svar(uint64_t *diffs, unsigned int diffs_size, double avg) { double sum = 0, d; @@ -381,7 +423,7 @@ double calc_sstdev(unsigned int *diffs, unsigned int diffs_size, } -unsigned int total_diffs[32 * 1024]; +uint64_t total_diffs[32 * 1024]; unsigned int total_diffs_size = 0; static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk) @@ -389,19 +431,18 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk) /* Server stuff. */ gnutls_anon_server_credentials_t s_anoncred; gnutls_session_t server; - int sret, cret; + int sret, cret, ret; const char *str; char *suite = NULL; - /* Client stuff. */ gnutls_anon_client_credentials_t c_anoncred; gnutls_certificate_credentials_t c_certcred, s_certcred; gnutls_session_t client; - /* Need to enable anonymous KX specifically. */ - int ret; + unsigned i; struct benchmark_st st; struct timespec tr_start, tr_stop; - double avg, sstddev; + double avg, svar; gnutls_priority_t priority_cache; + const char *scale; total_diffs_size = 0; @@ -433,6 +474,10 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk) ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_ed25519_cert, &server_ed25519_key, GNUTLS_X509_FMT_PEM); + else if (pk == GNUTLS_PK_GOST_12_256) + ret = gnutls_certificate_set_x509_key_mem(s_certcred, &server_gost12_256_cert, + &server_gost12_256_key, + GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "Error in %d: %s\n", __LINE__, gnutls_strerror(ret)); @@ -501,7 +546,7 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk) gnutls_deinit(client); gnutls_deinit(server); - total_diffs[total_diffs_size++] = timespec_sub_ms(&tr_stop, &tr_start); + total_diffs[total_diffs_size++] = timespec_sub_ns(&tr_stop, &tr_start); if (total_diffs_size > sizeof(total_diffs)/sizeof(total_diffs[0])) abort(); @@ -509,16 +554,31 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk) } while (benchmark_must_finish == 0); - fprintf(stdout, "%38s ", suite); + fprintf(stdout, "%s\n - ", suite); gnutls_free(suite); stop_benchmark(&st, "transactions", 1); gnutls_priority_deinit(priority_cache); avg = calc_avg(total_diffs, total_diffs_size); - sstddev = calc_sstdev(total_diffs, total_diffs_size, avg); - printf("%32s %.2f ms, sample variance: %.2f)\n", - "(avg. handshake time:", avg, sstddev); + if (avg < 1000) { + scale = "ns"; + } else if (avg < 1000000) { + scale = "\u00B5s"; + avg /= 1000; + for (i=0;i<total_diffs_size;i++) + total_diffs[i] /= 1000; + } else { + scale = "ms"; + avg /= 1000*1000; + for (i=0;i<total_diffs_size;i++) + total_diffs[i] /= 1000*1000; + } + + svar = calc_svar(total_diffs, total_diffs_size, avg); + + printf(" - avg. handshake time: %.2f %s\n - standard deviation: %.2f %s\n\n", + avg, scale, sqrt(svar), scale); gnutls_anon_free_client_credentials(c_anoncred); gnutls_anon_free_server_credentials(s_anoncred); @@ -546,6 +606,9 @@ void benchmark_tls(int debug_level, int ciphers) test_ciphersuite(PRIO_CHACHA_POLY1305, size); test_ciphersuite(PRIO_AES_CBC_SHA1, size); test_ciphersuite(PRIO_CAMELLIA_CBC_SHA1, size); +#ifdef ENABLE_GOST + test_ciphersuite(PRIO_GOST_CNT, size); +#endif size = 16 * 1024; printf @@ -559,6 +622,9 @@ void benchmark_tls(int debug_level, int ciphers) test_ciphersuite(PRIO_CHACHA_POLY1305, size); test_ciphersuite(PRIO_AES_CBC_SHA1, size); test_ciphersuite(PRIO_CAMELLIA_CBC_SHA1, size); +#ifdef ENABLE_GOST + test_ciphersuite(PRIO_GOST_CNT, size); +#endif } else { printf ("Testing key exchanges (RSA/DH bits: %d, EC bits: %d)\n\n", @@ -571,6 +637,9 @@ void benchmark_tls(int debug_level, int ciphers) test_ciphersuite_kx(PRIO_ECDH_X25519_ECDSA, GNUTLS_PK_ECC); test_ciphersuite_kx(PRIO_ECDH_X25519_EDDSA, GNUTLS_PK_EDDSA_ED25519); test_ciphersuite_kx(PRIO_RSA, GNUTLS_PK_RSA); +#ifdef ENABLE_GOST + test_ciphersuite_kx(PRIO_GOST_CNT, GNUTLS_PK_GOST_12_256); +#endif } gnutls_global_deinit(); diff --git a/src/benchmark.h b/src/benchmark.h index 2152e6edcf..a5e2aff124 100644 --- a/src/benchmark.h +++ b/src/benchmark.h @@ -71,4 +71,10 @@ timespec_sub_ms(struct timespec *a, struct timespec *b) return (a->tv_sec - b->tv_sec) * 1000 + (a->tv_nsec - b->tv_nsec) / (1000 * 1000); } +inline static unsigned long +timespec_sub_ns(struct timespec *a, struct timespec *b) +{ + return (a->tv_sec - b->tv_sec) * 1000000000 + (a->tv_nsec - b->tv_nsec); +} + #endif /* GNUTLS_SRC_BENCHMARK_H */ diff --git a/src/certtool-args.def b/src/certtool-args.def index 915598d446..f10f57bdbb 100644 --- a/src/certtool-args.def +++ b/src/certtool-args.def @@ -355,6 +355,17 @@ flag = { doc = "This can be combined with --p7-verify, --verify or --verify-chain."; }; +flag = { + name = verify-profile; + descrip = "Specify a security level profile to be used for verification"; + arg-type = string; + doc = "This option can be used to specify a certificate verification profile. Certificate + verification profiles correspond to the security level. This should be one of + 'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ultra', + 'future'. Note that by default no profile is applied, unless one is set + as minimum in the gnutls configuration file."; +}; + //---------------------------------------- flag = { name = pkcs7_options; diff --git a/src/certtool-common.h b/src/certtool-common.h index 7217e69dec..bfeb66b2da 100644 --- a/src/certtool-common.h +++ b/src/certtool-common.h @@ -80,6 +80,8 @@ typedef struct common_info { unsigned rsa_pss_sign; unsigned sort_chain; + + gnutls_sec_param_t verification_profile; } common_info_st; static inline diff --git a/src/certtool.c b/src/certtool.c index 34188f4c6d..35438daafa 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -373,7 +373,6 @@ generate_certificate(gnutls_privkey_t * ret_key, get_oid_crt_set(crt); get_key_purpose_set(TYPE_CRT, crt); - get_extensions_crt_set(TYPE_CRT, crt); if (!batch) fprintf(stderr, @@ -467,6 +466,8 @@ generate_certificate(gnutls_privkey_t * ret_key, } } + get_extensions_crt_set(TYPE_CRT, crt); + /* append additional extensions */ if (cinfo->v1_cert == 0) { @@ -1422,6 +1423,20 @@ static void cmd_parser(int argc, char **argv) cinfo.password = ""; } + if (HAVE_OPT(VERIFY_PROFILE)) { + if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")) { + cinfo.verification_profile = GNUTLS_PROFILE_UNKNOWN; + } else { + cinfo.verification_profile = gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE)); + } + } else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) { + if (HAVE_OPT(VERIFY_CHAIN) || HAVE_OPT(VERIFY)) { + fprintf(stderr, "Note that no verification profile was selected. In the future the medium profile will be enabled by default.\n"); + fprintf(stderr, "Use --verify-profile low to apply the default verification of NORMAL priority string.\n"); + } + /* cinfo.verification_profile = GNUTLS_PROFILE_LOW; */ + } + if (HAVE_OPT(SIGN_PARAMS)) sign_params_to_flags(&cinfo, OPT_ARG(SIGN_PARAMS)); @@ -2395,6 +2410,7 @@ _verify_x509_mem(const void *cert, int cert_size, common_info_st *cinfo, } vflags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME; + vflags |= GNUTLS_PROFILE_TO_VFLAGS(cinfo->verification_profile); if (HAVE_OPT(VERIFY_ALLOW_BROKEN)) vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; diff --git a/src/cli-debug.c b/src/cli-debug.c index 4a90edd2e2..06e47fd55e 100644 --- a/src/cli-debug.c +++ b/src/cli-debug.c @@ -159,6 +159,9 @@ static const TLS_TEST tls_tests[] = { {"for ephemeral EC Diffie-Hellman support", test_ecdhe, "yes", "no", "dunno"}, +#ifdef ENABLE_GOST + {"for VKO GOST-2012 (draft-smyshlyaev-tls12-gost-suites) support", test_vko_gost_12, "yes", "no", "dunno"}, +#endif {"for curve SECP256r1 (RFC4492)", test_ecdhe_secp256r1, "yes", "no", "dunno"}, {"for curve SECP384r1 (RFC4492)", test_ecdhe_secp384r1, "yes", "no", "dunno"}, {"for curve SECP521r1 (RFC4492)", test_ecdhe_secp521r1, "yes", "no", "dunno"}, @@ -180,9 +183,16 @@ static const TLS_TEST tls_tests[] = { "dunno"}, {"for CHACHA20-POLY1305 cipher (RFC7905) support", test_chacha20, "yes", "no", "dunno"}, +#ifdef ENABLE_GOST + {"for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support", test_gost_cnt, "yes", "no", + "dunno"}, +#endif {"for MD5 MAC support", test_md5, "yes", "no", "dunno"}, {"for SHA1 MAC support", test_sha, "yes", "no", "dunno"}, {"for SHA256 MAC support", test_sha256, "yes", "no", "dunno"}, +#ifdef ENABLE_GOST + {"for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support", test_gost_imit, "yes", "no", "dunno"}, +#endif {"for max record size (RFC6066) support", test_max_record_size, "yes", "no", "dunno"}, #ifdef ENABLE_OCSP diff --git a/src/common.c b/src/common.c index 6a0c00ebaa..753481741b 100644 --- a/src/common.c +++ b/src/common.c @@ -996,7 +996,7 @@ int check_command(gnutls_session_t session, const char *str, unsigned no_cli_cer if (ret < 0) { fprintf(stderr, "reauth: %s\n", gnutls_strerror(ret)); - exit(1); + return ret; } return 1; } else @@ -1013,7 +1013,7 @@ int check_command(gnutls_session_t session, const char *str, unsigned no_cli_cer } else { fprintf(stderr, "ping: %s\n", gnutls_strerror(ret)); - exit(1); + return ret; } } return 2; diff --git a/src/serv.c b/src/serv.c index ad58260b3a..de5691261f 100644 --- a/src/serv.c +++ b/src/serv.c @@ -1014,7 +1014,7 @@ static void strip(char *data) } } -static void +static unsigned get_response(gnutls_session_t session, char *request, char **response, int *response_length) { @@ -1035,7 +1035,7 @@ get_response(gnutls_session_t session, char *request, goto unimplemented; *p = '\0'; } -/* *response = peer_print_info(session, request+4, h, response_length); */ + if (http != 0) { if (http_data_file == NULL) *response = peer_print_info(session, response_length, h); @@ -1051,25 +1051,34 @@ get_response(gnutls_session_t session, char *request, *response = strdup("Successfully executed command\n"); if (*response == NULL) { fprintf(stderr, "Memory error\n"); - exit(1); + return 0; } *response_length = strlen(*response); - return; + return 1; } else if (ret == 0) { + if (*response == NULL) { + fprintf(stderr, "Memory error\n"); + return 0; + } *response = strdup(request); *response_length = ((*response) ? strlen(*response) : 0); } else { + *response = NULL; do { - ret = gnutls_alert_send(session, GNUTLS_AL_FATAL, GNUTLS_A_UNEXPECTED_MESSAGE); + ret = gnutls_alert_send_appropriate(session, ret); } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + return 0; } } - return; + return 1; unimplemented: *response = strdup(HTTP_UNIMPLEMENTED); + if (*response == NULL) + return 0; *response_length = ((*response) ? strlen(*response) : 0); + return 1; } static void terminate(int sig) __attribute__ ((__noreturn__)); @@ -1663,18 +1672,21 @@ static void tcp_server(const char *name, int port) || strstr(j-> http_request, "\n\n")) { - get_response(j-> - tls_session, - j-> - http_request, - &j-> - http_response, - &j-> - response_length); - j->http_state = - HTTP_STATE_RESPONSE; - j->response_written - = 0; + if (get_response(j-> + tls_session, + j-> + http_request, + &j-> + http_response, + &j-> + response_length)) { + j->http_state = + HTTP_STATE_RESPONSE; + j->response_written + = 0; + } else { + j->http_state = HTTP_STATE_CLOSING; + } } } } diff --git a/src/tests.c b/src/tests.c index e73372f7af..9b608119f5 100644 --- a/src/tests.c +++ b/src/tests.c @@ -112,15 +112,27 @@ char protocol_str[] = "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0"; char protocol_all_str[] = "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0"; -char prio_str[512] = ""; +char prio_str[768] = ""; -#define ALL_CIPHERS "+CIPHER-ALL:+ARCFOUR-128:+3DES-CBC" +#ifdef ENABLE_GOST +#define GOST_CIPHERS ":+GOST28147-TC26Z-CNT" +#define GOST_MACS ":+GOST28147-TC26Z-IMIT" +#define GOST_KX ":+VKO-GOST-12" +#define GOST_REST ":+SIGN-GOSTR341012-512:+SIGN-GOSTR341012-256:+SIGN-GOSTR341001:+GROUP-GOST-ALL" +#else +#define GOST_CIPHERS +#define GOST_MACS +#define GOST_KX +#define GOST_REST +#endif + +#define ALL_CIPHERS "+CIPHER-ALL:+ARCFOUR-128:+3DES-CBC" GOST_CIPHERS #define BLOCK_CIPHERS "+3DES-CBC:+AES-128-CBC:+CAMELLIA-128-CBC:+AES-256-CBC:+CAMELLIA-256-CBC" #define ALL_COMP "+COMP-NULL" -#define ALL_MACS "+MAC-ALL:+MD5:+SHA1" -#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH" +#define ALL_MACS "+MAC-ALL:+MD5:+SHA1" GOST_MACS +#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH" GOST_KX #define INIT_STR "NONE:" -char rest[128] = "%UNSAFE_RENEGOTIATION:+SIGN-ALL:+GROUP-ALL"; +char rest[384] = "%UNSAFE_RENEGOTIATION:+SIGN-ALL:+GROUP-ALL" GOST_REST; #define _gnutls_priority_set_direct(s, str) __gnutls_priority_set_direct(s, str, __LINE__) @@ -249,6 +261,31 @@ test_code_t test_ecdhe(gnutls_session_t session) return ret; } +#ifdef ENABLE_GOST +test_code_t test_vko_gost_12(gnutls_session_t session) +{ + int ret; + + if (tls_ext_ok == 0) + return TEST_IGNORE; + + sprintf(prio_str, INIT_STR + ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS + ":+VKO-GOST-12:%s", protocol_all_str, + rest); + _gnutls_priority_set_direct(session, prio_str); + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = test_do_handshake(session); + + if (ret < 0) + return TEST_FAILED; + + return ret; +} +#endif + test_code_t test_rsa(gnutls_session_t session) { int ret; @@ -801,6 +838,26 @@ test_code_t test_sha256(gnutls_session_t session) return ret; } +#ifdef ENABLE_GOST +test_code_t test_gost_imit(gnutls_session_t session) +{ + int ret; + + if (gnutls_fips140_mode_enabled()) + return TEST_IGNORE; + + sprintf(prio_str, + INIT_STR ALL_CIPHERS ":" ALL_COMP + ":%s:+GOST28147-TC26Z-IMIT:" ALL_KX ":%s", + protocol_all_str, rest); + _gnutls_priority_set_direct(session, prio_str); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = test_do_handshake(session); + return ret; +} +#endif + test_code_t test_3des(gnutls_session_t session) { int ret; @@ -849,6 +906,25 @@ test_code_t test_chacha20(gnutls_session_t session) return ret; } +#ifdef ENABLE_GOST +test_code_t test_gost_cnt(gnutls_session_t session) +{ + int ret; + + if (gnutls_fips140_mode_enabled()) + return TEST_IGNORE; + + sprintf(prio_str, + INIT_STR "+GOST28147-TC26Z-CNT:" ALL_COMP ":%s:" + ALL_MACS ":" ALL_KX ":%s", protocol_str, rest); + _gnutls_priority_set_direct(session, prio_str); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = test_do_handshake(session); + return ret; +} +#endif + test_code_t test_tls1(gnutls_session_t session) { int ret; diff --git a/src/tests.h b/src/tests.h index 80c590585d..a8326019ca 100644 --- a/src/tests.h +++ b/src/tests.h @@ -87,4 +87,10 @@ test_code_t test_aes_ccm(gnutls_session_t session); test_code_t test_aes_ccm_8(gnutls_session_t session); test_code_t test_sha256(gnutls_session_t session); +#ifdef ENABLE_GOST +test_code_t test_vko_gost_12(gnutls_session_t session); +test_code_t test_gost_cnt(gnutls_session_t session); +test_code_t test_gost_imit(gnutls_session_t session); +#endif + #endif /* GNUTLS_SRC_TESTS_H */ |