/*
 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
| 9 | |
| 10 | #include "ssltestlib.h" |
| 11 | #include "testutil.h" |
| 12 | #include "internal/nelem.h" |
| 13 | |
/*
 * Paths of the two certificate/private-key pairs handed to this test on the
 * command line (see setup_tests()); test_tls13() picks one pair per row of
 * the ciphers[] table.
 */
static char *cert1 = NULL, *privkey1 = NULL;
static char *cert2 = NULL, *privkey2 = NULL;
| 18 | |
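/*
 * Handshake scenarios driven by test_tls13(), one row per test index.
 *
 * cipher        - cipher list installed on both client and server with
 *                 SSL_CTX_set_cipher_list().
 * expected_prot - protocol version the handshake must end up on, or 0 when
 *                 the handshake is expected to fail outright.
 * certnum       - 0 gives the server cert1/privkey1, anything else gives it
 *                 cert2/privkey2.
 *
 * The table is never written to, so it is const.
 */
static const struct {
    char *cipher;
    int expected_prot;
    int certnum;
} ciphers[] = {
    /* Server doesn't have a cert with appropriate sig algs - should fail */
    {"AES128-SHA", 0, 0},
    /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
    {"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 0},
    /* Same ciphersuite, second cert/key pair - should still use TLSv1.2 */
    {"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 1},
    /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
    {"GOST2001-GOST89-GOST89", TLS1_2_VERSION, 0},
};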
| 33 | |
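/*
 * Test that we never negotiate TLSv1.3 if using GOST.
 *
 * Runs row |idx| of ciphers[]: builds a client/server pair that allows
 * TLS1_VERSION..TLS_MAX_VERSION, restricts both sides to the row's cipher
 * list, gives the server the cert/key pair chosen by certnum, then attempts
 * a handshake.  If expected_prot is 0 the handshake must fail; otherwise it
 * must succeed and BOTH ends must report expected_prot as the negotiated
 * version (checking only the client would let a server-side mismatch slip
 * through).
 *
 * Returns 1 on pass, 0 on failure; the TEST_* macros report which check
 * failed.
 */
static int test_tls13(int idx)
{
    SSL_CTX *cctx = NULL, *sctx = NULL;
    SSL *clientssl = NULL, *serverssl = NULL;
    /* certnum 0 selects the first cert/key pair, anything else the second */
    char *cert = ciphers[idx].certnum == 0 ? cert1 : cert2;
    char *privkey = ciphers[idx].certnum == 0 ? privkey1 : privkey2;
    int expected = ciphers[idx].expected_prot;
    int testresult = 0;

    if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
                                       TLS1_VERSION, TLS_MAX_VERSION,
                                       &sctx, &cctx, cert, privkey)))
        goto end;

    /*
     * NOTE(review): the cipher list is set on both sides but the protocol
     * range still reaches TLS_MAX_VERSION, so TLSv1.3 stays on offer; it is
     * the certificate that is expected to keep the handshake off TLSv1.3.
     */
    if (!TEST_true(SSL_CTX_set_cipher_list(cctx, ciphers[idx].cipher))
            || !TEST_true(SSL_CTX_set_cipher_list(sctx, ciphers[idx].cipher))
            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                             NULL, NULL)))
        goto end;

    if (expected == 0) {
        /* No usable cert/sigalg combination: the handshake must not complete */
        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
                                              SSL_ERROR_NONE)))
            goto end;
    } else {
        /* Handshake must complete and both ends must agree on the version */
        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                             SSL_ERROR_NONE))
                || !TEST_int_eq(SSL_version(clientssl), expected)
                || !TEST_int_eq(SSL_version(serverssl), expected))
            goto end;
    }

    testresult = 1;

 end:
    /* All four are NULL-safe, so the cleanup is valid on every exit path */
    SSL_free(serverssl);
    SSL_free(clientssl);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}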
| 80 | |
/*
 * Collect the four positional arguments, in order: cert1 privkey1 cert2
 * privkey2, then register one test_tls13() run per row of ciphers[].
 *
 * Returns 0 if any argument is missing (TEST_ptr reports which), 1 otherwise.
 */
int setup_tests(void)
{
    /* Where each positional argument is stored, in command-line order */
    char **dest[] = { &cert1, &privkey1, &cert2, &privkey2 };
    size_t n;

    for (n = 0; n < OSSL_NELEM(dest); n++) {
        if (!TEST_ptr(*dest[n] = test_get_argument(n)))
            return 0;
    }

    ADD_ALL_TESTS(test_tls13, OSSL_NELEM(ciphers));
    return 1;
}