From 1e839545803107b230a8177875de5994f85984de Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 13 Jul 2018 16:11:46 +0100 Subject: [PATCH] Add a GOST test Test that we never negotiate TLSv1.3 using GOST Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6650) --- test/build.info | 6 +- test/gosttest.c | 91 +++++++++++++++++++ test/recipes/90-test_gost.t | 37 ++++++++ test/recipes/90-test_gost_data/gost.conf | 13 +++ .../90-test_gost_data/server-cert2001.pem | 13 +++ .../90-test_gost_data/server-cert2012.pem | 13 +++ .../90-test_gost_data/server-key2001.pem | 4 + .../90-test_gost_data/server-key2012.pem | 4 + 8 files changed, 180 insertions(+), 1 deletion(-) create mode 100644 test/gosttest.c create mode 100644 test/recipes/90-test_gost.t create mode 100644 test/recipes/90-test_gost_data/gost.conf create mode 100644 test/recipes/90-test_gost_data/server-cert2001.pem create mode 100644 test/recipes/90-test_gost_data/server-cert2012.pem create mode 100644 test/recipes/90-test_gost_data/server-key2001.pem create mode 100644 test/recipes/90-test_gost_data/server-key2012.pem diff --git a/test/build.info b/test/build.info index 9fe511ace1..8dbe0c2f76 100644 --- a/test/build.info +++ b/test/build.info @@ -50,7 +50,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN recordlentest drbgtest drbg_cavs_test sslbuffertest \ time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \ servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest \ - sysdefaulttest errtest + sysdefaulttest errtest gosttest SOURCE[versions]=versions.c INCLUDE[versions]=../include @@ -537,6 +537,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN SOURCE[errtest]=errtest.c INCLUDE[errtest]=../include DEPEND[errtest]=../libcrypto libtestutil.a + + SOURCE[gosttest]=gosttest.c ssltestlib.c + INCLUDE[gosttest]=../include .. + DEPEND[gosttest]=../libcrypto ../libssl libtestutil.a ENDIF {- 
diff --git a/test/gosttest.c b/test/gosttest.c
new file mode 100644
index 0000000000..1a31a33962
--- /dev/null
+++ b/test/gosttest.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "ssltestlib.h"
+#include "testutil.h"
+#include "internal/nelem.h"
+
+static char *cert1 = NULL;
+static char *privkey1 = NULL;
+static char *cert2 = NULL;
+static char *privkey2 = NULL;
+
+static struct {
+ char *cipher;
+ int expected_prot;
+ int certnum;
+} ciphers[] = {
+ /* Server doesn't have a cert with appropriate sig algs - should fail */
+ {"AES128-SHA", 0, 0},
+ /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+ {"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 0},
+ /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+ {"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 1},
+ /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+ {"GOST2001-GOST89-GOST89", TLS1_2_VERSION, 0},
+};
+
+/* Test that we never negotiate TLSv1.3 if using GOST */
+static int test_tls13(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ TLS1_VERSION,
+ TLS_MAX_VERSION,
+ &sctx, &cctx,
+ ciphers[idx].certnum == 0 ? cert1
+ : cert2,
+ ciphers[idx].certnum == 0 ? privkey1
+ : privkey2)))
+ goto end;
+
+ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, ciphers[idx].cipher))
+ || !TEST_true(SSL_CTX_set_cipher_list(sctx, ciphers[idx].cipher))
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (ciphers[idx].expected_prot == 0) {
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+ } else {
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE))
+ || !TEST_int_eq(SSL_version(clientssl),
+ ciphers[idx].expected_prot))
+ goto end;
+ }
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+
+int setup_tests(void)
+{
+ if (!TEST_ptr(cert1 = test_get_argument(0))
+ || !TEST_ptr(privkey1 = test_get_argument(1))
+ || !TEST_ptr(cert2 = test_get_argument(2))
+ || !TEST_ptr(privkey2 = test_get_argument(3)))
+ return 0;
+
+ ADD_ALL_TESTS(test_tls13, OSSL_NELEM(ciphers));
+ return 1;
+}
diff --git a/test/recipes/90-test_gost.t b/test/recipes/90-test_gost.t
new file mode 100644
index 0000000000..00f95af20c
--- /dev/null
+++ b/test/recipes/90-test_gost.t
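Review bot: The negative row (`{"AES128-SHA", 0, 0}`) is only checked with `TEST_false(create_ssl_connection(...))`, so the test also passes if the handshake breaks for an unrelated reason — the engine failing to load, the GOST certificate failing to parse, or a broken test fixture — rather than because the server has no certificate usable with that cipher; pinning the failure to the expected reason from the error queue would make the negative case meaningful. The positive rows assert only `SSL_version(clientssl)`; also asserting that the negotiated cipher name equals `ciphers[idx].cipher` (and checking `SSL_version(serverssl)`) would tighten the "never TLSv1.3 with GOST" claim, since a TLSv1.2 handshake that silently fell back to some other cipher would currently pass. Minor style: the table is never written and `SSL_CTX_set_cipher_list` takes a `const char *`, so it can be `static const struct { const char *cipher; int expected_prot; int certnum; } ciphers[]`. The three GOST rows carry an identical comment; noting on the `certnum == 1` row that it exercises the 2012 certificate/key pair would make the table self-explanatory.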
@@ -0,0 +1,37 @@
+#! /usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_gost");
+
+plan skip_all => "GOST support is disabled in this OpenSSL build"
+ if disabled("gost");
+
+plan skip_all => "TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build"
+ if disabled("tls1_3") || disabled("tls1_2");
+
+plan skip_all => "No test GOST engine found"
+ if !$ENV{OPENSSL_GOST_ENGINE_SO};
+
+plan tests => 1;
+
+$ENV{OPENSSL_CONF} = srctop_file("test", "recipes", "90-test_gost_data",
+ "gost.conf");
+
+ok(run(test(["gosttest",
+ srctop_file("test", "recipes", "90-test_gost_data",
+ "server-cert2001.pem"),
+ srctop_file("test", "recipes", "90-test_gost_data",
+ "server-key2001.pem"),
+ srctop_file("test", "recipes", "90-test_gost_data",
+ "server-cert2012.pem"),
+ srctop_file("test", "recipes", "90-test_gost_data",
+ "server-key2012.pem")])),
+ "running gosttest");
diff --git a/test/recipes/90-test_gost_data/gost.conf b/test/recipes/90-test_gost_data/gost.conf
new file mode 100644
index 0000000000..1f42b9d87f
--- /dev/null
+++ b/test/recipes/90-test_gost_data/gost.conf
@@ -0,0 +1,13 @@
+openssl_conf = openssl_def
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = $ENV::OPENSSL_GOST_ENGINE_SO
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
+
diff --git a/test/recipes/90-test_gost_data/server-cert2001.pem b/test/recipes/90-test_gost_data/server-cert2001.pem
new file mode 100644
index 0000000000..e287821f82
--- /dev/null
+++ b/test/recipes/90-test_gost_data/server-cert2001.pem
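Review bot: The recipe skips entirely whenever `OPENSSL_GOST_ENGINE_SO` is unset, so in a default build the TLSv1.3-with-GOST regression is never exercised and nothing in the file tells a reader how to turn it on; a comment above the third `plan skip_all` would help, e.g. `# Set OPENSSL_GOST_ENGINE_SO to the path of the GOST engine shared object to enable this test.` The variable is only tested for truthiness, while the same path is handed to the engine loader via `dynamic_path = $ENV::OPENSSL_GOST_ENGINE_SO` in gost.conf, so a stale or mistyped path shows up as an engine-load or cipher-list failure inside `gosttest` rather than as a clear skip message; checking `-f $ENV{OPENSSL_GOST_ENGINE_SO}` in the skip condition would give the clearer diagnostic. Since `OPENSSL_CONF` is set process-wide for the child, it is also worth a one-line comment that gost.conf is what loads the engine and sets `default_algorithms = ALL` for the whole `gosttest` run.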
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4jCCAY+gAwIBAgIUNKO10+LkPoYGkOqNJ2wv1YI8RpQwCgYGKoUDAgIDBQAw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODA3MTMxNTAzMDFaFw0yODA3MTAx
+NTAzMDFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwYzAcBgYqhQMCAhMwEgYHKoUD
+AgIjAQYHKoUDAgIeAQNDAARAyDUhXsZP1JSLkvZ3xaU4aHXxAGKDwpawJ89+3B+N
+lD7FS48QUIeoQrv9hn1B/kVuVxJwU4CeZRQohLvc5IkzJ6NTMFEwHQYDVR0OBBYE
+FEz6BbScOOWYqklNGMTbyikZG/cRMB8GA1UdIwQYMBaAFEz6BbScOOWYqklNGMTb
+yikZG/cRMA8GA1UdEwEB/wQFMAMBAf8wCgYGKoUDAgIDBQADQQAbkdWo441FqSbB
+13JTW498NOzHZn69wnjYsOmMHLCdEHBTHVCa/g1wHPc4CyYk4UfMRWz5awzb6zNB
+TncjMl2a
+-----END CERTIFICATE-----
diff --git a/test/recipes/90-test_gost_data/server-cert2012.pem b/test/recipes/90-test_gost_data/server-cert2012.pem
new file mode 100644
index 0000000000..85d13c6388
--- /dev/null
+++ b/test/recipes/90-test_gost_data/server-cert2012.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB6TCCAZSgAwIBAgIUVF/ajykAyHqQm1n6K1JdMFX/O6owDAYIKoUDBwEBAwIF
+ADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
+SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTE4MDcxMzE0MzcxNVoXDTI4MDcx
+MDE0MzcxNVowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
+BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBmMB8GCCqFAwcBAQEBMBMG
+ByqFAwICIwEGCCqFAwcBAQICA0MABEDIj2JgFybRexBIdkG7bI//Z8woXbpC/hpg
+62qflBE/dHnWVnbzpJUVeSd5sAkP7Ta0qrrs5YdW4MBIM/VPbDVOo1MwUTAdBgNV
+HQ4EFgQUFZtRh6plQ3nHf1A+7ayjYw9B1X0wHwYDVR0jBBgwFoAUFZtRh6plQ3nH
+f1A+7ayjYw9B1X0wDwYDVR0TAQH/BAUwAwEB/zAMBggqhQMHAQEDAgUAA0EAMttA
+fMPa3YFO9db/xIS9wMB7ntbtibeZEJlngaPu5gvfdNmCY0uzjY2c3yPr9dDq84j7
+gSqY1VwVBLuKrpLC+w==
+-----END CERTIFICATE-----
diff --git a/test/recipes/90-test_gost_data/server-key2001.pem b/test/recipes/90-test_gost_data/server-key2001.pem
new file mode 100644
index 0000000000..92a59d8e68
--- /dev/null
+++ b/test/recipes/90-test_gost_data/server-key2001.pem
@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MEMCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIJgoLqJR/05zND0f
+8Wnma1MFMxE7ezisZhkS/DL4DXb6
+-----END PRIVATE KEY-----
diff --git a/test/recipes/90-test_gost_data/server-key2012.pem b/test/recipes/90-test_gost_data/server-key2012.pem
new file mode 100644
index 0000000000..e932f0dd77
--- /dev/null
+++ b/test/recipes/90-test_gost_data/server-key2012.pem
@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MEYCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEILemtIak5CeX
+Jd75HfVqAMi1MfhxW7kGvGDj8l1/nF45
+-----END PRIVATE KEY-----
--
GitLab