Add a GOST test

Test that we never negotiate TLSv1.3 using GOST

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6650)

test/build.info

@@ -50,7 +50,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
           recordlentest drbgtest drbg_cavs_test sslbuffertest \
           time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
           servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest \
-          sysdefaulttest errtest
+          sysdefaulttest errtest gosttest
 
   SOURCE[versions]=versions.c
   INCLUDE[versions]=../include
@@ -537,6 +537,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
   SOURCE[errtest]=errtest.c
   INCLUDE[errtest]=../include
   DEPEND[errtest]=../libcrypto libtestutil.a
+
+  SOURCE[gosttest]=gosttest.c ssltestlib.c
+  INCLUDE[gosttest]=../include ..
+  DEPEND[gosttest]=../libcrypto ../libssl libtestutil.a
 ENDIF
 
 {-

test/gosttest.c

@@ -0,0 +1,91 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "ssltestlib.h"
+#include "testutil.h"
+#include "internal/nelem.h"
+
+static char *cert1 = NULL;
+static char *privkey1 = NULL;
+static char *cert2 = NULL;
+static char *privkey2 = NULL;
+
+static struct {
+    char *cipher;
+    int expected_prot;
+    int certnum;
+} ciphers[] = {
+    /* Server doesn't have a cert with appropriate sig algs - should fail */
+    {"AES128-SHA", 0, 0},
+    /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+    {"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 0},
+    /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+    {"GOST2012-GOST8912-GOST8912", TLS1_2_VERSION, 1},
+    /* Server doesn't have a TLSv1.3 capable cert - should use TLSv1.2 */
+    {"GOST2001-GOST89-GOST89", TLS1_2_VERSION, 0},
+};
+
+/* Test that we never negotiate TLSv1.3 if using GOST */
+static int test_tls13(int idx)
+{
+    SSL_CTX *cctx = NULL, *sctx = NULL;
+    SSL *clientssl = NULL, *serverssl = NULL;
+    int testresult = 0;
+
+    if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+                                       TLS_client_method(),
+                                       TLS1_VERSION,
+                                       TLS_MAX_VERSION,
+                                       &sctx, &cctx,
+                                       ciphers[idx].certnum == 0 ? cert1
+                                                                 : cert2,
+                                       ciphers[idx].certnum == 0 ? privkey1
+                                                                 : privkey2)))
+        goto end;
+
+    if (!TEST_true(SSL_CTX_set_cipher_list(cctx, ciphers[idx].cipher))
+            || !TEST_true(SSL_CTX_set_cipher_list(sctx, ciphers[idx].cipher))
+            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+                                             NULL, NULL)))
+        goto end;
+
+    if (ciphers[idx].expected_prot == 0) {
+        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
+                                              SSL_ERROR_NONE)))
+            goto end;
+    } else {
+        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+                                             SSL_ERROR_NONE))
+                || !TEST_int_eq(SSL_version(clientssl),
+                                ciphers[idx].expected_prot))
+        goto end;
+    }
+
+    testresult = 1;
+
+ end:
+    SSL_free(serverssl);
+    SSL_free(clientssl);
+    SSL_CTX_free(sctx);
+    SSL_CTX_free(cctx);
+
+    return testresult;
+}
+
+int setup_tests(void)
+{
+    if (!TEST_ptr(cert1 = test_get_argument(0))
+            || !TEST_ptr(privkey1 = test_get_argument(1))
+            || !TEST_ptr(cert2 = test_get_argument(2))
+            || !TEST_ptr(privkey2 = test_get_argument(3)))
+        return 0;
+
+    ADD_ALL_TESTS(test_tls13, OSSL_NELEM(ciphers));
+    return 1;
+}

test/recipes/90-test_gost.t

@@ -0,0 +1,37 @@
+#! /usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_gost");
+
+plan skip_all => "GOST support is disabled in this OpenSSL build"
+    if disabled("gost");
+
+plan skip_all => "TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build"
+    if disabled("tls1_3") || disabled("tls1_2");
+
+plan skip_all => "No test GOST engine found"
+    if !$ENV{OPENSSL_GOST_ENGINE_SO};
+
+plan tests => 1;
+
+$ENV{OPENSSL_CONF} = srctop_file("test", "recipes", "90-test_gost_data",
+                                 "gost.conf");
+
+ok(run(test(["gosttest",
+             srctop_file("test", "recipes", "90-test_gost_data",
+                         "server-cert2001.pem"),
+             srctop_file("test", "recipes", "90-test_gost_data",
+                         "server-key2001.pem"),
+             srctop_file("test", "recipes", "90-test_gost_data",
+                         "server-cert2012.pem"),
+             srctop_file("test", "recipes", "90-test_gost_data",
+                         "server-key2012.pem")])),
+             "running gosttest");

test/recipes/90-test_gost_data/gost.conf

@@ -0,0 +1,13 @@
+openssl_conf = openssl_def
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = $ENV::OPENSSL_GOST_ENGINE_SO
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
+

test/recipes/90-test_gost_data/server-cert2001.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4jCCAY+gAwIBAgIUNKO10+LkPoYGkOqNJ2wv1YI8RpQwCgYGKoUDAgIDBQAw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODA3MTMxNTAzMDFaFw0yODA3MTAx
+NTAzMDFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwYzAcBgYqhQMCAhMwEgYHKoUD
+AgIjAQYHKoUDAgIeAQNDAARAyDUhXsZP1JSLkvZ3xaU4aHXxAGKDwpawJ89+3B+N
+lD7FS48QUIeoQrv9hn1B/kVuVxJwU4CeZRQohLvc5IkzJ6NTMFEwHQYDVR0OBBYE
+FEz6BbScOOWYqklNGMTbyikZG/cRMB8GA1UdIwQYMBaAFEz6BbScOOWYqklNGMTb
+yikZG/cRMA8GA1UdEwEB/wQFMAMBAf8wCgYGKoUDAgIDBQADQQAbkdWo441FqSbB
+13JTW498NOzHZn69wnjYsOmMHLCdEHBTHVCa/g1wHPc4CyYk4UfMRWz5awzb6zNB
+TncjMl2a
+-----END CERTIFICATE-----

test/recipes/90-test_gost_data/server-cert2012.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB6TCCAZSgAwIBAgIUVF/ajykAyHqQm1n6K1JdMFX/O6owDAYIKoUDBwEBAwIF
+ADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
+SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTE4MDcxMzE0MzcxNVoXDTI4MDcx
+MDE0MzcxNVowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
+BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBmMB8GCCqFAwcBAQEBMBMG
+ByqFAwICIwEGCCqFAwcBAQICA0MABEDIj2JgFybRexBIdkG7bI//Z8woXbpC/hpg
+62qflBE/dHnWVnbzpJUVeSd5sAkP7Ta0qrrs5YdW4MBIM/VPbDVOo1MwUTAdBgNV
+HQ4EFgQUFZtRh6plQ3nHf1A+7ayjYw9B1X0wHwYDVR0jBBgwFoAUFZtRh6plQ3nH
+f1A+7ayjYw9B1X0wDwYDVR0TAQH/BAUwAwEB/zAMBggqhQMHAQEDAgUAA0EAMttA
+fMPa3YFO9db/xIS9wMB7ntbtibeZEJlngaPu5gvfdNmCY0uzjY2c3yPr9dDq84j7
+gSqY1VwVBLuKrpLC+w==
+-----END CERTIFICATE-----

test/recipes/90-test_gost_data/server-key2001.pem

@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MEMCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIJgoLqJR/05zND0f
+8Wnma1MFMxE7ezisZhkS/DL4DXb6
+-----END PRIVATE KEY-----

test/recipes/90-test_gost_data/server-key2012.pem

@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MEYCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEILemtIak5CeX
+Jd75HfVqAMi1MfhxW7kGvGDj8l1/nF45
+-----END PRIVATE KEY-----