diff options
| author | Matt Caswell <matt@openssl.org> | 2016-08-30 14:20:18 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2016-08-30 21:14:29 +0100 |
| commit | 062ed73f581ef33f319c58cda93ca818cb4095b4 (patch) | |
| tree | 535af0b2c28fb117113f2172a3ef0a97744de741 /test/handshake_helper.c | |
| parent | 06314c029d6b1e2d184546b059d827bb7040f5d4 (diff) | |
Add some CertStatus tests
The previous commit revealed a long standing problem where CertStatus
processing was broken in DTLS. This would have been revealed by better
testing - so add some!
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 767ccc3b77cde82c46ab4af541663f6c80e538d3)
Diffstat (limited to 'test/handshake_helper.c')
| -rw-r--r-- | test/handshake_helper.c | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/test/handshake_helper.c b/test/handshake_helper.c index 409f16cf08..90e18fcaaa 100644 --- a/test/handshake_helper.c +++ b/test/handshake_helper.c @@ -144,6 +144,38 @@ static int servername_reject_cb(SSL *s, int *ad, void *arg) return select_server_ctx(s, arg, 0); } +static unsigned char dummy_ocsp_resp_good_val = 0xff; +static unsigned char dummy_ocsp_resp_bad_val = 0xfe; + +static int server_ocsp_cb(SSL *s, void *arg) +{ + unsigned char *resp; + + resp = OPENSSL_malloc(1); + if (resp == NULL) + return SSL_TLSEXT_ERR_ALERT_FATAL; + /* + * For the purposes of testing we just send back a dummy OCSP response + */ + *resp = *(unsigned char *)arg; + if (!SSL_set_tlsext_status_ocsp_resp(s, resp, 1)) + return SSL_TLSEXT_ERR_ALERT_FATAL; + + return SSL_TLSEXT_ERR_OK; +} + +static int client_ocsp_cb(SSL *s, void *arg) +{ + const unsigned char *resp; + int len; + + len = SSL_get_tlsext_status_ocsp_resp(s, &resp); + if (len != 1 || *resp != dummy_ocsp_resp_good_val) + return 0; + + return 1; +} + static int verify_reject_cb(X509_STORE_CTX *ctx, void *arg) { X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); return 0; @@ -319,6 +351,16 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, break; } + if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) { + SSL_CTX_set_tlsext_status_type(client_ctx, TLSEXT_STATUSTYPE_ocsp); + SSL_CTX_set_tlsext_status_cb(client_ctx, client_ocsp_cb); + SSL_CTX_set_tlsext_status_arg(client_ctx, NULL); + SSL_CTX_set_tlsext_status_cb(server_ctx, server_ocsp_cb); + SSL_CTX_set_tlsext_status_arg(server_ctx, + ((extra->server.cert_status == SSL_TEST_CERT_STATUS_GOOD_RESPONSE) + ? &dummy_ocsp_resp_good_val : &dummy_ocsp_resp_bad_val)); + } + /* * The initial_ctx/session_ctx always handles the encrypt/decrypt of the * session ticket. This ticket_key callback is assigned to the second |