summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorbeck <>2017-08-12 23:39:24 +0000
committerbeck <>2017-08-12 23:39:24 +0000
commitab1df86cb18a998514b14cc0f6538d76eec73884 (patch)
tree40af0a8b49ae13870bfa61315a2cd560fabe481c /src
parenta6e24060b68da4965823f1fafe89dd446c9fa398 (diff)
downloadopenbsd-ab1df86cb18a998514b14cc0f6538d76eec73884.tar.gz
openbsd-ab1df86cb18a998514b14cc0f6538d76eec73884.tar.bz2
openbsd-ab1df86cb18a998514b14cc0f6538d76eec73884.zip
Rewrite the TLS status request extension to use the new TLS extension framework.
ok jsing@
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl_tlsext.c171
-rw-r--r--src/lib/libssl/ssl_tlsext.h9
-rw-r--r--src/lib/libssl/t1_lib.c176
-rw-r--r--src/regress/lib/libssl/tlsext/tlsexttest.c129
4 files changed, 307 insertions, 178 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 9db2d1ab41..646c59e5d6 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,7 +1,8 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.8 2017/08/12 21:47:59 jsing Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.9 2017/08/12 23:38:12 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
5 * 6 *
6 * Permission to use, copy, modify, and distribute this software for any 7 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above 8 * purpose with or without fee is hereby granted, provided that the above
@@ -15,6 +16,7 @@
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */ 18 */
19#include <openssl/ocsp.h>
18 20
19#include "ssl_locl.h" 21#include "ssl_locl.h"
20 22
@@ -551,6 +553,160 @@ tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert)
551} 553}
552 554
553/* 555/*
556 *Certificate Status Request - RFC 6066 section 8.
557 */
558
559int
560tlsext_ocsp_clienthello_needs(SSL *s)
561{
562 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
563 s->version != DTLS1_VERSION);
564}
565
566int
567tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb)
568{
569 CBB ocsp_respid_list, respid, exts;
570 unsigned char *ext_data;
571 size_t ext_len;
572 int i;
573
574 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
575 return 0;
576 if (!CBB_add_u16_length_prefixed(cbb, &ocsp_respid_list))
577 return 0;
578 if (!CBB_add_u16_length_prefixed(cbb, &exts))
579 return 0;
580 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
581 unsigned char *respid_data;
582 OCSP_RESPID *id;
583 size_t id_len;
584
585 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
586 i)) == NULL)
587 return 0;
588 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
589 return 0;
590 if (!CBB_add_u16_length_prefixed(&ocsp_respid_list, &respid))
591 return 0;
592 if (!CBB_add_space(&respid, &respid_data, id_len))
593 return 0;
594 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
595 return 0;
596 }
597 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
598 NULL)) == -1)
599 return 0;
600 if (!CBB_add_space(&exts, &ext_data, ext_len))
601 return 0;
602 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
603 ext_len))
604 return 0;
605 if (!CBB_flush(cbb))
606 return 0;
607 return 1;
608}
609
610int
611tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
612{
613 int failure = SSL_AD_DECODE_ERROR;
614 unsigned char *respid_data = NULL;
615 unsigned char *ext_data = NULL;
616 size_t ext_len, respid_len;
617 uint8_t status_type;
618 CBS respids, exts;
619 int ret = 0;
620
621 if (!CBS_get_u8(cbs, &status_type))
622 goto err;
623 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
624 /* ignore unknown status types */
625 s->tlsext_status_type = -1;
626 return 1;
627 }
628 s->tlsext_status_type = status_type;
629 if (!CBS_get_u16_length_prefixed(cbs, &respids))
630 goto err;
631
632 /* XXX */
633 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
634 s->internal->tlsext_ocsp_ids = NULL;
635 if (CBS_len(cbs) > 0) {
636 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
637 if (s->internal->tlsext_ocsp_ids == NULL) {
638 failure = SSL_AD_INTERNAL_ERROR;
639 goto err;
640 }
641 }
642
643 while (CBS_len(&respids) > 0) {
644 OCSP_RESPID *id = NULL;
645
646 if (!CBS_stow(cbs, &respid_data, &respid_len))
647 goto err;
648 if ((id = d2i_OCSP_RESPID(NULL,
649 (const unsigned char **)&respid_data, respid_len)) == NULL)
650 goto err;
651 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
652 failure = SSL_AD_INTERNAL_ERROR;
653 OCSP_RESPID_free(id);
654 goto err;
655 }
656 free(respid_data);
657 respid_data = NULL;
658 }
659
660 /* Read in request_extensions */
661 if (!CBS_get_u16_length_prefixed(cbs, &exts))
662 goto err;
663 if (!CBS_stow(&exts, &ext_data, &ext_len))
664 goto err;
665 if (ext_len > 0) {
666 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
667 X509_EXTENSION_free);
668 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
669 (const unsigned char **)&ext_data, ext_len)) == NULL)
670 goto err;
671 }
672 /* should be nothing left */
673 if (CBS_len(cbs) > 0)
674 goto err;
675
676 ret = 1;
677 err:
678 free(respid_data);
679 free(ext_data);
680 if (ret == 0)
681 *alert = failure;
682 return ret;
683}
684
685int
686tlsext_ocsp_serverhello_needs(SSL *s)
687{
688 return s->internal->tlsext_status_expected;
689}
690
691int
692tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb)
693{
694 return 1;
695}
696
697int
698tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
699{
700 if (s->tlsext_status_type == -1) {
701 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
702 return 0;
703 }
704 /* Set flag to expect CertificateStatus message */
705 s->internal->tlsext_status_expected = 1;
706 return 1;
707}
708
709/*
554 * SessionTicket extension - RFC 5077 section 3.2 710 * SessionTicket extension - RFC 5077 section 3.2
555 */ 711 */
556int 712int
@@ -705,6 +861,15 @@ static struct tls_extension tls_extensions[] = {
705 .serverhello_parse = tlsext_ri_serverhello_parse, 861 .serverhello_parse = tlsext_ri_serverhello_parse,
706 }, 862 },
707 { 863 {
864 .type = TLSEXT_TYPE_status_request,
865 .clienthello_needs = tlsext_ocsp_clienthello_needs,
866 .clienthello_build = tlsext_ocsp_clienthello_build,
867 .clienthello_parse = tlsext_ocsp_clienthello_parse,
868 .serverhello_needs = tlsext_ocsp_serverhello_needs,
869 .serverhello_build = tlsext_ocsp_serverhello_build,
870 .serverhello_parse = tlsext_ocsp_serverhello_parse,
871 },
872 {
708 .type = TLSEXT_TYPE_ec_point_formats, 873 .type = TLSEXT_TYPE_ec_point_formats,
709 .clienthello_needs = tlsext_ecpf_clienthello_needs, 874 .clienthello_needs = tlsext_ecpf_clienthello_needs,
710 .clienthello_build = tlsext_ecpf_clienthello_build, 875 .clienthello_build = tlsext_ecpf_clienthello_build,
@@ -758,7 +923,7 @@ tlsext_clienthello_build(SSL *s, CBB *cbb)
758 923
759 if (!tlsext->clienthello_needs(s)) 924 if (!tlsext->clienthello_needs(s))
760 continue; 925 continue;
761 926
762 if (!CBB_add_u16(cbb, tlsext->type)) 927 if (!CBB_add_u16(cbb, tlsext->type))
763 return 0; 928 return 0;
764 if (!CBB_add_u16_length_prefixed(cbb, &extension_data)) 929 if (!CBB_add_u16_length_prefixed(cbb, &extension_data))
@@ -811,7 +976,7 @@ tlsext_serverhello_build(SSL *s, CBB *cbb)
811 976
812 if (!tlsext->serverhello_needs(s)) 977 if (!tlsext->serverhello_needs(s))
813 continue; 978 continue;
814 979
815 if (!CBB_add_u16(cbb, tlsext->type)) 980 if (!CBB_add_u16(cbb, tlsext->type))
816 return 0; 981 return 0;
817 if (!CBB_add_u16_length_prefixed(cbb, &extension_data)) 982 if (!CBB_add_u16_length_prefixed(cbb, &extension_data))
diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h
index 4f8ae0cf35..bba8bdbea9 100644
--- a/src/lib/libssl/ssl_tlsext.h
+++ b/src/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.h,v 1.7 2017/08/12 21:47:59 jsing Exp $ */ 1/* $OpenBSD: ssl_tlsext.h,v 1.8 2017/08/12 23:38:12 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -51,6 +51,13 @@ int tlsext_ecpf_serverhello_needs(SSL *s);
51int tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb); 51int tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb);
52int tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert); 52int tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert);
53 53
54int tlsext_ocsp_clienthello_needs(SSL *s);
55int tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb);
56int tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert);
57int tlsext_ocsp_serverhello_needs(SSL *s);
58int tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb);
59int tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert);
60
54int tlsext_sessionticket_clienthello_needs(SSL *s); 61int tlsext_sessionticket_clienthello_needs(SSL *s);
55int tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb); 62int tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb);
56int tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert); 63int tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert);
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index e27a7d1a59..405f08ed33 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.130 2017/08/12 21:47:59 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.131 2017/08/12 23:38:12 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -687,51 +687,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
687 return NULL; 687 return NULL;
688 ret += len; 688 ret += len;
689 689
690 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
691 s->version != DTLS1_VERSION) {
692 int i;
693 long extlen, idlen, itmp;
694 OCSP_RESPID *id;
695
696 idlen = 0;
697 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
698 id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, i);
699 itmp = i2d_OCSP_RESPID(id, NULL);
700 if (itmp <= 0)
701 return NULL;
702 idlen += itmp + 2;
703 }
704
705 if (s->internal->tlsext_ocsp_exts) {
706 extlen = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, NULL);
707 if (extlen < 0)
708 return NULL;
709 } else
710 extlen = 0;
711
712 if ((size_t)(limit - ret) < 7 + extlen + idlen)
713 return NULL;
714 s2n(TLSEXT_TYPE_status_request, ret);
715 if (extlen + idlen > 0xFFF0)
716 return NULL;
717 s2n(extlen + idlen + 5, ret);
718 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
719 s2n(idlen, ret);
720 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
721 /* save position of id len */
722 unsigned char *q = ret;
723 id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, i);
724 /* skip over id len */
725 ret += 2;
726 itmp = i2d_OCSP_RESPID(id, &ret);
727 /* write id len */
728 s2n(itmp, q);
729 }
730 s2n(extlen, ret);
731 if (extlen > 0)
732 i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ret);
733 }
734
735 if (s->internal->alpn_client_proto_list != NULL && 690 if (s->internal->alpn_client_proto_list != NULL &&
736 S3I(s)->tmp.finish_md_len == 0) { 691 S3I(s)->tmp.finish_md_len == 0) {
737 if ((size_t)(limit - ret) < 692 if ((size_t)(limit - ret) <
@@ -837,14 +792,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
837 * extension. 792 * extension.
838 */ 793 */
839 794
840 if (s->internal->tlsext_status_expected) {
841 if ((size_t)(limit - ret) < 4)
842 return NULL;
843
844 s2n(TLSEXT_TYPE_status_request, ret);
845 s2n(0, ret);
846 }
847
848#ifndef OPENSSL_NO_SRTP 795#ifndef OPENSSL_NO_SRTP
849 if (SSL_IS_DTLS(s) && s->internal->srtp_profile) { 796 if (SSL_IS_DTLS(s) && s->internal->srtp_profile) {
850 int el; 797 int el;
@@ -1011,111 +958,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1011 if (!tlsext_clienthello_parse_one(s, &cbs, type, al)) 958 if (!tlsext_clienthello_parse_one(s, &cbs, type, al))
1012 return 0; 959 return 0;
1013 960
1014 if (type == TLSEXT_TYPE_status_request && 961 if (type ==
1015 s->version != DTLS1_VERSION) {
1016
1017 if (size < 5) {
1018 *al = SSL_AD_DECODE_ERROR;
1019 return 0;
1020 }
1021
1022 s->tlsext_status_type = *data++;
1023 size--;
1024 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1025 const unsigned char *sdata;
1026 int dsize;
1027 /* Read in responder_id_list */
1028 n2s(data, dsize);
1029 size -= 2;
1030 if (dsize > size) {
1031 *al = SSL_AD_DECODE_ERROR;
1032 return 0;
1033 }
1034
1035 /*
1036 * We remove any OCSP_RESPIDs from a
1037 * previous handshake to prevent
1038 * unbounded memory growth.
1039 */
1040 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids,
1041 OCSP_RESPID_free);
1042 s->internal->tlsext_ocsp_ids = NULL;
1043 if (dsize > 0) {
1044 s->internal->tlsext_ocsp_ids =
1045 sk_OCSP_RESPID_new_null();
1046 if (s->internal->tlsext_ocsp_ids == NULL) {
1047 *al = SSL_AD_INTERNAL_ERROR;
1048 return 0;
1049 }
1050 }
1051
1052 while (dsize > 0) {
1053 OCSP_RESPID *id;
1054 int idsize;
1055 if (dsize < 4) {
1056 *al = SSL_AD_DECODE_ERROR;
1057 return 0;
1058 }
1059 n2s(data, idsize);
1060 dsize -= 2 + idsize;
1061 size -= 2 + idsize;
1062 if (dsize < 0) {
1063 *al = SSL_AD_DECODE_ERROR;
1064 return 0;
1065 }
1066 sdata = data;
1067 data += idsize;
1068 id = d2i_OCSP_RESPID(NULL,
1069 &sdata, idsize);
1070 if (!id) {
1071 *al = SSL_AD_DECODE_ERROR;
1072 return 0;
1073 }
1074 if (data != sdata) {
1075 OCSP_RESPID_free(id);
1076 *al = SSL_AD_DECODE_ERROR;
1077 return 0;
1078 }
1079 if (!sk_OCSP_RESPID_push(
1080 s->internal->tlsext_ocsp_ids, id)) {
1081 OCSP_RESPID_free(id);
1082 *al = SSL_AD_INTERNAL_ERROR;
1083 return 0;
1084 }
1085 }
1086
1087 /* Read in request_extensions */
1088 if (size < 2) {
1089 *al = SSL_AD_DECODE_ERROR;
1090 return 0;
1091 }
1092 n2s(data, dsize);
1093 size -= 2;
1094 if (dsize != size) {
1095 *al = SSL_AD_DECODE_ERROR;
1096 return 0;
1097 }
1098 sdata = data;
1099 if (dsize > 0) {
1100 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
1101 X509_EXTENSION_free);
1102
1103 s->internal->tlsext_ocsp_exts =
1104 d2i_X509_EXTENSIONS(NULL,
1105 &sdata, dsize);
1106 if (!s->internal->tlsext_ocsp_exts ||
1107 (data + dsize != sdata)) {
1108 *al = SSL_AD_DECODE_ERROR;
1109 return 0;
1110 }
1111 }
1112 } else {
1113 /* We don't know what to do with any other type
1114 * so ignore it.
1115 */
1116 s->tlsext_status_type = -1;
1117 }
1118 } else if (type ==
1119 TLSEXT_TYPE_application_layer_protocol_negotiation && 962 TLSEXT_TYPE_application_layer_protocol_negotiation &&
1120 s->ctx->internal->alpn_select_cb != NULL && 963 s->ctx->internal->alpn_select_cb != NULL &&
1121 S3I(s)->tmp.finish_md_len == 0) { 964 S3I(s)->tmp.finish_md_len == 0) {
@@ -1123,7 +966,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1123 size, al) != 1) 966 size, al) != 1)
1124 return (0); 967 return (0);
1125 } 968 }
1126
1127 /* session ticket processed earlier */ 969 /* session ticket processed earlier */
1128#ifndef OPENSSL_NO_SRTP 970#ifndef OPENSSL_NO_SRTP
1129 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { 971 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
@@ -1197,19 +1039,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
1197 if (!tlsext_serverhello_parse_one(s, &cbs, type, al)) 1039 if (!tlsext_serverhello_parse_one(s, &cbs, type, al))
1198 return 0; 1040 return 0;
1199 1041
1200 if (type == TLSEXT_TYPE_status_request && 1042 if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
1201 s->version != DTLS1_VERSION) {
1202 /* MUST be empty and only sent if we've requested
1203 * a status request message.
1204 */
1205 if ((s->tlsext_status_type == -1) || (size > 0)) {
1206 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1207 return 0;
1208 }
1209 /* Set flag to expect CertificateStatus message */
1210 s->internal->tlsext_status_expected = 1;
1211 } else if (type ==
1212 TLSEXT_TYPE_application_layer_protocol_negotiation) {
1213 unsigned int len; 1043 unsigned int len;
1214 1044
1215 /* We must have requested it. */ 1045 /* We must have requested it. */
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 073ba2f2f5..950588ba47 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tlsexttest.c,v 1.11 2017/08/12 21:49:28 jsing Exp $ */ 1/* $OpenBSD: tlsexttest.c,v 1.12 2017/08/12 23:39:24 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1457,6 +1457,130 @@ test_tlsext_sni_serverhello(void)
1457 return (failure); 1457 return (failure);
1458} 1458}
1459 1459
1460static unsigned char tls_ocsp_clienthello_default[] = {
1461 0x01, 0x00, 0x00, 0x00, 0x00
1462};
1463
1464static int
1465test_tlsext_ocsp_clienthello(void)
1466{
1467 unsigned char *data = NULL;
1468 SSL_CTX *ssl_ctx = NULL;
1469 SSL *ssl = NULL;
1470 size_t dlen;
1471 int failure;
1472 int alert;
1473 CBB cbb;
1474 CBS cbs;
1475
1476 failure = 1;
1477
1478 CBB_init(&cbb, 0);
1479
1480 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
1481 errx(1, "failed to create SSL_CTX");
1482 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1483 errx(1, "failed to create SSL");
1484
1485 if (tlsext_ocsp_clienthello_needs(ssl)) {
1486 FAIL("clienthello should not need ocsp\n");
1487 goto err;
1488 }
1489 SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
1490
1491 if (!tlsext_ocsp_clienthello_needs(ssl)) {
1492 FAIL("clienthello should need ocsp\n");
1493 goto err;
1494 }
1495 if (!tlsext_ocsp_clienthello_build(ssl, &cbb)) {
1496 FAIL("clienthello failed to build SNI\n");
1497 goto err;
1498 }
1499 if (!CBB_finish(&cbb, &data, &dlen))
1500 errx(1, "failed to finish CBB");
1501
1502 if (dlen != sizeof(tls_ocsp_clienthello_default)) {
1503 FAIL("got ocsp clienthello with length %zu, "
1504 "want length %zu\n", dlen,
1505 sizeof(tls_ocsp_clienthello_default));
1506 goto err;
1507 }
1508 if (memcmp(data, tls_ocsp_clienthello_default, dlen) != 0) {
1509 FAIL("ocsp clienthello differs:\n");
1510 fprintf(stderr, "received:\n");
1511 hexdump(data, dlen);
1512 fprintf(stderr, "test data:\n");
1513 hexdump(tls_ocsp_clienthello_default,
1514 sizeof(tls_ocsp_clienthello_default));
1515 goto err;
1516 }
1517 CBS_init(&cbs, tls_ocsp_clienthello_default,
1518 sizeof(tls_ocsp_clienthello_default));
1519 if (!tlsext_ocsp_clienthello_parse(ssl, &cbs, &alert)) {
1520 FAIL("failed to parse ocsp clienthello\n");
1521 goto err;
1522 }
1523
1524 failure = 0;
1525
1526 err:
1527 CBB_cleanup(&cbb);
1528 SSL_CTX_free(ssl_ctx);
1529 SSL_free(ssl);
1530 free(data);
1531
1532 return (failure);
1533}
1534
1535static int
1536test_tlsext_ocsp_serverhello(void)
1537{
1538 unsigned char *data = NULL;
1539 SSL_CTX *ssl_ctx = NULL;
1540 SSL *ssl = NULL;
1541 size_t dlen;
1542 int failure;
1543 CBB cbb;
1544
1545 failure = 1;
1546
1547 CBB_init(&cbb, 0);
1548
1549 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
1550 errx(1, "failed to create SSL_CTX");
1551 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1552 errx(1, "failed to create SSL");
1553
1554 if (tlsext_ocsp_serverhello_needs(ssl)) {
1555 FAIL("serverhello should not need ocsp\n");
1556 goto err;
1557 }
1558
1559 ssl->internal->tlsext_status_expected = 1;
1560
1561 if (!tlsext_ocsp_serverhello_needs(ssl)) {
1562 FAIL("serverhello should need ocsp\n");
1563 goto err;
1564 }
1565 if (!tlsext_ocsp_serverhello_build(ssl, &cbb)) {
1566 FAIL("serverhello failed to build ocsp\n");
1567 goto err;
1568 }
1569
1570 if (!CBB_finish(&cbb, &data, &dlen))
1571 errx(1, "failed to finish CBB");
1572
1573 failure = 0;
1574
1575 err:
1576 CBB_cleanup(&cbb);
1577 SSL_CTX_free(ssl_ctx);
1578 SSL_free(ssl);
1579 free(data);
1580
1581 return (failure);
1582}
1583
1460/* 1584/*
1461 * Session ticket - RFC 5077 since no known implementations use 4507. 1585 * Session ticket - RFC 5077 since no known implementations use 4507.
1462 * 1586 *
@@ -1777,6 +1901,9 @@ main(int argc, char **argv)
1777 failed |= test_tlsext_sni_clienthello(); 1901 failed |= test_tlsext_sni_clienthello();
1778 failed |= test_tlsext_sni_serverhello(); 1902 failed |= test_tlsext_sni_serverhello();
1779 1903
1904 failed |= test_tlsext_ocsp_clienthello();
1905 failed |= test_tlsext_ocsp_serverhello();
1906
1780 failed |= test_tlsext_sessionticket_clienthello(); 1907 failed |= test_tlsext_sessionticket_clienthello();
1781 failed |= test_tlsext_sessionticket_serverhello(); 1908 failed |= test_tlsext_sessionticket_serverhello();
1782 1909
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-30 18:44:54 +0000