1 files changed, 128 insertions, 1 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 073ba2f2f5..950588ba47 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.11 2017/08/12 21:49:28 jsing Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.12 2017/08/12 23:39:24 beck Exp $ */
 /*
 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1457,6 +1457,130 @@ test_tlsext_sni_serverhello(void)
        return (failure);
 }
+static unsigned char tls_ocsp_clienthello_default[] = {
+        0x01, 0x00, 0x00, 0x00, 0x00
+};
+static int
+test_tlsext_ocsp_clienthello(void)
+{
+        unsigned char *data = NULL;
+        SSL_CTX *ssl_ctx = NULL;
+        SSL *ssl = NULL;
+        size_t dlen;
+        int failure;
+        int alert;
+        CBB cbb;
+        CBS cbs;
+        failure = 1;
+        CBB_init(&cbb, 0);
+        if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
+                errx(1, "failed to create SSL_CTX");
+        if ((ssl = SSL_new(ssl_ctx)) == NULL)
+                errx(1, "failed to create SSL");
+        if (tlsext_ocsp_clienthello_needs(ssl)) {
+                FAIL("clienthello should not need ocsp\n");
+                goto err;
+        }
+        SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
+        if (!tlsext_ocsp_clienthello_needs(ssl)) {
+                FAIL("clienthello should need ocsp\n");
+                goto err;
+        }
+        if (!tlsext_ocsp_clienthello_build(ssl, &cbb)) {
+                FAIL("clienthello failed to build SNI\n");
+                goto err;
+        }
+        if (!CBB_finish(&cbb, &data, &dlen))
+                errx(1, "failed to finish CBB");
+        if (dlen != sizeof(tls_ocsp_clienthello_default)) {
+                FAIL("got ocsp clienthello with length %zu, "
+                    "want length %zu\n", dlen,
+                    sizeof(tls_ocsp_clienthello_default));
+                goto err;
+        }
+        if (memcmp(data, tls_ocsp_clienthello_default, dlen) != 0) {
+                FAIL("ocsp clienthello differs:\n");
+                fprintf(stderr, "received:\n");
+                hexdump(data, dlen);
+                fprintf(stderr, "test data:\n");
+                hexdump(tls_ocsp_clienthello_default,
+                    sizeof(tls_ocsp_clienthello_default));
+                goto err;
+        }
+        CBS_init(&cbs, tls_ocsp_clienthello_default,
+            sizeof(tls_ocsp_clienthello_default));
+        if (!tlsext_ocsp_clienthello_parse(ssl, &cbs, &alert)) {
+                FAIL("failed to parse ocsp clienthello\n");
+                goto err;
+        }
+        failure = 0;
+ err:
+        CBB_cleanup(&cbb);
+        SSL_CTX_free(ssl_ctx);
+        SSL_free(ssl);
+        free(data);
+        return (failure);
+}
+static int
+test_tlsext_ocsp_serverhello(void)
+{
+        unsigned char *data = NULL;
+        SSL_CTX *ssl_ctx = NULL;
+        SSL *ssl = NULL;
+        size_t dlen;
+        int failure;
+        CBB cbb;
+        failure = 1;
+        CBB_init(&cbb, 0);
+        if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
+                errx(1, "failed to create SSL_CTX");
+        if ((ssl = SSL_new(ssl_ctx)) == NULL)
+                errx(1, "failed to create SSL");
+        if (tlsext_ocsp_serverhello_needs(ssl)) {
+                FAIL("serverhello should not need ocsp\n");
+                goto err;
+        }
+        ssl->internal->tlsext_status_expected = 1;
+        if (!tlsext_ocsp_serverhello_needs(ssl)) {
+                FAIL("serverhello should need ocsp\n");
+                goto err;
+        }
+        if (!tlsext_ocsp_serverhello_build(ssl, &cbb)) {
+                FAIL("serverhello failed to build ocsp\n");
+                goto err;
+        }
+        if (!CBB_finish(&cbb, &data, &dlen))
+                errx(1, "failed to finish CBB");
+        failure = 0;
+ err:
+        CBB_cleanup(&cbb);
+        SSL_CTX_free(ssl_ctx);
+        SSL_free(ssl);
+        free(data);
+        return (failure);
+}
 /*
 * Session ticket - RFC 5077 since no known implementations use 4507.
 *
@@ -1777,6 +1901,9 @@ main(int argc, char **argv)
        failed |= test_tlsext_sni_clienthello();
        failed |= test_tlsext_sni_serverhello();
+        failed |= test_tlsext_ocsp_clienthello();
+        failed |= test_tlsext_ocsp_serverhello();
        failed |= test_tlsext_sessionticket_clienthello();
        failed |= test_tlsext_sessionticket_serverhello();

diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c index 073ba2f2f5..950588ba47 100644 --- a/src/regress/lib/libssl/tlsext/tlsexttest.c +++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tlsexttest.c,v 1.11 2017/08/12 21:49:28 jsing Exp $ */	1	/* $OpenBSD: tlsexttest.c,v 1.12 2017/08/12 23:39:24 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1457,6 +1457,130 @@ test_tlsext_sni_serverhello(void)
1457	return (failure);	1457	return (failure);
1458	}	1458	}
1459		1459
		1460	static unsigned char tls_ocsp_clienthello_default[] = {
		1461	0x01, 0x00, 0x00, 0x00, 0x00
		1462	};
		1463
		1464	static int
		1465	test_tlsext_ocsp_clienthello(void)
		1466	{
		1467	unsigned char *data = NULL;
		1468	SSL_CTX *ssl_ctx = NULL;
		1469	SSL *ssl = NULL;
		1470	size_t dlen;
		1471	int failure;
		1472	int alert;
		1473	CBB cbb;
		1474	CBS cbs;
		1475
		1476	failure = 1;
		1477
		1478	CBB_init(&cbb, 0);
		1479
		1480	if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
		1481	errx(1, "failed to create SSL_CTX");
		1482	if ((ssl = SSL_new(ssl_ctx)) == NULL)
		1483	errx(1, "failed to create SSL");
		1484
		1485	if (tlsext_ocsp_clienthello_needs(ssl)) {
		1486	FAIL("clienthello should not need ocsp\n");
		1487	goto err;
		1488	}
		1489	SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
		1490
		1491	if (!tlsext_ocsp_clienthello_needs(ssl)) {
		1492	FAIL("clienthello should need ocsp\n");
		1493	goto err;
		1494	}
		1495	if (!tlsext_ocsp_clienthello_build(ssl, &cbb)) {
		1496	FAIL("clienthello failed to build SNI\n");
		1497	goto err;
		1498	}
		1499	if (!CBB_finish(&cbb, &data, &dlen))
		1500	errx(1, "failed to finish CBB");
		1501
		1502	if (dlen != sizeof(tls_ocsp_clienthello_default)) {
		1503	FAIL("got ocsp clienthello with length %zu, "
		1504	"want length %zu\n", dlen,
		1505	sizeof(tls_ocsp_clienthello_default));
		1506	goto err;
		1507	}
		1508	if (memcmp(data, tls_ocsp_clienthello_default, dlen) != 0) {
		1509	FAIL("ocsp clienthello differs:\n");
		1510	fprintf(stderr, "received:\n");
		1511	hexdump(data, dlen);
		1512	fprintf(stderr, "test data:\n");
		1513	hexdump(tls_ocsp_clienthello_default,
		1514	sizeof(tls_ocsp_clienthello_default));
		1515	goto err;
		1516	}
		1517	CBS_init(&cbs, tls_ocsp_clienthello_default,
		1518	sizeof(tls_ocsp_clienthello_default));
		1519	if (!tlsext_ocsp_clienthello_parse(ssl, &cbs, &alert)) {
		1520	FAIL("failed to parse ocsp clienthello\n");
		1521	goto err;
		1522	}
		1523
		1524	failure = 0;
		1525
		1526	err:
		1527	CBB_cleanup(&cbb);
		1528	SSL_CTX_free(ssl_ctx);
		1529	SSL_free(ssl);
		1530	free(data);
		1531
		1532	return (failure);
		1533	}
		1534
		1535	static int
		1536	test_tlsext_ocsp_serverhello(void)
		1537	{
		1538	unsigned char *data = NULL;
		1539	SSL_CTX *ssl_ctx = NULL;
		1540	SSL *ssl = NULL;
		1541	size_t dlen;
		1542	int failure;
		1543	CBB cbb;
		1544
		1545	failure = 1;
		1546
		1547	CBB_init(&cbb, 0);
		1548
		1549	if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
		1550	errx(1, "failed to create SSL_CTX");
		1551	if ((ssl = SSL_new(ssl_ctx)) == NULL)
		1552	errx(1, "failed to create SSL");
		1553
		1554	if (tlsext_ocsp_serverhello_needs(ssl)) {
		1555	FAIL("serverhello should not need ocsp\n");
		1556	goto err;
		1557	}
		1558
		1559	ssl->internal->tlsext_status_expected = 1;
		1560
		1561	if (!tlsext_ocsp_serverhello_needs(ssl)) {
		1562	FAIL("serverhello should need ocsp\n");
		1563	goto err;
		1564	}
		1565	if (!tlsext_ocsp_serverhello_build(ssl, &cbb)) {
		1566	FAIL("serverhello failed to build ocsp\n");
		1567	goto err;
		1568	}
		1569
		1570	if (!CBB_finish(&cbb, &data, &dlen))
		1571	errx(1, "failed to finish CBB");
		1572
		1573	failure = 0;
		1574
		1575	err:
		1576	CBB_cleanup(&cbb);
		1577	SSL_CTX_free(ssl_ctx);
		1578	SSL_free(ssl);
		1579	free(data);
		1580
		1581	return (failure);
		1582	}
		1583
1460	/*	1584	/*
1461	* Session ticket - RFC 5077 since no known implementations use 4507.	1585	* Session ticket - RFC 5077 since no known implementations use 4507.
1462	*	1586	*
@@ -1777,6 +1901,9 @@ main(int argc, char **argv)
1777	failed \|= test_tlsext_sni_clienthello();	1901	failed \|= test_tlsext_sni_clienthello();
1778	failed \|= test_tlsext_sni_serverhello();	1902	failed \|= test_tlsext_sni_serverhello();
1779		1903
		1904	failed \|= test_tlsext_ocsp_clienthello();
		1905	failed \|= test_tlsext_ocsp_serverhello();
		1906
1780	failed \|= test_tlsext_sessionticket_clienthello();	1907	failed \|= test_tlsext_sessionticket_clienthello();
1781	failed \|= test_tlsext_sessionticket_serverhello();	1908	failed \|= test_tlsext_sessionticket_serverhello();
1782		1909