static int test_tlsext_status_type(void) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; STACK_OF(OCSP_RESPID) *ids = NULL; OCSP_RESPID *id = NULL; BIO *certbio = NULL; if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx, &cctx, cert, privkey)) { printf("Unable to create SSL_CTX pair\n"); return 0; } if (SSL_CTX_get_tlsext_status_type(cctx) != -1) { printf("Unexpected initial value for " "SSL_CTX_get_tlsext_status_type()\n"); goto end; } /* First just do various checks getting and setting tlsext_status_type */ clientssl = SSL_new(cctx); if (SSL_get_tlsext_status_type(clientssl) != -1) { printf("Unexpected initial value for SSL_get_tlsext_status_type()\n"); goto end; } if (!SSL_set_tlsext_status_type(clientssl, TLSEXT_STATUSTYPE_ocsp)) { printf("Unexpected fail for SSL_set_tlsext_status_type()\n"); goto end; } if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) { printf("Unexpected result for SSL_get_tlsext_status_type()\n"); goto end; } SSL_free(clientssl); clientssl = NULL; if (!SSL_CTX_set_tlsext_status_type(cctx, TLSEXT_STATUSTYPE_ocsp)) { printf("Unexpected fail for SSL_CTX_set_tlsext_status_type()\n"); goto end; } if (SSL_CTX_get_tlsext_status_type(cctx) != TLSEXT_STATUSTYPE_ocsp) { printf("Unexpected result for SSL_CTX_get_tlsext_status_type()\n"); goto end; } clientssl = SSL_new(cctx); if (SSL_get_tlsext_status_type(clientssl) != TLSEXT_STATUSTYPE_ocsp) { printf("Unexpected result for SSL_get_tlsext_status_type() (test 2)\n"); goto end; } SSL_free(clientssl); clientssl = NULL; /* * Now actually do a handshake and check OCSP information is exchanged and * the callbacks get called */ SSL_CTX_set_tlsext_status_cb(cctx, ocsp_client_cb); SSL_CTX_set_tlsext_status_arg(cctx, &cdummyarg); SSL_CTX_set_tlsext_status_cb(sctx, ocsp_server_cb); SSL_CTX_set_tlsext_status_arg(sctx, &cdummyarg); if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { printf("Unable to create SSL objects\n"); goto end; } if (!create_ssl_connection(serverssl, clientssl)) { printf("Unable to create SSL connection\n"); goto end; } if (!ocsp_client_called || !ocsp_server_called) { printf("OCSP callbacks not called\n"); goto end; } SSL_free(serverssl); SSL_free(clientssl); serverssl = NULL; clientssl = NULL; /* Try again but this time force the server side callback to fail */ ocsp_client_called = 0; ocsp_server_called = 0; cdummyarg = 0; if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { printf("Unable to create SSL objects\n"); goto end; } /* This should fail because the callback will fail */ if (create_ssl_connection(serverssl, clientssl)) { printf("Unexpected success creating the connection\n"); goto end; } if (ocsp_client_called || ocsp_server_called) { printf("OCSP callbacks successfully called unexpectedly\n"); goto end; } SSL_free(serverssl); SSL_free(clientssl); serverssl = NULL; clientssl = NULL; /* * This time we'll get the client to send an OCSP_RESPID that it will * accept. */ ocsp_client_called = 0; ocsp_server_called = 0; cdummyarg = 2; if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) { printf("Unable to create SSL objects\n"); goto end; } /* * We'll just use any old cert for this test - it doesn't have to be an OCSP * specific one. We'll use the server cert. */ certbio = BIO_new_file(cert, "r"); if (certbio == NULL) { printf("Can't load the certificate file\n"); goto end; } id = OCSP_RESPID_new(); ids = sk_OCSP_RESPID_new_null(); ocspcert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); if (id == NULL || ids == NULL || ocspcert == NULL || !OCSP_RESPID_set_by_key(id, ocspcert) || !sk_OCSP_RESPID_push(ids, id)) { printf("Unable to set OCSP_RESPIDs\n"); goto end; } id = NULL; SSL_set_tlsext_status_ids(clientssl, ids); /* Control has been transferred */ ids = NULL; BIO_free(certbio); certbio = NULL; if (!create_ssl_connection(serverssl, clientssl)) { printf("Unable to create SSL connection\n"); goto end; } if (!ocsp_client_called || !ocsp_server_called) { printf("OCSP callbacks not called\n"); goto end; } testresult = 1; end: SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); SSL_CTX_free(cctx); sk_OCSP_RESPID_pop_free(ids, OCSP_RESPID_free); OCSP_RESPID_free(id); BIO_free(certbio); X509_free(ocspcert); ocspcert = NULL; return testresult; }
/* * Configure callbacks and other properties that can't be set directly * in the server/client CONF. */ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx, const SSL_TEST_CTX *test, const SSL_TEST_EXTRA_CONF *extra, CTX_DATA *server_ctx_data, CTX_DATA *server2_ctx_data, CTX_DATA *client_ctx_data) { unsigned char *ticket_keys; size_t ticket_key_len; TEST_check(SSL_CTX_set_max_send_fragment(server_ctx, test->max_fragment_size) == 1); if (server2_ctx != NULL) { TEST_check(SSL_CTX_set_max_send_fragment(server2_ctx, test->max_fragment_size) == 1); } TEST_check(SSL_CTX_set_max_send_fragment(client_ctx, test->max_fragment_size) == 1); switch (extra->client.verify_callback) { case SSL_TEST_VERIFY_ACCEPT_ALL: SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb, NULL); break; case SSL_TEST_VERIFY_REJECT_ALL: SSL_CTX_set_cert_verify_callback(client_ctx, &verify_reject_cb, NULL); break; case SSL_TEST_VERIFY_NONE: break; } /* link the two contexts for SNI purposes */ switch (extra->server.servername_callback) { case SSL_TEST_SERVERNAME_IGNORE_MISMATCH: SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb); SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); break; case SSL_TEST_SERVERNAME_REJECT_MISMATCH: SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_reject_cb); SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx); break; case SSL_TEST_SERVERNAME_CB_NONE: break; } if (extra->server.cert_status != SSL_TEST_CERT_STATUS_NONE) { SSL_CTX_set_tlsext_status_type(client_ctx, TLSEXT_STATUSTYPE_ocsp); SSL_CTX_set_tlsext_status_cb(client_ctx, client_ocsp_cb); SSL_CTX_set_tlsext_status_arg(client_ctx, NULL); SSL_CTX_set_tlsext_status_cb(server_ctx, server_ocsp_cb); SSL_CTX_set_tlsext_status_arg(server_ctx, ((extra->server.cert_status == SSL_TEST_CERT_STATUS_GOOD_RESPONSE) ? &dummy_ocsp_resp_good_val : &dummy_ocsp_resp_bad_val)); } /* * The initial_ctx/session_ctx always handles the encrypt/decrypt of the * session ticket. This ticket_key callback is assigned to the second * session (assigned via SNI), and should never be invoked */ if (server2_ctx != NULL) SSL_CTX_set_tlsext_ticket_key_cb(server2_ctx, do_not_call_session_ticket_cb); if (extra->server.broken_session_ticket) { SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, broken_session_ticket_cb); } #ifndef OPENSSL_NO_NEXTPROTONEG if (extra->server.npn_protocols != NULL) { parse_protos(extra->server.npn_protocols, &server_ctx_data->npn_protocols, &server_ctx_data->npn_protocols_len); SSL_CTX_set_npn_advertised_cb(server_ctx, server_npn_cb, server_ctx_data); } if (extra->server2.npn_protocols != NULL) { parse_protos(extra->server2.npn_protocols, &server2_ctx_data->npn_protocols, &server2_ctx_data->npn_protocols_len); TEST_check(server2_ctx != NULL); SSL_CTX_set_npn_advertised_cb(server2_ctx, server_npn_cb, server2_ctx_data); } if (extra->client.npn_protocols != NULL) { parse_protos(extra->client.npn_protocols, &client_ctx_data->npn_protocols, &client_ctx_data->npn_protocols_len); SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb, client_ctx_data); } #endif if (extra->server.alpn_protocols != NULL) { parse_protos(extra->server.alpn_protocols, &server_ctx_data->alpn_protocols, &server_ctx_data->alpn_protocols_len); SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data); } if (extra->server2.alpn_protocols != NULL) { TEST_check(server2_ctx != NULL); parse_protos(extra->server2.alpn_protocols, &server2_ctx_data->alpn_protocols, &server2_ctx_data->alpn_protocols_len); SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, server2_ctx_data); } if (extra->client.alpn_protocols != NULL) { unsigned char *alpn_protos = NULL; size_t alpn_protos_len; parse_protos(extra->client.alpn_protocols, &alpn_protos, &alpn_protos_len); /* Reversed return value convention... */ TEST_check(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos, alpn_protos_len) == 0); OPENSSL_free(alpn_protos); } /* * Use fixed session ticket keys so that we can decrypt a ticket created with * one CTX in another CTX. Don't address server2 for the moment. */ ticket_key_len = SSL_CTX_set_tlsext_ticket_keys(server_ctx, NULL, 0); ticket_keys = OPENSSL_zalloc(ticket_key_len); TEST_check(ticket_keys != NULL); TEST_check(SSL_CTX_set_tlsext_ticket_keys(server_ctx, ticket_keys, ticket_key_len) == 1); OPENSSL_free(ticket_keys); /* The default log list includes EC keys, so CT can't work without EC. */ #if !defined(OPENSSL_NO_CT) && !defined(OPENSSL_NO_EC) TEST_check(SSL_CTX_set_default_ctlog_list_file(client_ctx)); switch (extra->client.ct_validation) { case SSL_TEST_CT_VALIDATION_PERMISSIVE: TEST_check(SSL_CTX_enable_ct(client_ctx, SSL_CT_VALIDATION_PERMISSIVE)); break; case SSL_TEST_CT_VALIDATION_STRICT: TEST_check(SSL_CTX_enable_ct(client_ctx, SSL_CT_VALIDATION_STRICT)); break; case SSL_TEST_CT_VALIDATION_NONE: break; } #endif }