Add support for arbitrary TLS extensions.

Contributed by Trevor Perrin.
2013-05-12 18:55:27 -07:00
parent 6d84daa5d6
commit a398f821fa
17 changed files with 791 additions and 5 deletions
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -370,6 +370,41 @@ static int verify_npn(SSL *client, SSL *server)
 	}
 #endif

+#define SCT_EXT_TYPE 18
+#define TACK_EXT_TYPE 62208
+
+/* These set from cmdline */
+char* serverinfo_file = NULL;
+int serverinfo_sct = 0;
+int serverinfo_tack = 0;
+int serverinfo_sct_seen = 0;
+int serverinfo_tack_seen = 0;
+int serverinfo_other_seen = 0;
+
+static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
+												     const unsigned char* in, unsigned short inlen, 
+												     int* al, void* arg)
+	{
+		if (ext_type == SCT_EXT_TYPE)
+			serverinfo_sct_seen++;
+		else if (ext_type == TACK_EXT_TYPE)
+			serverinfo_tack_seen++;
+		else
+			serverinfo_other_seen++;
+		return 1;
+	}
+
+static int verify_serverinfo()
+	{
+	if (serverinfo_sct != serverinfo_sct_seen)
+		return -1;
+	if (serverinfo_tack != serverinfo_tack_seen)
+		return -1;
+	if (serverinfo_other_seen)
+		return -1;
+	return 0;
+	}
+
 static char *cipher=NULL;
 static int verbose=0;
 static int debug=0;
@@ -449,6 +484,9 @@ static void sv_usage(void)
 	fprintf(stderr," -npn_server - have server side offer NPN\n");
 	fprintf(stderr," -npn_server_reject - have server reject NPN\n");
 #endif
+	fprintf(stderr," -serverinfo_file - have server use this file\n");
+	fprintf(stderr," -serverinfo_sct  - have client offer and expect SCT\n");
+	fprintf(stderr," -serverinfo_tack - have client offer and expect TACK\n");
 	}

 static void print_details(SSL *c_ssl, const char *prefix)
@@ -861,6 +899,19 @@ int main(int argc, char *argv[])
 			npn_server_reject = 1;
 			}
 #endif
+		else if (strcmp(*argv,"-serverinfo_sct") == 0)
+			{
+			serverinfo_sct = 1;
+			}
+		else if (strcmp(*argv,"-serverinfo_tack") == 0)
+			{
+			serverinfo_tack = 1;
+			}
+		else if (strcmp(*argv,"-serverinfo_file") == 0)
+			{
+			if (--argc < 1) goto bad;
+			serverinfo_file = *(++argv);
+			}
 		else
 			{
 			fprintf(stderr,"unknown option %s\n",*argv);
@@ -1186,6 +1237,18 @@ bad:
 		}
 #endif

+	if (serverinfo_sct)
+		SSL_CTX_set_custom_cli_ext(c_ctx, SCT_EXT_TYPE, NULL, serverinfo_cli_cb, NULL);
+	if (serverinfo_tack)
+		SSL_CTX_set_custom_cli_ext(c_ctx, TACK_EXT_TYPE, NULL, serverinfo_cli_cb, NULL);
+
+	if (serverinfo_file)
+		if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file))
+			{
+			BIO_printf(bio_err, "missing serverinfo file\n");
+			goto end;
+			}
+
 	c_ssl=SSL_new(c_ctx);
 	s_ssl=SSL_new(s_ctx);

@@ -1643,6 +1706,12 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
 		goto end;
 		}
 #endif
+	if (verify_serverinfo() < 0)
+		{
+		ret = 1;
+		goto err;
+		}
+
 end:
 	ret = 0;

@@ -1945,6 +2014,11 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
 		goto err;
 		}
 #endif
+	if (verify_serverinfo() < 0)
+		{
+		ret = 1;
+		goto err;
+		}
 	ret=0;
 err:
 	/* We have to set the BIO's to NULL otherwise they will be