Add BoGo tests and fix resumption case

2 files changed, 38 insertions, 10 deletions

diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp
index c607ae7c9..47810c4ba 100644
--- a/src/bogo_shim/bogo_shim.cpp
+++ b/src/bogo_shim/bogo_shim.cpp
@@ -152,6 +152,7 @@ std::string map_to_bogo_error(const std::string& e)
          { "Server_Hello_Done: Must be empty, and is not", ":DECODE_ERROR:" },
          { "Simulated OCSP callback failure", ":OCSP_CB_ERROR:" },
          { "Simulating cert verify callback failure", ":CERT_CB_ERROR:" },
+         { "Simulating failure from OCSP response callback", ":OCSP_CB_ERROR:" },
          { "TLS plaintext record is larger than allowed maximum", ":DATA_LENGTH_TOO_LONG:" },
          { "TLS signature extension did not allow for RSA/SHA-256 signature", ":WRONG_SIGNATURE_TYPE:", },
          { "Test requires rejecting cert", ":CERTIFICATE_VERIFY_FAILED:" },
@@ -432,6 +433,8 @@ class Shim_Arguments final
 
       bool option_used(const std::string& key) const
          {
+         if(m_all_options.count(key) == 0)
+            throw Shim_Exception("Invalid option " + key);
          if(m_parsed_opts.find(key) != m_parsed_opts.end())
             return true;
          if(m_parsed_int_vec_opts.find(key) != m_parsed_int_vec_opts.end())
@@ -586,7 +589,7 @@ std::unique_ptr<Shim_Arguments> parse_options(char* argv[])
       "send-alert",
       "server",
       "server-preference",
-      //"set-ocsp-in-callback",
+      "set-ocsp-in-callback",
       "shim-shuts-down",
       "shim-writes-first",
       //"tls-unique",
@@ -639,7 +642,7 @@ std::unique_ptr<Shim_Arguments> parse_options(char* argv[])
       "expect-ocsp-response",
       //"expect-quic-transport-params",
       //"expect-signed-cert-timestamps",
-      //"ocsp-response",
+      "ocsp-response",
       //"quic-transport-params",
       //"signed-cert-timestamps",
       //"ticket-key", /* we use a different ticket format from Boring */
@@ -975,7 +978,12 @@ class Shim_Policy final : public Botan::TLS::Policy
       bool support_cert_status_message() const override
          {
          if(m_args.flag_set("server"))
-            return false;
+            {
+            if(!m_args.option_used("ocsp-response"))
+               return false;
+            if(m_args.flag_set("decline-ocsp-callback"))
+               return false;
+            }
          return true;
          }
 
@@ -1226,6 +1234,23 @@ class Shim_Callbacks final : public Botan::TLS::Callbacks
             }
          }
 
+      std::vector<uint8_t> tls_srv_provide_cert_status_response(const std::vector<Botan::X509_Certificate>&,
+                                                                const Botan::TLS::Certificate_Status_Request&) const override
+          {
+          if(m_args.flag_set("use-ocsp-callback") && m_args.flag_set("fail-ocsp-callback"))
+             throw std::runtime_error("Simulating failure from OCSP response callback");
+
+          if(m_args.flag_set("decline-ocsp-callback"))
+             return {};
+
+          if(m_args.option_used("ocsp-response"))
+             {
+             return m_args.get_b64_opt("ocsp-response");
+             }
+
+          return {};
+          }
+
       void tls_record_received(uint64_t /*seq_no*/, const uint8_t data[], size_t size) override
          {
          if(size == 0)
@@ -1345,10 +1370,16 @@ class Shim_Callbacks final : public Botan::TLS::Callbacks
 
          m_policy.incr_session_established();
 
-         if(m_args.option_used("expect-no-session-id"))
+         if(m_args.flag_set("expect-no-session-id"))
+            {
+            // BoGo expects that ticket issuance implies no stateful session...
+            if(!m_args.flag_set("server") && session.session_id().size() > 0)
+               shim_exit_with_error("Unexpectedly got a session ID");
+            }
+         else if(m_args.flag_set("expect-session-id"))
             {
-            if(session.session_id().size() > 0)
-               shim_exit_with_error("Unexpected session ID");
+            if(session.session_id().empty())
+               shim_exit_with_error("Unexpectedly got no session ID");
             }
 
          if(m_args.option_used("expect-version"))
diff --git a/src/bogo_shim/config.json b/src/bogo_shim/config.json
index 545b7ce73..b670aa39b 100644
--- a/src/bogo_shim/config.json
+++ b/src/bogo_shim/config.json
@@ -40,6 +40,7 @@
         "*SignedCertificateTimestamp*": "No support for SCT",
         "*SCT*": "No support for SCT",
         "Renegotiation-ChangeAuthProperties": "No support for SCT",
+        "UnsolicitedCertificateExtensions-TLS*": "No support for SCT",
 
         "*NULL-SHA*": "No support for NULL ciphers",
         "*GREASE*": "No support for GREASE",
@@ -76,10 +77,6 @@
 
         "CheckLeafCurve": "Botan ignores this",
 
-        "OCSPStapling-Server-*": "Server doesn't support OCSP stapling currently",
-        "UnsolicitedCertificateExtensions-TLS*": "Server doesn't support OCSP stapling currently",
-        "ServerOCSPCallback*": "Server doesn't support OCSP stapling currently",
-
         "CertificateVerificationDoesNotFailOnResume*": "Botan doesn't support reverify on resume",
         "CertificateVerificationFailsOnResume*": "Botan doesn't support reverify on resume",
         "CertificateVerificationPassesOnResume*": "Botan doesn't support reverify on resume",