aboutsummaryrefslogtreecommitdiffstats
path: root/src/bogo_shim
diff options
context:
space:
mode:
Diffstat (limited to 'src/bogo_shim')
-rw-r--r--src/bogo_shim/bogo_shim.cpp43
-rw-r--r--src/bogo_shim/config.json5
2 files changed, 38 insertions, 10 deletions
diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp
index c607ae7c9..47810c4ba 100644
--- a/src/bogo_shim/bogo_shim.cpp
+++ b/src/bogo_shim/bogo_shim.cpp
@@ -152,6 +152,7 @@ std::string map_to_bogo_error(const std::string& e)
{ "Server_Hello_Done: Must be empty, and is not", ":DECODE_ERROR:" },
{ "Simulated OCSP callback failure", ":OCSP_CB_ERROR:" },
{ "Simulating cert verify callback failure", ":CERT_CB_ERROR:" },
+ { "Simulating failure from OCSP response callback", ":OCSP_CB_ERROR:" },
{ "TLS plaintext record is larger than allowed maximum", ":DATA_LENGTH_TOO_LONG:" },
{ "TLS signature extension did not allow for RSA/SHA-256 signature", ":WRONG_SIGNATURE_TYPE:", },
{ "Test requires rejecting cert", ":CERTIFICATE_VERIFY_FAILED:" },
@@ -432,6 +433,8 @@ class Shim_Arguments final
bool option_used(const std::string& key) const
{
+ if(m_all_options.count(key) == 0)
+ throw Shim_Exception("Invalid option " + key);
if(m_parsed_opts.find(key) != m_parsed_opts.end())
return true;
if(m_parsed_int_vec_opts.find(key) != m_parsed_int_vec_opts.end())
@@ -586,7 +589,7 @@ std::unique_ptr<Shim_Arguments> parse_options(char* argv[])
"send-alert",
"server",
"server-preference",
- //"set-ocsp-in-callback",
+ "set-ocsp-in-callback",
"shim-shuts-down",
"shim-writes-first",
//"tls-unique",
@@ -639,7 +642,7 @@ std::unique_ptr<Shim_Arguments> parse_options(char* argv[])
"expect-ocsp-response",
//"expect-quic-transport-params",
//"expect-signed-cert-timestamps",
- //"ocsp-response",
+ "ocsp-response",
//"quic-transport-params",
//"signed-cert-timestamps",
//"ticket-key", /* we use a different ticket format from Boring */
@@ -975,7 +978,12 @@ class Shim_Policy final : public Botan::TLS::Policy
bool support_cert_status_message() const override
{
if(m_args.flag_set("server"))
- return false;
+ {
+ if(!m_args.option_used("ocsp-response"))
+ return false;
+ if(m_args.flag_set("decline-ocsp-callback"))
+ return false;
+ }
return true;
}
@@ -1226,6 +1234,23 @@ class Shim_Callbacks final : public Botan::TLS::Callbacks
}
}
+ std::vector<uint8_t> tls_srv_provide_cert_status_response(const std::vector<Botan::X509_Certificate>&,
+ const Botan::TLS::Certificate_Status_Request&) const override
+ {
+ if(m_args.flag_set("use-ocsp-callback") && m_args.flag_set("fail-ocsp-callback"))
+ throw std::runtime_error("Simulating failure from OCSP response callback");
+
+ if(m_args.flag_set("decline-ocsp-callback"))
+ return {};
+
+ if(m_args.option_used("ocsp-response"))
+ {
+ return m_args.get_b64_opt("ocsp-response");
+ }
+
+ return {};
+ }
+
void tls_record_received(uint64_t /*seq_no*/, const uint8_t data[], size_t size) override
{
if(size == 0)
@@ -1345,10 +1370,16 @@ class Shim_Callbacks final : public Botan::TLS::Callbacks
m_policy.incr_session_established();
- if(m_args.option_used("expect-no-session-id"))
+ if(m_args.flag_set("expect-no-session-id"))
+ {
+ // BoGo expects that ticket issuance implies no stateful session...
+ if(!m_args.flag_set("server") && session.session_id().size() > 0)
+ shim_exit_with_error("Unexpectedly got a session ID");
+ }
+ else if(m_args.flag_set("expect-session-id"))
{
- if(session.session_id().size() > 0)
- shim_exit_with_error("Unexpected session ID");
+ if(session.session_id().empty())
+ shim_exit_with_error("Unexpectedly got no session ID");
}
if(m_args.option_used("expect-version"))
diff --git a/src/bogo_shim/config.json b/src/bogo_shim/config.json
index 545b7ce73..b670aa39b 100644
--- a/src/bogo_shim/config.json
+++ b/src/bogo_shim/config.json
@@ -40,6 +40,7 @@
"*SignedCertificateTimestamp*": "No support for SCT",
"*SCT*": "No support for SCT",
"Renegotiation-ChangeAuthProperties": "No support for SCT",
+ "UnsolicitedCertificateExtensions-TLS*": "No support for SCT",
"*NULL-SHA*": "No support for NULL ciphers",
"*GREASE*": "No support for GREASE",
@@ -76,10 +77,6 @@
"CheckLeafCurve": "Botan ignores this",
- "OCSPStapling-Server-*": "Server doesn't support OCSP stapling currently",
- "UnsolicitedCertificateExtensions-TLS*": "Server doesn't support OCSP stapling currently",
- "ServerOCSPCallback*": "Server doesn't support OCSP stapling currently",
-
"CertificateVerificationDoesNotFailOnResume*": "Botan doesn't support reverify on resume",
"CertificateVerificationFailsOnResume*": "Botan doesn't support reverify on resume",
"CertificateVerificationPassesOnResume*": "Botan doesn't support reverify on resume",