Google Git
Sign in
boringssl / boringssl / aeeff2ceee2b5ccfcfa2c9bb79390ad1a1015922^! / . / ssl / test / runner
commitaeeff2ceee2b5ccfcfa2c9bb79390ad1a1015922[log] [tgz]
authorPaul Lietar <lietar@google.com>Wed Aug 12 11:47:11 2015 +0100
committerAdam Langley <agl@google.com>Thu Aug 20 17:55:31 2015 +0000
treeb8232de6bbd8a7f1f3546184461e46a0a8ba96f6
parent12fe1b25ead258858309d22ffa9e1f9a316358d7 [diff]
Server-side OCSP stapling support.

This is a simpler implementation than OpenSSL's, lacking responder IDs
and request extensions support. This mirrors the client implementation
already present.

Change-Id: I54592b60e0a708bfb003d491c9250401403c9e69
Reviewed-on: https://boringssl-review.googlesource.com/5700
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 49ada2a..b379074 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -155,6 +155,8 @@
 	// expectedSRTPProtectionProfile is the DTLS-SRTP profile that
 	// should be negotiated. If zero, none should be negotiated.
 	expectedSRTPProtectionProfile uint16
+	// expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
+	expectedOCSPResponse []uint8
 	// messageLen is the length, in bytes, of the test message that will be
 	// sent.
 	messageLen int
@@ -320,6 +322,10 @@
 		return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
 	}
 
+	if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
+		return fmt.Errorf("OCSP Response mismatch")
+	}
+
 	if test.exportKeyingMaterial > 0 {
 		actual := make([]byte, test.exportKeyingMaterial)
 		if _, err := io.ReadFull(tlsConn, actual); err != nil {
@@ -2333,6 +2339,26 @@
 		flags: []string{"-psk", "secret"},
 	})
 
+	tests = append(tests, testCase{
+		testType: clientTest,
+		name:     "OCSPStapling-Client",
+		flags: []string{
+			"-enable-ocsp-stapling",
+			"-expect-ocsp-response",
+			base64.StdEncoding.EncodeToString(testOCSPResponse),
+		},
+	})
+
+	tests = append(tests, testCase{
+		testType: serverTest,
+		name:     "OCSPStapling-Server",
+		expectedOCSPResponse: testOCSPResponse,
+		flags: []string{
+			"-ocsp-response",
+			base64.StdEncoding.EncodeToString(testOCSPResponse),
+		},
+	})
+
 	if protocol == tls {
 		tests = append(tests, testCase{
 			name:        "Renegotiate-Client",
@@ -3034,15 +3060,7 @@
 		shouldFail:    true,
 		expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
 	})
-	// Test OCSP stapling and SCT list.
-	testCases = append(testCases, testCase{
-		name: "OCSPStapling",
-		flags: []string{
-			"-enable-ocsp-stapling",
-			"-expect-ocsp-response",
-			base64.StdEncoding.EncodeToString(testOCSPResponse),
-		},
-	})
+	// Test SCT list.
 	testCases = append(testCases, testCase{
 		name: "SignedCertificateTimestampList",
 		flags: []string{