Add a test for CT in TLSv1.3

This also tests the SERVERINFO2 file format.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3298)

diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t
index c4e20b76146607defaa05b92f34e90190c39320b..c9603de56fb7a17aa16cd1131ebb447f5545ad5e 100644 (file)
--- a/test/recipes/70-test_tls13messages.t
+++ b/test/recipes/70-test_tls13messages.t
@@ -126,6 +126,8 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
 
     [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_STATUS_REQUEST,
         checkhandshake::STATUS_REQUEST_SRV_EXTENSION],
+    [TLSProxy::Message::MT_CERTIFICATE, TLSProxy::Message::EXT_SCT,
+        checkhandshake::SCT_SRV_EXTENSION],
 
     [0,0,0]
 );
@@ -257,25 +259,29 @@ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
                | checkhandshake::ALPN_SRV_EXTENSION,
                "ALPN handshake test");
 
-#Test 13: SCT handshake (client request only)
-#TODO(TLS1.3): This only checks that the client side extension appears. The
-#SCT extension is unusual in that we have no built-in server side implementation
-#The server side implementation can nomrally be added using the custom
-#extensions framework (e.g. by using the "-serverinfo" s_server option). However
-#currently we only support <= TLS1.2 for custom extensions because the existing
-#framework and API has no knowledge of the TLS1.3 messages
-$proxy->clear();
-#Note: -ct also sends status_request
-$proxy->clientflags("-ct");
-$proxy->serverflags("-status_file "
-                    .srctop_file("test", "recipes", "ocsp-response.der"));
-$proxy->start();
-checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
-               checkhandshake::DEFAULT_EXTENSIONS
-               | checkhandshake::SCT_CLI_EXTENSION
-               | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
-               | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
-               "SCT handshake test");
+SKIP: {
+    skip "No CT, EC or OCSP support in this OpenSSL build", 1
+        if disabled("ct") || disabled("ec") || disabled("ocsp");
+
+    #Test 13: SCT handshake (client request only)
+    $proxy->clear();
+    #Note: -ct also sends status_request
+    $proxy->clientflags("-ct");
+    $proxy->serverflags("-status_file "
+                        .srctop_file("test", "recipes", "ocsp-response.der")
+                        ." -serverinfo ".srctop_file("test", "serverinfo2.pem"));
+    $proxy->start();
+    checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+                   checkhandshake::DEFAULT_EXTENSIONS
+                   | checkhandshake::SCT_CLI_EXTENSION
+                   | checkhandshake::SCT_SRV_EXTENSION
+                   | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
+                   | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
+                   "SCT handshake test");
+}
+
+
+
 
 #Test 14: HRR Handshake
 $proxy->clear();