Add a nasty little ocsp regress test in the hope pedants will make it better.

author: beck <> 2016-07-04 23:43:30 +0000
committer: beck <> 2016-07-04 23:43:30 +0000
commit: a10ebb47986e84a40bd705767fec807aa331d337 (patch)
tree: 4f9d64b1b0ff0e8975c367d0007b1017cc819cf3
parent: 72c5fcefa0af7cca13d4df668cff9c5355cf3d95 (diff)
download: openbsd-a10ebb47986e84a40bd705767fec807aa331d337.tar.gz
openbsd-a10ebb47986e84a40bd705767fec807aa331d337.tar.bz2
openbsd-a10ebb47986e84a40bd705767fec807aa331d337.zip
3 files changed, 140 insertions, 1 deletions
diff --git a/src/regress/lib/libcrypto/Makefile b/src/regress/lib/libcrypto/Makefile
index 4931d0fdd8..a82ae259ea 100644
--- a/src/regress/lib/libcrypto/Makefile
+++ b/src/regress/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.22 2015/09/25 16:12:30 jsing Exp $
+#       $OpenBSD: Makefile,v 1.23 2016/07/04 23:43:30 beck Exp $
 SUBDIR= \
        aead \
@@ -27,6 +27,7 @@ SUBDIR= \
        ige \
        md4 \
        md5 \
+        ocsp \
        pbkdf2 \
        pkcs7 \
        poly1305 \
diff --git a/src/regress/lib/libcrypto/ocsp/Makefile b/src/regress/lib/libcrypto/ocsp/Makefile
new file mode 100644
index 0000000000..5748b48c77
--- /dev/null
+++ b/src/regress/lib/libcrypto/ocsp/Makefile
@@ -0,0 +1,21 @@
+#       $OpenBSD: Makefile,v 1.1 2016/07/04 23:43:30 beck Exp $
+TESTS = \
+        ocsp_test
+REGRESS_TARGETS= all_tests
+LDADD=          -lcrypto -lssl
+DPADD=          ${LIBCRYPTO} ${LIBSSL}
+WARNINGS=       Yes
+LDFLAGS+=       -lcrypto -lssl
+CFLAGS+=        -DLIBRESSL_INTERNAL -Wall -Wundef -Werror
+CLEANFILES+= ${TESTS}
+all_tests: ${TESTS}
+        @for test in $>; do \
+                ./$$test www.amazon.com 443; \
+        done
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/ocsp/ocsp_test.c b/src/regress/lib/libcrypto/ocsp/ocsp_test.c
new file mode 100644
index 0000000000..11dcda7462
--- /dev/null
+++ b/src/regress/lib/libcrypto/ocsp/ocsp_test.c
@@ -0,0 +1,117 @@
+#include <stdio.h>
+#include <netdb.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <openssl/ssl.h>
+#include <openssl/ocsp.h>
+static int tcp_connect(char *host, char *port) {
+        int err, sd = -1;
+        struct addrinfo hints, *res, *r;
+        memset(&hints, 0, sizeof(struct addrinfo));
+        hints.ai_family = AF_INET;
+        hints.ai_socktype = SOCK_STREAM;
+        err = getaddrinfo(host, port, &hints, &res);
+        if (err != 0) {
+                perror("getaddrinfo()");
+                exit(-1);
+        }
+        for (r = res; r != NULL; r = r->ai_next) {
+                sd = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
+                if (sd == -1)
+                        continue;
+                if (connect(sd, r->ai_addr, r->ai_addrlen) == 0)
+                        break;
+                close(sd);
+        }
+        freeaddrinfo(res);
+        return sd;
+}
+int main(int argc, char *argv[]) {
+        int sd, ocsp_status;
+        const unsigned char *p;
+        long len;
+        OCSP_RESPONSE *rsp = NULL;
+        OCSP_BASICRESP *br = NULL;
+        X509_STORE     *st = NULL;
+        STACK_OF(X509) *ch = NULL;
+        SSL *ssl;
+        SSL_CTX *ctx;
+        SSL_library_init();
+        SSL_load_error_strings();
+        ctx = SSL_CTX_new(SSLv23_client_method());
+        SSL_CTX_load_verify_locations(ctx, "/etc/ssl/cert.pem", NULL);
+        sd = tcp_connect(argv[1], argv[2]);
+        ssl = SSL_new(ctx);
+        SSL_set_fd(ssl, (int) sd);
+        SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
+        if (SSL_connect(ssl) <= 0) {
+                puts("SSL connect error");
+                exit(-1);
+        }
+        if (SSL_get_verify_result(ssl) != X509_V_OK) {
+                puts("Certificate doesn't verify");
+                exit(-1);
+        }
+        /* ==== VERIFY OCSP RESPONSE ==== */
+        len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
+        if (!p) {
+                puts("No OCSP response received");
+                exit(-1);
+        }
+        rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
+        if (!rsp) {
+                puts("Invalid OCSP response");
+                exit(-1);
+        }
+        ocsp_status = OCSP_response_status(rsp);
+        if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+                printf("Invalid OCSP response status: %s (%d)",
+                       OCSP_response_status_str(ocsp_status), ocsp_status);
+                exit(-1);
+        }
+        br = OCSP_response_get1_basic(rsp);
+        if (!br) {
+                puts("Invalid OCSP response");
+                exit(-1);
+        }
+        ch = SSL_get_peer_cert_chain(ssl);
+        st = SSL_CTX_get_cert_store(ctx);
+        if (OCSP_basic_verify(br, ch, st, 0) <= 0) {
+                puts("OCSP response verification failed");
+                exit(-1);
+        }
+        printf("OCSP validated from %s %s\n", argv[1], argv[2]);
+        return 0;
+}
author	beck <>	2016-07-04 23:43:30 +0000
committer	beck <>	2016-07-04 23:43:30 +0000
commit	a10ebb47986e84a40bd705767fec807aa331d337 (patch)
tree	4f9d64b1b0ff0e8975c367d0007b1017cc819cf3
parent	72c5fcefa0af7cca13d4df668cff9c5355cf3d95 (diff)
download	openbsd-a10ebb47986e84a40bd705767fec807aa331d337.tar.gz openbsd-a10ebb47986e84a40bd705767fec807aa331d337.tar.bz2 openbsd-a10ebb47986e84a40bd705767fec807aa331d337.zip

diff --git a/src/regress/lib/libcrypto/Makefile b/src/regress/lib/libcrypto/Makefile index 4931d0fdd8..a82ae259ea 100644 --- a/src/regress/lib/libcrypto/Makefile +++ b/src/regress/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.22 2015/09/25 16:12:30 jsing Exp $	1	# $OpenBSD: Makefile,v 1.23 2016/07/04 23:43:30 beck Exp $
2		2
3	SUBDIR= \	3	SUBDIR= \
4	aead \	4	aead \
@@ -27,6 +27,7 @@ SUBDIR= \
27	ige \	27	ige \
28	md4 \	28	md4 \
29	md5 \	29	md5 \
		30	ocsp \
30	pbkdf2 \	31	pbkdf2 \
31	pkcs7 \	32	pkcs7 \
32	poly1305 \	33	poly1305 \


diff --git a/src/regress/lib/libcrypto/ocsp/Makefile b/src/regress/lib/libcrypto/ocsp/Makefile new file mode 100644 index 0000000000..5748b48c77 --- /dev/null +++ b/src/regress/lib/libcrypto/ocsp/Makefile
@@ -0,0 +1,21 @@
		1	# $OpenBSD: Makefile,v 1.1 2016/07/04 23:43:30 beck Exp $
		2
		3	TESTS = \
		4	ocsp_test
		5
		6	REGRESS_TARGETS= all_tests
		7
		8	LDADD= -lcrypto -lssl
		9	DPADD= ${LIBCRYPTO} ${LIBSSL}
		10	WARNINGS= Yes
		11	LDFLAGS+= -lcrypto -lssl
		12	CFLAGS+= -DLIBRESSL_INTERNAL -Wall -Wundef -Werror
		13
		14	CLEANFILES+= ${TESTS}
		15
		16	all_tests: ${TESTS}
		17	@for test in $>; do \
		18	./$$test www.amazon.com 443; \
		19	done
		20
		21	.include <bsd.regress.mk>


diff --git a/src/regress/lib/libcrypto/ocsp/ocsp_test.c b/src/regress/lib/libcrypto/ocsp/ocsp_test.c new file mode 100644 index 0000000000..11dcda7462 --- /dev/null +++ b/src/regress/lib/libcrypto/ocsp/ocsp_test.c
@@ -0,0 +1,117 @@
		1	#include <stdio.h>
		2	#include <netdb.h>
		3	#include <stdlib.h>
		4	#include <unistd.h>
		5	#include <sys/socket.h>
		6
		7	#include <openssl/ssl.h>
		8	#include <openssl/ocsp.h>
		9
		10	static int tcp_connect(char host, char port) {
		11	int err, sd = -1;
		12	struct addrinfo hints, res, r;
		13
		14	memset(&hints, 0, sizeof(struct addrinfo));
		15	hints.ai_family = AF_INET;
		16	hints.ai_socktype = SOCK_STREAM;
		17
		18	err = getaddrinfo(host, port, &hints, &res);
		19	if (err != 0) {
		20	perror("getaddrinfo()");
		21	exit(-1);
		22	}
		23
		24	for (r = res; r != NULL; r = r->ai_next) {
		25	sd = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
		26	if (sd == -1)
		27	continue;
		28
		29	if (connect(sd, r->ai_addr, r->ai_addrlen) == 0)
		30	break;
		31
		32	close(sd);
		33	}
		34
		35	freeaddrinfo(res);
		36
		37	return sd;
		38	}
		39
		40	int main(int argc, char *argv[]) {
		41	int sd, ocsp_status;
		42	const unsigned char *p;
		43	long len;
		44	OCSP_RESPONSE *rsp = NULL;
		45	OCSP_BASICRESP *br = NULL;
		46	X509_STORE *st = NULL;
		47	STACK_OF(X509) *ch = NULL;
		48
		49	SSL *ssl;
		50	SSL_CTX *ctx;
		51
		52	SSL_library_init();
		53	SSL_load_error_strings();
		54
		55	ctx = SSL_CTX_new(SSLv23_client_method());
		56
		57	SSL_CTX_load_verify_locations(ctx, "/etc/ssl/cert.pem", NULL);
		58
		59	sd = tcp_connect(argv[1], argv[2]);
		60
		61	ssl = SSL_new(ctx);
		62
		63	SSL_set_fd(ssl, (int) sd);
		64	SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
		65
		66	if (SSL_connect(ssl) <= 0) {
		67	puts("SSL connect error");
		68	exit(-1);
		69	}
		70
		71	if (SSL_get_verify_result(ssl) != X509_V_OK) {
		72	puts("Certificate doesn't verify");
		73	exit(-1);
		74	}
		75
		76	/* ==== VERIFY OCSP RESPONSE ==== */
		77
		78
		79	len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
		80
		81	if (!p) {
		82	puts("No OCSP response received");
		83	exit(-1);
		84	}
		85
		86	rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
		87	if (!rsp) {
		88	puts("Invalid OCSP response");
		89	exit(-1);
		90	}
		91
		92	ocsp_status = OCSP_response_status(rsp);
		93	if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
		94	printf("Invalid OCSP response status: %s (%d)",
		95	OCSP_response_status_str(ocsp_status), ocsp_status);
		96	exit(-1);
		97	}
		98
		99	br = OCSP_response_get1_basic(rsp);
		100	if (!br) {
		101	puts("Invalid OCSP response");
		102	exit(-1);
		103	}
		104
		105	ch = SSL_get_peer_cert_chain(ssl);
		106	st = SSL_CTX_get_cert_store(ctx);
		107
		108	if (OCSP_basic_verify(br, ch, st, 0) <= 0) {
		109	puts("OCSP response verification failed");
		110	exit(-1);
		111	}
		112
		113	printf("OCSP validated from %s %s\n", argv[1], argv[2]);
		114
		115	return 0;
		116	}
		117