1 files changed, 117 insertions, 0 deletions
diff --git a/src/regress/lib/libcrypto/ocsp/ocsp_test.c b/src/regress/lib/libcrypto/ocsp/ocsp_test.c
new file mode 100644
index 0000000000..11dcda7462
--- /dev/null
+++ b/src/regress/lib/libcrypto/ocsp/ocsp_test.c
@@ -0,0 +1,117 @@
+#include <stdio.h>
+#include <netdb.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <openssl/ssl.h>
+#include <openssl/ocsp.h>
+static int tcp_connect(char *host, char *port) {
+        int err, sd = -1;
+        struct addrinfo hints, *res, *r;
+        memset(&hints, 0, sizeof(struct addrinfo));
+        hints.ai_family = AF_INET;
+        hints.ai_socktype = SOCK_STREAM;
+        err = getaddrinfo(host, port, &hints, &res);
+        if (err != 0) {
+                perror("getaddrinfo()");
+                exit(-1);
+        }
+        for (r = res; r != NULL; r = r->ai_next) {
+                sd = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
+                if (sd == -1)
+                        continue;
+                if (connect(sd, r->ai_addr, r->ai_addrlen) == 0)
+                        break;
+                close(sd);
+        }
+        freeaddrinfo(res);
+        return sd;
+}
+int main(int argc, char *argv[]) {
+        int sd, ocsp_status;
+        const unsigned char *p;
+        long len;
+        OCSP_RESPONSE *rsp = NULL;
+        OCSP_BASICRESP *br = NULL;
+        X509_STORE     *st = NULL;
+        STACK_OF(X509) *ch = NULL;
+        SSL *ssl;
+        SSL_CTX *ctx;
+        SSL_library_init();
+        SSL_load_error_strings();
+        ctx = SSL_CTX_new(SSLv23_client_method());
+        SSL_CTX_load_verify_locations(ctx, "/etc/ssl/cert.pem", NULL);
+        sd = tcp_connect(argv[1], argv[2]);
+        ssl = SSL_new(ctx);
+        SSL_set_fd(ssl, (int) sd);
+        SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
+        if (SSL_connect(ssl) <= 0) {
+                puts("SSL connect error");
+                exit(-1);
+        }
+        if (SSL_get_verify_result(ssl) != X509_V_OK) {
+                puts("Certificate doesn't verify");
+                exit(-1);
+        }
+        /* ==== VERIFY OCSP RESPONSE ==== */
+        len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
+        if (!p) {
+                puts("No OCSP response received");
+                exit(-1);
+        }
+        rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
+        if (!rsp) {
+                puts("Invalid OCSP response");
+                exit(-1);
+        }
+        ocsp_status = OCSP_response_status(rsp);
+        if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+                printf("Invalid OCSP response status: %s (%d)",
+                       OCSP_response_status_str(ocsp_status), ocsp_status);
+                exit(-1);
+        }
+        br = OCSP_response_get1_basic(rsp);
+        if (!br) {
+                puts("Invalid OCSP response");
+                exit(-1);
+        }
+        ch = SSL_get_peer_cert_chain(ssl);
+        st = SSL_CTX_get_cert_store(ctx);
+        if (OCSP_basic_verify(br, ch, st, 0) <= 0) {
+                puts("OCSP response verification failed");
+                exit(-1);
+        }
+        printf("OCSP validated from %s %s\n", argv[1], argv[2]);
+        return 0;
+}

diff --git a/src/regress/lib/libcrypto/ocsp/ocsp_test.c b/src/regress/lib/libcrypto/ocsp/ocsp_test.c new file mode 100644 index 0000000000..11dcda7462 --- /dev/null +++ b/src/regress/lib/libcrypto/ocsp/ocsp_test.c
@@ -0,0 +1,117 @@
	1	#include <stdio.h>
	2	#include <netdb.h>
	3	#include <stdlib.h>
	4	#include <unistd.h>
	5	#include <sys/socket.h>
	6
	7	#include <openssl/ssl.h>
	8	#include <openssl/ocsp.h>
	9
	10	static int tcp_connect(char host, char port) {
	11	int err, sd = -1;
	12	struct addrinfo hints, res, r;
	13
	14	memset(&hints, 0, sizeof(struct addrinfo));
	15	hints.ai_family = AF_INET;
	16	hints.ai_socktype = SOCK_STREAM;
	17
	18	err = getaddrinfo(host, port, &hints, &res);
	19	if (err != 0) {
	20	perror("getaddrinfo()");
	21	exit(-1);
	22	}
	23
	24	for (r = res; r != NULL; r = r->ai_next) {
	25	sd = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
	26	if (sd == -1)
	27	continue;
	28
	29	if (connect(sd, r->ai_addr, r->ai_addrlen) == 0)
	30	break;
	31
	32	close(sd);
	33	}
	34
	35	freeaddrinfo(res);
	36
	37	return sd;
	38	}
	39
	40	int main(int argc, char *argv[]) {
	41	int sd, ocsp_status;
	42	const unsigned char *p;
	43	long len;
	44	OCSP_RESPONSE *rsp = NULL;
	45	OCSP_BASICRESP *br = NULL;
	46	X509_STORE *st = NULL;
	47	STACK_OF(X509) *ch = NULL;
	48
	49	SSL *ssl;
	50	SSL_CTX *ctx;
	51
	52	SSL_library_init();
	53	SSL_load_error_strings();
	54
	55	ctx = SSL_CTX_new(SSLv23_client_method());
	56
	57	SSL_CTX_load_verify_locations(ctx, "/etc/ssl/cert.pem", NULL);
	58
	59	sd = tcp_connect(argv[1], argv[2]);
	60
	61	ssl = SSL_new(ctx);
	62
	63	SSL_set_fd(ssl, (int) sd);
	64	SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
	65
	66	if (SSL_connect(ssl) <= 0) {
	67	puts("SSL connect error");
	68	exit(-1);
	69	}
	70
	71	if (SSL_get_verify_result(ssl) != X509_V_OK) {
	72	puts("Certificate doesn't verify");
	73	exit(-1);
	74	}
	75
	76	/* ==== VERIFY OCSP RESPONSE ==== */
	77
	78
	79	len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
	80
	81	if (!p) {
	82	puts("No OCSP response received");
	83	exit(-1);
	84	}
	85
	86	rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
	87	if (!rsp) {
	88	puts("Invalid OCSP response");
	89	exit(-1);
	90	}
	91
	92	ocsp_status = OCSP_response_status(rsp);
	93	if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
	94	printf("Invalid OCSP response status: %s (%d)",
	95	OCSP_response_status_str(ocsp_status), ocsp_status);
	96	exit(-1);
	97	}
	98
	99	br = OCSP_response_get1_basic(rsp);
	100	if (!br) {
	101	puts("Invalid OCSP response");
	102	exit(-1);
	103	}
	104
	105	ch = SSL_get_peer_cert_chain(ssl);
	106	st = SSL_CTX_get_cert_store(ctx);
	107
	108	if (OCSP_basic_verify(br, ch, st, 0) <= 0) {
	109	puts("OCSP response verification failed");
	110	exit(-1);
	111	}
	112
	113	printf("OCSP validated from %s %s\n", argv[1], argv[2]);
	114
	115	return 0;
	116	}
	117