add ocs stapling checking for gg

2021-12-09 18:51:02 +00:00 · 2021-12-09 18:51:02 +00:00 · ea47a245aa
parent ebf3373d66
commit ea47a245aa
2 changed files with 12 additions and 3 deletions
--- a/regress/gg.1
+++ b/regress/gg.1
@ -20,7 +20,7 @@
 .Sh SYNOPSIS
 .Nm
 .Bk -words
-.Op Fl 23bchNVv
+.Op Fl 23bchNOVv
 .Op Fl C Pa cert.pem Fl K Pa key.pem
 .Op Fl H Ar hostname
 .Op Fl T Ar timeout
@ -55,6 +55,9 @@ Load the client certificate key, must be in PEM format.
 .It Fl N
 Don't check whether the peer certificate name matches the requested
 hostname.
+.It Fl O
+Require that a valid stapled OCSP response be provided during the TLS
+handshake.
 .It Fl T Ar timeout
 Kill
 .Nm
--- a/regress/gg.c
+++ b/regress/gg.c
@ -18,7 +18,7 @@

 #include <string.h>

-int flag2, flag3, bflag, cflag, hflag, Nflag, Vflag, vflag;
+int flag2, flag3, bflag, cflag, hflag, Nflag, Oflag, Vflag, vflag;
 const char *cert, *key;

 static void
@ -42,7 +42,7 @@ main(int argc, char **argv)
 	ssize_t len;

 	hostname = NULL;
-	while ((ch = getopt(argc, argv, "23C:cbH:hK:NT:Vv")) != -1) {
+	while ((ch = getopt(argc, argv, "23C:cbH:hK:NOT:Vv")) != -1) {
 		switch (ch) {
 		case '2':
 			flag2 = 1;
@ -71,6 +71,9 @@ main(int argc, char **argv)
 		case 'N':
 			Nflag = 1;
 			break;
+		case 'O':
+			Oflag = 1;
+			break;
 		case 'T':
 			timer = strtonum(optarg, 1, 1000, &errstr);
 			if (errstr != NULL)
@ -125,6 +128,9 @@ main(int argc, char **argv)
 	if (Nflag)
 		tls_config_insecure_noverifyname(conf);

+	if (Oflag)
+		tls_config_ocsp_require_stapling(conf);
+
 	if (flag2 && tls_config_set_protocols(conf, TLS_PROTOCOL_TLSv1_2) == -1)
 		errx(1, "cannot set TLSv1.2");
 	if (flag3 && tls_config_set_protocols(conf, TLS_PROTOCOL_TLSv1_3) == -1)