From 3b70b9f0a38d3708aa9fdc7ea9d8998387fb07cf Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 4 Oct 2012 19:10:26 +0200 Subject: [PATCH] gnutls_certificate_verify_peers2() checks ocsp status response if available. --- doc/cha-intro-tls.texi | 25 ++- doc/invoke-gnutls-cli.texi | 12 +- lib/gnutls_cert.c | 6 +- lib/gnutls_x509.c | 114 +++++++++++- src/cli-args.c | 426 +++++++++++++++++++++++---------------------- src/cli-args.def | 2 + src/cli-args.h | 2 +- src/cli.c | 24 +-- 8 files changed, 370 insertions(+), 241 deletions(-) diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi index ee58f0cfc..aa5eaa2dd 100644 --- a/doc/cha-intro-tls.texi +++ b/doc/cha-intro-tls.texi @@ -398,6 +398,7 @@ and they will be discussed in the subsections that follow. * Session tickets:: * HeartBeat:: * Safe renegotiation:: +* OCSP status request:: @end menu @node Maximum fragment length negotiation @@ -459,10 +460,8 @@ The requests coming from the peer result to @code{GNUTLS_@-E_@-HERTBEAT_@-PING_@ being returned from the receive function. Ping requests to peer can be send via @funcref{gnutls_heartbeat_ping}. -Policy-related functions: @showfuncB{gnutls_heartbeat_allowed,gnutls_heartbeat_enable} -Operational functions: @showfuncD{gnutls_heartbeat_ping,gnutls_heartbeat_pong,gnutls_heartbeat_set_timeouts,gnutls_heartbeat_get_timeout} @node Safe renegotiation 
@@ -564,6 +563,28 @@ renegotiation. The @funcref{gnutls_safe_renegotiation_status} function is used to check if the extension has been negotiated on a session, and can be used both by clients and servers. +@node OCSP status request +@subsection OCSP status request +@cindex OCSP status request +@cindex Certificate status request + +The Online Certificate Status Protocol (OCSP) is a protocol that allows the +client to verify the server certificate for revocation without messing with +certificate revocation lists. Its drawback is that it requires the client +to connect to the server's CA OCSP server and ask for the status of the +certificate. This extension however, enables a TLS server to include +its CA OCSP server response in the handshake. That is an HTTPS server +may periodically run @code{ocsptool} (see @ref{ocsptool Invocation}) to obtain +its certificate revocation status and serve it to the clients. This +reduces the number of connections a client needs to perform to access a +secure server. + +Server functions: +@showfuncB{gnutls_certificate_set_ocsp_status_request_function,gnutls_certificate_set_ocsp_status_request_file} + +Client functions: +@showfuncA{gnutls_ocsp_status_request_enable_client} + @include sec-tls-app.texi @node On SSL 2 and older protocols diff --git a/doc/invoke-gnutls-cli.texi b/doc/invoke-gnutls-cli.texi index c0191e9a1..dad4069c4 100644 --- a/doc/invoke-gnutls-cli.texi +++ b/doc/invoke-gnutls-cli.texi @@ -7,7 +7,7 @@ # # DO NOT EDIT THIS FILE (invoke-gnutls-cli.texi) # -# It has been AutoGen-ed September 30, 2012 at 04:41:48 PM by AutoGen 5.16 +# It has been AutoGen-ed October 4, 2012 at 07:18:42 PM by AutoGen 5.16 # From the definitions ../src/cli-args.def # and the template file agtexi-cmd.tpl @end ignore 
@@ -52,6 +52,8 @@ USAGE: gnutls-cli [ - [] | --[@{=| @}] ]... [hostname] -e, --rehandshake Establish a session and rehandshake --noticket Don't accept session tickets --ocsp-status-request Enable OCSP status request + - disabled as --no-ocsp-status-request + - enabled by default -s, --starttls Connect, establish a plain session and start TLS. -u, --udp Use DTLS (datagram TLS) over UDP --mtu=num Set MTU for datagram TLS @@ -144,6 +146,14 @@ Connect, establish a session and rehandshake immediately. @cindex gnutls-cli-ocsp-status-request This is the ``enable ocsp status request'' option. + +@noindent +This option has some usage constraints. It: +@itemize @bullet +@item +is enabled by default. +@end itemize + The client will indicate to the server in a TLS extension that it wants a OCSP status request. @anchor{gnutls-cli starttls} @subheading starttls option (-s) diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index fef4e96b5..d5912e9a2 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -644,8 +644,10 @@ _gnutls_openpgp_crt_verify_peers (gnutls_session_t session, * be one or more of the gnutls_certificate_status_t enumerated * elements bitwise or'd. To avoid denial of service attacks some * default upper limits regarding the certificate key size and chain - * size are set. To override them use - * gnutls_certificate_set_verify_limits(). + * size are set. To override them use gnutls_certificate_set_verify_limits(). + * + * This function will utilize the OCSP Certificate Status extension if + * negotiated --to enable see gnutls_ocsp_status_request_enable_client(). * * Note that you must also check the peer's name in order to check if * the verified certificate belongs to the actual peer, see gnutls_x509_crt_check_hostname(). diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 49ac9b1ff..1d7128b3c 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c 
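Review bot: The new sentence in the gnutls_certificate_verify_peers2 comment says the OCSP status extension is "utilized" but not what the caller observes, which is the part a caller needs: per the lib/gnutls_x509.c hunks of this commit, a stapled response that verifies and reports revocation adds GNUTLS_CERT_REVOKED to the returned status, whereas an absent, malformed, unverifiable or stale response contributes nothing and is only audit-logged. Suggest appending ` * A stapled response that reports the certificate as revoked sets GNUTLS_CERT_REVOKED` / ` * in @status; an absent or unverifiable response does not affect @status.` so callers do not assume a "good" stapled response was required.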
@@ -38,6 +38,7 @@
 #include
 #include
 #include
+#include
 #include "x509/common.h"
 #include "x509/x509_int.h"
 #include
@@ -84,6 +85,91 @@ check_bits (gnutls_session_t session, gnutls_x509_crt_t crt, unsigned int max_bi return 0; } +/* three days */ +#define MAX_OCSP_VALIDITY_SECS (3*60*60*24) + +/* Returns: + * -1: certificate is revoked + * 1: certificate is ok + * 0: dunno + */ +static int +check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert, + gnutls_x509_crt_t issuer, + gnutls_datum_t *data) +{ + gnutls_ocsp_resp_t resp; + int ret; + unsigned int status, cert_status; + time_t rtime, vtime, ntime, now; + + now = gnutls_time(0); + + ret = gnutls_ocsp_resp_init (&resp); + if (ret < 0) + return gnutls_assert_val(0); + + ret = gnutls_ocsp_resp_import (resp, data); + if (ret < 0) + return gnutls_assert_val(0); + + ret = gnutls_ocsp_resp_check_crt(resp, 0, cert); + if (ret < 0) + { + _gnutls_audit_log (session, "Got OCSP response on an unrelated certificate (ignoring)\n"); + ret = 0; + goto cleanup; + } + + ret = gnutls_ocsp_resp_verify_direct( resp, issuer, &status, 0); + if (ret < 0) + return gnutls_assert_val(0); + + /* do not consider revocation data if response was not verified */ + if (status != 0) + { + ret = gnutls_assert_val(0); + goto cleanup; + } + + ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL, + &cert_status, &vtime, &ntime, &rtime, NULL); + if (ret < 0) + { + ret = gnutls_assert_val(0); + goto cleanup; + } + + if (cert_status == GNUTLS_OCSP_CERT_REVOKED) + { + _gnutls_audit_log(session, "The certificate was revoked via OCSP\n"); + ret = gnutls_assert_val(-1); + goto cleanup; + } + + if (ntime == -1) + { + if (now - vtime > MAX_OCSP_VALIDITY_SECS) + { + _gnutls_audit_log(session, "The OCSP response is old\n"); + } + } + else + { + /* there is a newer OCSP answer, don't trust this one */ + if (ntime < now) + { + _gnutls_audit_log(session, "There is a newer OCSP response but was not provided by the server\n"); + } + } + + ret = 1; +cleanup: + gnutls_ocsp_resp_deinit (resp); + + return ret; +} + #define CLEAR_CERTS for(x=0;x 1) + issuer 
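Review bot: check_ocsp_response leaks the gnutls_ocsp_resp_t on two paths: once gnutls_ocsp_resp_init has succeeded, both the `gnutls_ocsp_resp_import` failure and the `gnutls_ocsp_resp_verify_direct` failure do `return gnutls_assert_val(0);` instead of `goto cleanup`, so gnutls_ocsp_resp_deinit never runs for a malformed or unverifiable stapled response. Separately, the two staleness branches (`now - vtime > MAX_OCSP_VALIDITY_SECS` and `ntime < now`) only write an audit message and then fall through to `ret = 1`, so an expired response is reported as "ok" exactly like a fresh one; returning 0 ("dunno") there keeps the audit message while denying the stale response any positive weight. A cert_status of GNUTLS_OCSP_CERT_UNKNOWN also lands on the `ret = 1` path, which may be intended but deserves a one-line comment. The trailing context of this hunk (the CLEAR_CERTS macro) is truncated in this view.
```c
  ret = gnutls_ocsp_resp_import (resp, data);
  if (ret < 0)
    {
      ret = gnutls_assert_val(0);
      goto cleanup;
    }
  /* … unchanged: gnutls_ocsp_resp_check_crt and its audit log … */
  ret = gnutls_ocsp_resp_verify_direct( resp, issuer, &status, 0);
  if (ret < 0)
    {
      ret = gnutls_assert_val(0);
      goto cleanup;
    }
  /* … unchanged: status != 0, gnutls_ocsp_resp_get_single, REVOKED checks … */
  if (ntime == -1)
    {
      if (now - vtime > MAX_OCSP_VALIDITY_SECS)
        {
          _gnutls_audit_log(session, "The OCSP response is old\n");
          ret = gnutls_assert_val(0); /* stale: no opinion either way */
          goto cleanup;
        }
    }
  else if (ntime < now)
    {
      /* nextUpdate has passed: a fresher response exists that was not stapled */
      _gnutls_audit_log(session, "There is a newer OCSP response but was not provided by the server\n");
      ret = gnutls_assert_val(0);
      goto cleanup;
    }

  ret = 1;
```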
= peer_certificate_list[1]; + else + { + ret = gnutls_x509_trust_list_get_issuer(cred->tlist, peer_certificate_list[0], + &issuer, 0); + if (ret < 0) + { + goto skip_ocsp; + } + } + + ret = check_ocsp_response(session, peer_certificate_list[0], issuer, &resp); + if (ret < 0) /* revoked */ + ocsp_status |= GNUTLS_CERT_REVOKED; + +skip_ocsp: /* Verify certificate */ - ret = gnutls_x509_trust_list_verify_crt (cred->tlist, peer_certificate_list, peer_certificate_list_size, cred->verify_flags | session->internals. @@ -195,6 +305,8 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session, return ret; } + *status |= ocsp_status; + return 0; } diff --git a/src/cli-args.c b/src/cli-args.c index 2566d5186..62b005444 100644 --- a/src/cli-args.c +++ b/src/cli-args.c @@ -2,7 +2,7 @@ * * DO NOT EDIT THIS FILE (cli-args.c) * - * It has been AutoGen-ed September 30, 2012 at 03:25:07 PM by AutoGen 5.16 + * It has been AutoGen-ed October 4, 2012 at 07:09:10 PM by AutoGen 5.16 * From the definitions cli-args.def * and the template file options * @@ -67,7 +67,7 @@ extern FILE * option_usage_fp; /* * gnutls-cli option static const strings */ -static char const gnutls_cli_opt_strs[3605] = +static char const gnutls_cli_opt_strs[3608] = /* 0 */ "gnutls-cli @VERSION@\n" "Copyright (C) 2000-2012 Free Software Foundation, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" 
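Review bot: `*status |= ocsp_status;` can yield a status word with GNUTLS_CERT_REVOKED set but GNUTLS_CERT_INVALID clear, because the only bit this diff ever puts into ocsp_status is GNUTLS_CERT_REVOKED (the `ocsp_status |= GNUTLS_CERT_REVOKED;` line in the preceding hunk). Callers following the common pattern of testing only GNUTLS_CERT_INVALID would then treat a certificate that the stapled response declares revoked as acceptable, unless gnutls_x509_trust_list_verify_crt independently rejects it. Consider `if (ocsp_status) *status |= ocsp_status | GNUTLS_CERT_INVALID;` here, or setting both bits at the assignment in the preceding hunk, whose header is not visible in this view.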
@@ -111,114 +111,114 @@ static char const gnutls_cli_opt_strs[3605] = /* 1253 */ "noticket\0" /* 1262 */ "Enable OCSP status request\0" /* 1289 */ "OCSP_STATUS_REQUEST\0" -/* 1309 */ "ocsp-status-request\0" -/* 1329 */ "Connect, establish a plain session and start TLS.\0" -/* 1379 */ "STARTTLS\0" -/* 1388 */ "starttls\0" -/* 1397 */ "Use DTLS (datagram TLS) over UDP\0" -/* 1430 */ "UDP\0" -/* 1434 */ "udp\0" -/* 1438 */ "Set MTU for datagram TLS\0" -/* 1463 */ "MTU\0" -/* 1467 */ "mtu\0" -/* 1471 */ "Send CR LF instead of LF\0" -/* 1496 */ "CRLF\0" -/* 1501 */ "crlf\0" -/* 1506 */ "Use DER format for certificates to read from\0" -/* 1551 */ "X509FMTDER\0" -/* 1562 */ "x509fmtder\0" -/* 1573 */ "Send the openpgp fingerprint, instead of the key\0" -/* 1622 */ "FINGERPRINT\0" -/* 1634 */ "fingerprint\0" -/* 1646 */ "Disable all the TLS extensions\0" -/* 1677 */ "DISABLE_EXTENSIONS\0" -/* 1696 */ "disable-extensions\0" -/* 1715 */ "Print peer's certificate in PEM format\0" -/* 1754 */ "PRINT_CERT\0" -/* 1765 */ "print-cert\0" -/* 1776 */ "The maximum record size to advertize\0" -/* 1813 */ "RECORDSIZE\0" -/* 1824 */ "recordsize\0" -/* 1835 */ "The minimum number of bits allowed for DH\0" -/* 1877 */ "DH_BITS\0" -/* 1885 */ "dh-bits\0" -/* 1893 */ "Priorities string\0" -/* 1911 */ "PRIORITY\0" -/* 1920 */ "priority\0" -/* 1929 */ "Certificate file or PKCS #11 URL to use\0" -/* 1969 */ "X509CAFILE\0" -/* 1980 */ "x509cafile\0" -/* 1991 */ "CRL file to use\0" -/* 2007 */ "X509CRLFILE\0" -/* 2019 */ "x509crlfile\0" -/* 2031 */ "PGP Key file to use\0" -/* 2051 */ "PGPKEYFILE\0" -/* 2062 */ "pgpkeyfile\0" -/* 2073 */ "PGP Key ring file to use\0" -/* 2098 */ "PGPKEYRING\0" -/* 2109 */ "pgpkeyring\0" -/* 2120 */ "PGP Public Key (certificate) file to use\0" -/* 2161 */ "PGPCERTFILE\0" -/* 2173 */ "pgpcertfile\0" -/* 2185 */ "X.509 key file or PKCS #11 URL to use\0" -/* 2223 */ "X509KEYFILE\0" -/* 2235 */ "x509keyfile\0" -/* 2247 */ "X.509 Certificate file or PKCS #11 URL to 
use\0" -/* 2293 */ "X509CERTFILE\0" -/* 2306 */ "x509certfile\0" -/* 2319 */ "PGP subkey to use (hex or auto)\0" -/* 2351 */ "PGPSUBKEY\0" -/* 2361 */ "pgpsubkey\0" -/* 2371 */ "SRP username to use\0" -/* 2391 */ "SRPUSERNAME\0" -/* 2403 */ "srpusername\0" -/* 2415 */ "SRP password to use\0" -/* 2435 */ "SRPPASSWD\0" -/* 2445 */ "srppasswd\0" -/* 2455 */ "PSK username to use\0" -/* 2475 */ "PSKUSERNAME\0" -/* 2487 */ "pskusername\0" -/* 2499 */ "PSK key (in hex) to use\0" -/* 2523 */ "PSKKEY\0" -/* 2530 */ "pskkey\0" -/* 2537 */ "The port or service to connect to\0" -/* 2571 */ "PORT\0" -/* 2576 */ "port\0" -/* 2581 */ "Don't abort program if server certificate can't be validated\0" -/* 2642 */ "INSECURE\0" -/* 2651 */ "insecure\0" -/* 2660 */ "Benchmark individual ciphers\0" -/* 2689 */ "BENCHMARK_CIPHERS\0" -/* 2707 */ "benchmark-ciphers\0" -/* 2725 */ "Benchmark individual software ciphers (no hw acceleration)\0" -/* 2784 */ "BENCHMARK_SOFT_CIPHERS\0" -/* 2807 */ "benchmark-soft-ciphers\0" -/* 2830 */ "Benchmark TLS key exchange methods\0" -/* 2865 */ "BENCHMARK_TLS_KX\0" -/* 2882 */ "benchmark-tls-kx\0" -/* 2899 */ "Benchmark TLS ciphers\0" -/* 2921 */ "BENCHMARK_TLS_CIPHERS\0" -/* 2943 */ "benchmark-tls-ciphers\0" -/* 2965 */ "Print a list of the supported algorithms and modes\0" -/* 3016 */ "LIST\0" -/* 3021 */ "list\0" -/* 3026 */ "Display extended usage information and exit\0" -/* 3070 */ "help\0" -/* 3075 */ "Extended usage information passed thru pager\0" -/* 3120 */ "more-help\0" -/* 3130 */ "Output version information and exit\0" -/* 3166 */ "version\0" -/* 3174 */ "GNUTLS_CLI\0" -/* 3185 */ "gnutls-cli - GnuTLS client - Ver. 
@VERSION@\n" +/* 1309 */ "no-ocsp-status-request\0" +/* 1332 */ "Connect, establish a plain session and start TLS.\0" +/* 1382 */ "STARTTLS\0" +/* 1391 */ "starttls\0" +/* 1400 */ "Use DTLS (datagram TLS) over UDP\0" +/* 1433 */ "UDP\0" +/* 1437 */ "udp\0" +/* 1441 */ "Set MTU for datagram TLS\0" +/* 1466 */ "MTU\0" +/* 1470 */ "mtu\0" +/* 1474 */ "Send CR LF instead of LF\0" +/* 1499 */ "CRLF\0" +/* 1504 */ "crlf\0" +/* 1509 */ "Use DER format for certificates to read from\0" +/* 1554 */ "X509FMTDER\0" +/* 1565 */ "x509fmtder\0" +/* 1576 */ "Send the openpgp fingerprint, instead of the key\0" +/* 1625 */ "FINGERPRINT\0" +/* 1637 */ "fingerprint\0" +/* 1649 */ "Disable all the TLS extensions\0" +/* 1680 */ "DISABLE_EXTENSIONS\0" +/* 1699 */ "disable-extensions\0" +/* 1718 */ "Print peer's certificate in PEM format\0" +/* 1757 */ "PRINT_CERT\0" +/* 1768 */ "print-cert\0" +/* 1779 */ "The maximum record size to advertize\0" +/* 1816 */ "RECORDSIZE\0" +/* 1827 */ "recordsize\0" +/* 1838 */ "The minimum number of bits allowed for DH\0" +/* 1880 */ "DH_BITS\0" +/* 1888 */ "dh-bits\0" +/* 1896 */ "Priorities string\0" +/* 1914 */ "PRIORITY\0" +/* 1923 */ "priority\0" +/* 1932 */ "Certificate file or PKCS #11 URL to use\0" +/* 1972 */ "X509CAFILE\0" +/* 1983 */ "x509cafile\0" +/* 1994 */ "CRL file to use\0" +/* 2010 */ "X509CRLFILE\0" +/* 2022 */ "x509crlfile\0" +/* 2034 */ "PGP Key file to use\0" +/* 2054 */ "PGPKEYFILE\0" +/* 2065 */ "pgpkeyfile\0" +/* 2076 */ "PGP Key ring file to use\0" +/* 2101 */ "PGPKEYRING\0" +/* 2112 */ "pgpkeyring\0" +/* 2123 */ "PGP Public Key (certificate) file to use\0" +/* 2164 */ "PGPCERTFILE\0" +/* 2176 */ "pgpcertfile\0" +/* 2188 */ "X.509 key file or PKCS #11 URL to use\0" +/* 2226 */ "X509KEYFILE\0" +/* 2238 */ "x509keyfile\0" +/* 2250 */ "X.509 Certificate file or PKCS #11 URL to use\0" +/* 2296 */ "X509CERTFILE\0" +/* 2309 */ "x509certfile\0" +/* 2322 */ "PGP subkey to use (hex or auto)\0" +/* 2354 */ "PGPSUBKEY\0" +/* 2364 */ 
"pgpsubkey\0" +/* 2374 */ "SRP username to use\0" +/* 2394 */ "SRPUSERNAME\0" +/* 2406 */ "srpusername\0" +/* 2418 */ "SRP password to use\0" +/* 2438 */ "SRPPASSWD\0" +/* 2448 */ "srppasswd\0" +/* 2458 */ "PSK username to use\0" +/* 2478 */ "PSKUSERNAME\0" +/* 2490 */ "pskusername\0" +/* 2502 */ "PSK key (in hex) to use\0" +/* 2526 */ "PSKKEY\0" +/* 2533 */ "pskkey\0" +/* 2540 */ "The port or service to connect to\0" +/* 2574 */ "PORT\0" +/* 2579 */ "port\0" +/* 2584 */ "Don't abort program if server certificate can't be validated\0" +/* 2645 */ "INSECURE\0" +/* 2654 */ "insecure\0" +/* 2663 */ "Benchmark individual ciphers\0" +/* 2692 */ "BENCHMARK_CIPHERS\0" +/* 2710 */ "benchmark-ciphers\0" +/* 2728 */ "Benchmark individual software ciphers (no hw acceleration)\0" +/* 2787 */ "BENCHMARK_SOFT_CIPHERS\0" +/* 2810 */ "benchmark-soft-ciphers\0" +/* 2833 */ "Benchmark TLS key exchange methods\0" +/* 2868 */ "BENCHMARK_TLS_KX\0" +/* 2885 */ "benchmark-tls-kx\0" +/* 2902 */ "Benchmark TLS ciphers\0" +/* 2924 */ "BENCHMARK_TLS_CIPHERS\0" +/* 2946 */ "benchmark-tls-ciphers\0" +/* 2968 */ "Print a list of the supported algorithms and modes\0" +/* 3019 */ "LIST\0" +/* 3024 */ "list\0" +/* 3029 */ "Display extended usage information and exit\0" +/* 3073 */ "help\0" +/* 3078 */ "Extended usage information passed thru pager\0" +/* 3123 */ "more-help\0" +/* 3133 */ "Output version information and exit\0" +/* 3169 */ "version\0" +/* 3177 */ "GNUTLS_CLI\0" +/* 3188 */ "gnutls-cli - GnuTLS client - Ver. @VERSION@\n" "USAGE: %s [ - [] | --[{=| }] ]... [hostname]\n\0" -/* 3298 */ "bug-gnutls@gnu.org\0" -/* 3317 */ "\n\n\0" -/* 3320 */ "\n" +/* 3301 */ "bug-gnutls@gnu.org\0" +/* 3320 */ "\n\n\0" +/* 3323 */ "\n" "Simple client program to set up a TLS connection to some other computer. 
It\n" "sets up a TLS connection and forwards data from the standard input to the\n" "secured socket and vice versa.\n\0" -/* 3504 */ "gnutls-cli @VERSION@\0" -/* 3525 */ "Usage: gnutls-cli [options] hostname\n" +/* 3507 */ "gnutls-cli @VERSION@\0" +/* 3528 */ "Usage: gnutls-cli [options] hostname\n" "gnutls-cli --help for usage instructions.\n"; /* 
@@ -295,274 +295,276 @@ static char const gnutls_cli_opt_strs[3605] = */ #define OCSP_STATUS_REQUEST_DESC (gnutls_cli_opt_strs+1262) #define OCSP_STATUS_REQUEST_NAME (gnutls_cli_opt_strs+1289) -#define OCSP_STATUS_REQUEST_name (gnutls_cli_opt_strs+1309) -#define OCSP_STATUS_REQUEST_FLAGS (OPTST_DISABLED) +#define NOT_OCSP_STATUS_REQUEST_name (gnutls_cli_opt_strs+1309) +#define NOT_OCSP_STATUS_REQUEST_PFX (gnutls_cli_opt_strs+1010) +#define OCSP_STATUS_REQUEST_name (NOT_OCSP_STATUS_REQUEST_name + 3) +#define OCSP_STATUS_REQUEST_FLAGS (OPTST_INITENABLED) /* * starttls option description: */ -#define STARTTLS_DESC (gnutls_cli_opt_strs+1329) -#define STARTTLS_NAME (gnutls_cli_opt_strs+1379) -#define STARTTLS_name (gnutls_cli_opt_strs+1388) +#define STARTTLS_DESC (gnutls_cli_opt_strs+1332) +#define STARTTLS_NAME (gnutls_cli_opt_strs+1382) +#define STARTTLS_name (gnutls_cli_opt_strs+1391) #define STARTTLS_FLAGS (OPTST_DISABLED) /* * udp option description: */ -#define UDP_DESC (gnutls_cli_opt_strs+1397) -#define UDP_NAME (gnutls_cli_opt_strs+1430) -#define UDP_name (gnutls_cli_opt_strs+1434) +#define UDP_DESC (gnutls_cli_opt_strs+1400) +#define UDP_NAME (gnutls_cli_opt_strs+1433) +#define UDP_name (gnutls_cli_opt_strs+1437) #define UDP_FLAGS (OPTST_DISABLED) /* * mtu option description: */ -#define MTU_DESC (gnutls_cli_opt_strs+1438) -#define MTU_NAME (gnutls_cli_opt_strs+1463) -#define MTU_name (gnutls_cli_opt_strs+1467) +#define MTU_DESC (gnutls_cli_opt_strs+1441) +#define MTU_NAME (gnutls_cli_opt_strs+1466) +#define MTU_name (gnutls_cli_opt_strs+1470) #define MTU_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC)) /* * crlf option description: */ -#define CRLF_DESC (gnutls_cli_opt_strs+1471) -#define CRLF_NAME (gnutls_cli_opt_strs+1496) -#define CRLF_name (gnutls_cli_opt_strs+1501) +#define CRLF_DESC (gnutls_cli_opt_strs+1474) +#define CRLF_NAME (gnutls_cli_opt_strs+1499) +#define CRLF_name (gnutls_cli_opt_strs+1504) #define CRLF_FLAGS (OPTST_DISABLED) /* 
* x509fmtder option description: */ -#define X509FMTDER_DESC (gnutls_cli_opt_strs+1506) -#define X509FMTDER_NAME (gnutls_cli_opt_strs+1551) -#define X509FMTDER_name (gnutls_cli_opt_strs+1562) +#define X509FMTDER_DESC (gnutls_cli_opt_strs+1509) +#define X509FMTDER_NAME (gnutls_cli_opt_strs+1554) +#define X509FMTDER_name (gnutls_cli_opt_strs+1565) #define X509FMTDER_FLAGS (OPTST_DISABLED) /* * fingerprint option description: */ -#define FINGERPRINT_DESC (gnutls_cli_opt_strs+1573) -#define FINGERPRINT_NAME (gnutls_cli_opt_strs+1622) -#define FINGERPRINT_name (gnutls_cli_opt_strs+1634) +#define FINGERPRINT_DESC (gnutls_cli_opt_strs+1576) +#define FINGERPRINT_NAME (gnutls_cli_opt_strs+1625) +#define FINGERPRINT_name (gnutls_cli_opt_strs+1637) #define FINGERPRINT_FLAGS (OPTST_DISABLED) /* * disable-extensions option description: */ -#define DISABLE_EXTENSIONS_DESC (gnutls_cli_opt_strs+1646) -#define DISABLE_EXTENSIONS_NAME (gnutls_cli_opt_strs+1677) -#define DISABLE_EXTENSIONS_name (gnutls_cli_opt_strs+1696) +#define DISABLE_EXTENSIONS_DESC (gnutls_cli_opt_strs+1649) +#define DISABLE_EXTENSIONS_NAME (gnutls_cli_opt_strs+1680) +#define DISABLE_EXTENSIONS_name (gnutls_cli_opt_strs+1699) #define DISABLE_EXTENSIONS_FLAGS (OPTST_DISABLED) /* * print-cert option description: */ -#define PRINT_CERT_DESC (gnutls_cli_opt_strs+1715) -#define PRINT_CERT_NAME (gnutls_cli_opt_strs+1754) -#define PRINT_CERT_name (gnutls_cli_opt_strs+1765) +#define PRINT_CERT_DESC (gnutls_cli_opt_strs+1718) +#define PRINT_CERT_NAME (gnutls_cli_opt_strs+1757) +#define PRINT_CERT_name (gnutls_cli_opt_strs+1768) #define PRINT_CERT_FLAGS (OPTST_DISABLED) /* * recordsize option description: */ -#define RECORDSIZE_DESC (gnutls_cli_opt_strs+1776) -#define RECORDSIZE_NAME (gnutls_cli_opt_strs+1813) -#define RECORDSIZE_name (gnutls_cli_opt_strs+1824) +#define RECORDSIZE_DESC (gnutls_cli_opt_strs+1779) +#define RECORDSIZE_NAME (gnutls_cli_opt_strs+1816) +#define RECORDSIZE_name (gnutls_cli_opt_strs+1827) #define 
RECORDSIZE_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC)) /* * dh-bits option description: */ -#define DH_BITS_DESC (gnutls_cli_opt_strs+1835) -#define DH_BITS_NAME (gnutls_cli_opt_strs+1877) -#define DH_BITS_name (gnutls_cli_opt_strs+1885) +#define DH_BITS_DESC (gnutls_cli_opt_strs+1838) +#define DH_BITS_NAME (gnutls_cli_opt_strs+1880) +#define DH_BITS_name (gnutls_cli_opt_strs+1888) #define DH_BITS_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC)) /* * priority option description: */ -#define PRIORITY_DESC (gnutls_cli_opt_strs+1893) -#define PRIORITY_NAME (gnutls_cli_opt_strs+1911) -#define PRIORITY_name (gnutls_cli_opt_strs+1920) +#define PRIORITY_DESC (gnutls_cli_opt_strs+1896) +#define PRIORITY_NAME (gnutls_cli_opt_strs+1914) +#define PRIORITY_name (gnutls_cli_opt_strs+1923) #define PRIORITY_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * x509cafile option description: */ -#define X509CAFILE_DESC (gnutls_cli_opt_strs+1929) -#define X509CAFILE_NAME (gnutls_cli_opt_strs+1969) -#define X509CAFILE_name (gnutls_cli_opt_strs+1980) +#define X509CAFILE_DESC (gnutls_cli_opt_strs+1932) +#define X509CAFILE_NAME (gnutls_cli_opt_strs+1972) +#define X509CAFILE_name (gnutls_cli_opt_strs+1983) #define X509CAFILE_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * x509crlfile option description: */ -#define X509CRLFILE_DESC (gnutls_cli_opt_strs+1991) -#define X509CRLFILE_NAME (gnutls_cli_opt_strs+2007) -#define X509CRLFILE_name (gnutls_cli_opt_strs+2019) +#define X509CRLFILE_DESC (gnutls_cli_opt_strs+1994) +#define X509CRLFILE_NAME (gnutls_cli_opt_strs+2010) +#define X509CRLFILE_name (gnutls_cli_opt_strs+2022) #define X509CRLFILE_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE)) /* * pgpkeyfile option description: */ -#define PGPKEYFILE_DESC (gnutls_cli_opt_strs+2031) -#define PGPKEYFILE_NAME (gnutls_cli_opt_strs+2051) -#define PGPKEYFILE_name (gnutls_cli_opt_strs+2062) +#define PGPKEYFILE_DESC 
(gnutls_cli_opt_strs+2034) +#define PGPKEYFILE_NAME (gnutls_cli_opt_strs+2054) +#define PGPKEYFILE_name (gnutls_cli_opt_strs+2065) #define PGPKEYFILE_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE)) /* * pgpkeyring option description: */ -#define PGPKEYRING_DESC (gnutls_cli_opt_strs+2073) -#define PGPKEYRING_NAME (gnutls_cli_opt_strs+2098) -#define PGPKEYRING_name (gnutls_cli_opt_strs+2109) +#define PGPKEYRING_DESC (gnutls_cli_opt_strs+2076) +#define PGPKEYRING_NAME (gnutls_cli_opt_strs+2101) +#define PGPKEYRING_name (gnutls_cli_opt_strs+2112) #define PGPKEYRING_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE)) /* * pgpcertfile option description: */ -#define PGPCERTFILE_DESC (gnutls_cli_opt_strs+2120) -#define PGPCERTFILE_NAME (gnutls_cli_opt_strs+2161) -#define PGPCERTFILE_name (gnutls_cli_opt_strs+2173) +#define PGPCERTFILE_DESC (gnutls_cli_opt_strs+2123) +#define PGPCERTFILE_NAME (gnutls_cli_opt_strs+2164) +#define PGPCERTFILE_name (gnutls_cli_opt_strs+2176) #define PGPCERTFILE_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE)) /* * x509keyfile option description: */ -#define X509KEYFILE_DESC (gnutls_cli_opt_strs+2185) -#define X509KEYFILE_NAME (gnutls_cli_opt_strs+2223) -#define X509KEYFILE_name (gnutls_cli_opt_strs+2235) +#define X509KEYFILE_DESC (gnutls_cli_opt_strs+2188) +#define X509KEYFILE_NAME (gnutls_cli_opt_strs+2226) +#define X509KEYFILE_name (gnutls_cli_opt_strs+2238) #define X509KEYFILE_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * x509certfile option description: */ -#define X509CERTFILE_DESC (gnutls_cli_opt_strs+2247) -#define X509CERTFILE_NAME (gnutls_cli_opt_strs+2293) -#define X509CERTFILE_name (gnutls_cli_opt_strs+2306) +#define X509CERTFILE_DESC (gnutls_cli_opt_strs+2250) +#define X509CERTFILE_NAME (gnutls_cli_opt_strs+2296) +#define X509CERTFILE_name (gnutls_cli_opt_strs+2309) #define X509CERTFILE_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * pgpsubkey option 
description: */ -#define PGPSUBKEY_DESC (gnutls_cli_opt_strs+2319) -#define PGPSUBKEY_NAME (gnutls_cli_opt_strs+2351) -#define PGPSUBKEY_name (gnutls_cli_opt_strs+2361) +#define PGPSUBKEY_DESC (gnutls_cli_opt_strs+2322) +#define PGPSUBKEY_NAME (gnutls_cli_opt_strs+2354) +#define PGPSUBKEY_name (gnutls_cli_opt_strs+2364) #define PGPSUBKEY_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * srpusername option description: */ -#define SRPUSERNAME_DESC (gnutls_cli_opt_strs+2371) -#define SRPUSERNAME_NAME (gnutls_cli_opt_strs+2391) -#define SRPUSERNAME_name (gnutls_cli_opt_strs+2403) +#define SRPUSERNAME_DESC (gnutls_cli_opt_strs+2374) +#define SRPUSERNAME_NAME (gnutls_cli_opt_strs+2394) +#define SRPUSERNAME_name (gnutls_cli_opt_strs+2406) #define SRPUSERNAME_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * srppasswd option description: */ -#define SRPPASSWD_DESC (gnutls_cli_opt_strs+2415) -#define SRPPASSWD_NAME (gnutls_cli_opt_strs+2435) -#define SRPPASSWD_name (gnutls_cli_opt_strs+2445) +#define SRPPASSWD_DESC (gnutls_cli_opt_strs+2418) +#define SRPPASSWD_NAME (gnutls_cli_opt_strs+2438) +#define SRPPASSWD_name (gnutls_cli_opt_strs+2448) #define SRPPASSWD_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * pskusername option description: */ -#define PSKUSERNAME_DESC (gnutls_cli_opt_strs+2455) -#define PSKUSERNAME_NAME (gnutls_cli_opt_strs+2475) -#define PSKUSERNAME_name (gnutls_cli_opt_strs+2487) +#define PSKUSERNAME_DESC (gnutls_cli_opt_strs+2458) +#define PSKUSERNAME_NAME (gnutls_cli_opt_strs+2478) +#define PSKUSERNAME_name (gnutls_cli_opt_strs+2490) #define PSKUSERNAME_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * pskkey option description: */ -#define PSKKEY_DESC (gnutls_cli_opt_strs+2499) -#define PSKKEY_NAME (gnutls_cli_opt_strs+2523) -#define PSKKEY_name (gnutls_cli_opt_strs+2530) +#define PSKKEY_DESC (gnutls_cli_opt_strs+2502) +#define PSKKEY_NAME (gnutls_cli_opt_strs+2526) +#define 
PSKKEY_name (gnutls_cli_opt_strs+2533) #define PSKKEY_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * port option description: */ -#define PORT_DESC (gnutls_cli_opt_strs+2537) -#define PORT_NAME (gnutls_cli_opt_strs+2571) -#define PORT_name (gnutls_cli_opt_strs+2576) +#define PORT_DESC (gnutls_cli_opt_strs+2540) +#define PORT_NAME (gnutls_cli_opt_strs+2574) +#define PORT_name (gnutls_cli_opt_strs+2579) #define PORT_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * insecure option description: */ -#define INSECURE_DESC (gnutls_cli_opt_strs+2581) -#define INSECURE_NAME (gnutls_cli_opt_strs+2642) -#define INSECURE_name (gnutls_cli_opt_strs+2651) +#define INSECURE_DESC (gnutls_cli_opt_strs+2584) +#define INSECURE_NAME (gnutls_cli_opt_strs+2645) +#define INSECURE_name (gnutls_cli_opt_strs+2654) #define INSECURE_FLAGS (OPTST_DISABLED) /* * benchmark-ciphers option description: */ -#define BENCHMARK_CIPHERS_DESC (gnutls_cli_opt_strs+2660) -#define BENCHMARK_CIPHERS_NAME (gnutls_cli_opt_strs+2689) -#define BENCHMARK_CIPHERS_name (gnutls_cli_opt_strs+2707) +#define BENCHMARK_CIPHERS_DESC (gnutls_cli_opt_strs+2663) +#define BENCHMARK_CIPHERS_NAME (gnutls_cli_opt_strs+2692) +#define BENCHMARK_CIPHERS_name (gnutls_cli_opt_strs+2710) #define BENCHMARK_CIPHERS_FLAGS (OPTST_DISABLED) /* * benchmark-soft-ciphers option description: */ -#define BENCHMARK_SOFT_CIPHERS_DESC (gnutls_cli_opt_strs+2725) -#define BENCHMARK_SOFT_CIPHERS_NAME (gnutls_cli_opt_strs+2784) -#define BENCHMARK_SOFT_CIPHERS_name (gnutls_cli_opt_strs+2807) +#define BENCHMARK_SOFT_CIPHERS_DESC (gnutls_cli_opt_strs+2728) +#define BENCHMARK_SOFT_CIPHERS_NAME (gnutls_cli_opt_strs+2787) +#define BENCHMARK_SOFT_CIPHERS_name (gnutls_cli_opt_strs+2810) #define BENCHMARK_SOFT_CIPHERS_FLAGS (OPTST_DISABLED) /* * benchmark-tls-kx option description: */ -#define BENCHMARK_TLS_KX_DESC (gnutls_cli_opt_strs+2830) -#define BENCHMARK_TLS_KX_NAME (gnutls_cli_opt_strs+2865) -#define 
BENCHMARK_TLS_KX_name (gnutls_cli_opt_strs+2882) +#define BENCHMARK_TLS_KX_DESC (gnutls_cli_opt_strs+2833) +#define BENCHMARK_TLS_KX_NAME (gnutls_cli_opt_strs+2868) +#define BENCHMARK_TLS_KX_name (gnutls_cli_opt_strs+2885) #define BENCHMARK_TLS_KX_FLAGS (OPTST_DISABLED) /* * benchmark-tls-ciphers option description: */ -#define BENCHMARK_TLS_CIPHERS_DESC (gnutls_cli_opt_strs+2899) -#define BENCHMARK_TLS_CIPHERS_NAME (gnutls_cli_opt_strs+2921) -#define BENCHMARK_TLS_CIPHERS_name (gnutls_cli_opt_strs+2943) +#define BENCHMARK_TLS_CIPHERS_DESC (gnutls_cli_opt_strs+2902) +#define BENCHMARK_TLS_CIPHERS_NAME (gnutls_cli_opt_strs+2924) +#define BENCHMARK_TLS_CIPHERS_name (gnutls_cli_opt_strs+2946) #define BENCHMARK_TLS_CIPHERS_FLAGS (OPTST_DISABLED) /* * list option description: */ -#define LIST_DESC (gnutls_cli_opt_strs+2965) -#define LIST_NAME (gnutls_cli_opt_strs+3016) -#define LIST_name (gnutls_cli_opt_strs+3021) +#define LIST_DESC (gnutls_cli_opt_strs+2968) +#define LIST_NAME (gnutls_cli_opt_strs+3019) +#define LIST_name (gnutls_cli_opt_strs+3024) #define LIST_FLAGS (OPTST_DISABLED) /* * Help/More_Help/Version option descriptions: */ -#define HELP_DESC (gnutls_cli_opt_strs+3026) -#define HELP_name (gnutls_cli_opt_strs+3070) +#define HELP_DESC (gnutls_cli_opt_strs+3029) +#define HELP_name (gnutls_cli_opt_strs+3073) #ifdef HAVE_WORKING_FORK -#define MORE_HELP_DESC (gnutls_cli_opt_strs+3075) -#define MORE_HELP_name (gnutls_cli_opt_strs+3120) +#define MORE_HELP_DESC (gnutls_cli_opt_strs+3078) +#define MORE_HELP_name (gnutls_cli_opt_strs+3123) #define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT) #else #define MORE_HELP_DESC NULL 
@@ -575,8 +577,8 @@ static char const gnutls_cli_opt_strs[3605] = # define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \ OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT) #endif -#define VER_DESC (gnutls_cli_opt_strs+3130) -#define VER_name (gnutls_cli_opt_strs+3166) +#define VER_DESC (gnutls_cli_opt_strs+3133) +#define VER_name (gnutls_cli_opt_strs+3169) /* * Declare option callback procedures */ @@ -703,7 +705,7 @@ static tOptDesc optDesc[OPTION_CT] = { /* must/cannot opts */ NULL, NULL, /* option proc */ NULL, /* desc, NAME, name */ OCSP_STATUS_REQUEST_DESC, OCSP_STATUS_REQUEST_NAME, OCSP_STATUS_REQUEST_name, - /* disablement strs */ NULL, NULL }, + /* disablement strs */ NOT_OCSP_STATUS_REQUEST_name, NOT_OCSP_STATUS_REQUEST_PFX }, { /* entry idx, value */ 9, VALUE_OPT_STARTTLS, /* equiv idx, value */ 9, VALUE_OPT_STARTTLS, @@ -1109,14 +1111,14 @@ static tOptDesc optDesc[OPTION_CT] = { * * Define the gnutls-cli Option Environment */ -#define zPROGNAME (gnutls_cli_opt_strs+3174) -#define zUsageTitle (gnutls_cli_opt_strs+3185) +#define zPROGNAME (gnutls_cli_opt_strs+3177) +#define zUsageTitle (gnutls_cli_opt_strs+3188) #define zRcName NULL #define apzHomeList NULL -#define zBugsAddr (gnutls_cli_opt_strs+3298) -#define zExplain (gnutls_cli_opt_strs+3317) -#define zDetail (gnutls_cli_opt_strs+3320) -#define zFullVersion (gnutls_cli_opt_strs+3504) +#define zBugsAddr (gnutls_cli_opt_strs+3301) +#define zExplain (gnutls_cli_opt_strs+3320) +#define zDetail (gnutls_cli_opt_strs+3323) +#define zFullVersion (gnutls_cli_opt_strs+3507) /* extracted from optcode.tlib near line 350 */ #if defined(ENABLE_NLS) @@ -1130,7 +1132,7 @@ static tOptDesc optDesc[OPTION_CT] = { #define gnutls_cli_full_usage (NULL) -#define gnutls_cli_short_usage (gnutls_cli_opt_strs+3525) +#define gnutls_cli_short_usage (gnutls_cli_opt_strs+3528) #endif /* not defined __doxygen__ */ diff --git a/src/cli-args.def b/src/cli-args.def index 79d9b7128..6a4d7176d 100644 --- a/src/cli-args.def 
+++ b/src/cli-args.def @@ -58,6 +58,8 @@ flag = { flag = { name = ocsp-status-request; descrip = "Enable OCSP status request"; + enabled; + disable = "no"; doc = "The client will indicate to the server in a TLS extension that it wants a OCSP status request."; }; diff --git a/src/cli-args.h b/src/cli-args.h index 86e710b0e..0085141d3 100644 --- a/src/cli-args.h +++ b/src/cli-args.h @@ -2,7 +2,7 @@ * * DO NOT EDIT THIS FILE (cli-args.h) * - * It has been AutoGen-ed September 30, 2012 at 03:25:07 PM by AutoGen 5.16 + * It has been AutoGen-ed October 4, 2012 at 07:09:10 PM by AutoGen 5.16 * From the definitions cli-args.def * and the template file options * diff --git a/src/cli.c b/src/cli.c index 2ca5b26a9..410e1dc6c 100644 --- a/src/cli.c +++ b/src/cli.c @@ -403,7 +403,7 @@ cert_verify_callback (gnutls_session_t session) if (!insecure && !ssh) return -1; } - else if (ENABLED_OPT(OCSP) || status_request_ocsp) + else if (ENABLED_OPT(OCSP)) { /* off-line verification succeeded. Try OCSP */ rc = cert_verify_ocsp(session); if (rc == 0) @@ -1102,7 +1102,7 @@ const char* rest = NULL; } record_max_size = OPT_VALUE_RECORDSIZE; - status_request_ocsp = HAVE_OPT(OCSP_STATUS_REQUEST); + status_request_ocsp = ENABLED_OPT(OCSP_STATUS_REQUEST); if (ENABLED_OPT(OCSP)) status_request_ocsp = 1; @@ -1485,26 +1485,6 @@ cert_verify_ocsp (gnutls_session_t session) goto cleanup; } - if (status_request_ocsp) - { /* try the server's OCSP response */ - ret = gnutls_ocsp_status_request_get(session, &resp); - if (ret < 0 && !ENABLED_OPT(OCSP)) - { - if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - fprintf(stderr, "gnutls_ocsp_status_request_get: %s\n", gnutls_strerror(ret)); - ret = -1; - goto cleanup; - } - - if (ret >= 0) - { - ret = check_ocsp_response(crt, issuer, &resp); - if (ret >= 0 || !ENABLED_OPT(OCSP)) - goto cleanup; - } - } - - ret = send_ocsp_request(NULL, crt, issuer, &resp, 1); if (ret < 0) { -- 2.11.4.GIT
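Review bot: The comment `/* off-line verification succeeded. Try OCSP */` in the cert_verify_callback hunk at line 403 is now incomplete: after this commit a stapled response, when present, has already been evaluated inside gnutls_certificate_verify_peers2 (the lib/gnutls_x509.c hunks above), so the branch guarded by `ENABLED_OPT(OCSP)` performs an additional live OCSP query rather than the only OCSP check. Suggest `/* off-line verification (including any stapled OCSP response) succeeded. With --ocsp, also query the responder directly */`. cert_verify_callback begins outside the hunk.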