gnutls-commit

[SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-37-g3b70b9f


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-37-g3b70b9f
Date: Thu, 04 Oct 2012 17:19:39 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=3b70b9f0a38d3708aa9fdc7ea9d8998387fb07cf

The branch, master has been updated
       via  3b70b9f0a38d3708aa9fdc7ea9d8998387fb07cf (commit)
       via  0101efc0e26dc74ea79b39584df82da53a6e2032 (commit)
       via  43bbf98f1218e033184db6615191fbc866cfde74 (commit)
      from  b474d918f31a97fb3c3999ac83d819360aa3f7b0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 3b70b9f0a38d3708aa9fdc7ea9d8998387fb07cf
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Oct 4 19:10:26 2012 +0200

    gnutls_certificate_verify_peers2() checks ocsp status response if available.

commit 0101efc0e26dc74ea79b39584df82da53a6e2032
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Oct 4 18:58:13 2012 +0200

    do not set verify_flags

commit 43bbf98f1218e033184db6615191fbc866cfde74
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Oct 4 10:31:35 2012 +0200

    doc update.

-----------------------------------------------------------------------

Summary of changes:
 doc/cha-intro-tls.texi     |   25 +++-
 doc/invoke-gnutls-cli.texi |   12 ++-
 lib/gnutls_cert.c          |    6 +-
 lib/gnutls_x509.c          |  114 ++++++++++++-
 lib/x509/verify-high.c     |   10 +-
 src/cli-args.c             |  426 ++++++++++++++++++++++----------------------
 src/cli-args.def           |    2 +
 src/cli-args.h             |    2 +-
 src/cli.c                  |   25 +---
 9 files changed, 376 insertions(+), 246 deletions(-)

diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index ee58f0c..aa5eaa2 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -398,6 +398,7 @@ and they will be discussed in the subsections that follow.
 * Session tickets::
 * HeartBeat::
 * Safe renegotiation::
+* OCSP status request::
 @end menu
 
 @node Maximum fragment length negotiation
@@ -459,10 +460,8 @@ The requests coming from the peer result to 
@address@hidden@address@hidden@
 being returned from the receive function. Ping requests to peer can be send via
 @funcref{gnutls_heartbeat_ping}. 
 
-Policy-related functions:
 @showfuncB{gnutls_heartbeat_allowed,gnutls_heartbeat_enable}
 
-Operational functions:
 
@showfuncD{gnutls_heartbeat_ping,gnutls_heartbeat_pong,gnutls_heartbeat_set_timeouts,gnutls_heartbeat_get_timeout}
 
 @node Safe renegotiation
@@ -564,6 +563,28 @@ renegotiation.  The 
@funcref{gnutls_safe_renegotiation_status} function is
 used to check if the extension has been negotiated on a session, and
 can be used both by clients and servers.
 
address@hidden OCSP status request
address@hidden OCSP status request
address@hidden OCSP status request
address@hidden Certificate status request
+
+The Online Certificate Status Protocol (OCSP) is a protocol that allows the
+client to verify the server certificate for revocation without messing with
+certificate revocation lists. Its drawback is that it requires the client
+to connect to the server's CA OCSP server and ask for the status of the
+certificate. This extension however, enables a TLS server to include
+its CA OCSP server response in the handshake. That is an HTTPS server
+may periodically run @code{ocsptool} (see @ref{ocsptool Invocation}) to obtain
+its certificate revocation status and serve it to the clients. This
+reduces the number of connections a client needs to perform to access a
+secure server.
+
+Server functions:
address@hidden,gnutls_certificate_set_ocsp_status_request_file}
+
+Client functions:
address@hidden
+
 @include sec-tls-app.texi
 
 @node On SSL 2 and older protocols
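Review bot: the new "OCSP status request" paragraph (the lines beginning "The Online Certificate Status Protocol") explains what the server does with the stapled response but not what the client does with it; since the lib/gnutls_x509.c part of this same patch verifies the response against the issuer and ignores it when it does not verify, covers a different certificate, or is stale, one sentence saying that the client verifies a stapled response exactly like one it fetched itself, and that an unverifiable response is ignored rather than reported as an error, would stop readers assuming that stapling alone establishes revocation status. Minor wording: "without messing with certificate revocation lists" reads better as "without consulting certificate revocation lists", and "That is an HTTPS server may" needs a comma: "That is, an HTTPS server may".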
diff --git a/doc/invoke-gnutls-cli.texi b/doc/invoke-gnutls-cli.texi
index c0191e9..dad4069 100644
--- a/doc/invoke-gnutls-cli.texi
+++ b/doc/invoke-gnutls-cli.texi
@@ -7,7 +7,7 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-gnutls-cli.texi)
 # 
-# It has been AutoGen-ed  September 30, 2012 at 04:41:48 PM by AutoGen 5.16
+# It has been AutoGen-ed  October  4, 2012 at 07:18:42 PM by AutoGen 5.16
 # From the definitions    ../src/cli-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -52,6 +52,8 @@ USAGE:  gnutls-cli [ -<flag> [<val>] | 
--<name>address@hidden| @}<val>] ]... [hostname]
    -e, --rehandshake          Establish a session and rehandshake
        --noticket             Don't accept session tickets
        --ocsp-status-request  Enable OCSP status request
+                                - disabled as --no-ocsp-status-request
+                                - enabled by default
    -s, --starttls             Connect, establish a plain session and start TLS.
    -u, --udp                  Use DTLS (datagram TLS) over UDP
        --mtu=num              Set MTU for datagram TLS
@@ -144,6 +146,14 @@ Connect, establish a session and rehandshake immediately.
 @cindex gnutls-cli-ocsp-status-request
 
 This is the ``enable ocsp status request'' option.
+
address@hidden
+This option has some usage constraints.  It:
address@hidden @bullet
address@hidden
+is enabled by default.
address@hidden itemize
+
 The client will indicate to the server in a TLS extension that it wants a OCSP 
status request.
 @anchor{gnutls-cli starttls}
 @subheading starttls option (-s)
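Review bot: the generated constraint text now says the option is enabled by default, but the unchanged sentence right after it ("The client will indicate to the server in a TLS extension that it wants a OCSP status request") still reads as if the request is only sent when the flag is given; the description in ../src/cli-args.def that this file is generated from should say the request is sent unless --no-ocsp-status-request is passed, and "a OCSP" should become "an OCSP" while that text is being touched.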
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index fef4e96..d5912e9 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -644,8 +644,10 @@ _gnutls_openpgp_crt_verify_peers (gnutls_session_t session,
  * be one or more of the gnutls_certificate_status_t enumerated
  * elements bitwise or'd. To avoid denial of service attacks some
  * default upper limits regarding the certificate key size and chain
- * size are set. To override them use
- * gnutls_certificate_set_verify_limits().
+ * size are set. To override them use gnutls_certificate_set_verify_limits().
+ *
+ * This function will utilize the OCSP Certificate Status extension if
+ * negotiated --to enable see gnutls_ocsp_status_request_enable_client().
  *
  * Note that you must also check the peer's name in order to check if
  * the verified certificate belongs to the actual peer, see 
gnutls_x509_crt_check_hostname().
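Review bot: the added sentence says the function "will utilize" the OCSP Certificate Status extension but not what that means for the caller. Per the lib/gnutls_x509.c change in this patch the effect is: GNUTLS_CERT_REVOKED is OR'ed into the status when a stapled response that verifies against the issuer reports the certificate revoked, while a response that does not verify, belongs to another certificate, or is stale is ignored without any error; and when the extension was not negotiated no OCSP check happens at all. Stating that here keeps applications from assuming that a clean status means revocation was checked. Style: "negotiated --to enable see" should read "negotiated; to enable it, see".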
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 49ac9b1..1d7128b 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -38,6 +38,7 @@
 #include <debug.h>
 #include <x509_b64.h>
 #include <gnutls_x509.h>
+#include <gnutls/ocsp.h>
 #include "x509/common.h"
 #include "x509/x509_int.h"
 #include <gnutls_str_array.h>
@@ -84,6 +85,91 @@ check_bits (gnutls_session_t session, gnutls_x509_crt_t crt, 
unsigned int max_bi
   return 0;
 }
 
+/* three days */
+#define MAX_OCSP_VALIDITY_SECS (3*60*60*24)
+
+/* Returns:
+ *  -1: certificate is revoked
+ *  1: certificate is ok
+ *  0: dunno
+ */
+static int
+check_ocsp_response (gnutls_session_t session, gnutls_x509_crt_t cert,
+                     gnutls_x509_crt_t issuer,
+                     gnutls_datum_t *data)
+{
+  gnutls_ocsp_resp_t resp;
+  int ret;
+  unsigned int status, cert_status;
+  time_t rtime, vtime, ntime, now;
+  
+  now = gnutls_time(0);
+
+  ret = gnutls_ocsp_resp_init (&resp);
+  if (ret < 0)
+    return gnutls_assert_val(0);
+
+  ret = gnutls_ocsp_resp_import (resp, data);
+  if (ret < 0)
+    return gnutls_assert_val(0);
+  
+  ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
+  if (ret < 0)
+    {
+      _gnutls_audit_log (session, "Got OCSP response on an unrelated 
certificate (ignoring)\n");
+      ret = 0;
+      goto cleanup;
+    }
+
+  ret = gnutls_ocsp_resp_verify_direct( resp, issuer, &status, 0);
+  if (ret < 0)
+    return gnutls_assert_val(0);
+
+  /* do not consider revocation data if response was not verified */
+  if (status != 0)
+    {
+      ret = gnutls_assert_val(0);
+      goto cleanup;
+    }
+
+  ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
+        &cert_status, &vtime, &ntime, &rtime, NULL);
+  if (ret < 0)
+    {
+      ret = gnutls_assert_val(0);
+      goto cleanup;
+    }
+  
+  if (cert_status == GNUTLS_OCSP_CERT_REVOKED)
+    {
+      _gnutls_audit_log(session, "The certificate was revoked via OCSP\n");
+      ret = gnutls_assert_val(-1);
+      goto cleanup;
+    }
+  
+  if (ntime == -1)
+    {
+      if (now - vtime > MAX_OCSP_VALIDITY_SECS)
+        {
+          _gnutls_audit_log(session, "The OCSP response is old\n");
+        }
+    }
+  else
+    {
+      /* there is a newer OCSP answer, don't trust this one */
+      if (ntime < now)
+        {
+          _gnutls_audit_log(session, "There is a newer OCSP response but was 
not provided by the server\n");
+        }
+    }
+  
+  ret = 1;
+cleanup:
+  gnutls_ocsp_resp_deinit (resp);
+  
+  return ret;
+}
+
 
 #define CLEAR_CERTS for(x=0;x<peer_certificate_list_size;x++) { \
        if (peer_certificate_list[x]) \
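Review bot: check_ocsp_response leaks the gnutls_ocsp_resp_t on two error paths. Once gnutls_ocsp_resp_init has succeeded, both `if (ret < 0) return gnutls_assert_val(0);` after gnutls_ocsp_resp_import and the identical early return after gnutls_ocsp_resp_verify_direct skip gnutls_ocsp_resp_deinit; they should set `ret = gnutls_assert_val(0); goto cleanup;` like the other failure branches in the same function. Second, the two freshness branches only log: a response with no nextUpdate (`ntime == -1`) that is older than MAX_OCSP_VALIDITY_SECS, or one whose nextUpdate has already passed (`ntime < now`, comment "don't trust this one"), still falls through to `ret = 1;`, so the function reports "ok" for data it has just declared untrustworthy. Returning 0 ("dunno") in those branches matches the comment and the documented return values at the top of the function. Also worth a comment: the GNUTLS_OCSP_CERT_REVOKED check deliberately precedes the freshness checks, so a stale "revoked" answer is still honoured; that is the conservative choice, but it is not obvious from the code.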
@@ -107,7 +193,10 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
   cert_auth_info_t info;
   gnutls_certificate_credentials_t cred;
   gnutls_x509_crt_t *peer_certificate_list;
+  gnutls_datum_t resp;
   int peer_certificate_list_size, i, x, ret;
+  gnutls_x509_crt_t issuer;
+  unsigned int ocsp_status = 0;
 
   CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
 
@@ -178,9 +267,30 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
 
     }
 
+  /* Use the OCSP extension if any */
+  ret = gnutls_ocsp_status_request_get(session, &resp);
+  if (ret < 0)
+    goto skip_ocsp;
+
+  if (peer_certificate_list_size > 1)
+    issuer = peer_certificate_list[1];
+  else
+    {
+      ret = gnutls_x509_trust_list_get_issuer(cred->tlist, 
peer_certificate_list[0],
+                                              &issuer, 0);
+      if (ret < 0)
+        {
+          goto skip_ocsp;
+        }
+    }
+
+  ret = check_ocsp_response(session, peer_certificate_list[0], issuer, &resp);
+  if (ret < 0) /* revoked */
+    ocsp_status |= GNUTLS_CERT_REVOKED;
+
+skip_ocsp:
   /* Verify certificate 
    */
-
   ret = gnutls_x509_trust_list_verify_crt (cred->tlist, peer_certificate_list,
                                      peer_certificate_list_size,
                                      cred->verify_flags | session->internals.
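Review bot: when the peer sent more than one certificate, `issuer = peer_certificate_list[1];` is taken as the issuer of peer_certificate_list[0] without checking that it actually issued it. A server that sends its chain out of order, or with an unrelated extra certificate in position 1, makes gnutls_ocsp_resp_verify_direct fail inside check_ocsp_response, and the stapled response is then dropped silently, so a revoked certificate behind a misordered chain passes the OCSP step. Either call gnutls_x509_trust_list_get_issuer in both cases, or confirm the relationship first (gnutls_x509_crt_check_issuer(peer_certificate_list[0], peer_certificate_list[1]) does that) and fall back to the trust list otherwise. Separately, both `goto skip_ocsp` paths and a 0 ("dunno") result from check_ocsp_response leave no trace; an _gnutls_audit_log line on those paths would let operators see why no OCSP decision was reached.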
@@ -195,6 +305,8 @@ _gnutls_x509_cert_verify_peers (gnutls_session_t session,
       return ret;
     }
 
+  *status |= ocsp_status;
+
   return 0;
 }
 
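Review bot: `*status |= ocsp_status;` can only ever add GNUTLS_CERT_REVOKED, because the assignment in the previous hunk is `ocsp_status |= GNUTLS_CERT_REVOKED;` alone. Applications commonly decide whether to abort the handshake by testing `status & GNUTLS_CERT_INVALID`, so a client doing that accepts a certificate this very patch has just learned is revoked; set `ocsp_status |= GNUTLS_CERT_REVOKED | GNUTLS_CERT_INVALID;` so that a revocation found through the stapled response and one found through a CRL leave the status word in the same shape for the caller.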
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 5dafd63..cf603a2 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -526,7 +526,8 @@ int 
gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
  * @func: If non-null will be called on each chain element verification with 
the output.
  *
  * This function will try to verify the given certificate and return
- * its status.
+ * its status. The @verify parameter will hold an OR'ed sequence of
+ * %gnutls_certificate_status_t flags.
  *
  * Limitation: Pathlen constraints or key usage flags are not consulted.
  *
@@ -630,9 +631,10 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t 
list,
  * @verify: will hold the certificate verification output.
  * @func: If non-null will be called on each chain element verification with 
the output.
  *
- * This function will try to find a matching named certificate. If a
- * match is found the certificate is considered valid. In addition to that
- * this function will also check CRLs.
+ * This function will try to find a certificate that is associated with the 
provided 
+ * name --see gnutls_x509_trust_list_add_named_crt(). If a match is found the 
certificate is considered valid. In addition to that
+ * this function will also check CRLs. The @verify parameter will hold an 
OR'ed sequence of
+ * %gnutls_certificate_status_t flags.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
diff --git a/src/cli-args.c b/src/cli-args.c
index 2566d51..62b0054 100644
--- a/src/cli-args.c
+++ b/src/cli-args.c
@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (cli-args.c)
  *  
- *  It has been AutoGen-ed  September 30, 2012 at 03:25:07 PM by AutoGen 5.16
+ *  It has been AutoGen-ed  October  4, 2012 at 07:09:10 PM by AutoGen 5.16
  *  From the definitions    cli-args.def
  *  and the template file   options
  *
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
 /*
  *  gnutls-cli option static const strings
  */
-static char const gnutls_cli_opt_strs[3605] =
+static char const gnutls_cli_opt_strs[3608] =
 /*     0 */ "gnutls-cli @address@hidden"
             "Copyright (C) 2000-2012 Free Software Foundation, all rights 
reserved.\n"
             "This is free software. It is licensed for use, modification and\n"
@@ -111,114 +111,114 @@ static char const gnutls_cli_opt_strs[3605] =
 /*  1253 */ "noticket\0"
 /*  1262 */ "Enable OCSP status request\0"
 /*  1289 */ "OCSP_STATUS_REQUEST\0"
-/*  1309 */ "ocsp-status-request\0"
-/*  1329 */ "Connect, establish a plain session and start TLS.\0"
-/*  1379 */ "STARTTLS\0"
-/*  1388 */ "starttls\0"
-/*  1397 */ "Use DTLS (datagram TLS) over UDP\0"
-/*  1430 */ "UDP\0"
-/*  1434 */ "udp\0"
-/*  1438 */ "Set MTU for datagram TLS\0"
-/*  1463 */ "MTU\0"
-/*  1467 */ "mtu\0"
-/*  1471 */ "Send CR LF instead of LF\0"
-/*  1496 */ "CRLF\0"
-/*  1501 */ "crlf\0"
-/*  1506 */ "Use DER format for certificates to read from\0"
-/*  1551 */ "X509FMTDER\0"
-/*  1562 */ "x509fmtder\0"
-/*  1573 */ "Send the openpgp fingerprint, instead of the key\0"
-/*  1622 */ "FINGERPRINT\0"
-/*  1634 */ "fingerprint\0"
-/*  1646 */ "Disable all the TLS extensions\0"
-/*  1677 */ "DISABLE_EXTENSIONS\0"
-/*  1696 */ "disable-extensions\0"
-/*  1715 */ "Print peer's certificate in PEM format\0"
-/*  1754 */ "PRINT_CERT\0"
-/*  1765 */ "print-cert\0"
-/*  1776 */ "The maximum record size to advertize\0"
-/*  1813 */ "RECORDSIZE\0"
-/*  1824 */ "recordsize\0"
-/*  1835 */ "The minimum number of bits allowed for DH\0"
-/*  1877 */ "DH_BITS\0"
-/*  1885 */ "dh-bits\0"
-/*  1893 */ "Priorities string\0"
-/*  1911 */ "PRIORITY\0"
-/*  1920 */ "priority\0"
-/*  1929 */ "Certificate file or PKCS #11 URL to use\0"
-/*  1969 */ "X509CAFILE\0"
-/*  1980 */ "x509cafile\0"
-/*  1991 */ "CRL file to use\0"
-/*  2007 */ "X509CRLFILE\0"
-/*  2019 */ "x509crlfile\0"
-/*  2031 */ "PGP Key file to use\0"
-/*  2051 */ "PGPKEYFILE\0"
-/*  2062 */ "pgpkeyfile\0"
-/*  2073 */ "PGP Key ring file to use\0"
-/*  2098 */ "PGPKEYRING\0"
-/*  2109 */ "pgpkeyring\0"
-/*  2120 */ "PGP Public Key (certificate) file to use\0"
-/*  2161 */ "PGPCERTFILE\0"
-/*  2173 */ "pgpcertfile\0"
-/*  2185 */ "X.509 key file or PKCS #11 URL to use\0"
-/*  2223 */ "X509KEYFILE\0"
-/*  2235 */ "x509keyfile\0"
-/*  2247 */ "X.509 Certificate file or PKCS #11 URL to use\0"
-/*  2293 */ "X509CERTFILE\0"
-/*  2306 */ "x509certfile\0"
-/*  2319 */ "PGP subkey to use (hex or auto)\0"
-/*  2351 */ "PGPSUBKEY\0"
-/*  2361 */ "pgpsubkey\0"
-/*  2371 */ "SRP username to use\0"
-/*  2391 */ "SRPUSERNAME\0"
-/*  2403 */ "srpusername\0"
-/*  2415 */ "SRP password to use\0"
-/*  2435 */ "SRPPASSWD\0"
-/*  2445 */ "srppasswd\0"
-/*  2455 */ "PSK username to use\0"
-/*  2475 */ "PSKUSERNAME\0"
-/*  2487 */ "pskusername\0"
-/*  2499 */ "PSK key (in hex) to use\0"
-/*  2523 */ "PSKKEY\0"
-/*  2530 */ "pskkey\0"
-/*  2537 */ "The port or service to connect to\0"
-/*  2571 */ "PORT\0"
-/*  2576 */ "port\0"
-/*  2581 */ "Don't abort program if server certificate can't be validated\0"
-/*  2642 */ "INSECURE\0"
-/*  2651 */ "insecure\0"
-/*  2660 */ "Benchmark individual ciphers\0"
-/*  2689 */ "BENCHMARK_CIPHERS\0"
-/*  2707 */ "benchmark-ciphers\0"
-/*  2725 */ "Benchmark individual software ciphers (no hw acceleration)\0"
-/*  2784 */ "BENCHMARK_SOFT_CIPHERS\0"
-/*  2807 */ "benchmark-soft-ciphers\0"
-/*  2830 */ "Benchmark TLS key exchange methods\0"
-/*  2865 */ "BENCHMARK_TLS_KX\0"
-/*  2882 */ "benchmark-tls-kx\0"
-/*  2899 */ "Benchmark TLS ciphers\0"
-/*  2921 */ "BENCHMARK_TLS_CIPHERS\0"
-/*  2943 */ "benchmark-tls-ciphers\0"
-/*  2965 */ "Print a list of the supported algorithms and modes\0"
-/*  3016 */ "LIST\0"
-/*  3021 */ "list\0"
-/*  3026 */ "Display extended usage information and exit\0"
-/*  3070 */ "help\0"
-/*  3075 */ "Extended usage information passed thru pager\0"
-/*  3120 */ "more-help\0"
-/*  3130 */ "Output version information and exit\0"
-/*  3166 */ "version\0"
-/*  3174 */ "GNUTLS_CLI\0"
-/*  3185 */ "gnutls-cli - GnuTLS client - Ver. @address@hidden"
+/*  1309 */ "no-ocsp-status-request\0"
+/*  1332 */ "Connect, establish a plain session and start TLS.\0"
+/*  1382 */ "STARTTLS\0"
+/*  1391 */ "starttls\0"
+/*  1400 */ "Use DTLS (datagram TLS) over UDP\0"
+/*  1433 */ "UDP\0"
+/*  1437 */ "udp\0"
+/*  1441 */ "Set MTU for datagram TLS\0"
+/*  1466 */ "MTU\0"
+/*  1470 */ "mtu\0"
+/*  1474 */ "Send CR LF instead of LF\0"
+/*  1499 */ "CRLF\0"
+/*  1504 */ "crlf\0"
+/*  1509 */ "Use DER format for certificates to read from\0"
+/*  1554 */ "X509FMTDER\0"
+/*  1565 */ "x509fmtder\0"
+/*  1576 */ "Send the openpgp fingerprint, instead of the key\0"
+/*  1625 */ "FINGERPRINT\0"
+/*  1637 */ "fingerprint\0"
+/*  1649 */ "Disable all the TLS extensions\0"
+/*  1680 */ "DISABLE_EXTENSIONS\0"
+/*  1699 */ "disable-extensions\0"
+/*  1718 */ "Print peer's certificate in PEM format\0"
+/*  1757 */ "PRINT_CERT\0"
+/*  1768 */ "print-cert\0"
+/*  1779 */ "The maximum record size to advertize\0"
+/*  1816 */ "RECORDSIZE\0"
+/*  1827 */ "recordsize\0"
+/*  1838 */ "The minimum number of bits allowed for DH\0"
+/*  1880 */ "DH_BITS\0"
+/*  1888 */ "dh-bits\0"
+/*  1896 */ "Priorities string\0"
+/*  1914 */ "PRIORITY\0"
+/*  1923 */ "priority\0"
+/*  1932 */ "Certificate file or PKCS #11 URL to use\0"
+/*  1972 */ "X509CAFILE\0"
+/*  1983 */ "x509cafile\0"
+/*  1994 */ "CRL file to use\0"
+/*  2010 */ "X509CRLFILE\0"
+/*  2022 */ "x509crlfile\0"
+/*  2034 */ "PGP Key file to use\0"
+/*  2054 */ "PGPKEYFILE\0"
+/*  2065 */ "pgpkeyfile\0"
+/*  2076 */ "PGP Key ring file to use\0"
+/*  2101 */ "PGPKEYRING\0"
+/*  2112 */ "pgpkeyring\0"
+/*  2123 */ "PGP Public Key (certificate) file to use\0"
+/*  2164 */ "PGPCERTFILE\0"
+/*  2176 */ "pgpcertfile\0"
+/*  2188 */ "X.509 key file or PKCS #11 URL to use\0"
+/*  2226 */ "X509KEYFILE\0"
+/*  2238 */ "x509keyfile\0"
+/*  2250 */ "X.509 Certificate file or PKCS #11 URL to use\0"
+/*  2296 */ "X509CERTFILE\0"
+/*  2309 */ "x509certfile\0"
+/*  2322 */ "PGP subkey to use (hex or auto)\0"
+/*  2354 */ "PGPSUBKEY\0"
+/*  2364 */ "pgpsubkey\0"
+/*  2374 */ "SRP username to use\0"
+/*  2394 */ "SRPUSERNAME\0"
+/*  2406 */ "srpusername\0"
+/*  2418 */ "SRP password to use\0"
+/*  2438 */ "SRPPASSWD\0"
+/*  2448 */ "srppasswd\0"
+/*  2458 */ "PSK username to use\0"
+/*  2478 */ "PSKUSERNAME\0"
+/*  2490 */ "pskusername\0"
+/*  2502 */ "PSK key (in hex) to use\0"
+/*  2526 */ "PSKKEY\0"
+/*  2533 */ "pskkey\0"
+/*  2540 */ "The port or service to connect to\0"
+/*  2574 */ "PORT\0"
+/*  2579 */ "port\0"
+/*  2584 */ "Don't abort program if server certificate can't be validated\0"
+/*  2645 */ "INSECURE\0"
+/*  2654 */ "insecure\0"
+/*  2663 */ "Benchmark individual ciphers\0"
+/*  2692 */ "BENCHMARK_CIPHERS\0"
+/*  2710 */ "benchmark-ciphers\0"
+/*  2728 */ "Benchmark individual software ciphers (no hw acceleration)\0"
+/*  2787 */ "BENCHMARK_SOFT_CIPHERS\0"
+/*  2810 */ "benchmark-soft-ciphers\0"
+/*  2833 */ "Benchmark TLS key exchange methods\0"
+/*  2868 */ "BENCHMARK_TLS_KX\0"
+/*  2885 */ "benchmark-tls-kx\0"
+/*  2902 */ "Benchmark TLS ciphers\0"
+/*  2924 */ "BENCHMARK_TLS_CIPHERS\0"
+/*  2946 */ "benchmark-tls-ciphers\0"
+/*  2968 */ "Print a list of the supported algorithms and modes\0"
+/*  3019 */ "LIST\0"
+/*  3024 */ "list\0"
+/*  3029 */ "Display extended usage information and exit\0"
+/*  3073 */ "help\0"
+/*  3078 */ "Extended usage information passed thru pager\0"
+/*  3123 */ "more-help\0"
+/*  3133 */ "Output version information and exit\0"
+/*  3169 */ "version\0"
+/*  3177 */ "GNUTLS_CLI\0"
+/*  3188 */ "gnutls-cli - GnuTLS client - Ver. @address@hidden"
             "USAGE:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... 
[hostname]\n\0"
-/*  3298 */ "address@hidden"
-/*  3317 */ "\n\n\0"
-/*  3320 */ "\n"
+/*  3301 */ "address@hidden"
+/*  3320 */ "\n\n\0"
+/*  3323 */ "\n"
             "Simple client program to set up a TLS connection to some other 
computer.  It\n"
             "sets up a TLS connection and forwards data from the standard 
input to the\n"
             "secured socket and vice versa.\n\0"
-/*  3504 */ "gnutls-cli @address@hidden"
-/*  3525 */ "Usage: gnutls-cli [options] hostname\n"
+/*  3507 */ "gnutls-cli @address@hidden"
+/*  3528 */ "Usage: gnutls-cli [options] hostname\n"
             "gnutls-cli --help for usage instructions.\n";
 
 /*
@@ -295,274 +295,276 @@ static char const gnutls_cli_opt_strs[3605] =
  */
 #define OCSP_STATUS_REQUEST_DESC      (gnutls_cli_opt_strs+1262)
 #define OCSP_STATUS_REQUEST_NAME      (gnutls_cli_opt_strs+1289)
-#define OCSP_STATUS_REQUEST_name      (gnutls_cli_opt_strs+1309)
-#define OCSP_STATUS_REQUEST_FLAGS     (OPTST_DISABLED)
+#define NOT_OCSP_STATUS_REQUEST_name  (gnutls_cli_opt_strs+1309)
+#define NOT_OCSP_STATUS_REQUEST_PFX   (gnutls_cli_opt_strs+1010)
+#define OCSP_STATUS_REQUEST_name      (NOT_OCSP_STATUS_REQUEST_name + 3)
+#define OCSP_STATUS_REQUEST_FLAGS     (OPTST_INITENABLED)
 
 /*
  *  starttls option description:
  */
-#define STARTTLS_DESC      (gnutls_cli_opt_strs+1329)
-#define STARTTLS_NAME      (gnutls_cli_opt_strs+1379)
-#define STARTTLS_name      (gnutls_cli_opt_strs+1388)
+#define STARTTLS_DESC      (gnutls_cli_opt_strs+1332)
+#define STARTTLS_NAME      (gnutls_cli_opt_strs+1382)
+#define STARTTLS_name      (gnutls_cli_opt_strs+1391)
 #define STARTTLS_FLAGS     (OPTST_DISABLED)
 
 /*
  *  udp option description:
  */
-#define UDP_DESC      (gnutls_cli_opt_strs+1397)
-#define UDP_NAME      (gnutls_cli_opt_strs+1430)
-#define UDP_name      (gnutls_cli_opt_strs+1434)
+#define UDP_DESC      (gnutls_cli_opt_strs+1400)
+#define UDP_NAME      (gnutls_cli_opt_strs+1433)
+#define UDP_name      (gnutls_cli_opt_strs+1437)
 #define UDP_FLAGS     (OPTST_DISABLED)
 
 /*
  *  mtu option description:
  */
-#define MTU_DESC      (gnutls_cli_opt_strs+1438)
-#define MTU_NAME      (gnutls_cli_opt_strs+1463)
-#define MTU_name      (gnutls_cli_opt_strs+1467)
+#define MTU_DESC      (gnutls_cli_opt_strs+1441)
+#define MTU_NAME      (gnutls_cli_opt_strs+1466)
+#define MTU_name      (gnutls_cli_opt_strs+1470)
 #define MTU_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
 
 /*
  *  crlf option description:
  */
-#define CRLF_DESC      (gnutls_cli_opt_strs+1471)
-#define CRLF_NAME      (gnutls_cli_opt_strs+1496)
-#define CRLF_name      (gnutls_cli_opt_strs+1501)
+#define CRLF_DESC      (gnutls_cli_opt_strs+1474)
+#define CRLF_NAME      (gnutls_cli_opt_strs+1499)
+#define CRLF_name      (gnutls_cli_opt_strs+1504)
 #define CRLF_FLAGS     (OPTST_DISABLED)
 
 /*
  *  x509fmtder option description:
  */
-#define X509FMTDER_DESC      (gnutls_cli_opt_strs+1506)
-#define X509FMTDER_NAME      (gnutls_cli_opt_strs+1551)
-#define X509FMTDER_name      (gnutls_cli_opt_strs+1562)
+#define X509FMTDER_DESC      (gnutls_cli_opt_strs+1509)
+#define X509FMTDER_NAME      (gnutls_cli_opt_strs+1554)
+#define X509FMTDER_name      (gnutls_cli_opt_strs+1565)
 #define X509FMTDER_FLAGS     (OPTST_DISABLED)
 
 /*
  *  fingerprint option description:
  */
-#define FINGERPRINT_DESC      (gnutls_cli_opt_strs+1573)
-#define FINGERPRINT_NAME      (gnutls_cli_opt_strs+1622)
-#define FINGERPRINT_name      (gnutls_cli_opt_strs+1634)
+#define FINGERPRINT_DESC      (gnutls_cli_opt_strs+1576)
+#define FINGERPRINT_NAME      (gnutls_cli_opt_strs+1625)
+#define FINGERPRINT_name      (gnutls_cli_opt_strs+1637)
 #define FINGERPRINT_FLAGS     (OPTST_DISABLED)
 
 /*
  *  disable-extensions option description:
  */
-#define DISABLE_EXTENSIONS_DESC      (gnutls_cli_opt_strs+1646)
-#define DISABLE_EXTENSIONS_NAME      (gnutls_cli_opt_strs+1677)
-#define DISABLE_EXTENSIONS_name      (gnutls_cli_opt_strs+1696)
+#define DISABLE_EXTENSIONS_DESC      (gnutls_cli_opt_strs+1649)
+#define DISABLE_EXTENSIONS_NAME      (gnutls_cli_opt_strs+1680)
+#define DISABLE_EXTENSIONS_name      (gnutls_cli_opt_strs+1699)
 #define DISABLE_EXTENSIONS_FLAGS     (OPTST_DISABLED)
 
 /*
  *  print-cert option description:
  */
-#define PRINT_CERT_DESC      (gnutls_cli_opt_strs+1715)
-#define PRINT_CERT_NAME      (gnutls_cli_opt_strs+1754)
-#define PRINT_CERT_name      (gnutls_cli_opt_strs+1765)
+#define PRINT_CERT_DESC      (gnutls_cli_opt_strs+1718)
+#define PRINT_CERT_NAME      (gnutls_cli_opt_strs+1757)
+#define PRINT_CERT_name      (gnutls_cli_opt_strs+1768)
 #define PRINT_CERT_FLAGS     (OPTST_DISABLED)
 
 /*
  *  recordsize option description:
  */
-#define RECORDSIZE_DESC      (gnutls_cli_opt_strs+1776)
-#define RECORDSIZE_NAME      (gnutls_cli_opt_strs+1813)
-#define RECORDSIZE_name      (gnutls_cli_opt_strs+1824)
+#define RECORDSIZE_DESC      (gnutls_cli_opt_strs+1779)
+#define RECORDSIZE_NAME      (gnutls_cli_opt_strs+1816)
+#define RECORDSIZE_name      (gnutls_cli_opt_strs+1827)
 #define RECORDSIZE_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
 
 /*
  *  dh-bits option description:
  */
-#define DH_BITS_DESC      (gnutls_cli_opt_strs+1835)
-#define DH_BITS_NAME      (gnutls_cli_opt_strs+1877)
-#define DH_BITS_name      (gnutls_cli_opt_strs+1885)
+#define DH_BITS_DESC      (gnutls_cli_opt_strs+1838)
+#define DH_BITS_NAME      (gnutls_cli_opt_strs+1880)
+#define DH_BITS_name      (gnutls_cli_opt_strs+1888)
 #define DH_BITS_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
 
 /*
  *  priority option description:
  */
-#define PRIORITY_DESC      (gnutls_cli_opt_strs+1893)
-#define PRIORITY_NAME      (gnutls_cli_opt_strs+1911)
-#define PRIORITY_name      (gnutls_cli_opt_strs+1920)
+#define PRIORITY_DESC      (gnutls_cli_opt_strs+1896)
+#define PRIORITY_NAME      (gnutls_cli_opt_strs+1914)
+#define PRIORITY_name      (gnutls_cli_opt_strs+1923)
 #define PRIORITY_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  x509cafile option description:
  */
-#define X509CAFILE_DESC      (gnutls_cli_opt_strs+1929)
-#define X509CAFILE_NAME      (gnutls_cli_opt_strs+1969)
-#define X509CAFILE_name      (gnutls_cli_opt_strs+1980)
+#define X509CAFILE_DESC      (gnutls_cli_opt_strs+1932)
+#define X509CAFILE_NAME      (gnutls_cli_opt_strs+1972)
+#define X509CAFILE_name      (gnutls_cli_opt_strs+1983)
 #define X509CAFILE_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  x509crlfile option description:
  */
-#define X509CRLFILE_DESC      (gnutls_cli_opt_strs+1991)
-#define X509CRLFILE_NAME      (gnutls_cli_opt_strs+2007)
-#define X509CRLFILE_name      (gnutls_cli_opt_strs+2019)
+#define X509CRLFILE_DESC      (gnutls_cli_opt_strs+1994)
+#define X509CRLFILE_NAME      (gnutls_cli_opt_strs+2010)
+#define X509CRLFILE_name      (gnutls_cli_opt_strs+2022)
 #define X509CRLFILE_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
 
 /*
  *  pgpkeyfile option description:
  */
-#define PGPKEYFILE_DESC      (gnutls_cli_opt_strs+2031)
-#define PGPKEYFILE_NAME      (gnutls_cli_opt_strs+2051)
-#define PGPKEYFILE_name      (gnutls_cli_opt_strs+2062)
+#define PGPKEYFILE_DESC      (gnutls_cli_opt_strs+2034)
+#define PGPKEYFILE_NAME      (gnutls_cli_opt_strs+2054)
+#define PGPKEYFILE_name      (gnutls_cli_opt_strs+2065)
 #define PGPKEYFILE_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
 
 /*
  *  pgpkeyring option description:
  */
-#define PGPKEYRING_DESC      (gnutls_cli_opt_strs+2073)
-#define PGPKEYRING_NAME      (gnutls_cli_opt_strs+2098)
-#define PGPKEYRING_name      (gnutls_cli_opt_strs+2109)
+#define PGPKEYRING_DESC      (gnutls_cli_opt_strs+2076)
+#define PGPKEYRING_NAME      (gnutls_cli_opt_strs+2101)
+#define PGPKEYRING_name      (gnutls_cli_opt_strs+2112)
 #define PGPKEYRING_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
 
 /*
  *  pgpcertfile option description:
  */
-#define PGPCERTFILE_DESC      (gnutls_cli_opt_strs+2120)
-#define PGPCERTFILE_NAME      (gnutls_cli_opt_strs+2161)
-#define PGPCERTFILE_name      (gnutls_cli_opt_strs+2173)
+#define PGPCERTFILE_DESC      (gnutls_cli_opt_strs+2123)
+#define PGPCERTFILE_NAME      (gnutls_cli_opt_strs+2164)
+#define PGPCERTFILE_name      (gnutls_cli_opt_strs+2176)
 #define PGPCERTFILE_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
 
 /*
  *  x509keyfile option description:
  */
-#define X509KEYFILE_DESC      (gnutls_cli_opt_strs+2185)
-#define X509KEYFILE_NAME      (gnutls_cli_opt_strs+2223)
-#define X509KEYFILE_name      (gnutls_cli_opt_strs+2235)
+#define X509KEYFILE_DESC      (gnutls_cli_opt_strs+2188)
+#define X509KEYFILE_NAME      (gnutls_cli_opt_strs+2226)
+#define X509KEYFILE_name      (gnutls_cli_opt_strs+2238)
 #define X509KEYFILE_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  x509certfile option description:
  */
-#define X509CERTFILE_DESC      (gnutls_cli_opt_strs+2247)
-#define X509CERTFILE_NAME      (gnutls_cli_opt_strs+2293)
-#define X509CERTFILE_name      (gnutls_cli_opt_strs+2306)
+#define X509CERTFILE_DESC      (gnutls_cli_opt_strs+2250)
+#define X509CERTFILE_NAME      (gnutls_cli_opt_strs+2296)
+#define X509CERTFILE_name      (gnutls_cli_opt_strs+2309)
 #define X509CERTFILE_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  pgpsubkey option description:
  */
-#define PGPSUBKEY_DESC      (gnutls_cli_opt_strs+2319)
-#define PGPSUBKEY_NAME      (gnutls_cli_opt_strs+2351)
-#define PGPSUBKEY_name      (gnutls_cli_opt_strs+2361)
+#define PGPSUBKEY_DESC      (gnutls_cli_opt_strs+2322)
+#define PGPSUBKEY_NAME      (gnutls_cli_opt_strs+2354)
+#define PGPSUBKEY_name      (gnutls_cli_opt_strs+2364)
 #define PGPSUBKEY_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  srpusername option description:
  */
-#define SRPUSERNAME_DESC      (gnutls_cli_opt_strs+2371)
-#define SRPUSERNAME_NAME      (gnutls_cli_opt_strs+2391)
-#define SRPUSERNAME_name      (gnutls_cli_opt_strs+2403)
+#define SRPUSERNAME_DESC      (gnutls_cli_opt_strs+2374)
+#define SRPUSERNAME_NAME      (gnutls_cli_opt_strs+2394)
+#define SRPUSERNAME_name      (gnutls_cli_opt_strs+2406)
 #define SRPUSERNAME_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  srppasswd option description:
  */
-#define SRPPASSWD_DESC      (gnutls_cli_opt_strs+2415)
-#define SRPPASSWD_NAME      (gnutls_cli_opt_strs+2435)
-#define SRPPASSWD_name      (gnutls_cli_opt_strs+2445)
+#define SRPPASSWD_DESC      (gnutls_cli_opt_strs+2418)
+#define SRPPASSWD_NAME      (gnutls_cli_opt_strs+2438)
+#define SRPPASSWD_name      (gnutls_cli_opt_strs+2448)
 #define SRPPASSWD_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  pskusername option description:
  */
-#define PSKUSERNAME_DESC      (gnutls_cli_opt_strs+2455)
-#define PSKUSERNAME_NAME      (gnutls_cli_opt_strs+2475)
-#define PSKUSERNAME_name      (gnutls_cli_opt_strs+2487)
+#define PSKUSERNAME_DESC      (gnutls_cli_opt_strs+2458)
+#define PSKUSERNAME_NAME      (gnutls_cli_opt_strs+2478)
+#define PSKUSERNAME_name      (gnutls_cli_opt_strs+2490)
 #define PSKUSERNAME_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  pskkey option description:
  */
-#define PSKKEY_DESC      (gnutls_cli_opt_strs+2499)
-#define PSKKEY_NAME      (gnutls_cli_opt_strs+2523)
-#define PSKKEY_name      (gnutls_cli_opt_strs+2530)
+#define PSKKEY_DESC      (gnutls_cli_opt_strs+2502)
+#define PSKKEY_NAME      (gnutls_cli_opt_strs+2526)
+#define PSKKEY_name      (gnutls_cli_opt_strs+2533)
 #define PSKKEY_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  port option description:
  */
-#define PORT_DESC      (gnutls_cli_opt_strs+2537)
-#define PORT_NAME      (gnutls_cli_opt_strs+2571)
-#define PORT_name      (gnutls_cli_opt_strs+2576)
+#define PORT_DESC      (gnutls_cli_opt_strs+2540)
+#define PORT_NAME      (gnutls_cli_opt_strs+2574)
+#define PORT_name      (gnutls_cli_opt_strs+2579)
 #define PORT_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  insecure option description:
  */
-#define INSECURE_DESC      (gnutls_cli_opt_strs+2581)
-#define INSECURE_NAME      (gnutls_cli_opt_strs+2642)
-#define INSECURE_name      (gnutls_cli_opt_strs+2651)
+#define INSECURE_DESC      (gnutls_cli_opt_strs+2584)
+#define INSECURE_NAME      (gnutls_cli_opt_strs+2645)
+#define INSECURE_name      (gnutls_cli_opt_strs+2654)
 #define INSECURE_FLAGS     (OPTST_DISABLED)
 
 /*
  *  benchmark-ciphers option description:
  */
-#define BENCHMARK_CIPHERS_DESC      (gnutls_cli_opt_strs+2660)
-#define BENCHMARK_CIPHERS_NAME      (gnutls_cli_opt_strs+2689)
-#define BENCHMARK_CIPHERS_name      (gnutls_cli_opt_strs+2707)
+#define BENCHMARK_CIPHERS_DESC      (gnutls_cli_opt_strs+2663)
+#define BENCHMARK_CIPHERS_NAME      (gnutls_cli_opt_strs+2692)
+#define BENCHMARK_CIPHERS_name      (gnutls_cli_opt_strs+2710)
 #define BENCHMARK_CIPHERS_FLAGS     (OPTST_DISABLED)
 
 /*
  *  benchmark-soft-ciphers option description:
  */
-#define BENCHMARK_SOFT_CIPHERS_DESC      (gnutls_cli_opt_strs+2725)
-#define BENCHMARK_SOFT_CIPHERS_NAME      (gnutls_cli_opt_strs+2784)
-#define BENCHMARK_SOFT_CIPHERS_name      (gnutls_cli_opt_strs+2807)
+#define BENCHMARK_SOFT_CIPHERS_DESC      (gnutls_cli_opt_strs+2728)
+#define BENCHMARK_SOFT_CIPHERS_NAME      (gnutls_cli_opt_strs+2787)
+#define BENCHMARK_SOFT_CIPHERS_name      (gnutls_cli_opt_strs+2810)
 #define BENCHMARK_SOFT_CIPHERS_FLAGS     (OPTST_DISABLED)
 
 /*
  *  benchmark-tls-kx option description:
  */
-#define BENCHMARK_TLS_KX_DESC      (gnutls_cli_opt_strs+2830)
-#define BENCHMARK_TLS_KX_NAME      (gnutls_cli_opt_strs+2865)
-#define BENCHMARK_TLS_KX_name      (gnutls_cli_opt_strs+2882)
+#define BENCHMARK_TLS_KX_DESC      (gnutls_cli_opt_strs+2833)
+#define BENCHMARK_TLS_KX_NAME      (gnutls_cli_opt_strs+2868)
+#define BENCHMARK_TLS_KX_name      (gnutls_cli_opt_strs+2885)
 #define BENCHMARK_TLS_KX_FLAGS     (OPTST_DISABLED)
 
 /*
  *  benchmark-tls-ciphers option description:
  */
-#define BENCHMARK_TLS_CIPHERS_DESC      (gnutls_cli_opt_strs+2899)
-#define BENCHMARK_TLS_CIPHERS_NAME      (gnutls_cli_opt_strs+2921)
-#define BENCHMARK_TLS_CIPHERS_name      (gnutls_cli_opt_strs+2943)
+#define BENCHMARK_TLS_CIPHERS_DESC      (gnutls_cli_opt_strs+2902)
+#define BENCHMARK_TLS_CIPHERS_NAME      (gnutls_cli_opt_strs+2924)
+#define BENCHMARK_TLS_CIPHERS_name      (gnutls_cli_opt_strs+2946)
 #define BENCHMARK_TLS_CIPHERS_FLAGS     (OPTST_DISABLED)
 
 /*
  *  list option description:
  */
-#define LIST_DESC      (gnutls_cli_opt_strs+2965)
-#define LIST_NAME      (gnutls_cli_opt_strs+3016)
-#define LIST_name      (gnutls_cli_opt_strs+3021)
+#define LIST_DESC      (gnutls_cli_opt_strs+2968)
+#define LIST_NAME      (gnutls_cli_opt_strs+3019)
+#define LIST_name      (gnutls_cli_opt_strs+3024)
 #define LIST_FLAGS     (OPTST_DISABLED)
 
 /*
  *  Help/More_Help/Version option descriptions:
  */
-#define HELP_DESC       (gnutls_cli_opt_strs+3026)
-#define HELP_name       (gnutls_cli_opt_strs+3070)
+#define HELP_DESC       (gnutls_cli_opt_strs+3029)
+#define HELP_name       (gnutls_cli_opt_strs+3073)
 #ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC  (gnutls_cli_opt_strs+3075)
-#define MORE_HELP_name  (gnutls_cli_opt_strs+3120)
+#define MORE_HELP_DESC  (gnutls_cli_opt_strs+3078)
+#define MORE_HELP_name  (gnutls_cli_opt_strs+3123)
 #define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
 #else
 #define MORE_HELP_DESC  NULL
@@ -575,8 +577,8 @@ static char const gnutls_cli_opt_strs[3605] =
 #  define VER_FLAGS     (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
                          OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
 #endif
-#define VER_DESC        (gnutls_cli_opt_strs+3130)
-#define VER_name        (gnutls_cli_opt_strs+3166)
+#define VER_DESC        (gnutls_cli_opt_strs+3133)
+#define VER_name        (gnutls_cli_opt_strs+3169)
 /*
  *  Declare option callback procedures
  */
@@ -703,7 +705,7 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* must/cannot opts */ NULL, NULL,
      /* option proc      */ NULL,
      /* desc, NAME, name */ OCSP_STATUS_REQUEST_DESC, 
OCSP_STATUS_REQUEST_NAME, OCSP_STATUS_REQUEST_name,
-     /* disablement strs */ NULL, NULL },
+     /* disablement strs */ NOT_OCSP_STATUS_REQUEST_name, 
NOT_OCSP_STATUS_REQUEST_PFX },
 
   {  /* entry idx, value */ 9, VALUE_OPT_STARTTLS,
      /* equiv idx, value */ 9, VALUE_OPT_STARTTLS,
@@ -1109,14 +1111,14 @@ static tOptDesc optDesc[OPTION_CT] = {
  *
  *  Define the gnutls-cli Option Environment
  */
-#define zPROGNAME       (gnutls_cli_opt_strs+3174)
-#define zUsageTitle     (gnutls_cli_opt_strs+3185)
+#define zPROGNAME       (gnutls_cli_opt_strs+3177)
+#define zUsageTitle     (gnutls_cli_opt_strs+3188)
 #define zRcName         NULL
 #define apzHomeList     NULL
-#define zBugsAddr       (gnutls_cli_opt_strs+3298)
-#define zExplain        (gnutls_cli_opt_strs+3317)
-#define zDetail         (gnutls_cli_opt_strs+3320)
-#define zFullVersion    (gnutls_cli_opt_strs+3504)
+#define zBugsAddr       (gnutls_cli_opt_strs+3301)
+#define zExplain        (gnutls_cli_opt_strs+3320)
+#define zDetail         (gnutls_cli_opt_strs+3323)
+#define zFullVersion    (gnutls_cli_opt_strs+3507)
 /* extracted from optcode.tlib near line 350 */
 
 #if defined(ENABLE_NLS)
@@ -1130,7 +1132,7 @@ static tOptDesc optDesc[OPTION_CT] = {
 
 #define gnutls_cli_full_usage (NULL)
 
-#define gnutls_cli_short_usage (gnutls_cli_opt_strs+3525)
+#define gnutls_cli_short_usage (gnutls_cli_opt_strs+3528)
 
 #endif /* not defined __doxygen__ */
 
diff --git a/src/cli-args.def b/src/cli-args.def
index 79d9b71..6a4d717 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -58,6 +58,8 @@ flag = {
 flag = {
     name      = ocsp-status-request;
     descrip   = "Enable OCSP status request";
+    enabled;
+    disable   = "no";
     doc       = "The client will indicate to the server in a TLS extension 
that it wants a OCSP status request.";
 };
 
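Review bot: the `descrip` and `doc` strings still read as if the status request were opt-in ("Enable OCSP status request", "The client will indicate to the server ... that it wants a OCSP status request"), but with `enabled;` and `disable = "no";` the request is sent by default and the user-facing switch becomes `--no-ocsp-status-request`. Suggest rewording so the help reflects the default, e.g. `descrip = "Enable OCSP status request (default)";` and a doc sentence stating that the extension is sent unless disabled; while here, "a OCSP" should be "an OCSP".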
diff --git a/src/cli-args.h b/src/cli-args.h
index 86e710b..0085141 100644
--- a/src/cli-args.h
+++ b/src/cli-args.h
@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (cli-args.h)
  *  
- *  It has been AutoGen-ed  September 30, 2012 at 03:25:07 PM by AutoGen 5.16
+ *  It has been AutoGen-ed  October  4, 2012 at 07:09:10 PM by AutoGen 5.16
  *  From the definitions    cli-args.def
  *  and the template file   options
  *
diff --git a/src/cli.c b/src/cli.c
index 6d99572..410e1dc 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -403,7 +403,7 @@ cert_verify_callback (gnutls_session_t session)
       if (!insecure && !ssh)
         return -1;
     }
-  else if (ENABLED_OPT(OCSP) || status_request_ocsp)
+  else if (ENABLED_OPT(OCSP))
     { /* off-line verification succeeded. Try OCSP */
       rc = cert_verify_ocsp(session);
       if (rc == 0)
@@ -605,7 +605,6 @@ init_tls_session (const char *hostname)
 
   gnutls_certificate_set_retrieve_function2 (xcred, cert_callback);
   gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
-  gnutls_certificate_set_verify_flags (xcred, 0);
 
   /* send the fingerprint */
 #ifdef ENABLE_OPENPGP
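Review bot: removing `gnutls_certificate_set_verify_flags (xcred, 0);` changes the behaviour from "always clear the verify flags" to "keep whatever the credentials carry by default". Since this was the only explicit assignment in `init_tls_session`, a one-line comment next to `gnutls_certificate_set_verify_function` noting that the default verify flags are intentionally relied on would document the decision for the next reader.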
@@ -1103,7 +1102,7 @@ const char* rest = NULL;
     }
 
   record_max_size = OPT_VALUE_RECORDSIZE;
-  status_request_ocsp = HAVE_OPT(OCSP_STATUS_REQUEST);
+  status_request_ocsp = ENABLED_OPT(OCSP_STATUS_REQUEST);
   if (ENABLED_OPT(OCSP))
     status_request_ocsp = 1;
   
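Review bot: switching to `ENABLED_OPT(OCSP_STATUS_REQUEST)` is required by the new `disable = "no"` form, since `HAVE_OPT` would also report true for `--no-ocsp-status-request`; note, however, that the following `if (ENABLED_OPT(OCSP)) status_request_ocsp = 1;` still overrides an explicit `--no-ocsp-status-request` whenever `--ocsp` is given. If that precedence is intended, state it in the option help; otherwise consider honouring the explicit negation.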
@@ -1486,26 +1485,6 @@ cert_verify_ocsp (gnutls_session_t session)
       goto cleanup;
     }
 
-  if (status_request_ocsp)
-    { /* try the server's OCSP response */
-      ret = gnutls_ocsp_status_request_get(session, &resp);
-      if (ret < 0 && !ENABLED_OPT(OCSP))
-        {
-          if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
-            fprintf(stderr, "gnutls_ocsp_status_request_get: %s\n", 
gnutls_strerror(ret));
-          ret = -1;
-          goto cleanup;
-        }
-      
-      if (ret >= 0)
-        {
-          ret = check_ocsp_response(crt, issuer, &resp);
-          if (ret >= 0 || !ENABLED_OPT(OCSP))
-            goto cleanup;
-        }
-    }
-    
-    
   ret = send_ocsp_request(NULL, crt, issuer, &resp, 1);
   if (ret < 0)
     {
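Review bot: with this block gone, `cert_verify_ocsp()` proceeds straight to `send_ocsp_request()`, so the client's `--ocsp` check now always needs a reachable responder and never consults the response the server stapled; the `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` distinction and the `!ENABLED_OPT(OCSP)` fallback are lost with it. If the stapled response is validated elsewhere before this function runs, say so in a comment above `send_ocsp_request`; otherwise a stapled-but-invalid response would only be caught by the live query.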


hooks/post-receive
-- 
GNU gnutls


