From 172b2beba6b89b632c09be7a88645e3a0607cfe9 Mon Sep 17 00:00:00 2001
From: Jay Satiro
Date: Fri, 17 Jul 2015 02:40:16 -0400
Subject: SSL: Add an option to disable certificate revocation checks

New tool option --ssl-no-revoke.

New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.

Currently this option applies only to WinSSL where we have automatic certificate revocation checking by default. According to the ssl-compared chart there are other backends that have automatic checking (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at some later point.

Bug: https://github.com/bagder/curl/issues/264
Reported-by: zenden2k
---
 src/tool_cfgable.h | 1 +
 src/tool_getparam.c | 6 ++++++
 src/tool_help.c | 1 +
 src/tool_operate.c | 5 +++--
 src/tool_setopt.c | 6 ++++++
 src/tool_setopt.h | 2 ++
 6 files changed, 19 insertions(+), 2 deletions(-)
(limited to 'src')

diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index 048eb4ffe..c6a691447 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -199,6 +199,7 @@ struct OperationConfig {
 bool xattr; /* store metadata in extended attributes */
 long gssapi_delegation;
 bool ssl_allow_beast; /* allow this SSL vulnerability */
+ bool ssl_no_revoke; /* disable SSL certificate revocation checks */
 bool use_metalink; /* process given URLs as metalink XML file */
 metalinkfile *metalinkfile_list; /* point to the first node */
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 339fb7b5d..4405bce87 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -221,6 +221,7 @@ static const struct LongShort aliases[]= {
 {"Ep", "pinnedpubkey", TRUE},
 {"Eq", "cert-status", FALSE},
 {"Er", "false-start", FALSE},
+ {"Es", "ssl-no-revoke", FALSE},
 {"f", "fail", FALSE},
 {"F", "form", TRUE},
 {"Fs", "form-string", TRUE},
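Review bot: The comment on the added `ssl_no_revoke` field says what the flag switches off but not that it weakens certificate validation, whereas the neighbouring `ssl_allow_beast` comment explicitly calls its feature "this SSL vulnerability"; the struct comment is the first thing a maintainer grepping for the field will read. The commit message also states that only the WinSSL backend honours the option at present, and that scope is not visible anywhere in the struct. I would carry both facts into the comment: `bool ssl_no_revoke; /* disable SSL cert revocation checks (weakens validation; currently only honoured by WinSSL) */`. `struct OperationConfig` starts before this hunk.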
@@ -1382,6 +1383,11 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
 config->falsestart = TRUE;
 break;
+ case 's': /* --ssl-no-revoke */ if(curlinfo->features & CURL_VERSION_SSL) config->ssl_no_revoke = TRUE; break;
+
 default: /* certificate file */
 {
 char *certname, *passphrase;
diff --git a/src/tool_help.c b/src/tool_help.c
index e0c45954b..6ad51cb5b 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -214,6 +214,7 @@ static const char *const helptext[] = {
 " -2, --sslv2 Use SSLv2 (SSL)",
 " -3, --sslv3 Use SSLv3 (SSL)",
 " --ssl-allow-beast Allow security flaw to improve interop (SSL)",
+ " --ssl-no-revoke Disable cert revocation checks (WinSSL)",
 " --stderr FILE Where to redirect stderr (use \"-\" for stdout)",
 " --tcp-nodelay Use the TCP_NODELAY option",
 " -t, --telnet-option OPT=VAL Set telnet option",
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 4c6ff854c..1180555fa 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1328,8 +1328,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
 config->gssapi_delegation);
 /* new in 7.25.0 */
- if(config->ssl_allow_beast)
- my_setopt(curl, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_ALLOW_BEAST);
+ my_setopt_bitmask(curl, CURLOPT_SSL_OPTIONS, (long)((config->ssl_allow_beast ? CURLSSLOPT_ALLOW_BEAST : 0) | (config->ssl_no_revoke ? CURLSSLOPT_NO_REVOKE : 0)));
 if(config->mail_auth)
 my_setopt_str(curl, CURLOPT_MAIL_AUTH, config->mail_auth);
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
index a53fdc835..7eb64b039 100644
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@@ -107,6 +107,12 @@ const NameValue setopt_nv_CURLUSESSL[] = {
 NVEND,
 };
+const NameValueUnsigned setopt_nv_CURLSSLOPT[] = {
+ NV(CURLSSLOPT_ALLOW_BEAST),
+ NV(CURLSSLOPT_NO_REVOKE),
+ NVEND,
+};
+
 const NameValue setopt_nv_CURL_NETRC[] = {
 NV(CURL_NETRC_IGNORED),
 NV(CURL_NETRC_OPTIONAL),
diff --git a/src/tool_setopt.h b/src/tool_setopt.h
index fcba94cb2..b32adf988 100644
--- a/src/tool_setopt.h
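Review bot: The new `case 's'` sets `config->ssl_no_revoke` only when `CURL_VERSION_SSL` is in `curlinfo->features` and otherwise drops the flag without a word, and per the commit message even SSL builds other than WinSSL ignore `CURLSSLOPT_NO_REVOKE`, so `curl --ssl-no-revoke` on an OpenSSL or no-SSL build exits successfully with no sign that revocation handling is unchanged. For a flag whose whole purpose is to alter certificate validation that silence cuts both ways: a script written against a Windows build will assume checking is off when it is not. If `warnf()` and the global config are reachable here (the enclosing `getparameter()` starts before this hunk, so I cannot see what is in scope), I would at least warn on the no-SSL path, `else warnf(config->global, "--ssl-no-revoke ignored, this build has no SSL support\n");`, and the diffstat is limited to src/ so I cannot tell whether the manual page spells out the WinSSL-only scope.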
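Review bot: The added help line describes the mechanism but not the consequence: unlike the `--ssl-allow-beast` entry directly above it, which calls itself a security flaw, nothing tells the user that with this flag a certificate the CA has revoked, typically because its private key leaked, is accepted as valid. Since `--help` is often the only documentation read before a flag is pasted into a script, I would put the warning in the line itself, e.g. `--ssl-no-revoke Disable cert revocation checks, insecure (WinSSL)`, keeping the description within the width the neighbouring entries use (the column alignment is not visible in this collapsed view).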
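Review bot: The `my_setopt_bitmask()` call that replaces the removed `if(config->ssl_allow_beast)` guard now runs unconditionally, so `CURLOPT_SSL_OPTIONS` is set even when both flags are off and the computed value is 0. That is harmless for the transfer itself, but it changes `--libcurl` source generation unless the bitmask helper skips zero values, which I cannot confirm from this hunk because `tool_setopt_bitmask()` is not in view; a quick check that `curl --libcurl` output for a plain run does not gain a `CURLOPT_SSL_OPTIONS` line would settle it. The `/* new in 7.25.0 */` context comment now sits above a call that also sets a bit introduced by this commit, so I would note the newer bit's release next to it so the version gate reads correctly for both. `operate_do()` starts before this hunk.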
+++ b/src/tool_setopt.h
@@ -52,6 +52,7 @@ extern const NameValue setopt_nv_CURL_SSLVERSION[];
 extern const NameValue setopt_nv_CURL_TIMECOND[];
 extern const NameValue setopt_nv_CURLFTPSSL_CCC[];
 extern const NameValue setopt_nv_CURLUSESSL[];
+extern const NameValueUnsigned setopt_nv_CURLSSLOPT[];
 extern const NameValue setopt_nv_CURL_NETRC[];
 extern const NameValue setopt_nv_CURLPROTO[];
 extern const NameValueUnsigned setopt_nv_CURLAUTH[];
@@ -63,6 +64,7 @@ extern const NameValueUnsigned setopt_nv_CURLAUTH[];
 #define setopt_nv_CURLOPT_TIMECONDITION setopt_nv_CURL_TIMECOND
 #define setopt_nv_CURLOPT_FTP_SSL_CCC setopt_nv_CURLFTPSSL_CCC
 #define setopt_nv_CURLOPT_USE_SSL setopt_nv_CURLUSESSL
+#define setopt_nv_CURLOPT_SSL_OPTIONS setopt_nv_CURLSSLOPT
 #define setopt_nv_CURLOPT_NETRC setopt_nv_CURL_NETRC
 #define setopt_nv_CURLOPT_PROTOCOLS setopt_nv_CURLPROTO
 #define setopt_nv_CURLOPT_REDIR_PROTOCOLS setopt_nv_CURLPROTO
-- cgit v1.2.3