From 75d6d2ca7daaedc9ebe7930439f3c31b2fbf5f60 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Fri, 4 Nov 2016 05:13:13 +0000
Subject: Add ocsp_require_stapling config option for tls - allows a connection to indicate that it requires the peer to provide a stapled OCSP response with the handshake. Provide a "-T muststaple" for nc that uses it. ok jsing@, guenther@
---
 src/usr.bin/nc/nc.1 | 12 +++++++-----
 src/usr.bin/nc/netcat.c | 6 +++++-
 2 files changed, 12 insertions(+), 6 deletions(-)
(limited to 'src/usr.bin/nc')
diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index 8b7c92aa63..313ec1f19c 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.74 2016/07/02 05:58:00 jmc Exp $
+.\" $OpenBSD: nc.1,v 1.75 2016/11/04 05:13:13 beck Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 2 2016 $
+.Dd $Mdocdate: November 4 2016 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -229,10 +229,12 @@ which allows legacy TLS protocols;
 .Ar noverify ,
 which disables certificate verification;
 .Ar noname ,
-which disables certificate name checking; or
+which disables certificate name checking;
 .Ar clientcert ,
-which requires a client certificate on incoming connections.
-It is illegal to specify TLS options if not using TLS.
+which requires a client certificate on incoming connections; or
+.Ar muststaple ,
+which requires the peer to provide a valid stapled OCSP response
+with the handshake. It is illegal to specify TLS options if not using TLS.
 .Pp
 For IPv4 TOS value
 .Ar keyword
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 6b05b3fdf7..b71c0426dc 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.166 2016/11/03 15:54:39 beck Exp $ */
+/* $OpenBSD: netcat.c,v 1.167 2016/11/04 05:13:13 beck Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -71,6 +71,7 @@
 #define TLS_NOVERIFY (1 << 2)
 #define TLS_NONAME (1 << 3)
 #define TLS_CCERT (1 << 4)
+#define TLS_MUSTSTAPLE (1 << 5)
 
 /* Command Line Options */
 int dflag; /* detached, no stdin */
@@ -468,6 +469,8 @@ main(int argc, char *argv[])
 "together");
 tls_config_insecure_noverifycert(tls_cfg);
 }
+ if (TLSopt & TLS_MUSTSTAPLE)
+ tls_config_ocsp_require_stapling(tls_cfg);
 
 if (Pflag) {
 if (pledge("stdio inet dns tty", NULL) == -1)
@@ -1502,6 +1505,7 @@ map_tls(char *s, int *val)
 { "noverify", TLS_NOVERIFY },
 { "noname", TLS_NONAME },
 { "clientcert", TLS_CCERT},
+ { "muststaple", TLS_MUSTSTAPLE},
 { NULL, -1 },
 };
 
-- 
cgit v1.2.3-55-g6feb
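Review bot: The new `if (TLSopt & TLS_MUSTSTAPLE)` branch in the main() hunk applies the option without the combination checks the surrounding code applies to the other TLS options (the `"together")` error just above it), so `-T muststaple` is accepted together with `-T noverify` and on a listening (`-l`) socket. With certificate verification disabled a mandatory staple gives little assurance, and on the server side a TLS client does not staple, so the requirement presumably never takes effect there; this is inferred from libtls semantics rather than from lines in the hunk. I would either reject the conflicting pair the way the neighbouring options are rejected, e.g. `if ((TLSopt & TLS_MUSTSTAPLE) && (TLSopt & TLS_NOVERIFY)) errx(1, "cannot use -T muststaple and -T noverify together");`, or state in the nc.1 entry that muststaple applies to outgoing connections only. The enclosing block and main() continue outside the hunk.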