From f07811ee2c0a8044551e2ec063eda61cff7f6e39 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Fri, 17 Feb 2017 21:31:33 +0100
Subject: dirmngr: Add option --no-crl to the VALIDATE cmd.

* dirmngr/validate.h: Remove enums VALIDATE_MODE_*.
(VALIDATE_FLAG_SYSTRUST, VALIDATE_FLAG_EXTRATRUST)
(VALIDATE_FLAG_CRL, VALIDATE_FLAG_RECURSIVE)
(VALIDATE_FLAG_OCSP, VALIDATE_FLAG_TLS)
(VALIDATE_FLAG_NOCRLCHECK): New constants.
* dirmngr/validate.c (validate_cert_chain): Change arg 'mode' to
'flags'.  Change code accordingly.  Remove NO-CRL in TLS mode kludge.
* dirmngr/crlcache.c (crl_parse_insert): Change to use flag values for
the validate_cert_chain call.
* dirmngr/server.c (cmd_validate): Ditto.  Add new option --no-crl.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 dirmngr/validate.h | 37 +++++++++++++++++--------------------
 1 file changed, 17 insertions(+), 20 deletions(-)

(limited to 'dirmngr/validate.h')

diff --git a/dirmngr/validate.h b/dirmngr/validate.h
index 376d99d60..b6222b51f 100644
--- a/dirmngr/validate.h
+++ b/dirmngr/validate.h
@@ -22,38 +22,35 @@
 #define VALIDATE_H
 
 
-enum {
-  /* Simple certificate validation mode. */
-  VALIDATE_MODE_CERT = 0,
+/* Make use of the system provided root certificates.  */
+#define VALIDATE_FLAG_SYSTRUST     1
 
-  /* Same as MODE_CERT but using the system provided root
-   * certificates.  */
-  VALIDATE_MODE_CERT_SYSTRUST,
+/* Make use of extra provided root certificates.  */
+#define VALIDATE_FLAG_EXTRATRUST   2
 
-  /* Same as MODE_CERT but uses a provided list of certificates.  */
-  VALIDATE_MODE_TLS,
+/* Standard CRL issuer certificate validation; i.e. CRLs are not
+ * considered for CRL issuer certificates.  */
+#define VALIDATE_FLAG_CRL          4
 
-  /* Same as MODE_TLS but using the system provided root
-   * certificates.  */
-  VALIDATE_MODE_TLS_SYSTRUST,
+/* If this flag is set along with VALIDATE_FLAG_CRL a full CRL
+ * verification is done.  */
+#define VALIDATE_FLAG_RECURSIVE    8
 
-  /* Standard CRL issuer certificate validation; i.e. CRLs are not
-     considered for CRL issuer certificates. */
-  VALIDATE_MODE_CRL,
+/* Validation mode as used for OCSP.  */
+#define VALIDATE_FLAG_OCSP        16
 
-  /* Full CRL validation. */
-  VALIDATE_MODE_CRL_RECURSIVE,
+/* Validation mode as used with TLS.  */
+#define VALIDATE_FLAG_TLS         32
 
-  /* Validation as used for OCSP. */
-  VALIDATE_MODE_OCSP
-};
+/* Don't do CRL checks.  */
+#define VALIDATE_FLAG_NOCRLCHECK  64
 
 
 /* Validate the certificate CHAIN up to the trust anchor. Optionally
    return the closest expiration time in R_EXPTIME. */
 gpg_error_t validate_cert_chain (ctrl_t ctrl,
                                  ksba_cert_t cert, ksba_isotime_t r_exptime,
-                                 int mode, char **r_trust_anchor);
+                                 unsigned int flags, char **r_trust_anchor);
 
 /* Return 0 if the certificate CERT is usable for certification.  */
 gpg_error_t check_cert_use_cert (ksba_cert_t cert);
-- 
cgit v1.2.3