author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-28 11:06:16 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-28 11:06:16 +0200 |
commit | 2c7a885d9e670bb64e193330427480f4cc4b3104 (patch) | |
tree | 03000bb2c1a93d39d0f4fadd6c21841b1a156fa4 | |
parent | 3d5eefe2dcdb3b92e5222ff5d658445671a7c4ba (diff) | |
download | gnutls-2c7a885d9e670bb64e193330427480f4cc4b3104.tar.gz |
DANE verification is advisory when tofu is being used.
-rw-r--r-- | src/cli.c | 81 |
1 files changed, 41 insertions, 40 deletions
@@ -422,16 +422,16 @@ static int cert_verify_callback(gnutls_session_t session)
 unsigned int status = 0;
 int ssh = ENABLED_OPT(TOFU);
 int strictssh = ENABLED_OPT(STRICT_TOFU);
- if (strictssh) {
- ssh = strictssh;
- }
-
 #ifdef HAVE_DANE
 int dane = ENABLED_OPT(DANE);
 #endif
 int ca_verify = ENABLED_OPT(CA_VERIFICATION);
 const char *txt_service;
+ if (strictssh) {
+ ssh = strictssh;
+ }
+
 print_cert_info(session, verbose, print_cert);
 if (ca_verify) {
@@ -453,6 +453,43 @@ static int cert_verify_callback(gnutls_session_t session)
 }
 }
+#ifdef HAVE_DANE
+ if (dane) { /* try DANE auth */
+ int port;
+ unsigned int sflags =
+ ENABLED_OPT(LOCAL_DNS) ? 0 :
+ DANE_F_IGNORE_LOCAL_RESOLVER;
+
+ port = service_to_port(service);
+ rc = dane_verify_session_crt(NULL, session, hostname,
+ udp ? "udp" : "tcp", port,
+ sflags, 0, &status);
+ if (rc < 0) {
+ fprintf(stderr,
+ "*** DANE verification error: %s\n",
+ dane_strerror(rc));
+ if (!insecure && !ssh)
+ return -1;
+ } else {
+ gnutls_datum_t out;
+
+ rc = dane_verification_status_print(status, &out,
+ 0);
+ if (rc < 0) {
+ fprintf(stderr, "*** DANE error: %s\n",
+ dane_strerror(rc));
+ } else {
+ fprintf(stderr, "- DANE: %s\n", out.data);
+ gnutls_free(out.data);
+ }
+
+ if (!insecure && !ssh)
+ return -1;
+ }
+
+ }
+#endif
+
 if (ssh) { /* try ssh auth */
 unsigned int list_size;
 const gnutls_datum_t *cert;
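Review bot: In the second hunk (@@ -453), the success branch of the moved DANE block returns -1 whenever `!insecure && !ssh` without ever looking at `status`, the value `dane_verify_session_crt` fills in; the `rc < 0` branch only covers lookup or library errors, so as far as the hunk shows a peer whose certificate matches its TLSA record is still refused unless --insecure or TOFU is set, which reads as the opposite of the intended "advisory" behaviour. If verification outcome is indeed reported through `status` rather than a negative `rc` (worth confirming against the dane API), the final check should be `if (status != 0 && !insecure && !ssh) return -1;`. A short comment above the block would also make the new policy explicit, e.g. `/* DANE is fatal only without --insecure and without TOFU; with TOFU the ssh block below decides */`. cert_verify_callback begins before this hunk and continues after it.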
@@ -520,42 +557,6 @@ static int cert_verify_callback(gnutls_session_t session) gnutls_strerror(rc)); } } -#ifdef HAVE_DANE - if (dane) { /* try DANE auth */ - int port; - unsigned int sflags = - ENABLED_OPT(LOCAL_DNS) ? 0 : - DANE_F_IGNORE_LOCAL_RESOLVER; - - port = service_to_port(service); - rc = dane_verify_session_crt(NULL, session, hostname, - udp ? "udp" : "tcp", port, - sflags, 0, &status); - if (rc < 0) { - fprintf(stderr, - "*** DANE verification error: %s\n", - dane_strerror(rc)); - if (!insecure) - return -1; - } else { - gnutls_datum_t out; - - rc = dane_verification_status_print(status, &out, - 0); - if (rc < 0) { - fprintf(stderr, "*** DANE error: %s\n", - dane_strerror(rc)); - } else { - fprintf(stderr, "- DANE: %s\n", out.data); - gnutls_free(out.data); - } - - if (!insecure) - return -1; - } - - } -#endif return 0; } |