author | Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> | 2014-02-22 18:43:17 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-02-23 08:27:26 +0100 |
commit | bcb8729400395e1ad432e898d79159fc29c22e6e (patch) | |
tree | 6586b10a3b5f591fa270196000f702958277469a /src/cli.c | |
parent | bc7182404096cdfefec1abb3836a168b5eeecc48 (diff) | |
download | gnutls-bcb8729400395e1ad432e898d79159fc29c22e6e.tar.gz |
New option --stricttofu for gnutls-cli
With option --tofu, gnutls-cli prompts with a yes/no question upon
certificate changes. I added the option --stricttofu, which omits the
question and fails instead.
The contribution is in accordance to the "Developer's Certificate of
Origin" as found in the file doc/DCO.txt.
Best wishes
Jens
Signed-off-by: Jens Lechtenbörger <jens.lechtenboerger@fsfe.org>
Diffstat (limited to 'src/cli.c')
-rw-r--r-- | src/cli.c | 16 |
1 files changed, 12 insertions, 4 deletions
@@ -421,6 +421,11 @@ static int cert_verify_callback(gnutls_session_t session)
 int rc;
 unsigned int status = 0;
 int ssh = ENABLED_OPT(TOFU);
+ int strictssh = ENABLED_OPT(STRICT_TOFU);
+ if (strictssh) {
+ ssh = strictssh;
+ }
+
 #ifdef HAVE_DANE
 int dane = ENABLED_OPT(DANE);
 #endif
@@ -490,10 +495,13 @@ static int cert_verify_callback(gnutls_session_t session)
 "Its certificate is valid for %s.\n", hostname);
- rc = read_yesno
- ("Do you trust the received key? (y/N): ");
- if (rc == 0)
- return -1;
+ if (strictssh == 0) {
+ rc = read_yesno
+ ("Do you trust the received key? (y/N): ");
+ if (rc == 0)
+ return -1;
+ } else return -1;
+
 } else if (rc < 0) {
 fprintf(stderr, "gnutls_verify_stored_pubkey: %s\n", |
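Review bot: In the second hunk the strict branch `} else return -1;` rejects the changed key without saying why, so the user sees the key-change warning and the "Its certificate is valid for" line and then an unexplained failure, whereas the non-strict branch at least shows the prompt. Printing the reason before returning, `} else {` / `fprintf(stderr, "Strict TOFU mode: refusing the changed key.\n");` / `return -1; }`, would make the fail-closed decision visible in the output and also replace the braceless single-line else. In the first hunk, `if (strictssh) { ssh = strictssh; }` copies the flag's value rather than stating the intent; `if (strictssh) ssh = 1; /* strict TOFU implies TOFU */` reads more directly. The commit message names the option --stricttofu while the option identifier is STRICT_TOFU; the user-facing spelling is defined outside this diff and is worth confirming. cert_verify_callback begins before the first hunk and continues past the second.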