[gnutls-devel] [PATCH] New option --stricttofu for gnutls-cli

Jens Lechtenboerger jens.lechtenboerger at fsfe.org
Sat Feb 22 18:43:17 CET 2014


With option --tofu, gnutls-cli waits with a yes/no question upon
certificate changes.  I added the option --stricttofu that omits the
question and fails instead.

The contribution is in accordance with the "Developer's Certificate of
Origin" as found in the file doc/DCO.txt.

Best wishes
Jens

Signed-off-by: Jens Lechtenbörger <jens.lechtenboerger at fsfe.org>
---
 src/cli-args.def |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/src/cli-args.def b/src/cli-args.def
index 6f9c722..db69a0d 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -21,6 +21,14 @@ flag = {
 };
 
 flag = {
+    name      = stricttofu;
+    descrip   = "Fail to connect if a known certificate has changed";
+    disabled;
+    disable   = "no";
+    doc       = "This option will perform authentication as with option --tofu; however, while --tofu asks whether to trust a changed certificate, this option will fail in case of certificate changes.";
+};
+
+flag = {
     name      = dane;
     descrip   = "Enable DANE certificate verification (DNSSEC)";
     disabled;
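Review bot: the doc string for stricttofu should say that the option implies --tofu, because the matching cli.c change sets `ssh = strictssh` so the user does not need to pass both; as written, "perform authentication as with option --tofu" can be read as requiring --tofu to be given as well. It would also help to state what happens on first contact with a host (the key is stored, as with --tofu) so that readers know the failure applies only to a changed key, not to an unknown one.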
@@ -421,4 +429,3 @@ $ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile MYCERT
 Notice that the private key only differs from the certificate in the object-type.
 _EOF_;
 };
-
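Review bot: this hunk only drops a trailing blank line at the end of src/cli-args.def and is unrelated to the new option; keep the patch limited to the stricttofu change and leave whitespace cleanup to a separate commit, since it adds review noise and can cause spurious conflicts for other pending patches touching this file.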
-- 
1.7.1


Signed-off-by: Jens Lechtenbörger <jens.lechtenboerger at fsfe.org>
---
 src/cli.c |   16 ++++++++++++----
 1 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/cli.c b/src/cli.c
index 68004aa..2c78e93 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -421,6 +421,11 @@ static int cert_verify_callback(gnutls_session_t session)
 	int rc;
 	unsigned int status = 0;
 	int ssh = ENABLED_OPT(TOFU);
+	int strictssh = ENABLED_OPT(STRICTTOFU);
+	if (strictssh) {
+		ssh = strictssh;
+	}
+
 #ifdef HAVE_DANE
 	int dane = ENABLED_OPT(DANE);
 #endif
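Review bot: the `if (strictssh) { ssh = strictssh; }` block can be folded into the initialiser, e.g. `int ssh = ENABLED_OPT(TOFU) || ENABLED_OPT(STRICTTOFU);`, which removes a statement and keeps `strictssh` as a plain flag. As it stands, the `if` statement now precedes the `int dane = ENABLED_OPT(DANE);` declaration inside `#ifdef HAVE_DANE`, which is a declaration after a statement; that is fine for C99 but will not build with a strict C89 compiler, so either keep the declarations together at the top of the function or confirm the project has already dropped C89 support.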
@@ -490,10 +495,13 @@ static int cert_verify_callback(gnutls_session_t session)
 					"Its certificate is valid for %s.\n",
 					hostname);
 
-			rc = read_yesno
-			    ("Do you trust the received key? (y/N): ");
-			if (rc == 0)
-				return -1;
+			if (strictssh == 0) {
+				rc = read_yesno
+					("Do you trust the received key? (y/N): ");
+				if (rc == 0)
+					return -1;
+			} else return -1;
+
 		} else if (rc < 0) {
 			fprintf(stderr,
 				"gnutls_verify_stored_pubkey: %s\n",
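Review bot: the strict branch `} else return -1;` refuses the connection silently after the preceding fprintf has only said "Its certificate is valid for %s."; print a short explanation to stderr first (for example that the stored public key for the host has changed and --stricttofu is set) so the user can tell a deliberate refusal apart from a network or handshake failure, and use braces on that `else` to match the surrounding style. Consider also whether the inverted `if (strictssh == 0) ... else` reads better as `if (strictssh) { ...; return -1; }` followed by the unchanged prompt code, which keeps the original `read_yesno` lines intact and makes the diff smaller.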
-- 
1.7.1


