From: Nikos Mavrogiannopoulos Date: Fri, 18 Apr 2014 09:02:38 +0000 (+0200) Subject: Both DANE and PKI verification are advisory when --tofu is being used. X-Git-Tag: gnutls_3_3_1~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4115be3a4eeb58477ce89d66fef88b9b1b8cf63;p=thirdparty%2Fgnutls.git Both DANE and PKI verification are advisory when --tofu is being used. --- diff --git a/src/cli-args.def b/src/cli-args.def index 1b3354491d..ddca613e22 100644 --- a/src/cli-args.def +++ b/src/cli-args.def @@ -17,7 +17,10 @@ flag = { descrip = "Enable trust on first use authentication"; disabled; disable = "no"; - doc = "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication. Note that tofu will take precedence over certificate (PKI) authentication."; + doc = "This option will, in addition to certificate authentication, perform authentication +based on previously seen public keys, a model similar to SSH authentication. Note that when tofu +is specified (PKI) and DANE authentication will become advisory to assist the public key acceptance +process."; }; flag = { diff --git a/src/cli.c b/src/cli.c index 1c3f14d05b..f3dc435101 100644 --- a/src/cli.c +++ b/src/cli.c @@ -423,16 +423,20 @@ static int cert_verify_callback(gnutls_session_t session) unsigned int status = 0; int ssh = ENABLED_OPT(TOFU); int strictssh = ENABLED_OPT(STRICT_TOFU); - if (strictssh) { - ssh = strictssh; - } - #ifdef HAVE_DANE int dane = ENABLED_OPT(DANE); #endif int ca_verify = ENABLED_OPT(CA_VERIFICATION); const char *txt_service; + /* On an session with TOFU the PKI/DANE verification + * become advisory. + */ + + if (strictssh) { + ssh = strictssh; + } + print_cert_info(session, verbose, print_cert); if (ca_verify) { @@ -454,6 +458,42 @@ static int cert_verify_callback(gnutls_session_t session) } } +#ifdef HAVE_DANE + if (dane) { /* try DANE auth */ + int port; + unsigned int sflags = + ENABLED_OPT(LOCAL_DNS) ? 0 : + DANE_F_IGNORE_LOCAL_RESOLVER; + + port = service_to_port(service); + rc = dane_verify_session_crt(NULL, session, hostname, + udp ? "udp" : "tcp", port, + sflags, 0, &status); + if (rc < 0) { + fprintf(stderr, + "*** DANE verification error: %s\n", + dane_strerror(rc)); + if (!insecure && !ssh) + return -1; + } else { + gnutls_datum_t out; + + rc = dane_verification_status_print(status, &out, + 0); + if (rc < 0) { + fprintf(stderr, "*** DANE error: %s\n", + dane_strerror(rc)); + if (!insecure && !ssh) + return -1; + } + + fprintf(stderr, "- DANE: %s\n", out.data); + gnutls_free(out.data); + } + + } +#endif + if (ssh) { /* try ssh auth */ unsigned int list_size; const gnutls_datum_t *cert; @@ -519,42 +559,6 @@ static int cert_verify_callback(gnutls_session_t session) gnutls_strerror(rc)); } } -#ifdef HAVE_DANE - if (dane) { /* try DANE auth */ - int port; - unsigned int sflags = - ENABLED_OPT(LOCAL_DNS) ? 0 : - DANE_F_IGNORE_LOCAL_RESOLVER; - - port = service_to_port(service); - rc = dane_verify_session_crt(NULL, session, hostname, - udp ? "udp" : "tcp", port, - sflags, 0, &status); - if (rc < 0) { - fprintf(stderr, - "*** DANE verification error: %s\n", - dane_strerror(rc)); - if (!insecure) - return -1; - } else { - gnutls_datum_t out; - - rc = dane_verification_status_print(status, &out, - 0); - if (rc < 0) { - fprintf(stderr, "*** DANE error: %s\n", - dane_strerror(rc)); - if (!insecure) - return -1; - } - - fprintf(stderr, "- DANE: %s\n", out.data); - gnutls_free(out.data); - } - - } -#endif - return 0; }