Both DANE and PKI verification are advisory when --tofu is being used.
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 18 Apr 2014 09:02:38 +0000 (11:02 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 18 Apr 2014 09:02:38 +0000 (11:02 +0200)
src/cli-args.def
src/cli.c

index 1b3354491d81081b82307c3eec67f363041473df..ddca613e2258836362397892c89e702358c76413 100644 (file)
@@ -17,7 +17,10 @@ flag = {
     descrip   = "Enable trust on first use authentication";
     disabled;
     disable   = "no";
-    doc       = "This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication. Note that tofu will take precedence over certificate (PKI) authentication.";
+    doc       = "This option will, in addition to certificate authentication, perform authentication
+based on previously seen public keys, a model similar to SSH authentication. Note that when tofu 
+is specified (PKI) and DANE authentication will become advisory to assist the public key acceptance
+process.";
 };
 
 flag = {
index 1c3f14d05b85c097e060da84e6753d07dd250c55..f3dc4351019cfc6907c6ecb46bfb319cf28f0a0a 100644 (file)
--- a/src/cli.c
+++ b/src/cli.c
@@ -423,16 +423,20 @@ static int cert_verify_callback(gnutls_session_t session)
        unsigned int status = 0;
        int ssh = ENABLED_OPT(TOFU);
        int strictssh = ENABLED_OPT(STRICT_TOFU);
-       if (strictssh) {
-               ssh = strictssh;
-       }
-
 #ifdef HAVE_DANE
        int dane = ENABLED_OPT(DANE);
 #endif
        int ca_verify = ENABLED_OPT(CA_VERIFICATION);
        const char *txt_service;
 
+       /* On an session with TOFU the PKI/DANE verification
+        * become advisory.
+        */
+
+       if (strictssh) {
+               ssh = strictssh;
+       }
+
        print_cert_info(session, verbose, print_cert);
 
        if (ca_verify) {
@@ -454,6 +458,42 @@ static int cert_verify_callback(gnutls_session_t session)
                }
        }
 
+#ifdef HAVE_DANE
+       if (dane) {             /* try DANE auth */
+               int port;
+               unsigned int sflags =
+                   ENABLED_OPT(LOCAL_DNS) ? 0 :
+                   DANE_F_IGNORE_LOCAL_RESOLVER;
+
+               port = service_to_port(service);
+               rc = dane_verify_session_crt(NULL, session, hostname,
+                                            udp ? "udp" : "tcp", port,
+                                            sflags, 0, &status);
+               if (rc < 0) {
+                       fprintf(stderr,
+                               "*** DANE verification error: %s\n",
+                               dane_strerror(rc));
+                       if (!insecure && !ssh)
+                               return -1;
+               } else {
+                       gnutls_datum_t out;
+
+                       rc = dane_verification_status_print(status, &out,
+                                                           0);
+                       if (rc < 0) {
+                               fprintf(stderr, "*** DANE error: %s\n",
+                                       dane_strerror(rc));
+                               if (!insecure && !ssh)
+                                       return -1;
+                       }
+
+                       fprintf(stderr, "- DANE: %s\n", out.data);
+                       gnutls_free(out.data);
+               }
+
+       }
+#endif
+
        if (ssh) {              /* try ssh auth */
                unsigned int list_size;
                const gnutls_datum_t *cert;
@@ -519,42 +559,6 @@ static int cert_verify_callback(gnutls_session_t session)
                                        gnutls_strerror(rc));
                }
        }
-#ifdef HAVE_DANE
-       if (dane) {             /* try DANE auth */
-               int port;
-               unsigned int sflags =
-                   ENABLED_OPT(LOCAL_DNS) ? 0 :
-                   DANE_F_IGNORE_LOCAL_RESOLVER;
-
-               port = service_to_port(service);
-               rc = dane_verify_session_crt(NULL, session, hostname,
-                                            udp ? "udp" : "tcp", port,
-                                            sflags, 0, &status);
-               if (rc < 0) {
-                       fprintf(stderr,
-                               "*** DANE verification error: %s\n",
-                               dane_strerror(rc));
-                       if (!insecure)
-                               return -1;
-               } else {
-                       gnutls_datum_t out;
-
-                       rc = dane_verification_status_print(status, &out,
-                                                           0);
-                       if (rc < 0) {
-                               fprintf(stderr, "*** DANE error: %s\n",
-                                       dane_strerror(rc));
-                               if (!insecure)
-                                       return -1;
-                       }
-
-                       fprintf(stderr, "- DANE: %s\n", out.data);
-                       gnutls_free(out.data);
-               }
-
-       }
-#endif
-
        return 0;
 }
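Review bot: In the DANE block added at `@@ -454,6 +458,42 @@`, when `dane_verification_status_print()` fails and the new `!insecure && !ssh` condition is false (i.e. `--tofu` or `--insecure` is set), control falls through to `fprintf(stderr, "- DANE: %s\n", out.data)` and `gnutls_free(out.data)` with `out` declared as `gnutls_datum_t out;` and never assigned, unless that function is guaranteed to clear its output on error, which is not visible here. The removed block had the same shape but only reached that path under `--insecure`; making DANE advisory under `--tofu` makes it much easier to hit. Initialise it as `gnutls_datum_t out = { NULL, 0 };` and move the print/free pair into an `else` branch of the `if (rc < 0)` check so a failed status print neither reads nor frees an indeterminate pointer. The comment added in the first hunk (`/* On an session with TOFU the PKI/DANE verification become advisory. */`) sits above the `strictssh` assignment rather than the verification it describes; `/* With --tofu or --strict-tofu, PKI and DANE failures are reported but not fatal; the pinned-key check decides. */` placed just before `if (ca_verify)` would read better. cert_verify_callback begins before the first hunk and its PKI branch continues between the hunks.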