gnutls-cli: do not ask any questions with --strict-tofu
authorŁukasz Stelmach <stlman@poczta.fm>
Tue, 27 Feb 2018 14:44:55 +0000 (15:44 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 1 Mar 2018 15:07:44 +0000 (16:07 +0100)
Signed-off-by: Łukasz Stelmach <stlman@poczta.fm>
src/cli-args.def
src/cli.c

index 9a067ce78b0e874fad475855b9094d3a695cba9b..8ad9a98ed3badaf9f446664e320bf060b7c1340b 100644 (file)
@@ -25,10 +25,11 @@ process.";
 
 flag = {
     name      = strict-tofu;
-    descrip   = "Fail to connect if a known certificate has changed";
+    descrip   = "Fail to connect if a certificate is unknown or a known certificate has changed";
     disabled;
     disable   = "no";
-    doc       = "This option will perform authentication as with option --tofu; however, while --tofu asks whether to trust a changed public key, this option will fail in case of public key changes.";
+    doc       = "This option will perform authentication as with option --tofu; however, no questions shall be asked whatsoever, neither to accept an unknown certificate nor a changed one.";
+
 };
 
 flag = {
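Review bot: The new doc string no longer says what happens instead of asking; the old text stated that the option "will fail in case of public key changes", and the replacement only says no questions are asked, so a reader of the long help has to infer the outcome from the one-line descrip. I would keep the consequence explicit, e.g. `doc = "This option will perform authentication as with option --tofu; however, no questions shall be asked whatsoever: the connection fails if the certificate is unknown or a known certificate has changed.";`. The added empty line just before `};` also looks out of place next to the other fields of the block (the neighbouring flag entries are not fully visible here, so this is inferred from the context lines); dropping it keeps the entry uniform.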
index 06e1da8af999f0a7e866eec362e32a1c9dfbb116..e1d9c7aa676069eae18a1a08d04a80a122830668 100644 (file)
--- a/src/cli.c
+++ b/src/cli.c
@@ -448,6 +448,9 @@ static int cert_verify_callback(gnutls_session_t session)
                                        "Its certificate is valid for %s.\n",
                                        hostname);
 
+                       if (strictssh)
+                               return -1;
+
                        rc = read_yesno
                            ("Are you sure you want to trust it? (y/N): ");
                        if (rc == 0)
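Review bot: The new `if (strictssh) return -1;` refuses the unknown host silently: the user sees only the informational "Its certificate is valid for %s." line and no statement that the connection was rejected because --strict-tofu is in effect, which makes a refused handshake hard to tell apart from any other verification failure. I would emit a one-line reason before returning, e.g. `fprintf(stderr, "Refusing to connect to an unknown host because --strict-tofu is in effect.\n");` inside the branch. The same silent return is introduced in the changed-key branch of the following hunk and would benefit from the equivalent message there. cert_verify_callback starts before this hunk and continues after it.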
@@ -463,13 +466,13 @@ static int cert_verify_callback(gnutls_session_t session)
                                        "Its certificate is valid for %s.\n",
                                        hostname);
 
-                       if (strictssh == 0) {
-                               rc = read_yesno
-                                       ("Do you trust the received key? (y/N): ");
-                               if (rc == 0)
-                                       return -1;
-                       } else return -1;
+                       if (strictssh)
+                               return -1;
 
+                       rc = read_yesno
+                               ("Do you trust the received key? (y/N): ");
+                       if (rc == 0)
+                               return -1;
                } else if (rc < 0) {
                        fprintf(stderr,
                                "gnutls_verify_stored_pubkey: %s\n",