diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-04-23 13:58:22 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-04-29 13:41:41 +0200 |
| commit | afaffc51369a31cf32cacf58cc61d65957746f01 (patch) | |
| tree | a1e8db10dc430ed11b8ecf2da3571e114066ff05 /src/cli.c | |
| parent | a27c8b1d9e4fc2aa0ad8b36348fc9c99b9ad2060 (diff) | |
| download | gnutls-afaffc51369a31cf32cacf58cc61d65957746f01.tar.gz | |
gnutls-cli: added option to specify the verification hostname
This enables testing various scenarios, by allowing to specify the
hostname to be used for certificate validation when connecting to
a remote host (e.g., localhost but with a certificate for example.com).
Resolves #344
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'src/cli.c')
| -rw-r--r-- | src/cli.c | 22 |
1 files changed, 14 insertions, 8 deletions
@@ -325,6 +325,7 @@ static int cert_verify_callback(gnutls_session_t session) int ca_verify = ENABLED_OPT(CA_VERIFICATION); const char *txt_service; gnutls_datum_t oresp; + const char *host; /* On an session with TOFU the PKI/DANE verification * become advisory. @@ -334,6 +335,11 @@ static int cert_verify_callback(gnutls_session_t session) ssh = strictssh; } + if (HAVE_OPT(VERIFY_HOSTNAME)) + host = OPT_ARG(VERIFY_HOSTNAME); + else + host = hostname; + /* Save certificate and OCSP response */ if (HAVE_OPT(SAVE_CERT)) { try_save_cert(session); @@ -357,7 +363,7 @@ static int cert_verify_callback(gnutls_session_t session) print_cert_info(session, verbose, print_cert); if (ca_verify) { - rc = cert_verify(session, hostname, GNUTLS_KP_TLS_WWW_SERVER); + rc = cert_verify(session, host, GNUTLS_KP_TLS_WWW_SERVER); if (rc == 0) { printf ("*** PKI verification of server certificate failed...\n"); @@ -391,7 +397,7 @@ static int cert_verify_callback(gnutls_session_t session) vflags |= DANE_VFLAG_ONLY_CHECK_EE_USAGE; port = service_to_port(service, udp?"udp":"tcp"); - rc = dane_verify_session_crt(NULL, session, hostname, + rc = dane_verify_session_crt(NULL, session, host, udp ? "udp" : "tcp", port, sflags, vflags, &status); if (rc < 0) { @@ -436,17 +442,17 @@ static int cert_verify_callback(gnutls_session_t session) txt_service = port_to_service(service, udp?"udp":"tcp"); - rc = gnutls_verify_stored_pubkey(NULL, NULL, hostname, + rc = gnutls_verify_stored_pubkey(NULL, NULL, host, txt_service, GNUTLS_CRT_X509, cert, 0); if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND) { fprintf(stderr, "Host %s (%s) has never been contacted before.\n", - hostname, txt_service); + host, txt_service); if (status == 0) fprintf(stderr, "Its certificate is valid for %s.\n", - hostname); + host); if (strictssh) return -1; @@ -458,13 +464,13 @@ static int cert_verify_callback(gnutls_session_t session) } else if (rc == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) { fprintf(stderr, "Warning: host %s is known and it is associated with a different key.\n", - hostname); + host); fprintf(stderr, "It might be that the server has multiple keys, or an attacker replaced the key to eavesdrop this connection .\n"); if (status == 0) fprintf(stderr, "Its certificate is valid for %s.\n", - hostname); + host); if (strictssh) return -1; @@ -481,7 +487,7 @@ static int cert_verify_callback(gnutls_session_t session) } if (rc != 0) { - rc = gnutls_store_pubkey(NULL, NULL, hostname, + rc = gnutls_store_pubkey(NULL, NULL, host, txt_service, GNUTLS_CRT_X509, cert, 0, 0); |