tlshd: Add a command line option to disable verification

chucklever · chucklever · commit 2a7ee213a7ee · 2022-04-05T11:50:16.000-04:00
Currently, server verification for anonymous x.509 handshakes is
commented out so we can test with prototype servers. However,
server verification needs to be done normally. To enable testing
to continue, make verification an opt-out instead of always off.

Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
diff --git a/src/tlshd/main.c b/src/tlshd/main.c
@@ -46,11 +46,14 @@
 
 #define TLSH_LISTENER_BACKLOG	(20)
 
-static const char *optstring = "dhl:v";
+int tlshd_verify_server = 1;
+
+static const char *optstring = "dhl:nv";
 static const struct option longopts[] = {
 	{ "debug",	no_argument,		NULL,	'd' },
 	{ "help",	no_argument,		NULL,	'h' },
 	{ "libdebug",	required_argument,	NULL,	'l' },
+	{ "noverify",	no_argument,		NULL,	'n' },
 	{ "version",	no_argument,		NULL,	'v' },
 	{ NULL,		0,			NULL,	 0 }
 };
@@ -165,6 +168,9 @@ int main(int argc, char **argv)
 		case 'l':
 			tlshd_library_debug = atoi(optarg);
 			break;
+		case 'n':
+			tlshd_verify_server = 0;
+			break;
 		case 'v':
 			fprintf(stderr, "%s, built from " PACKAGE_STRING
 				" on " __DATE__ " " __TIME__ "\n",
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
@@ -20,6 +20,7 @@
 
 extern int tlshd_debug;
 extern int tlshd_library_debug;
+extern int tlshd_verify_server;
 
 /* handshake.c */
 extern void tlshd_client_handshake(gnutls_session_t session);
diff --git a/src/tlshd/tlshd.man b/src/tlshd/tlshd.man
@@ -50,6 +50,16 @@ When specified tlshd displays a help message then exits immediately.
 When specified this option sets the debug level for the TLS library.
 By default, library debugging messages are disabled.
 .TP
+.B \-n " or " \-\-noverify
+When specified this option prevents
+.B tlshd
+from verifying the server's credential during anonymous handshakes.
+By default,
+.B tlshd
+verifies server credentials during anonymous handshakes.
+.IP
+Do not use this option on secure systems.
+.TP
 .B \-v " or " \-\-version
 When specified tlshd displays build version information then exits immediately.
 .SH ENVIRONMENT VARIABLES
diff --git a/src/tlshd/x509.c b/src/tlshd/x509.c
@@ -82,8 +82,8 @@ static void tlshd_client_anon_x509_handshake(int sock, const char *peername)
 
 	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
 
-	/* Allow self-signed server certificates */
-	//gnutls_session_set_verify_cert(session, peername, 0);
+	if (tlshd_verify_server)
+		gnutls_session_set_verify_cert(session, peername, 0);
 
 	ret = gnutls_set_default_priority(session);
 	if (ret != GNUTLS_E_SUCCESS) {
