Added new option /cert that unifies all.

* The mess with /cert-tofu, /cert-ignore et al is now unified in
  a single option.
* Added the option to add fingerprint:<hash>:<hex string> multiple
  times to /cert to build a list of accepted certificate
  fingerprints
* Added a deprecation warning to older /cert-* options

client/common/cmdline.c

@@ -187,6 +187,28 @@ static BOOL copy_value(const char* value, char** dst)
 	return (*dst) != NULL;
 }
 
+static BOOL append_value(const char* value, char** dst)
+{
+	size_t x = 0, y;
+	char* tmp;
+	if (!dst || !value)
+		return FALSE;
+
+	if (*dst)
+		x = strlen(*dst);
+	y = strlen(value);
+	tmp = realloc(*dst, x + y + 1);
+	if (!tmp)
+		return FALSE;
+	if (x == 0)
+		tmp[0] = '\0';
+	else
+		strcat(tmp, ",");
+	strcat(tmp, value);
+	*dst = tmp;
+	return TRUE;
+}
+
 static BOOL value_to_int(const char* value, LONGLONG* result, LONGLONG min, LONGLONG max)
 {
 	long long rc;
@@ -2748,6 +2770,47 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
 
 			settings->TlsSecLevel = (UINT32)val;
 		}
+		CommandLineSwitchCase(arg, "cert")
+		{
+			int rc = 0;
+			char** p;
+			size_t count, x;
+			p = CommandLineParseCommaSeparatedValues(arg->Value, &count);
+			for (x = 0; (x < count) && (rc == 0); x++)
+			{
+				const char deny[] = "deny";
+				const char ignore[] = "ignore";
+				const char tofu[] = "tofu";
+				const char name[5] = "name:";
+				const char fingerprints[12] = "fingerprint:";
+
+				const char* cur = p[x];
+				if (strncmp(deny, cur, sizeof(deny)) == 0)
+					settings->AutoDenyCertificate = TRUE;
+				else if (strncmp(ignore, cur, sizeof(ignore)) == 0)
+					settings->IgnoreCertificate = TRUE;
+				else if (strncmp(tofu, cur, 4) == 0)
+					settings->AutoAcceptCertificate = TRUE;
+				else if (strncmp(name, cur, sizeof(name)) == 0)
+				{
+					const char* val = &cur[sizeof(name)];
+					if (!copy_value(val, &settings->CertificateName))
+						rc = COMMAND_LINE_ERROR_MEMORY;
+				}
+				else if (strncmp(fingerprints, cur, sizeof(fingerprints)) == 0)
+				{
+					const char* val = &cur[sizeof(fingerprints)];
+					if (!append_value(val, &settings->CertificateAcceptedFingerprints))
+						rc = COMMAND_LINE_ERROR_MEMORY;
+				}
+				else
+					rc = COMMAND_LINE_ERROR_UNEXPECTED_VALUE;
+			}
+			free(p);
+
+			if (rc)
+				return rc;
+		}
 		CommandLineSwitchCase(arg, "cert-name")
 		{
 			if (!copy_value(arg->Value, &settings->CertificateName))

client/common/cmdline.h

@@ -70,13 +70,30 @@ static const COMMAND_LINE_ARGUMENT_A args[] = {
 	  "Session bpp (color depth)" },
 	{ "buildconfig", COMMAND_LINE_VALUE_FLAG | COMMAND_LINE_PRINT_BUILDCONFIG, NULL, NULL, NULL, -1,
 	  NULL, "Print the build configuration" },
+	{ "cert", COMMAND_LINE_VALUE_REQUIRED,
+	  "[deny,ignore,name:<name>,tofu,fingerprint:<hash>:<hash as hex>[,fingerprint:<hash>:<another "
+	  "hash>]]",
+	  NULL, NULL, -1, NULL,
+	  "Certificate accept options. Use with care!"
+	  " * deny         ... Automatically abort connection if the certificate does not match, no "
+	  "user interaction.          "
+	  " * ignore       ... Ignore the certificate checks altogether (overrules all other options)  "
+	  "                        "
+	  " * name         ... Use the alternate <name> instead of the certificate subject to match "
+	  "locally stored certificates"
+	  " * tofu         ... Accept certificate unconditionally on first connect and deny on "
+	  "subsequent connections if the certificate does not match"
+	  " * fingerprints ... A list of certificate hashes that are accepted unconditionally for a "
+	  "connection" },
 	{ "cert-deny", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
-	  "Automatically abort connection for any certificate that can not be validated." },
-	{ "cert-ignore", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Ignore certificate" },
+	  "[deprecated, use /cert:deny] Automatically abort connection for any certificate that can "
+	  "not be validated." },
+	{ "cert-ignore", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
+	  "[deprecated, use /cert:ignore] Ignore certificate" },
 	{ "cert-name", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL,
-	  "Certificate name" },
+	  "[deprecated, use /cert:name:<name>] Certificate name" },
 	{ "cert-tofu", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
-	  "Automatically accept certificate on first connect" },
+	  "[deprecated, use /cert:tofu] Automatically accept certificate on first connect" },
 	{ "client-build-number", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
 	  "Client Build Number sent to server (influences smartcard behaviour, see [MS-RDPESC])" },
 	{ "client-hostname", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL,