author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-11-21 22:23:30 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-11-21 22:23:59 +0100 |
commit | a7a64ea8eeabf0098f3af83a3ca7b84dbebbf969 (patch) | |
tree | 5178b769e4044cb66e55c40ed8c9e307bf79ef78 | |
parent | 45bce4b8726edb9773c016125401500e7cace021 (diff) | |
download | gnutls-a7a64ea8eeabf0098f3af83a3ca7b84dbebbf969.tar.gz |
danetool is now built even without libgnutls-dane.
Without that library the --check functionality is not operational;
the tool can then only generate TLSA records.
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | doc/invoke-danetool.texi | 4 | ||||
-rw-r--r-- | src/Makefile.am | 9 | ||||
-rw-r--r-- | src/danetool-args.c | 188 | ||||
-rw-r--r-- | src/danetool-args.def | 2 | ||||
-rw-r--r-- | src/danetool-args.h | 2 | ||||
-rw-r--r-- | src/danetool.c | 15 |
7 files changed, 115 insertions, 108 deletions
@@ -27,6 +27,9 @@ an easier to parse format. ** p11tool: After key generation, outputs the public key (useful in tokens that do not store the public key). +** danetool: It is being built even without libgnutls-dane (the +--check functionality is disabled though). + ** API and ABI modifications: gnutls_pkcs11_privkey_generate2: Added gnutls_x509_crt_get_policy: Added diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi index 79ff39794e..e03e609ff7 100644 --- a/doc/invoke-danetool.texi +++ b/doc/invoke-danetool.texi @@ -6,7 +6,7 @@ # # DO NOT EDIT THIS FILE (invoke-danetool.texi) # -# It has been AutoGen-ed November 8, 2012 at 11:40:20 PM by AutoGen 5.16 +# It has been AutoGen-ed November 21, 2012 at 10:20:05 PM by AutoGen 5.16 # From the definitions ../src/danetool-args.def # and the template file agtexi-cmd.tpl @end ignore @@ -105,7 +105,7 @@ Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512. @anchor{danetool check} @subheading check option -This is the ``check dane tlsa entry.'' option. +This is the ``check a host's dane tlsa entry.'' option. This option takes an argument string. Obtains the DANE TLSA entry from the given hostname and prints information. @anchor{danetool local-dns} diff --git a/src/Makefile.am b/src/Makefile.am index 8f5a4b1ab6..5aebf20655 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -46,9 +46,8 @@ endif if ENABLE_OCSP bin_PROGRAMS += ocsptool endif -if ENABLE_DANE + bin_PROGRAMS += danetool -endif if ENABLE_TROUSERS bin_PROGRAMS += tpmtool 
@@ -141,12 +140,12 @@ libcmd_certtool_la_LIBADD += $(LIBOPTS_LDADD) $(LTLIBINTL) libcmd_certtool_la_LIBADD += $(LTLIBREADLINE) libcmd_certtool_la_LIBADD += $(INET_PTON_LIB) -if ENABLE_DANE - danetool_SOURCES = danetool.c certtool-common.c certtool-extras.c common.c danetool_LDADD = ../lib/libgnutls.la danetool_LDADD += libcmd-danetool.la ../gl/libgnu.la +if ENABLE_DANE danetool_LDADD += ../libdane/libgnutls-dane.la +endif noinst_LTLIBRARIES += libcmd-danetool.la libcmd_danetool_la_CFLAGS = @@ -157,8 +156,6 @@ libcmd_danetool_la_LIBADD += $(LIBOPTS_LDADD) $(LTLIBINTL) libcmd_danetool_la_LIBADD += $(LTLIBREADLINE) libcmd_danetool_la_LIBADD += $(INET_PTON_LIB) -endif #ENABLE_DANE - # p11 tool if ENABLE_PKCS11 diff --git a/src/danetool-args.c b/src/danetool-args.c index d9f305bcb4..2303e52520 100644 --- a/src/danetool-args.c +++ b/src/danetool-args.c @@ -2,7 +2,7 @@ * * DO NOT EDIT THIS FILE (danetool-args.c) * - * It has been AutoGen-ed November 8, 2012 at 11:35:55 PM by AutoGen 5.16 + * It has been AutoGen-ed November 21, 2012 at 10:22:22 PM by AutoGen 5.16 * From the definitions danetool-args.def * and the template file options * @@ -67,7 +67,7 @@ extern FILE * option_usage_fp; /* * danetool option static const strings */ -static char const danetool_opt_strs[2260] = +static char const danetool_opt_strs[2269] = /* 0 */ "danetool @VERSION@\n" "Copyright (C) 2000-2012 Free Software Foundation, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" 
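Review bot: The `ENABLE_DANE` conditional now gates only the `libgnutls-dane.la` entry in `danetool_LDADD`, while the danetool.c hunks of this commit compile the --check body only under `#ifdef HAVE_DANE`, and nothing in the visible hunks defines that macro. If configure.ac does not `AC_DEFINE` it next to the automake conditional, every build, including one that links libgnutls-dane, takes the stub branch and reports --check as disabled. Either confirm config.h carries the define, or set it here under the same conditional, `danetool_CPPFLAGS = $(AM_CPPFLAGS) -DHAVE_DANE`. The `libcmd_danetool_la_CFLAGS` assignment that follows continues outside the hunk.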
@@ -105,55 +105,55 @@ static char const danetool_opt_strs[2260] = /* 1110 */ "Hash algorithm to use for signing.\0" /* 1145 */ "HASH\0" /* 1150 */ "hash\0" -/* 1155 */ "Check DANE TLSA entry.\0" -/* 1178 */ "CHECK\0" -/* 1184 */ "check\0" -/* 1190 */ "Use the local DNS server for DNSSEC resolving.\0" -/* 1237 */ "LOCAL_DNS\0" -/* 1247 */ "no-local-dns\0" -/* 1260 */ "no\0" -/* 1263 */ "Use DER format for input certificates and private keys.\0" -/* 1319 */ "INDER\0" -/* 1325 */ "no-inder\0" -/* 1334 */ "This is an alias for 'inder'\0" -/* 1363 */ "inraw\0" -/* 1369 */ "Print the DANE RR data on a certificate or public key\0" -/* 1423 */ "TLSA_RR\0" -/* 1431 */ "tlsa-rr\0" -/* 1439 */ "Specify the hostname to be used in the DANE RR\0" -/* 1486 */ "HOST\0" -/* 1491 */ "host\0" -/* 1496 */ "The protocol set for DANE data (tcp, udp etc.)\0" -/* 1543 */ "PROTO\0" -/* 1549 */ "proto\0" -/* 1555 */ "Specify the port number for the DANE data.\0" -/* 1598 */ "PORT\0" -/* 1603 */ "port\0" -/* 1608 */ "Whether the provided certificate or public key is a Certificate\n" +/* 1155 */ "Check a host's DANE TLSA entry.\0" +/* 1187 */ "CHECK\0" +/* 1193 */ "check\0" +/* 1199 */ "Use the local DNS server for DNSSEC resolving.\0" +/* 1246 */ "LOCAL_DNS\0" +/* 1256 */ "no-local-dns\0" +/* 1269 */ "no\0" +/* 1272 */ "Use DER format for input certificates and private keys.\0" +/* 1328 */ "INDER\0" +/* 1334 */ "no-inder\0" +/* 1343 */ "This is an alias for 'inder'\0" +/* 1372 */ "inraw\0" +/* 1378 */ "Print the DANE RR data on a certificate or public key\0" +/* 1432 */ "TLSA_RR\0" +/* 1440 */ "tlsa-rr\0" +/* 1448 */ "Specify the hostname to be used in the DANE RR\0" +/* 1495 */ "HOST\0" +/* 1500 */ "host\0" +/* 1505 */ "The protocol set for DANE data (tcp, udp etc.)\0" +/* 1552 */ "PROTO\0" +/* 1558 */ "proto\0" +/* 1564 */ "Specify the port number for the DANE data.\0" +/* 1607 */ "PORT\0" +/* 1612 */ "port\0" +/* 1617 */ "Whether the provided certificate or public key is a Certificate\n" 
"Authority.\0" -/* 1683 */ "CA\0" -/* 1686 */ "ca\0" -/* 1689 */ "Use the hash of the X.509 certificate, rather than the public key.\0" -/* 1756 */ "X509\0" -/* 1761 */ "x509\0" -/* 1766 */ "The provided certificate or public key is a local entity.\0" -/* 1824 */ "LOCAL\0" -/* 1830 */ "local\0" -/* 1836 */ "Display extended usage information and exit\0" -/* 1880 */ "help\0" -/* 1885 */ "Extended usage information passed thru pager\0" -/* 1930 */ "more-help\0" -/* 1940 */ "Output version information and exit\0" -/* 1976 */ "version\0" -/* 1984 */ "DANETOOL\0" -/* 1993 */ "danetool - GnuTLS DANE tool - Ver. @VERSION@\n" +/* 1692 */ "CA\0" +/* 1695 */ "ca\0" +/* 1698 */ "Use the hash of the X.509 certificate, rather than the public key.\0" +/* 1765 */ "X509\0" +/* 1770 */ "x509\0" +/* 1775 */ "The provided certificate or public key is a local entity.\0" +/* 1833 */ "LOCAL\0" +/* 1839 */ "local\0" +/* 1845 */ "Display extended usage information and exit\0" +/* 1889 */ "help\0" +/* 1894 */ "Extended usage information passed thru pager\0" +/* 1939 */ "more-help\0" +/* 1949 */ "Output version information and exit\0" +/* 1985 */ "version\0" +/* 1993 */ "DANETOOL\0" +/* 2002 */ "danetool - GnuTLS DANE tool - Ver. @VERSION@\n" "USAGE: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0" -/* 2096 */ "bug-gnutls@gnu.org\0" -/* 2115 */ "\n\n\0" -/* 2118 */ "\n" +/* 2105 */ "bug-gnutls@gnu.org\0" +/* 2124 */ "\n\n\0" +/* 2127 */ "\n" "Tool to generate DNS resource records for the DANE protocol.\n\0" -/* 2181 */ "danetool @VERSION@\0" -/* 2200 */ "danetool [options]\n" +/* 2190 */ "danetool @VERSION@\0" +/* 2209 */ "danetool [options]\n" "danetool --help for usage instructions.\n"; /* 
@@ -222,46 +222,46 @@ static char const danetool_opt_strs[2260] = * check option description: */ #define CHECK_DESC (danetool_opt_strs+1155) -#define CHECK_NAME (danetool_opt_strs+1178) -#define CHECK_name (danetool_opt_strs+1184) +#define CHECK_NAME (danetool_opt_strs+1187) +#define CHECK_name (danetool_opt_strs+1193) #define CHECK_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * local-dns option description: */ -#define LOCAL_DNS_DESC (danetool_opt_strs+1190) -#define LOCAL_DNS_NAME (danetool_opt_strs+1237) -#define NOT_LOCAL_DNS_name (danetool_opt_strs+1247) -#define NOT_LOCAL_DNS_PFX (danetool_opt_strs+1260) +#define LOCAL_DNS_DESC (danetool_opt_strs+1199) +#define LOCAL_DNS_NAME (danetool_opt_strs+1246) +#define NOT_LOCAL_DNS_name (danetool_opt_strs+1256) +#define NOT_LOCAL_DNS_PFX (danetool_opt_strs+1269) #define LOCAL_DNS_name (NOT_LOCAL_DNS_name + 3) #define LOCAL_DNS_FLAGS (OPTST_DISABLED) /* * inder option description: */ -#define INDER_DESC (danetool_opt_strs+1263) -#define INDER_NAME (danetool_opt_strs+1319) -#define NOT_INDER_name (danetool_opt_strs+1325) -#define NOT_INDER_PFX (danetool_opt_strs+1260) +#define INDER_DESC (danetool_opt_strs+1272) +#define INDER_NAME (danetool_opt_strs+1328) +#define NOT_INDER_name (danetool_opt_strs+1334) +#define NOT_INDER_PFX (danetool_opt_strs+1269) #define INDER_name (NOT_INDER_name + 3) #define INDER_FLAGS (OPTST_DISABLED) /* * inraw option description: */ -#define INRAW_DESC (danetool_opt_strs+1334) +#define INRAW_DESC (danetool_opt_strs+1343) #define INRAW_NAME NULL -#define INRAW_name (danetool_opt_strs+1363) +#define INRAW_name (danetool_opt_strs+1372) #define INRAW_FLAGS (INDER_FLAGS | OPTST_ALIAS) /* * tlsa-rr option description with * "Must also have options" and "Incompatible options": */ -#define TLSA_RR_DESC (danetool_opt_strs+1369) -#define TLSA_RR_NAME (danetool_opt_strs+1423) -#define TLSA_RR_name (danetool_opt_strs+1431) +#define TLSA_RR_DESC (danetool_opt_strs+1378) +#define 
TLSA_RR_NAME (danetool_opt_strs+1432) +#define TLSA_RR_name (danetool_opt_strs+1440) static int const aTlsa_RrMustList[] = { INDEX_OPT_HOST, NO_EQUIVALENT }; #define TLSA_RR_FLAGS (OPTST_DISABLED) 
@@ -269,62 +269,62 @@ static int const aTlsa_RrMustList[] = { /* * host option description: */ -#define HOST_DESC (danetool_opt_strs+1439) -#define HOST_NAME (danetool_opt_strs+1486) -#define HOST_name (danetool_opt_strs+1491) +#define HOST_DESC (danetool_opt_strs+1448) +#define HOST_NAME (danetool_opt_strs+1495) +#define HOST_name (danetool_opt_strs+1500) #define HOST_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * proto option description: */ -#define PROTO_DESC (danetool_opt_strs+1496) -#define PROTO_NAME (danetool_opt_strs+1543) -#define PROTO_name (danetool_opt_strs+1549) +#define PROTO_DESC (danetool_opt_strs+1505) +#define PROTO_NAME (danetool_opt_strs+1552) +#define PROTO_name (danetool_opt_strs+1558) #define PROTO_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) /* * port option description: */ -#define PORT_DESC (danetool_opt_strs+1555) -#define PORT_NAME (danetool_opt_strs+1598) -#define PORT_name (danetool_opt_strs+1603) +#define PORT_DESC (danetool_opt_strs+1564) +#define PORT_NAME (danetool_opt_strs+1607) +#define PORT_name (danetool_opt_strs+1612) #define PORT_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC)) /* * ca option description: */ -#define CA_DESC (danetool_opt_strs+1608) -#define CA_NAME (danetool_opt_strs+1683) -#define CA_name (danetool_opt_strs+1686) +#define CA_DESC (danetool_opt_strs+1617) +#define CA_NAME (danetool_opt_strs+1692) +#define CA_name (danetool_opt_strs+1695) #define CA_FLAGS (OPTST_DISABLED) /* * x509 option description: */ -#define X509_DESC (danetool_opt_strs+1689) -#define X509_NAME (danetool_opt_strs+1756) -#define X509_name (danetool_opt_strs+1761) +#define X509_DESC (danetool_opt_strs+1698) +#define X509_NAME (danetool_opt_strs+1765) +#define X509_name (danetool_opt_strs+1770) #define X509_FLAGS (OPTST_DISABLED) /* * local option description: */ -#define LOCAL_DESC (danetool_opt_strs+1766) -#define LOCAL_NAME (danetool_opt_strs+1824) -#define LOCAL_name 
(danetool_opt_strs+1830) +#define LOCAL_DESC (danetool_opt_strs+1775) +#define LOCAL_NAME (danetool_opt_strs+1833) +#define LOCAL_name (danetool_opt_strs+1839) #define LOCAL_FLAGS (OPTST_DISABLED) /* * Help/More_Help/Version option descriptions: */ -#define HELP_DESC (danetool_opt_strs+1836) -#define HELP_name (danetool_opt_strs+1880) +#define HELP_DESC (danetool_opt_strs+1845) +#define HELP_name (danetool_opt_strs+1889) #ifdef HAVE_WORKING_FORK -#define MORE_HELP_DESC (danetool_opt_strs+1885) -#define MORE_HELP_name (danetool_opt_strs+1930) +#define MORE_HELP_DESC (danetool_opt_strs+1894) +#define MORE_HELP_name (danetool_opt_strs+1939) #define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT) #else #define MORE_HELP_DESC NULL @@ -337,8 +337,8 @@ static int const aTlsa_RrMustList[] = { # define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \ OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT) #endif -#define VER_DESC (danetool_opt_strs+1940) -#define VER_name (danetool_opt_strs+1976) +#define VER_DESC (danetool_opt_strs+1949) +#define VER_name (danetool_opt_strs+1985) /* * Declare option callback procedures */ @@ -618,14 +618,14 @@ static tOptDesc optDesc[OPTION_CT] = { * * Define the danetool Option Environment */ -#define zPROGNAME (danetool_opt_strs+1984) -#define zUsageTitle (danetool_opt_strs+1993) +#define zPROGNAME (danetool_opt_strs+1993) +#define zUsageTitle (danetool_opt_strs+2002) #define zRcName NULL #define apzHomeList NULL -#define zBugsAddr (danetool_opt_strs+2096) -#define zExplain (danetool_opt_strs+2115) -#define zDetail (danetool_opt_strs+2118) -#define zFullVersion (danetool_opt_strs+2181) +#define zBugsAddr (danetool_opt_strs+2105) +#define zExplain (danetool_opt_strs+2124) +#define zDetail (danetool_opt_strs+2127) +#define zFullVersion (danetool_opt_strs+2190) /* extracted from optcode.tlib near line 350 */ #if defined(ENABLE_NLS) 
@@ -639,7 +639,7 @@ static tOptDesc optDesc[OPTION_CT] = {
 #define danetool_full_usage (NULL)
-#define danetool_short_usage (danetool_opt_strs+2200)
+#define danetool_short_usage (danetool_opt_strs+2209)
 #endif /* not defined __doxygen__ */
diff --git a/src/danetool-args.def b/src/danetool-args.def
index e01dfdd9ee..e5ba03c81e 100644
--- a/src/danetool-args.def
+++ b/src/danetool-args.def
@@ -35,7 +35,7 @@ flag = {
 flag = {
 name = check;
 arg-type = string;
- descrip = "Check DANE TLSA entry.";
+ descrip = "Check a host's DANE TLSA entry.";
 doc = "Obtains the DANE TLSA entry from the given hostname and prints information.";
 };
diff --git a/src/danetool-args.h b/src/danetool-args.h
index 0cb2354914..a233656289 100644
--- a/src/danetool-args.h
+++ b/src/danetool-args.h
@@ -2,7 +2,7 @@
 *
 * DO NOT EDIT THIS FILE (danetool-args.h)
 *
- * It has been AutoGen-ed November 8, 2012 at 11:35:55 PM by AutoGen 5.16
+ * It has been AutoGen-ed November 21, 2012 at 10:22:22 PM by AutoGen 5.16
 * From the definitions danetool-args.def
 * and the template file options
 *
diff --git a/src/danetool.c b/src/danetool.c
index cd8211ecd9..d2361e5c50 100644
--- a/src/danetool.c
+++ b/src/danetool.c
@@ -27,7 +27,10 @@
 #include <gnutls/pkcs11.h>
 #include <gnutls/abstract.h>
 #include <gnutls/crypto.h>
-#include <gnutls/dane.h>
+
+#ifdef HAVE_DANE
+# include <gnutls/dane.h>
+#endif
 #include <stdio.h>
 #include <stdlib.h>
@@ -181,6 +184,7 @@ cmd_parser (int argc, char **argv)
 static void dane_check(const char* host, const char* proto, unsigned int port,
 common_info_st * cinfo)
 {
+#ifdef HAVE_DANE
 dane_state_t s;
 dane_query_t q;
 int ret;
@@ -236,7 +240,7 @@ size_t size;
 ret = gnutls_x509_crt_list_import2( &clist, &clist_size, &file, cinfo->incert_format, 0);
 if (ret < 0)
 error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_import2: %s", gnutls_strerror (ret));
-
+
 if (clist_size > 0)
 {
 gnutls_datum_t certs[clist_size];
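Review bot: In the `@@ -27` hunk the new `#ifdef HAVE_DANE` is evaluated before any project configuration header is visible; the hunk starts at line 27, so `config.h` is presumably included above it, but if it is not, `<gnutls/dane.h>` is never pulled in and --check is silently compiled out even when libgnutls-dane is available, which is worth confirming. In the `@@ -181` hunk the same macro opens a conditional at the top of `dane_check` that is closed only some ninety lines later in a separate hunk; annotating the directive, `#ifdef HAVE_DANE /* entire body; stub branch in #else at the end */`, would make that structure visible to a reader of the function. dane_check's body continues past the end of these hunks.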
@@ -249,7 +253,7 @@ size_t size;
 if (ret < 0)
 error (EXIT_FAILURE, 0, "gnutls_x509_crt_export2: %s", gnutls_strerror (ret));
 }
-
+
 ret = dane_verify_crt( s, certs, clist_size, GNUTLS_CRT_X509, host, proto, port, 0, 0, &status);
 if (ret < 0)
@@ -275,7 +279,10 @@ size_t size;
 dane_query_deinit(q);
 dane_state_deinit(s);
-
+#else
+ fprintf(stderr, "This functionality was disabled (GnuTLS was not compiled with support for DANE).\n");
+ return;
+#endif
 }
 static void dane_info(const char* host, const char* proto, unsigned int port, |
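Review bot: The `#else` branch added at the end of `dane_check` prints that checking is disabled and then returns normally, so `danetool --check` in a build without libgnutls-dane presumably finishes with a zero exit status (the function is void and nothing in the hunk touches the exit code) although no TLSA record was ever verified. A script gating a deployment on that command would read it as success; fail closed instead, matching the file's other error paths, with `error (EXIT_FAILURE, 0, "This functionality was disabled (GnuTLS was not compiled with support for DANE).");` in place of the `fprintf`/`return` pair. The closing directive would also read better as `#endif /* HAVE_DANE */`, since the matching `#ifdef` sits some ninety lines earlier in another hunk. The function's opening is outside this hunk.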