authorNikos Mavrogiannopoulos <nmav@gnutls.org>2014-08-09 09:23:43 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2014-08-09 09:23:43 +0200
commite6d195fbe36c5cbe260877ed06265437d8fd0ff9 (patch)
treea14dc9f0522c17491e5180a3cfda23edb3dc1325 /src
parent8b1eb11ac25fd06101212eb7be40c18574ed52d6 (diff)
downloadgnutls-e6d195fbe36c5cbe260877ed06265437d8fd0ff9.tar.gz
danetool: improvements in information presentation
Diffstat (limited to 'src')
-rw-r--r--src/danetool-args.def86
-rw-r--r--src/danetool.c58
-rw-r--r--src/socket.c4
3 files changed, 90 insertions, 58 deletions
diff --git a/src/danetool-args.def b/src/danetool-args.def
index f6a4cb7f70..80a26f20fc 100644
--- a/src/danetool-args.def
+++ b/src/danetool-args.def
@@ -44,7 +44,7 @@ flag = {
name = check;
arg-type = string;
descrip = "Check a host's DANE TLSA entry";
- doc = "Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host has to be provided using --load-certificate.";
+ doc = "Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host can be provided using --load-certificate, otherwise danetool will connect to the server to obtain it. The exit code on verification success will be zero.";
};
flag = {
@@ -60,44 +60,6 @@ flag = {
};
flag = {
- name = insecure;
- descrip = "Do not verify any DNSSEC signature";
- doc = "Ignores any DNSSEC signature verification results.";
-};
-
-flag = {
- name = local-dns;
- descrip = "Use the local DNS server for DNSSEC resolving";
- disabled;
- disable = "no";
- doc = "This option will use the local DNS server for DNSSEC.
-This is disabled by default due to many servers not allowing DNSSEC.";
-};
-
-flag = {
- name = inder;
- descrip = "Use DER format for input certificates and private keys";
- disabled;
- disable = "no";
- doc = "The input files will be assumed to be in DER or RAW format.
-Unlike options that in PEM input would allow multiple input data (e.g. multiple
-certificates), when reading in DER format a single data structure is read.";
-};
-
-flag = {
- name = inraw;
- aliases = inder;
-};
-
-flag = {
- name = print-raw;
- descrip = "Print the received DANE data in raw format";
- disabled;
- disable = "no";
- doc = "This option will print the received DANE data.";
-};
-
-flag = {
name = tlsa-rr;
descrip = "Print the DANE RR data on a certificate or public key";
flags_must = host;
@@ -153,6 +115,52 @@ flag = {
doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.";
};
+flag = {
+ name = local-dns;
+ descrip = "Use the local DNS server for DNSSEC resolving";
+ disabled;
+ disable = "no";
+ doc = "This option will use the local DNS server for DNSSEC.
+This is disabled by default due to many servers not allowing DNSSEC.";
+};
+
+flag = {
+ name = insecure;
+ descrip = "Do not verify any DNSSEC signature";
+ doc = "Ignores any DNSSEC signature verification results.";
+};
+
+flag = {
+ name = inder;
+ descrip = "Use DER format for input certificates and private keys";
+ disabled;
+ disable = "no";
+ doc = "The input files will be assumed to be in DER or RAW format.
+Unlike options that in PEM input would allow multiple input data (e.g. multiple
+certificates), when reading in DER format a single data structure is read.";
+};
+
+flag = {
+ name = inraw;
+ aliases = inder;
+};
+
+flag = {
+ name = print-raw;
+ descrip = "Print the received DANE data in raw format";
+ disabled;
+ disable = "no";
+ doc = "This option will print the received DANE data.";
+};
+
+flag = {
+ name = quiet;
+ descrip = "Suppress several informational messages";
+ doc = "In that case on the exit code can be used as an indication of verification success";
+};
+
+
+
doc-section = {
ds-type = 'SEE ALSO';
ds-format = 'texi';
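Review bot: The doc string of the new `quiet` flag reads `In that case on the exit code can be used as an indication of verification success` — it has a stray `on` and no terminating period; suggest `doc = "In that case the exit code can be used as an indication of verification success.";`. The three blank lines added before `doc-section` (lines 121–123) also exceed the single blank line the file otherwise keeps between entries. The reworded `check` doc in the first hunk states that the exit code on verification success is zero, which is consistent with this flag's purpose.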
diff --git a/src/danetool.c b/src/danetool.c
index dd3cd62dd9..cce6b37471 100644
--- a/src/danetool.c
+++ b/src/danetool.c
@@ -51,7 +51,7 @@
#include "certtool-common.h"
#include "socket.h"
-static const char* obtain_cert(const char *hostname, const char *proto, unsigned int port);
+static const char* obtain_cert(const char *hostname, const char *proto, unsigned int port, unsigned quiet);
static void cmd_parser(int argc, char **argv);
static void dane_info(const char *host, const char *proto,
unsigned int port, unsigned int ca,
@@ -183,7 +183,7 @@ static void dane_check(const char *host, const char *proto,
#ifdef HAVE_DANE
dane_state_t s;
dane_query_t q;
- int ret, retcode = 0;
+ int ret, retcode = 1;
unsigned entries;
unsigned int flags = DANE_F_IGNORE_LOCAL_RESOLVER, i;
unsigned int usage, type, match;
@@ -191,6 +191,7 @@ static void dane_check(const char *host, const char *proto,
size_t size;
unsigned del = 0;
unsigned vflags = DANE_VFLAG_FAIL_IF_NOT_CHECKED;
+ const char *str;
if (ENABLED_OPT(LOCAL_DNS))
flags = 0;
@@ -285,22 +286,30 @@ static void dane_check(const char *host, const char *proto,
exit(1);
}
- if (entries > 1)
- printf("\nEntry %d:\n", i + 1);
+ if (entries > 1 && !HAVE_OPT(QUIET))
+ fprintf(outfile, "\n==== Entry %d ====\n", i + 1);
fprintf(outfile,
"_%u._%s.%s. IN TLSA ( %.2x %.2x %.2x %s )\n",
port, proto, host, usage, type, match, lbuffer);
- printf("Certificate usage: %s (%.2x)\n",
- dane_cert_usage_name(usage), usage);
- printf("Certificate type: %s (%.2x)\n",
- dane_cert_type_name(type), type);
- printf("Contents: %s (%.2x)\n",
- dane_match_type_name(match), match);
- printf("Data: %s\n\n", lbuffer);
+
+ if (!HAVE_OPT(QUIET)) {
+ str = dane_cert_usage_name(usage);
+ if (str == NULL) str= "Unknown";
+ fprintf(outfile, "Certificate usage: %s (%.2x)\n", str, usage);
+
+ str = dane_cert_type_name(type);
+ if (str == NULL) str= "Unknown";
+ fprintf(outfile, "Certificate type: %s (%.2x)\n", str, type);
+
+ str = dane_match_type_name(match);
+ if (str == NULL) str= "Unknown";
+ fprintf(outfile, "Contents: %s (%.2x)\n", str, match);
+ fprintf(outfile, "Data: %s\n\n", lbuffer);
+ }
if (!cinfo->cert) {
- cinfo->cert = obtain_cert(host, proto, port);
+ cinfo->cert = obtain_cert(host, proto, port, HAVE_OPT(QUIET));
del = 1;
}
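Review bot: `cinfo->cert = obtain_cert(host, proto, port, HAVE_OPT(QUIET));` is still assigned and `del = 1` set without a NULL check, yet this commit makes obtain_cert return NULL for any protocol other than tcp/udp (hunk at line 217). The NULL then flows into whatever loads the certificate from `cinfo->cert` between this hunk and the cleanup, and into `remove(cinfo->cert)` in the hunk at line 208, which is undefined with a NULL path. Matching the file's existing error style, suggest before `del = 1;`: `if (cinfo->cert == NULL) { fprintf(stderr, "Could not obtain certificate from %s\n", host); exit(1); }`. The per-entry "Unknown" fallback for the three name lookups is a good addition. dane_check continues outside this hunk on both sides.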
@@ -373,11 +382,13 @@ static void dane_check(const char *host, const char *proto,
exit(1);
}
- printf("\nVerification: %s\n", out.data);
+ if (!HAVE_OPT(QUIET))
+ fprintf(outfile, "\nVerification: %s\n", out.data);
gnutls_free(out.data);
- if (status != 0)
- retcode = 1;
+ /* if there is at least one correct accept */
+ if (status == 0)
+ retcode = 0;
for (i = 0; i < clist_size; i++) {
gnutls_free(certs[i].data);
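Review bot: The comment `/* if there is at least one correct accept */` on the new retcode logic is hard to parse and does not say that the flag is sticky; retcode now starts at 1 (hunk at line 144), is cleared by the first entry with `status == 0`, and is never set back by a later failing entry. Suggest `/* success if at least one TLSA entry verifies; later failures do not reset retcode */`. dane_check continues outside this hunk.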
@@ -388,6 +399,7 @@ static void dane_check(const char *host, const char *proto,
if (del != 0) {
remove(cinfo->cert);
+ cinfo->cert = NULL;
}
} else {
fprintf(stderr,
@@ -621,20 +633,30 @@ static int get_cert(socket_st *hd, const char *hostname, unsigned udp, int fd)
return 0;
}
-static const char *obtain_cert(const char *hostname, const char *proto, unsigned int port)
+static const char *obtain_cert(const char *hostname, const char *proto, unsigned port, unsigned quiet)
{
socket_st hd;
char txt_port[16];
unsigned udp = 0;
- static char tmpfile[32] = "danetool-certXXXXXX";
+ static char tmpfile[32];
int fd, ret;
+ const char *str = "Obtaining certificate from";
if (strcmp(proto, "udp") == 0)
udp = 1;
+ else if (strcmp(proto, "tcp") != 0) {
+ /* we cannot handle this protocol */
+ return NULL;
+ }
+
+ strcpy(tmpfile, "danetool-certXXXXXX");
sockets_init();
snprintf(txt_port, sizeof(txt_port), "%u", port);
- socket_open(&hd, hostname, port_to_service(txt_port, proto), udp, "Obtaining certificate from");
+
+ if (quiet)
+ str = NULL;
+ socket_open(&hd, hostname, port_to_service(txt_port, proto), udp, str);
fd = mkstemp(tmpfile);
if (fd == -1) {
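Review bot: The new unsupported-protocol branch returns NULL with no diagnostic even when `quiet` is zero, so a mistyped `--proto` is indistinguishable from a connection failure at the call site; suggest `fprintf(stderr, "Unsupported protocol '%s'\n", proto);` before the `return NULL;`. The move of the template from the static initializer to `strcpy(tmpfile, "danetool-certXXXXXX");` is presumably there because mkstemp() overwrites the X's in place and obtain_cert can be called once per TLSA entry; a comment saying so, e.g. `/* mkstemp() rewrites the template in place; reset it for repeated calls */`, would stop someone moving it back. obtain_cert continues past the hunk (mkstemp error path and socket handling), and whether socket_open fully honours a NULL message is only partly visible in the socket.c hunk.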
diff --git a/src/socket.c b/src/socket.c
index 1b2d851bec..ca38027f51 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -150,7 +150,9 @@ socket_open(socket_st * hd, const char *hostname, const char *service,
char buffer[MAX_BUF + 1];
char portname[16] = { 0 };
- printf("Resolving '%s'...\n", hostname);
+ if (msg != NULL)
+ printf("Resolving '%s'...\n", hostname);
+
/* get server name */
memset(&hints, 0, sizeof(hints));
hints.ai_socktype = udp ? SOCK_DGRAM : SOCK_STREAM;
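Review bot: With this change `msg == NULL` doubles as a "silent" switch for socket_open, but nothing at the parameter says so; suggest a comment on `msg` such as `/* msg: prefix for progress output; NULL suppresses the resolving message */`. Only the "Resolving" printf is guarded here; socket_open continues outside the hunk, and any other use of `msg` there (presumably the connect message) needs the same NULL check, which this hunk does not show.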