Diffstat (limited to 'src')
-rw-r--r-- | src/danetool-args.def | 86 | ||||
-rw-r--r-- | src/danetool.c | 58 | ||||
-rw-r--r-- | src/socket.c | 4 |
3 files changed, 90 insertions, 58 deletions
diff --git a/src/danetool-args.def b/src/danetool-args.def
index f6a4cb7f70..80a26f20fc 100644
--- a/src/danetool-args.def
+++ b/src/danetool-args.def
@@ -44,7 +44,7 @@ flag = {
 name = check;
 arg-type = string;
 descrip = "Check a host's DANE TLSA entry";
- doc = "Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host has to be provided using --load-certificate.";
+ doc = "Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host can be provided using --load-certificate, otherwise danetool will connect to the server to obtain it. The exit code on verification success will be zero.";
 };
 flag = {
@@ -60,44 +60,6 @@ flag = {
 };
 flag = {
- name = insecure;
- descrip = "Do not verify any DNSSEC signature";
- doc = "Ignores any DNSSEC signature verification results.";
-};
-
-flag = {
- name = local-dns;
- descrip = "Use the local DNS server for DNSSEC resolving";
- disabled;
- disable = "no";
- doc = "This option will use the local DNS server for DNSSEC.
-This is disabled by default due to many servers not allowing DNSSEC.";
-};
-
-flag = {
- name = inder;
- descrip = "Use DER format for input certificates and private keys";
- disabled;
- disable = "no";
- doc = "The input files will be assumed to be in DER or RAW format.
-Unlike options that in PEM input would allow multiple input data (e.g. multiple
-certificates), when reading in DER format a single data structure is read.";
-};
-
-flag = {
- name = inraw;
- aliases = inder;
-};
-
-flag = {
- name = print-raw;
- descrip = "Print the received DANE data in raw format";
- disabled;
- disable = "no";
- doc = "This option will print the received DANE data.";
-};
-
-flag = {
 name = tlsa-rr;
 descrip = "Print the DANE RR data on a certificate or public key";
 flags_must = host;
@@ -153,6 +115,52 @@ flag = {
 doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.";
 };
+flag = {
+ name = local-dns;
+ descrip = "Use the local DNS server for DNSSEC resolving";
+ disabled;
+ disable = "no";
+ doc = "This option will use the local DNS server for DNSSEC.
+This is disabled by default due to many servers not allowing DNSSEC.";
+};
+
+flag = {
+ name = insecure;
+ descrip = "Do not verify any DNSSEC signature";
+ doc = "Ignores any DNSSEC signature verification results.";
+};
+
+flag = {
+ name = inder;
+ descrip = "Use DER format for input certificates and private keys";
+ disabled;
+ disable = "no";
+ doc = "The input files will be assumed to be in DER or RAW format.
+Unlike options that in PEM input would allow multiple input data (e.g. multiple
+certificates), when reading in DER format a single data structure is read.";
+};
+
+flag = {
+ name = inraw;
+ aliases = inder;
+};
+
+flag = {
+ name = print-raw;
+ descrip = "Print the received DANE data in raw format";
+ disabled;
+ disable = "no";
+ doc = "This option will print the received DANE data.";
+};
+
+flag = {
+ name = quiet;
+ descrip = "Suppress several informational messages";
+ doc = "In that case on the exit code can be used as an indication of verification success";
+};
+
+
+
 doc-section = {
 ds-type = 'SEE ALSO';
 ds-format = 'texi';
diff --git a/src/danetool.c b/src/danetool.c
index dd3cd62dd9..cce6b37471 100644
--- a/src/danetool.c
+++ b/src/danetool.c
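Review bot: The doc string of the new `quiet` flag at the end of the hunk, `In that case on the exit code can be used as an indication of verification success`, is garbled and will be copied verbatim into --help and the man page; it should read `doc = "In that case only the exit code can be used as an indication of verification success";`. It would also help users to say what --quiet still prints: judging from the danetool.c hunks in this commit, the TLSA record line itself is still written while the per-entry "Certificate usage/type/Contents/Data" and "Verification" lines are suppressed, so a sentence such as "The TLSA records are still printed; descriptive and verification messages are not." would avoid a trip to the source. The period missing at the end of the doc string, which every neighbouring flag has, is a small consistency nit.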
@@ -51,7 +51,7 @@
 #include "certtool-common.h"
 #include "socket.h"
-static const char* obtain_cert(const char *hostname, const char *proto, unsigned int port);
+static const char* obtain_cert(const char *hostname, const char *proto, unsigned int port, unsigned quiet);
 static void cmd_parser(int argc, char **argv);
 static void dane_info(const char *host, const char *proto, unsigned int port, unsigned int ca,
@@ -183,7 +183,7 @@ static void dane_check(const char *host, const char *proto,
 #ifdef HAVE_DANE
 dane_state_t s;
 dane_query_t q;
- int ret, retcode = 0;
+ int ret, retcode = 1;
 unsigned entries;
 unsigned int flags = DANE_F_IGNORE_LOCAL_RESOLVER, i;
 unsigned int usage, type, match;
@@ -191,6 +191,7 @@ static void dane_check(const char *host, const char *proto,
 size_t size;
 unsigned del = 0;
 unsigned vflags = DANE_VFLAG_FAIL_IF_NOT_CHECKED;
+ const char *str;
 if (ENABLED_OPT(LOCAL_DNS)) flags = 0;
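Review bot: `int ret, retcode = 1;` in the second hunk flips dane_check's default exit status to failure without saying why, and a reader who meets it at the declarations will take 1 for an error sentinel rather than a deliberate "fail unless proven otherwise" policy. The place where it is cleared lives in a later hunk of this same commit, so the intent is invisible here; suggest `int ret, retcode = 1; /* success only once at least one TLSA entry verifies */`. While at it, the prototype hunk above declares the new parameter as `unsigned quiet` while the rest of the signature uses `unsigned int`; picking one spelling keeps the declaration and definition textually identical. dane_check starts before this hunk and continues well past it.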
@@ -285,22 +286,30 @@ static void dane_check(const char *host, const char *proto,
 exit(1);
 }
- if (entries > 1)
- printf("\nEntry %d:\n", i + 1);
+ if (entries > 1 && !HAVE_OPT(QUIET))
+ fprintf(outfile, "\n==== Entry %d ====\n", i + 1);
 fprintf(outfile, "_%u._%s.%s. IN TLSA ( %.2x %.2x %.2x %s )\n", port, proto, host, usage, type, match, lbuffer);
- printf("Certificate usage: %s (%.2x)\n",
- dane_cert_usage_name(usage), usage);
- printf("Certificate type: %s (%.2x)\n",
- dane_cert_type_name(type), type);
- printf("Contents: %s (%.2x)\n",
- dane_match_type_name(match), match);
- printf("Data: %s\n\n", lbuffer);
+
+ if (!HAVE_OPT(QUIET)) {
+ str = dane_cert_usage_name(usage);
+ if (str == NULL) str= "Unknown";
+ fprintf(outfile, "Certificate usage: %s (%.2x)\n", str, usage);
+
+ str = dane_cert_type_name(type);
+ if (str == NULL) str= "Unknown";
+ fprintf(outfile, "Certificate type: %s (%.2x)\n", str, type);
+
+ str = dane_match_type_name(match);
+ if (str == NULL) str= "Unknown";
+ fprintf(outfile, "Contents: %s (%.2x)\n", str, match);
+ fprintf(outfile, "Data: %s\n\n", lbuffer);
+ }
 if (!cinfo->cert) {
- cinfo->cert = obtain_cert(host, proto, port);
+ cinfo->cert = obtain_cert(host, proto, port, HAVE_OPT(QUIET));
 del = 1;
 }
@@ -373,11 +382,13 @@ static void dane_check(const char *host, const char *proto,
 exit(1);
 }
- printf("\nVerification: %s\n", out.data);
+ if (!HAVE_OPT(QUIET))
+ fprintf(outfile, "\nVerification: %s\n", out.data);
 gnutls_free(out.data);
- if (status != 0)
- retcode = 1;
+ /* if there is at least one correct accept */
+ if (status == 0)
+ retcode = 0;
 for (i = 0; i < clist_size; i++) {
 gnutls_free(certs[i].data);
@@ -388,6 +399,7 @@ static void dane_check(const char *host, const char *proto,
 if (del != 0) {
 remove(cinfo->cert);
+ cinfo->cert = NULL;
 }
 } else {
 fprintf(stderr,
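Review bot: The call `cinfo->cert = obtain_cert(host, proto, port, HAVE_OPT(QUIET));` in the first hunk stores the result unchecked and then sets `del = 1`, but this same commit teaches obtain_cert to return NULL when proto is neither "tcp" nor "udp"; a bad --proto value therefore leaves cinfo->cert NULL, presumably feeds that NULL to the certificate loader that follows, and in any case reaches `remove(cinfo->cert)` in the last hunk with a NULL path. Add a check directly after the call: `if (cinfo->cert == NULL) { fprintf(stderr, "Cannot obtain certificate for protocol '%s'\n", proto); exit(1); }`. The `retcode = 0` rewrite in the second hunk is the intended "any matching TLSA record suffices" semantics, but note that `retcode` now only changes inside this per-entry loop, so a zero-entry response keeps the initial failure value; the comment `/* if there is at least one correct accept */` would read better as `/* verification succeeds if at least one TLSA entry accepts the chain */`. dane_check begins and ends outside these hunks.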
@@ -621,20 +633,30 @@ static int get_cert(socket_st *hd, const char *hostname, unsigned udp, int fd)
 return 0;
 }
-static const char *obtain_cert(const char *hostname, const char *proto, unsigned int port)
+static const char *obtain_cert(const char *hostname, const char *proto, unsigned port, unsigned quiet)
 {
 socket_st hd;
 char txt_port[16];
 unsigned udp = 0;
- static char tmpfile[32] = "danetool-certXXXXXX";
+ static char tmpfile[32];
 int fd, ret;
+ const char *str = "Obtaining certificate from";
 if (strcmp(proto, "udp") == 0) udp = 1;
+ else if (strcmp(proto, "tcp") != 0) {
+ /* we cannot handle this protocol */
+ return NULL;
+ }
+
+ strcpy(tmpfile, "danetool-certXXXXXX");
 sockets_init();
 snprintf(txt_port, sizeof(txt_port), "%u", port);
- socket_open(&hd, hostname, port_to_service(txt_port, proto), udp, "Obtaining certificate from");
+
+ if (quiet)
+ str = NULL;
+ socket_open(&hd, hostname, port_to_service(txt_port, proto), udp, str);
 fd = mkstemp(tmpfile);
 if (fd == -1) {
diff --git a/src/socket.c b/src/socket.c
index 1b2d851bec..ca38027f51 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -150,7 +150,9 @@ socket_open(socket_st * hd, const char *hostname, const char *service,
 char buffer[MAX_BUF + 1];
 char portname[16] = { 0 };
- printf("Resolving '%s'...\n", hostname);
+ if (msg != NULL)
+ printf("Resolving '%s'...\n", hostname);
+
 /* get server name */
 memset(&hints, 0, sizeof(hints));
 hints.ai_socktype = udp ? SOCK_DGRAM : SOCK_STREAM; |
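Review bot: obtain_cert now has two contract points that neither the definition nor the prototype documents: it returns NULL for a proto other than "tcp"/"udp" (the new early return), and the path it hands back is the static `tmpfile`, which the added `strcpy(tmpfile, "danetool-certXXXXXX")` overwrites on every call, so a caller must consume or copy the result before calling again. Put a header comment above the definition stating that it connects to hostname:port over tcp or udp, writes the peer certificate to a mkstemp() file and returns its path in a static buffer valid only until the next call, returns NULL for an unsupported proto, and that `quiet` suppresses the progress output. The template has no directory component, so the certificate lands in whatever the current working directory happens to be; if that is not deliberate, building the template under `P_tmpdir` or `$TMPDIR` is the conventional fix, and the `fd == -1` branch that follows is the place the unwritable-cwd case surfaces. The result of `socket_open()` is not examined here; whether it can report failure is not visible in this hunk. The function continues past the end of the hunk.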
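Review bot: In the socket.c hunk `msg == NULL` becomes a quiet switch for socket_open, but the only place that convention is written down is the caller in danetool.c, so the next caller passing NULL to mean "no banner" will silently lose the "Resolving" line too. Add to socket_open's header comment something like `/* msg: banner printed before connecting; NULL also suppresses the "Resolving '<host>'..." progress line. */`, and if msg gates any further output later in the function, say so there as well. socket_open starts before this hunk and continues after it.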