gnutls-commit

[SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-55-g4ee5251


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_3-55-g4ee5251
Date: Thu, 01 Nov 2012 23:04:31 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=4ee52510ba8a6362afb3540645eccfac79bf3748

The branch, master has been updated
       via  4ee52510ba8a6362afb3540645eccfac79bf3748 (commit)
       via  67250f5517e2cc6921a8357c2d49e1844683aa21 (commit)
       via  944dcceea3246cda6b37c8ec3843fc59acc9e42e (commit)
       via  2e902a26e55f407c89481fc8ca3fee07ae09f90c (commit)
       via  6d839746ef4964daac20723e8e7e5505eb51dcf9 (commit)
       via  4fd86806bdb42743bd2a96f9c3138ee1a3ee3a6e (commit)
       via  91dd6004d7725a35e5fed730447fbf3f2e3093ec (commit)
       via  e20ce503acb15e63d4df992356b9d3501352e324 (commit)
       via  1123708437bcf9659cfd7daaef942cf8bb52e4af (commit)
       via  9823e11ff617660c6d21016eebc14e9a76723356 (commit)
       via  a8a6d58617f1a3d05d517e38a2ba9d71f32aa082 (commit)
      from  8cf976ce8bd94915509fd80665807db2d954cbc8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 4ee52510ba8a6362afb3540645eccfac79bf3748
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Nov 2 00:04:08 2012 +0100

    Added gnutls_srtp_get_keys().

commit 67250f5517e2cc6921a8357c2d49e1844683aa21
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Nov 1 23:06:50 2012 +0100

    corrected typos

commit 944dcceea3246cda6b37c8ec3843fc59acc9e42e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Nov 1 23:04:20 2012 +0100

    gnutls_srtp_get_profile_by_name -> gnutls_srtp_get_profile_id

commit 2e902a26e55f407c89481fc8ca3fee07ae09f90c
Author: Martin Storsjo <address@hidden>
Date:   Thu Nov 1 22:49:00 2012 +0200

    Fix typos in error messages
    
    Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>

commit 6d839746ef4964daac20723e8e7e5505eb51dcf9
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Nov 1 22:48:25 2012 +0100

    better verification messages.

commit 4fd86806bdb42743bd2a96f9c3138ee1a3ee3a6e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Nov 1 22:48:11 2012 +0100

    optimized printing

commit 91dd6004d7725a35e5fed730447fbf3f2e3093ec
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Nov 1 19:46:43 2012 +0100

    Added dane_verification_status_print() and danetool can verify a DANE entry.

commit e20ce503acb15e63d4df992356b9d3501352e324
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Nov 1 19:46:05 2012 +0100

    avoid unnecessary newline

commit 1123708437bcf9659cfd7daaef942cf8bb52e4af
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Nov 1 19:35:55 2012 +0100

    gettext.h was moved to gnutls_str.h

commit 9823e11ff617660c6d21016eebc14e9a76723356
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Nov 1 18:13:03 2012 +0100

    Added --check option to danetool.

commit a8a6d58617f1a3d05d517e38a2ba9d71f32aa082
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Thu Nov 1 18:11:15 2012 +0100

    Added new functions to convert types to strings.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                            |    9 ++-
 doc/cha-intro-tls.texi          |   19 +++
 doc/invoke-danetool.texi        |   30 ++++-
 lib/ext/srtp.c                  |  121 +++++++++++++++++--
 lib/gnutls_cert.c               |    2 -
 lib/gnutls_state.c              |    4 +-
 lib/gnutls_str.h                |    2 +
 lib/includes/gnutls/gnutls.h.in |   11 ++-
 lib/libgnutls.map               |   15 ++-
 lib/openpgp/output.c            |    4 -
 lib/x509/output.c               |    4 -
 libdane/Makefile.am             |    9 +-
 libdane/dane-params.c           |  147 +++++++++++++++++++++++
 libdane/dane.c                  |   45 +++++++
 libdane/includes/gnutls/dane.h  |    8 +-
 libdane/libdane.map             |    4 +
 src/Makefile.am                 |    1 +
 src/cli.c                       |   20 ++--
 src/common.c                    |    2 +-
 src/danetool-args.c             |  253 +++++++++++++++++++++++----------------
 src/danetool-args.def           |   27 ++++-
 src/danetool-args.h             |   50 ++++----
 src/danetool.c                  |  113 +++++++++++++++++-
 src/serv.c                      |    2 +-
 tests/mini-dtls-srtp.c          |   58 ++++++++-
 25 files changed, 770 insertions(+), 190 deletions(-)
 create mode 100644 libdane/dane-params.c

diff --git a/NEWS b/NEWS
index d4bda8c..c68e4ce 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,9 @@ for SRTP.
 
 ** danetool: Corrected bug that prevented loading PEM files.
 
+** danetool: Added --check option to allow querying and verifying
+a site's DANE data.
+
 ** libgnutls-dane: Added pkg-config file for the library.
 
 ** API and ABI modifications:
@@ -30,8 +33,12 @@ gnutls_srtp_set_profile: Added
 gnutls_srtp_set_profile_direct: Added
 gnutls_srtp_get_selected_profile: Added
 gnutls_srtp_get_profile_name: Added
-gnutls_srtp_get_profile_by_name: Added
+gnutls_srtp_get_profile_id: Added
 gnutls_srtp_profile_t: Added
+dane_cert_type_name: Added
+dane_match_type_name: Added
+dane_cert_usage_name: Added
+dane_verification_status_print: Added
 GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added
 GNUTLS_CERT_REVOCATION_DATA_INVALID: Added
 GNUTLS_CERT_UNEXPECTED_OWNER: Added
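Review bot: the API/ABI list in this hunk omits gnutls_srtp_get_keys, which the top commit (4ee5251) adds and which lib/libgnutls.map exports in the same push; add `gnutls_srtp_get_keys: Added` next to `gnutls_srtp_get_profile_id: Added`. The rename of the enum typedef in libdane/includes/gnutls/dane.h (dane_verify_flags_t to dane_state_flags_t) is also a source-visible API change and belongs in this list.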
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index f53cc96..d72ae2b 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -399,6 +399,7 @@ and they will be discussed in the subsections that follow.
 * HeartBeat::
 * Safe renegotiation::
 * OCSP status request::
+* SRTP::
 @end menu
 
 @node Maximum fragment length negotiation
@@ -592,6 +593,24 @@ ocsptool --ask --load-cert server_cert.pem --load-issuer 
the_issuer.pem
 Since version 3.1.3 GnuTLS clients transparently support the certificate status
 request.
 
address@hidden SRTP
address@hidden SRTP
address@hidden SRTP
address@hidden Secure RTP
+
+The TLS protocol was extended in @xcite{RFC5764} to provide keying material to 
the
+Secure RTP (SRTP) protocol. The SRTP protocol provides an encapsulation of 
encrypted
+data that is optimized for voice data. With the SRTP TLS extension two peers 
can
+negotiate keys using TLS or DTLS and obtain keying material for use with SRTP.
+
+To enable use the following functions.
+
address@hidden,gnutls_srtp_set_profile_direct}
+
+Other helper functions are listed below.
+
address@hidden,gnutls_srtp_get_profile_name,gnutls_srtp_get_profile_id}
+
 @include sec-tls-app.texi
 
 @node On SSL 2 and older protocols
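Review bot: the new SRTP node lists the profile-setting and lookup helpers but not gnutls_srtp_get_keys(), which is the function an application actually calls after the handshake to obtain the SRTP master keys and salts; add it to the function lists (the list macros appear as address@hidden in this archive view) and say explicitly that the use_srtp extension only negotiates the protection profile, while the keying material itself comes from the TLS exporter. "To enable use the following functions." also reads better as "To enable SRTP negotiation, use the following functions."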
diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi
index 636ab98..e840936 100644
--- a/doc/invoke-danetool.texi
+++ b/doc/invoke-danetool.texi
@@ -7,7 +7,7 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-danetool.texi)
 # 
-# It has been AutoGen-ed  October 29, 2012 at 07:37:13 PM by AutoGen 5.16
+# It has been AutoGen-ed  November  1, 2012 at 07:51:08 PM by AutoGen 5.16
 # From the definitions    ../src/danetool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -48,6 +48,9 @@ USAGE:  danetool [ -<flag> [<val>] | --<name>address@hidden| 
@}<val>] ]...
        --load-pubkey=str      Loads a public key file
        --load-certificate=str Loads a certificate file
        --hash=str             Hash algorithm to use for signing.
+       --check=str            Check DANE TLSA entry.
+       --local-dns            Use the local DNS server for DNSSEC resolving.
+                                - disabled as --no-local-dns
        --inder                Use DER format for input certificates and 
private keys.
                                 - disabled as --no-inder
        --inraw                This is an alias for 'inder'
@@ -58,7 +61,7 @@ USAGE:  danetool [ -<flag> [<val>] | --<name>address@hidden| 
@}<val>] ]...
        --proto=str            The protocol set for DANE data (tcp, udp etc.)
        --port=num             Specify the port number for the DANE data.
        --ca                   Whether the provided certificate or public key 
is a Certificate
-authority.
+Authority.
        --x509                 Use the hash of the X.509 certificate, rather 
than the public key.
        --local                The provided certificate or public key is a 
local entity.
    -v, --version[=arg]        Output version information and exit
@@ -104,6 +107,20 @@ This can be either a file or a PKCS #11 URL
 This is the ``hash algorithm to use for signing.'' option.
 This option takes an argument string.
 Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
address@hidden check}
address@hidden check option
address@hidden danetool-check
+
+This is the ``check dane tlsa entry.'' option.
+This option takes an argument string.
+Obtains the DANE TLSA entry from the given hostname and prints information.
address@hidden local-dns}
address@hidden local-dns option
address@hidden danetool-local-dns
+
+This is the ``use the local dns server for dnssec resolving.'' option.
+This option will use the local DNS server for DNSSEC.
+This is disabled by default due to many servers not allowing DNSSEC.
 @anchor{danetool inder}
 @subheading inder option
 @cindex danetool-inder
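Review bot: the local-dns text ("This is disabled by default due to many servers not allowing DNSSEC") should say what --check does instead when the local resolver is skipped, and "servers" should be "resolvers", which is what is meant. More importantly, the --check description should state whether the printed TLSA record was DNSSEC-validated: an unvalidated TLSA answer can be spoofed, so a user comparing "Check DANE TLSA entry." output against a certificate learns nothing unless the tool reports that the record was authenticated.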
@@ -206,8 +223,13 @@ $ danetool --tlsa-rr --host www.example.com 
--load-certificate cert.pem \
   --ca
 @end example
 
-To read a server's DANE TLSA entry, using the dig tool, use:
+To read a server's DANE TLSA entry, use:
address@hidden
+$ danetool --check www.example.com --proto tcp --port 443
address@hidden example
+
+To verify a server's DANE TLSA entry, use:
 @example
-$ dig +short TYPE52 _443._tcp.www.example.com
+$ danetool --check www.example.com --proto tcp --port 443 --load-certificate 
chain.pem
 @end example
 
diff --git a/lib/ext/srtp.c b/lib/ext/srtp.c
index c7b0e86..e989911 100644
--- a/lib/ext/srtp.c
+++ b/lib/ext/srtp.c
@@ -55,31 +55,49 @@ typedef struct
 {
   const char *name;
   gnutls_srtp_profile_t id;
+  unsigned int key_length;
+  unsigned int salt_length;
 } srtp_profile_st;
 
 static const srtp_profile_st profile_names[] = {
   {
     "SRTP_AES128_CM_SHA1_80",
     GNUTLS_SRTP_AES128_CM_SHA1_80,
+    16,14
   },
   {
     "SRTP_AES128_CM_SHA1_32",
     GNUTLS_SRTP_AES128_CM_SHA1_32,
+    16,14
   },
   {
     "SRTP_NULL_SHA1_80",
     GNUTLS_SRTP_NULL_SHA1_80,
+    16,14
   },
   {
     "SRTP_NULL_SHA1_32",
     GNUTLS_SRTP_NULL_SHA1_32,
+    16,14
   },
   {
     NULL,
-    0
+    0,0,0
   }
 };
 
+static const srtp_profile_st *get_profile (gnutls_srtp_profile_t profile)
+{
+  const srtp_profile_st *p = profile_names;
+  while (p->name != NULL)
+    {
+      if (p->id == profile)
+        return p;
+      p++;
+    }
+  return NULL;
+}
+
 static gnutls_srtp_profile_t find_profile (const char *str, const char *end)
 {
   const srtp_profile_st *prof = profile_names;
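Review bot: the new key_length/salt_length fields carry no units and no reference; add a comment that they are byte counts (the 128-bit master key and 112-bit master salt of the AES128_CM profiles) and explain why the SRTP_NULL_* profiles deliberately keep 16/14 rather than 0/0: SRTP still derives the HMAC-SHA1 authentication key from the master key and salt, and a 0/0 entry would make gnutls_srtp_get_keys() below fail with GNUTLS_E_INVALID_REQUEST through its msize == 0 check. Without that comment the NULL entries look like a copy-paste error and invite a "fix" that breaks authentication for those profiles.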
@@ -105,7 +123,7 @@ static gnutls_srtp_profile_t find_profile (const char *str, 
const char *end)
 }
 
 /**
- * gnutls_srtp_get_profile_by_name
+ * gnutls_srtp_get_profile_id
  * @name: The name of the profile to look up
  * @profile: Will hold the profile id
  *
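Review bot: the renamed doc block header ` * gnutls_srtp_get_profile_id` is missing the trailing colon that the other blocks in this patch use (compare ` * gnutls_srtp_get_keys:` further down); the documentation extractor keys on `name:` and may skip this function without it. The `@profile: Will hold the profile id` line should also say the value is left as 0 when the name is unknown, since find_profile() returns 0 in that case and the caller compares against it.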
@@ -116,8 +134,8 @@ static gnutls_srtp_profile_t find_profile (const char *str, 
const char *end)
  *
  * Since 3.1.4
  **/
-int gnutls_srtp_get_profile_by_name (const char *name,
-                                     gnutls_srtp_profile_t *profile)
+int gnutls_srtp_get_profile_id (const char *name,
+                                gnutls_srtp_profile_t *profile)
 {
   *profile = find_profile (name, NULL);
   if (*profile == 0)
@@ -141,13 +159,11 @@ int gnutls_srtp_get_profile_by_name (const char *name,
  **/
 const char *gnutls_srtp_get_profile_name (gnutls_srtp_profile_t profile)
 {
-  const srtp_profile_st *p = profile_names;
-  while (p->name != NULL)
-    {
-      if (p->id == profile)
-        return p->name;
-      p++;
-    }
+  const srtp_profile_st *p = get_profile(profile);
+  
+  if (p != NULL)
+    return p->name;
+  
   return NULL;
 }
 
@@ -419,6 +435,89 @@ gnutls_srtp_set_profile_direct (gnutls_session_t session,
   return 0;
 }
 
+/**
+ * gnutls_srtp_get_keys:
+ * @session: is a #gnutls_session_t structure.
+ * @key_material: Space to hold the generated key material
+ * @key_material_size: The maximum size of the key material
+ * @client_key: The master client write key, pointing inside the key material
+ * @server_key: The master server write key, pointing inside the key material
+ * @client_salt: The master client write salt, pointing inside the key material
+ * @server_salt: The master server write salt, pointing inside the key material
+ *
+ * This is a helper function to generate the keying material for SRTP.
+ * It requires the space of the key material to be pre-allocated (should be at 
least
+ * 2x the maximum key size and salt size). The @client_key, @client_salt, 
@server_key
+ * and @server_salt are convenience datums that point inside the key material. 
The may
+ * be %NULL.
+ *
+ * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the buffer given is not 
sufficient, 
+ * %GNUTLS_E_SUCCESS on success, or an error code.
+ *
+ * Since 3.1.4
+ **/
+int
+gnutls_srtp_get_keys (gnutls_session_t session, 
+                      void *key_material,
+                      unsigned int key_material_size,
+                      gnutls_datum_t *client_key, 
+                      gnutls_datum_t *client_salt,
+                      gnutls_datum_t *server_key, 
+                      gnutls_datum_t *server_salt)
+{  
+int ret;
+const srtp_profile_st *p;
+gnutls_srtp_profile_t profile;
+unsigned int msize;
+uint8_t *km = key_material;
+
+  ret = gnutls_srtp_get_selected_profile (session, &profile);
+  if (ret < 0)
+    return gnutls_assert_val(ret);
+
+  p = get_profile(profile);
+  if (p == NULL)
+    return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM);
+  
+  msize = 2*(p->key_length+p->salt_length);
+  if (msize > key_material_size)
+    return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+    
+  if (msize == 0)
+    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+  ret = gnutls_prf(session, sizeof("EXTRACTOR-dtls_srtp")-1, 
"EXTRACTOR-dtls_srtp", 0, 0, 
+                   NULL, msize, key_material);
+  if (ret < 0)
+    return gnutls_assert_val(ret);
+
+  if (client_key)
+    {
+      client_key->data = km;
+      client_key->size = p->key_length;
+    }
+
+  if (server_key)
+    {
+      server_key->data = km + p->key_length;
+      server_key->size = p->key_length;
+    }
+
+  if (client_salt)
+    {
+      client_salt->data = km + 2*p->key_length;
+      client_salt->size = p->salt_length;
+    }
+  
+  if (server_salt)
+    {
+      server_salt->data = km + 2*p->key_length + p->salt_length;
+      server_salt->size = p->salt_length;
+    }
+
+  return 0;
+}
+
 static void
 _gnutls_srtp_deinit_data (extension_priv_data_t priv)
 {
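Review bot: the doc comment for gnutls_srtp_get_keys() is imprecise where it matters for a caller sizing a buffer: "at least 2x the maximum key size and salt size" should state the exact requirement, `2*(key_length+salt_length)` of the negotiated profile, which is 60 bytes for every profile in the table above, and "The may be %NULL" should read "They may be %NULL". Three things a caller needs that the comment does not say: the four datums alias @key_material and must not be gnutls_free()d; the layout in @key_material is client key, server key, client salt, server salt, which is the RFC 5764 section 4.2 exporter layout, so code that hands the whole buffer to an SRTP stack depends on that order and it should be documented; and the buffer holds SRTP master keys, so the caller should wipe it once the keys are installed. Minor: the `msize == 0` check is unreachable after the `msize > key_material_size` check for any profile with non-zero sizes, and reads more naturally before it.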
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 90bcc6b..9e73d91 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -982,8 +982,6 @@ gnutls_certificate_verification_status_print (unsigned int 
status,
   if (status & GNUTLS_CERT_UNEXPECTED_OWNER)
     _gnutls_buffer_append_str (&str, _("The name in the certificate does not 
match the expected. "));
 
-  _gnutls_buffer_append_str (&str, "\n");
-
   ret = _gnutls_buffer_to_datum( &str, out);
   if (out->size > 0) out->size--;
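Review bot: with the trailing "\n" gone, the `if (out->size > 0) out->size--;` that follows `_gnutls_buffer_to_datum` now discards the last byte of the message text rather than a newline, and nothing in this hunk appends a terminating 0 byte before the buffer is converted. Unless _gnutls_buffer_to_datum() itself terminates the data (not visible here), callers that print out.data with %s, as src/common.c does elsewhere in this push, read past the end of the allocation. Append an explicit 0 byte with _gnutls_buffer_append_data() before the conversion; the size-- is then correct and the datum is the 0-terminated string the API promises.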
       
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 84a62b7..25a08cd 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -977,7 +977,7 @@ _gnutls_PRF (gnutls_session_t session,
  * @seed_size: length of the @seed variable.
  * @seed: optional extra data to seed the PRF with.
  * @outsize: size of pre-allocated output buffer to hold the output.
- * @out: pre-allocate buffer to hold the generated data.
+ * @out: pre-allocated buffer to hold the generated data.
  *
  * Apply the TLS Pseudo-Random-Function (PRF) on the master secret
  * and the provided data.
@@ -1024,7 +1024,7 @@ gnutls_prf_raw (gnutls_session_t session,
  * @extra_size: length of the @extra variable.
  * @extra: optional extra data to seed the PRF with.
  * @outsize: size of pre-allocated output buffer to hold the output.
- * @out: pre-allocate buffer to hold the generated data.
+ * @out: pre-allocated buffer to hold the generated data.
  *
  * Apply the TLS Pseudo-Random-Function (PRF) on the master secret
  * and the provided data, seeded with the client and server random fields.
diff --git a/lib/gnutls_str.h b/lib/gnutls_str.h
index f8671c2..afd99cb 100644
--- a/lib/gnutls_str.h
+++ b/lib/gnutls_str.h
@@ -25,6 +25,8 @@
 
 #include <gnutls_int.h>
 #include <gnutls_datum.h>
+#include "gettext.h"
+#define _(String) dgettext (PACKAGE, String)
 
 void _gnutls_str_cpy (char *dest, size_t dest_tot_size, const char *src);
 void _gnutls_mem_cpy (char *dest, size_t dest_tot_size, const char *src,
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 3a80fc9..a64db31 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -990,8 +990,15 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t 
session);
                                         gnutls_srtp_profile_t *profile);
 
   const char *gnutls_srtp_get_profile_name (gnutls_srtp_profile_t profile);
-  int gnutls_srtp_get_profile_by_name (const char *name,
-                                       gnutls_srtp_profile_t *profile);
+  int gnutls_srtp_get_profile_id (const char *name,
+                                  gnutls_srtp_profile_t *profile);
+  int gnutls_srtp_get_keys (gnutls_session_t session, 
+                      void *key_material,
+                      unsigned int key_material_size,
+                      gnutls_datum_t *client_key, 
+                      gnutls_datum_t *client_salt,
+                      gnutls_datum_t *server_key, 
+                      gnutls_datum_t *server_salt);
 
   int gnutls_key_generate (gnutls_datum_t * key, unsigned int key_size);
 
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index b1f5b91..2843f26 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -354,11 +354,6 @@ GNUTLS_1_4
     gnutls_srp_set_server_credentials_file;
     gnutls_srp_set_server_credentials_function;
     gnutls_srp_verifier;
-    gnutls_srtp_get_profile_by_name;
-    gnutls_srtp_get_profile_name;
-    gnutls_srtp_get_selected_profile;
-    gnutls_srtp_set_profile;
-    gnutls_srtp_set_profile_direct;
     gnutls_strdup;
     gnutls_strerror;
     gnutls_strerror_name;
@@ -866,6 +861,12 @@ GNUTLS_3_1_0 {
        gnutls_certificate_update_verify_flags;
        gnutls_certificate_verify_peers3;
        gnutls_certificate_verification_status_print;
+       gnutls_srtp_get_profile_id;
+       gnutls_srtp_get_profile_name;
+       gnutls_srtp_get_selected_profile;
+       gnutls_srtp_set_profile;
+       gnutls_srtp_set_profile_direct;
+       gnutls_srtp_get_keys;
 } GNUTLS_3_0_0;
 
 GNUTLS_PRIVATE {
@@ -896,7 +897,9 @@ GNUTLS_PRIVATE {
     _gnutls_buffer_append_data_prefix;
     _gnutls_buffer_pop_data;
     _gnutls_buffer_pop_prefix;
-
+    _gnutls_buffer_init;
+    _gnutls_buffer_append_str;
+    _gnutls_buffer_to_datum;
     # Internal symbols needed by psktool:
 
     # Internal symbols needed by gnutls-cli-debug:
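Review bot: the three _gnutls_buffer_* symbols added to GNUTLS_PRIVATE should get a `# Internal symbols needed by libdane:` comment like the neighbouring psktool and gnutls-cli-debug groups, and the blank line that separated the groups was removed rather than kept. Exporting them also means libgnutls-dane now depends on libgnutls's private ABI, so the two libraries have to come from the same build; that constraint deserves a line in NEWS or in libdane/Makefile.am.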
diff --git a/lib/openpgp/output.c b/lib/openpgp/output.c
index 88f522d..cc25342 100644
--- a/lib/openpgp/output.c
+++ b/lib/openpgp/output.c
@@ -28,10 +28,6 @@
 #include <gnutls_errors.h>
 #include <extras/randomart.h>
 
-/* I18n of error codes. */
-#include "gettext.h"
-#define _(String) dgettext (PACKAGE, String)
-
 #define addf _gnutls_buffer_append_printf
 #define adds _gnutls_buffer_append_str
 
diff --git a/lib/x509/output.c b/lib/x509/output.c
index ec1a6f2..c2f0cb4 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -31,10 +31,6 @@
 #include <gnutls_errors.h>
 #include <extras/randomart.h>
 
-/* I18n of error codes. */
-#include "gettext.h"
-#define _(String) dgettext (PACKAGE, String)
-
 #define addf _gnutls_buffer_append_printf
 #define adds _gnutls_buffer_append_str
 
diff --git a/libdane/Makefile.am b/libdane/Makefile.am
index 91d18ad..d880cc8 100644
--- a/libdane/Makefile.am
+++ b/libdane/Makefile.am
@@ -22,12 +22,13 @@ ACLOCAL_AMFLAGS = -I ../m4 -I ../gl/m4
 
 AM_CFLAGS = $(WERROR_CFLAGS) $(WSTACK_CFLAGS) $(WARN_CFLAGS)
 AM_CPPFLAGS = \
-       -I$(srcdir)/../gl                       \
-       -I$(builddir)/../gl                     \
+       -I$(srcdir)/../gl               \
+       -I$(builddir)/../gl             \
        -I$(builddir)/../lib/includes   \
        -I$(srcdir)/../lib/includes     \
        -I$(srcdir)/includes            \
-       -I$(builddir)/includes
+       -I$(builddir)/includes          \
+       -I$(srcdir)/../lib
 
 SUBDIRS = includes
 
@@ -40,7 +41,7 @@ libgnutls_dane_la_LDFLAGS = -no-undefined
 if ENABLE_DANE
 lib_LTLIBRARIES = libgnutls-dane.la
 
-libgnutls_dane_la_SOURCES = dane.c errors.c libdane.map
+libgnutls_dane_la_SOURCES = dane.c dane-params.c errors.c libdane.map
 
 libgnutls_dane_la_LIBADD = ../gl/libgnu.la \
        ../lib/libgnutls.la
diff --git a/libdane/dane-params.c b/libdane/dane-params.c
new file mode 100644
index 0000000..53d8473
--- /dev/null
+++ b/libdane/dane-params.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2012 KU Leuven
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of libdane.
+ *
+ * libdane is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 3 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <arpa/inet.h>
+#include <unbound.h>
+#include <gnutls/dane.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+
+typedef struct cert_type_entry
+{
+  const char* name;
+  dane_cert_type_t type;
+} cert_type_entry;
+
+static const cert_type_entry dane_cert_types[] = 
+{
+  {"X.509", DANE_CERT_X509},
+  {"SubjectPublicKeyInfo", DANE_CERT_PK},
+  {NULL, 0}
+};
+
+typedef struct match_type_entry
+{
+  const char* name;
+  dane_match_type_t type;
+} match_type_entry;
+
+static const match_type_entry dane_match_types[] = 
+{
+  {"Exact match", DANE_MATCH_EXACT},
+  {"SHA2-256 hash", DANE_MATCH_SHA2_256},
+  {"SHA2-512 hash", DANE_MATCH_SHA2_512},
+  {NULL, 0}
+};
+
+typedef struct cert_usage_entry
+{
+  const char* name;
+  dane_cert_usage_t usage;
+} cert_usage_entry;
+
+static const cert_usage_entry dane_cert_usages[] = 
+{
+  {"CA", DANE_CERT_USAGE_CA},
+  {"End-entity", DANE_CERT_USAGE_EE},
+  {"Local CA", DANE_CERT_USAGE_LOCAL_CA},
+  {"Local end-entity", DANE_CERT_USAGE_LOCAL_EE},
+  {NULL, 0}
+};
+
+
+
+/**
+ * dane_cert_type_name:
+ * @type: is a DANE match type
+ *
+ * Convert a #dane_cert_type_t value to a string.
+ *
+ * Returns: a string that contains the name of the specified
+ *   type, or %NULL.
+ **/
+const char* dane_cert_type_name(dane_cert_type_t type)
+{
+const cert_type_entry* e = dane_cert_types; 
+
+  while(e->name != NULL)
+    {
+      if (e->type == type)
+        return e->name;
+      e++;
+    }
+  
+  return NULL;
+}
+
+/**
+ * dane_match_type_name:
+ * @type: is a DANE match type
+ *
+ * Convert a #dane_match_type_t value to a string.
+ *
+ * Returns: a string that contains the name of the specified
+ *   type, or %NULL.
+ **/
+const char* dane_match_type_name(dane_match_type_t type)
+{
+const match_type_entry* e = dane_match_types; 
+
+  while(e->name != NULL)
+    {
+      if (e->type == type)
+        return e->name;
+      e++;
+    }
+  
+  return NULL;
+}
+
+/**
+ * dane_cert_usage_name:
+ * @type: is a DANE match type
+ *
+ * Convert a #dane_cert_usage_t value to a string.
+ *
+ * Returns: a string that contains the name of the specified
+ *   type, or %NULL.
+ **/
+const char* dane_cert_usage_name(dane_cert_usage_t usage)
+{
+const cert_usage_entry* e = dane_cert_usages; 
+
+  while(e->name != NULL)
+    {
+      if (e->usage == usage)
+        return e->name;
+      e++;
+    }
+  
+  return NULL;
+
+}
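Review bot: the doc comments for dane_cert_type_name() and dane_cert_usage_name() both say `@type: is a DANE match type`, copied from dane_match_type_name(); the first takes a certificate type and the second's parameter is actually named @usage, so the documentation generator will flag the mismatch and the rendered text will be wrong. Also `<stdio.h>`, `<errno.h>`, `<arpa/inet.h>` and `<unbound.h>` are not used by anything in this file and can be dropped, which keeps this pure string-table unit free of a libunbound include dependency. Minor: the three lookups are the same loop over three tables and could share one helper.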
diff --git a/libdane/dane.c b/libdane/dane.c
index 052a0fa..7114ae7 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -32,6 +32,7 @@
 #include <gnutls/x509.h>
 #include <gnutls/abstract.h>
 #include <gnutls/crypto.h>
+#include "../lib/gnutls_int.h"
 
 #define MAX_DATA_ENTRIES 4
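Review bot: `#include "../lib/gnutls_int.h"` by relative path ties libdane to the source-tree layout; the libdane/Makefile.am change in this push already adds `-I$(srcdir)/../lib`, so `#include <gnutls_int.h>` is enough. The larger point is that this pulls libgnutls's private internals into a separately installed library; see the note on the libgnutls.map hunk.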
 
@@ -601,3 +602,47 @@ unsigned int type;
        
        return dane_verify_crt(s, cert_list, cert_list_size, type, hostname, 
proto, port, sflags, vflags, verify);
 }
+
+/**
+ * dane_verification_status_print:
+ * @status: The status flags to be printed
+ * @type: The certificate type
+ * @out: Newly allocated datum with (0) terminated string.
+ * @flags: should be zero
+ *
+ * This function will pretty print the status of a verification
+ * process -- eg. the one obtained by dane_verify_crt().
+ *
+ * The output @out needs to be deallocated using gnutls_free().
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value.
+ **/
+int
+dane_verification_status_print (unsigned int status,
+                       gnutls_datum_t * out, unsigned int flags)
+{
+  gnutls_buffer_st str;
+  int ret;
+
+  _gnutls_buffer_init (&str);
+
+  if (status == 0)
+    _gnutls_buffer_append_str (&str, _("Certificate matches. "));
+  else
+    _gnutls_buffer_append_str (&str, _("Verification failed. "));
+
+  if (status & DANE_VERIFY_CA_CONSTRAINS_VIOLATED)
+    _gnutls_buffer_append_str (&str, _("CA constrains were violated. "));
+
+  if (status & DANE_VERIFY_CERT_DIFFERS)
+    _gnutls_buffer_append_str (&str, _("The certificate differs. "));
+
+  if (status & DANE_VERIFY_NO_DANE_INFO)
+    _gnutls_buffer_append_str (&str, _("There were no DANE information. "));
+
+  ret = _gnutls_buffer_to_datum( &str, out);
+  if (out->size > 0) out->size--;
+      
+  return ret;
+}
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 59392da..75d2e36 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -101,7 +101,7 @@ typedef struct dane_query_st *dane_query_t;
 typedef enum dane_state_flags_t 
 {
   DANE_F_IGNORE_LOCAL_RESOLVER = 1,
-} dane_verify_flags_t;
+} dane_state_flags_t;
 
 int dane_state_init (dane_state_t* s, unsigned int flags);
 void dane_state_deinit (dane_state_t s);
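Review bot: the typedef fix (dane_verify_flags_t to dane_state_flags_t) is a source-incompatible rename for any program that already used the old name with dane_state_init(); with libdane this new and DANE_F_IGNORE_LOCAL_RESOLVER its only flag this is the right time to do it, but record it in NEWS. A one-line comment on DANE_F_IGNORE_LOCAL_RESOLVER saying which resolver is used when the local one is ignored would also help, since that choice decides whether the TLSA answers are DNSSEC-validated.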
@@ -115,6 +115,9 @@ int dane_query_data(dane_query_t q, unsigned int idx,
                        unsigned int *match, gnutls_datum_t * data);
 void dane_query_deinit(dane_query_t q);
 
+const char* dane_cert_type_name(dane_cert_type_t type);
+const char* dane_match_type_name(dane_match_type_t type);
+const char* dane_cert_usage_name(dane_cert_usage_t usage);
 
 /**
  * dane_verify_status_t:
@@ -131,6 +134,9 @@ typedef enum dane_verify_status_t
   DANE_VERIFY_NO_DANE_INFO = 1<<2,
 } dane_verify_status_t;
 
+int
+dane_verification_status_print (unsigned int status,
+                       gnutls_datum_t * out, unsigned int flags);
 
 int dane_verify_crt (dane_state_t s,
        const gnutls_datum_t *chain, unsigned chain_size,
diff --git a/libdane/libdane.map b/libdane/libdane.map
index 0bdd7a0..b3894e1 100644
--- a/libdane/libdane.map
+++ b/libdane/libdane.map
@@ -13,6 +13,10 @@ DANE_0_0
        dane_query_deinit;
        dane_verify_session_crt;
        dane_verify_crt;
+        dane_cert_type_name;
+       dane_match_type_name;
+       dane_cert_usage_name;
+       dane_verification_status_print;
   local:
     *;
 };
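Review bot: `dane_cert_type_name;` is indented with spaces while the other entries use a tab; harmless to the linker, but keep the file consistent.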
diff --git a/src/Makefile.am b/src/Makefile.am
index 5d5f4e6..9935f0d 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -146,6 +146,7 @@ if ENABLE_DANE
 danetool_SOURCES = danetool.c certtool-common.c certtool-extras.c common.c
 danetool_LDADD = ../lib/libgnutls.la 
 danetool_LDADD += libcmd-danetool.la ../gl/libgnu.la
+danetool_LDADD += ../libdane/libgnutls-dane.la
 
 noinst_LTLIBRARIES += libcmd-danetool.la
 libcmd_danetool_la_CFLAGS =
diff --git a/src/cli.c b/src/cli.c
index 6064ad4..954cde1 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -498,20 +498,18 @@ cert_verify_callback (gnutls_session_t session)
         }
       else
         {
-          if (status != 0)
+          gnutls_datum_t out;
+
+          rc = dane_verification_status_print( status, &out, 0);
+          if (rc < 0)
             {
-              fprintf(stderr, "*** DANE certificate verification failed (flags 
%x).\n", status);
-              if (status & DANE_VERIFY_CA_CONSTRAINS_VIOLATED)
-                fprintf(stderr, "- CA constrains were violated.\n");
-              if (status & DANE_VERIFY_CERT_DIFFERS)
-                fprintf(stderr, "- The certificate differs.\n");
-              if (status & DANE_VERIFY_NO_DANE_INFO)
-                fprintf(stderr, "- There was no DANE information.\n");
+              fprintf(stderr, "*** DANE error: %s\n", dane_strerror(rc));
               if (!insecure)
                 return -1;
             }
-          else
-            printf("- DANE verification didn't reject the certificate.\n");
+          
+          fprintf(stderr, "- %s\n", out.data);
+          gnutls_free(out.data);
         }
 
     }
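Review bot: this hunk drops the rejection on DANE failure. Before, a non-zero status returned -1 unless --insecure was given; now only a failure of dane_verification_status_print() itself does, so as far as this hunk shows a certificate that fails DANE verification (DANE_VERIFY_CERT_DIFFERS, DANE_VERIFY_CA_CONSTRAINS_VIOLATED, DANE_VERIFY_NO_DANE_INFO) is merely printed and the handshake continues. Keep `if (status != 0 && !insecure) return -1;` after the message is printed. Separately, when rc < 0 and insecure is set, execution falls through to `fprintf(stderr, "- %s\n", out.data)` and `gnutls_free(out.data)` with `out` uninitialised; initialise `out` to zero or return before the print on error.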
@@ -680,7 +678,7 @@ init_tls_session (const char *hostname)
       ret = gnutls_srtp_set_profile_direct (session, OPT_ARG(SRTP_PROFILES), 
&err);
       if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at: 
%s\n", err);
       else 
-        fprintf(stderr, "Error in priorities: %s\n", gnutls_strerror(ret));
+        fprintf(stderr, "Error in profiles: %s\n", gnutls_strerror(ret));
       exit (1);
     }
 
diff --git a/src/common.c b/src/common.c
index 7841d43..9836125 100644
--- a/src/common.c
+++ b/src/common.c
@@ -340,7 +340,7 @@ cert_verify (gnutls_session_t session, const char* hostname)
           return 0;
       }
 
-    printf ("- %s", out.data);
+    printf ("- %s\n", out.data);
     
     gnutls_free(out.data);
 
diff --git a/src/danetool-args.c b/src/danetool-args.c
index 03036ba..d50d476 100644
--- a/src/danetool-args.c
+++ b/src/danetool-args.c
@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (danetool-args.c)
  *  
- *  It has been AutoGen-ed  October 28, 2012 at 11:58:30 PM by AutoGen 5.16
+ *  It has been AutoGen-ed  November  1, 2012 at 07:45:47 PM by AutoGen 5.16
  *  From the definitions    danetool-args.def
  *  and the template file   options
  *
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
 /*
  *  danetool option static const strings
  */
-static char const danetool_opt_strs[2152] =
+static char const danetool_opt_strs[2257] =
 /*     0 */ "danetool @address@hidden"
             "Copyright (C) 2000-2012 Free Software Foundation, all rights 
reserved.\n"
             "This is free software. It is licensed for use, modification and\n"
@@ -105,49 +105,55 @@ static char const danetool_opt_strs[2152] =
 /*  1110 */ "Hash algorithm to use for signing.\0"
 /*  1145 */ "HASH\0"
 /*  1150 */ "hash\0"
-/*  1155 */ "Use DER format for input certificates and private keys.\0"
-/*  1211 */ "INDER\0"
-/*  1217 */ "no-inder\0"
-/*  1226 */ "no\0"
-/*  1229 */ "This is an alias for 'inder'\0"
-/*  1258 */ "inraw\0"
-/*  1264 */ "Print the DANE RR data on a certificate or public key\0"
-/*  1318 */ "TLSA_RR\0"
-/*  1326 */ "tlsa-rr\0"
-/*  1334 */ "Specify the hostname to be used in the DANE RR\0"
-/*  1381 */ "HOST\0"
-/*  1386 */ "host\0"
-/*  1391 */ "The protocol set for DANE data (tcp, udp etc.)\0"
-/*  1438 */ "PROTO\0"
-/*  1444 */ "proto\0"
-/*  1450 */ "Specify the port number for the DANE data.\0"
-/*  1493 */ "PORT\0"
-/*  1498 */ "port\0"
-/*  1503 */ "Whether the provided certificate or public key is a Certificate\n"
-            "authority.\0"
-/*  1578 */ "CA\0"
-/*  1581 */ "ca\0"
-/*  1584 */ "Use the hash of the X.509 certificate, rather than the public 
key.\0"
-/*  1651 */ "X509\0"
-/*  1656 */ "x509\0"
-/*  1661 */ "The provided certificate or public key is a local entity.\0"
-/*  1719 */ "LOCAL\0"
-/*  1725 */ "local\0"
-/*  1731 */ "Display extended usage information and exit\0"
-/*  1775 */ "help\0"
-/*  1780 */ "Extended usage information passed thru pager\0"
-/*  1825 */ "more-help\0"
-/*  1835 */ "Output version information and exit\0"
-/*  1871 */ "version\0"
-/*  1879 */ "DANETOOL\0"
-/*  1888 */ "danetool - GnuTLS DANE tool - Ver. @address@hidden"
+/*  1155 */ "Check DANE TLSA entry.\0"
+/*  1178 */ "CHECK\0"
+/*  1184 */ "check\0"
+/*  1190 */ "Use the local DNS server for DNSSEC resolving.\0"
+/*  1237 */ "LOCAL_DNS\0"
+/*  1247 */ "no-local-dns\0"
+/*  1260 */ "no\0"
+/*  1263 */ "Use DER format for input certificates and private keys.\0"
+/*  1319 */ "INDER\0"
+/*  1325 */ "no-inder\0"
+/*  1334 */ "This is an alias for 'inder'\0"
+/*  1363 */ "inraw\0"
+/*  1369 */ "Print the DANE RR data on a certificate or public key\0"
+/*  1423 */ "TLSA_RR\0"
+/*  1431 */ "tlsa-rr\0"
+/*  1439 */ "Specify the hostname to be used in the DANE RR\0"
+/*  1486 */ "HOST\0"
+/*  1491 */ "host\0"
+/*  1496 */ "The protocol set for DANE data (tcp, udp etc.)\0"
+/*  1543 */ "PROTO\0"
+/*  1549 */ "proto\0"
+/*  1555 */ "Specify the port number for the DANE data.\0"
+/*  1598 */ "PORT\0"
+/*  1603 */ "port\0"
+/*  1608 */ "Whether the provided certificate or public key is a Certificate\n"
+            "Authority.\0"
+/*  1683 */ "CA\0"
+/*  1686 */ "ca\0"
+/*  1689 */ "Use the hash of the X.509 certificate, rather than the public 
key.\0"
+/*  1756 */ "X509\0"
+/*  1761 */ "x509\0"
+/*  1766 */ "The provided certificate or public key is a local entity.\0"
+/*  1824 */ "LOCAL\0"
+/*  1830 */ "local\0"
+/*  1836 */ "Display extended usage information and exit\0"
+/*  1880 */ "help\0"
+/*  1885 */ "Extended usage information passed thru pager\0"
+/*  1930 */ "more-help\0"
+/*  1940 */ "Output version information and exit\0"
+/*  1976 */ "version\0"
+/*  1984 */ "DANETOOL\0"
+/*  1993 */ "danetool - GnuTLS DANE tool - Ver. @address@hidden"
             "USAGE:  %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
-/*  1991 */ "address@hidden"
-/*  2010 */ "\n\n\0"
-/*  2013 */ "\n"
+/*  2096 */ "address@hidden"
+/*  2115 */ "\n\n\0"
+/*  2118 */ "\n"
             "Tool generate DNS resource records for the DANE protocol.\n\0"
-/*  2073 */ "danetool @address@hidden"
-/*  2092 */ "danetool [options]\n"
+/*  2178 */ "danetool @address@hidden"
+/*  2197 */ "danetool [options]\n"
             "danetool --help for usage instructions.\n";
 
 /*
@@ -213,30 +219,49 @@ static char const danetool_opt_strs[2152] =
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
+ *  check option description:
+ */
+#define CHECK_DESC      (danetool_opt_strs+1155)
+#define CHECK_NAME      (danetool_opt_strs+1178)
+#define CHECK_name      (danetool_opt_strs+1184)
+#define CHECK_FLAGS     (OPTST_DISABLED \
+        | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ *  local-dns option description:
+ */
+#define LOCAL_DNS_DESC      (danetool_opt_strs+1190)
+#define LOCAL_DNS_NAME      (danetool_opt_strs+1237)
+#define NOT_LOCAL_DNS_name  (danetool_opt_strs+1247)
+#define NOT_LOCAL_DNS_PFX   (danetool_opt_strs+1260)
+#define LOCAL_DNS_name      (NOT_LOCAL_DNS_name + 3)
+#define LOCAL_DNS_FLAGS     (OPTST_DISABLED)
+
+/*
  *  inder option description:
  */
-#define INDER_DESC      (danetool_opt_strs+1155)
-#define INDER_NAME      (danetool_opt_strs+1211)
-#define NOT_INDER_name  (danetool_opt_strs+1217)
-#define NOT_INDER_PFX   (danetool_opt_strs+1226)
+#define INDER_DESC      (danetool_opt_strs+1263)
+#define INDER_NAME      (danetool_opt_strs+1319)
+#define NOT_INDER_name  (danetool_opt_strs+1325)
+#define NOT_INDER_PFX   (danetool_opt_strs+1260)
 #define INDER_name      (NOT_INDER_name + 3)
 #define INDER_FLAGS     (OPTST_DISABLED)
 
 /*
  *  inraw option description:
  */
-#define INRAW_DESC    (danetool_opt_strs+1229)
+#define INRAW_DESC    (danetool_opt_strs+1334)
 #define INRAW_NAME    NULL
-#define INRAW_name    (danetool_opt_strs+1258)
+#define INRAW_name    (danetool_opt_strs+1363)
 #define INRAW_FLAGS     (INDER_FLAGS | OPTST_ALIAS)
 
 /*
  *  tlsa-rr option description with
  *  "Must also have options" and "Incompatible options":
  */
-#define TLSA_RR_DESC      (danetool_opt_strs+1264)
-#define TLSA_RR_NAME      (danetool_opt_strs+1318)
-#define TLSA_RR_name      (danetool_opt_strs+1326)
+#define TLSA_RR_DESC      (danetool_opt_strs+1369)
+#define TLSA_RR_NAME      (danetool_opt_strs+1423)
+#define TLSA_RR_name      (danetool_opt_strs+1431)
 static int const aTlsa_RrMustList[] = {
     INDEX_OPT_HOST, NO_EQUIVALENT };
 #define TLSA_RR_FLAGS     (OPTST_DISABLED)
@@ -244,62 +269,62 @@ static int const aTlsa_RrMustList[] = {
 /*
  *  host option description:
  */
-#define HOST_DESC      (danetool_opt_strs+1334)
-#define HOST_NAME      (danetool_opt_strs+1381)
-#define HOST_name      (danetool_opt_strs+1386)
+#define HOST_DESC      (danetool_opt_strs+1439)
+#define HOST_NAME      (danetool_opt_strs+1486)
+#define HOST_name      (danetool_opt_strs+1491)
 #define HOST_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  proto option description:
  */
-#define PROTO_DESC      (danetool_opt_strs+1391)
-#define PROTO_NAME      (danetool_opt_strs+1438)
-#define PROTO_name      (danetool_opt_strs+1444)
+#define PROTO_DESC      (danetool_opt_strs+1496)
+#define PROTO_NAME      (danetool_opt_strs+1543)
+#define PROTO_name      (danetool_opt_strs+1549)
 #define PROTO_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  port option description:
  */
-#define PORT_DESC      (danetool_opt_strs+1450)
-#define PORT_NAME      (danetool_opt_strs+1493)
-#define PORT_name      (danetool_opt_strs+1498)
+#define PORT_DESC      (danetool_opt_strs+1555)
+#define PORT_NAME      (danetool_opt_strs+1598)
+#define PORT_name      (danetool_opt_strs+1603)
 #define PORT_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
 
 /*
  *  ca option description:
  */
-#define CA_DESC      (danetool_opt_strs+1503)
-#define CA_NAME      (danetool_opt_strs+1578)
-#define CA_name      (danetool_opt_strs+1581)
+#define CA_DESC      (danetool_opt_strs+1608)
+#define CA_NAME      (danetool_opt_strs+1683)
+#define CA_name      (danetool_opt_strs+1686)
 #define CA_FLAGS     (OPTST_DISABLED)
 
 /*
  *  x509 option description:
  */
-#define X509_DESC      (danetool_opt_strs+1584)
-#define X509_NAME      (danetool_opt_strs+1651)
-#define X509_name      (danetool_opt_strs+1656)
+#define X509_DESC      (danetool_opt_strs+1689)
+#define X509_NAME      (danetool_opt_strs+1756)
+#define X509_name      (danetool_opt_strs+1761)
 #define X509_FLAGS     (OPTST_DISABLED)
 
 /*
  *  local option description:
  */
-#define LOCAL_DESC      (danetool_opt_strs+1661)
-#define LOCAL_NAME      (danetool_opt_strs+1719)
-#define LOCAL_name      (danetool_opt_strs+1725)
+#define LOCAL_DESC      (danetool_opt_strs+1766)
+#define LOCAL_NAME      (danetool_opt_strs+1824)
+#define LOCAL_name      (danetool_opt_strs+1830)
 #define LOCAL_FLAGS     (OPTST_DISABLED)
 
 /*
  *  Help/More_Help/Version option descriptions:
  */
-#define HELP_DESC       (danetool_opt_strs+1731)
-#define HELP_name       (danetool_opt_strs+1775)
+#define HELP_DESC       (danetool_opt_strs+1836)
+#define HELP_name       (danetool_opt_strs+1880)
 #ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC  (danetool_opt_strs+1780)
-#define MORE_HELP_name  (danetool_opt_strs+1825)
+#define MORE_HELP_DESC  (danetool_opt_strs+1885)
+#define MORE_HELP_name  (danetool_opt_strs+1930)
 #define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
 #else
 #define MORE_HELP_DESC  NULL
@@ -312,8 +337,8 @@ static int const aTlsa_RrMustList[] = {
 #  define VER_FLAGS     (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
                          OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
 #endif
-#define VER_DESC        (danetool_opt_strs+1835)
-#define VER_name        (danetool_opt_strs+1871)
+#define VER_DESC        (danetool_opt_strs+1940)
+#define VER_name        (danetool_opt_strs+1976)
 /*
  *  Declare option callback procedures
  */
@@ -417,8 +442,32 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ HASH_DESC, HASH_NAME, HASH_name,
      /* disablement strs */ NULL, NULL },
 
-  {  /* entry idx, value */ 7, VALUE_OPT_INDER,
-     /* equiv idx, value */ 7, VALUE_OPT_INDER,
+  {  /* entry idx, value */ 7, VALUE_OPT_CHECK,
+     /* equiv idx, value */ 7, VALUE_OPT_CHECK,
+     /* equivalenced to  */ NO_EQUIVALENT,
+     /* min, max, act ct */ 0, 1, 0,
+     /* opt state flags  */ CHECK_FLAGS, 0,
+     /* last opt argumnt */ { NULL }, /* --check */
+     /* arg list/cookie  */ NULL,
+     /* must/cannot opts */ NULL, NULL,
+     /* option proc      */ NULL,
+     /* desc, NAME, name */ CHECK_DESC, CHECK_NAME, CHECK_name,
+     /* disablement strs */ NULL, NULL },
+
+  {  /* entry idx, value */ 8, VALUE_OPT_LOCAL_DNS,
+     /* equiv idx, value */ 8, VALUE_OPT_LOCAL_DNS,
+     /* equivalenced to  */ NO_EQUIVALENT,
+     /* min, max, act ct */ 0, 1, 0,
+     /* opt state flags  */ LOCAL_DNS_FLAGS, 0,
+     /* last opt argumnt */ { NULL }, /* --local-dns */
+     /* arg list/cookie  */ NULL,
+     /* must/cannot opts */ NULL, NULL,
+     /* option proc      */ NULL,
+     /* desc, NAME, name */ LOCAL_DNS_DESC, LOCAL_DNS_NAME, LOCAL_DNS_name,
+     /* disablement strs */ NOT_LOCAL_DNS_name, NOT_LOCAL_DNS_PFX },
+
+  {  /* entry idx, value */ 9, VALUE_OPT_INDER,
+     /* equiv idx, value */ 9, VALUE_OPT_INDER,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
      /* opt state flags  */ INDER_FLAGS, 0,
@@ -429,8 +478,8 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ INDER_DESC, INDER_NAME, INDER_name,
      /* disablement strs */ NOT_INDER_name, NOT_INDER_PFX },
 
-  {  /* entry idx, value */ 8, VALUE_OPT_INRAW,
-     /* equiv idx, value */ 8, VALUE_OPT_INRAW,
+  {  /* entry idx, value */ 10, VALUE_OPT_INRAW,
+     /* equiv idx, value */ 10, VALUE_OPT_INRAW,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
      /* opt state flags  */ INRAW_FLAGS, 0,
@@ -441,8 +490,8 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ INRAW_DESC, INRAW_NAME, INRAW_name,
      /* disablement strs */ 0, 0 },
 
-  {  /* entry idx, value */ 9, VALUE_OPT_TLSA_RR,
-     /* equiv idx, value */ 9, VALUE_OPT_TLSA_RR,
+  {  /* entry idx, value */ 11, VALUE_OPT_TLSA_RR,
+     /* equiv idx, value */ 11, VALUE_OPT_TLSA_RR,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
      /* opt state flags  */ TLSA_RR_FLAGS, 0,
@@ -453,8 +502,8 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ TLSA_RR_DESC, TLSA_RR_NAME, TLSA_RR_name,
      /* disablement strs */ NULL, NULL },
 
-  {  /* entry idx, value */ 10, VALUE_OPT_HOST,
-     /* equiv idx, value */ 10, VALUE_OPT_HOST,
+  {  /* entry idx, value */ 12, VALUE_OPT_HOST,
+     /* equiv idx, value */ 12, VALUE_OPT_HOST,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
      /* opt state flags  */ HOST_FLAGS, 0,
@@ -465,8 +514,8 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ HOST_DESC, HOST_NAME, HOST_name,
      /* disablement strs */ NULL, NULL },
 
-  {  /* entry idx, value */ 11, VALUE_OPT_PROTO,
-     /* equiv idx, value */ 11, VALUE_OPT_PROTO,
+  {  /* entry idx, value */ 13, VALUE_OPT_PROTO,
+     /* equiv idx, value */ 13, VALUE_OPT_PROTO,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
      /* opt state flags  */ PROTO_FLAGS, 0,
@@ -477,8 +526,8 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ PROTO_DESC, PROTO_NAME, PROTO_name,
      /* disablement strs */ NULL, NULL },
 
-  {  /* entry idx, value */ 12, VALUE_OPT_PORT,
-     /* equiv idx, value */ 12, VALUE_OPT_PORT,
+  {  /* entry idx, value */ 14, VALUE_OPT_PORT,
+     /* equiv idx, value */ 14, VALUE_OPT_PORT,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
      /* opt state flags  */ PORT_FLAGS, 0,
@@ -489,8 +538,8 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ PORT_DESC, PORT_NAME, PORT_name,
      /* disablement strs */ NULL, NULL },
 
-  {  /* entry idx, value */ 13, VALUE_OPT_CA,
-     /* equiv idx, value */ 13, VALUE_OPT_CA,
+  {  /* entry idx, value */ 15, VALUE_OPT_CA,
+     /* equiv idx, value */ 15, VALUE_OPT_CA,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
      /* opt state flags  */ CA_FLAGS, 0,
@@ -501,8 +550,8 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ CA_DESC, CA_NAME, CA_name,
      /* disablement strs */ NULL, NULL },
 
-  {  /* entry idx, value */ 14, VALUE_OPT_X509,
-     /* equiv idx, value */ 14, VALUE_OPT_X509,
+  {  /* entry idx, value */ 16, VALUE_OPT_X509,
+     /* equiv idx, value */ 16, VALUE_OPT_X509,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
      /* opt state flags  */ X509_FLAGS, 0,
@@ -513,8 +562,8 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ X509_DESC, X509_NAME, X509_name,
      /* disablement strs */ NULL, NULL },
 
-  {  /* entry idx, value */ 15, VALUE_OPT_LOCAL,
-     /* equiv idx, value */ 15, VALUE_OPT_LOCAL,
+  {  /* entry idx, value */ 17, VALUE_OPT_LOCAL,
+     /* equiv idx, value */ 17, VALUE_OPT_LOCAL,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
      /* opt state flags  */ LOCAL_FLAGS, 0,
@@ -569,14 +618,14 @@ static tOptDesc optDesc[OPTION_CT] = {
  *
  *  Define the danetool Option Environment
  */
-#define zPROGNAME       (danetool_opt_strs+1879)
-#define zUsageTitle     (danetool_opt_strs+1888)
+#define zPROGNAME       (danetool_opt_strs+1984)
+#define zUsageTitle     (danetool_opt_strs+1993)
 #define zRcName         NULL
 #define apzHomeList     NULL
-#define zBugsAddr       (danetool_opt_strs+1991)
-#define zExplain        (danetool_opt_strs+2010)
-#define zDetail         (danetool_opt_strs+2013)
-#define zFullVersion    (danetool_opt_strs+2073)
+#define zBugsAddr       (danetool_opt_strs+2096)
+#define zExplain        (danetool_opt_strs+2115)
+#define zDetail         (danetool_opt_strs+2118)
+#define zFullVersion    (danetool_opt_strs+2178)
 /* extracted from optcode.tlib near line 350 */
 
 #if defined(ENABLE_NLS)
@@ -590,7 +639,7 @@ static tOptDesc optDesc[OPTION_CT] = {
 
 #define danetool_full_usage (NULL)
 
-#define danetool_short_usage (danetool_opt_strs+2092)
+#define danetool_short_usage (danetool_opt_strs+2197)
 
 #endif /* not defined __doxygen__ */
 
@@ -749,7 +798,7 @@ tOptions danetoolOptions = {
       NO_EQUIVALENT, /* '-#' option index */
       NO_EQUIVALENT /* index of default opt */
     },
-    19 /* full option count */, 16 /* user option count */,
+    21 /* full option count */, 18 /* user option count */,
     danetool_full_usage, danetool_short_usage,
     NULL, NULL,
     PKGDATADIR, danetool_packager_info
diff --git a/src/danetool-args.def b/src/danetool-args.def
index 2510230..dc29c4f 100644
--- a/src/danetool-args.def
+++ b/src/danetool-args.def
@@ -33,6 +33,22 @@ flag = {
 };
 
 flag = {
+    name      = check;
+    arg-type  = string;
+    descrip   = "Check DANE TLSA entry.";
+    doc = "Obtains the DANE TLSA entry from the given hostname and prints 
information.";
+};
+
+flag = {
+    name      = local-dns;
+    descrip   = "Use the local DNS server for DNSSEC resolving.";
+    disabled;
+    disable   = "no";
+    doc       = "This option will use the local DNS server for DNSSEC.
+This is disabled by default due to many servers not allowing DNSSEC.";
+};
+
+flag = {
     name      = inder;
     descrip   = "Use DER format for input certificates and private keys.";
     disabled;
@@ -80,7 +96,7 @@ flag = {
 
 flag = {
     name      = ca;
-    descrip   = "Whether the provided certificate or public key is a 
Certificate authority.";
+    descrip   = "Whether the provided certificate or public key is a 
Certificate Authority.";
     doc      = "Marks the DANE RR as a CA certificate if specified.";
 };
 
@@ -132,9 +148,14 @@ $ danetool --tlsa-rr --host www.example.com 
--load-certificate cert.pem \
   --ca
 @end example
 
-To read a server's DANE TLSA entry, using the dig tool, use:
+To read a server's DANE TLSA entry, use:
address@hidden
+$ danetool --check www.example.com --proto tcp --port 443
address@hidden example
+
+To verify a server's DANE TLSA entry, use:
 @example
-$ dig +short TYPE52 _443._tcp.www.example.com
+$ danetool --check www.example.com --proto tcp --port 443 --load-certificate 
chain.pem
 @end example
 _EOT_;
 };
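Review bot: the new `--check` example passes `--proto tcp --port 443`, which are exactly the defaults set in cmd_parser (`proto = "tcp"`, `port = 443`); either drop them or say they are defaults. Keep the removed `dig +short TYPE52 _443._tcp.www.example.com` example alongside: an independent resolver query is how a user cross-checks what danetool prints, and it is the only way to see the record when the local resolver does not validate. For the verification example, state that the result is printed only and that the exit status does not reflect the outcome, so scripts cannot rely on it as written.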
diff --git a/src/danetool-args.h b/src/danetool-args.h
index 7c6747f..dfab6bb 100644
--- a/src/danetool-args.h
+++ b/src/danetool-args.h
@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (danetool-args.h)
  *  
- *  It has been AutoGen-ed  October 28, 2012 at 11:58:30 PM by AutoGen 5.16
+ *  It has been AutoGen-ed  November  1, 2012 at 07:45:46 PM by AutoGen 5.16
  *  From the definitions    danetool-args.def
  *  and the template file   options
  *
@@ -74,21 +74,23 @@ typedef enum {
     INDEX_OPT_LOAD_PUBKEY       =  4,
     INDEX_OPT_LOAD_CERTIFICATE  =  5,
     INDEX_OPT_HASH              =  6,
-    INDEX_OPT_INDER             =  7,
-    INDEX_OPT_INRAW             =  8,
-    INDEX_OPT_TLSA_RR           =  9,
-    INDEX_OPT_HOST              = 10,
-    INDEX_OPT_PROTO             = 11,
-    INDEX_OPT_PORT              = 12,
-    INDEX_OPT_CA                = 13,
-    INDEX_OPT_X509              = 14,
-    INDEX_OPT_LOCAL             = 15,
-    INDEX_OPT_VERSION           = 16,
-    INDEX_OPT_HELP              = 17,
-    INDEX_OPT_MORE_HELP         = 18
+    INDEX_OPT_CHECK             =  7,
+    INDEX_OPT_LOCAL_DNS         =  8,
+    INDEX_OPT_INDER             =  9,
+    INDEX_OPT_INRAW             = 10,
+    INDEX_OPT_TLSA_RR           = 11,
+    INDEX_OPT_HOST              = 12,
+    INDEX_OPT_PROTO             = 13,
+    INDEX_OPT_PORT              = 14,
+    INDEX_OPT_CA                = 15,
+    INDEX_OPT_X509              = 16,
+    INDEX_OPT_LOCAL             = 17,
+    INDEX_OPT_VERSION           = 18,
+    INDEX_OPT_HELP              = 19,
+    INDEX_OPT_MORE_HELP         = 20
 } teOptIndex;
 
-#define OPTION_CT    19
+#define OPTION_CT    21
 #define DANETOOL_VERSION       "@VERSION@"
 #define DANETOOL_FULL_VERSION  "danetool @VERSION@"
 
@@ -135,17 +137,19 @@ typedef enum {
 #define VALUE_OPT_LOAD_PUBKEY    4
 #define VALUE_OPT_LOAD_CERTIFICATE 5
 #define VALUE_OPT_HASH           6
-#define VALUE_OPT_INDER          7
-#define VALUE_OPT_INRAW          8
-#define VALUE_OPT_TLSA_RR        9
-#define VALUE_OPT_HOST           10
-#define VALUE_OPT_PROTO          11
-#define VALUE_OPT_PORT           12
+#define VALUE_OPT_CHECK          7
+#define VALUE_OPT_LOCAL_DNS      8
+#define VALUE_OPT_INDER          9
+#define VALUE_OPT_INRAW          10
+#define VALUE_OPT_TLSA_RR        11
+#define VALUE_OPT_HOST           12
+#define VALUE_OPT_PROTO          13
+#define VALUE_OPT_PORT           14
 
 #define OPT_VALUE_PORT           (DESC(PORT).optArg.argInt)
-#define VALUE_OPT_CA             13
-#define VALUE_OPT_X509           14
-#define VALUE_OPT_LOCAL          15
+#define VALUE_OPT_CA             15
+#define VALUE_OPT_X509           16
+#define VALUE_OPT_LOCAL          17
 #define VALUE_OPT_HELP          'h'
 #define VALUE_OPT_MORE_HELP     '!'
 #define VALUE_OPT_VERSION       'v'
diff --git a/src/danetool.c b/src/danetool.c
index 2014cd6..a662296 100644
--- a/src/danetool.c
+++ b/src/danetool.c
@@ -27,6 +27,7 @@
 #include <gnutls/pkcs11.h>
 #include <gnutls/abstract.h>
 #include <gnutls/crypto.h>
+#include <gnutls/dane.h>
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -53,6 +54,9 @@ static void cmd_parser (int argc, char **argv);
 static void dane_info(const char* host, const char* proto, unsigned int port, 
                       unsigned int ca, unsigned int local, common_info_st * 
cinfo);
 
+static void dane_check(const char* host, const char* proto, unsigned int port,
+                       common_info_st * cinfo);
+
 FILE *outfile;
 static gnutls_digest_algorithm_t default_dig;
 
@@ -82,6 +86,8 @@ cmd_parser (int argc, char **argv)
 {
   int ret, privkey_op = 0;
   common_info_st cinfo;
+  const char* proto = "tcp";
+  unsigned int port = 443;
 
   optionProcess( &danetoolOptions, argc, argv);
   
@@ -150,9 +156,17 @@ cmd_parser (int argc, char **argv)
   if (HAVE_OPT(LOAD_CERTIFICATE))
     cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);
 
+  if (HAVE_OPT(PORT))
+    port = OPT_VALUE_PORT;
+  if (HAVE_OPT(PROTO))
+    proto = OPT_ARG(PROTO);
+
   if (HAVE_OPT(TLSA_RR))
-    dane_info (OPT_ARG(HOST), OPT_ARG(PROTO), OPT_VALUE_PORT, 
+    dane_info (OPT_ARG(HOST), proto, port,
                HAVE_OPT(CA), HAVE_OPT(LOCAL), &cinfo);
+  else if (HAVE_OPT(CHECK))
+    dane_check (OPT_ARG(CHECK), proto, port, 
+                &cinfo);
   else
     USAGE(1);
 
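Review bot: `port = OPT_VALUE_PORT;` copies an `argInt` into `unsigned int` with no range check, so a negative or out-of-range value is accepted and later formatted into the owner name (`_%u._%s.%s.`) in dane_check; validate 1..65535 before use. When both `--tlsa-rr` and `--check` are given, `--tlsa-rr` silently wins; rejecting the combination with USAGE(1) is clearer. With `--check`, the `--ca`, `--local` and `--host` options are accepted and ignored.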
@@ -164,6 +178,103 @@ cmd_parser (int argc, char **argv)
   gnutls_global_deinit ();
 }
 
+static void dane_check(const char* host, const char* proto, unsigned int port,
+                       common_info_st * cinfo)
+{
+dane_state_t s;
+dane_query_t q;
+int ret;
+unsigned int flags = DANE_F_IGNORE_LOCAL_RESOLVER, i;
+unsigned int usage, type, match;
+gnutls_datum_t data, file;
+size_t size;
+
+  if (ENABLED_OPT(LOCAL_DNS))
+    flags = 0;
+
+  printf("Querying on %s (%s:%d)...\n", host, proto, port);
+  ret = dane_state_init(&s, flags);
+  if (ret < 0)
+    error (EXIT_FAILURE, 0, "dane_state_init: %s", dane_strerror (ret));
+  
+  ret = dane_query_tlsa(s, &q, host, proto, port);
+  if (ret < 0)
+    error (EXIT_FAILURE, 0, "dane_query_tlsa: %s", dane_strerror (ret));
+  
+  for (i=0;i<dane_query_entries(q);i++)
+    {
+      ret = dane_query_data(q, i, &usage, &type, &match, &data);
+      if (ret < 0)
+        error (EXIT_FAILURE, 0, "dane_query_data: %s", dane_strerror (ret));
+      
+      
+      size = buffer_size;
+      ret = gnutls_hex_encode(&data, (void*)buffer, &size);
+      if (ret < 0)
+        error (EXIT_FAILURE, 0, "gnutls_hex_encode: %s", dane_strerror (ret));
+
+      fprintf(outfile, "_%u._%s.%s. IN TLSA ( %.2x %.2x %.2x %s )\n", port, 
proto, host, usage, type, match, buffer);
+
+      printf("\nCertificate usage: %s\n", dane_cert_usage_name(usage));
+      printf("Certificate type: %s\n", dane_cert_type_name(type));
+      printf("Contents: %s\n", dane_match_type_name(match));
+      printf("Data: %s\n", buffer);
+
+    }
+  
+  /* Verify the DANE data */
+  if (cinfo->cert)
+    {
+      gnutls_x509_crt_t *clist;
+      unsigned int clist_size, status;
+      
+      ret = gnutls_load_file(cinfo->cert, &file);
+      if (ret < 0)
+        error (EXIT_FAILURE, 0, "gnutls_load_file: %s", gnutls_strerror (ret));
+    
+      ret = gnutls_x509_crt_list_import2( &clist, &clist_size, &file, 
cinfo->incert_format, 0);
+      if (ret < 0)
+        error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_import2: %s", 
gnutls_strerror (ret));
+      
+      if (clist_size > 0)
+        {
+          gnutls_datum_t certs[clist_size];
+          gnutls_datum_t out;
+          unsigned int i;
+          
+          for (i=0;i<clist_size;i++)
+            {
+              ret = gnutls_x509_crt_export2( clist[i], GNUTLS_X509_FMT_DER, 
&certs[i]);
+              if (ret < 0)
+                error (EXIT_FAILURE, 0, "gnutls_x509_crt_export2: %s", 
gnutls_strerror (ret));
+            }
+          
+          ret = dane_verify_crt( s, certs, clist_size, GNUTLS_CRT_X509, 
+                                 host, proto, port, 0, 0, &status);
+          if (ret < 0)
+            error (EXIT_FAILURE, 0, "dane_verify_crt: %s", dane_strerror 
(ret));
+            
+          ret = dane_verification_status_print(status, &out, 0);
+          if (ret < 0)
+            error (EXIT_FAILURE, 0, "dane_verification_status_print: %s", 
dane_strerror (ret));
+          
+          printf("\nVerification: %s\n", out.data);
+          gnutls_free(out.data);
+
+          for (i=0;i<clist_size;i++)
+            {
+              gnutls_free(certs[i].data);
+              gnutls_x509_crt_deinit(clist[i]);
+            }
+          gnutls_free(clist);
+        }
+    }
+
+  dane_query_deinit(q);
+  dane_state_deinit(s);
+
+}
+
 static void dane_info(const char* host, const char* proto, unsigned int port, 
                       unsigned int ca, unsigned int local, common_info_st * 
cinfo)
 {
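Review bot: the verification result in `printf("\nVerification: %s\n", out.data);` is printed but never acted on, so the tool exits 0 whatever `status` contains, and nothing in the output says whether the TLSA records were DNSSEC-authenticated; with `--local-dns` and a non-validating resolver the output looks identical to a validated answer. Map a non-zero `status` to a non-zero exit code and print the DNSSEC state of the answer alongside the records. Smaller points in the same function: `gnutls_hex_encode` returns a GnuTLS error code, so its failure should be reported with `gnutls_strerror`, not `dane_strerror` as in `error (EXIT_FAILURE, 0, "gnutls_hex_encode: %s", dane_strerror (ret));`; `"Querying on %s (%s:%d)"` formats an `unsigned int` with `%d` (use `%u`); `file.data` returned by gnutls_load_file is never freed; the inner `unsigned int i;` shadows the `i` declared at the top; and `%.2x` for usage, selector and matching type matches RFC 6698 presentation format (decimal 8-bit integers) only for values 0..9, printing e.g. the private-use value 255 as `ff`; if dane_info() uses the same format string, change both together.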
diff --git a/src/serv.c b/src/serv.c
index db6b9e4..3541fbd 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -399,7 +399,7 @@ gnutls_session_t initialize_session (int dtls)
       ret = gnutls_srtp_set_profile_direct (session, OPT_ARG(SRTP_PROFILES), 
&err);
       if (ret == GNUTLS_E_INVALID_REQUEST) fprintf (stderr, "Syntax error at: 
%s\n", err);
       else 
-        fprintf(stderr, "Error in priorities: %s\n", gnutls_strerror(ret));
+        fprintf(stderr, "Error in profiles: %s\n", gnutls_strerror(ret));
       exit (1);
     }
 
diff --git a/tests/mini-dtls-srtp.c b/tests/mini-dtls-srtp.c
index 8f41d61..76edfdf 100644
--- a/tests/mini-dtls-srtp.c
+++ b/tests/mini-dtls-srtp.c
@@ -69,7 +69,8 @@ client_log_func (int level, const char *str)
 /* These are global */
 static pid_t child;
 
-/* A very basic DTLS client, with anonymous authentication, that exchanges 
heartbeats.
+#define MAX_KEY_MATERIAL 64*4
+/* A very basic DTLS client, with anonymous authentication, that negotiates 
SRTP
  */
 
 static void
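Review bot: `#define MAX_KEY_MATERIAL 64*4` is unparenthesised; it is later used in `buf[2*MAX_KEY_MATERIAL]`, which only works because multiplication is associative. Define it as `(64*4)` and add a comment on why 256 bytes covers the largest SRTP profile (the buffer must hold both client and server key plus salt). The new `uint8_t km[...]` arrays also need `<stdint.h>` included in this test.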
@@ -78,6 +79,9 @@ client (int fd, int profile)
     gnutls_session_t session;
     int ret;
     gnutls_anon_client_credentials_t anoncred;
+    uint8_t km[MAX_KEY_MATERIAL];
+    char buf[2*MAX_KEY_MATERIAL];
+    gnutls_datum_t cli_key, cli_salt, server_key, server_salt;
     /* Need to enable anonymous KX specifically. */
 
     gnutls_global_init ();
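Review bot: `char buf[2*MAX_KEY_MATERIAL];` has no room for the NUL terminator that gnutls_hex_encode writes; a datum of n bytes needs 2*n+1 bytes of output space. Size it `2*MAX_KEY_MATERIAL + 1` so the limit is not hit if a key or salt ever fills the material buffer.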
@@ -144,14 +148,33 @@ client (int fd, int profile)
                  gnutls_protocol_get_name (gnutls_protocol_get_version
                                            (session)));
 
-/*
-    ret = gnutls_prf(session, sizeof("EXTRACTOR-dtls_srtp")-1, 
"EXTRACTOR-dtls_srtp", 0, ctx_len, ctx, 32, out);
+    ret = gnutls_srtp_get_keys (session, km, sizeof(km), &cli_key, &cli_salt, 
&server_key, &server_salt);
     if (ret < 0)
       {
         gnutls_perror(ret);
         exit(1);
       }
-*/
+
+    if (debug)
+      {
+        size_t size = sizeof(buf);
+        gnutls_hex_encode(&cli_key, buf, &size);
+        success ("Client key: %s\n", buf);
+
+        size = sizeof(buf);
+        gnutls_hex_encode(&cli_salt, buf, &size);
+        success ("Client salt: %s\n", buf);
+
+        size = sizeof(buf);
+        gnutls_hex_encode(&server_key, buf, &size);
+        success ("Server key: %s\n", buf);
+
+        size = sizeof(buf);
+        gnutls_hex_encode(&server_salt, buf, &size);
+        success ("Server salt: %s\n", buf);
+      }
+
+
     gnutls_bye (session, GNUTLS_SHUT_WR);
 
     close (fd);
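Review bot: the test exercises gnutls_srtp_get_keys but asserts nothing about its result; the four `gnutls_hex_encode(...)` calls in the `if (debug)` block also discard their return values, so on a short buffer `buf` is printed uninitialised. At minimum check that `cli_key.size`, `cli_salt.size`, `server_key.size` and `server_salt.size` are the expected sizes for the negotiated `profile` and that the datum pointers lie inside `km`. Since client and server run in separate processes here, a real check that both sides derived the same material would need the server to send a digest of its keys over the DTLS session before `gnutls_bye`. Printing raw key material only under `debug` is the right choice for a test.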
@@ -179,6 +202,10 @@ server (int fd, int profile)
     int ret;
     gnutls_session_t session;
     gnutls_anon_server_credentials_t anoncred;
+    uint8_t km[MAX_KEY_MATERIAL];
+    char buf[2*MAX_KEY_MATERIAL];
+    gnutls_datum_t cli_key, cli_salt, server_key, server_salt;
+
     /* this must be called once in the program
      */
     gnutls_global_init ();
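Review bot: same sizing issue as the client side: `char buf[2*MAX_KEY_MATERIAL];` is one byte short of what gnutls_hex_encode needs for a full-size datum (2*n+1); make it `2*MAX_KEY_MATERIAL + 1`.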
@@ -239,14 +266,31 @@ server (int fd, int profile)
                  gnutls_protocol_get_name (gnutls_protocol_get_version
                                            (session)));
 
-/*
-    ret = gnutls_prf(session, sizeof("EXTRACTOR-dtls_srtp")-1, 
"EXTRACTOR-dtls_srtp", 0, ctx_len, ctx, 32, out);
+    ret = gnutls_srtp_get_keys (session, km, sizeof(km), &cli_key, &cli_salt, 
&server_key, &server_salt);
     if (ret < 0)
       {
         gnutls_perror(ret);
         exit(1);
       }
-*/
+    
+    if (debug)
+      {
+        size_t size = sizeof(buf);
+        gnutls_hex_encode(&cli_key, buf, &size);
+        success ("Client key: %s\n", buf);
+
+        size = sizeof(buf);
+        gnutls_hex_encode(&cli_salt, buf, &size);
+        success ("Client salt: %s\n", buf);
+
+        size = sizeof(buf);
+        gnutls_hex_encode(&server_key, buf, &size);
+        success ("Server key: %s\n", buf);
+
+        size = sizeof(buf);
+        gnutls_hex_encode(&server_salt, buf, &size);
+        success ("Server salt: %s\n", buf);
+      }
 
     /* do not wait for the peer to close the connection.
      */
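Review bot: the hex-dump block under `if (debug)` is an exact copy of the client's; factor it into a small `dump_srtp_keys()` helper taking the four datums so the two sides cannot drift apart, and check the gnutls_hex_encode return values there. As on the client side, the server never validates the sizes returned by gnutls_srtp_get_keys against the negotiated `profile`, so the test passes even if the function returned empty datums.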


hooks/post-receive
-- 
GNU gnutls


