
[SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-69-gb69e8d5


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-69-gb69e8d5
Date: Tue, 09 Oct 2012 22:59:31 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=b69e8d5531cc4db35fbb046e395eda559b5f499a

The branch, master has been updated
       via  b69e8d5531cc4db35fbb046e395eda559b5f499a (commit)
       via  da5b010814a04930b64a9f137b12da6d5e0cd9d0 (commit)
      from  f74101bf4114d625cdac874cbcac4a1ddc9688c8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b69e8d5531cc4db35fbb046e395eda559b5f499a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed Oct 10 00:24:41 2012 +0200

    Updates in DANE support. Allow caching of queries.

commit da5b010814a04930b64a9f137b12da6d5e0cd9d0
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Oct 9 22:58:30 2012 +0200

    dane-rr -> dane-tlsa-rr

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                     |    3 +-
 NEWS                           |   13 ++--
 doc/cha-cert-auth.texi         |    7 +-
 doc/invoke-certtool.texi       |   24 ++++----
 libdane/dane.c                 |  140 ++++++++++++++++++++++++----------------
 libdane/includes/gnutls/dane.h |   40 ++++++-----
 libdane/libdane.map            |   14 ++--
 src/Makefile.am                |    2 +-
 src/certtool-args.c            |  104 +++++++++++++++---------------
 src/certtool-args.def          |   10 ++--
 src/certtool-args.h            |   10 ++--
 src/certtool.c                 |    4 +-
 src/cli.c                      |    2 +-
 13 files changed, 202 insertions(+), 171 deletions(-)

diff --git a/.gitignore b/.gitignore
index 80ac853..3d9f114 100644
--- a/.gitignore
+++ b/.gitignore
@@ -596,4 +596,5 @@ tests/mini-dtls-heartbeat
 tests/mini-handshake-timeout
 tests/mini-x509-callbacks
 doc/manpages/stamp_mans
-libdane/libdane.la
+libdane/libgnutls-dane.la
+doc/latex/dane-api.tex
diff --git a/NEWS b/NEWS
index 561c681..b5bb53e 100644
--- a/NEWS
+++ b/NEWS
@@ -27,7 +27,7 @@ certificate verification.
 
 ** gnutls-cli: Added --dane option to enable DANE certificate verification.
 
-** certtool: The --dane-rr option generates DANE TLSA Resource Records (RR).
+** certtool: The --dane-tlsa-rr option generates DANE TLSA Resource Records 
(RR).
 
 ** API and ABI modifications:
 gnutls_certificate_set_ocsp_status_request_function: Added
@@ -50,14 +50,15 @@ gnutls_pkcs11_obj_export2: Added
 gnutls_pkcs12_export2: Added
 gnutls_pubkey_import_openpgp_raw: Added
 gnutls_pubkey_import_x509_raw: Added
-dane_query_init: Added
-dane_query_deinit: Added
-dane_query_resolve_tlsa: Added
-dane_query_data: Added
+dane_state_init: Added
+dane_state_deinit: Added
+dane_query_tlsa: Added
 dane_query_status: Added
 dane_query_entries: Added
-dane_verify_crt: Added
+dane_query_data: Added
+dane_query_deinit: Added
 dane_verify_session_crt: Added
+dane_verify_crt: Added
 dane_strerror: Added
 
 
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index e6c7c96..10f0ef9 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -507,10 +507,9 @@ high level verification functions are shown below.
 
 @showfuncB{dane_verify_session_crt,dane_strerror}
 
-The allowed flags for the verification function follow.
-
address@hidden,The DANE verification flags.}
-
+Note that the @code{dane_state_t} structure that is accepted by both
+verification functions is optional. It is required when many queries
+are performed to facilitate caching.
 The following flags are returned by the verify functions to
 indicate the status of the verification.
 
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index 21f3bcb..8228754 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -7,7 +7,7 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-certtool.texi)
 # 
-# It has been AutoGen-ed  October  9, 2012 at 08:27:51 PM by AutoGen 5.16
+# It has been AutoGen-ed  October  9, 2012 at 10:59:40 PM by AutoGen 5.16
 # From the definitions    ../src/certtool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -108,7 +108,7 @@ USAGE:  certtool [ -<flag> [<val>] | 
--<name>address@hidden| @}<val>] ]...
        --template=file        Template file to use for non-interactive 
operation
                                 - file must pre-exist
        --pkcs-cipher=str      Cipher to use for PKCS #8 and #12 operations
-       --dane-rr              Print the DANE RR data on a certificate or 
public key
+       --dane-tlsa-rr         Print the DANE RR data on a certificate or 
public key
                                 - requires these options:
                                 dane-host
        --dane-host=str        Specify the hostname to be used in the DANE RR
@@ -116,7 +116,7 @@ USAGE:  certtool [ -<flag> [<val>] | 
--<name>address@hidden| @}<val>] ]...
        --dane-port=num        Specify the port number for the DANE data.
        --dane-ca              Whether the provided certificate or public key 
is a Certificate
 authority.
-       --dane-full-x509       Use the hash of the X.509 certificate, rather 
than the public key.
+       --dane-x509            Use the hash of the X.509 certificate, rather 
than the public key.
        --dane-local           The provided certificate or public key is a 
local entity.
    -v, --version[=arg]        Output version information and exit
    -h, --help                 Display extended usage information and exit
@@ -290,9 +290,9 @@ This is alternative to the bits option.
 This is the ``cipher to use for pkcs #8 and #12 operations'' option.
 This option takes an argument string @file{Cipher}.
 Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, 
arcfour.
address@hidden dane-rr}
address@hidden dane-rr option
address@hidden certtool-dane-rr
address@hidden dane-tlsa-rr}
address@hidden dane-tlsa-rr option
address@hidden certtool-dane-tlsa-rr
 
 This is the ``print the dane rr data on a certificate or public key'' option.
 
@@ -325,9 +325,9 @@ This command specifies the protocol for the service set in 
the DANE data.
 
 This is the ``whether the provided certificate or public key is a certificate 
authority.'' option.
 Marks the DANE RR as a CA certificate if specified.
address@hidden dane-full-x509}
address@hidden dane-full-x509 option
address@hidden certtool-dane-full-x509
address@hidden dane-x509}
address@hidden dane-x509 option
address@hidden certtool-dane-x509
 
 This is the ``use the hash of the x.509 certificate, rather than the public 
key.'' option.
 This option forces the generated record to contain the hash of the full X.509 
certificate. By default only the hash of the public key is used.
@@ -476,12 +476,12 @@ $ certtool --verify-crl --load-ca-certificate x509-ca.pem 
< crl.pem
 To create a DANE TLSA resource record for a CA signed certificate use the 
following commands.
 
 @example
-$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem
+$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate 
cert.pem
 @end example
 
 For a self signed certificate use:
 @example
-$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate 
cert.pem \
   --dane-local
 @end example
 
@@ -491,7 +491,7 @@ certificate using DANE.
 
 In order to create a record for the signer of your certificate use:
 @example
-$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate 
cert.pem \
   --dane-ca
 @end example
 
diff --git a/libdane/dane.c b/libdane/dane.c
index e008ad8..4f4569a 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -35,22 +35,27 @@
 
 #define MAX_DATA_ENTRIES 4
 
+struct dane_state_st
+{
+       struct ub_ctx* ctx;
+       unsigned int flags;
+};
+
 struct dane_query_st
 {
+        struct ub_result* result;
        unsigned int data_entries;
        dane_cert_usage_t usage[MAX_DATA_ENTRIES];
        dane_cert_type_t  type[MAX_DATA_ENTRIES];
        dane_match_type_t match[MAX_DATA_ENTRIES];
        gnutls_datum_t data[MAX_DATA_ENTRIES];
-       struct ub_ctx* ctx;
-       struct ub_result* result;
        unsigned int flags;
        dane_query_status_t status;
 };
 
 /**
  * dane_query_status:
- * @q: The query structure
+ * @q: The query result structure
  *
  * This function will return the status of the query response.
  * See %dane_query_status_t for the possible types.
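Review bot: The new `struct dane_query_st` lacks a comment saying that its `data[]` entries are borrowed, not owned: in the `dane_query_tlsa` hunk they are set to `&(*r)->result->data[i][3]`, so they point into `result` and die with it in `dane_query_deinit`. A two-line comment above `gnutls_datum_t data[MAX_DATA_ENTRIES];` such as `/* points into result->data; valid only until dane_query_deinit() */` would stop callers from keeping the datum after the query is released. As a style nit, the added `struct ub_result* result;` member is indented with spaces while its siblings use tabs.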
@@ -64,7 +69,7 @@ dane_query_status_t dane_query_status(dane_query_t q)
 
 /**
  * dane_query_entries:
- * @q: The query structure
+ * @q: The query result structure
  *
  * This function will return the number of entries in a query.
  *
@@ -77,7 +82,7 @@ unsigned int dane_query_entries(dane_query_t q)
 
 /**
  * dane_query_data:
- * @q: The query structure
+ * @q: The query result structure
  * @idx: The index of the query response.
  * @usage: The certificate usage (see %dane_cert_usage_t)
  * @type: The certificate type (see %dane_cert_type_t)
@@ -112,22 +117,22 @@ int dane_query_data(dane_query_t q, unsigned int idx,
 }
 
 /**
- * dane_query_init:
- * @q: The structure to be initialized
- * @flags: flags from the DANE_F_* definitions
+ * dane_state_init:
+ * @s: The structure to be initialized
+ * @flags: flags from the %dane_state_flags enumeration
  *
  * This function will initialize a DANE query structure.
  *
  * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
-int dane_query_init(dane_query_t* q, unsigned int flags)
+int dane_state_init(dane_state_t* s, unsigned int flags)
 {
        struct ub_ctx* ctx;
        int ret;
 
-       *q = calloc(1, sizeof(struct dane_query_st));
-       if (*q == NULL)
+       *s = calloc(1, sizeof(struct dane_state_st));
+       if (*s == NULL)
                return DANE_E_MEMORY_ERROR;
 
        ctx = ub_ctx_create();
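Review bot: The doc block was renamed to `dane_state_init` but its body text still says `This function will initialize a DANE query structure.`, which now describes the wrong type; propose `This function will initialize a DANE state structure, which holds the resolver context reused across queries.` The same stale wording survives in the `dane_state_deinit` comment in the next hunk (`This function will deinitialize a DANE query structure.`). The `@flags` line refers to `%dane_state_flags`, which is neither the enum tag nor the typedef name declared in the header hunk, so the cross-reference will not resolve in the generated docs. The body of `dane_state_init` continues outside the hunk.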
@@ -155,38 +160,50 @@ int dane_query_init(dane_query_t* q, unsigned int flags)
                goto cleanup;
        }
 
-       (*q)->ctx = ctx;
-       (*q)->flags = flags;
+       (*s)->ctx = ctx;
+       (*s)->flags = flags;
        
        return DANE_E_SUCCESS;
 cleanup:
 
        if (ctx)
                ub_ctx_delete(ctx);
-       free(*q);
+       free(*s);
        
        return ret;
 }
 
 /**
- * dane_query_init:
- * @q: The structure to be deinitialized
+ * dane_state_deinit:
+ * @s: The structure to be deinitialized
  *
  * This function will deinitialize a DANE query structure.
  *
  **/
-void dane_query_deinit(dane_query_t q)
+void dane_state_deinit(dane_state_t s)
 {
-       if (q->result)
-       ub_ctx_delete(q->ctx);
-               ub_resolve_free(q->result);
+       ub_ctx_delete(s->ctx);
+       free(s);
+}
+
 
+/**
+ * dane_query_deinit:
+ * @q: The structure to be deinitialized
+ *
+ * This function will deinitialize a DANE query result structure.
+ *
+ **/
+void dane_query_deinit(dane_query_t q)
+{
+       ub_resolve_free(q->result);
        free(q);
 }
 
 /**
- * dane_query_resolve_tlsa:
- * @q: The query structure
+ * dane_query_tlsa:
+ * @s: The DANE state structure
+ * @r: A structure to place the result
  * @host: The host name to resolve.
  * @proto: The protocol type (tcp, udp, etc.)
  * @port: The service port number (eg. 443).
@@ -197,62 +214,61 @@ void dane_query_deinit(dane_query_t q)
  * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  **/
-int dane_query_resolve_tlsa(dane_query_t q, const char* host, const char* 
proto, unsigned int port)
+int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const 
char* proto, unsigned int port)
 {
        char ns[1024];
        int ret;
        unsigned int i;
 
-       if (q->result) {
-               ub_resolve_free(q->result);
-               q->result = NULL;
-       }
-       
+       *r = calloc(1, sizeof(struct dane_query_st));
+       if (*r == NULL)
+               return DANE_E_MEMORY_ERROR;
+
        snprintf(ns, sizeof(ns), "_%u._%s.%s", port, proto, host);
 
        /* query for webserver */
-       ret = ub_resolve(q->ctx, ns, 52, 1, &q->result);
+       ret = ub_resolve(s->ctx, ns, 52, 1, &(*r)->result);
        if(ret != 0) {
                return DANE_E_RESOLVING_ERROR;
        }
 
 /* show first result */
-       if(!q->result->havedata) {
+       if(!(*r)->result->havedata) {
                return DANE_E_NO_DANE_DATA;
        }
 
        i = 0;
        do {
 
-               if (q->result->len[i] > 3)
+               if ((*r)->result->len[i] > 3)
                        ret = DANE_E_SUCCESS;
                else {
                        return DANE_E_RECEIVED_CORRUPT_DATA;
                }
        
-               q->usage[i] = q->result->data[i][0];
-               q->type[i] = q->result->data[i][1];
-               q->match[i] = q->result->data[i][2];
-               q->data[i].data = (void*)&q->result->data[i][3];
-               q->data[i].size = q->result->len[i] - 3;
+               (*r)->usage[i] = (*r)->result->data[i][0];
+               (*r)->type[i] = (*r)->result->data[i][1];
+               (*r)->match[i] = (*r)->result->data[i][2];
+               (*r)->data[i].data = (void*)&(*r)->result->data[i][3];
+               (*r)->data[i].size = (*r)->result->len[i] - 3;
                i++;
-       } while(q->result->data[i] != NULL);
+       } while((*r)->result->data[i] != NULL);
        
-       q->data_entries = i;
+       (*r)->data_entries = i;
 
-       if (!q->result->secure) {
-               if (q->result->bogus)
+       if (!(*r)->result->secure) {
+               if ((*r)->result->bogus)
                        ret = DANE_E_INVALID_DNSSEC_SIG;
                else
                        ret = DANE_E_NO_DNSSEC_SIG;
        }
 
        /* show security status */
-       if (q->result->secure)
-               q->status = DANE_QUERY_DNSSEC_VERIFIED;
-       else if (q->result->bogus)
-               q->status = DANE_QUERY_BOGUS;
-       else q->status = DANE_QUERY_NO_DNSSEC;
+       if ((*r)->result->secure)
+               (*r)->status = DANE_QUERY_DNSSEC_VERIFIED;
+       else if ((*r)->result->bogus)
+               (*r)->status = DANE_QUERY_BOGUS;
+       else (*r)->status = DANE_QUERY_NO_DNSSEC;
 
        return ret;
 }
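Review bot: The `do { ... } while((*r)->result->data[i] != NULL);` loop in `dane_query_tlsa` has no upper bound, while `usage[]`, `type[]`, `match[]` and `data[]` in the freshly allocated `struct dane_query_st` hold only `MAX_DATA_ENTRIES` (4) elements; a DNS answer carrying more TLSA records than that writes past the end of the heap object, which is untrusted input driving an out-of-bounds write. The minimal fix is `} while(i < MAX_DATA_ENTRIES && (*r)->result->data[i] != NULL);`. Separately, the three hard-failure returns (`DANE_E_RESOLVING_ERROR`, `DANE_E_NO_DANE_DATA`, `DANE_E_RECEIVED_CORRUPT_DATA`) hand back a half-built `*r` that the caller must know to release; `dane_verify_crt` does so in its cleanup, but the `@r` doc says nothing about it, so direct API users will leak. The rewrite below bounds the loop and releases `*r` on those paths (the DNSSEC-status returns keep the populated result, as today); the `@r` line should then read `@r: A structure to place the result; set to %NULL on failure`.
```c
	ret = ub_resolve(s->ctx, ns, 52, 1, &(*r)->result);
	if(ret != 0) {
		ret = DANE_E_RESOLVING_ERROR;
		goto fail;
	}

	if(!(*r)->result->havedata) {
		ret = DANE_E_NO_DANE_DATA;
		goto fail;
	}

	i = 0;
	do {
		if ((*r)->result->len[i] <= 3) {
			ret = DANE_E_RECEIVED_CORRUPT_DATA;
			goto fail;
		}
		/* … unchanged: copy usage/type/match/data for entry i … */
		i++;
	} while(i < MAX_DATA_ENTRIES && (*r)->result->data[i] != NULL);
	ret = DANE_E_SUCCESS;

	/* … unchanged: data_entries and DNSSEC status handling … */
	return ret;

fail:
	/* release the partially built result so a failed call hands back nothing */
	if ((*r)->result)
		ub_resolve_free((*r)->result);
	free(*r);
	*r = NULL;
	return ret;
```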
@@ -413,13 +429,14 @@ cleanup:
 
 /**
  * dane_verify_crt:
+ * @s: A DANE state structure (may be NULL)
  * @chain: A certificate chain
  * @chain_size: The size of the chain
  * @chain_type: The type of the certificate chain
  * @hostname: The hostname associated with the chain
  * @proto: The protocol of the service connecting (e.g. tcp)
  * @port: The port of the service connecting (e.g. 443)
- * @flags: The %DANE_F flags.
+ * @flags: should be zero
  * @verify: An OR'ed list of %dane_verify_status_t.
  *
  * This function will verify the given certificate chain against the
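Review bot: `@flags: should be zero` contradicts the implementation in the following hunks, where `dane_verify_crt` forwards `flags` to `dane_state_init(&_s, flags)` whenever `s` is `NULL`, and `cli.c` in this same commit passes `DANE_F_IGNORE_LOCAL_RESOLVER` through `dane_verify_session_crt`. Propose `@flags: The DANE_F_* flags applied to the state created when @s is %NULL; ignored otherwise`. The identical `@flags: should be zero.` line in the `dane_verify_session_crt` doc hunk needs the same correction.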
@@ -433,17 +450,20 @@ cleanup:
  * it may be better to mention: DANE verification did not reject the 
certificate,
  * rather than mentioning a successful DANE verication.
  * 
+ * If the @q parameter is provided it will be used for caching entries.
+ *
  * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
  *
  **/
-int dane_verify_crt (
+int dane_verify_crt (dane_state_t s,
        const gnutls_datum_t *chain, unsigned chain_size,
        gnutls_certificate_type_t chain_type,
        const char * hostname, const char* proto, unsigned int port,
        unsigned int flags, unsigned int *verify)
 {
-dane_query_t q;
+dane_state_t _s = NULL;
+dane_query_t r = NULL;
 int ret;
 unsigned int usage, type, match, idx;
 gnutls_datum_t data;
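Review bot: The added sentence `If the @q parameter is provided it will be used for caching entries.` names a parameter that does not exist; the new parameter is `s`. Propose `If the @s parameter is provided it will be used for caching entries.` The body of `dane_verify_crt` continues outside the hunk.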
@@ -453,19 +473,22 @@ gnutls_datum_t data;
        
        *verify = 0;
        
-       ret = dane_query_init(&q, flags);
-       if (ret < 0) {
-               return ret;
-       }
+       if (s == NULL) {
+               ret = dane_state_init(&_s, flags);
+               if (ret < 0) {
+                       return ret;
+               }
+       } else
+               _s = s;
        
-       ret = dane_query_resolve_tlsa(q, hostname, proto, port);
+       ret = dane_query_tlsa(_s, &r, hostname, proto, port);
        if (ret < 0) {
                goto cleanup;
        }
 
        idx = 0;
        do {
-               ret = dane_query_data(q, idx++, &usage, &type, &match, &data);
+               ret = dane_query_data(r, idx++, &usage, &type, &match, &data);
                if (ret == DANE_E_REQUESTED_DATA_NOT_AVAILABLE)
                        break;
 
@@ -488,17 +511,19 @@ gnutls_datum_t data;
        ret = 0;
 
 cleanup:
-       dane_query_deinit(q);
+       if (s == NULL) dane_state_deinit(_s);
+       if (r != NULL) dane_query_deinit(r);
        return ret;
 }
 
 /**
  * dane_verify_session_crt:
+ * @s: A DANE state structure (may be NULL)
  * @session: A gnutls session
  * @hostname: The hostname associated with the chain
  * @proto: The protocol of the service connecting (e.g. tcp)
  * @port: The port of the service connecting (e.g. 443)
- * @flags: The %DANE_F flags.
+ * @flags: should be zero.
  * @verify: An OR'ed list of %dane_verify_status_t.
  *
  * This function will verify session's certificate chain against the
@@ -510,6 +535,7 @@ cleanup:
  *
  **/
 int dane_verify_session_crt (
+        dane_state_t s,
        gnutls_session_t session,
        const char * hostname, const char* proto, unsigned int port,
        unsigned int flags, unsigned int *verify)
@@ -525,5 +551,5 @@ unsigned int type;
        
        type = gnutls_certificate_type_get(session);
        
-       return dane_verify_crt(cert_list, cert_list_size, type, hostname, 
proto, port, flags, verify);
+       return dane_verify_crt(s, cert_list, cert_list_size, type, hostname, 
proto, port, flags, verify);
 }
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 366d10a..74a28f9 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -89,17 +89,31 @@ typedef enum dane_query_status_t
   DANE_QUERY_NO_DNSSEC
 } dane_query_status_t;
 
+typedef struct dane_state_st *dane_state_t;
 typedef struct dane_query_st *dane_query_t;
 
+/**
+ * dane_state_flags_t:
+ * @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems are not DNSSEC-ready. In that 
case the local resolver is ignored, and a direct recursive resolve occurs.
+ *
+ * Enumeration of different verification flags.
+ */
+typedef enum dane_state_flags_t 
+{
+  DANE_F_IGNORE_LOCAL_RESOLVER = 1,
+} dane_verify_flags_t;
+
+int dane_state_init (dane_state_t* s, unsigned int flags);
+void dane_state_deinit (dane_state_t s);
+
+int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const 
char* proto, unsigned int port);
 
-int dane_query_init (dane_query_t* q, unsigned int flags);
-void dane_query_deinit (dane_query_t q);
-int dane_query_resolve_tlsa (dane_query_t q, const char* host, const char* 
proto, unsigned int port);
-int dane_query_data(dane_query_t q, unsigned int idx,
-                                       unsigned int *usage, unsigned int *type,
-                                       unsigned int *match, gnutls_datum_t * 
data);
 dane_query_status_t dane_query_status(dane_query_t q);
 unsigned int dane_query_entries(dane_query_t q);
+int dane_query_data(dane_query_t q, unsigned int idx,
+                       unsigned int *usage, unsigned int *type,
+                       unsigned int *match, gnutls_datum_t * data);
+void dane_query_deinit(dane_query_t q);
 
 
 /**
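Review bot: The enum tag was renamed to `dane_state_flags_t` but the typedef name on the closing line is still `dane_verify_flags_t`, so `typedef enum dane_state_flags_t { ... } dane_verify_flags_t;` gives the type two unrelated names and the `%dane_state_flags` reference in the `dane_state_init` doc has nothing to resolve to. Propose `} dane_state_flags_t;`, which is safe if nothing else in the tree uses `dane_verify_flags_t` (the old typedef is deleted in the next hunk of this file, and NEWS lists the whole API as newly added, so that appears to be the case). The `dane_state_init` doc should then read `@flags: flags from the %dane_state_flags_t enumeration`.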
@@ -117,25 +131,15 @@ typedef enum dane_verify_status_t
   DANE_VERIFY_NO_DANE_INFO = 1<<2,
 } dane_verify_status_t;
 
-/**
- * dane_verify_flags_t:
- * @DANE_F_REQUIRE_DNSSEC: Require DNSSEC for verification.
- * @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems are not DNSSEC-ready. In that 
case the local resolver is ignored, and a direct recursive resolve occurs.
- *
- * Enumeration of different verification flags.
- */
-typedef enum dane_verify_flags_t 
-{
-  DANE_F_IGNORE_LOCAL_RESOLVER = 1,
-} dane_verify_flags_t;
 
-int dane_verify_crt (
+int dane_verify_crt (dane_state_t s,
        const gnutls_datum_t *chain, unsigned chain_size,
        gnutls_certificate_type_t chain_type,
        const char * hostname, const char* proto, unsigned int port,
        unsigned int flags, unsigned int *verify);
 
 int dane_verify_session_crt (
+        dane_state_t s,
        gnutls_session_t session,
        const char * hostname, const char* proto, unsigned int port,
        unsigned int flags, unsigned int *verify);
diff --git a/libdane/libdane.map b/libdane/libdane.map
index a5af353..0bdd7a0 100644
--- a/libdane/libdane.map
+++ b/libdane/libdane.map
@@ -4,15 +4,15 @@ DANE_0_0
 {
   global:
        dane_strerror;
-       dane_verify_session_crt;
-       dane_verify_crt;
-       dane_query_init;
-       dane_query_deinit;
-       dane_query_resolve_tlsa;
-       dane_query_data;
+       dane_state_init;
+       dane_state_deinit;
+       dane_query_tlsa;
        dane_query_status;
        dane_query_entries;
-
+       dane_query_data;
+       dane_query_deinit;
+       dane_verify_session_crt;
+       dane_verify_crt;
   local:
     *;
 };
diff --git a/src/Makefile.am b/src/Makefile.am
index f4aa7e0..4796c70 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -104,7 +104,7 @@ gnutls_cli_SOURCES = cli.c common.h common.c \
        $(BENCHMARK_SRCS)
 gnutls_cli_LDADD = ../lib/libgnutls.la
 if ENABLE_DANE
-gnutls_cli_LDADD += ../libdane/libdane.la
+gnutls_cli_LDADD += ../libdane/libgnutls-dane.la
 endif
 gnutls_cli_LDADD += libcmd-cli.la ../gl/libgnu.la $(LIBOPTS_LDADD) $(LTLIBINTL)
 gnutls_cli_LDADD += $(LIBSOCKET) $(GETADDRINFO_LIB) $(LIB_CLOCK_GETTIME) \
diff --git a/src/certtool-args.c b/src/certtool-args.c
index d416fe6..8d75122 100644
--- a/src/certtool-args.c
+++ b/src/certtool-args.c
@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (certtool-args.c)
  *  
- *  It has been AutoGen-ed  October  9, 2012 at 08:27:12 PM by AutoGen 5.16
+ *  It has been AutoGen-ed  October  9, 2012 at 10:58:10 PM by AutoGen 5.16
  *  From the definitions    certtool-args.def
  *  and the template file   options
  *
@@ -249,24 +249,24 @@ static char const certtool_opt_strs[5231] =
 /*  4125 */ "PKCS_CIPHER\0"
 /*  4137 */ "pkcs-cipher\0"
 /*  4149 */ "Print the DANE RR data on a certificate or public key\0"
-/*  4203 */ "DANE_RR\0"
-/*  4211 */ "dane-rr\0"
-/*  4219 */ "Specify the hostname to be used in the DANE RR\0"
-/*  4266 */ "DANE_HOST\0"
-/*  4276 */ "dane-host\0"
-/*  4286 */ "The protocol set for DANE data (tcp, udp etc.)\0"
-/*  4333 */ "DANE_PROTO\0"
-/*  4344 */ "dane-proto\0"
-/*  4355 */ "Specify the port number for the DANE data.\0"
-/*  4398 */ "DANE_PORT\0"
-/*  4408 */ "dane-port\0"
-/*  4418 */ "Whether the provided certificate or public key is a Certificate\n"
+/*  4203 */ "DANE_TLSA_RR\0"
+/*  4216 */ "dane-tlsa-rr\0"
+/*  4229 */ "Specify the hostname to be used in the DANE RR\0"
+/*  4276 */ "DANE_HOST\0"
+/*  4286 */ "dane-host\0"
+/*  4296 */ "The protocol set for DANE data (tcp, udp etc.)\0"
+/*  4343 */ "DANE_PROTO\0"
+/*  4354 */ "dane-proto\0"
+/*  4365 */ "Specify the port number for the DANE data.\0"
+/*  4408 */ "DANE_PORT\0"
+/*  4418 */ "dane-port\0"
+/*  4428 */ "Whether the provided certificate or public key is a Certificate\n"
             "authority.\0"
-/*  4493 */ "DANE_CA\0"
-/*  4501 */ "dane-ca\0"
-/*  4509 */ "Use the hash of the X.509 certificate, rather than the public 
key.\0"
-/*  4576 */ "DANE_FULL_X509\0"
-/*  4591 */ "dane-full-x509\0"
+/*  4503 */ "DANE_CA\0"
+/*  4511 */ "dane-ca\0"
+/*  4519 */ "Use the hash of the X.509 certificate, rather than the public 
key.\0"
+/*  4586 */ "DANE_X509\0"
+/*  4596 */ "dane-x509\0"
 /*  4606 */ "The provided certificate or public key is a local entity.\0"
 /*  4664 */ "DANE_LOCAL\0"
 /*  4675 */ "dane-local\0"
@@ -758,58 +758,58 @@ static int const aTo_P12MustList[] = {
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
- *  dane-rr option description with
+ *  dane-tlsa-rr option description with
  *  "Must also have options" and "Incompatible options":
  */
-#define DANE_RR_DESC      (certtool_opt_strs+4149)
-#define DANE_RR_NAME      (certtool_opt_strs+4203)
-#define DANE_RR_name      (certtool_opt_strs+4211)
-static int const aDane_RrMustList[] = {
+#define DANE_TLSA_RR_DESC      (certtool_opt_strs+4149)
+#define DANE_TLSA_RR_NAME      (certtool_opt_strs+4203)
+#define DANE_TLSA_RR_name      (certtool_opt_strs+4216)
+static int const aDane_Tlsa_RrMustList[] = {
     INDEX_OPT_DANE_HOST, NO_EQUIVALENT };
-#define DANE_RR_FLAGS     (OPTST_DISABLED)
+#define DANE_TLSA_RR_FLAGS     (OPTST_DISABLED)
 
 /*
  *  dane-host option description:
  */
-#define DANE_HOST_DESC      (certtool_opt_strs+4219)
-#define DANE_HOST_NAME      (certtool_opt_strs+4266)
-#define DANE_HOST_name      (certtool_opt_strs+4276)
+#define DANE_HOST_DESC      (certtool_opt_strs+4229)
+#define DANE_HOST_NAME      (certtool_opt_strs+4276)
+#define DANE_HOST_name      (certtool_opt_strs+4286)
 #define DANE_HOST_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  dane-proto option description:
  */
-#define DANE_PROTO_DESC      (certtool_opt_strs+4286)
-#define DANE_PROTO_NAME      (certtool_opt_strs+4333)
-#define DANE_PROTO_name      (certtool_opt_strs+4344)
+#define DANE_PROTO_DESC      (certtool_opt_strs+4296)
+#define DANE_PROTO_NAME      (certtool_opt_strs+4343)
+#define DANE_PROTO_name      (certtool_opt_strs+4354)
 #define DANE_PROTO_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
 
 /*
  *  dane-port option description:
  */
-#define DANE_PORT_DESC      (certtool_opt_strs+4355)
-#define DANE_PORT_NAME      (certtool_opt_strs+4398)
-#define DANE_PORT_name      (certtool_opt_strs+4408)
+#define DANE_PORT_DESC      (certtool_opt_strs+4365)
+#define DANE_PORT_NAME      (certtool_opt_strs+4408)
+#define DANE_PORT_name      (certtool_opt_strs+4418)
 #define DANE_PORT_FLAGS     (OPTST_DISABLED \
         | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
 
 /*
  *  dane-ca option description:
  */
-#define DANE_CA_DESC      (certtool_opt_strs+4418)
-#define DANE_CA_NAME      (certtool_opt_strs+4493)
-#define DANE_CA_name      (certtool_opt_strs+4501)
+#define DANE_CA_DESC      (certtool_opt_strs+4428)
+#define DANE_CA_NAME      (certtool_opt_strs+4503)
+#define DANE_CA_name      (certtool_opt_strs+4511)
 #define DANE_CA_FLAGS     (OPTST_DISABLED)
 
 /*
- *  dane-full-x509 option description:
+ *  dane-x509 option description:
  */
-#define DANE_FULL_X509_DESC      (certtool_opt_strs+4509)
-#define DANE_FULL_X509_NAME      (certtool_opt_strs+4576)
-#define DANE_FULL_X509_name      (certtool_opt_strs+4591)
-#define DANE_FULL_X509_FLAGS     (OPTST_DISABLED)
+#define DANE_X509_DESC      (certtool_opt_strs+4519)
+#define DANE_X509_NAME      (certtool_opt_strs+4586)
+#define DANE_X509_name      (certtool_opt_strs+4596)
+#define DANE_X509_FLAGS     (OPTST_DISABLED)
 
 /*
  *  dane-local option description:
@@ -1522,16 +1522,16 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ PKCS_CIPHER_DESC, PKCS_CIPHER_NAME, 
PKCS_CIPHER_name,
      /* disablement strs */ NULL, NULL },
 
-  {  /* entry idx, value */ 55, VALUE_OPT_DANE_RR,
-     /* equiv idx, value */ 55, VALUE_OPT_DANE_RR,
+  {  /* entry idx, value */ 55, VALUE_OPT_DANE_TLSA_RR,
+     /* equiv idx, value */ 55, VALUE_OPT_DANE_TLSA_RR,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
-     /* opt state flags  */ DANE_RR_FLAGS, 0,
-     /* last opt argumnt */ { NULL }, /* --dane-rr */
+     /* opt state flags  */ DANE_TLSA_RR_FLAGS, 0,
+     /* last opt argumnt */ { NULL }, /* --dane-tlsa-rr */
      /* arg list/cookie  */ NULL,
-     /* must/cannot opts */ aDane_RrMustList, NULL,
+     /* must/cannot opts */ aDane_Tlsa_RrMustList, NULL,
      /* option proc      */ NULL,
-     /* desc, NAME, name */ DANE_RR_DESC, DANE_RR_NAME, DANE_RR_name,
+     /* desc, NAME, name */ DANE_TLSA_RR_DESC, DANE_TLSA_RR_NAME, 
DANE_TLSA_RR_name,
      /* disablement strs */ NULL, NULL },
 
   {  /* entry idx, value */ 56, VALUE_OPT_DANE_HOST,
@@ -1582,16 +1582,16 @@ static tOptDesc optDesc[OPTION_CT] = {
      /* desc, NAME, name */ DANE_CA_DESC, DANE_CA_NAME, DANE_CA_name,
      /* disablement strs */ NULL, NULL },
 
-  {  /* entry idx, value */ 60, VALUE_OPT_DANE_FULL_X509,
-     /* equiv idx, value */ 60, VALUE_OPT_DANE_FULL_X509,
+  {  /* entry idx, value */ 60, VALUE_OPT_DANE_X509,
+     /* equiv idx, value */ 60, VALUE_OPT_DANE_X509,
      /* equivalenced to  */ NO_EQUIVALENT,
      /* min, max, act ct */ 0, 1, 0,
-     /* opt state flags  */ DANE_FULL_X509_FLAGS, 0,
-     /* last opt argumnt */ { NULL }, /* --dane-full-x509 */
+     /* opt state flags  */ DANE_X509_FLAGS, 0,
+     /* last opt argumnt */ { NULL }, /* --dane-x509 */
      /* arg list/cookie  */ NULL,
      /* must/cannot opts */ NULL, NULL,
      /* option proc      */ NULL,
-     /* desc, NAME, name */ DANE_FULL_X509_DESC, DANE_FULL_X509_NAME, 
DANE_FULL_X509_name,
+     /* desc, NAME, name */ DANE_X509_DESC, DANE_X509_NAME, DANE_X509_name,
      /* disablement strs */ NULL, NULL },
 
   {  /* entry idx, value */ 61, VALUE_OPT_DANE_LOCAL,
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 5fce872..50a69ad 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -355,7 +355,7 @@ flag = {
 };
 
 flag = {
-    name      = dane-rr;
+    name      = dane-tlsa-rr;
     descrip   = "Print the DANE RR data on a certificate or public key";
     flags_must = dane-host;
     doc = "This command prints the DANE RR data needed to enable DANE on a DNS 
server.";
@@ -392,7 +392,7 @@ flag = {
 };
 
 flag = {
-    name      = dane-full-x509;
+    name      = dane-x509;
     descrip   = "Use the hash of the X.509 certificate, rather than the public 
key.";
     doc      = "This option forces the generated record to contain the hash of 
the full X.509 certificate. By default only the hash of the public key is 
used.";
 };
@@ -538,12 +538,12 @@ $ certtool --verify-crl --load-ca-certificate x509-ca.pem 
< crl.pem
 To create a DANE TLSA resource record for a CA signed certificate use the 
following commands.
 
 @example
-$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem
+$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate 
cert.pem
 @end example
 
 For a self signed certificate use:
 @example
-$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate 
cert.pem \
   --dane-local
 @end example
 
@@ -553,7 +553,7 @@ certificate using DANE.
 
 In order to create a record for the signer of your certificate use:
 @example
-$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate 
cert.pem \
   --dane-ca
 @end example
 _EOT_;
diff --git a/src/certtool-args.h b/src/certtool-args.h
index 1a4273c..92b384c 100644
--- a/src/certtool-args.h
+++ b/src/certtool-args.h
@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (certtool-args.h)
  *  
- *  It has been AutoGen-ed  October  9, 2012 at 08:27:12 PM by AutoGen 5.16
+ *  It has been AutoGen-ed  October  9, 2012 at 10:58:10 PM by AutoGen 5.16
  *  From the definitions    certtool-args.def
  *  and the template file   options
  *
@@ -122,12 +122,12 @@ typedef enum {
     INDEX_OPT_DISABLE_QUICK_RANDOM  = 52,
     INDEX_OPT_TEMPLATE              = 53,
     INDEX_OPT_PKCS_CIPHER           = 54,
-    INDEX_OPT_DANE_RR               = 55,
+    INDEX_OPT_DANE_TLSA_RR          = 55,
     INDEX_OPT_DANE_HOST             = 56,
     INDEX_OPT_DANE_PROTO            = 57,
     INDEX_OPT_DANE_PORT             = 58,
     INDEX_OPT_DANE_CA               = 59,
-    INDEX_OPT_DANE_FULL_X509        = 60,
+    INDEX_OPT_DANE_X509             = 60,
     INDEX_OPT_DANE_LOCAL            = 61,
     INDEX_OPT_VERSION               = 62,
     INDEX_OPT_HELP                  = 63,
@@ -231,14 +231,14 @@ typedef enum {
 #define VALUE_OPT_DISABLE_QUICK_RANDOM 148
 #define VALUE_OPT_TEMPLATE       149
 #define VALUE_OPT_PKCS_CIPHER    150
-#define VALUE_OPT_DANE_RR        151
+#define VALUE_OPT_DANE_TLSA_RR   151
 #define VALUE_OPT_DANE_HOST      152
 #define VALUE_OPT_DANE_PROTO     153
 #define VALUE_OPT_DANE_PORT      154
 
 #define OPT_VALUE_DANE_PORT      (DESC(DANE_PORT).optArg.argInt)
 #define VALUE_OPT_DANE_CA        155
-#define VALUE_OPT_DANE_FULL_X509 156
+#define VALUE_OPT_DANE_X509      156
 #define VALUE_OPT_DANE_LOCAL     157
 #define VALUE_OPT_HELP          'h'
 #define VALUE_OPT_MORE_HELP     '!'
diff --git a/src/certtool.c b/src/certtool.c
index 17aefd2..10e0478 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1081,7 +1081,7 @@ cmd_parser (int argc, char **argv)
 #endif
   else if (HAVE_OPT(CRQ_INFO))
     crq_info ();
-  else if (HAVE_OPT(DANE_RR))
+  else if (HAVE_OPT(DANE_TLSA_RR))
     dane_info (OPT_ARG(DANE_HOST), OPT_ARG(DANE_PROTO), OPT_VALUE_DANE_PORT, 
                HAVE_OPT(DANE_CA), HAVE_OPT(DANE_LOCAL), &cinfo);
   else
@@ -1112,7 +1112,7 @@ static void dane_info(const char* host, const char* 
proto, unsigned int port,
     port = 443;
     
   crt = load_cert (0, cinfo);
-  if (crt != NULL && HAVE_OPT(DANE_FULL_X509))
+  if (crt != NULL && HAVE_OPT(DANE_X509))
     {
       selector = 0; /* X.509 */
 
diff --git a/src/cli.c b/src/cli.c
index ca3a4f8..8dad548 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -484,7 +484,7 @@ cert_verify_callback (gnutls_session_t session)
 #ifdef HAVE_DANE
   if (dane) /* try DANE auth */
     {
-      rc = dane_verify_session_crt( session, hostname, udp?"udp":"tcp", 
atoi(service), 
+      rc = dane_verify_session_crt( NULL, session, hostname, udp?"udp":"tcp", 
atoi(service), 
                                     DANE_F_IGNORE_LOCAL_RESOLVER, &status);
       if (rc < 0)
         {
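Review bot: `atoi(service)` on the new call line returns 0 for a non-numeric or out-of-range string, and `dane_query_tlsa` would then look up `_0._tcp.<host>` and report no DANE data rather than an input error. Unless `service` is already validated as a numeric port before this point (the surrounding `cert_verify_callback` starts outside the hunk), a `strtoul` with end-pointer and `<= 65535` check, done once into a local, would make the failure explicit. A wrong owner name here silently weakens the verification this option is meant to add.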


hooks/post-receive
-- 
GNU gnutls


