From 4ac2ca1bdb8ff0e862927c3e1162c3686449c50a Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Thu, 28 Jan 2016 18:24:27 -0500
Subject: systemd-resolve: allow easy querying of openpgp keys

$ systemd-resolve --openpgp zbyszek@fedoraproject.org
d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproject.org. IN OPENPGPKEY
        mQINBFBHPMsBEACeInGYJCb+7TurKfb6wGyTottCDtiSJB310i37/6ZYoeIay/5soJjlM
        yfMFQ9T2XNT/0LM6gTa0MpC1st9LnzYTMsT6tzRly1D1UbVI6xw0g0vE5y2Cjk3xUwAyn
        ...
---
 src/resolve/resolve-tool.c | 69 ++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 61 insertions(+), 8 deletions(-)

(limited to 'src/resolve/resolve-tool.c')

diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index 9bee953839..6d1bc6d0f9 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -19,6 +19,7 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
+#include <gcrypt.h>
 #include <getopt.h>
 #include <net/if.h>
 
@@ -30,6 +31,7 @@
 #include "bus-util.h"
 #include "escape.h"
 #include "in-addr-util.h"
+#include "gcrypt-util.h"
 #include "parse-util.h"
 #include "resolved-def.h"
 #include "resolved-dns-packet.h"
@@ -48,6 +50,7 @@ static enum {
         MODE_RESOLVE_HOST,
         MODE_RESOLVE_RECORD,
         MODE_RESOLVE_SERVICE,
+        MODE_RESOLVE_OPENPGP,
         MODE_STATISTICS,
         MODE_RESET_STATISTICS,
 } arg_mode = MODE_RESOLVE_HOST;
@@ -547,15 +550,10 @@ static int resolve_rfc4501(sd_bus *bus, const char *name) {
         } else
                 n = p;
 
-        if (type == 0)
-                type = arg_type;
-        if (type == 0)
-                type = DNS_TYPE_A;
-
         if (class == 0)
-                class = arg_class;
-        if (class == 0)
-                class = DNS_CLASS_IN;
+                class = arg_class ?: DNS_CLASS_IN;
+        if (type == 0)
+                type = arg_type ?: DNS_TYPE_A;
 
         return resolve_record(bus, n, class, type);
 
@@ -765,6 +763,36 @@ static int resolve_service(sd_bus *bus, const char *name, const char *type, cons
         return 0;
 }
 
+static int resolve_openpgp(sd_bus *bus, const char *address) {
+        const char *domain, *full;
+        int r;
+        _cleanup_free_ char *hashed = NULL;
+
+        assert(bus);
+        assert(address);
+
+        domain = strrchr(address, '@');
+        if (!domain) {
+                log_error("Address does not contain '@': \"%s\"", address);
+                return -EINVAL;
+        } else if (domain == address || domain[1] == '\0') {
+                log_error("Address starts or ends with '@': \"%s\"", address);
+                return -EINVAL;
+        }
+        domain++;
+
+        r = string_hashsum(address, domain - 1 - address, GCRY_MD_SHA224, &hashed);
+        if (r < 0)
+                return log_error_errno(r, "Hashing failed: %m");
+
+        full = strjoina(hashed, "._openpgpkey.", domain);
+        log_debug("Looking up \"%s\".", full);
+
+        return resolve_record(bus, full,
+                              arg_class ?: DNS_CLASS_IN,
+                              arg_type ?: DNS_TYPE_OPENPGPKEY);
+}
+
 static int show_statistics(sd_bus *bus) {
         _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
@@ -947,6 +975,7 @@ static void help(void) {
                "     --service                Resolve service (SRV)\n"
                "     --service-address=BOOL   Do [not] resolve address for services\n"
                "     --service-txt=BOOL       Do [not] resolve TXT records for services\n"
+               "     --openpgp                Query OpenPGP public key\n"
                "     --cname=BOOL             Do [not] follow CNAME redirects\n"
                "     --search=BOOL            Do [not] use search domains\n"
                "     --legend=BOOL            Do [not] print column headers and meta information\n"
@@ -963,6 +992,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_CNAME,
                 ARG_SERVICE_ADDRESS,
                 ARG_SERVICE_TXT,
+                ARG_OPENPGP,
                 ARG_SEARCH,
                 ARG_STATISTICS,
                 ARG_RESET_STATISTICS,
@@ -980,6 +1010,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "service",          no_argument,       NULL, ARG_SERVICE          },
                 { "service-address",  required_argument, NULL, ARG_SERVICE_ADDRESS  },
                 { "service-txt",      required_argument, NULL, ARG_SERVICE_TXT      },
+                { "openpgp",          no_argument,       NULL, ARG_OPENPGP          },
                 { "search",           required_argument, NULL, ARG_SEARCH           },
                 { "statistics",       no_argument,       NULL, ARG_STATISTICS,      },
                 { "reset-statistics", no_argument,       NULL, ARG_RESET_STATISTICS },
@@ -1089,6 +1120,10 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_mode = MODE_RESOLVE_SERVICE;
                         break;
 
+                case ARG_OPENPGP:
+                        arg_mode = MODE_RESOLVE_OPENPGP;
+                        break;
+
                 case ARG_CNAME:
                         r = parse_boolean(optarg);
                         if (r < 0)
@@ -1248,6 +1283,24 @@ int main(int argc, char **argv) {
 
                 break;
 
+        case MODE_RESOLVE_OPENPGP:
+                if (argc < optind + 1) {
+                        log_error("E-mail address required.");
+                        r = -EINVAL;
+                        goto finish;
+
+                }
+
+                r = 0;
+                while (optind < argc) {
+                        int k;
+
+                        k = resolve_openpgp(bus, argv[optind++]);
+                        if (k < 0)
+                                r = k;
+                }
+                break;
+
         case MODE_STATISTICS:
                 if (argc > optind) {
                         log_error("Too many arguments.");
-- 
cgit v1.2.3-54-g00ecf


From 41815a4aa66c59070dc86aa99eebfa720e8a263e Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 15 Feb 2016 21:25:33 +0100
Subject: resolve: print a noisy warning if we show crypto keys that could not
 be authenticated

Doing DNS retrieval on non-authenticated crypt keys is useless, hence warn
loudly about it.
---
 src/resolve/dns-type.c     | 17 +++++++++++++++++
 src/resolve/dns-type.h     |  1 +
 src/resolve/resolve-tool.c | 17 +++++++++++++++++
 3 files changed, 35 insertions(+)

(limited to 'src/resolve/resolve-tool.c')

diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c
index b2f479cae5..78d9d5733f 100644
--- a/src/resolve/dns-type.c
+++ b/src/resolve/dns-type.c
@@ -193,6 +193,23 @@ bool dns_type_is_obsolete(uint16_t type) {
                       DNS_TYPE_NULL);
 }
 
+bool dns_type_needs_authentication(uint16_t type) {
+
+        /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
+         * authenticated. I.e. everything that contains crypto keys. */
+
+        return IN_SET(type,
+                      DNS_TYPE_CERT,
+                      DNS_TYPE_SSHFP,
+                      DNS_TYPE_IPSECKEY,
+                      DNS_TYPE_DS,
+                      DNS_TYPE_DNSKEY,
+                      DNS_TYPE_TLSA,
+                      DNS_TYPE_CDNSKEY,
+                      DNS_TYPE_OPENPGPKEY,
+                      DNS_TYPE_CAA);
+}
+
 int dns_type_to_af(uint16_t t) {
         switch (t) {
 
diff --git a/src/resolve/dns-type.h b/src/resolve/dns-type.h
index f18ac6eef3..fb7babf12a 100644
--- a/src/resolve/dns-type.h
+++ b/src/resolve/dns-type.h
@@ -132,6 +132,7 @@ bool dns_type_is_dnssec(uint16_t type);
 bool dns_type_is_obsolete(uint16_t type);
 bool dns_type_may_wildcard(uint16_t type);
 bool dns_type_apex_only(uint16_t type);
+bool dns_type_needs_authentication(uint16_t type);
 int dns_type_to_af(uint16_t t);
 
 bool dns_class_is_pseudo(uint16_t class);
diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index 9aade8e490..c1be03fbb2 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -339,6 +339,7 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
         uint64_t flags;
         int r;
         usec_t ts;
+        bool needs_authentication = false;
 
         assert(name);
 
@@ -421,6 +422,10 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
                         log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex);
 
                 printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname);
+
+                if (dns_type_needs_authentication(t))
+                        needs_authentication = true;
+
                 n++;
         }
         if (r < 0)
@@ -441,6 +446,18 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
 
         print_source(flags, ts);
 
+        if ((flags & SD_RESOLVED_AUTHENTICATED) == 0 && needs_authentication) {
+                fflush(stdout);
+
+                fprintf(stderr, "\n%s"
+                       "WARNING: The resources shown contain cryptographic key data which could not be\n"
+                       "         authenticated. It is not suitable to authenticate any communication.\n"
+                       "         This is usually indication that DNSSEC authentication was not enabled\n"
+                       "         or is not available for the selected protocol or DNS servers.%s\n",
+                       ansi_highlight_red(),
+                       ansi_normal());
+        }
+
         return 0;
 }
 
-- 
cgit v1.2.3-54-g00ecf


From 1ace2438c6936e1d508b5b6c4346fa5ade8cd48e Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Mon, 15 Feb 2016 13:15:23 -0500
Subject: systemd-resolve: reword --help output

The output didn't specify if the default for --cname/--search/--legend and
other options was yes or no. Change the description to be explicit about that.

Also make the --help output and man page closer.
---
 man/systemd-resolve.xml    |  2 +-
 src/resolve/resolve-tool.c | 45 +++++++++++++++++++++++++--------------------
 2 files changed, 26 insertions(+), 21 deletions(-)

(limited to 'src/resolve/resolve-tool.c')

diff --git a/man/systemd-resolve.xml b/man/systemd-resolve.xml
index 5bd05368d7..bec6213de2 100644
--- a/man/systemd-resolve.xml
+++ b/man/systemd-resolve.xml
@@ -65,7 +65,7 @@
       <command>systemd-resolve</command>
       <arg choice="opt" rep="repeat">OPTIONS</arg>
       <command> --type=<replaceable>TYPE</replaceable></command>
-      <arg choice="plain" rep="repeat"><replaceable>RRDOMAIN</replaceable></arg>
+      <arg choice="plain" rep="repeat"><replaceable>DOMAIN</replaceable></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index c1be03fbb2..ed9b0353cc 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -976,27 +976,32 @@ static void help_dns_classes(void) {
 }
 
 static void help(void) {
-        printf("%s [OPTIONS...] NAME...\n"
-               "%s [OPTIONS...] --service [[NAME] TYPE] DOMAIN\n\n"
+        printf("%1$s [OPTIONS...] HOSTNAME|ADDRESS...\n"
+               "%1$s [OPTIONS...] --service [[NAME] TYPE] DOMAIN\n"
+               "%1$s [OPTIONS...] --openpgp EMAIL@DOMAIN...\n"
+               "%1$s [OPTIONS...] --statistics\n"
+               "%1$s [OPTIONS...] --reset-statistics\n"
+               "\n"
                "Resolve domain names, IPv4 and IPv6 addresses, DNS resource records, and services.\n\n"
-               "  -h --help                   Show this help\n"
-               "     --version                Show package version\n"
-               "  -4                          Resolve IPv4 addresses\n"
-               "  -6                          Resolve IPv6 addresses\n"
-               "  -i --interface=INTERFACE    Look on interface\n"
-               "  -p --protocol=PROTOCOL|help Look via protocol\n"
-               "  -t --type=TYPE|help         Query RR with DNS type\n"
-               "  -c --class=CLASS|help       Query RR with DNS class\n"
-               "     --service                Resolve service (SRV)\n"
-               "     --service-address=BOOL   Do [not] resolve address for services\n"
-               "     --service-txt=BOOL       Do [not] resolve TXT records for services\n"
-               "     --openpgp                Query OpenPGP public key\n"
-               "     --cname=BOOL             Do [not] follow CNAME redirects\n"
-               "     --search=BOOL            Do [not] use search domains\n"
-               "     --legend=BOOL            Do [not] print column headers and meta information\n"
-               "     --statistics             Show resolver statistics\n"
-               "     --reset-statistics       Reset resolver statistics\n"
-               , program_invocation_short_name, program_invocation_short_name);
+               "  -h --help                 Show this help\n"
+               "     --version              Show package version\n"
+               "  -4                        Resolve IPv4 addresses\n"
+               "  -6                        Resolve IPv6 addresses\n"
+               "  -i --interface=INTERFACE  Look on interface\n"
+               "  -p --protocol=PROTO|help  Look via protocol\n"
+               "  -t --type=TYPE|help       Query RR with DNS type\n"
+               "  -c --class=CLASS|help     Query RR with DNS class\n"
+               "     --service              Resolve service (SRV)\n"
+               "     --service-address=BOOL Resolve address for services (default: yes)\n"
+               "     --service-txt=BOOL     Resolve TXT records for services (default: yes)\n"
+               "     --openpgp              Query OpenPGP public key\n"
+               "     --cname=BOOL           Follow CNAME redirects (default: yes)\n"
+               "     --search=BOOL          Use search domains for single-label names\n"
+               "                                                              (default: yes)\n"
+               "     --legend=BOOL          Print headers and additional info (default: yes)\n"
+               "     --statistics           Show resolver statistics\n"
+               "     --reset-statistics     Reset resolver statistics\n"
+               , program_invocation_short_name);
 }
 
 static int parse_argv(int argc, char *argv[]) {
-- 
cgit v1.2.3-54-g00ecf


From 2e74028a5cf636760191656d7fabfa9f43db96e2 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Thu, 28 Jan 2016 18:24:28 -0500
Subject: systemd-resolve: allow keys to be dumped in binary form

$ systemd-resolve --raw --openpgp zbyszek@fedoraproject.org | pgpdump /dev/stdin
---
 src/resolve/resolve-tool.c    | 40 +++++++++++++++++++++++++++++++++-------
 src/resolve/resolved-dns-rr.c | 38 ++++++++++++++++++++++++++++++++++++++
 src/resolve/resolved-dns-rr.h |  2 ++
 3 files changed, 73 insertions(+), 7 deletions(-)

(limited to 'src/resolve/resolve-tool.c')

diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index ed9b0353cc..a24bb546d4 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -43,6 +43,7 @@ static uint16_t arg_type = 0;
 static uint16_t arg_class = 0;
 static bool arg_legend = true;
 static uint64_t arg_flags = 0;
+static bool arg_raw = false;
 
 static enum {
         MODE_RESOLVE_HOST,
@@ -379,7 +380,6 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
         while ((r = sd_bus_message_enter_container(reply, 'r', "iqqay")) > 0) {
                 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
                 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
-                const char *s;
                 uint16_t c, t;
                 int ifindex;
                 const void *d;
@@ -413,13 +413,27 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
                 if (r < 0)
                         return log_error_errno(r, "Failed to parse RR: %m");
 
-                s = dns_resource_record_to_string(rr);
-                if (!s)
-                        return log_oom();
+                if (arg_raw) {
+                        void *data;
+                        ssize_t k;
 
-                ifname[0] = 0;
-                if (ifindex > 0 && !if_indextoname(ifindex, ifname))
-                        log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex);
+                        k = dns_resource_record_payload(rr, &data);
+                        if (k < 0)
+                                return log_error_errno(k, "Cannot dump RR: %m");
+                        fwrite(data, 1, k, stdout);
+                } else {
+                        const char *s;
+
+                        s = dns_resource_record_to_string(rr);
+                        if (!s)
+                                return log_oom();
+
+                        ifname[0] = 0;
+                        if (ifindex > 0 && !if_indextoname(ifindex, ifname))
+                                log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex);
+
+                        printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname);
+                }
 
                 printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname);
 
@@ -1013,6 +1027,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_SERVICE_ADDRESS,
                 ARG_SERVICE_TXT,
                 ARG_OPENPGP,
+                ARG_RAW,
                 ARG_SEARCH,
                 ARG_STATISTICS,
                 ARG_RESET_STATISTICS,
@@ -1031,6 +1046,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "service-address",  required_argument, NULL, ARG_SERVICE_ADDRESS  },
                 { "service-txt",      required_argument, NULL, ARG_SERVICE_TXT      },
                 { "openpgp",          no_argument,       NULL, ARG_OPENPGP          },
+                { "raw",              no_argument,       NULL, ARG_RAW              },
                 { "search",           required_argument, NULL, ARG_SEARCH           },
                 { "statistics",       no_argument,       NULL, ARG_STATISTICS,      },
                 { "reset-statistics", no_argument,       NULL, ARG_RESET_STATISTICS },
@@ -1144,6 +1160,16 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_mode = MODE_RESOLVE_OPENPGP;
                         break;
 
+                case ARG_RAW:
+                        if (on_tty()) {
+                                log_error("Refusing to write binary data to tty.");
+                                return -ENOTTY;
+                        }
+
+                        arg_raw = true;
+                        arg_legend = false;
+                        break;
+
                 case ARG_CNAME:
                         r = parse_boolean(optarg);
                         if (r < 0)
diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c
index 6397005a68..919a0d3c2c 100644
--- a/src/resolve/resolved-dns-rr.c
+++ b/src/resolve/resolved-dns-rr.c
@@ -1204,6 +1204,44 @@ const char *dns_resource_record_to_string(DnsResourceRecord *rr) {
         return s;
 }
 
+ssize_t dns_resource_record_payload(DnsResourceRecord *rr, void **out) {
+        assert(rr);
+        assert(out);
+
+        switch(rr->unparseable ? _DNS_TYPE_INVALID : rr->key->type) {
+        case DNS_TYPE_SRV:
+        case DNS_TYPE_PTR:
+        case DNS_TYPE_NS:
+        case DNS_TYPE_CNAME:
+        case DNS_TYPE_DNAME:
+        case DNS_TYPE_HINFO:
+        case DNS_TYPE_SPF:
+        case DNS_TYPE_TXT:
+        case DNS_TYPE_A:
+        case DNS_TYPE_AAAA:
+        case DNS_TYPE_SOA:
+        case DNS_TYPE_MX:
+        case DNS_TYPE_LOC:
+        case DNS_TYPE_DS:
+        case DNS_TYPE_SSHFP:
+        case DNS_TYPE_DNSKEY:
+        case DNS_TYPE_RRSIG:
+        case DNS_TYPE_NSEC:
+        case DNS_TYPE_NSEC3:
+                return -EINVAL;
+
+        case DNS_TYPE_TLSA:
+                *out = rr->tlsa.data;
+                return rr->tlsa.data_size;
+
+
+        case DNS_TYPE_OPENPGPKEY:
+        default:
+                *out = rr->generic.data;
+                return rr->generic.data_size;
+        }
+}
+
 int dns_resource_record_to_wire_format(DnsResourceRecord *rr, bool canonical) {
 
         DnsPacket packet = {
diff --git a/src/resolve/resolved-dns-rr.h b/src/resolve/resolved-dns-rr.h
index 23749790b4..964bf7e77a 100644
--- a/src/resolve/resolved-dns-rr.h
+++ b/src/resolve/resolved-dns-rr.h
@@ -303,6 +303,8 @@ int dns_resource_key_match_rr(const DnsResourceKey *key, DnsResourceRecord *rr,
 int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsResourceKey *cname, const char *search_domain);
 int dns_resource_key_match_soa(const DnsResourceKey *key, const DnsResourceKey *soa);
 int dns_resource_key_to_string(const DnsResourceKey *key, char **ret);
+ssize_t dns_resource_record_payload(DnsResourceRecord *rr, void **out);
+
 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsResourceKey*, dns_resource_key_unref);
 
 static inline bool dns_key_is_shared(const DnsResourceKey *key) {
-- 
cgit v1.2.3-54-g00ecf


From dab48ea63a461e2fe2bd491ba28570424bcaf362 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Sun, 31 Jan 2016 00:06:49 -0500
Subject: systemd-resolve: allow whole packets to be dumped in binary form

---
 man/systemd-resolve.xml    |  10 +++++
 src/resolve/resolve-tool.c | 109 +++++++++++++++++++++++++++++----------------
 2 files changed, 80 insertions(+), 39 deletions(-)

(limited to 'src/resolve/resolve-tool.c')

diff --git a/man/systemd-resolve.xml b/man/systemd-resolve.xml
index bec6213de2..c288fd974e 100644
--- a/man/systemd-resolve.xml
+++ b/man/systemd-resolve.xml
@@ -232,6 +232,16 @@
         logic is disabled.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--raw</option><optional>=payload|packet</optional></term>
+
+        <listitem><para>Dump the answer as binary data. If there is no argument or if the argument is
+        <literal>payload</literal>, the payload of the packet is exported. If the argument is
+        <literal>packet</literal>, the whole packet is dumped in wire format, prefixed by
+        length specified as a little-endian 64-bit number. This format allows multiple packets
+        to be dumped and unambigously parsed.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--legend=</option><replaceable>BOOL</replaceable></term>
 
diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index a24bb546d4..a519074278 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -43,7 +43,14 @@ static uint16_t arg_type = 0;
 static uint16_t arg_class = 0;
 static bool arg_legend = true;
 static uint64_t arg_flags = 0;
-static bool arg_raw = false;
+
+typedef enum RawType {
+        RAW_NONE,
+        RAW_PAYLOAD,
+        RAW_PACKET,
+} RawType;
+
+static RawType arg_raw = RAW_NONE;
 
 static enum {
         MODE_RESOLVE_HOST,
@@ -332,6 +339,50 @@ static int parse_address(const char *s, int *family, union in_addr_union *addres
         return 0;
 }
 
+static int output_rr_packet(const void *d, size_t l, int ifindex) {
+        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
+        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
+        int r;
+        char ifname[IF_NAMESIZE] = "";
+
+        r = dns_packet_new(&p, DNS_PROTOCOL_DNS, 0);
+        if (r < 0)
+                return log_oom();
+
+        p->refuse_compression = true;
+
+        r = dns_packet_append_blob(p, d, l, NULL);
+        if (r < 0)
+                return log_oom();
+
+        r = dns_packet_read_rr(p, &rr, NULL, NULL);
+        if (r < 0)
+                return log_error_errno(r, "Failed to parse RR: %m");
+
+        if (arg_raw == RAW_PAYLOAD) {
+                void *data;
+                ssize_t k;
+
+                k = dns_resource_record_payload(rr, &data);
+                if (k < 0)
+                        return log_error_errno(k, "Cannot dump RR: %m");
+                fwrite(data, 1, k, stdout);
+        } else {
+                const char *s;
+
+                s = dns_resource_record_to_string(rr);
+                if (!s)
+                        return log_oom();
+
+                if (ifindex > 0 && !if_indextoname(ifindex, ifname))
+                        log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex);
+
+                printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname);
+        }
+
+        return 0;
+}
+
 static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_t type) {
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *req = NULL, *reply = NULL;
         _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
@@ -378,8 +429,6 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
                 return bus_log_parse_error(r);
 
         while ((r = sd_bus_message_enter_container(reply, 'r', "iqqay")) > 0) {
-                _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
-                _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
                 uint16_t c, t;
                 int ifindex;
                 const void *d;
@@ -399,44 +448,17 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
                 if (r < 0)
                         return bus_log_parse_error(r);
 
-                r = dns_packet_new(&p, DNS_PROTOCOL_DNS, 0);
-                if (r < 0)
-                        return log_oom();
-
-                p->refuse_compression = true;
-
-                r = dns_packet_append_blob(p, d, l, NULL);
-                if (r < 0)
-                        return log_oom();
+                if (arg_raw == RAW_PACKET) {
+                        uint64_t u64 = htole64(l);
 
-                r = dns_packet_read_rr(p, &rr, NULL, NULL);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to parse RR: %m");
-
-                if (arg_raw) {
-                        void *data;
-                        ssize_t k;
-
-                        k = dns_resource_record_payload(rr, &data);
-                        if (k < 0)
-                                return log_error_errno(k, "Cannot dump RR: %m");
-                        fwrite(data, 1, k, stdout);
+                        fwrite(&u64, sizeof(u64), 1, stdout);
+                        fwrite(d, 1, l, stdout);
                 } else {
-                        const char *s;
-
-                        s = dns_resource_record_to_string(rr);
-                        if (!s)
-                                return log_oom();
-
-                        ifname[0] = 0;
-                        if (ifindex > 0 && !if_indextoname(ifindex, ifname))
-                                log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex);
-
-                        printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname);
+                        r = output_rr_packet(d, l, ifindex);
+                        if (r < 0)
+                                return r;
                 }
 
-                printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname);
-
                 if (dns_type_needs_authentication(t))
                         needs_authentication = true;
 
@@ -1012,6 +1034,7 @@ static void help(void) {
                "     --cname=BOOL           Follow CNAME redirects (default: yes)\n"
                "     --search=BOOL          Use search domains for single-label names\n"
                "                                                              (default: yes)\n"
+               "     --raw[=payload|packet] Dump the answer as binary data\n"
                "     --legend=BOOL          Print headers and additional info (default: yes)\n"
                "     --statistics           Show resolver statistics\n"
                "     --reset-statistics     Reset resolver statistics\n"
@@ -1046,7 +1069,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "service-address",  required_argument, NULL, ARG_SERVICE_ADDRESS  },
                 { "service-txt",      required_argument, NULL, ARG_SERVICE_TXT      },
                 { "openpgp",          no_argument,       NULL, ARG_OPENPGP          },
-                { "raw",              no_argument,       NULL, ARG_RAW              },
+                { "raw",              optional_argument, NULL, ARG_RAW              },
                 { "search",           required_argument, NULL, ARG_SEARCH           },
                 { "statistics",       no_argument,       NULL, ARG_STATISTICS,      },
                 { "reset-statistics", no_argument,       NULL, ARG_RESET_STATISTICS },
@@ -1166,7 +1189,15 @@ static int parse_argv(int argc, char *argv[]) {
                                 return -ENOTTY;
                         }
 
-                        arg_raw = true;
+                        if (optarg == NULL || streq(optarg, "payload"))
+                                arg_raw = RAW_PAYLOAD;
+                        else if (streq(optarg, "packet"))
+                                arg_raw = RAW_PACKET;
+                        else {
+                                log_error("Unknown --raw specifier \"%s\".", optarg);
+                                return -EINVAL;
+                        }
+
                         arg_legend = false;
                         break;
 
-- 
cgit v1.2.3-54-g00ecf


From 82d1d24093e2f17cc6550e8f16be85fa4376c182 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Wed, 17 Feb 2016 21:08:57 -0500
Subject: systemd-resolve: easy querying of TLSA records

$ systemd-resolve --tlsa fedoraproject.org
_443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A=
        -- Cert. usage: CA constraint
        -- Selector: Full Certificate
        -- Matching type: SHA-256

$ systemd-resolve --tlsa=tcp fedoraproject.org:443
_443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A=
        ...

$ systemd-resolve --tlsa=udp fedoraproject.org
_443._udp.fedoraproject.org: resolve call failed: '_443._udp.fedoraproject.org' not found

v2:
- use uint16_t
- refuse port 0
---
 man/systemd-resolve.xml    | 40 ++++++++++++++++++-
 src/resolve/resolve-tool.c | 97 +++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 134 insertions(+), 3 deletions(-)

(limited to 'src/resolve/resolve-tool.c')

diff --git a/man/systemd-resolve.xml b/man/systemd-resolve.xml
index c288fd974e..320663ce69 100644
--- a/man/systemd-resolve.xml
+++ b/man/systemd-resolve.xml
@@ -83,6 +83,13 @@
       <arg choice="plain"><replaceable>USER@DOMAIN</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>systemd-resolve</command>
+      <arg choice="opt" rep="repeat">OPTIONS</arg>
+      <command> --tlsa</command>
+      <arg choice="plain"><replaceable>DOMAIN<optional>:PORT</optional></replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>systemd-resolve</command>
       <arg choice="opt" rep="repeat">OPTIONS</arg>
@@ -121,10 +128,15 @@
     is assumed to be a domain name, that is already prefixed with an SRV type, and an SRV lookup is done (no
     TXT).</para>
 
-    <para>The <option>--openpgp</option> switch may be use to query PGP keys stored as the
+    <para>The <option>--openpgp</option> switch may be used to query PGP keys stored as
     <ulink url="https://tools.ietf.org/html/draft-wouters-dane-openpgp-02">OPENPGPKEY</ulink> resource records.
     When this option is specified one or more e-mail address must be specified.</para>
 
+    <para>The <option>--tlsa</option> switch maybe be used to query TLS public
+    keys stored as
+    <ulink url="https://tools.ietf.org/html/rfc6698">TLSA</ulink> resource records.
+    When this option is specified one or more domain names must be specified.</para>
+
     <para>The <option>--statistics</option> switch may be used to show resolver statistics, including information about
     the number of successful and failed DNSSEC validations.</para>
 
@@ -216,6 +228,20 @@
         printed.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--tlsa</option></term>
+
+        <listitem><para>Enables TLSA resource record resolution (see above).
+        A query will be performed for each of the specified names prefixed with
+        the port and family
+        (<literal>_<replaceable>port</replaceable>._<replaceable>family</replaceable>.<replaceable>domain</replaceable></literal>).
+        The port number may be specified after a colon
+        (<literal>:</literal>), otherwise <constant>443</constant> will be used
+        by default. The family may be specified as an argument after
+        <option>--tlsa</option>, otherwise <constant>tcp</constant> will be
+        used.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--cname=</option><replaceable>BOOL</replaceable></term>
 
@@ -323,6 +349,18 @@ d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproje
         mQINBFBHPMsBEACeInGYJCb+7TurKfb6wGyTottCDtiSJB310i37/6ZYoeIay/5soJjlMyf
         MFQ9T2XNT/0LM6gTa0MpC1st9LnzYTMsT6tzRly1D1UbVI6xw0g0vE5y2Cjk3xUwAynCsSs
         ...
+</programlisting>
+    </example>
+
+    <example>
+      <title>Retrieve a TLS key (<literal>=tcp</literal> and
+      <literal>:443</literal> could be skipped)</title>
+
+      <programlisting>$ systemd-resolve --tlsa=tcp fedoraproject.org:443
+_443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A=
+        -- Cert. usage: CA constraint
+        -- Selector: Full Certificate
+        -- Matching type: SHA-256
 </programlisting>
     </example>
   </refsect1>
diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index a519074278..484fbb4d92 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -44,12 +44,19 @@ static uint16_t arg_class = 0;
 static bool arg_legend = true;
 static uint64_t arg_flags = 0;
 
+typedef enum ServiceFamily {
+        SERVICE_FAMILY_TCP,
+        SERVICE_FAMILY_UDP,
+        SERVICE_FAMILY_SCTP,
+        _SERVICE_FAMILY_INVALID = -1,
+} ServiceFamily;
+static ServiceFamily arg_service_family = SERVICE_FAMILY_TCP;
+
 typedef enum RawType {
         RAW_NONE,
         RAW_PAYLOAD,
         RAW_PACKET,
 } RawType;
-
 static RawType arg_raw = RAW_NONE;
 
 static enum {
@@ -57,10 +64,34 @@ static enum {
         MODE_RESOLVE_RECORD,
         MODE_RESOLVE_SERVICE,
         MODE_RESOLVE_OPENPGP,
+        MODE_RESOLVE_TLSA,
         MODE_STATISTICS,
         MODE_RESET_STATISTICS,
 } arg_mode = MODE_RESOLVE_HOST;
 
+static ServiceFamily service_family_from_string(const char *s) {
+        if (s == NULL || streq(s, "tcp"))
+                return SERVICE_FAMILY_TCP;
+        if (streq(s, "udp"))
+                return SERVICE_FAMILY_UDP;
+        if (streq(s, "sctp"))
+                return SERVICE_FAMILY_SCTP;
+        return _SERVICE_FAMILY_INVALID;
+}
+
+static const char* service_family_to_string(ServiceFamily service) {
+        switch(service) {
+        case SERVICE_FAMILY_TCP:
+                return "_tcp";
+        case SERVICE_FAMILY_UDP:
+                return "_udp";
+        case SERVICE_FAMILY_SCTP:
+                return "_sctp";
+        default:
+                assert_not_reached("invalid service");
+        }
+}
+
 static void print_source(uint64_t flags, usec_t rtt) {
         char rtt_str[FORMAT_TIMESTAMP_MAX];
 
@@ -844,6 +875,38 @@ static int resolve_openpgp(sd_bus *bus, const char *address) {
                               arg_type ?: DNS_TYPE_OPENPGPKEY);
 }
 
+static int resolve_tlsa(sd_bus *bus, const char *address) {
+        const char *port;
+        uint16_t port_num = 443;
+        _cleanup_free_ char *full = NULL;
+        int r;
+
+        assert(bus);
+        assert(address);
+
+        port = strrchr(address, ':');
+        if (port) {
+                r = safe_atou16(port + 1, &port_num);
+                if (r < 0 || port_num == 0)
+                        return log_error_errno(r, "Invalid port \"%s\".", port + 1);
+
+                address = strndupa(address, port - address);
+        }
+
+        r = asprintf(&full, "_%u.%s.%s",
+                     port_num,
+                     service_family_to_string(arg_service_family),
+                     address);
+        if (r < 0)
+                return log_oom();
+
+        log_debug("Looking up \"%s\".", full);
+
+        return resolve_record(bus, full,
+                              arg_class ?: DNS_CLASS_IN,
+                              arg_type ?: DNS_TYPE_TLSA);
+}
+
 static int show_statistics(sd_bus *bus) {
         _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
@@ -1031,6 +1094,7 @@ static void help(void) {
                "     --service-address=BOOL Resolve address for services (default: yes)\n"
                "     --service-txt=BOOL     Resolve TXT records for services (default: yes)\n"
                "     --openpgp              Query OpenPGP public key\n"
+               "     --tlsa                 Query TLS public key\n"
                "     --cname=BOOL           Follow CNAME redirects (default: yes)\n"
                "     --search=BOOL          Use search domains for single-label names\n"
                "                                                              (default: yes)\n"
@@ -1050,6 +1114,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_SERVICE_ADDRESS,
                 ARG_SERVICE_TXT,
                 ARG_OPENPGP,
+                ARG_TLSA,
                 ARG_RAW,
                 ARG_SEARCH,
                 ARG_STATISTICS,
@@ -1069,6 +1134,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "service-address",  required_argument, NULL, ARG_SERVICE_ADDRESS  },
                 { "service-txt",      required_argument, NULL, ARG_SERVICE_TXT      },
                 { "openpgp",          no_argument,       NULL, ARG_OPENPGP          },
+                { "tlsa",             optional_argument, NULL, ARG_TLSA             },
                 { "raw",              optional_argument, NULL, ARG_RAW              },
                 { "search",           required_argument, NULL, ARG_SEARCH           },
                 { "statistics",       no_argument,       NULL, ARG_STATISTICS,      },
@@ -1183,6 +1249,15 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_mode = MODE_RESOLVE_OPENPGP;
                         break;
 
+                case ARG_TLSA:
+                        arg_mode = MODE_RESOLVE_TLSA;
+                        arg_service_family = service_family_from_string(optarg);
+                        if (arg_service_family < 0) {
+                                log_error("Unknown service family \"%s\".", optarg);
+                                return -EINVAL;
+                        }
+                        break;
+
                 case ARG_RAW:
                         if (on_tty()) {
                                 log_error("Refusing to write binary data to tty.");
@@ -1261,7 +1336,7 @@ static int parse_argv(int argc, char *argv[]) {
                 return -EINVAL;
         }
 
-        if (arg_type != 0 && arg_mode != MODE_RESOLVE_RECORD) {
+        if (arg_type != 0 && arg_mode == MODE_RESOLVE_SERVICE) {
                 log_error("--service and --type= may not be combined.");
                 return -EINVAL;
         }
@@ -1378,6 +1453,24 @@ int main(int argc, char **argv) {
                 }
                 break;
 
+        case MODE_RESOLVE_TLSA:
+                if (argc < optind + 1) {
+                        log_error("Domain name required.");
+                        r = -EINVAL;
+                        goto finish;
+
+                }
+
+                r = 0;
+                while (optind < argc) {
+                        int k;
+
+                        k = resolve_tlsa(bus, argv[optind++]);
+                        if (k < 0)
+                                r = k;
+                }
+                break;
+
         case MODE_STATISTICS:
                 if (argc > optind) {
                         log_error("Too many arguments.");
-- 
cgit v1.2.3-54-g00ecf


From 5883ff60179d01b55af8df27027be6a411881745 Mon Sep 17 00:00:00 2001
From: Alexander Kuleshov <kuleshovmail@gmail.com>
Date: Thu, 3 Mar 2016 23:30:37 +0600
Subject: tree-wide: use SET_FLAG() macro to make code more clear

---
 src/libsystemd/sd-bus/bus-message.c         | 15 +++------------
 src/libsystemd/sd-bus/sd-bus.c              |  5 +----
 src/libsystemd/sd-netlink/netlink-message.c |  5 +----
 src/network/networkd-network.c              |  5 +----
 src/resolve/resolve-tool.c                  | 20 ++++----------------
 src/shared/ptyfwd.c                         |  5 +----
 src/tmpfiles/tmpfiles.c                     |  5 +----
 7 files changed, 12 insertions(+), 48 deletions(-)

(limited to 'src/resolve/resolve-tool.c')

diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 542c37e41b..b8958ec7bb 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -1131,10 +1131,7 @@ _public_ int sd_bus_message_set_expect_reply(sd_bus_message *m, int b) {
         assert_return(!m->sealed, -EPERM);
         assert_return(m->header->type == SD_BUS_MESSAGE_METHOD_CALL, -EPERM);
 
-        if (b)
-                m->header->flags &= ~BUS_MESSAGE_NO_REPLY_EXPECTED;
-        else
-                m->header->flags |= BUS_MESSAGE_NO_REPLY_EXPECTED;
+        SET_FLAG(m->header->flags, BUS_MESSAGE_NO_REPLY_EXPECTED, !b);
 
         return 0;
 }
@@ -1143,10 +1140,7 @@ _public_ int sd_bus_message_set_auto_start(sd_bus_message *m, int b) {
         assert_return(m, -EINVAL);
         assert_return(!m->sealed, -EPERM);
 
-        if (b)
-                m->header->flags &= ~BUS_MESSAGE_NO_AUTO_START;
-        else
-                m->header->flags |= BUS_MESSAGE_NO_AUTO_START;
+        SET_FLAG(m->header->flags, BUS_MESSAGE_NO_AUTO_START, !b);
 
         return 0;
 }
@@ -1155,10 +1149,7 @@ _public_ int sd_bus_message_set_allow_interactive_authorization(sd_bus_message *
         assert_return(m, -EINVAL);
         assert_return(!m->sealed, -EPERM);
 
-        if (b)
-                m->header->flags |= BUS_MESSAGE_ALLOW_INTERACTIVE_AUTHORIZATION;
-        else
-                m->header->flags &= ~BUS_MESSAGE_ALLOW_INTERACTIVE_AUTHORIZATION;
+        SET_FLAG(m->header->flags, BUS_MESSAGE_ALLOW_INTERACTIVE_AUTHORIZATION, b);
 
         return 0;
 }
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index cc15afeb1c..862f26aad7 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -313,10 +313,7 @@ _public_ int sd_bus_negotiate_creds(sd_bus *bus, int b, uint64_t mask) {
         assert_return(!IN_SET(bus->state, BUS_CLOSING, BUS_CLOSED), -EPERM);
         assert_return(!bus_pid_changed(bus), -ECHILD);
 
-        if (b)
-                bus->creds_mask |= mask;
-        else
-                bus->creds_mask &= ~mask;
+        SET_FLAG(bus->creds_mask, mask, b);
 
         /* The well knowns we need unconditionally, so that matches can work */
         bus->creds_mask |= SD_BUS_CREDS_WELL_KNOWN_NAMES|SD_BUS_CREDS_UNIQUE_NAME;
diff --git a/src/libsystemd/sd-netlink/netlink-message.c b/src/libsystemd/sd-netlink/netlink-message.c
index 3924300817..f56798674c 100644
--- a/src/libsystemd/sd-netlink/netlink-message.c
+++ b/src/libsystemd/sd-netlink/netlink-message.c
@@ -107,10 +107,7 @@ int sd_netlink_message_request_dump(sd_netlink_message *m, int dump) {
                       m->hdr->nlmsg_type == RTM_GETNEIGH,
                       -EINVAL);
 
-        if (dump)
-                m->hdr->nlmsg_flags |= NLM_F_DUMP;
-        else
-                m->hdr->nlmsg_flags &= ~NLM_F_DUMP;
+        SET_FLAG(m->hdr->nlmsg_flags, NLM_F_DUMP, dump);
 
         return 0;
 }
diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
index f175788977..491b9a3efa 100644
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@@ -629,10 +629,7 @@ int config_parse_ipv4ll(
          * config_parse_address_family_boolean(), except that it
          * applies only to IPv4 */
 
-        if (parse_boolean(rvalue))
-                *link_local |= ADDRESS_FAMILY_IPV4;
-        else
-                *link_local &= ~ADDRESS_FAMILY_IPV4;
+        SET_FLAG(*link_local, ADDRESS_FAMILY_IPV4, parse_boolean(rvalue));
 
         return 0;
 }
diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index 484fbb4d92..009cc73aec 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -1280,40 +1280,28 @@ static int parse_argv(int argc, char *argv[]) {
                         r = parse_boolean(optarg);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to parse --cname= argument.");
-                        if (r == 0)
-                                arg_flags |= SD_RESOLVED_NO_CNAME;
-                        else
-                                arg_flags &= ~SD_RESOLVED_NO_CNAME;
+                        SET_FLAG(arg_flags, SD_RESOLVED_NO_CNAME, r == 0);
                         break;
 
                 case ARG_SERVICE_ADDRESS:
                         r = parse_boolean(optarg);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to parse --service-address= argument.");
-                        if (r == 0)
-                                arg_flags |= SD_RESOLVED_NO_ADDRESS;
-                        else
-                                arg_flags &= ~SD_RESOLVED_NO_ADDRESS;
+                        SET_FLAG(arg_flags, SD_RESOLVED_NO_ADDRESS, r == 0);
                         break;
 
                 case ARG_SERVICE_TXT:
                         r = parse_boolean(optarg);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to parse --service-txt= argument.");
-                        if (r == 0)
-                                arg_flags |= SD_RESOLVED_NO_TXT;
-                        else
-                                arg_flags &= ~SD_RESOLVED_NO_TXT;
+                        SET_FLAG(arg_flags, SD_RESOLVED_NO_TXT, r == 0);
                         break;
 
                 case ARG_SEARCH:
                         r = parse_boolean(optarg);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to parse --search argument.");
-                        if (r == 0)
-                                arg_flags |= SD_RESOLVED_NO_SEARCH;
-                        else
-                                arg_flags &= ~SD_RESOLVED_NO_SEARCH;
+                        SET_FLAG(arg_flags, SD_RESOLVED_NO_SEARCH, r == 0);
                         break;
 
                 case ARG_STATISTICS:
diff --git a/src/shared/ptyfwd.c b/src/shared/ptyfwd.c
index 061d31f4de..02c03b98d8 100644
--- a/src/shared/ptyfwd.c
+++ b/src/shared/ptyfwd.c
@@ -461,10 +461,7 @@ int pty_forward_set_ignore_vhangup(PTYForward *f, bool b) {
         if (!!(f->flags & PTY_FORWARD_IGNORE_VHANGUP) == b)
                 return 0;
 
-        if (b)
-                f->flags |= PTY_FORWARD_IGNORE_VHANGUP;
-        else
-                f->flags &= ~PTY_FORWARD_IGNORE_VHANGUP;
+        SET_FLAG(f->flags, PTY_FORWARD_IGNORE_VHANGUP, b);
 
         if (!ignore_vhangup(f)) {
 
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 946808fbec..efd264b34d 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -917,10 +917,7 @@ static int parse_attribute_from_arg(Item *item) {
 
                 v = attributes[i].value;
 
-                if (mode == MODE_ADD || mode == MODE_SET)
-                        value |= v;
-                else
-                        value &= ~v;
+                SET_FLAG(value, v, (mode == MODE_ADD || mode == MODE_SET));
 
                 mask |= v;
         }
-- 
cgit v1.2.3-54-g00ecf


From b68f10bf1f7519e012da5e35fab3a57da7dc46d4 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Sun, 27 Mar 2016 17:33:54 -0400
Subject: build-sys: fix build with libgrcypt disabled

- Move gcrypt.h include inside grcrypt-util.h.
- Allow gcrypt-util.[ch] to be compiled even without gcrypt.
This allows the logic in files using gcrypt to be simplified.

- Fix compilation of systemd-resolve without gcrypt.
systemd-resolved already supported that.

Fixes #2711.
---
 Makefile.am                |  8 ++++----
 src/resolve/resolve-tool.c |  3 +--
 src/shared/gcrypt-util.c   |  4 +++-
 src/shared/gcrypt-util.h   | 14 ++++++++++++++
 4 files changed, 22 insertions(+), 7 deletions(-)

(limited to 'src/resolve/resolve-tool.c')

diff --git a/Makefile.am b/Makefile.am
index 2b72a53ecd..95eaa9af1a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4262,7 +4262,9 @@ libsystemd_journal_internal_la_SOURCES = \
 	src/journal/mmap-cache.h \
 	src/journal/compress.c \
 	src/journal/audit-type.h \
-	src/journal/audit-type.c
+	src/journal/audit-type.c \
+	src/shared/gcrypt-util.h \
+	src/shared/gcrypt-util.c
 
 nodist_libsystemd_journal_internal_la_SOURCES = \
 	src/journal/audit_type-to-name.h
@@ -4294,9 +4296,7 @@ libsystemd_journal_internal_la_SOURCES += \
 	src/journal/journal-authenticate.c \
 	src/journal/journal-authenticate.h \
 	src/journal/fsprg.c \
-	src/journal/fsprg.h \
-	src/shared/gcrypt-util.c \
-	src/shared/gcrypt-util.h
+	src/journal/fsprg.h
 
 libsystemd_journal_internal_la_LIBADD += \
 	$(GCRYPT_LIBS)
diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index 009cc73aec..14ee01c49d 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -17,7 +17,6 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
-#include <gcrypt.h>
 #include <getopt.h>
 #include <net/if.h>
 
@@ -863,7 +862,7 @@ static int resolve_openpgp(sd_bus *bus, const char *address) {
         }
         domain++;
 
-        r = string_hashsum(address, domain - 1 - address, GCRY_MD_SHA224, &hashed);
+        r = string_hashsum_sha224(address, domain - 1 - address, &hashed);
         if (r < 0)
                 return log_error_errno(r, "Hashing failed: %m");
 
diff --git a/src/shared/gcrypt-util.c b/src/shared/gcrypt-util.c
index 4ff94520c3..39b544b6f0 100644
--- a/src/shared/gcrypt-util.c
+++ b/src/shared/gcrypt-util.c
@@ -19,10 +19,11 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
+#ifdef HAVE_GCRYPT
 #include <gcrypt.h>
 
-#include "hexdecoct.h"
 #include "gcrypt-util.h"
+#include "hexdecoct.h"
 
 void initialize_libgcrypt(bool secmem) {
         const char *p;
@@ -67,3 +68,4 @@ int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
         *out = enc;
         return 0;
 }
+#endif
diff --git a/src/shared/gcrypt-util.h b/src/shared/gcrypt-util.h
index c7652c22d1..cf33b3c59c 100644
--- a/src/shared/gcrypt-util.h
+++ b/src/shared/gcrypt-util.h
@@ -19,7 +19,21 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
+#include <errno.h>
 #include <stdbool.h>
+#include <stddef.h>
+
+#ifdef HAVE_GCRYPT
+#include <gcrypt.h>
 
 void initialize_libgcrypt(bool secmem);
 int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
+#endif
+
+static inline int string_hashsum_sha224(const char *s, size_t len, char **out) {
+#ifdef HAVE_GCRYPT
+        return string_hashsum(s, len, GCRY_MD_SHA224, out);
+#else
+        return -EOPNOTSUPP;
+#endif
+}
-- 
cgit v1.2.3-54-g00ecf