/* -*- c -*-
* Copyright (C) 2012 KU Leuven
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of libdane.
*
* libdane is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 3 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see
*
*/
#include /* for gnutls_datum_t */
/**
* dane_cert_usage_t:
* @DANE_CERT_USAGE_CA: CA constraint. The certificate/key
* presented must have signed the verified key.
* @DANE_CERT_USAGE_EE: The key or the certificate of the end
* entity.
* @DANE_CERT_USAGE_LOCAL_CA: The remote CA is local and possibly
* untrusted by the verifier.
* @DANE_CERT_USAGE_LOCAL_EE: The remote end-entity key is local
* and possibly untrusted by the verifier (not signed by a CA).
*
* Enumeration of different certificate usage types.
*/
typedef enum dane_cert_usage_t
{
DANE_CERT_USAGE_CA = 0,
DANE_CERT_USAGE_EE = 1,
DANE_CERT_USAGE_LOCAL_CA = 2,
DANE_CERT_USAGE_LOCAL_EE = 3
} dane_cert_usage_t;
/**
* dane_cert_type_t:
* @DANE_CERT_X509: An X.509 certificate.
* @DANE_CERT_PK: A public key.
*
* Enumeration of different certificate types.
*/
typedef enum dane_cert_type_t
{
DANE_CERT_X509 = 0,
DANE_CERT_PK = 1
} dane_cert_type_t;
/**
* dane_match_type_t:
* @DANE_MATCH_EXACT: The full content.
* @DANE_MATCH_SHA2_256: A SHA-256 hash of the content.
* @DANE_MATCH_SHA2_512: A SHA-512 hash of the content.
*
* Enumeration of different content matching types.
*/
typedef enum dane_match_type_t
{
DANE_MATCH_EXACT = 0,
DANE_MATCH_SHA2_256 = 1,
DANE_MATCH_SHA2_512 = 2
} dane_match_type_t;
/**
* dane_query_status_t:
* @DANE_QUERY_UNKNOWN: There was no query.
* @DANE_QUERY_DNSSEC_VERIFIED: The query was verified using DNSSEC.
* @DANE_QUERY_BOGUS: The query has wrong DNSSEC signature.
* @DANE_QUERY_NO_DNSSEC: The query has no DNSSEC data.
*
* Enumeration of different certificate types.
*/
typedef enum dane_query_status_t
{
DANE_QUERY_UNKNOWN = 0,
DANE_QUERY_DNSSEC_VERIFIED,
DANE_QUERY_BOGUS,
DANE_QUERY_NO_DNSSEC
} dane_query_status_t;
typedef struct dane_state_st *dane_state_t;
typedef struct dane_query_st *dane_query_t;
/**
* dane_state_flags_t:
* @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems are not DNSSEC-ready. In that case the local resolver is ignored, and a direct recursive resolve occurs.
* @DANE_F_INSECURE: Ignore any DNSSEC signature verification errors.
*
* Enumeration of different verification flags.
*/
typedef enum dane_state_flags_t
{
DANE_F_IGNORE_LOCAL_RESOLVER = 1,
DANE_F_INSECURE=2,
} dane_state_flags_t;
int dane_state_init (dane_state_t* s, unsigned int flags);
int dane_state_set_dlv_file(dane_state_t s, const char* file);
void dane_state_deinit (dane_state_t s);
int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port);
dane_query_status_t dane_query_status(dane_query_t q);
unsigned int dane_query_entries(dane_query_t q);
int dane_query_data(dane_query_t q, unsigned int idx,
unsigned int *usage, unsigned int *type,
unsigned int *match, gnutls_datum_t * data);
void dane_query_deinit(dane_query_t q);
const char* dane_cert_type_name(dane_cert_type_t type);
const char* dane_match_type_name(dane_match_type_t type);
const char* dane_cert_usage_name(dane_cert_usage_t usage);
/**
* dane_verify_flags_t:
* @DANE_VFLAG_FAIL_IF_NOT_CHECKED: If irrelevant to this certificate DANE entries are received fail instead of succeeding.
* @DANE_VFLAG_ONLY_CHECK_EE_USAGE: The provided certificates will be verified only against any EE field. Combine with %DANE_VFLAG_FAIL_IF_NOT_CHECKED to fail if EE entries are not present.
* @DANE_VFLAG_ONLY_CHECK_CA_USAGE: The provided certificates will be verified only against any CA field. Combine with %DANE_VFLAG_FAIL_IF_NOT_CHECKED to fail if CA entries are not present.
*
* Enumeration of different verification status flags.
*/
typedef enum dane_verify_flags_t
{
DANE_VFLAG_FAIL_IF_NOT_CHECKED = 1,
DANE_VFLAG_ONLY_CHECK_EE_USAGE = 1<<1,
DANE_VFLAG_ONLY_CHECK_CA_USAGE = 1<<2,
} dane_verify_flags_t;
/**
* dane_verify_status_t:
* @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constrains was violated.
* @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
* @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
*
* Enumeration of different verification status flags.
*/
typedef enum dane_verify_status_t
{
DANE_VERIFY_CA_CONSTRAINTS_VIOLATED = 1,
DANE_VERIFY_CERT_DIFFERS = 1<<1,
DANE_VERIFY_NO_DANE_INFO = 1<<2,
} dane_verify_status_t;
#define DANE_VERIFY_CA_CONSTRAINS_VIOLATED DANE_VERIFY_CA_CONSTRAINTS_VIOLATED
int
dane_verification_status_print (unsigned int status,
gnutls_datum_t * out, unsigned int flags);
int dane_verify_crt (dane_state_t s,
const gnutls_datum_t *chain, unsigned chain_size,
gnutls_certificate_type_t chain_type,
const char * hostname, const char* proto, unsigned int port,
unsigned int sflags, unsigned int vflags,
unsigned int *verify);
int dane_verify_session_crt (
dane_state_t s,
gnutls_session_t session,
const char * hostname, const char* proto, unsigned int port,
unsigned int sflags, unsigned int vflags,
unsigned int *verify);
const char * dane_strerror (int error);
#define DANE_E_SUCCESS 0
#define DANE_E_INITIALIZATION_ERROR -1
#define DANE_E_RESOLVING_ERROR -2
#define DANE_E_NO_DANE_DATA -3
#define DANE_E_RECEIVED_CORRUPT_DATA -4
#define DANE_E_INVALID_DNSSEC_SIG -5
#define DANE_E_NO_DNSSEC_SIG -6
#define DANE_E_MEMORY_ERROR -7
#define DANE_E_REQUESTED_DATA_NOT_AVAILABLE -8
#define DANE_E_INVALID_REQUEST -9
#define DANE_E_PUBKEY_ERROR -10
#define DANE_E_NO_CERT -11
#define DANE_E_FILE_ERROR -12
#define DANE_E_CERT_ERROR -13
#define DANE_E_UNKNOWN_DANE_DATA -14