/* -*- c -*-
* Copyright (C) 2012 KU Leuven
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of libdane.
*
* libdane is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 3 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
#include <gnutls/gnutls.h> /* for gnutls_datum_t */
/**
 * dane_cert_usage_t:
 * @DANE_CERT_USAGE_CA: CA constraint. The certificate/key
 *   presented must have signed the verified key.
 * @DANE_CERT_USAGE_EE: The key or the certificate of the end
 *   entity.
 * @DANE_CERT_USAGE_LOCAL_CA: The remote CA is local and possibly
 *   untrusted by the verifier.
 * @DANE_CERT_USAGE_LOCAL_EE: The remote end-entity key is local
 *   and possibly untrusted by the verifier (not signed by a CA).
 *
 * Enumeration of different certificate usage types, i.e. the
 * certificate-usage field of a TLSA record.  The numeric values are
 * intended to be the on-the-wire field values (RFC 6698 calls them
 * PKIX-TA, PKIX-EE, DANE-TA and DANE-EE, in that order).
 *
 * Security note: with the two LOCAL_ usages the presented chain does
 * not have to reach a trust anchor the verifier already trusts, so the
 * only thing binding the peer key to the host name is the TLSA record
 * itself.  Such records are meaningful only when the query that
 * produced them is %DANE_QUERY_DNSSEC_VERIFIED; combining them with
 * %DANE_F_INSECURE leaves nothing verified at all.
 */
typedef enum dane_cert_usage_t
{
DANE_CERT_USAGE_CA = 0,
DANE_CERT_USAGE_EE = 1,
DANE_CERT_USAGE_LOCAL_CA = 2,
DANE_CERT_USAGE_LOCAL_EE = 3
} dane_cert_usage_t;
/**
 * dane_cert_type_t:
 * @DANE_CERT_X509: An X.509 certificate.
 * @DANE_CERT_PK: A public key.
 *
 * Enumeration of different certificate types: what part of the
 * presented certificate the TLSA data is matched against (the
 * "selector" of a TLSA record) — the whole certificate, or only its
 * public key.
 *
 * Security note: with %DANE_CERT_PK only the key is compared, so
 * nothing else in the certificate (validity period, names, extensions)
 * is covered by the DANE match; whatever checking of those fields the
 * application needs must happen elsewhere.
 */
typedef enum dane_cert_type_t
{
DANE_CERT_X509 = 0,
DANE_CERT_PK = 1
} dane_cert_type_t;
/**
 * dane_match_type_t:
 * @DANE_MATCH_EXACT: The full content.
 * @DANE_MATCH_SHA2_256: A SHA-256 hash of the content.
 * @DANE_MATCH_SHA2_512: A SHA-512 hash of the content.
 *
 * Enumeration of different content matching types: how the TLSA
 * association data relates to the content selected by
 * dane_cert_type_t.  With %DANE_MATCH_EXACT the record carries the
 * content itself; with the hash types it carries a digest, which is
 * presumably computed over the DER encoding of the selected content
 * (confirm against the implementation).  Only SHA-2 digests are
 * defined here; there is deliberately no weaker hash.
 */
typedef enum dane_match_type_t
{
DANE_MATCH_EXACT = 0,
DANE_MATCH_SHA2_256 = 1,
DANE_MATCH_SHA2_512 = 2
} dane_match_type_t;
/**
 * dane_query_status_t:
 * @DANE_QUERY_UNKNOWN: There was no query.
 * @DANE_QUERY_DNSSEC_VERIFIED: The query was verified using DNSSEC.
 * @DANE_QUERY_BOGUS: The query has wrong DNSSEC signature.
 * @DANE_QUERY_NO_DNSSEC: The query has no DNSSEC data.
 *
 * Enumeration of the DNSSEC validation outcomes of a TLSA lookup, as
 * reported by dane_query_status().
 *
 * Security note: only %DANE_QUERY_DNSSEC_VERIFIED records are
 * trustworthy.  %DANE_QUERY_BOGUS and %DANE_QUERY_NO_DNSSEC data could
 * have been supplied by anyone able to spoof DNS answers and must not
 * be used to make trust decisions unless the caller has deliberately
 * opted out of the check with %DANE_F_INSECURE.
 *
 * Values are spelled out explicitly so that inserting a member later
 * cannot silently renumber this public enumeration.
 */
typedef enum dane_query_status_t
{
  DANE_QUERY_UNKNOWN = 0,
  DANE_QUERY_DNSSEC_VERIFIED = 1,
  DANE_QUERY_BOGUS = 2,
  DANE_QUERY_NO_DNSSEC = 3
} dane_query_status_t;
/* Opaque handles.  A dane_state_t is created by dane_state_init() and
 * released by dane_state_deinit(); a dane_query_t is produced by
 * dane_query_tlsa() and released by dane_query_deinit().  The struct
 * layouts are private to the library. */
typedef struct dane_state_st *dane_state_t;
typedef struct dane_query_st *dane_query_t;
/**
 * dane_state_flags_t:
 * @DANE_F_IGNORE_LOCAL_RESOLVER: Bypass the system resolver (which on
 *   many hosts is not DNSSEC-aware) and perform a direct recursive
 *   resolution instead.  Implies the host needs direct outbound DNS
 *   access rather than only access to its configured resolver.
 * @DANE_F_INSECURE: Do not fail on DNSSEC signature verification
 *   errors.  This removes the only integrity protection a TLSA record
 *   has — with it set, anyone able to spoof DNS answers can choose the
 *   data the verifier matches against.  For testing only; never set it
 *   in code that makes trust decisions.
 *
 * Bit flags accepted by dane_state_init() (and presumably as the
 * @sflags argument of the verification functions); they may be OR-ed
 * together.
 */
typedef enum dane_state_flags_t
{
  DANE_F_IGNORE_LOCAL_RESOLVER = 1,
  DANE_F_INSECURE = 1<<1
} dane_state_flags_t;
/* Create a resolver/verification state in *@s with a combination of
 * dane_state_flags_t bits in @flags.  Returns %DANE_E_SUCCESS or a
 * negative DANE_E_* code.  Release with dane_state_deinit().
 * NOTE(review): thread-safety of sharing one dane_state_t between
 * threads is not documented here — confirm before doing so. */
int dane_state_init (dane_state_t* s, unsigned int flags);
/* Point @s at a DLV (DNSSEC Lookaside Validation) trust-anchor file.
 * NOTE(review): DLV is a legacy mechanism (the public lookaside
 * registry has been retired) — confirm whether any caller still needs
 * it.  A DLV file adds trust anchors, so it deserves the same
 * protection as the root key file. */
int dane_state_set_dlv_file(dane_state_t s, const char* file);
/* Free a state created by dane_state_init(). */
void dane_state_deinit (dane_state_t s);
/* Look up the TLSA record set for @host / @proto / @port using the
 * resolver state @s and return it in *@r.  Returns %DANE_E_SUCCESS or a
 * negative DANE_E_* code.  The DNSSEC outcome of the lookup is reported
 * by dane_query_status(); the records are trustworthy only when that
 * is %DANE_QUERY_DNSSEC_VERIFIED.  Release *@r with
 * dane_query_deinit(). */
int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const char* proto, unsigned int port);
/* DNSSEC validation status of the lookup that produced @q. */
dane_query_status_t dane_query_status(dane_query_t q);
/* Number of TLSA entries in @q; valid @idx values for
 * dane_query_data() are 0 .. entries-1. */
unsigned int dane_query_entries(dane_query_t q);
/* Retrieve entry @idx of @q: *@usage, *@type and *@match are expected
 * to hold dane_cert_usage_t, dane_cert_type_t and dane_match_type_t
 * values respectively, and *@data the certificate-association data.
 * Returns %DANE_E_SUCCESS or a negative DANE_E_* code (an out-of-range
 * @idx presumably yields %DANE_E_REQUESTED_DATA_NOT_AVAILABLE — confirm).
 * NOTE(review): the header does not say whether *@data is a copy or
 * points into @q; treat it as valid only until dane_query_deinit()
 * unless the implementation documents otherwise.  Validate the three
 * field values against the enumerations before switching on them —
 * they come from DNS. */
int dane_query_data(dane_query_t q, unsigned int idx,
unsigned int *usage, unsigned int *type,
unsigned int *match, gnutls_datum_t * data);
/* Free a query result obtained from dane_query_tlsa(). */
void dane_query_deinit(dane_query_t q);
/* Printable names for the enumeration values above, for logging and
 * diagnostics.  NOTE(review): behaviour for an out-of-range value is
 * not documented here (a NULL return is plausible) — check the result
 * before handing it to printf("%s"), since the values usually come
 * straight from a TLSA record. */
const char* dane_cert_type_name(dane_cert_type_t type);
const char* dane_match_type_name(dane_match_type_t type);
const char* dane_cert_usage_name(dane_cert_usage_t usage);
/**
 * dane_verify_flags_t:
 * @DANE_VFLAG_FAIL_IF_NOT_CHECKED: If only DANE entries that are
 *   irrelevant to this certificate are received, fail instead of
 *   succeeding.
 * @DANE_VFLAG_ONLY_CHECK_EE_USAGE: The provided certificates will be
 *   verified only against any EE field. Combine with
 *   %DANE_VFLAG_FAIL_IF_NOT_CHECKED to fail if EE entries are not present.
 * @DANE_VFLAG_ONLY_CHECK_CA_USAGE: The provided certificates will be
 *   verified only against any CA field. Combine with
 *   %DANE_VFLAG_FAIL_IF_NOT_CHECKED to fail if CA entries are not present.
 *
 * Enumeration of different verification flags (the @vflags argument of
 * dane_verify_crt() and dane_verify_session_crt()); bit values that may
 * be OR-ed together.
 *
 * Security note: the documented default is fail-open — a record set
 * that contains nothing applicable to the presented chain still
 * counts as success.  Code that relies on DANE for its trust decision
 * should set %DANE_VFLAG_FAIL_IF_NOT_CHECKED.
 */
typedef enum dane_verify_flags_t
{
DANE_VFLAG_FAIL_IF_NOT_CHECKED = 1,
DANE_VFLAG_ONLY_CHECK_EE_USAGE = 1<<1,
DANE_VFLAG_ONLY_CHECK_CA_USAGE = 1<<2,
} dane_verify_flags_t;
/**
 * dane_verify_status_t:
 * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constraint was violated.
 * @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs
 *   from the one presented.
 * @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
 *
 * Enumeration of different verification status flags.  These are bit
 * values: the @verify output of dane_verify_crt() and
 * dane_verify_session_crt() presumably holds an OR of them, so a value
 * of zero is the only outcome meaning "matched".  Callers must test
 * for zero, not for the absence of one particular flag.
 */
typedef enum dane_verify_status_t
{
DANE_VERIFY_CA_CONSTRAINTS_VIOLATED = 1,
DANE_VERIFY_CERT_DIFFERS = 1<<1,
DANE_VERIFY_NO_DANE_INFO = 1<<2,
} dane_verify_status_t;
/* Backward-compatible alias for the old misspelled name; new code
 * should use DANE_VERIFY_CA_CONSTRAINTS_VIOLATED. */
#define DANE_VERIFY_CA_CONSTRAINS_VIOLATED DANE_VERIFY_CA_CONSTRAINTS_VIOLATED
/* Render a dane_verify_status_t bit set (@status) as human-readable text
 * in *@out.  Returns %DANE_E_SUCCESS or a negative DANE_E_* code.
 * NOTE(review): the header does not say how *@out's memory is owned;
 * the usual GnuTLS convention is a fresh allocation the caller releases
 * with gnutls_free() — confirm with the implementation.  The meaning of
 * @flags is not documented here. */
int
dane_verification_status_print (unsigned int status,
gnutls_datum_t * out, unsigned int flags);
/* Verify a certificate chain against the TLSA records for
 * @hostname / @proto / @port.  @chain is an array of @chain_size
 * certificates encoded as @chain_type (the expected ordering, leaf
 * first or otherwise, is not stated here — confirm against the
 * implementation).  @s is the resolver state; @sflags takes
 * dane_state_flags_t bits and @vflags dane_verify_flags_t bits.
 *
 * Returns %DANE_E_SUCCESS or a negative DANE_E_* code.  The
 * verification outcome is reported separately in *@verify as
 * dane_verify_status_t bits, presumably zero when the chain matched.
 * Security note: a %DANE_E_SUCCESS return on its own therefore only
 * means the check ran; callers must also require *@verify == 0, and —
 * since the documented default is to succeed when only irrelevant TLSA
 * entries are present — set %DANE_VFLAG_FAIL_IF_NOT_CHECKED when DANE
 * is the basis of the trust decision. */
int dane_verify_crt (dane_state_t s,
const gnutls_datum_t *chain, unsigned chain_size,
gnutls_certificate_type_t chain_type,
const char * hostname, const char* proto, unsigned int port,
unsigned int sflags, unsigned int vflags,
unsigned int *verify);
/* Convenience form of dane_verify_crt() that takes the peer's
 * certificate chain from @session instead of an explicit array; the
 * remaining arguments and the return/@verify semantics are the same.
 * As with dane_verify_crt(), a %DANE_E_SUCCESS return does not by
 * itself mean the peer was verified — *@verify must also be zero.
 * Presumably requires the handshake to have progressed far enough for
 * the peer certificate to be available (confirm). */
int dane_verify_session_crt (
dane_state_t s,
gnutls_session_t session,
const char * hostname, const char* proto, unsigned int port,
unsigned int sflags, unsigned int vflags,
unsigned int *verify);
/* Map a DANE_E_* code (@error) to a human-readable message.  The
 * returned string is presumably static and must not be freed (confirm
 * against the implementation). */
const char * dane_strerror (int error);
/* Error codes returned by the functions above: %DANE_E_SUCCESS is zero,
 * every failure is negative.  Use dane_strerror() to render them.
 * Note that the DNSSEC-related failures (%DANE_E_INVALID_DNSSEC_SIG,
 * %DANE_E_NO_DNSSEC_SIG) are the ones that %DANE_F_INSECURE is
 * documented to suppress; callers should treat them as hard failures. */
#define DANE_E_SUCCESS 0
#define DANE_E_INITIALIZATION_ERROR -1
#define DANE_E_RESOLVING_ERROR -2
#define DANE_E_NO_DANE_DATA -3
#define DANE_E_RECEIVED_CORRUPT_DATA -4
#define DANE_E_INVALID_DNSSEC_SIG -5
#define DANE_E_NO_DNSSEC_SIG -6
#define DANE_E_MEMORY_ERROR -7
#define DANE_E_REQUESTED_DATA_NOT_AVAILABLE -8
#define DANE_E_INVALID_REQUEST -9
#define DANE_E_PUBKEY_ERROR -10
#define DANE_E_NO_CERT -11
#define DANE_E_FILE_ERROR -12
#define DANE_E_CERT_ERROR -13
#define DANE_E_UNKNOWN_DANE_DATA -14