summaryrefslogtreecommitdiff
path: root/libdane/includes/gnutls/dane.h
blob: 366d10a98014c2a1af960f735c0997fffff21e47 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
/* -*- c -*-
 * Copyright (C) 2012 KU Leuven
 *
 * Author: Nikos Mavrogiannopoulos
 *
 * This file is part of libdane.
 *
 * libdane is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 3 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 *
 */


#include <gnutls/gnutls.h> /* for gnutls_datum_t */

/**
 * dane_cert_usage_t:
 * @DANE_CERT_USAGE_CA: CA constraint. The certificate/key
 *   presented must have signed the verified key.
 * @DANE_CERT_USAGE_EE: The key or the certificate of the end
 *   entity.
 * @DANE_CERT_USAGE_LOCAL_CA: The remote CA is local and possibly
 *   untrusted by the verifier.
 * @DANE_CERT_USAGE_LOCAL_EE: The remote end-entity key is local
 *   and possibly untrusted by the verifier (not signed by a CA).
 *
 * Enumeration of different certificate usage types.
 */
typedef enum dane_cert_usage_t
{
  DANE_CERT_USAGE_CA = 0,
  DANE_CERT_USAGE_EE = 1,
  DANE_CERT_USAGE_LOCAL_CA = 2,
  DANE_CERT_USAGE_LOCAL_EE = 3
} dane_cert_usage_t;

/**
 * dane_cert_type_t:
 * @DANE_CERT_X509: An X.509 certificate.
 * @DANE_CERT_PK: A public key.
 *
 * Enumeration of different certificate types.
 */
typedef enum dane_cert_type_t 
{
  DANE_CERT_X509 = 0,
  DANE_CERT_PK = 1
} dane_cert_type_t;

/**
 * dane_match_type_t:
 * @DANE_MATCH_EXACT: The full content.
 * @DANE_MATCH_SHA2_256: A SHA-256 hash of the content.
 * @DANE_MATCH_SHA2_512: A SHA-512 hash of the content.
 *
 * Enumeration of different content matching types.
 */
typedef enum dane_match_type_t 
{
  DANE_MATCH_EXACT = 0,
  DANE_MATCH_SHA2_256 = 1,
  DANE_MATCH_SHA2_512 = 2
} dane_match_type_t;

/**
 * dane_query_status_t:
 * @DANE_QUERY_UNKNOWN: There was no query.
 * @DANE_QUERY_DNSSEC_VERIFIED: The query was verified using DNSSEC.
 * @DANE_QUERY_BOGUS: The query has wrong DNSSEC signature.
 * @DANE_QUERY_NO_DNSSEC: The query has no DNSSEC data.
 *
 * Enumeration of different certificate types.
 */
typedef enum dane_query_status_t 
{
  DANE_QUERY_UNKNOWN = 0,
  DANE_QUERY_DNSSEC_VERIFIED,
  DANE_QUERY_BOGUS,
  DANE_QUERY_NO_DNSSEC
} dane_query_status_t;

typedef struct dane_query_st *dane_query_t;


int dane_query_init (dane_query_t* q, unsigned int flags);
void dane_query_deinit (dane_query_t q);
int dane_query_resolve_tlsa (dane_query_t q, const char* host, const char* proto, unsigned int port);
int dane_query_data(dane_query_t q, unsigned int idx,
					unsigned int *usage, unsigned int *type,
					unsigned int *match, gnutls_datum_t * data);
dane_query_status_t dane_query_status(dane_query_t q);
unsigned int dane_query_entries(dane_query_t q);


/**
 * dane_verify_status_t:
 * @DANE_VERIFY_CA_CONSTRAINS_VIOLATED: The CA constrains was violated.
 * @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
 * @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
 *
 * Enumeration of different verification status flags.
 */
typedef enum dane_verify_status_t 
{
  DANE_VERIFY_CA_CONSTRAINS_VIOLATED = 1,
  DANE_VERIFY_CERT_DIFFERS = 1<<1,
  DANE_VERIFY_NO_DANE_INFO = 1<<2,
} dane_verify_status_t;

/**
 * dane_verify_flags_t:
 * @DANE_F_REQUIRE_DNSSEC: Require DNSSEC for verification.
 * @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems are not DNSSEC-ready. In that case the local resolver is ignored, and a direct recursive resolve occurs.
 *
 * Enumeration of different verification flags.
 */
typedef enum dane_verify_flags_t 
{
  DANE_F_IGNORE_LOCAL_RESOLVER = 1,
} dane_verify_flags_t;

int dane_verify_crt (
	const gnutls_datum_t *chain, unsigned chain_size,
	gnutls_certificate_type_t chain_type,
	const char * hostname, const char* proto, unsigned int port,
	unsigned int flags, unsigned int *verify);

int dane_verify_session_crt (
	gnutls_session_t session,
	const char * hostname, const char* proto, unsigned int port,
	unsigned int flags, unsigned int *verify);

const char * dane_strerror (int error);

#define DANE_E_SUCCESS 0
#define DANE_E_INITIALIZATION_ERROR -1
#define DANE_E_RESOLVING_ERROR -2
#define DANE_E_NO_DANE_DATA -3
#define DANE_E_RECEIVED_CORRUPT_DATA -4
#define DANE_E_INVALID_DNSSEC_SIG -5
#define DANE_E_NO_DNSSEC_SIG -6
#define DANE_E_MEMORY_ERROR -7
#define DANE_E_REQUESTED_DATA_NOT_AVAILABLE -8
#define DANE_E_INVALID_REQUEST -9
#define DANE_E_PUBKEY_ERROR -10
#define DANE_E_NO_CERT -11