1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
|
@subheading dane_cert_type_name
@anchor{dane_cert_type_name}
@deftypefun {const char *} {dane_cert_type_name} (dane_cert_type_t @var{type})
@var{type}: is a DANE match type
Convert a @code{dane_cert_type_t} value to a string.
@strong{Returns:} a string that contains the name of the specified
type, or @code{NULL} .
@end deftypefun
@subheading dane_cert_usage_name
@anchor{dane_cert_usage_name}
@deftypefun {const char *} {dane_cert_usage_name} (dane_cert_usage_t @var{usage})
@var{usage}: is a DANE certificate usage
Convert a @code{dane_cert_usage_t} value to a string.
@strong{Returns:} a string that contains the name of the specified
type, or @code{NULL} .
@end deftypefun
@subheading dane_match_type_name
@anchor{dane_match_type_name}
@deftypefun {const char *} {dane_match_type_name} (dane_match_type_t @var{type})
@var{type}: is a DANE match type
Convert a @code{dane_match_type_t} value to a string.
@strong{Returns:} a string that contains the name of the specified
type, or @code{NULL} .
@end deftypefun
@subheading dane_query_data
@anchor{dane_query_data}
@deftypefun {int} {dane_query_data} (dane_query_t @var{q}, unsigned int @var{idx}, unsigned int * @var{usage}, unsigned int * @var{type}, unsigned int * @var{match}, gnutls_datum_t * @var{data})
@var{q}: The query result structure
@var{idx}: The index of the query response.
@var{usage}: The certificate usage (see @code{dane_cert_usage_t} )
@var{type}: The certificate type (see @code{dane_cert_type_t} )
@var{match}: The DANE matching type (see @code{dane_match_type_t} )
@var{data}: The DANE data.
This function will provide the DANE data from the query
response.
@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading dane_query_deinit
@anchor{dane_query_deinit}
@deftypefun {void} {dane_query_deinit} (dane_query_t @var{q})
@var{q}: The structure to be deinitialized
This function will deinitialize a DANE query result structure.
@end deftypefun
@subheading dane_query_entries
@anchor{dane_query_entries}
@deftypefun {unsigned int} {dane_query_entries} (dane_query_t @var{q})
@var{q}: The query result structure
This function will return the number of entries in a query.
@strong{Returns:} The number of entries.
@end deftypefun
@subheading dane_query_status
@anchor{dane_query_status}
@deftypefun {dane_query_status_t} {dane_query_status} (dane_query_t @var{q})
@var{q}: The query result structure
This function will return the status of the query response.
See @code{dane_query_status_t} for the possible types.
@strong{Returns:} The status type.
@end deftypefun
@subheading dane_query_tlsa
@anchor{dane_query_tlsa}
@deftypefun {int} {dane_query_tlsa} (dane_state_t @var{s}, dane_query_t * @var{r}, const char * @var{host}, const char * @var{proto}, unsigned int @var{port})
@var{s}: The DANE state structure
@var{r}: A structure to place the result
@var{host}: The host name to resolve.
@var{proto}: The protocol type (tcp, udp, etc.)
@var{port}: The service port number (eg. 443).
This function will query the DNS server for the TLSA (DANE)
data for the given host.
@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading dane_query_to_raw_tlsa
@anchor{dane_query_to_raw_tlsa}
@deftypefun {int} {dane_query_to_raw_tlsa} (dane_query_t @var{q}, unsigned int * @var{data_entries}, char *** @var{dane_data}, int ** @var{dane_data_len}, int * @var{secure}, int * @var{bogus})
@var{q}: The query result structure
@var{data_entries}: Pointer set to the number of entries in the query
@var{dane_data}: Pointer to contain an array of DNS rdata items, terminated with a NULL pointer;
caller must guarantee that the referenced data remains
valid until @code{dane_query_deinit()} is called.
@var{dane_data_len}: Pointer to contain the length n bytes of the dane_data items
@var{secure}: Pointer set true if the result is validated securely, false if
validation failed or the domain queried has no security info
@var{bogus}: Pointer set true if the result was not secure due to a security failure
This function will provide the DANE data from the query
response.
The pointers dane_data and dane_data_len are allocated with @code{gnutls_malloc()}
to contain the data from the query result structure (individual
@code{dane_data} items simply point to the original data and are not allocated separately).
The returned @code{dane_data} are only valid during the lifetime of @code{q} .
@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading dane_raw_tlsa
@anchor{dane_raw_tlsa}
@deftypefun {int} {dane_raw_tlsa} (dane_state_t @var{s}, dane_query_t * @var{r}, char *const * @var{dane_data}, const int * @var{dane_data_len}, int @var{secure}, int @var{bogus})
@var{s}: The DANE state structure
@var{r}: A structure to place the result
@var{dane_data}: array of DNS rdata items, terminated with a NULL pointer;
caller must guarantee that the referenced data remains
valid until @code{dane_query_deinit()} is called.
@var{dane_data_len}: the length n bytes of the dane_data items
@var{secure}: true if the result is validated securely, false if
validation failed or the domain queried has no security info
@var{bogus}: if the result was not secure (secure = 0) due to a security failure,
and the result is due to a security failure, bogus is true.
This function will fill in the TLSA (DANE) structure from
the given raw DNS record data. The @code{dane_data} must be valid
during the lifetime of the query.
@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading dane_state_deinit
@anchor{dane_state_deinit}
@deftypefun {void} {dane_state_deinit} (dane_state_t @var{s})
@var{s}: The structure to be deinitialized
This function will deinitialize a DANE query structure.
@end deftypefun
@subheading dane_state_init
@anchor{dane_state_init}
@deftypefun {int} {dane_state_init} (dane_state_t * @var{s}, unsigned int @var{flags})
@var{s}: The structure to be initialized
@var{flags}: flags from the @code{dane_state_flags} enumeration
This function will initialize the backend resolver. It is
intended to be used in scenarios where multiple resolvings
occur, to optimize against multiple re-initializations.
@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading dane_state_set_dlv_file
@anchor{dane_state_set_dlv_file}
@deftypefun {int} {dane_state_set_dlv_file} (dane_state_t @var{s}, const char * @var{file})
@var{s}: The structure to be deinitialized
@var{file}: The file holding the DLV keys.
This function will set a file with trusted keys
for DLV (DNSSEC Lookaside Validation).
@end deftypefun
@subheading dane_strerror
@anchor{dane_strerror}
@deftypefun {const char *} {dane_strerror} (int @var{error})
@var{error}: is a DANE error code, a negative error code
This function is similar to strerror. The difference is that it
accepts an error number returned by a gnutls function; In case of
an unknown error a descriptive string is sent instead of @code{NULL} .
Error codes are always a negative error code.
@strong{Returns:} A string explaining the DANE error message.
@end deftypefun
@subheading dane_verification_status_print
@anchor{dane_verification_status_print}
@deftypefun {int} {dane_verification_status_print} (unsigned int @var{status}, gnutls_datum_t * @var{out}, unsigned int @var{flags})
@var{status}: The status flags to be printed
@var{out}: Newly allocated datum with (0) terminated string.
@var{flags}: should be zero
This function will pretty print the status of a verification
process -- eg. the one obtained by @code{dane_verify_crt()} .
The output @code{out} needs to be deallocated using @code{gnutls_free()} .
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a
negative error value.
@end deftypefun
@subheading dane_verify_crt
@anchor{dane_verify_crt}
@deftypefun {int} {dane_verify_crt} (dane_state_t @var{s}, const gnutls_datum_t * @var{chain}, unsigned @var{chain_size}, gnutls_certificate_type_t @var{chain_type}, const char * @var{hostname}, const char * @var{proto}, unsigned int @var{port}, unsigned int @var{sflags}, unsigned int @var{vflags}, unsigned int * @var{verify})
@var{s}: A DANE state structure (may be NULL)
@var{chain}: A certificate chain
@var{chain_size}: The size of the chain
@var{chain_type}: The type of the certificate chain
@var{hostname}: The hostname associated with the chain
@var{proto}: The protocol of the service connecting (e.g. tcp)
@var{port}: The port of the service connecting (e.g. 443)
@var{sflags}: Flags for the initialization of @code{s} (if NULL)
@var{vflags}: Verification flags; an OR'ed list of @code{dane_verify_flags_t} .
@var{verify}: An OR'ed list of @code{dane_verify_status_t} .
This function will verify the given certificate chain against the
CA constrains and/or the certificate available via DANE.
If no information via DANE can be obtained the flag @code{DANE_VERIFY_NO_DANE_INFO}
is set. If a DNSSEC signature is not available for the DANE
record then the verify flag @code{DANE_VERIFY_NO_DNSSEC_DATA} is set.
Due to the many possible options of DANE, there is no single threat
model countered. When notifying the user about DANE verification results
it may be better to mention: DANE verification did not reject the certificate,
rather than mentioning a successful DANE verication.
Note that this function is designed to be run in addition to
PKIX - certificate chain - verification. To be run independently
the @code{DANE_VFLAG_ONLY_CHECK_EE_USAGE} flag should be specified;
then the function will check whether the key of the peer matches the
key advertized in the DANE entry.
@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS} (0)
when the DANE entries were successfully parsed, irrespective of
whether they were verified (see @code{verify} for that information). If
no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE}
will be returned.
@end deftypefun
@subheading dane_verify_crt_raw
@anchor{dane_verify_crt_raw}
@deftypefun {int} {dane_verify_crt_raw} (dane_state_t @var{s}, const gnutls_datum_t * @var{chain}, unsigned @var{chain_size}, gnutls_certificate_type_t @var{chain_type}, dane_query_t @var{r}, unsigned int @var{sflags}, unsigned int @var{vflags}, unsigned int * @var{verify})
@var{s}: A DANE state structure (may be NULL)
@var{chain}: A certificate chain
@var{chain_size}: The size of the chain
@var{chain_type}: The type of the certificate chain
@var{r}: DANE data to check against
@var{sflags}: Flags for the initialization of @code{s} (if NULL)
@var{vflags}: Verification flags; an OR'ed list of @code{dane_verify_flags_t} .
@var{verify}: An OR'ed list of @code{dane_verify_status_t} .
This is the low-level function of @code{dane_verify_crt()} . See the
high level function for documentation.
This function does not perform any resolving, it utilizes
cached entries from @code{r} .
@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS} (0)
when the DANE entries were successfully parsed, irrespective of
whether they were verified (see @code{verify} for that information). If
no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE}
will be returned.
@end deftypefun
@subheading dane_verify_session_crt
@anchor{dane_verify_session_crt}
@deftypefun {int} {dane_verify_session_crt} (dane_state_t @var{s}, gnutls_session_t @var{session}, const char * @var{hostname}, const char * @var{proto}, unsigned int @var{port}, unsigned int @var{sflags}, unsigned int @var{vflags}, unsigned int * @var{verify})
@var{s}: A DANE state structure (may be NULL)
@var{session}: A gnutls session
@var{hostname}: The hostname associated with the chain
@var{proto}: The protocol of the service connecting (e.g. tcp)
@var{port}: The port of the service connecting (e.g. 443)
@var{sflags}: Flags for the initialization of @code{s} (if NULL)
@var{vflags}: Verification flags; an OR'ed list of @code{dane_verify_flags_t} .
@var{verify}: An OR'ed list of @code{dane_verify_status_t} .
This function will verify session's certificate chain against the
CA constrains and/or the certificate available via DANE.
See @code{dane_verify_crt()} for more information.
This will not verify the chain for validity; unless the DANE
verification is restricted to end certificates, this must be
be performed separately using @code{gnutls_certificate_verify_peers3()} .
@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS} (0)
when the DANE entries were successfully parsed, irrespective of
whether they were verified (see @code{verify} for that information). If
no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE}
will be returned.
@end deftypefun
|
