| blob | 6f9a2db4cdba0933dd1e88ff2ab6674ea22cc200 |
1 /*
2 * Copyright (C) 2012 KU Leuven
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of libdane.
7 *
8 * libdane is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 #include <config.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <errno.h>
29 #include <arpa/inet.h>
30 #include <unbound.h>
31 #include <gnutls/dane.h>
32 #include <gnutls/x509.h>
33 #include <gnutls/abstract.h>
34 #include <gnutls/crypto.h>
36 #define MAX_DATA_ENTRIES 4
38 struct dane_query_st
39 {
48 dane_query_status_t status;
49 };
51 /**
52 * dane_query_status:
53 * @q: The query structure
54 *
55 * This function will return the status of the query response.
56 * See %dane_query_status_t for the possible types.
57 *
58 * Returns: The status type.
59 **/
61 {
63 }
65 /**
66 * dane_query_entries:
67 * @q: The query structure
68 *
69 * This function will return the number of entries in a query.
70 *
71 * Returns: The number of entries.
72 **/
74 {
76 }
78 /**
79 * dane_query_data:
80 * @q: The query structure
81 * @idx: The index of the query response.
82 * @usage: The certificate usage (see %dane_cert_usage_t)
83 * @type: The certificate type (see %dane_cert_type_t)
84 * @match: The DANE matching type (see %dane_match_type_t)
85 * @data: The DANE data.
86 *
87 * This function will provide the DANE data from the query
88 * response.
89 *
90 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
91 * negative error value.
92 **/
96 {
109 }
112 }
114 /**
115 * dane_query_init:
116 * @q: The structure to be initialized
117 * @flags: flags from the DANE_F_* definitions
118 *
119 * This function will initialize a DANE query structure.
120 *
121 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
122 * negative error value.
123 **/
125 {
137 }
144 }
149 }
150 }
152 /* read public keys for DNSSEC verification */
156 }
162 cleanup:
169 }
171 /**
172 * dane_query_init:
173 * @q: The structure to be deinitialized
174 *
175 * This function will deinitialize a DANE query structure.
176 *
177 **/
179 {
185 }
187 /**
188 * dane_query_resolve_tlsa:
189 * @q: The query structure
190 * @host: The host name to resolve.
191 * @proto: The protocol type (tcp, udp, etc.)
192 * @port: The service port number (eg. 443).
193 *
194 * This function will query the DNS server for the TLSA (DANE)
195 * data for the given host.
196 *
197 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
198 * negative error value.
199 **/
200 int dane_query_resolve_tlsa(dane_query_t q, const char* host, const char* proto, unsigned int port)
201 {
209 }
213 /* query for webserver */
217 }
219 /* show first result */
222 }
231 }
238 i++;
246 else
248 }
250 /* show security status */
258 }
261 dane_match_type_t match)
262 {
299 }
302 }
305 {
321 }
327 }
333 }
340 }
346 }
352 }
359 cleanup:
361 clean_certs:
368 }
371 gnutls_certificate_type_t crt_type,
372 dane_cert_type_t ctype,
375 {
394 }
397 cleanup:
400 }
405 {
422 }
425 cleanup:
428 }
430 /**
431 * dane_verify_crt:
432 * @chain: A certificate chain
433 * @chain_size: The size of the chain
434 * @chain_type: The type of the certificate chain
435 * @hostname: The hostname associated with the chain
436 * @proto: The protocol of the service connecting (e.g. tcp)
437 * @port: The port of the service connecting (e.g. 443)
438 * @flags: The %DANE_F flags.
439 * @verify: An OR'ed list of %dane_verify_status_t.
440 *
441 * This function will verify the given certificate chain against the
442 * CA constrains and/or the certificate available via DANE.
443 * If no information via DANE can be obtained the flag %DANE_VERIFY_NO_DANE_INFO
444 * is set. If a DNSSEC signature is not available for the DANE
445 * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
446 *
447 * Due to the many possible options of DANE, there is no single threat
448 * model countered. When notifying the user about DANE verification results
449 * it may be better to mention: DANE verification did not reject the certificate,
450 * rather than mentioning a successful DANE verication.
451 *
452 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
453 * negative error value.
454 *
455 **/
458 gnutls_certificate_type_t chain_type,
461 {
462 dane_query_t q;
465 gnutls_datum_t data;
475 }
480 }
489 }
499 }
510 }
515 cleanup:
518 }
520 /**
521 * dane_verify_session_crt:
522 * @session: A gnutls session
523 * @hostname: The hostname associated with the chain
524 * @proto: The protocol of the service connecting (e.g. tcp)
525 * @port: The port of the service connecting (e.g. 443)
526 * @flags: The %DANE_F flags.
527 * @verify: An OR'ed list of %dane_verify_status_t.
528 *
529 * This function will verify session's certificate chain against the
530 * CA constrains and/or the certificate available via DANE.
531 * See dane_verify_crt() for more information.
532 *
533 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
534 * negative error value.
535 *
536 **/
538 gnutls_session_t session,
541 {
549 }
554 }