| blob | f3d28341e3eed0240aa087911da585c3969a9a98 |
1 /*
2 * Copyright (C) 2012 KU Leuven
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of libdane.
7 *
8 * libdane is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
23 #include <config.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <errno.h>
29 #include <arpa/inet.h>
30 #include <unbound.h>
31 #include <gnutls/dane.h>
32 #include <gnutls/x509.h>
33 #include <gnutls/abstract.h>
34 #include <gnutls/crypto.h>
36 #define MAX_DATA_ENTRIES 4
38 struct dane_query_st
39 {
48 dane_query_status_t status;
49 };
51 /**
52 * dane_query_status:
53 * @q: The query structure
54 *
55 * This function will return the status of the query response.
56 * See %dane_query_status_t for the possible types.
57 *
58 * Returns: The status type.
59 **/
61 {
63 }
65 /**
66 * dane_query_entries:
67 * @q: The query structure
68 *
69 * This function will return the number of entries in a query.
70 *
71 * Returns: The number of entries.
72 **/
74 {
76 }
78 /**
79 * dane_query_data:
80 * @q: The query structure
81 * @idx: The index of the query response.
82 * @usage: The certificate usage (see %dane_cert_usage_t)
83 * @type: The certificate type (see %dane_cert_type_t)
84 * @match: The DANE matching type (see %dane_match_type_t)
85 * @data: The DANE data.
86 *
87 * This function will provide the DANE data from the query
88 * response.
89 *
90 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
91 * negative error value.
92 **/
96 {
109 }
112 }
114 /**
115 * dane_query_init:
116 * @q: The structure to be initialized
117 * @flags: flags from the DANE_F_* definitions
118 *
119 * This function will initialize a DANE query structure.
120 *
121 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
122 * negative error value.
123 **/
125 {
137 }
144 }
149 }
150 }
152 /* read public keys for DNSSEC verification */
156 }
162 cleanup:
169 }
171 /**
172 * dane_query_init:
173 * @q: The structure to be deinitialized
174 *
175 * This function will deinitialize a DANE query structure.
176 *
177 **/
179 {
185 }
187 /**
188 * dane_query_resolve_tlsa:
189 * @q: The query structure
190 * @host: The host name to resolve.
191 * @proto: The protocol type (tcp, udp, etc.)
192 * @port: The service port number (eg. 443).
193 *
194 * This function will query the DNS server for the TLSA (DANE)
195 * data for the given host.
196 *
197 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
198 * negative error value.
199 **/
200 int dane_query_resolve_tlsa(dane_query_t q, const char* host, const char* proto, unsigned int port)
201 {
209 }
213 /* query for webserver */
217 }
219 /* show first result */
222 }
231 }
238 i++;
247 else
249 }
250 }
252 /* show security status */
260 }
263 dane_match_type_t match)
264 {
301 }
304 }
307 {
323 }
329 }
335 }
342 }
348 }
354 }
361 cleanup:
363 clean_certs:
370 }
373 gnutls_certificate_type_t crt_type,
374 dane_cert_type_t ctype,
377 {
396 }
399 cleanup:
402 }
407 {
424 }
427 cleanup:
430 }
432 /**
433 * dane_verify_crt:
434 * @chain: A certificate chain
435 * @chain_size: The size of the chain
436 * @chain_type: The type of the certificate chain
437 * @hostname: The hostname associated with the chain
438 * @proto: The protocol of the service connecting (e.g. tcp)
439 * @port: The port of the service connecting (e.g. 443)
440 * @flags: The %DANE_F flags.
441 * @verify: An OR'ed list of %dane_verify_status_t.
442 *
443 * This function will verify the given certificate chain against the
444 * CA constrains and/or the certificate available via DANE.
445 * If no information via DANE can be obtained the flag %DANE_VERIFY_NO_DANE_INFO
446 * is set. If a DNSSEC signature is not available for the DANE
447 * record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
448 *
449 * Note that when verifying untrusted certificates, it is recommended to
450 * use the %DANE_F_REQUIRE_DNSSEC flag.
451 *
452 * Due to the many possible options of DANE, there is no single threat
453 * model countered. When notifying the user about DANE verification results
454 * it may be better to mention: DANE verification did not reject the certificate,
455 * rather than mentioning a successful DANE verication.
456 *
457 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
458 * negative error value.
459 *
460 **/
463 gnutls_certificate_type_t chain_type,
466 {
467 dane_query_t q;
470 gnutls_datum_t data;
480 }
485 }
494 }
504 }
515 }
520 cleanup:
523 }
525 /**
526 * dane_verify_session_crt:
527 * @session: A gnutls session
528 * @hostname: The hostname associated with the chain
529 * @proto: The protocol of the service connecting (e.g. tcp)
530 * @port: The port of the service connecting (e.g. 443)
531 * @flags: The %DANE_F flags.
532 * @verify: An OR'ed list of %dane_verify_status_t.
533 *
534 * This function will verify session's certificate chain against the
535 * CA constrains and/or the certificate available via DANE.
536 * See dane_verify_crt() for more information.
537 *
538 * Returns: On success, %DANE_E_SUCCESS (0) is returned, otherwise a
539 * negative error value.
540 *
541 **/
543 gnutls_session_t session,
546 {
554 }
559 }