source-git / gnutls

Clone
Source Code
GIT

Blame doc/dane-api.texi

c8 c8s master
  1.   c8
  2.   doc
  3.   dane-api.texi
Blob History Raw
Packit aea12f
Packit aea12f 
@subheading dane_cert_type_name
Packit aea12f 
@anchor{dane_cert_type_name}
Packit aea12f 
@deftypefun {const char *} {dane_cert_type_name} (dane_cert_type_t @var{type})
Packit aea12f 
@var{type}: is a DANE match type
Packit aea12f
Packit aea12f 
Convert a @code{dane_cert_type_t}  value to a string.
Packit aea12f
Packit aea12f 
@strong{Returns:} a string that contains the name of the specified
Packit aea12f 
type, or @code{NULL} .
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_cert_usage_name
Packit aea12f 
@anchor{dane_cert_usage_name}
Packit aea12f 
@deftypefun {const char *} {dane_cert_usage_name} (dane_cert_usage_t @var{usage})
Packit aea12f 
@var{usage}: is a DANE certificate usage
Packit aea12f
Packit aea12f 
Convert a @code{dane_cert_usage_t}  value to a string.
Packit aea12f
Packit aea12f 
@strong{Returns:} a string that contains the name of the specified
Packit aea12f 
type, or @code{NULL} .
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_match_type_name
Packit aea12f 
@anchor{dane_match_type_name}
Packit aea12f 
@deftypefun {const char *} {dane_match_type_name} (dane_match_type_t @var{type})
Packit aea12f 
@var{type}: is a DANE match type
Packit aea12f
Packit aea12f 
Convert a @code{dane_match_type_t}  value to a string.
Packit aea12f
Packit aea12f 
@strong{Returns:} a string that contains the name of the specified
Packit aea12f 
type, or @code{NULL} .
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_query_data
Packit aea12f 
@anchor{dane_query_data}
Packit aea12f 
@deftypefun {int} {dane_query_data} (dane_query_t @var{q}, unsigned int @var{idx}, unsigned int * @var{usage}, unsigned int * @var{type}, unsigned int * @var{match}, gnutls_datum_t * @var{data})
Packit aea12f 
@var{q}: The query result structure
Packit aea12f
Packit aea12f 
@var{idx}: The index of the query response.
Packit aea12f
Packit aea12f 
@var{usage}: The certificate usage (see @code{dane_cert_usage_t} )
Packit aea12f
Packit aea12f 
@var{type}: The certificate type (see @code{dane_cert_type_t} )
Packit aea12f
Packit aea12f 
@var{match}: The DANE matching type (see @code{dane_match_type_t} )
Packit aea12f
Packit aea12f 
@var{data}: The DANE data.
Packit aea12f
Packit aea12f 
This function will provide the DANE data from the query
Packit aea12f 
response.
Packit aea12f
Packit aea12f 
@strong{Returns:} On success, @code{DANE_E_SUCCESS}  (0) is returned, otherwise a
Packit aea12f 
negative error value.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_query_deinit
Packit aea12f 
@anchor{dane_query_deinit}
Packit aea12f 
@deftypefun {void} {dane_query_deinit} (dane_query_t @var{q})
Packit aea12f 
@var{q}: The structure to be deinitialized
Packit aea12f
Packit aea12f 
This function will deinitialize a DANE query result structure.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_query_entries
Packit aea12f 
@anchor{dane_query_entries}
Packit aea12f 
@deftypefun {unsigned int} {dane_query_entries} (dane_query_t @var{q})
Packit aea12f 
@var{q}: The query result structure
Packit aea12f
Packit aea12f 
This function will return the number of entries in a query.
Packit aea12f
Packit aea12f 
@strong{Returns:} The number of entries.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_query_status
Packit aea12f 
@anchor{dane_query_status}
Packit aea12f 
@deftypefun {dane_query_status_t} {dane_query_status} (dane_query_t @var{q})
Packit aea12f 
@var{q}: The query result structure
Packit aea12f
Packit aea12f 
This function will return the status of the query response.
Packit aea12f 
See @code{dane_query_status_t}  for the possible types.
Packit aea12f
Packit aea12f 
@strong{Returns:} The status type.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_query_tlsa
Packit aea12f 
@anchor{dane_query_tlsa}
Packit aea12f 
@deftypefun {int} {dane_query_tlsa} (dane_state_t @var{s}, dane_query_t * @var{r}, const char * @var{host}, const char * @var{proto}, unsigned int @var{port})
Packit aea12f 
@var{s}: The DANE state structure
Packit aea12f
Packit aea12f 
@var{r}: A structure to place the result
Packit aea12f
Packit aea12f 
@var{host}: The host name to resolve.
Packit aea12f
Packit aea12f 
@var{proto}: The protocol type (tcp, udp, etc.)
Packit aea12f
Packit aea12f 
@var{port}: The service port number (eg. 443).
Packit aea12f
Packit aea12f 
This function will query the DNS server for the TLSA (DANE)
Packit aea12f 
data for the given host.
Packit aea12f
Packit aea12f 
@strong{Returns:} On success, @code{DANE_E_SUCCESS}  (0) is returned, otherwise a
Packit aea12f 
negative error value.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_query_to_raw_tlsa
Packit aea12f 
@anchor{dane_query_to_raw_tlsa}
Packit aea12f 
@deftypefun {int} {dane_query_to_raw_tlsa} (dane_query_t @var{q}, unsigned int * @var{data_entries}, char *** @var{dane_data}, int ** @var{dane_data_len}, int * @var{secure}, int * @var{bogus})
Packit aea12f 
@var{q}: The query result structure
Packit aea12f
Packit aea12f 
@var{data_entries}: Pointer set to the number of entries in the query
Packit aea12f
Packit aea12f 
@var{dane_data}: Pointer to contain an array of DNS rdata items, terminated with a NULL pointer;
Packit aea12f 
caller must guarantee that the referenced data remains
Packit aea12f 
valid until @code{dane_query_deinit()}  is called.
Packit aea12f
Packit aea12f 
@var{dane_data_len}: Pointer to contain the length n bytes of the dane_data items
Packit aea12f
Packit aea12f 
@var{secure}: Pointer set true if the result is validated securely, false if
Packit aea12f 
validation failed or the domain queried has no security info
Packit aea12f
Packit aea12f 
@var{bogus}: Pointer set true if the result was not secure due to a security failure
Packit aea12f
Packit aea12f 
This function will provide the DANE data from the query
Packit aea12f 
response.
Packit aea12f
Packit aea12f 
The pointers dane_data and dane_data_len are allocated with @code{gnutls_malloc()}
Packit aea12f 
to contain the data from the query result structure (individual
Packit aea12f 
 @code{dane_data} items simply point to the original data and are not allocated separately).
Packit aea12f 
The returned  @code{dane_data} are only valid during the lifetime of  @code{q} .
Packit aea12f
Packit aea12f 
@strong{Returns:} On success, @code{DANE_E_SUCCESS}  (0) is returned, otherwise a
Packit aea12f 
negative error value.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_raw_tlsa
Packit aea12f 
@anchor{dane_raw_tlsa}
Packit aea12f 
@deftypefun {int} {dane_raw_tlsa} (dane_state_t @var{s}, dane_query_t * @var{r}, char *const * @var{dane_data}, const int * @var{dane_data_len}, int @var{secure}, int @var{bogus})
Packit aea12f 
@var{s}: The DANE state structure
Packit aea12f
Packit aea12f 
@var{r}: A structure to place the result
Packit aea12f
Packit aea12f 
@var{dane_data}: array of DNS rdata items, terminated with a NULL pointer;
Packit aea12f 
caller must guarantee that the referenced data remains
Packit aea12f 
valid until @code{dane_query_deinit()}  is called.
Packit aea12f
Packit aea12f 
@var{dane_data_len}: the length n bytes of the dane_data items
Packit aea12f
Packit aea12f 
@var{secure}: true if the result is validated securely, false if
Packit aea12f 
validation failed or the domain queried has no security info
Packit aea12f
Packit aea12f 
@var{bogus}: if the result was not secure (secure = 0) due to a security failure,
Packit aea12f 
and the result is due to a security failure, bogus is true.
Packit aea12f
Packit aea12f 
This function will fill in the TLSA (DANE) structure from
Packit aea12f 
the given raw DNS record data. The  @code{dane_data} must be valid
Packit aea12f 
during the lifetime of the query.
Packit aea12f
Packit aea12f 
@strong{Returns:} On success, @code{DANE_E_SUCCESS}  (0) is returned, otherwise a
Packit aea12f 
negative error value.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_state_deinit
Packit aea12f 
@anchor{dane_state_deinit}
Packit aea12f 
@deftypefun {void} {dane_state_deinit} (dane_state_t @var{s})
Packit aea12f 
@var{s}: The structure to be deinitialized
Packit aea12f
Packit aea12f 
This function will deinitialize a DANE query structure.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_state_init
Packit aea12f 
@anchor{dane_state_init}
Packit aea12f 
@deftypefun {int} {dane_state_init} (dane_state_t * @var{s}, unsigned int @var{flags})
Packit aea12f 
@var{s}: The structure to be initialized
Packit aea12f
Packit aea12f 
@var{flags}: flags from the @code{dane_state_flags}  enumeration
Packit aea12f
Packit aea12f 
This function will initialize the backend resolver. It is
Packit aea12f 
intended to be used in scenarios where multiple resolvings
Packit aea12f 
occur, to optimize against multiple re-initializations.
Packit aea12f
Packit aea12f 
@strong{Returns:} On success, @code{DANE_E_SUCCESS}  (0) is returned, otherwise a
Packit aea12f 
negative error value.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_state_set_dlv_file
Packit aea12f 
@anchor{dane_state_set_dlv_file}
Packit aea12f 
@deftypefun {int} {dane_state_set_dlv_file} (dane_state_t @var{s}, const char * @var{file})
Packit aea12f 
@var{s}: The structure to be deinitialized
Packit aea12f
Packit aea12f 
@var{file}: The file holding the DLV keys.
Packit aea12f
Packit aea12f 
This function will set a file with trusted keys
Packit aea12f 
for DLV (DNSSEC Lookaside Validation).
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_strerror
Packit aea12f 
@anchor{dane_strerror}
Packit aea12f 
@deftypefun {const char *} {dane_strerror} (int @var{error})
Packit aea12f 
@var{error}: is a DANE error code, a negative error code
Packit aea12f
Packit aea12f 
This function is similar to strerror.  The difference is that it
Packit aea12f 
accepts an error number returned by a gnutls function; In case of
Packit aea12f 
an unknown error a descriptive string is sent instead of @code{NULL} .
Packit aea12f
Packit aea12f 
Error codes are always a negative error code.
Packit aea12f
Packit aea12f 
@strong{Returns:} A string explaining the DANE error message.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_verification_status_print
Packit aea12f 
@anchor{dane_verification_status_print}
Packit aea12f 
@deftypefun {int} {dane_verification_status_print} (unsigned int @var{status}, gnutls_datum_t * @var{out}, unsigned int @var{flags})
Packit aea12f 
@var{status}: The status flags to be printed
Packit aea12f
Packit aea12f 
@var{out}: Newly allocated datum with (0) terminated string.
Packit aea12f
Packit aea12f 
@var{flags}: should be zero
Packit aea12f
Packit aea12f 
This function will pretty print the status of a verification
Packit aea12f 
process -- eg. the one obtained by @code{dane_verify_crt()} .
Packit aea12f
Packit aea12f 
The output  @code{out} needs to be deallocated using @code{gnutls_free()} .
Packit aea12f
Packit aea12f 
@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS}  (0) is returned, otherwise a
Packit aea12f 
negative error value.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_verify_crt
Packit aea12f 
@anchor{dane_verify_crt}
Packit aea12f 
@deftypefun {int} {dane_verify_crt} (dane_state_t @var{s}, const gnutls_datum_t * @var{chain}, unsigned @var{chain_size}, gnutls_certificate_type_t @var{chain_type}, const char * @var{hostname}, const char * @var{proto}, unsigned int @var{port}, unsigned int @var{sflags}, unsigned int @var{vflags}, unsigned int * @var{verify})
Packit aea12f 
@var{s}: A DANE state structure (may be NULL)
Packit aea12f
Packit aea12f 
@var{chain}: A certificate chain
Packit aea12f
Packit aea12f 
@var{chain_size}: The size of the chain
Packit aea12f
Packit aea12f 
@var{chain_type}: The type of the certificate chain
Packit aea12f
Packit aea12f 
@var{hostname}: The hostname associated with the chain
Packit aea12f
Packit aea12f 
@var{proto}: The protocol of the service connecting (e.g. tcp)
Packit aea12f
Packit aea12f 
@var{port}: The port of the service connecting (e.g. 443)
Packit aea12f
Packit aea12f 
@var{sflags}: Flags for the initialization of  @code{s} (if NULL)
Packit aea12f
Packit aea12f 
@var{vflags}: Verification flags; an OR'ed list of @code{dane_verify_flags_t} .
Packit aea12f
Packit aea12f 
@var{verify}: An OR'ed list of @code{dane_verify_status_t} .
Packit aea12f
Packit aea12f 
This function will verify the given certificate chain against the
Packit aea12f 
CA constrains and/or the certificate available via DANE.
Packit aea12f 
If no information via DANE can be obtained the flag @code{DANE_VERIFY_NO_DANE_INFO}
Packit aea12f 
is set. If a DNSSEC signature is not available for the DANE
Packit aea12f 
record then the verify flag @code{DANE_VERIFY_NO_DNSSEC_DATA}  is set.
Packit aea12f
Packit aea12f 
Due to the many possible options of DANE, there is no single threat
Packit aea12f 
model countered. When notifying the user about DANE verification results
Packit aea12f 
it may be better to mention: DANE verification did not reject the certificate,
Packit aea12f 
rather than mentioning a successful DANE verication.
Packit aea12f
Packit aea12f 
Note that this function is designed to be run in addition to
Packit aea12f 
PKIX - certificate chain - verification. To be run independently
Packit aea12f 
the @code{DANE_VFLAG_ONLY_CHECK_EE_USAGE}  flag should be specified;
Packit aea12f 
then the function will check whether the key of the peer matches the
Packit aea12f 
key advertized in the DANE entry.
Packit aea12f
Packit aea12f 
@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS}  (0)
Packit aea12f 
when the DANE entries were successfully parsed, irrespective of
Packit aea12f 
whether they were verified (see  @code{verify} for that information). If
Packit aea12f 
no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE}
Packit aea12f 
will be returned.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_verify_crt_raw
Packit aea12f 
@anchor{dane_verify_crt_raw}
Packit aea12f 
@deftypefun {int} {dane_verify_crt_raw} (dane_state_t @var{s}, const gnutls_datum_t * @var{chain}, unsigned @var{chain_size}, gnutls_certificate_type_t @var{chain_type}, dane_query_t @var{r}, unsigned int @var{sflags}, unsigned int @var{vflags}, unsigned int * @var{verify})
Packit aea12f 
@var{s}: A DANE state structure (may be NULL)
Packit aea12f
Packit aea12f 
@var{chain}: A certificate chain
Packit aea12f
Packit aea12f 
@var{chain_size}: The size of the chain
Packit aea12f
Packit aea12f 
@var{chain_type}: The type of the certificate chain
Packit aea12f
Packit aea12f 
@var{r}: DANE data to check against
Packit aea12f
Packit aea12f 
@var{sflags}: Flags for the initialization of  @code{s} (if NULL)
Packit aea12f
Packit aea12f 
@var{vflags}: Verification flags; an OR'ed list of @code{dane_verify_flags_t} .
Packit aea12f
Packit aea12f 
@var{verify}: An OR'ed list of @code{dane_verify_status_t} .
Packit aea12f
Packit aea12f 
This is the low-level function of @code{dane_verify_crt()} . See the
Packit aea12f 
high level function for documentation.
Packit aea12f
Packit aea12f 
This function does not perform any resolving, it utilizes
Packit aea12f 
cached entries from  @code{r} .
Packit aea12f
Packit aea12f 
@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS}  (0)
Packit aea12f 
when the DANE entries were successfully parsed, irrespective of
Packit aea12f 
whether they were verified (see  @code{verify} for that information). If
Packit aea12f 
no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE}
Packit aea12f 
will be returned.
Packit aea12f 
@end deftypefun
Packit aea12f
Packit aea12f 
@subheading dane_verify_session_crt
Packit aea12f 
@anchor{dane_verify_session_crt}
Packit aea12f 
@deftypefun {int} {dane_verify_session_crt} (dane_state_t @var{s}, gnutls_session_t @var{session}, const char * @var{hostname}, const char * @var{proto}, unsigned int @var{port}, unsigned int @var{sflags}, unsigned int @var{vflags}, unsigned int * @var{verify})
Packit aea12f 
@var{s}: A DANE state structure (may be NULL)
Packit aea12f
Packit aea12f 
@var{session}: A gnutls session
Packit aea12f
Packit aea12f 
@var{hostname}: The hostname associated with the chain
Packit aea12f
Packit aea12f 
@var{proto}: The protocol of the service connecting (e.g. tcp)
Packit aea12f
Packit aea12f 
@var{port}: The port of the service connecting (e.g. 443)
Packit aea12f
Packit aea12f 
@var{sflags}: Flags for the initialization of  @code{s} (if NULL)
Packit aea12f
Packit aea12f 
@var{vflags}: Verification flags; an OR'ed list of @code{dane_verify_flags_t} .
Packit aea12f
Packit aea12f 
@var{verify}: An OR'ed list of @code{dane_verify_status_t} .
Packit aea12f
Packit aea12f 
This function will verify session's certificate chain against the
Packit aea12f 
CA constrains and/or the certificate available via DANE.
Packit aea12f 
See @code{dane_verify_crt()}  for more information.
Packit aea12f
Packit aea12f 
This will not verify the chain for validity; unless the DANE
Packit aea12f 
verification is restricted to end certificates, this must be
Packit aea12f 
be performed separately using @code{gnutls_certificate_verify_peers3()} .
Packit aea12f
Packit aea12f 
@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS}  (0)
Packit aea12f 
when the DANE entries were successfully parsed, irrespective of
Packit aea12f 
whether they were verified (see  @code{verify} for that information). If
Packit aea12f 
no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE}
Packit aea12f 
will be returned.
Packit aea12f 
@end deftypefun
Packit aea12f

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation