dane.c
Go to the documentation of this file.
1/*
2 * Verify or create TLS authentication with DANE (RFC6698)
3 *
4 * (c) NLnetLabs 2012-2020
5 *
6 * See the file LICENSE for the license.
7 *
8 */
9
10#include <ldns/config.h>
11#ifdef USE_DANE
12
13#include <ldns/ldns.h>
14#include <ldns/dane.h>
15
16#include <unistd.h>
17#include <stdlib.h>
18#include <sys/types.h>
19#ifdef HAVE_SYS_SOCKET_H
20#include <sys/socket.h>
21#endif
22#ifdef HAVE_NETDB_H
23#include <netdb.h>
24#endif
25
26#ifdef HAVE_SSL
27#include <openssl/ssl.h>
28#include <openssl/err.h>
29#include <openssl/x509v3.h>
30#endif
31
32/* OpenSSL context options. At the moment, disable SSLv2, SSLv3
33 * and Compression, if available. TLSv1.0 is allowed at the moment.
34 * TLSv1.1 is the first to provide elliptic curves, so it is usually
35 * allowed in a TLS stack. TLSv1.2 is the first to provide authentication
36 * modes of operation, like GCM. The defines below are a moving
37 * target based on OpenSSL library version. Grep is useful to find
38 * the defines: grep -IR SSL_OP_NO_ /usr/include/openssl.
39 */
40#ifdef HAVE_SSL
41# ifdef SSL_OP_NO_SSLv2
42 const long NoOpenSSLv2 = SSL_OP_NO_SSLv2;
43# else
44 const long NoOpenSSLv2 = 0L;
45# endif
46# ifdef SSL_OP_NO_SSLv3
47 const long NoOpenSSLv3 = SSL_OP_NO_SSLv3;
48# else
49 const long NoOpenSSLv3 = 0L;
50# endif
51# ifdef SSL_OP_NO_TLSv1
52 const long NoOpenTLSv1 = SSL_OP_NO_TLSv1;
53# else
54 const long NoOpenTLSv1 = 0L;
55# endif
56# ifdef SSL_OP_NO_DTLSv1
57 const long NoOpenDTLSv1 = SSL_OP_NO_DTLSv1;
58# else
59 const long NoOpenDTLSv1 = 0L;
60# endif
61# ifdef SSL_OP_NO_COMPRESSION
62 const long NoOpenSSLCompression = SSL_OP_NO_COMPRESSION;
63# else
64 const long NoOpenSSLCompression = 0L;
65# endif
66#endif
67
68#if defined(USE_DANE_VERIFY) && defined(USE_DANE_TA_USAGE)
69static SSL_CTX*
70ldns_dane_new_ssl_context(void)
71{
72 SSL_CTX* ssl_ctx;
73
74 ssl_ctx = SSL_CTX_new(TLS_client_method());
75 if (ssl_ctx != NULL)
76 {
77 /* ldns allows TLS and DTLS v1.0 at the moment. Some may disagree.
78 * Sometime in the future they may be disabled, too. Maybe
79 * --disable-tlsv1 and --disable-dtlsv1 should be configure options.
80 */
81 long flags = NoOpenSSLv2 | NoOpenSSLv3 | NoOpenSSLCompression;
82 SSL_CTX_set_options(ssl_ctx, flags);
83 }
84
85 return ssl_ctx;
86}
87#endif
88
89ldns_status
90ldns_dane_create_tlsa_owner(ldns_rdf** tlsa_owner, const ldns_rdf* name,
91 uint16_t port, ldns_dane_transport transport)
92{
93 char buf[LDNS_MAX_DOMAINLEN];
94 size_t s;
95
96 assert(tlsa_owner != NULL);
97 assert(name != NULL);
98 assert(ldns_rdf_get_type(name) == LDNS_RDF_TYPE_DNAME);
99
100 s = (size_t)snprintf(buf, LDNS_MAX_DOMAINLEN, "X_%d", (int)port);
101 buf[0] = (char)(s - 1);
102
103 switch(transport) {
104 case LDNS_DANE_TRANSPORT_TCP:
105 s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\004_tcp");
106 break;
107
108 case LDNS_DANE_TRANSPORT_UDP:
109 s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\004_udp");
110 break;
111
112 case LDNS_DANE_TRANSPORT_SCTP:
113 s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\005_sctp");
114 break;
115
116 default:
117 return LDNS_STATUS_DANE_UNKNOWN_TRANSPORT;
118 }
119 if (s + ldns_rdf_size(name) > LDNS_MAX_DOMAINLEN) {
120 return LDNS_STATUS_DOMAINNAME_OVERFLOW;
121 }
122 memcpy(buf + s, ldns_rdf_data(name), ldns_rdf_size(name));
123 *tlsa_owner = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_DNAME,
124 s + ldns_rdf_size(name), buf);
125 if (*tlsa_owner == NULL) {
126 return LDNS_STATUS_MEM_ERR;
127 }
128 return LDNS_STATUS_OK;
129}
130
131
132#ifdef HAVE_SSL
133ldns_status
134ldns_dane_cert2rdf(ldns_rdf** rdf, X509* cert,
135 ldns_tlsa_selector selector,
136 ldns_tlsa_matching_type matching_type)
137{
138 unsigned char* buf = NULL;
139 size_t len;
140
141 X509_PUBKEY* xpubkey;
142 EVP_PKEY* epubkey;
143
144 unsigned char* digest;
145
146 assert(rdf != NULL);
147 assert(cert != NULL);
148
149 switch(selector) {
150 case LDNS_TLSA_SELECTOR_FULL_CERTIFICATE:
151
152 len = (size_t)i2d_X509(cert, &buf);
153 break;
154
155 case LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO:
156
157#ifndef S_SPLINT_S
158 xpubkey = X509_get_X509_PUBKEY(cert);
159#endif
160 if (! xpubkey) {
161 return LDNS_STATUS_SSL_ERR;
162 }
163 epubkey = X509_PUBKEY_get(xpubkey);
164 if (! epubkey) {
165 return LDNS_STATUS_SSL_ERR;
166 }
167 len = (size_t)i2d_PUBKEY(epubkey, &buf);
168 break;
169
170 default:
171 return LDNS_STATUS_DANE_UNKNOWN_SELECTOR;
172 }
173
174 switch(matching_type) {
175 case LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED:
176
177 *rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, len, buf);
178
179 return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
180 break;
181
182 case LDNS_TLSA_MATCHING_TYPE_SHA256:
183
184 digest = LDNS_XMALLOC(unsigned char, LDNS_SHA256_DIGEST_LENGTH);
185 if (digest == NULL) {
186 LDNS_FREE(buf);
187 return LDNS_STATUS_MEM_ERR;
188 }
189 (void) ldns_sha256(buf, (unsigned int)len, digest);
190 *rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, LDNS_SHA256_DIGEST_LENGTH,
191 digest);
192 LDNS_FREE(buf);
193
194 return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
195 break;
196
197 case LDNS_TLSA_MATCHING_TYPE_SHA512:
198
199 digest = LDNS_XMALLOC(unsigned char, LDNS_SHA512_DIGEST_LENGTH);
200 if (digest == NULL) {
201 LDNS_FREE(buf);
202 return LDNS_STATUS_MEM_ERR;
203 }
204 (void) ldns_sha512(buf, (unsigned int)len, digest);
205 *rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, LDNS_SHA512_DIGEST_LENGTH,
206 digest);
207 LDNS_FREE(buf);
208
209 return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
210 break;
211
212 default:
213 LDNS_FREE(buf);
214 return LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE;
215 }
216}
217
218
219/* Ordinary PKIX validation of cert (with extra_certs to help)
220 * against the CA's in store
221 */
222static ldns_status
223ldns_dane_pkix_validate(X509* cert, STACK_OF(X509)* extra_certs,
224 X509_STORE* store)
225{
226 X509_STORE_CTX* vrfy_ctx;
227 ldns_status s;
228
229 if (! store) {
230 return LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
231 }
232 vrfy_ctx = X509_STORE_CTX_new();
233 if (! vrfy_ctx) {
234
235 return LDNS_STATUS_SSL_ERR;
236
237 } else if (X509_STORE_CTX_init(vrfy_ctx, store,
238 cert, extra_certs) != 1) {
239 s = LDNS_STATUS_SSL_ERR;
240
241 } else if (X509_verify_cert(vrfy_ctx) == 1) {
242
243 s = LDNS_STATUS_OK;
244
245 } else {
246 s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
247 }
248 X509_STORE_CTX_free(vrfy_ctx);
249 return s;
250}
251
252
253/* Ordinary PKIX validation of cert (with extra_certs to help)
254 * against the CA's in store, but also return the validation chain.
255 */
256static ldns_status
257ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert,
258 STACK_OF(X509)* extra_certs, X509_STORE* store)
259{
260 ldns_status s;
261 X509_STORE* empty_store = NULL;
262 X509_STORE_CTX* vrfy_ctx;
263
264 assert(chain != NULL);
265
266 if (! store) {
267 store = empty_store = X509_STORE_new();
268 }
269 s = LDNS_STATUS_SSL_ERR;
270 vrfy_ctx = X509_STORE_CTX_new();
271 if (! vrfy_ctx) {
272
273 goto exit_free_empty_store;
274
275 } else if (X509_STORE_CTX_init(vrfy_ctx, store,
276 cert, extra_certs) != 1) {
277 goto exit_free_vrfy_ctx;
278
279 } else if (X509_verify_cert(vrfy_ctx) == 1) {
280
281 s = LDNS_STATUS_OK;
282
283 } else {
284 s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
285 }
286 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
287 if (! *chain) {
288 s = LDNS_STATUS_SSL_ERR;
289 }
290
291exit_free_vrfy_ctx:
292 X509_STORE_CTX_free(vrfy_ctx);
293
294exit_free_empty_store:
295 if (empty_store) {
296 X509_STORE_free(empty_store);
297 }
298 return s;
299}
300
301
302/* Return the validation chain that can be build out of cert, with extra_certs.
303 */
304static ldns_status
305ldns_dane_pkix_get_chain(STACK_OF(X509)** chain,
306 X509* cert, STACK_OF(X509)* extra_certs)
307{
308 ldns_status s;
309 X509_STORE* empty_store = NULL;
310 X509_STORE_CTX* vrfy_ctx;
311
312 assert(chain != NULL);
313
314 empty_store = X509_STORE_new();
315 s = LDNS_STATUS_SSL_ERR;
316 vrfy_ctx = X509_STORE_CTX_new();
317 if (! vrfy_ctx) {
318
319 goto exit_free_empty_store;
320
321 } else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
322 cert, extra_certs) != 1) {
323 goto exit_free_vrfy_ctx;
324 }
325 (void) X509_verify_cert(vrfy_ctx);
326 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
327 if (! *chain) {
328 s = LDNS_STATUS_SSL_ERR;
329 } else {
330 s = LDNS_STATUS_OK;
331 }
332exit_free_vrfy_ctx:
333 X509_STORE_CTX_free(vrfy_ctx);
334
335exit_free_empty_store:
336 X509_STORE_free(empty_store);
337 return s;
338}
339
340
341/* Pop n+1 certs and return the last popped.
342 */
343static ldns_status
344ldns_dane_get_nth_cert_from_validation_chain(
345 X509** cert, STACK_OF(X509)* chain, int n, bool ca)
346{
347 if (n >= sk_X509_num(chain) || n < 0) {
348 return LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE;
349 }
350 *cert = sk_X509_pop(chain);
351 while (n-- > 0) {
352 X509_free(*cert);
353 *cert = sk_X509_pop(chain);
354 }
355 if (ca && ! X509_check_ca(*cert)) {
356 return LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
357 }
358 return LDNS_STATUS_OK;
359}
360
361
362/* Create validation chain with cert and extra_certs and returns the last
363 * self-signed (if present).
364 */
365static ldns_status
366ldns_dane_pkix_get_last_self_signed(X509** out_cert,
367 X509* cert, STACK_OF(X509)* extra_certs)
368{
369 ldns_status s;
370 X509_STORE* empty_store = NULL;
371 X509_STORE_CTX* vrfy_ctx;
372
373 assert(out_cert != NULL);
374
375 empty_store = X509_STORE_new();
376 s = LDNS_STATUS_SSL_ERR;
377 vrfy_ctx = X509_STORE_CTX_new();
378 if (! vrfy_ctx) {
379 goto exit_free_empty_store;
380
381 } else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
382 cert, extra_certs) != 1) {
383 goto exit_free_vrfy_ctx;
384
385 }
386 (void) X509_verify_cert(vrfy_ctx);
387 if (X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
388 X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
389
390 *out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx);
391 s = LDNS_STATUS_OK;
392 } else {
393 s = LDNS_STATUS_DANE_PKIX_NO_SELF_SIGNED_TRUST_ANCHOR;
394 }
395exit_free_vrfy_ctx:
396 X509_STORE_CTX_free(vrfy_ctx);
397
398exit_free_empty_store:
399 X509_STORE_free(empty_store);
400 return s;
401}
402
403
404ldns_status
405ldns_dane_select_certificate(X509** selected_cert,
406 X509* cert, STACK_OF(X509)* extra_certs,
407 X509_STORE* pkix_validation_store,
408 ldns_tlsa_certificate_usage cert_usage, int offset)
409{
410 ldns_status s;
411 STACK_OF(X509)* pkix_validation_chain = NULL;
412
413 assert(selected_cert != NULL);
414 assert(cert != NULL);
415
416 /* With PKIX validation explicitly turned off (pkix_validation_store
417 * == NULL), treat the "CA constraint" and "Service certificate
418 * constraint" the same as "Trust anchor assertion" and "Domain issued
419 * certificate" respectively.
420 */
421 if (pkix_validation_store == NULL) {
422 switch (cert_usage) {
423
424 case LDNS_TLSA_USAGE_CA_CONSTRAINT:
425
426 cert_usage = LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION;
427 break;
428
429 case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
430
431 cert_usage = LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
432 break;
433
434 default:
435 break;
436 }
437 }
438
439 /* Now what to do with each Certificate usage...
440 */
441 switch (cert_usage) {
442
443 case LDNS_TLSA_USAGE_CA_CONSTRAINT:
444
445 s = ldns_dane_pkix_validate_and_get_chain(
446 &pkix_validation_chain,
447 cert, extra_certs,
448 pkix_validation_store);
449 if (! pkix_validation_chain) {
450 return s;
451 }
452 if (s == LDNS_STATUS_OK) {
453 if (offset == -1) {
454 offset = 0;
455 }
456 s = ldns_dane_get_nth_cert_from_validation_chain(
457 selected_cert, pkix_validation_chain,
458 offset, true);
459 }
460 sk_X509_pop_free(pkix_validation_chain, X509_free);
461 return s;
462 break;
463
464
465 case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
466
467 *selected_cert = cert;
468 return ldns_dane_pkix_validate(cert, extra_certs,
469 pkix_validation_store);
470 break;
471
472
473 case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
474
475 if (offset == -1) {
476 s = ldns_dane_pkix_get_last_self_signed(
477 selected_cert, cert, extra_certs);
478 return s;
479 } else {
480 s = ldns_dane_pkix_get_chain(
481 &pkix_validation_chain,
482 cert, extra_certs);
483 if (s == LDNS_STATUS_OK) {
484 s =
485 ldns_dane_get_nth_cert_from_validation_chain(
486 selected_cert, pkix_validation_chain,
487 offset, false);
488 } else if (! pkix_validation_chain) {
489 return s;
490 }
491 sk_X509_pop_free(pkix_validation_chain, X509_free);
492 return s;
493 }
494 break;
495
496
497 case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
498
499 *selected_cert = cert;
500 return LDNS_STATUS_OK;
501 break;
502
503 default:
504 return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
505 break;
506 }
507}
508
509
510ldns_status
511ldns_dane_create_tlsa_rr(ldns_rr** tlsa,
512 ldns_tlsa_certificate_usage certificate_usage,
513 ldns_tlsa_selector selector,
514 ldns_tlsa_matching_type matching_type,
515 X509* cert)
516{
517 ldns_rdf* rdf;
518 ldns_status s;
519
520 assert(tlsa != NULL);
521 assert(cert != NULL);
522
523 /* create rr */
524 *tlsa = ldns_rr_new_frm_type(LDNS_RR_TYPE_TLSA);
525 if (*tlsa == NULL) {
526 return LDNS_STATUS_MEM_ERR;
527 }
528
529 rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
530 (uint8_t)certificate_usage);
531 if (rdf == NULL) {
532 goto memerror;
533 }
534 (void) ldns_rr_set_rdf(*tlsa, rdf, 0);
535
536 rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, (uint8_t)selector);
537 if (rdf == NULL) {
538 goto memerror;
539 }
540 (void) ldns_rr_set_rdf(*tlsa, rdf, 1);
541
542 rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, (uint8_t)matching_type);
543 if (rdf == NULL) {
544 goto memerror;
545 }
546 (void) ldns_rr_set_rdf(*tlsa, rdf, 2);
547
548 s = ldns_dane_cert2rdf(&rdf, cert, selector, matching_type);
549 if (s == LDNS_STATUS_OK) {
550 (void) ldns_rr_set_rdf(*tlsa, rdf, 3);
551 return LDNS_STATUS_OK;
552 }
553 ldns_rr_free(*tlsa);
554 *tlsa = NULL;
555 return s;
556
557memerror:
558 ldns_rr_free(*tlsa);
559 *tlsa = NULL;
560 return LDNS_STATUS_MEM_ERR;
561}
562
563
564#ifdef USE_DANE_VERIFY
565/* Return tlsas that actually are TLSA resource records with known values
566 * for the Certificate usage, Selector and Matching type rdata fields.
567 */
568static ldns_rr_list*
569ldns_dane_filter_unusable_records(const ldns_rr_list* tlsas)
570{
571 size_t i;
572 ldns_rr_list* r = ldns_rr_list_new();
573 ldns_rr* tlsa_rr;
574
575 if (! r) {
576 return NULL;
577 }
578 for (i = 0; i < ldns_rr_list_rr_count(tlsas); i++) {
579 tlsa_rr = ldns_rr_list_rr(tlsas, i);
580 if (ldns_rr_get_type(tlsa_rr) == LDNS_RR_TYPE_TLSA &&
581 ldns_rr_rd_count(tlsa_rr) == 4 &&
582 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) <= 3 &&
583 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)) <= 1 &&
584 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)) <= 2) {
585
586 if (! ldns_rr_list_push_rr(r, tlsa_rr)) {
587 ldns_rr_list_free(r);
588 return NULL;
589 }
590 }
591 }
592 return r;
593}
594
595
596#if !defined(USE_DANE_TA_USAGE)
597/* Return whether cert/selector/matching_type matches data.
598 */
599static ldns_status
600ldns_dane_match_cert_with_data(X509* cert, ldns_tlsa_selector selector,
601 ldns_tlsa_matching_type matching_type, ldns_rdf* data)
602{
603 ldns_status s;
604 ldns_rdf* match_data;
605
606 s = ldns_dane_cert2rdf(&match_data, cert, selector, matching_type);
607 if (s == LDNS_STATUS_OK) {
608 if (ldns_rdf_compare(data, match_data) != 0) {
609 s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
610 }
611 ldns_rdf_free(match_data);
612 }
613 return s;
614}
615
616
617/* Return whether any certificate from the chain with selector/matching_type
618 * matches data.
619 * ca should be true if the certificate has to be a CA certificate too.
620 */
621static ldns_status
622ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
623 ldns_tlsa_selector selector,
624 ldns_tlsa_matching_type matching_type,
625 ldns_rdf* data, bool ca)
626{
627 ldns_status s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
628 int n, i;
629 X509* cert;
630
631 n = sk_X509_num(chain);
632 for (i = 0; i < n; i++) {
633 cert = sk_X509_pop(chain);
634 if (! cert) {
635 s = LDNS_STATUS_SSL_ERR;
636 break;
637 }
638 s = ldns_dane_match_cert_with_data(cert,
639 selector, matching_type, data);
640 if (ca && s == LDNS_STATUS_OK && ! X509_check_ca(cert)) {
641 s = LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
642 }
643 X509_free(cert);
644 if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) {
645 break;
646 }
647 /* when s == LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH,
648 * try to match the next certificate
649 */
650 }
651 return s;
652}
653#endif /* !defined(USE_DANE_TA_USAGE) */
654#endif /* USE_DANE_VERIFY */
655
656#ifdef USE_DANE_VERIFY
657ldns_status
658ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
659 X509* cert, STACK_OF(X509)* extra_certs,
660 X509_STORE* pkix_validation_store)
661{
662#if defined(USE_DANE_TA_USAGE)
663 SSL_CTX *ssl_ctx = NULL;
664 SSL *ssl = NULL;
665 X509_STORE_CTX *store_ctx = NULL;
666#else
667 STACK_OF(X509)* pkix_validation_chain = NULL;
668#endif
669 ldns_status s = LDNS_STATUS_OK;
670
671 ldns_tlsa_certificate_usage usage;
672 ldns_tlsa_selector selector;
673 ldns_tlsa_matching_type mtype;
674 ldns_rdf* data;
675
676 if (! tlsa_rr || ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA ||
677 ldns_rr_rd_count(tlsa_rr) != 4 ||
678 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) > 3 ||
679 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)) > 1 ||
680 ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)) > 2 ) {
681 /* No (usable) TLSA, so regular PKIX validation
682 */
683 return ldns_dane_pkix_validate(cert, extra_certs,
684 pkix_validation_store);
685 }
686 usage = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0));
687 selector = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1));
688 mtype = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2));
689 data = ldns_rr_rdf(tlsa_rr, 3) ;
690
691#if defined(USE_DANE_TA_USAGE)
692 /* Rely on OpenSSL dane functions.
693 *
694 * OpenSSL does not provide offline dane verification. The dane unit
695 * tests within openssl use the undocumented SSL_get0_dane() and
696 * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and
697 * SSL_CTX to a X509_STORE_CTX that can be used to do offline
698 * verification. We use these undocumented means with the ldns
699 * dane function prototypes which did only offline dane verification.
700 */
701 if (!(ssl_ctx = ldns_dane_new_ssl_context()))
702 s = LDNS_STATUS_MEM_ERR;
703
704 else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
705 s = LDNS_STATUS_SSL_ERR;
706
707 else if (SSL_CTX_dane_set_flags(
708 ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
709 !(ssl = SSL_new(ssl_ctx)))
710 s = LDNS_STATUS_MEM_ERR;
711
712 else if (SSL_set_connect_state(ssl),
713 (SSL_dane_enable(ssl, NULL) <= 0))
714 s = LDNS_STATUS_SSL_ERR;
715
716 else if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
717 ldns_rdf_data(data), ldns_rdf_size(data)) <= 0)
718 s = LDNS_STATUS_SSL_ERR;
719
720 else if (!(store_ctx = X509_STORE_CTX_new()))
721 s = LDNS_STATUS_MEM_ERR;
722
723 else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
724 s = LDNS_STATUS_SSL_ERR;
725
726 else {
727 int ret;
728
729 X509_STORE_CTX_set_default(store_ctx,
730 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
731 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
732 SSL_get0_param(ssl));
733 X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
734 if (SSL_get_verify_callback(ssl))
735 X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
736
737 ret = X509_verify_cert(store_ctx);
738 if (!ret) {
739 if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
740 s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
741 else
742 s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
743 }
744 X509_STORE_CTX_cleanup(store_ctx);
745 }
746 if (store_ctx)
747 X509_STORE_CTX_free(store_ctx);
748 if (ssl)
749 SSL_free(ssl);
750 if (ssl_ctx)
751 SSL_CTX_free(ssl_ctx);
752 return s;
753#else
754 switch (usage) {
755 case LDNS_TLSA_USAGE_CA_CONSTRAINT:
756 s = ldns_dane_pkix_validate_and_get_chain(
757 &pkix_validation_chain,
758 cert, extra_certs,
759 pkix_validation_store);
760 if (! pkix_validation_chain) {
761 return s;
762 }
763 if (s == LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE) {
764 /*
765 * NO PKIX validation. We still try to match *any*
766 * certificate from the chain, so we return
767 * TLSA errors over PKIX errors.
768 *
769 * i.e. When the TLSA matches no certificate, we return
770 * TLSA_DID_NOT_MATCH and not PKIX_DID_NOT_VALIDATE
771 */
772 s = ldns_dane_match_any_cert_with_data(
773 pkix_validation_chain,
774 selector, mtype, data, true);
775
776 if (s == LDNS_STATUS_OK) {
777 /* A TLSA record did match a cert from the
778 * chain, thus the error is failed PKIX
779 * validation.
780 */
781 s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
782 }
783
784 } else if (s == LDNS_STATUS_OK) {
785 /* PKIX validated, does the TLSA match too? */
786
787 s = ldns_dane_match_any_cert_with_data(
788 pkix_validation_chain,
789 selector, mtype, data, true);
790 }
791 sk_X509_pop_free(pkix_validation_chain, X509_free);
792 return s;
793 break;
794
795 case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
796
797 s = ldns_dane_match_cert_with_data(cert,
798 selector, mtype, data);
799
800 if (s == LDNS_STATUS_OK) {
801 return ldns_dane_pkix_validate(cert, extra_certs,
802 pkix_validation_store);
803 }
804 return s;
805 break;
806
807 case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
808#if 0
809 s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
810 cert, extra_certs);
811
812 if (s == LDNS_STATUS_OK) {
813 s = ldns_dane_match_any_cert_with_data(
814 pkix_validation_chain,
815 selector, mtype, data, false);
816
817 } else if (! pkix_validation_chain) {
818 return s;
819 }
820 sk_X509_pop_free(pkix_validation_chain, X509_free);
821 return s;
822#else
823 return LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA;
824#endif
825 break;
826
827 case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
828 return ldns_dane_match_cert_with_data(cert,
829 selector, mtype, data);
830 break;
831
832 default:
833 break;
834 }
835#endif
836 return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
837}
838
839
840ldns_status
841ldns_dane_verify(const ldns_rr_list* tlsas,
842 X509* cert, STACK_OF(X509)* extra_certs,
843 X509_STORE* pkix_validation_store)
844{
845#if defined(USE_DANE_TA_USAGE)
846 SSL_CTX *ssl_ctx = NULL;
847 ldns_rdf *basename_rdf = NULL;
848 char *basename = NULL;
849 SSL *ssl = NULL;
850 X509_STORE_CTX *store_ctx = NULL;
851#else
852 ldns_status ps;
853#endif
854 size_t i;
855 ldns_rr* tlsa_rr;
856 ldns_rr_list *usable_tlsas;
857 ldns_status s = LDNS_STATUS_OK;
858
859 assert(cert != NULL);
860
861 if (! tlsas || ldns_rr_list_rr_count(tlsas) == 0)
862 /* No TLSA's, so regular PKIX validation
863 */
864 return ldns_dane_pkix_validate(cert, extra_certs,
865 pkix_validation_store);
866
867/* To enable name checks (which we don't) */
868#if defined(USE_DANE_TA_USAGE) && 0
869 else if (!(basename_rdf = ldns_dname_clone_from(
870 ldns_rr_list_owner(tlsas), 2)))
871 /* Could nog get DANE base name */
872 s = LDNS_STATUS_ERR;
873
874 else if (!(basename = ldns_rdf2str(basename_rdf)))
875 s = LDNS_STATUS_MEM_ERR;
876
877 else if (strlen(basename) && (basename[strlen(basename)-1] = 0))
878 s = LDNS_STATUS_ERR; /* Intended to be unreachable */
879#endif
880
881 else if (!(usable_tlsas = ldns_dane_filter_unusable_records(tlsas)))
882 return LDNS_STATUS_MEM_ERR;
883
884 else if (ldns_rr_list_rr_count(usable_tlsas) == 0) {
885 /* No TLSA's, so regular PKIX validation
886 */
887 ldns_rr_list_free(usable_tlsas);
888 return ldns_dane_pkix_validate(cert, extra_certs,
889 pkix_validation_store);
890 }
891#if defined(USE_DANE_TA_USAGE)
892 /* Rely on OpenSSL dane functions.
893 *
894 * OpenSSL does not provide offline dane verification. The dane unit
895 * tests within openssl use the undocumented SSL_get0_dane() and
896 * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and
897 * SSL_CTX to a X509_STORE_CTX that can be used to do offline
898 * verification. We use these undocumented means with the ldns
899 * dane function prototypes which did only offline dane verification.
900 */
901 if (!(ssl_ctx = ldns_dane_new_ssl_context()))
902 s = LDNS_STATUS_MEM_ERR;
903
904 else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
905 s = LDNS_STATUS_SSL_ERR;
906
907 else if (SSL_CTX_dane_set_flags(
908 ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
909 !(ssl = SSL_new(ssl_ctx)))
910 s = LDNS_STATUS_MEM_ERR;
911
912 else if (SSL_set_connect_state(ssl),
913 (SSL_dane_enable(ssl, basename) <= 0))
914 s = LDNS_STATUS_SSL_ERR;
915
916 else for (i = 0; i < ldns_rr_list_rr_count(usable_tlsas); i++) {
917 ldns_tlsa_certificate_usage usage;
918 ldns_tlsa_selector selector;
919 ldns_tlsa_matching_type mtype;
920 ldns_rdf* data;
921
922 tlsa_rr = ldns_rr_list_rr(usable_tlsas, i);
923 usage = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,0));
924 selector= ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,1));
925 mtype = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,2));
926 data = ldns_rr_rdf(tlsa_rr,3) ;
927
928 if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
929 ldns_rdf_data(data),
930 ldns_rdf_size(data)) <= 0) {
931 s = LDNS_STATUS_SSL_ERR;
932 break;
933 }
934 }
935 if (!s && !(store_ctx = X509_STORE_CTX_new()))
936 s = LDNS_STATUS_MEM_ERR;
937
938 else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
939 s = LDNS_STATUS_SSL_ERR;
940
941 else {
942 int ret;
943
944 X509_STORE_CTX_set_default(store_ctx,
945 SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
946 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
947 SSL_get0_param(ssl));
948 X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
949 if (SSL_get_verify_callback(ssl))
950 X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
951
952 ret = X509_verify_cert(store_ctx);
953 if (!ret) {
954 if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
955 s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
956 else
957 s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
958 }
959 X509_STORE_CTX_cleanup(store_ctx);
960 }
961 if (store_ctx)
962 X509_STORE_CTX_free(store_ctx);
963 if (ssl)
964 SSL_free(ssl);
965 if (ssl_ctx)
966 SSL_CTX_free(ssl_ctx);
967 if (basename)
968 free(basename);
969 ldns_rdf_deep_free(basename_rdf);
970#else
971 for (i = 0; i < ldns_rr_list_rr_count(usable_tlsas); i++) {
972 tlsa_rr = ldns_rr_list_rr(usable_tlsas, i);
973 ps = s;
974 s = ldns_dane_verify_rr(tlsa_rr, cert, extra_certs,
975 pkix_validation_store);
976
977 if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH &&
978 s != LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE &&
979 s != LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA) {
980
981 /* which would be LDNS_STATUS_OK (match)
982 * or some fatal error preventing use from
983 * trying the next TLSA record.
984 */
985 break;
986 }
987 s = (s > ps ? s : ps); /* pref NEED_OPENSSL_GE_1_1_FOR_DANE_TA
988 * over PKIX_DID_NOT_VALIDATE
989 * over TLSA_DID_NOT_MATCH
990 */
991 }
992#endif
993 ldns_rr_list_free(usable_tlsas);
994 return s;
995}
996#endif /* USE_DANE_VERIFY */
997#endif /* HAVE_SSL */
998#endif /* USE_DANE */
ldns_dane_cert2rdf
ldns_status ldns_dane_cert2rdf(ldns_rdf **rdf, X509 *cert, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type)
Creates a LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded usin...
Definition dane.c:134
ldns_dane_create_tlsa_rr
ldns_status ldns_dane_create_tlsa_rr(ldns_rr **tlsa, ldns_tlsa_certificate_usage certificate_usage, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type, X509 *cert)
Creates a TLSA resource record from the certificate.
Definition dane.c:511
NoOpenSSLv2
const long NoOpenSSLv2
Definition dane.c:44
NoOpenSSLCompression
const long NoOpenSSLCompression
Definition dane.c:64
ldns_dane_select_certificate
ldns_status ldns_dane_select_certificate(X509 **selected_cert, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store, ldns_tlsa_certificate_usage cert_usage, int offset)
Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cer...
Definition dane.c:405
NoOpenSSLv3
const long NoOpenSSLv3
Definition dane.c:49
NoOpenDTLSv1
const long NoOpenDTLSv1
Definition dane.c:59
ldns_dane_create_tlsa_owner
ldns_status ldns_dane_create_tlsa_owner(ldns_rdf **tlsa_owner, const ldns_rdf *name, uint16_t port, ldns_dane_transport transport)
Creates a dname consisting of the given name, prefixed by the service port and type of transport: _po...
Definition dane.c:90
NoOpenTLSv1
const long NoOpenTLSv1
Definition dane.c:54
dane.h
This module contains base functions for creating and verifying TLSA RR's with PKIX certificates,...
LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO
@ LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO
Definition dane.h:77
LDNS_TLSA_SELECTOR_FULL_CERTIFICATE
@ LDNS_TLSA_SELECTOR_FULL_CERTIFICATE
Definition dane.h:70
ldns_tlsa_selector
enum ldns_enum_tlsa_selector ldns_tlsa_selector
Definition dane.h:82
ldns_dane_transport
enum ldns_enum_dane_transport ldns_dane_transport
Definition dane.h:115
LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT
@ LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT
Definition dane.h:48
LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE
@ LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE
Definition dane.h:54
LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION
@ LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION
Definition dane.h:51
LDNS_TLSA_USAGE_CA_CONSTRAINT
@ LDNS_TLSA_USAGE_CA_CONSTRAINT
Definition dane.h:45
ldns_dane_verify_rr
ldns_status ldns_dane_verify_rr(const ldns_rr *tlsa_rr, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones pr...
ldns_dane_verify
ldns_status ldns_dane_verify(const ldns_rr_list *tlsas, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones pr...
ldns_tlsa_certificate_usage
enum ldns_enum_tlsa_certificate_usage ldns_tlsa_certificate_usage
Definition dane.h:58
ldns_tlsa_matching_type
enum ldns_enum_tlsa_matching_type ldns_tlsa_matching_type
Definition dane.h:101
LDNS_DANE_TRANSPORT_UDP
@ LDNS_DANE_TRANSPORT_UDP
UDP.
Definition dane.h:111
LDNS_DANE_TRANSPORT_TCP
@ LDNS_DANE_TRANSPORT_TCP
TCP.
Definition dane.h:109
LDNS_DANE_TRANSPORT_SCTP
@ LDNS_DANE_TRANSPORT_SCTP
SCTP.
Definition dane.h:113
LDNS_TLSA_MATCHING_TYPE_SHA256
@ LDNS_TLSA_MATCHING_TYPE_SHA256
Definition dane.h:94
LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED
@ LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED
Definition dane.h:91
LDNS_TLSA_MATCHING_TYPE_SHA512
@ LDNS_TLSA_MATCHING_TYPE_SHA512
Definition dane.h:97
ldns_dname_clone_from
ldns_rdf * ldns_dname_clone_from(const ldns_rdf *d, uint16_t n)
Clones the given dname from the nth label on.
Definition dname.c:160
LDNS_STATUS_DANE_UNKNOWN_SELECTOR
@ LDNS_STATUS_DANE_UNKNOWN_SELECTOR
Definition error.h:108
LDNS_STATUS_DANE_UNKNOWN_TRANSPORT
@ LDNS_STATUS_DANE_UNKNOWN_TRANSPORT
Definition error.h:111
LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE
@ LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE
Definition error.h:119
LDNS_STATUS_SSL_ERR
@ LDNS_STATUS_SSL_ERR
Definition error.h:36
LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA
@ LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA
Definition error.h:132
LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH
@ LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH
Definition error.h:117
LDNS_STATUS_ERR
@ LDNS_STATUS_ERR
Definition error.h:37
LDNS_STATUS_MEM_ERR
@ LDNS_STATUS_MEM_ERR
Definition error.h:34
LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE
@ LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE
Definition error.h:109
LDNS_STATUS_DANE_NON_CA_CERTIFICATE
@ LDNS_STATUS_DANE_NON_CA_CERTIFICATE
Definition error.h:118
LDNS_STATUS_OK
@ LDNS_STATUS_OK
Definition error.h:26
LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE
@ LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE
Definition error.h:114
LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE
@ LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE
Definition error.h:107
LDNS_STATUS_DOMAINNAME_OVERFLOW
@ LDNS_STATUS_DOMAINNAME_OVERFLOW
Definition error.h:29
LDNS_STATUS_DANE_PKIX_NO_SELF_SIGNED_TRUST_ANCHOR
@ LDNS_STATUS_DANE_PKIX_NO_SELF_SIGNED_TRUST_ANCHOR
Definition error.h:120
ldns_status
enum ldns_enum_status ldns_status
Definition error.h:148
ldns_rdf2str
char * ldns_rdf2str(const ldns_rdf *rdf)
Converts the data in the rdata field to presentation format and returns that as a char *.
Definition host2str.c:3276
ldns.h
Including this file will include all ldns files, and define some lookup tables.
ldns_rdf_data
uint8_t * ldns_rdf_data(const ldns_rdf *rd)
returns the data of the rdf.
Definition rdata.c:38
ldns_rdf_get_type
ldns_rdf_type ldns_rdf_get_type(const ldns_rdf *rd)
returns the type of the rdf.
Definition rdata.c:31
ldns_rdf_new_frm_data
ldns_rdf * ldns_rdf_new_frm_data(ldns_rdf_type type, size_t size, const void *data)
allocates a new rdf structure and fills it.
Definition rdata.c:193
ldns_rdf_deep_free
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
Definition rdata.c:230
ldns_native2rdf_int8
ldns_rdf * ldns_native2rdf_int8(ldns_rdf_type type, uint8_t value)
returns the rdf containing the native uint8_t repr.
Definition rdata.c:126
ldns_rdf2native_int8
uint8_t ldns_rdf2native_int8(const ldns_rdf *rd)
returns the native uint8_t representation from the rdf.
Definition rdata.c:70
LDNS_RDF_TYPE_DNAME
@ LDNS_RDF_TYPE_DNAME
domain name
Definition rdata.h:50
LDNS_RDF_TYPE_HEX
@ LDNS_RDF_TYPE_HEX
hex string
Definition rdata.h:70
LDNS_RDF_TYPE_INT8
@ LDNS_RDF_TYPE_INT8
8 bits
Definition rdata.h:52
ldns_rdf_size
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
Definition rdata.c:24
ldns_rdf_new
ldns_rdf * ldns_rdf_new(ldns_rdf_type type, size_t size, void *data)
allocates a new rdf structure and fills it.
Definition rdata.c:179
ldns_rdf_free
void ldns_rdf_free(ldns_rdf *rd)
frees a rdf structure, leaving the data pointer intact.
Definition rdata.c:241
ldns_rdf_compare
int ldns_rdf_compare(const ldns_rdf *rd1, const ldns_rdf *rd2)
compares two rdf's on their wire formats.
Definition rdata.c:657
ldns_rr_list_free
void ldns_rr_list_free(ldns_rr_list *rr_list)
frees an rr_list structure.
Definition rr.c:1015
ldns_rr_free
void ldns_rr_free(ldns_rr *rr)
frees an RR structure
Definition rr.c:81
ldns_rr_list_new
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
Definition rr.c:1004
ldns_rr_list_owner
ldns_rdf * ldns_rr_list_owner(const ldns_rr_list *rr_list)
Returns the owner domain name rdf of the first element of the RR If there are no elements present,...
Definition rr.c:2789
ldns_rr_new_frm_type
ldns_rr * ldns_rr_new_frm_type(ldns_rr_type t)
creates a new rr structure, based on the given type.
Definition rr.c:48
LDNS_RR_TYPE_TLSA
@ LDNS_RR_TYPE_TLSA
Definition rr.h:179
ldns_rr_list_push_rr
signed char ldns_rr_list_push_rr(ldns_rr_list *rr_list, const ldns_rr *rr)
pushes an rr to an rrlist.
Definition rr.c:1136
ldns_rr_rd_count
size_t ldns_rr_rd_count(const ldns_rr *rr)
returns the rd_count of an rr structure.
Definition rr.c:941
ldns_rr_rdf
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
Definition rr.c:913
ldns_rr_list_rr_count
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
Definition rr.c:961
ldns_rr_get_type
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
Definition rr.c:947
ldns_rr_set_rdf
ldns_rdf * ldns_rr_set_rdf(ldns_rr *rr, const ldns_rdf *f, size_t position)
sets a rdf member, it will be set on the position given.
Definition rr.c:844
ldns_rr_list_rr
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
Definition rr.c:994
LDNS_MAX_DOMAINLEN
#define LDNS_MAX_DOMAINLEN
Maximum length of a complete dname.
Definition rr.h:33
ldns_sha256
unsigned char * ldns_sha256(const unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition sha2.c:624
ldns_sha512
unsigned char * ldns_sha512(const unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition sha2.c:938
LDNS_SHA512_DIGEST_LENGTH
#define LDNS_SHA512_DIGEST_LENGTH
Definition sha2.h:69
LDNS_SHA256_DIGEST_LENGTH
#define LDNS_SHA256_DIGEST_LENGTH
Definition sha2.h:63
ldns_struct_rdf
Resource record data field.
Definition rdata.h:197
ldns_struct_rr_list
List or Set of Resource Records.
Definition rr.h:346
ldns_struct_rr
Resource Record.
Definition rr.h:318
LDNS_FREE
#define LDNS_FREE(ptr)
Definition util.h:60
LDNS_XMALLOC
#define LDNS_XMALLOC(type, count)
Definition util.h:51