ldns  1.7.0
dane.c
Go to the documentation of this file.
1 /*
2  * Verify or create TLS authentication with DANE (RFC6698)
3  *
4  * (c) NLnetLabs 2012
5  *
6  * See the file LICENSE for the license.
7  *
8  */
9 
10 #include <ldns/config.h>
11 #ifdef USE_DANE
12 
13 #include <ldns/ldns.h>
14 #include <ldns/dane.h>
15 
16 #include <unistd.h>
17 #include <stdlib.h>
18 #include <sys/types.h>
19 #ifdef HAVE_SYS_SOCKET_H
20 #include <sys/socket.h>
21 #endif
22 #ifdef HAVE_NETDB_H
23 #include <netdb.h>
24 #endif
25 
26 #ifdef HAVE_SSL
27 #include <openssl/ssl.h>
28 #include <openssl/err.h>
29 #include <openssl/x509v3.h>
30 #endif
31 
32 ldns_status
33 ldns_dane_create_tlsa_owner(ldns_rdf** tlsa_owner, const ldns_rdf* name,
34  uint16_t port, ldns_dane_transport transport)
35 {
36  char buf[LDNS_MAX_DOMAINLEN];
37  size_t s;
38 
39  assert(tlsa_owner != NULL);
40  assert(name != NULL);
41  assert(ldns_rdf_get_type(name) == LDNS_RDF_TYPE_DNAME);
42 
43  s = (size_t)snprintf(buf, LDNS_MAX_DOMAINLEN, "X_%d", (int)port);
44  buf[0] = (char)(s - 1);
45 
46  switch(transport) {
47  case LDNS_DANE_TRANSPORT_TCP:
48  s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\004_tcp");
49  break;
50 
51  case LDNS_DANE_TRANSPORT_UDP:
52  s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\004_udp");
53  break;
54 
55  case LDNS_DANE_TRANSPORT_SCTP:
56  s += snprintf(buf + s, LDNS_MAX_DOMAINLEN - s, "\005_sctp");
57  break;
58 
59  default:
60  return LDNS_STATUS_DANE_UNKNOWN_TRANSPORT;
61  }
62  if (s + ldns_rdf_size(name) > LDNS_MAX_DOMAINLEN) {
63  return LDNS_STATUS_DOMAINNAME_OVERFLOW;
64  }
65  memcpy(buf + s, ldns_rdf_data(name), ldns_rdf_size(name));
66  *tlsa_owner = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_DNAME,
67  s + ldns_rdf_size(name), buf);
68  if (*tlsa_owner == NULL) {
69  return LDNS_STATUS_MEM_ERR;
70  }
71  return LDNS_STATUS_OK;
72 }
73 
74 
75 #ifdef HAVE_SSL
76 ldns_status
77 ldns_dane_cert2rdf(ldns_rdf** rdf, X509* cert,
78  ldns_tlsa_selector selector,
79  ldns_tlsa_matching_type matching_type)
80 {
81  unsigned char* buf = NULL;
82  size_t len;
83 
84  X509_PUBKEY* xpubkey;
85  EVP_PKEY* epubkey;
86 
87  unsigned char* digest;
88 
89  assert(rdf != NULL);
90  assert(cert != NULL);
91 
92  switch(selector) {
93  case LDNS_TLSA_SELECTOR_FULL_CERTIFICATE:
94 
95  len = (size_t)i2d_X509(cert, &buf);
96  break;
97 
98  case LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO:
99 
100 #ifndef S_SPLINT_S
101  xpubkey = X509_get_X509_PUBKEY(cert);
102 #endif
103  if (! xpubkey) {
104  return LDNS_STATUS_SSL_ERR;
105  }
106  epubkey = X509_PUBKEY_get(xpubkey);
107  if (! epubkey) {
108  return LDNS_STATUS_SSL_ERR;
109  }
110  len = (size_t)i2d_PUBKEY(epubkey, &buf);
111  break;
112 
113  default:
114  return LDNS_STATUS_DANE_UNKNOWN_SELECTOR;
115  }
116 
117  switch(matching_type) {
118  case LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED:
119 
120  *rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, len, buf);
121 
122  return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
123  break;
124 
125  case LDNS_TLSA_MATCHING_TYPE_SHA256:
126 
127  digest = LDNS_XMALLOC(unsigned char, LDNS_SHA256_DIGEST_LENGTH);
128  if (digest == NULL) {
129  LDNS_FREE(buf);
130  return LDNS_STATUS_MEM_ERR;
131  }
132  (void) ldns_sha256(buf, (unsigned int)len, digest);
133  *rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, LDNS_SHA256_DIGEST_LENGTH,
134  digest);
135  LDNS_FREE(buf);
136 
137  return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
138  break;
139 
140  case LDNS_TLSA_MATCHING_TYPE_SHA512:
141 
142  digest = LDNS_XMALLOC(unsigned char, LDNS_SHA512_DIGEST_LENGTH);
143  if (digest == NULL) {
144  LDNS_FREE(buf);
145  return LDNS_STATUS_MEM_ERR;
146  }
147  (void) ldns_sha512(buf, (unsigned int)len, digest);
148  *rdf = ldns_rdf_new(LDNS_RDF_TYPE_HEX, LDNS_SHA512_DIGEST_LENGTH,
149  digest);
150  LDNS_FREE(buf);
151 
152  return *rdf ? LDNS_STATUS_OK : LDNS_STATUS_MEM_ERR;
153  break;
154 
155  default:
156  LDNS_FREE(buf);
157  return LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE;
158  }
159 }
160 
161 
162 /* Ordinary PKIX validation of cert (with extra_certs to help)
163  * against the CA's in store
164  */
165 static ldns_status
166 ldns_dane_pkix_validate(X509* cert, STACK_OF(X509)* extra_certs,
167  X509_STORE* store)
168 {
169  X509_STORE_CTX* vrfy_ctx;
170  ldns_status s;
171 
172  if (! store) {
173  return LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
174  }
175  vrfy_ctx = X509_STORE_CTX_new();
176  if (! vrfy_ctx) {
177 
178  return LDNS_STATUS_SSL_ERR;
179 
180  } else if (X509_STORE_CTX_init(vrfy_ctx, store,
181  cert, extra_certs) != 1) {
182  s = LDNS_STATUS_SSL_ERR;
183 
184  } else if (X509_verify_cert(vrfy_ctx) == 1) {
185 
186  s = LDNS_STATUS_OK;
187 
188  } else {
189  s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
190  }
191  X509_STORE_CTX_free(vrfy_ctx);
192  return s;
193 }
194 
195 
196 /* Orinary PKIX validation of cert (with extra_certs to help)
197  * against the CA's in store, but also return the validation chain.
198  */
199 static ldns_status
200 ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert,
201  STACK_OF(X509)* extra_certs, X509_STORE* store)
202 {
203  ldns_status s;
204  X509_STORE* empty_store = NULL;
205  X509_STORE_CTX* vrfy_ctx;
206 
207  assert(chain != NULL);
208 
209  if (! store) {
210  store = empty_store = X509_STORE_new();
211  }
212  s = LDNS_STATUS_SSL_ERR;
213  vrfy_ctx = X509_STORE_CTX_new();
214  if (! vrfy_ctx) {
215 
216  goto exit_free_empty_store;
217 
218  } else if (X509_STORE_CTX_init(vrfy_ctx, store,
219  cert, extra_certs) != 1) {
220  goto exit_free_vrfy_ctx;
221 
222  } else if (X509_verify_cert(vrfy_ctx) == 1) {
223 
224  s = LDNS_STATUS_OK;
225 
226  } else {
227  s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
228  }
229  *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
230  if (! *chain) {
231  s = LDNS_STATUS_SSL_ERR;
232  }
233 
234 exit_free_vrfy_ctx:
235  X509_STORE_CTX_free(vrfy_ctx);
236 
237 exit_free_empty_store:
238  if (empty_store) {
239  X509_STORE_free(empty_store);
240  }
241  return s;
242 }
243 
244 
245 /* Return the validation chain that can be build out of cert, with extra_certs.
246  */
247 static ldns_status
248 ldns_dane_pkix_get_chain(STACK_OF(X509)** chain,
249  X509* cert, STACK_OF(X509)* extra_certs)
250 {
251  ldns_status s;
252  X509_STORE* empty_store = NULL;
253  X509_STORE_CTX* vrfy_ctx;
254 
255  assert(chain != NULL);
256 
257  empty_store = X509_STORE_new();
258  s = LDNS_STATUS_SSL_ERR;
259  vrfy_ctx = X509_STORE_CTX_new();
260  if (! vrfy_ctx) {
261 
262  goto exit_free_empty_store;
263 
264  } else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
265  cert, extra_certs) != 1) {
266  goto exit_free_vrfy_ctx;
267  }
268  (void) X509_verify_cert(vrfy_ctx);
269  *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
270  if (! *chain) {
271  s = LDNS_STATUS_SSL_ERR;
272  } else {
273  s = LDNS_STATUS_OK;
274  }
275 exit_free_vrfy_ctx:
276  X509_STORE_CTX_free(vrfy_ctx);
277 
278 exit_free_empty_store:
279  X509_STORE_free(empty_store);
280  return s;
281 }
282 
283 
284 /* Pop n+1 certs and return the last popped.
285  */
286 static ldns_status
287 ldns_dane_get_nth_cert_from_validation_chain(
288  X509** cert, STACK_OF(X509)* chain, int n, bool ca)
289 {
290  if (n >= sk_X509_num(chain) || n < 0) {
291  return LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE;
292  }
293  *cert = sk_X509_pop(chain);
294  while (n-- > 0) {
295  X509_free(*cert);
296  *cert = sk_X509_pop(chain);
297  }
298  if (ca && ! X509_check_ca(*cert)) {
299  return LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
300  }
301  return LDNS_STATUS_OK;
302 }
303 
304 
305 /* Create validation chain with cert and extra_certs and returns the last
306  * self-signed (if present).
307  */
308 static ldns_status
309 ldns_dane_pkix_get_last_self_signed(X509** out_cert,
310  X509* cert, STACK_OF(X509)* extra_certs)
311 {
312  ldns_status s;
313  X509_STORE* empty_store = NULL;
314  X509_STORE_CTX* vrfy_ctx;
315 
316  assert(out_cert != NULL);
317 
318  empty_store = X509_STORE_new();
319  s = LDNS_STATUS_SSL_ERR;
320  vrfy_ctx = X509_STORE_CTX_new();
321  if (! vrfy_ctx) {
322  goto exit_free_empty_store;
323 
324  } else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
325  cert, extra_certs) != 1) {
326  goto exit_free_vrfy_ctx;
327 
328  }
329  (void) X509_verify_cert(vrfy_ctx);
330  if (X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
331  X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
332 
333  *out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx);
334  s = LDNS_STATUS_OK;
335  } else {
336  s = LDNS_STATUS_DANE_PKIX_NO_SELF_SIGNED_TRUST_ANCHOR;
337  }
338 exit_free_vrfy_ctx:
339  X509_STORE_CTX_free(vrfy_ctx);
340 
341 exit_free_empty_store:
342  X509_STORE_free(empty_store);
343  return s;
344 }
345 
346 
347 ldns_status
348 ldns_dane_select_certificate(X509** selected_cert,
349  X509* cert, STACK_OF(X509)* extra_certs,
350  X509_STORE* pkix_validation_store,
351  ldns_tlsa_certificate_usage cert_usage, int offset)
352 {
353  ldns_status s;
354  STACK_OF(X509)* pkix_validation_chain = NULL;
355 
356  assert(selected_cert != NULL);
357  assert(cert != NULL);
358 
359  /* With PKIX validation explicitly turned off (pkix_validation_store
360  * == NULL), treat the "CA constraint" and "Service certificate
361  * constraint" the same as "Trust anchor assertion" and "Domain issued
362  * certificate" respectively.
363  */
364  if (pkix_validation_store == NULL) {
365  switch (cert_usage) {
366 
367  case LDNS_TLSA_USAGE_CA_CONSTRAINT:
368 
369  cert_usage = LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION;
370  break;
371 
372  case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
373 
374  cert_usage = LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
375  break;
376 
377  default:
378  break;
379  }
380  }
381 
382  /* Now what to do with each Certificate usage...
383  */
384  switch (cert_usage) {
385 
386  case LDNS_TLSA_USAGE_CA_CONSTRAINT:
387 
388  s = ldns_dane_pkix_validate_and_get_chain(
389  &pkix_validation_chain,
390  cert, extra_certs,
391  pkix_validation_store);
392  if (! pkix_validation_chain) {
393  return s;
394  }
395  if (s == LDNS_STATUS_OK) {
396  if (offset == -1) {
397  offset = 0;
398  }
399  s = ldns_dane_get_nth_cert_from_validation_chain(
400  selected_cert, pkix_validation_chain,
401  offset, true);
402  }
403  sk_X509_pop_free(pkix_validation_chain, X509_free);
404  return s;
405  break;
406 
407 
408  case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
409 
410  *selected_cert = cert;
411  return ldns_dane_pkix_validate(cert, extra_certs,
412  pkix_validation_store);
413  break;
414 
415 
416  case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
417 
418  if (offset == -1) {
419  s = ldns_dane_pkix_get_last_self_signed(
420  selected_cert, cert, extra_certs);
421  return s;
422  } else {
423  s = ldns_dane_pkix_get_chain(
424  &pkix_validation_chain,
425  cert, extra_certs);
426  if (s == LDNS_STATUS_OK) {
427  s =
428  ldns_dane_get_nth_cert_from_validation_chain(
429  selected_cert, pkix_validation_chain,
430  offset, false);
431  } else if (! pkix_validation_chain) {
432  return s;
433  }
434  sk_X509_pop_free(pkix_validation_chain, X509_free);
435  return s;
436  }
437  break;
438 
439 
440  case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
441 
442  *selected_cert = cert;
443  return LDNS_STATUS_OK;
444  break;
445 
446  default:
447  return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
448  break;
449  }
450 }
451 
452 
453 ldns_status
454 ldns_dane_create_tlsa_rr(ldns_rr** tlsa,
455  ldns_tlsa_certificate_usage certificate_usage,
456  ldns_tlsa_selector selector,
457  ldns_tlsa_matching_type matching_type,
458  X509* cert)
459 {
460  ldns_rdf* rdf;
461  ldns_status s;
462 
463  assert(tlsa != NULL);
464  assert(cert != NULL);
465 
466  /* create rr */
467  *tlsa = ldns_rr_new_frm_type(LDNS_RR_TYPE_TLSA);
468  if (*tlsa == NULL) {
469  return LDNS_STATUS_MEM_ERR;
470  }
471 
472  rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
473  (uint8_t)certificate_usage);
474  if (rdf == NULL) {
475  goto memerror;
476  }
477  (void) ldns_rr_set_rdf(*tlsa, rdf, 0);
478 
479  rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, (uint8_t)selector);
480  if (rdf == NULL) {
481  goto memerror;
482  }
483  (void) ldns_rr_set_rdf(*tlsa, rdf, 1);
484 
485  rdf = ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, (uint8_t)matching_type);
486  if (rdf == NULL) {
487  goto memerror;
488  }
489  (void) ldns_rr_set_rdf(*tlsa, rdf, 2);
490 
491  s = ldns_dane_cert2rdf(&rdf, cert, selector, matching_type);
492  if (s == LDNS_STATUS_OK) {
493  (void) ldns_rr_set_rdf(*tlsa, rdf, 3);
494  return LDNS_STATUS_OK;
495  }
496  ldns_rr_free(*tlsa);
497  *tlsa = NULL;
498  return s;
499 
500 memerror:
501  ldns_rr_free(*tlsa);
502  *tlsa = NULL;
503  return LDNS_STATUS_MEM_ERR;
504 }
505 
506 
507 #ifdef USE_DANE_VERIFY
508 /* Return tlsas that actually are TLSA resource records with known values
509  * for the Certificate usage, Selector and Matching type rdata fields.
510  */
511 static ldns_rr_list*
512 ldns_dane_filter_unusable_records(const ldns_rr_list* tlsas)
513 {
514  size_t i;
515  ldns_rr_list* r = ldns_rr_list_new();
516  ldns_rr* tlsa_rr;
517 
518  if (! r) {
519  return NULL;
520  }
521  for (i = 0; i < ldns_rr_list_rr_count(tlsas); i++) {
522  tlsa_rr = ldns_rr_list_rr(tlsas, i);
523  if (ldns_rr_get_type(tlsa_rr) == LDNS_RR_TYPE_TLSA &&
524  ldns_rr_rd_count(tlsa_rr) == 4 &&
525  ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) <= 3 &&
526  ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)) <= 1 &&
527  ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)) <= 2) {
528 
529  if (! ldns_rr_list_push_rr(r, tlsa_rr)) {
530  ldns_rr_list_free(r);
531  return NULL;
532  }
533  }
534  }
535  return r;
536 }
537 
538 
539 #if !defined(USE_DANE_TA_USAGE)
540 /* Return whether cert/selector/matching_type matches data.
541  */
542 static ldns_status
543 ldns_dane_match_cert_with_data(X509* cert, ldns_tlsa_selector selector,
544  ldns_tlsa_matching_type matching_type, ldns_rdf* data)
545 {
546  ldns_status s;
547  ldns_rdf* match_data;
548 
549  s = ldns_dane_cert2rdf(&match_data, cert, selector, matching_type);
550  if (s == LDNS_STATUS_OK) {
551  if (ldns_rdf_compare(data, match_data) != 0) {
552  s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
553  }
554  ldns_rdf_free(match_data);
555  }
556  return s;
557 }
558 
559 
560 /* Return whether any certificate from the chain with selector/matching_type
561  * matches data.
562  * ca should be true if the certificate has to be a CA certificate too.
563  */
564 static ldns_status
565 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
566  ldns_tlsa_selector selector,
567  ldns_tlsa_matching_type matching_type,
568  ldns_rdf* data, bool ca)
569 {
570  ldns_status s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
571  size_t n, i;
572  X509* cert;
573 
574  n = (size_t)sk_X509_num(chain);
575  for (i = 0; i < n; i++) {
576  cert = sk_X509_pop(chain);
577  if (! cert) {
578  s = LDNS_STATUS_SSL_ERR;
579  break;
580  }
581  s = ldns_dane_match_cert_with_data(cert,
582  selector, matching_type, data);
583  if (ca && s == LDNS_STATUS_OK && ! X509_check_ca(cert)) {
584  s = LDNS_STATUS_DANE_NON_CA_CERTIFICATE;
585  }
586  X509_free(cert);
587  if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) {
588  break;
589  }
590  /* when s == LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH,
591  * try to match the next certificate
592  */
593  }
594  return s;
595 }
596 #endif /* !defined(USE_DANE_TA_USAGE) */
597 #endif /* USE_DANE_VERIFY */
598 
599 #ifdef USE_DANE_VERIFY
600 ldns_status
601 ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
602  X509* cert, STACK_OF(X509)* extra_certs,
603  X509_STORE* pkix_validation_store)
604 {
605 #if defined(USE_DANE_TA_USAGE)
606  SSL_CTX *ssl_ctx = NULL;
607  SSL *ssl = NULL;
608  X509_STORE_CTX *store_ctx = NULL;
609 #else
610  STACK_OF(X509)* pkix_validation_chain = NULL;
611 #endif
612  ldns_status s = LDNS_STATUS_OK;
613 
614  ldns_tlsa_certificate_usage usage;
615  ldns_tlsa_selector selector;
616  ldns_tlsa_matching_type mtype;
617  ldns_rdf* data;
618 
619  if (! tlsa_rr || ldns_rr_get_type(tlsa_rr) != LDNS_RR_TYPE_TLSA ||
620  ldns_rr_rd_count(tlsa_rr) != 4 ||
621  ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) > 3 ||
622  ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)) > 1 ||
623  ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)) > 2 ) {
624  /* No (usable) TLSA, so regular PKIX validation
625  */
626  return ldns_dane_pkix_validate(cert, extra_certs,
627  pkix_validation_store);
628  }
629  usage = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0));
630  selector = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1));
631  mtype = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2));
632  data = ldns_rr_rdf(tlsa_rr, 3) ;
633 
634 #if defined(USE_DANE_TA_USAGE)
635  /* Rely on OpenSSL dane functions.
636  *
637  * OpenSSL does not provide offline dane verification. The dane unit
638  * tests within openssl use the undocumented SSL_get0_dane() and
639  * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and
640  * SSL_CTX to a X509_STORE_CTX that can be used to do offline
641  * verification. We use these undocumented means with the ldns
642  * dane function prototypes which did only offline dane verification.
643  */
644  if (!(ssl_ctx = SSL_CTX_new(TLS_client_method())))
645  s = LDNS_STATUS_MEM_ERR;
646 
647  else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
648  s = LDNS_STATUS_SSL_ERR;
649 
650  else if (SSL_CTX_dane_set_flags(
651  ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
652  !(ssl = SSL_new(ssl_ctx)))
653  s = LDNS_STATUS_MEM_ERR;
654 
655  else if (SSL_set_connect_state(ssl),
656  (SSL_dane_enable(ssl, NULL) <= 0))
657  s = LDNS_STATUS_SSL_ERR;
658 
659  else if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
660  ldns_rdf_data(data), ldns_rdf_size(data)) <= 0)
661  s = LDNS_STATUS_SSL_ERR;
662 
663  else if (!(store_ctx = X509_STORE_CTX_new()))
664  s = LDNS_STATUS_MEM_ERR;
665 
666  else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
667  s = LDNS_STATUS_SSL_ERR;
668 
669  else {
670  int ret;
671 
672  X509_STORE_CTX_set_default(store_ctx,
673  SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
674  X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
675  SSL_get0_param(ssl));
676  X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
677  if (SSL_get_verify_callback(ssl))
678  X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
679 
680  ret = X509_verify_cert(store_ctx);
681  if (!ret) {
682  if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
683  s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
684  else
685  s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
686  }
687  X509_STORE_CTX_cleanup(store_ctx);
688  }
689  if (store_ctx)
690  X509_STORE_CTX_free(store_ctx);
691  if (ssl)
692  SSL_free(ssl);
693  if (ssl_ctx)
694  SSL_CTX_free(ssl_ctx);
695  return s;
696 #else
697  switch (usage) {
698  case LDNS_TLSA_USAGE_CA_CONSTRAINT:
699  s = ldns_dane_pkix_validate_and_get_chain(
700  &pkix_validation_chain,
701  cert, extra_certs,
702  pkix_validation_store);
703  if (! pkix_validation_chain) {
704  return s;
705  }
706  if (s == LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE) {
707  /*
708  * NO PKIX validation. We still try to match *any*
709  * certificate from the chain, so we return
710  * TLSA errors over PKIX errors.
711  *
712  * i.e. When the TLSA matches no certificate, we return
713  * TLSA_DID_NOT_MATCH and not PKIX_DID_NOT_VALIDATE
714  */
715  s = ldns_dane_match_any_cert_with_data(
716  pkix_validation_chain,
717  selector, mtype, data, true);
718 
719  if (s == LDNS_STATUS_OK) {
720  /* A TLSA record did match a cert from the
721  * chain, thus the error is failed PKIX
722  * validation.
723  */
724  s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
725  }
726 
727  } else if (s == LDNS_STATUS_OK) {
728  /* PKIX validated, does the TLSA match too? */
729 
730  s = ldns_dane_match_any_cert_with_data(
731  pkix_validation_chain,
732  selector, mtype, data, true);
733  }
734  sk_X509_pop_free(pkix_validation_chain, X509_free);
735  return s;
736  break;
737 
738  case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
739 
740  s = ldns_dane_match_cert_with_data(cert,
741  selector, mtype, data);
742 
743  if (s == LDNS_STATUS_OK) {
744  return ldns_dane_pkix_validate(cert, extra_certs,
745  pkix_validation_store);
746  }
747  return s;
748  break;
749 
750  case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
751 #if 0
752  s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
753  cert, extra_certs);
754 
755  if (s == LDNS_STATUS_OK) {
756  s = ldns_dane_match_any_cert_with_data(
757  pkix_validation_chain,
758  selector, mtype, data, false);
759 
760  } else if (! pkix_validation_chain) {
761  return s;
762  }
763  sk_X509_pop_free(pkix_validation_chain, X509_free);
764  return s;
765 #else
766  return LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA;
767 #endif
768  break;
769 
770  case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
771  return ldns_dane_match_cert_with_data(cert,
772  selector, mtype, data);
773  break;
774 
775  default:
776  break;
777  }
778 #endif
779  return LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE;
780 }
781 
782 
783 ldns_status
784 ldns_dane_verify(const ldns_rr_list* tlsas,
785  X509* cert, STACK_OF(X509)* extra_certs,
786  X509_STORE* pkix_validation_store)
787 {
788 #if defined(USE_DANE_TA_USAGE)
789  SSL_CTX *ssl_ctx = NULL;
790  ldns_rdf *basename_rdf = NULL;
791  char *basename = NULL;
792  SSL *ssl = NULL;
793  X509_STORE_CTX *store_ctx = NULL;
794 #else
795  ldns_status ps;
796 #endif
797  size_t i;
798  ldns_rr* tlsa_rr;
799  ldns_rr_list *usable_tlsas;
800  ldns_status s = LDNS_STATUS_OK;
801 
802  assert(cert != NULL);
803 
804  if (! tlsas || ldns_rr_list_rr_count(tlsas) == 0)
805  /* No TLSA's, so regular PKIX validation
806  */
807  return ldns_dane_pkix_validate(cert, extra_certs,
808  pkix_validation_store);
809 
810 /* To enable name checks (which we don't) */
811 #if defined(USE_DANE_TA_USAGE) && 0
812  else if (!(basename_rdf = ldns_dname_clone_from(
813  ldns_rr_list_owner(tlsas), 2)))
814  /* Could nog get DANE base name */
815  s = LDNS_STATUS_ERR;
816 
817  else if (!(basename = ldns_rdf2str(basename_rdf)))
818  s = LDNS_STATUS_MEM_ERR;
819 
820  else if (strlen(basename) && (basename[strlen(basename)-1] = 0))
821  s = LDNS_STATUS_ERR; /* Intended to be unreachable */
822 #endif
823 
824  else if (!(usable_tlsas = ldns_dane_filter_unusable_records(tlsas)))
825  return LDNS_STATUS_MEM_ERR;
826 
827  else if (ldns_rr_list_rr_count(usable_tlsas) == 0) {
828  /* No TLSA's, so regular PKIX validation
829  */
830  ldns_rr_list_free(usable_tlsas);
831  return ldns_dane_pkix_validate(cert, extra_certs,
832  pkix_validation_store);
833  }
834 #if defined(USE_DANE_TA_USAGE)
835  /* Rely on OpenSSL dane functions.
836  *
837  * OpenSSL does not provide offline dane verification. The dane unit
838  * tests within openssl use the undocumented SSL_get0_dane() and
839  * X509_STORE_CTX_set0_dane() to convey dane parameters set on SSL and
840  * SSL_CTX to a X509_STORE_CTX that can be used to do offline
841  * verification. We use these undocumented means with the ldns
842  * dane function prototypes which did only offline dane verification.
843  */
844  if (!(ssl_ctx = SSL_CTX_new(TLS_client_method())))
845  s = LDNS_STATUS_MEM_ERR;
846 
847  else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
848  s = LDNS_STATUS_SSL_ERR;
849 
850  else if (SSL_CTX_dane_set_flags(
851  ssl_ctx, DANE_FLAG_NO_DANE_EE_NAMECHECKS),
852  !(ssl = SSL_new(ssl_ctx)))
853  s = LDNS_STATUS_MEM_ERR;
854 
855  else if (SSL_set_connect_state(ssl),
856  (SSL_dane_enable(ssl, basename) <= 0))
857  s = LDNS_STATUS_SSL_ERR;
858 
859  else for (i = 0; i < ldns_rr_list_rr_count(usable_tlsas); i++) {
860  ldns_tlsa_certificate_usage usage;
861  ldns_tlsa_selector selector;
862  ldns_tlsa_matching_type mtype;
863  ldns_rdf* data;
864 
865  tlsa_rr = ldns_rr_list_rr(usable_tlsas, i);
866  usage = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,0));
867  selector= ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,1));
868  mtype = ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr,2));
869  data = ldns_rr_rdf(tlsa_rr,3) ;
870 
871  if (SSL_dane_tlsa_add(ssl, usage, selector, mtype,
872  ldns_rdf_data(data),
873  ldns_rdf_size(data)) <= 0) {
874  s = LDNS_STATUS_SSL_ERR;
875  break;
876  }
877  }
878  if (!s && !(store_ctx = X509_STORE_CTX_new()))
879  s = LDNS_STATUS_MEM_ERR;
880 
881  else if (!X509_STORE_CTX_init(store_ctx, pkix_validation_store, cert, extra_certs))
882  s = LDNS_STATUS_SSL_ERR;
883 
884  else {
885  int ret;
886 
887  X509_STORE_CTX_set_default(store_ctx,
888  SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
889  X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx),
890  SSL_get0_param(ssl));
891  X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl));
892  if (SSL_get_verify_callback(ssl))
893  X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl));
894 
895  ret = X509_verify_cert(store_ctx);
896  if (!ret) {
897  if (X509_STORE_CTX_get_error(store_ctx) == X509_V_ERR_DANE_NO_MATCH)
898  s = LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH;
899  else
900  s = LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE;
901  }
902  X509_STORE_CTX_cleanup(store_ctx);
903  }
904  if (store_ctx)
905  X509_STORE_CTX_free(store_ctx);
906  if (ssl)
907  SSL_free(ssl);
908  if (ssl_ctx)
909  SSL_CTX_free(ssl_ctx);
910  if (basename)
911  free(basename);
912  ldns_rdf_deep_free(basename_rdf);
913 #else
914  for (i = 0; i < ldns_rr_list_rr_count(usable_tlsas); i++) {
915  tlsa_rr = ldns_rr_list_rr(usable_tlsas, i);
916  ps = s;
917  s = ldns_dane_verify_rr(tlsa_rr, cert, extra_certs,
918  pkix_validation_store);
919 
920  if (s != LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH &&
921  s != LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE &&
922  s != LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA) {
923 
924  /* which would be LDNS_STATUS_OK (match)
925  * or some fatal error preventing use from
926  * trying the next TLSA record.
927  */
928  break;
929  }
930  s = (s > ps ? s : ps); /* pref NEED_OPENSSL_GE_1_1_FOR_DANE_TA
931  * over PKIX_DID_NOT_VALIDATE
932  * over TLSA_DID_NOT_MATCH
933  */
934  }
935 #endif
936  ldns_rr_list_free(usable_tlsas);
937  return s;
938 }
939 #endif /* USE_DANE_VERIFY */
940 #endif /* HAVE_SSL */
941 #endif /* USE_DANE */
ldns_rr_rdf
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
Definition: rr.c:895
ldns_struct_rr_list
List or Set of Resource Records.
Definition: rr.h:330
ldns_rdf_size
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
Definition: rdata.c:24
LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE
@ LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE
Definition: error.h:119
ldns_sha256
unsigned char * ldns_sha256(unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition: sha2.c:620
LDNS_TLSA_MATCHING_TYPE_SHA256
@ LDNS_TLSA_MATCHING_TYPE_SHA256
Definition: dane.h:94
LDNS_RDF_TYPE_HEX
@ LDNS_RDF_TYPE_HEX
hex string
Definition: rdata.h:70
LDNS_STATUS_SSL_ERR
@ LDNS_STATUS_SSL_ERR
Definition: error.h:36
LDNS_SHA256_DIGEST_LENGTH
#define LDNS_SHA256_DIGEST_LENGTH
Definition: sha2.h:70
LDNS_STATUS_DANE_UNKNOWN_SELECTOR
@ LDNS_STATUS_DANE_UNKNOWN_SELECTOR
Definition: error.h:108
ldns_dname_clone_from
ldns_rdf * ldns_dname_clone_from(const ldns_rdf *d, uint16_t n)
Clones the given dname from the nth label on.
Definition: dname.c:160
LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE
@ LDNS_STATUS_DANE_OFFSET_OUT_OF_RANGE
Definition: error.h:114
ldns_native2rdf_int8
ldns_rdf * ldns_native2rdf_int8(ldns_rdf_type type, uint8_t value)
returns the rdf containing the native uint8_t repr.
Definition: rdata.c:126
ldns_struct_rr
Resource Record.
Definition: rr.h:302
LDNS_FREE
#define LDNS_FREE(ptr)
Definition: util.h:60
LDNS_TLSA_MATCHING_TYPE_SHA512
@ LDNS_TLSA_MATCHING_TYPE_SHA512
Definition: dane.h:97
ldns_dane_create_tlsa_rr
ldns_status ldns_dane_create_tlsa_rr(ldns_rr **tlsa, ldns_tlsa_certificate_usage certificate_usage, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type, X509 *cert)
Creates a TLSA resource record from the certificate.
Definition: dane.c:454
LDNS_STATUS_OK
@ LDNS_STATUS_OK
Definition: error.h:26
LDNS_STATUS_ERR
@ LDNS_STATUS_ERR
Definition: error.h:37
LDNS_SHA512_DIGEST_LENGTH
#define LDNS_SHA512_DIGEST_LENGTH
Definition: sha2.h:76
ldns_rr_list_push_rr
bool ldns_rr_list_push_rr(ldns_rr_list *rr_list, const ldns_rr *rr)
pushes an rr to an rrlist.
Definition: rr.c:1118
LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA
@ LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA
Definition: error.h:132
ldns_sha512
unsigned char * ldns_sha512(unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition: sha2.c:931
ldns_dane_cert2rdf
ldns_status ldns_dane_cert2rdf(ldns_rdf **rdf, X509 *cert, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type)
Creates a LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded usin...
Definition: dane.c:77
LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH
@ LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH
Definition: error.h:117
ldns_tlsa_matching_type
enum ldns_enum_tlsa_matching_type ldns_tlsa_matching_type
Definition: dane.h:101
ldns_rdf2str
char * ldns_rdf2str(const ldns_rdf *rdf)
Converts the data in the rdata field to presentation format and returns that as a char *.
Definition: host2str.c:2288
LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION
@ LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION
Definition: dane.h:51
LDNS_STATUS_DANE_UNKNOWN_TRANSPORT
@ LDNS_STATUS_DANE_UNKNOWN_TRANSPORT
Definition: error.h:111
ldns_tlsa_certificate_usage
enum ldns_enum_tlsa_certificate_usage ldns_tlsa_certificate_usage
Definition: dane.h:58
LDNS_STATUS_DANE_PKIX_NO_SELF_SIGNED_TRUST_ANCHOR
@ LDNS_STATUS_DANE_PKIX_NO_SELF_SIGNED_TRUST_ANCHOR
Definition: error.h:120
ldns_rr_free
void ldns_rr_free(ldns_rr *rr)
frees an RR structure
Definition: rr.c:75
ldns_rr_list_owner
ldns_rdf * ldns_rr_list_owner(const ldns_rr_list *rr_list)
Returns the owner domain name rdf of the first element of the RR If there are no elements present,...
Definition: rr.c:2714
LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO
@ LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO
Definition: dane.h:77
ldns_rdf_new
ldns_rdf * ldns_rdf_new(ldns_rdf_type type, size_t size, void *data)
allocates a new rdf structure and fills it.
Definition: rdata.c:179
ldns_rdf_new_frm_data
ldns_rdf * ldns_rdf_new_frm_data(ldns_rdf_type type, size_t size, const void *data)
allocates a new rdf structure and fills it.
Definition: rdata.c:193
ldns_dane_select_certificate
ldns_status ldns_dane_select_certificate(X509 **selected_cert, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store, ldns_tlsa_certificate_usage cert_usage, int offset)
Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cer...
Definition: dane.c:348
ldns_rdf_free
void ldns_rdf_free(ldns_rdf *rd)
frees a rdf structure, leaving the data pointer intact.
Definition: rdata.c:241
ldns_rdf2native_int8
uint8_t ldns_rdf2native_int8(const ldns_rdf *rd)
returns the native uint8_t representation from the rdf.
Definition: rdata.c:70
LDNS_STATUS_DOMAINNAME_OVERFLOW
@ LDNS_STATUS_DOMAINNAME_OVERFLOW
Definition: error.h:29
LDNS_STATUS_DANE_NON_CA_CERTIFICATE
@ LDNS_STATUS_DANE_NON_CA_CERTIFICATE
Definition: error.h:118
ldns_tlsa_selector
enum ldns_enum_tlsa_selector ldns_tlsa_selector
Definition: dane.h:82
LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE
@ LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE
Definition: error.h:107
ldns_rdf_compare
int ldns_rdf_compare(const ldns_rdf *rd1, const ldns_rdf *rd2)
compares two rdf's on their wire formats.
Definition: rdata.c:651
LDNS_DANE_TRANSPORT_SCTP
@ LDNS_DANE_TRANSPORT_SCTP
SCTP.
Definition: dane.h:113
ldns_rdf_deep_free
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
Definition: rdata.c:230
ldns_rr_new_frm_type
ldns_rr * ldns_rr_new_frm_type(ldns_rr_type t)
creates a new rr structure, based on the given type.
Definition: rr.c:42
ldns_dane_verify
ldns_status ldns_dane_verify(const ldns_rr_list *tlsas, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones pr...
Definition: dane.c:784
ldns_status
enum ldns_enum_status ldns_status
Definition: error.h:134
LDNS_XMALLOC
#define LDNS_XMALLOC(type, count)
Definition: util.h:51
LDNS_RDF_TYPE_DNAME
@ LDNS_RDF_TYPE_DNAME
domain name
Definition: rdata.h:50
LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE
@ LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE
Definition: dane.h:54
ldns_dane_verify_rr
ldns_status ldns_dane_verify_rr(const ldns_rr *tlsa_rr, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones pr...
Definition: dane.c:601
config.h
ldns_rr_rd_count
size_t ldns_rr_rd_count(const ldns_rr *rr)
returns the rd_count of an rr structure.
Definition: rr.c:923
LDNS_TLSA_SELECTOR_FULL_CERTIFICATE
@ LDNS_TLSA_SELECTOR_FULL_CERTIFICATE
Definition: dane.h:70
ldns_struct_rdf
Resource record data field.
Definition: rdata.h:174
LDNS_RR_TYPE_TLSA
@ LDNS_RR_TYPE_TLSA
Definition: rr.h:182
LDNS_RDF_TYPE_INT8
@ LDNS_RDF_TYPE_INT8
8 bits
Definition: rdata.h:52
ldns_rdf_data
uint8_t * ldns_rdf_data(const ldns_rdf *rd)
returns the data of the rdf.
Definition: rdata.c:38
LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT
@ LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT
Definition: dane.h:48
LDNS_DANE_TRANSPORT_TCP
@ LDNS_DANE_TRANSPORT_TCP
TCP.
Definition: dane.h:109
ldns.h
ldns_rr_list_new
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
Definition: rr.c:986
ldns_rr_set_rdf
ldns_rdf * ldns_rr_set_rdf(ldns_rr *rr, const ldns_rdf *f, size_t position)
sets a rdf member, it will be set on the position given.
Definition: rr.c:826
ldns_rr_list_rr
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
Definition: rr.c:976
LDNS_STATUS_MEM_ERR
@ LDNS_STATUS_MEM_ERR
Definition: error.h:34
ldns_rr_list_free
void ldns_rr_list_free(ldns_rr_list *rr_list)
frees an rr_list structure.
Definition: rr.c:997
ldns_dane_transport
enum ldns_enum_dane_transport ldns_dane_transport
Definition: dane.h:115
LDNS_TLSA_USAGE_CA_CONSTRAINT
@ LDNS_TLSA_USAGE_CA_CONSTRAINT
Definition: dane.h:45
ldns_dane_create_tlsa_owner
ldns_status ldns_dane_create_tlsa_owner(ldns_rdf **tlsa_owner, const ldns_rdf *name, uint16_t port, ldns_dane_transport transport)
Creates a dname consisting of the given name, prefixed by the service port and type of transport: _po...
Definition: dane.c:33
ldns_rdf_get_type
ldns_rdf_type ldns_rdf_get_type(const ldns_rdf *rd)
returns the type of the rdf.
Definition: rdata.c:31
dane.h
LDNS_DANE_TRANSPORT_UDP
@ LDNS_DANE_TRANSPORT_UDP
UDP.
Definition: dane.h:111
LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED
@ LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED
Definition: dane.h:91
LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE
@ LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE
Definition: error.h:109
LDNS_MAX_DOMAINLEN
#define LDNS_MAX_DOMAINLEN
Maximum length of a complete dname.
Definition: rr.h:33
ldns_rr_get_type
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
Definition: rr.c:929
ldns_rr_list_rr_count
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
Definition: rr.c:943
Generated on Mon Apr 13 2020 01:12:45 for ldns by   doxygen 1.8.17