1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 4 March 2015 for version
3.5.4 of GnuTLS.
Copyright (C) 2001-2015 Free Software Foundation, Inc.\\
Copyright (C) 2001-2015 Nikos Mavrogiannopoulos
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.5.4: DANE API</title>
<meta name="description" content="GnuTLS 3.5.4: DANE API">
<meta name="keywords" content="GnuTLS 3.5.4: DANE API">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="API-reference.html#API-reference" rel="up" title="API reference">
<link href="Cryptographic-API.html#Cryptographic-API" rel="next" title="Cryptographic API">
<link href="Socket-specific-API.html#Socket-specific-API" rel="prev" title="Socket specific API">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
body {
margin: 2%;
padding: 0 5%;
background: #ffffff;
}
h1,h2,h3,h4,h5 {
font-weight: bold;
padding: 5px 5px 5px 5px;
background-color: #c2e0ff;
color: #336699;
}
h1 {
padding: 2em 2em 2em 5%;
color: white;
background: #336699;
text-align: center;
letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
margin: 0 5%;
padding: 0.5em;
}
pre.example,pre.verbatim {
padding-bottom: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 1px 1px 1px 5px;
margin: 1em auto;
width: 90%;
}
div.node {
margin: 0 -5% 0 -2%;
padding: 0.5em 0.5em;
margin-top: 0.5em;
margin-bottom: 0.5em;
font-weight: bold;
}
dd, li {
padding-top: 0.1em;
padding-bottom: 0.1em;
}
div.float {
margin-bottom: 0.5em;
text-align: center;
}
table {
text-align: left;
margin-left:auto;
margin-right:auto;
border-spacing: 7px;
width: 50%;
}
th {
padding: 0;
color: #336699;
background-color: #c2e0ff;
border: solid #000000;
border-width: 0px;
margin: 1em auto;
text-align: center;
margin-left:auto;
margin-right:auto;
}
td {
padding: 0;
border: solid #000000;
background-color: #f0faff;
border-width: 0px;
margin: 1em auto;
text-align: left;
margin-left:auto;
margin-right:auto;
padding-left: 1em;
}
dl {
text-align: left;
margin-left:auto;
margin-right:auto;
width: 50%;
padding-left: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 5px 1px 1px 1px;
margin: 1em auto;
}
-->
</style>
</head>
<body lang="en">
<a name="DANE-API"></a>
<div class="header">
<p>
Next: <a href="Cryptographic-API.html#Cryptographic-API" accesskey="n" rel="next">Cryptographic API</a>, Previous: <a href="Socket-specific-API.html#Socket-specific-API" accesskey="p" rel="prev">Socket specific API</a>, Up: <a href="API-reference.html#API-reference" accesskey="u" rel="up">API reference</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="DANE-API-1"></a>
<h3 class="section">E.12 DANE API</h3>
<p>The following functions are to be used for DANE certificate verification.
Their prototypes lie in <samp>gnutls/dane.h</samp>. Note that you need to link
with the <code>libgnutls-dane</code> library to use them.
</p>
<a name="dane_005fcert_005ftype_005fname-1"></a>
<h4 class="subheading">dane_cert_type_name</h4>
<a name="dane_005fcert_005ftype_005fname"></a><dl>
<dt><a name="index-dane_005fcert_005ftype_005fname"></a>Function: <em>const char *</em> <strong>dane_cert_type_name</strong> <em>(dane_cert_type_t <var>type</var>)</em></dt>
<dd><p><var>type</var>: is a DANE match type
</p>
<p>Convert a <code>dane_cert_type_t</code> value to a string.
</p>
<p><strong>Returns:</strong> a string that contains the name of the specified
type, or <code>NULL</code> .
</p></dd></dl>
<a name="dane_005fcert_005fusage_005fname-1"></a>
<h4 class="subheading">dane_cert_usage_name</h4>
<a name="dane_005fcert_005fusage_005fname"></a><dl>
<dt><a name="index-dane_005fcert_005fusage_005fname"></a>Function: <em>const char *</em> <strong>dane_cert_usage_name</strong> <em>(dane_cert_usage_t <var>usage</var>)</em></dt>
<dd><p><var>usage</var>: – undescribed –
</p>
<p>Convert a <code>dane_cert_usage_t</code> value to a string.
</p>
<p><strong>Returns:</strong> a string that contains the name of the specified
type, or <code>NULL</code> .
</p></dd></dl>
<a name="dane_005fmatch_005ftype_005fname-1"></a>
<h4 class="subheading">dane_match_type_name</h4>
<a name="dane_005fmatch_005ftype_005fname"></a><dl>
<dt><a name="index-dane_005fmatch_005ftype_005fname"></a>Function: <em>const char *</em> <strong>dane_match_type_name</strong> <em>(dane_match_type_t <var>type</var>)</em></dt>
<dd><p><var>type</var>: is a DANE match type
</p>
<p>Convert a <code>dane_match_type_t</code> value to a string.
</p>
<p><strong>Returns:</strong> a string that contains the name of the specified
type, or <code>NULL</code> .
</p></dd></dl>
<a name="dane_005fquery_005fdata-1"></a>
<h4 class="subheading">dane_query_data</h4>
<a name="dane_005fquery_005fdata"></a><dl>
<dt><a name="index-dane_005fquery_005fdata"></a>Function: <em>int</em> <strong>dane_query_data</strong> <em>(dane_query_t <var>q</var>, unsigned int <var>idx</var>, unsigned int * <var>usage</var>, unsigned int * <var>type</var>, unsigned int * <var>match</var>, gnutls_datum_t * <var>data</var>)</em></dt>
<dd><p><var>q</var>: The query result structure
</p>
<p><var>idx</var>: The index of the query response.
</p>
<p><var>usage</var>: The certificate usage (see <code>dane_cert_usage_t</code> )
</p>
<p><var>type</var>: The certificate type (see <code>dane_cert_type_t</code> )
</p>
<p><var>match</var>: The DANE matching type (see <code>dane_match_type_t</code> )
</p>
<p><var>data</var>: The DANE data.
</p>
<p>This function will provide the DANE data from the query
response.
</p>
<p><strong>Returns:</strong> On success, <code>DANE_E_SUCCESS</code> (0) is returned, otherwise a
negative error value.
</p></dd></dl>
<a name="dane_005fquery_005fdeinit-1"></a>
<h4 class="subheading">dane_query_deinit</h4>
<a name="dane_005fquery_005fdeinit"></a><dl>
<dt><a name="index-dane_005fquery_005fdeinit"></a>Function: <em>void</em> <strong>dane_query_deinit</strong> <em>(dane_query_t <var>q</var>)</em></dt>
<dd><p><var>q</var>: The structure to be deinitialized
</p>
<p>This function will deinitialize a DANE query result structure.
</p></dd></dl>
<a name="dane_005fquery_005fentries-1"></a>
<h4 class="subheading">dane_query_entries</h4>
<a name="dane_005fquery_005fentries"></a><dl>
<dt><a name="index-dane_005fquery_005fentries"></a>Function: <em>unsigned int</em> <strong>dane_query_entries</strong> <em>(dane_query_t <var>q</var>)</em></dt>
<dd><p><var>q</var>: The query result structure
</p>
<p>This function will return the number of entries in a query.
</p>
<p><strong>Returns:</strong> The number of entries.
</p></dd></dl>
<a name="dane_005fquery_005fstatus-1"></a>
<h4 class="subheading">dane_query_status</h4>
<a name="dane_005fquery_005fstatus"></a><dl>
<dt><a name="index-dane_005fquery_005fstatus"></a>Function: <em>dane_query_status_t</em> <strong>dane_query_status</strong> <em>(dane_query_t <var>q</var>)</em></dt>
<dd><p><var>q</var>: The query result structure
</p>
<p>This function will return the status of the query response.
See <code>dane_query_status_t</code> for the possible types.
</p>
<p><strong>Returns:</strong> The status type.
</p></dd></dl>
<a name="dane_005fquery_005ftlsa-1"></a>
<h4 class="subheading">dane_query_tlsa</h4>
<a name="dane_005fquery_005ftlsa"></a><dl>
<dt><a name="index-dane_005fquery_005ftlsa"></a>Function: <em>int</em> <strong>dane_query_tlsa</strong> <em>(dane_state_t <var>s</var>, dane_query_t * <var>r</var>, const char * <var>host</var>, const char * <var>proto</var>, unsigned int <var>port</var>)</em></dt>
<dd><p><var>s</var>: The DANE state structure
</p>
<p><var>r</var>: A structure to place the result
</p>
<p><var>host</var>: The host name to resolve.
</p>
<p><var>proto</var>: The protocol type (tcp, udp, etc.)
</p>
<p><var>port</var>: The service port number (eg. 443).
</p>
<p>This function will query the DNS server for the TLSA (DANE)
data for the given host.
</p>
<p><strong>Returns:</strong> On success, <code>DANE_E_SUCCESS</code> (0) is returned, otherwise a
negative error value.
</p></dd></dl>
<a name="dane_005fquery_005fto_005fraw_005ftlsa-1"></a>
<h4 class="subheading">dane_query_to_raw_tlsa</h4>
<a name="dane_005fquery_005fto_005fraw_005ftlsa"></a><dl>
<dt><a name="index-dane_005fquery_005fto_005fraw_005ftlsa"></a>Function: <em>int</em> <strong>dane_query_to_raw_tlsa</strong> <em>(dane_query_t <var>q</var>, unsigned int * <var>data_entries</var>, char *** <var>dane_data</var>, int ** <var>dane_data_len</var>, int * <var>secure</var>, int * <var>bogus</var>)</em></dt>
<dd><p><var>q</var>: The query result structure
</p>
<p><var>data_entries</var>: Pointer set to the number of entries in the query
</p>
<p><var>dane_data</var>: Pointer to contain an array of DNS rdata items, terminated with a NULL pointer;
caller must guarantee that the referenced data remains
valid until <code>dane_query_deinit()</code> is called.
</p>
<p><var>dane_data_len</var>: Pointer to contain the length n bytes of the dane_data items
</p>
<p><var>secure</var>: Pointer set true if the result is validated securely, false if
validation failed or the domain queried has no security info
</p>
<p><var>bogus</var>: Pointer set true if the result was not secure due to a security failure
</p>
<p>This function will provide the DANE data from the query
response.
</p>
<p>The pointers dane_data and dane_data_len are allocated with <code>gnutls_malloc()</code>
to contain the data from the query result structure (individual
<code>dane_data</code> items simply point to the original data and are not allocated separately).
The returned <code>dane_data</code> are only valid during the lifetime of <code>q</code> .
</p>
<p><strong>Returns:</strong> On success, <code>DANE_E_SUCCESS</code> (0) is returned, otherwise a
negative error value.
</p></dd></dl>
<a name="dane_005fraw_005ftlsa-1"></a>
<h4 class="subheading">dane_raw_tlsa</h4>
<a name="dane_005fraw_005ftlsa"></a><dl>
<dt><a name="index-dane_005fraw_005ftlsa"></a>Function: <em>int</em> <strong>dane_raw_tlsa</strong> <em>(dane_state_t <var>s</var>, dane_query_t * <var>r</var>, char *const * <var>dane_data</var>, const int * <var>dane_data_len</var>, int <var>secure</var>, int <var>bogus</var>)</em></dt>
<dd><p><var>s</var>: The DANE state structure
</p>
<p><var>r</var>: A structure to place the result
</p>
<p><var>dane_data</var>: array of DNS rdata items, terminated with a NULL pointer;
caller must guarantee that the referenced data remains
valid until <code>dane_query_deinit()</code> is called.
</p>
<p><var>dane_data_len</var>: the length n bytes of the dane_data items
</p>
<p><var>secure</var>: true if the result is validated securely, false if
validation failed or the domain queried has no security info
</p>
<p><var>bogus</var>: if the result was not secure (secure = 0) due to a security failure,
and the result is due to a security failure, bogus is true.
</p>
<p>This function will fill in the TLSA (DANE) structure from
the given raw DNS record data. The <code>dane_data</code> must be valid
during the lifetime of the query.
</p>
<p><strong>Returns:</strong> On success, <code>DANE_E_SUCCESS</code> (0) is returned, otherwise a
negative error value.
</p></dd></dl>
<a name="dane_005fstate_005fdeinit-1"></a>
<h4 class="subheading">dane_state_deinit</h4>
<a name="dane_005fstate_005fdeinit"></a><dl>
<dt><a name="index-dane_005fstate_005fdeinit"></a>Function: <em>void</em> <strong>dane_state_deinit</strong> <em>(dane_state_t <var>s</var>)</em></dt>
<dd><p><var>s</var>: The structure to be deinitialized
</p>
<p>This function will deinitialize a DANE query structure.
</p></dd></dl>
<a name="dane_005fstate_005finit-1"></a>
<h4 class="subheading">dane_state_init</h4>
<a name="dane_005fstate_005finit"></a><dl>
<dt><a name="index-dane_005fstate_005finit"></a>Function: <em>int</em> <strong>dane_state_init</strong> <em>(dane_state_t * <var>s</var>, unsigned int <var>flags</var>)</em></dt>
<dd><p><var>s</var>: The structure to be initialized
</p>
<p><var>flags</var>: flags from the <code>dane_state_flags</code> enumeration
</p>
<p>This function will initialize the backend resolver. It is
intended to be used in scenarios where multiple resolvings
occur, to optimize against multiple re-initializations.
</p>
<p><strong>Returns:</strong> On success, <code>DANE_E_SUCCESS</code> (0) is returned, otherwise a
negative error value.
</p></dd></dl>
<a name="dane_005fstate_005fset_005fdlv_005ffile-1"></a>
<h4 class="subheading">dane_state_set_dlv_file</h4>
<a name="dane_005fstate_005fset_005fdlv_005ffile"></a><dl>
<dt><a name="index-dane_005fstate_005fset_005fdlv_005ffile"></a>Function: <em>int</em> <strong>dane_state_set_dlv_file</strong> <em>(dane_state_t <var>s</var>, const char * <var>file</var>)</em></dt>
<dd><p><var>s</var>: The structure to be deinitialized
</p>
<p><var>file</var>: The file holding the DLV keys.
</p>
<p>This function will set a file with trusted keys
for DLV (DNSSEC Lookaside Validation).
</p></dd></dl>
<a name="dane_005fstrerror-1"></a>
<h4 class="subheading">dane_strerror</h4>
<a name="dane_005fstrerror"></a><dl>
<dt><a name="index-dane_005fstrerror"></a>Function: <em>const char *</em> <strong>dane_strerror</strong> <em>(int <var>error</var>)</em></dt>
<dd><p><var>error</var>: is a DANE error code, a negative error code
</p>
<p>This function is similar to strerror. The difference is that it
accepts an error number returned by a gnutls function; In case of
an unknown error a descriptive string is sent instead of <code>NULL</code> .
</p>
<p>Error codes are always a negative error code.
</p>
<p><strong>Returns:</strong> A string explaining the DANE error message.
</p></dd></dl>
<a name="dane_005fverification_005fstatus_005fprint-1"></a>
<h4 class="subheading">dane_verification_status_print</h4>
<a name="dane_005fverification_005fstatus_005fprint"></a><dl>
<dt><a name="index-dane_005fverification_005fstatus_005fprint"></a>Function: <em>int</em> <strong>dane_verification_status_print</strong> <em>(unsigned int <var>status</var>, gnutls_datum_t * <var>out</var>, unsigned int <var>flags</var>)</em></dt>
<dd><p><var>status</var>: The status flags to be printed
</p>
<p><var>out</var>: Newly allocated datum with (0) terminated string.
</p>
<p><var>flags</var>: should be zero
</p>
<p>This function will pretty print the status of a verification
process – eg. the one obtained by <code>dane_verify_crt()</code> .
</p>
<p>The output <code>out</code> needs to be deallocated using <code>gnutls_free()</code> .
</p>
<p><strong>Returns:</strong> On success, <code>GNUTLS_E_SUCCESS</code> (0) is returned, otherwise a
negative error value.
</p></dd></dl>
<a name="dane_005fverify_005fcrt-1"></a>
<h4 class="subheading">dane_verify_crt</h4>
<a name="dane_005fverify_005fcrt"></a><dl>
<dt><a name="index-dane_005fverify_005fcrt-1"></a>Function: <em>int</em> <strong>dane_verify_crt</strong> <em>(dane_state_t <var>s</var>, const gnutls_datum_t * <var>chain</var>, unsigned <var>chain_size</var>, gnutls_certificate_type_t <var>chain_type</var>, const char * <var>hostname</var>, const char * <var>proto</var>, unsigned int <var>port</var>, unsigned int <var>sflags</var>, unsigned int <var>vflags</var>, unsigned int * <var>verify</var>)</em></dt>
<dd><p><var>s</var>: A DANE state structure (may be NULL)
</p>
<p><var>chain</var>: A certificate chain
</p>
<p><var>chain_size</var>: The size of the chain
</p>
<p><var>chain_type</var>: The type of the certificate chain
</p>
<p><var>hostname</var>: The hostname associated with the chain
</p>
<p><var>proto</var>: The protocol of the service connecting (e.g. tcp)
</p>
<p><var>port</var>: The port of the service connecting (e.g. 443)
</p>
<p><var>sflags</var>: Flags for the the initialization of <code>s</code> (if NULL)
</p>
<p><var>vflags</var>: Verification flags; an OR’ed list of <code>dane_verify_flags_t</code> .
</p>
<p><var>verify</var>: An OR’ed list of <code>dane_verify_status_t</code> .
</p>
<p>This function will verify the given certificate chain against the
CA constrains and/or the certificate available via DANE.
If no information via DANE can be obtained the flag <code>DANE_VERIFY_NO_DANE_INFO</code>
is set. If a DNSSEC signature is not available for the DANE
record then the verify flag <code>DANE_VERIFY_NO_DNSSEC_DATA</code> is set.
</p>
<p>Due to the many possible options of DANE, there is no single threat
model countered. When notifying the user about DANE verification results
it may be better to mention: DANE verification did not reject the certificate,
rather than mentioning a successful DANE verication.
</p>
<p>Note that this function is designed to be run in addition to
PKIX - certificate chain - verification. To be run independently
the <code>DANE_VFLAG_ONLY_CHECK_EE_USAGE</code> flag should be specified;
then the function will check whether the key of the peer matches the
key advertized in the DANE entry.
</p>
<p><strong>Returns:</strong> a negative error code on error and <code>DANE_E_SUCCESS</code> (0)
when the DANE entries were successfully parsed, irrespective of
whether they were verified (see <code>verify</code> for that information). If
no usable entries were encountered <code>DANE_E_REQUESTED_DATA_NOT_AVAILABLE</code>
will be returned.
</p></dd></dl>
<a name="dane_005fverify_005fcrt_005fraw-1"></a>
<h4 class="subheading">dane_verify_crt_raw</h4>
<a name="dane_005fverify_005fcrt_005fraw"></a><dl>
<dt><a name="index-dane_005fverify_005fcrt_005fraw"></a>Function: <em>int</em> <strong>dane_verify_crt_raw</strong> <em>(dane_state_t <var>s</var>, const gnutls_datum_t * <var>chain</var>, unsigned <var>chain_size</var>, gnutls_certificate_type_t <var>chain_type</var>, dane_query_t <var>r</var>, unsigned int <var>sflags</var>, unsigned int <var>vflags</var>, unsigned int * <var>verify</var>)</em></dt>
<dd><p><var>s</var>: A DANE state structure (may be NULL)
</p>
<p><var>chain</var>: A certificate chain
</p>
<p><var>chain_size</var>: The size of the chain
</p>
<p><var>chain_type</var>: The type of the certificate chain
</p>
<p><var>r</var>: DANE data to check against
</p>
<p><var>sflags</var>: Flags for the the initialization of <code>s</code> (if NULL)
</p>
<p><var>vflags</var>: Verification flags; an OR’ed list of <code>dane_verify_flags_t</code> .
</p>
<p><var>verify</var>: An OR’ed list of <code>dane_verify_status_t</code> .
</p>
<p>This is the low-level function of <code>dane_verify_crt()</code> . See the
high level function for documentation.
</p>
<p>This function does not perform any resolving, it utilizes
cached entries from <code>r</code> .
</p>
<p><strong>Returns:</strong> a negative error code on error and <code>DANE_E_SUCCESS</code> (0)
when the DANE entries were successfully parsed, irrespective of
whether they were verified (see <code>verify</code> for that information). If
no usable entries were encountered <code>DANE_E_REQUESTED_DATA_NOT_AVAILABLE</code>
will be returned.
</p></dd></dl>
<a name="dane_005fverify_005fsession_005fcrt-1"></a>
<h4 class="subheading">dane_verify_session_crt</h4>
<a name="dane_005fverify_005fsession_005fcrt"></a><dl>
<dt><a name="index-dane_005fverify_005fsession_005fcrt"></a>Function: <em>int</em> <strong>dane_verify_session_crt</strong> <em>(dane_state_t <var>s</var>, gnutls_session_t <var>session</var>, const char * <var>hostname</var>, const char * <var>proto</var>, unsigned int <var>port</var>, unsigned int <var>sflags</var>, unsigned int <var>vflags</var>, unsigned int * <var>verify</var>)</em></dt>
<dd><p><var>s</var>: A DANE state structure (may be NULL)
</p>
<p><var>session</var>: A gnutls session
</p>
<p><var>hostname</var>: The hostname associated with the chain
</p>
<p><var>proto</var>: The protocol of the service connecting (e.g. tcp)
</p>
<p><var>port</var>: The port of the service connecting (e.g. 443)
</p>
<p><var>sflags</var>: Flags for the the initialization of <code>s</code> (if NULL)
</p>
<p><var>vflags</var>: Verification flags; an OR’ed list of <code>dane_verify_flags_t</code> .
</p>
<p><var>verify</var>: An OR’ed list of <code>dane_verify_status_t</code> .
</p>
<p>This function will verify session’s certificate chain against the
CA constrains and/or the certificate available via DANE.
See <code>dane_verify_crt()</code> for more information.
</p>
<p>This will not verify the chain for validity; unless the DANE
verification is restricted to end certificates, this must be
be performed separately using <code>gnutls_certificate_verify_peers3()</code> .
</p>
<p><strong>Returns:</strong> a negative error code on error and <code>DANE_E_SUCCESS</code> (0)
when the DANE entries were successfully parsed, irrespective of
whether they were verified (see <code>verify</code> for that information). If
no usable entries were encountered <code>DANE_E_REQUESTED_DATA_NOT_AVAILABLE</code>
will be returned.
</p></dd></dl>
<hr>
<div class="header">
<p>
Next: <a href="Cryptographic-API.html#Cryptographic-API" accesskey="n" rel="next">Cryptographic API</a>, Previous: <a href="Socket-specific-API.html#Socket-specific-API" accesskey="p" rel="prev">Socket specific API</a>, Up: <a href="API-reference.html#API-reference" accesskey="u" rel="up">API reference</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
</body>
</html>
|
