summaryrefslogtreecommitdiff
path: root/Cryptlib/Include/internal/dane.h
diff options
context:
space:
mode:
authorSteve Langasek <steve.langasek@canonical.com>2019-02-09 21:28:06 -0800
committerSteve Langasek <steve.langasek@canonical.com>2019-02-09 21:32:44 -0800
commitab4c731c1dd379acd3e95971af57401fb0a650a1 (patch)
tree6a26fb8d0746cbbaa6c2d4b242c73442bcc1df06 /Cryptlib/Include/internal/dane.h
parent0d63079c7da8e86104ce4bbdae2f6cb8d2ea40c6 (diff)
parent9c12130f9cd2ae11a9336813dd1f1669c0b64ad0 (diff)
downloadefi-boot-shim-debian/15+1533136590.3beb971-1.tar.gz
efi-boot-shim-debian/15+1533136590.3beb971-1.zip
* New upstream release.debian/15+1533136590.3beb971-1
- debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. - debian/patches/sbsigntool-no-pesign: dropped; no longer needed. * Drop remaining patches that were not being applied. * Sync packaging from Ubuntu: - debian/copyright: Update upstream source location. - debian/control: add a Build-Depends on libelf-dev. - Enable arm64 build. - debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. - debian/rules, debian/shim.install: use the upstream install target as intended, and move files to the target directory using dh_install. - define RELEASE and COMMIT_ID for the snapshot. - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: set MAKELEVEL. - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. - Set EFIDIR=$distro for dh_auto_install; that will let files be installed in the "right" final directories, and makes boot.csv for us. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager.
Diffstat (limited to 'Cryptlib/Include/internal/dane.h')
-rw-r--r--Cryptlib/Include/internal/dane.h103
1 files changed, 103 insertions, 0 deletions
diff --git a/Cryptlib/Include/internal/dane.h b/Cryptlib/Include/internal/dane.h
new file mode 100644
index 00000000..a1cb5488
--- /dev/null
+++ b/Cryptlib/Include/internal/dane.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_INTERNAL_DANE_H
+#define HEADER_INTERNAL_DANE_H
+
+#include <openssl/safestack.h>
+
+/*-
+ * Certificate usages:
+ * https://tools.ietf.org/html/rfc6698#section-2.1.1
+ */
+#define DANETLS_USAGE_PKIX_TA 0
+#define DANETLS_USAGE_PKIX_EE 1
+#define DANETLS_USAGE_DANE_TA 2
+#define DANETLS_USAGE_DANE_EE 3
+#define DANETLS_USAGE_LAST DANETLS_USAGE_DANE_EE
+
+/*-
+ * Selectors:
+ * https://tools.ietf.org/html/rfc6698#section-2.1.2
+ */
+#define DANETLS_SELECTOR_CERT 0
+#define DANETLS_SELECTOR_SPKI 1
+#define DANETLS_SELECTOR_LAST DANETLS_SELECTOR_SPKI
+
+/*-
+ * Matching types:
+ * https://tools.ietf.org/html/rfc6698#section-2.1.3
+ */
+#define DANETLS_MATCHING_FULL 0
+#define DANETLS_MATCHING_2256 1
+#define DANETLS_MATCHING_2512 2
+#define DANETLS_MATCHING_LAST DANETLS_MATCHING_2512
+
+typedef struct danetls_record_st {
+ uint8_t usage;
+ uint8_t selector;
+ uint8_t mtype;
+ unsigned char *data;
+ size_t dlen;
+ EVP_PKEY *spki;
+} danetls_record;
+
+DEFINE_STACK_OF(danetls_record)
+
+/*
+ * Shared DANE context
+ */
+struct dane_ctx_st {
+ const EVP_MD **mdevp; /* mtype -> digest */
+ uint8_t *mdord; /* mtype -> preference */
+ uint8_t mdmax; /* highest supported mtype */
+ unsigned long flags; /* feature bitmask */
+};
+
+/*
+ * Per connection DANE state
+ */
+struct ssl_dane_st {
+ struct dane_ctx_st *dctx;
+ STACK_OF(danetls_record) *trecs;
+ STACK_OF(X509) *certs; /* DANE-TA(2) Cert(0) Full(0) certs */
+ danetls_record *mtlsa; /* Matching TLSA record */
+ X509 *mcert; /* DANE matched cert */
+ uint32_t umask; /* Usages present */
+ int mdpth; /* Depth of matched cert */
+ int pdpth; /* Depth of PKIX trust */
+ unsigned long flags; /* feature bitmask */
+};
+
+#define DANETLS_ENABLED(dane) \
+ ((dane) != NULL && sk_danetls_record_num((dane)->trecs) > 0)
+
+#define DANETLS_USAGE_BIT(u) (((uint32_t)1) << u)
+
+#define DANETLS_PKIX_TA_MASK (DANETLS_USAGE_BIT(DANETLS_USAGE_PKIX_TA))
+#define DANETLS_PKIX_EE_MASK (DANETLS_USAGE_BIT(DANETLS_USAGE_PKIX_EE))
+#define DANETLS_DANE_TA_MASK (DANETLS_USAGE_BIT(DANETLS_USAGE_DANE_TA))
+#define DANETLS_DANE_EE_MASK (DANETLS_USAGE_BIT(DANETLS_USAGE_DANE_EE))
+
+#define DANETLS_PKIX_MASK (DANETLS_PKIX_TA_MASK | DANETLS_PKIX_EE_MASK)
+#define DANETLS_DANE_MASK (DANETLS_DANE_TA_MASK | DANETLS_DANE_EE_MASK)
+#define DANETLS_TA_MASK (DANETLS_PKIX_TA_MASK | DANETLS_DANE_TA_MASK)
+#define DANETLS_EE_MASK (DANETLS_PKIX_EE_MASK | DANETLS_DANE_EE_MASK)
+
+#define DANETLS_HAS_PKIX(dane) ((dane) && ((dane)->umask & DANETLS_PKIX_MASK))
+#define DANETLS_HAS_DANE(dane) ((dane) && ((dane)->umask & DANETLS_DANE_MASK))
+#define DANETLS_HAS_TA(dane) ((dane) && ((dane)->umask & DANETLS_TA_MASK))
+#define DANETLS_HAS_EE(dane) ((dane) && ((dane)->umask & DANETLS_EE_MASK))
+
+#define DANETLS_HAS_PKIX_TA(dane) ((dane)&&((dane)->umask & DANETLS_PKIX_TA_MASK))
+#define DANETLS_HAS_PKIX_EE(dane) ((dane)&&((dane)->umask & DANETLS_PKIX_EE_MASK))
+#define DANETLS_HAS_DANE_TA(dane) ((dane)&&((dane)->umask & DANETLS_DANE_TA_MASK))
+#define DANETLS_HAS_DANE_EE(dane) ((dane)&&((dane)->umask & DANETLS_DANE_EE_MASK))
+
+#endif /* HEADER_INTERNAL_DANE_H */
generated by cgit v1.2.3 (git 2.39.1) at 2025-09-02 07:51:47 +0000