/*
 * dane.h -- defines for the DNS-Based Authentication of Named Entities (DANE)
 *                           Transport Layer Security (TLS) Protocol: TLSA
 *
 * Copyright (c) 2012, NLnet Labs. All rights reserved.
 *
 * See LICENSE for the license.
 *
 */

/**
 * \file
 *
 * Base functions for creating TLSA RRs and for verifying them against
 * PKIX certificates, certificate chains and validation stores.
 * (See RFC6394 and RFC6698).
 *
 * These functions rely heavily on cryptographic operations, so this
 * module depends on openssl.
 */

#ifndef LDNS_DANE_H
#define LDNS_DANE_H

#include <ldns/common.h>
#include <ldns/rdata.h>
#include <ldns/rr.h>
#if LDNS_BUILD_CONFIG_HAVE_SSL
#include <openssl/ssl.h>
#include <openssl/err.h>
#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */

#ifdef __cplusplus
extern "C" {
#endif

/**
 * Values of the "Certificate usage" rdata field of a TLSA RR.
 *
 * Every value is declared under a short and a long name; the two names
 * of a pair are the same constant.
 */
enum ldns_enum_tlsa_certificate_usage {
	/** CA constraint */
	LDNS_TLSA_USAGE_PKIX_TA = 0,
	LDNS_TLSA_USAGE_CA_CONSTRAINT = 0,

	/** Service certificate constraint */
	LDNS_TLSA_USAGE_PKIX_EE = 1,
	LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT = 1,

	/** Trust anchor assertion */
	LDNS_TLSA_USAGE_DANE_TA = 2,
	LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION = 2,

	/** Domain issued certificate */
	LDNS_TLSA_USAGE_DANE_EE = 3,
	LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE = 3,

	/** Reserved for Private Use */
	LDNS_TLSA_USAGE_PRIVCERT = 255
};
typedef enum ldns_enum_tlsa_certificate_usage ldns_tlsa_certificate_usage;

/**
 * Values of the "Selector" rdata field of a TLSA RR.
 */
enum ldns_enum_tlsa_selector {
	/**
	 * Full certificate: the Certificate binary structure
	 * as defined in [RFC5280]
	 */
	LDNS_TLSA_SELECTOR_CERT = 0,
	LDNS_TLSA_SELECTOR_FULL_CERTIFICATE = 0,

	/**
	 * SubjectPublicKeyInfo: DER-encoded binary structure
	 * as defined in [RFC5280]
	 */
	LDNS_TLSA_SELECTOR_SPKI = 1,
	LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO = 1,

	/** Reserved for Private Use */
	LDNS_TLSA_SELECTOR_PRIVSEL = 255
};
typedef enum ldns_enum_tlsa_selector ldns_tlsa_selector;

/**
 * Values of the "Matching type" rdata field of a TLSA RR.
 */
enum ldns_enum_tlsa_matching_type {
	/** Exact match on selected content (no hash is used) */
	LDNS_TLSA_MATCHING_TYPE_FULL = 0,
	LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED = 0,

	/** SHA-256 hash of selected content [RFC6234] */
	LDNS_TLSA_MATCHING_TYPE_SHA2_256 = 1,
	LDNS_TLSA_MATCHING_TYPE_SHA256 = 1,

	/** SHA-512 hash of selected content [RFC6234] */
	LDNS_TLSA_MATCHING_TYPE_SHA2_512 = 2,
	LDNS_TLSA_MATCHING_TYPE_SHA512 = 2,

	/** Reserved for Private Use */
	LDNS_TLSA_MATCHING_TYPE_PRIVMATCH = 255
};
typedef enum ldns_enum_tlsa_matching_type ldns_tlsa_matching_type;

/**
 * Transports known for use in TLSA owner names.
 */
enum ldns_enum_dane_transport {
	/** TCP */
	LDNS_DANE_TRANSPORT_TCP = 0,
	/** UDP */
	LDNS_DANE_TRANSPORT_UDP = 1,
	/** SCTP */
	LDNS_DANE_TRANSPORT_SCTP = 2
};
typedef enum ldns_enum_dane_transport ldns_dane_transport;


#if LDNS_BUILD_CONFIG_USE_DANE
/**
 * Builds the TLSA owner name for a service: the given name prefixed by the
 * service port and the transport type,
 * _<EM>port</EM>._<EM>transport</EM>.<EM>name</EM>.
 *
 * \param[out] tlsa_owner The created dname.
 * \param[in]  name       The dname that should be prefixed.
 * \param[in]  port       The service port number for which the name should
 *                        be created.
 * \param[in]  transport  The transport for which the name should be created.
 * \return LDNS_STATUS_OK on success or an error code otherwise.
 */
ldns_status ldns_dane_create_tlsa_owner(
	ldns_rdf **tlsa_owner,
	const ldns_rdf *name,
	uint16_t port,
	ldns_dane_transport transport);


#if LDNS_BUILD_CONFIG_HAVE_SSL
/**
 * Creates an rdf of type LDNS_RDF_TYPE_HEX from the binary data chosen by
 * the selector and encoded using matching_type.
 *
 * \param[out] rdf           The created rdf of type LDNS_RDF_TYPE_HEX.
 * \param[in]  cert          The certificate from which the data is selected
 * \param[in]  selector      The full certificate or the public key
 * \param[in]  matching_type The full data or the SHA256 or SHA512 hash
 *                           of the selected data
 * \return LDNS_STATUS_OK on success or an error code otherwise.
 */
ldns_status ldns_dane_cert2rdf(
	ldns_rdf **rdf,
	X509 *cert,
	ldns_tlsa_selector selector,
	ldns_tlsa_matching_type matching_type);


/**
 * Selects the certificate from cert, extra_certs or the
 * pkix_validation_store, based on the value of cert_usage and index.
 *
 * \param[out] selected_cert The selected cert.
 * \param[in]  cert The certificate to validate (or not)
 * \param[in]  extra_certs Intermediate certificates that might be necessary
 *             during validation. May be NULL, except when the certificate
 *             usage is "Trust Anchor Assertion", because the trust anchor
 *             then has to be provided (otherwise choose "Domain issued
 *             certificate").
 * \param[in]  pkix_validation_store Used when the certificate usage is
 *             "CA constraint" or "Service Certificate Constraint" to
 *             validate the certificate and, in case of "CA constraint",
 *             select the CA.
 *             When pkix_validation_store is NULL, validation is explicitly
 *             turned off and the behaviour is then the same as for "Trust
 *             anchor assertion" and "Domain issued certificate"
 *             respectively. A caller that depends on the PKIX check of
 *             those two usages therefore has to pass a non-NULL store.
 * \param[in]  cert_usage Which certificate to use and how to validate.
 * \param[in]  index Used to select the trust anchor when certificate usage
 *             is "Trust Anchor Assertion". 0 is the last certificate in the
 *             validation chain, 1 the one but last, etc. When index is -1,
 *             the last certificate is used, and it MUST be self-signed.
 *             This can help to make sure that the intended (self-signed)
 *             trust anchor is actually present in extra_certs (which is a
 *             DANE requirement).
 *
 * \return LDNS_STATUS_OK on success or an error code otherwise.
 */
ldns_status ldns_dane_select_certificate(
	X509 **selected_cert,
	X509 *cert,
	STACK_OF(X509) *extra_certs,
	X509_STORE *pkix_validation_store,
	ldns_tlsa_certificate_usage cert_usage,
	int index);

/**
 * Creates a TLSA resource record from the certificate.
 * No PKIX validation is performed! The given certificate is used as data
 * regardless of the value of certificate_usage.
 *
 * \param[out] tlsa              The created TLSA resource record.
 * \param[in]  certificate_usage The value for the Certificate Usage field
 * \param[in]  selector          The value for the Selector field
 * \param[in]  matching_type     The value for the Matching Type field
 * \param[in]  cert              The certificate whose data will be
 *                               represented
 *
 * \return LDNS_STATUS_OK on success or an error code otherwise.
 */
ldns_status ldns_dane_create_tlsa_rr(
	ldns_rr **tlsa,
	ldns_tlsa_certificate_usage certificate_usage,
	ldns_tlsa_selector selector,
	ldns_tlsa_matching_type matching_type,
	X509 *cert);

/**
 * BEWARE! We strongly recommend using the OpenSSL 1.1.0 DANE verification
 * functions instead of the ones provided by ldns. When OpenSSL 1.1.0 is
 * available, ldns uses the OpenSSL 1.1.0 DANE verification functions
 * under the hood. When ldns was linked with OpenSSL < 1.1.0, this function
 * is not able to verify TLSA records with DANE-TA usage types.
 *
 * BEWARE! The ldns DANE verification functions do *not* do server name
 * checks. The user has to perform additional server name checks themselves!
 *
 * Verifies whether the given TLSA resource record matches the given
 * certificate.
 * Reporting a TLSA rr mismatch (LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH)
 * is preferred over reporting a PKIX failure
 * (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE). So when PKIX validation is
 * required by the TLSA Certificate usage but the TLSA data does not match,
 * LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH is returned whether the PKIX
 * validation succeeded or not.
 *
 * When ldns is linked with OpenSSL < 1.1.0 and this function is available,
 * the DANE-TA usage type is not verified, and for a tlsa_rr with this
 * usage type LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA is returned.
 *
 * NOTE(review): nothing in this header says that the origin of tlsa_rr is
 * checked; presumably the caller must only pass TLSA records taken from a
 * DNSSEC-validated response -- confirm against the implementation.
 *
 * \param[in] tlsa_rr The resource record that specifies what and how to
 *            match the certificate. With tlsa_rr == NULL, regular PKIX
 *            validation is performed, i.e. the result then says nothing
 *            about any TLSA record.
 * \param[in] cert The certificate to match (and validate)
 * \param[in] extra_certs Intermediate certificates that might be necessary
 *            when creating the validation chain.
 * \param[in] pkix_validation_store Used when the certificate usage is
 *            "CA constraint" or "Service Certificate Constraint" to
 *            validate the certificate.
 *            NOTE(review): ldns_dane_select_certificate documents that a
 *            NULL store turns PKIX validation off; this header does not
 *            state what a NULL store does here -- confirm before passing
 *            NULL.
 *
 * \return LDNS_STATUS_OK on success,
 *         LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA when the
 *         provided TLSA had the DANE-TA usage type,
 *         LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on TLSA data mismatch,
 *         LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when TLSA matched,
 *         but the PKIX validation failed, or other ldns_status errors.
 */
ldns_status ldns_dane_verify_rr(
	const ldns_rr *tlsa_rr,
	X509 *cert,
	STACK_OF(X509) *extra_certs,
	X509_STORE *pkix_validation_store);

/**
 * BEWARE! We strongly recommend using the OpenSSL 1.1.0 DANE verification
 * functions instead of the ones provided by ldns. When OpenSSL 1.1.0 is
 * available, ldns uses the OpenSSL 1.1.0 DANE verification functions
 * under the hood. When ldns was linked with OpenSSL < 1.1.0, this function
 * is not able to verify TLSA records with DANE-TA usage types.
 *
 * BEWARE! The ldns DANE verification functions do *not* do server name
 * checks. The user has to perform additional server name checks themselves!
 *
 * Verifies whether any of the given TLSA resource records matches the
 * given certificate.
 *
 * NOTE(review): nothing in this header says that the origin of tlsas is
 * checked; presumably the caller must only pass TLSA records taken from a
 * DNSSEC-validated response, and must not let a failed lookup turn into an
 * empty list -- confirm against the implementation.
 *
 * \param[in] tlsas The resource records that specify what and how to
 *            match the certificate. One must match for this function
 *            to succeed. With tlsas == NULL or the number of TLSA records
 *            in tlsas == 0, regular PKIX validation is performed, i.e. the
 *            result then says nothing about any TLSA record.
 * \param[in] cert The certificate to match (and validate)
 * \param[in] extra_certs Intermediate certificates that might be necessary
 *            when creating the validation chain.
 * \param[in] pkix_validation_store Used when the certificate usage is
 *            "CA constraint" or "Service Certificate Constraint" to
 *            validate the certificate.
 *            NOTE(review): ldns_dane_select_certificate documents that a
 *            NULL store turns PKIX validation off; this header does not
 *            state what a NULL store does here -- confirm before passing
 *            NULL.
 *
 * \return LDNS_STATUS_OK on success,
 *         LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA when at least one
 *         of the TLSAs had usage type DANE-TA and none of the TLSAs matched
 *         or PKIX validated,
 *         LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when one of the TLSAs
 *         matched but the PKIX validation failed,
 *         LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the TLSAs matched,
 *         or other ldns_status errors.
 */
ldns_status ldns_dane_verify(
	const ldns_rr_list *tlsas,
	X509 *cert,
	STACK_OF(X509) *extra_certs,
	X509_STORE *pkix_validation_store);
#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
#endif /* LDNS_BUILD_CONFIG_USE_DANE */

#ifdef __cplusplus
}
#endif

#endif /* LDNS_DANE_H */