/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once

/* DNSSEC validation interface for resolved: RRSIG/DNSKEY/DS verification,
 * key-tag computation, NSEC/NSEC3 denial-of-existence tests, and the result
 * enums consumed by the transaction logic. Declarations only. */

/* Forward typedefs placed before the includes, presumably so the headers
 * included below can name these enums; the enum bodies follow the includes. */
typedef enum DnssecResult DnssecResult;
typedef enum DnssecVerdict DnssecVerdict;

#include "dns-domain.h"
#include "resolved-dns-answer.h"
#include "resolved-dns-rr.h"
/* Outcome of validating one RRset, or of the transaction-level logic layered
 * on top of it. Values are grouped by the layer that produces them (see the
 * inline comments). Note that only DNSSEC_VALIDATED is an unconditional
 * "good" outcome: DNSSEC_VALIDATED_WILDCARD still needs the NSEC/NSEC3 step
 * (see dnssec_test_positive_wildcard()) before the answer counts as proven.
 * _DNSSEC_RESULT_MAX/_DNSSEC_RESULT_INVALID are the usual sentinels used by
 * dnssec_result_to_string()/dnssec_result_from_string() declared below. */
enum DnssecResult {
        /* These five are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,
        DNSSEC_VALIDATED_WILDCARD,     /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
        DNSSEC_INVALID,
        DNSSEC_SIGNATURE_EXPIRED,
        DNSSEC_UNSUPPORTED_ALGORITHM,

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,
        DNSSEC_MISSING_KEY,

        /* These two are added by the DnsTransaction logic
         * (the count is stale: DNSSEC_NSEC_MISMATCH and DNSSEC_INCOMPATIBLE_SERVER
         * were added later and presumably belong to the same layer — confirm) */
        DNSSEC_UNSIGNED,
        DNSSEC_FAILED_AUXILIARY,
        DNSSEC_NSEC_MISMATCH,
        DNSSEC_INCOMPATIBLE_SERVER,

        _DNSSEC_RESULT_MAX,
        _DNSSEC_RESULT_INVALID = -1
};
32 | ||
/* Overall security status of a response, in RFC 4035 section 4.3 terms:
 * SECURE = chain of trust validated; INSECURE = proven to be in an unsigned
 * zone (not an error); BOGUS = validation attempted and failed, the data must
 * not be used; INDETERMINATE = no trust anchor covers the name, so nothing can
 * be said either way. How resolved maps DnssecResult onto these verdicts is
 * not visible in this header. */
enum DnssecVerdict {
        DNSSEC_SECURE,
        DNSSEC_INSECURE,
        DNSSEC_BOGUS,
        DNSSEC_INDETERMINATE,

        _DNSSEC_VERDICT_MAX,
        _DNSSEC_VERDICT_INVALID = -1
};
42 | ||
/* Buffer size for a hostname in DNSSEC canonical form: DNS_HOSTNAME_MAX plus
 * two extra bytes. Why exactly two is not visible here — confirm against the
 * canonicalization code before shrinking it. */
#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

/* The longest digest we'll ever generate, of all digest algorithms we support.
 * 20 and 32 bytes are the SHA-1 and SHA-256 output sizes respectively, which
 * presumably are the supported DS/NSEC3 digest algorithms. Any raw digest
 * buffer handed to this module (see dnssec_nsec3_hash()) should be at least
 * this large. */
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))

/* Whether an RRSIG could have been produced by the given DNSKEY. The exact
 * matching criteria live in the implementation; revoked_ok presumably permits
 * a DNSKEY carrying the REVOKE flag to match — confirm. Return convention
 * (boolean vs. negative errno on error) is not visible in this header. */
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
/* Whether an RRSIG covers records of the given key (owner/class/type). */
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);

/* Verifies the RRset selected by key within answer against rrsig using dnskey.
 * realtime is presumably the current time used for the RRSIG inception/
 * expiration window — confirm. The validation outcome is delivered through
 * *result (one of the five DnssecResult values marked as returned by this
 * function); the int return value presumably only signals operational
 * failure, so callers must inspect *result rather than treat a non-negative
 * return as "validated". */
int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
/* Like dnssec_verify_rrset(), but searches answer for an RRSIG covering key
 * and validated_dnskeys for a matching DNSKEY; the RRSIG used is returned in
 * *rrsig. Can additionally yield DNSSEC_NO_SIGNATURE and DNSSEC_MISSING_KEY.
 * As the name suggests, validated_dnskeys is trusted as already validated —
 * it must only ever contain keys that passed DS/trust-anchor checks. */
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);

/* Checks a DNSKEY against a DS record from the parent zone. mask_revoke has
 * the same meaning as for dnssec_keytag(): presumably compute as if the
 * REVOKE flag were clear — confirm. */
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
/* Same, searching validated_ds for a DS that matches dnskey. */
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);

/* Whether answer a contains an RRSIG covering key. */
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);

/* Computes the key tag of a DNSKEY (RFC 4034 Appendix B). Key tags are not
 * unique by specification; they narrow the candidate keys but must never be
 * the sole criterion for choosing one. mask_revoke: see above. */
uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);

/* Computes the NSEC3 hash of name using the algorithm/salt/iterations carried
 * in the nsec3 RR. The raw digest is written to ret, which has no size
 * parameter: the buffer is presumably expected to hold DNSSEC_HASH_SIZE_MAX
 * bytes — confirm against the implementation. The return value (digest length
 * vs. negative errno) is likewise not visible here. */
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
62 | |
/* Outcome of an NSEC/NSEC3 denial-of-existence test (see dnssec_nsec_test()).
 * Only NXDOMAIN/NODATA are positive proofs; NO_RR, UNSUPPORTED_ALGORITHM and
 * OPTOUT mean nothing was proven. */
typedef enum DnssecNsecResult {
        DNSSEC_NSEC_NO_RR,                  /* No suitable NSEC/NSEC3 RR found */
        DNSSEC_NSEC_CNAME,                  /* Didn't find what was asked for, but did find CNAME */
        DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,  /* NSEC3 hash algorithm not supported, so no proof possible */
        DNSSEC_NSEC_NXDOMAIN,               /* Proof that the name does not exist */
        DNSSEC_NSEC_NODATA,                 /* Proof that the name exists but not with the requested type */
        DNSSEC_NSEC_FOUND,                  /* NSEC data indicates the name/type exists — confirm exact meaning in dnssec_nsec_test() */
        DNSSEC_NSEC_OPTOUT,                 /* Name falls in an NSEC3 opt-out span (RFC 5155): no proof, only an insecure delegation can be assumed */
} DnssecNsecResult;
72 | ||
/* Searches answer for NSEC/NSEC3 records proving the (non-)existence of key
 * and reports the outcome in *result. *authenticated presumably tells whether
 * the NSEC/NSEC3 records relied on were themselves validated — a NXDOMAIN/
 * NODATA result with *authenticated false must not be treated as a secure
 * denial; confirm. *ttl is presumably the TTL the negative answer may be
 * cached with — confirm. */
int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);

/* Second half of DNSSEC_VALIDATED_WILDCARD handling: checks the NSEC/NSEC3
 * records in a prove that no name closer than the wildcard (source, within
 * zone) exists for name, so that wildcard synthesis was legitimate.
 * *authenticated: as for dnssec_nsec_test(). Parameter semantics inferred from
 * the names — confirm against the implementation. */
int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);

/* String conversion helpers for the enums above. _const_/_pure_ are the
 * project's function-attribute macros (defined elsewhere). The _from_string()
 * variants presumably return the _INVALID sentinel on unknown input. */
const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;

const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;