src/resolve/resolved-dns-dnssec.h

   1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
   2
   3 #pragma once
   4
   5 /***
   6   This file is part of systemd.
   7
   8   Copyright 2015 Lennart Poettering
   9
  10   systemd is free software; you can redistribute it and/or modify it
  11   under the terms of the GNU Lesser General Public License as published by
  12   the Free Software Foundation; either version 2.1 of the License, or
  13   (at your option) any later version.
  14
  15   systemd is distributed in the hope that it will be useful, but
  16   WITHOUT ANY WARRANTY; without even the implied warranty of
  17   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  18   Lesser General Public License for more details.
  19
  20   You should have received a copy of the GNU Lesser General Public License
  21   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  22 ***/
  23
  24 typedef enum DnssecMode DnssecMode;
  25 typedef enum DnssecResult DnssecResult;
  26
  27 #include "dns-domain.h"
  28 #include "resolved-dns-answer.h"
  29 #include "resolved-dns-rr.h"
  30
  31 enum DnssecMode {
  32         /* No DNSSEC validation is done */
  33         DNSSEC_NO,
  34
  35         /* Validate locally, if the server knows DO, but if not,
  36          * don't. Don't trust the AD bit. If the server doesn't do
  37          * DNSSEC properly, downgrade to non-DNSSEC operation. Of
  38          * course, we then are vulnerable to a downgrade attack, but
  39          * that's life and what is configured. */
  40         DNSSEC_DOWNGRADE_OK,
  41
  42         /* Insist on DNSSEC server support, and rather fail than downgrading. */
  43         DNSSEC_YES,
  44
  45         _DNSSEC_MODE_MAX,
  46         _DNSSEC_MODE_INVALID = -1
  47 };
  48
  49 enum DnssecResult {
  50         /* These four are returned by dnssec_verify_rrset() */
  51         DNSSEC_VALIDATED,
  52         DNSSEC_INVALID,
  53         DNSSEC_SIGNATURE_EXPIRED,
  54         DNSSEC_UNSUPPORTED_ALGORITHM,
  55
  56         /* These two are added by dnssec_verify_rrset_search() */
  57         DNSSEC_NO_SIGNATURE,
  58         DNSSEC_MISSING_KEY,
  59
  60         /* These two are added by the DnsTransaction logic */
  61         DNSSEC_UNSIGNED,
  62         DNSSEC_FAILED_AUXILIARY,
  63         DNSSEC_NSEC_MISMATCH,
  64         DNSSEC_INCOMPATIBLE_SERVER,
  65
  66         _DNSSEC_RESULT_MAX,
  67         _DNSSEC_RESULT_INVALID = -1
  68 };
  69
  70 #define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
  71
  72 /* The longest digest we'll ever generate, of all digest algorithms we support */
  73 #define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
  74
  75 int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
  76 int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
  77
  78 int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
  79 int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result);
  80
  81 int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
  82 int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
  83
  84 int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);
  85
  86 uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);
  87
  88 int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
  89
  90 int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
  91
  92 typedef enum DnssecNsecResult {
  93         DNSSEC_NSEC_NO_RR,     /* No suitable NSEC/NSEC3 RR found */
  94         DNSSEC_NSEC_CNAME,     /* Would be NODATA, but for the existence of a CNAME RR */
  95         DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,
  96         DNSSEC_NSEC_NXDOMAIN,
  97         DNSSEC_NSEC_NODATA,
  98         DNSSEC_NSEC_FOUND,
  99         DNSSEC_NSEC_OPTOUT,
 100 } DnssecNsecResult;
 101
 102 int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);
 103
 104 const char* dnssec_mode_to_string(DnssecMode m) _const_;
 105 DnssecMode dnssec_mode_from_string(const char *s) _pure_;
 106
 107 const char* dnssec_result_to_string(DnssecResult m) _const_;
 108 DnssecResult dnssec_result_from_string(const char *s) _pure_;