1 | /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ |
2 | ||
3 | #pragma once | |
4 | ||
5 | /*** | |
6 | This file is part of systemd. | |
7 | ||
8 | Copyright 2015 Lennart Poettering | |
9 | ||
10 | systemd is free software; you can redistribute it and/or modify it | |
11 | under the terms of the GNU Lesser General Public License as published by | |
12 | the Free Software Foundation; either version 2.1 of the License, or | |
13 | (at your option) any later version. | |
14 | ||
15 | systemd is distributed in the hope that it will be useful, but | |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
19 | ||
20 | You should have received a copy of the GNU Lesser General Public License | |
21 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
22 | ***/ | |
23 | ||
/* Forward declarations of the two enums defined further down in this header,
 * so the type names are usable before their full definitions (presumably also
 * by the headers included right below — confirm). */
typedef enum DnssecMode DnssecMode;
typedef enum DnssecResult DnssecResult;
24710c48 | 26 | |
27 | #include "dns-domain.h" |
28 | #include "resolved-dns-answer.h" | |
29 | #include "resolved-dns-rr.h" | |
30 | ||
/* How much DNSSEC validation is performed. Only the three real modes are
 * selectable; the trailing _MAX/_INVALID entries are the usual systemd
 * table-size sentinel and "not a valid mode" marker (presumably what
 * dnssec_mode_from_string() returns for unknown input — confirm). */
enum DnssecMode {
        /* No DNSSEC validation is done */
        DNSSEC_NO,

        /* Trust the AD bit sent by the server. UNSAFE! The AD bit is a plain
         * flag in the reply and is not itself authenticated, so this mode
         * places full trust in the upstream server and in the path to it. */
        DNSSEC_TRUST,

        /* Validate locally, if the server knows DO, but if not, don't. Don't
         * trust the AD bit. Note that this means a server without DO support
         * yields unvalidated answers rather than an error. */
        DNSSEC_YES,

        _DNSSEC_MODE_MAX,
        _DNSSEC_MODE_INVALID = -1
};
44 | ||
/* Outcome of validating one RRset. The enumerators are grouped by the layer
 * that produces them; only DNSSEC_VALIDATED means the data was cryptographically
 * verified, every other value must be treated as "not proven authentic". */
enum DnssecResult {
        /* These four are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,
        DNSSEC_INVALID,
        /* Presumably judged against the realtime argument of
         * dnssec_verify_rrset() — confirm. */
        DNSSEC_SIGNATURE_EXPIRED,
        /* Neither a success nor a proven failure: the algorithm could not be
         * checked. Callers must not conflate this with DNSSEC_VALIDATED. */
        DNSSEC_UNSUPPORTED_ALGORITHM,

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,
        DNSSEC_MISSING_KEY,

        /* These are added by the DnsTransaction logic. (The comment originally
         * said "two"; DNSSEC_NSEC_MISMATCH was appended later — confirm it is
         * produced by the same code path.) */
        DNSSEC_UNSIGNED,
        DNSSEC_FAILED_AUXILIARY,
        DNSSEC_NSEC_MISMATCH,
        _DNSSEC_RESULT_MAX,
        _DNSSEC_RESULT_INVALID = -1
};
63 | ||
/* Buffer size to hand to dnssec_canonicalize(); the +2 presumably covers a
 * trailing dot plus the NUL terminator — confirm against the implementation. */
#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

/* The longest digest we'll ever generate, of all digest algorithms we support.
 * 20 and 32 bytes presumably correspond to SHA-1 and SHA-256 — confirm. Size
 * output buffers (e.g. for dnssec_nsec3_hash()) with this, never with a
 * per-algorithm constant, so a newly added algorithm cannot overrun them. */
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))

/* Test whether an RRSIG and a DNSKEY (or a key and an RRSIG) belong together.
 * The return convention is not visible here; presumably systemd's usual
 * positive = match, 0 = no match, negative = -errno — confirm. */
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey);
int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig);

/* Validate the RRset for 'key' within 'answer', either against one explicit
 * rrsig/dnskey pair or (the _search variant) against any suitable key in
 * validated_dnskeys. 'realtime' is presumably the current wall-clock time the
 * signature validity window is checked against — confirm; note that a
 * wrong system clock directly changes which signatures are accepted. The
 * verdict goes to *result (see DnssecResult for the values each function
 * produces); the int return is presumably an errno-style status — confirm. */
int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
int dnssec_verify_rrset_search(DnsAnswer *answer, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result);

/* Chain-of-trust step: check a DNSKEY against one DS record, or against any
 * DS in validated_ds. */
int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds);
int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);

/* Compute the 16-bit key tag of a DNSKEY. A key tag is only a lookup hint for
 * matching RRSIG/DS records; it is not unique, so callers must still verify
 * the key cryptographically. */
uint16_t dnssec_keytag(DnsResourceRecord *dnskey);

/* Write the canonical form of name 'n' into 'buffer' of 'buffer_max' bytes
 * (callers are expected to use DNSSEC_CANONICAL_HOSTNAME_MAX — confirm). */
int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);

/* Hash 'name' with the parameters carried by the NSEC3 RR. 'ret' is untyped,
 * so nothing enforces its size: it must have room for DNSSEC_HASH_SIZE_MAX
 * bytes. */
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
83 | ||
/* Outcome of checking a negative answer against its NSEC/NSEC3 records
 * (see dnssec_test_nsec()). Unlike the other enums in this header it has no
 * _MAX/_INVALID sentinels, so it is presumably not table-driven. */
typedef enum DnssecNsecResult {
        DNSSEC_NSEC_NO_RR,      /* No suitable NSEC/NSEC3 RR found */
        DNSSEC_NSEC_NXDOMAIN,   /* presumably: records prove the name does not exist — confirm */
        DNSSEC_NSEC_NODATA,     /* presumably: name exists but not with this type — confirm */
        DNSSEC_NSEC_FOUND,
} DnssecNsecResult;
90 | ||
/* Check whether the NSEC/NSEC3 records in 'answer' cover the queried 'key';
 * the classification is stored in *result. Return convention not visible
 * here, presumably errno-style — confirm. */
int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result);

/* String conversions. _const_/_pure_ are systemd's function-attribute macros
 * and are not defined in this header. The _from_string() variants presumably
 * return the respective _INVALID value (-1) for unknown input — confirm. */
const char* dnssec_mode_to_string(DnssecMode m) _const_;
DnssecMode dnssec_mode_from_string(const char *s) _pure_;

const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;