[thirdparty/systemd.git] / src / resolve / resolved-dns-dnssec.h

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

#pragma once

/***
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

typedef enum DnssecMode DnssecMode;
typedef enum DnssecResult DnssecResult;

#include "dns-domain.h"
#include "resolved-dns-answer.h"
#include "resolved-dns-rr.h"

enum DnssecMode {
        /* No DNSSEC validation is done */
        DNSSEC_NO,

        /* Trust the AD bit sent by the server. UNSAFE! */
        DNSSEC_TRUST,

        /* Validate locally, if the server knows DO, but if not, don't. Don't trust the AD bit */
        DNSSEC_YES,

        _DNSSEC_MODE_MAX,
        _DNSSEC_MODE_INVALID = -1
};

enum DnssecResult {
        /* These four are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,
        DNSSEC_INVALID,
        DNSSEC_SIGNATURE_EXPIRED,
        DNSSEC_UNSUPPORTED_ALGORITHM,

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,
        DNSSEC_MISSING_KEY,

        /* These two are added by the DnsTransaction logic */
        DNSSEC_UNSIGNED,
        DNSSEC_FAILED_AUXILIARY,
        DNSSEC_NSEC_MISMATCH,
        _DNSSEC_RESULT_MAX,
        _DNSSEC_RESULT_INVALID = -1
};

#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

/* The longest digest we'll ever generate, of all digest algorithms we support */
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))

int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey);
int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig);

int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
int dnssec_verify_rrset_search(DnsAnswer *answer, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result);

int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds);
int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);

uint16_t dnssec_keytag(DnsResourceRecord *dnskey);

int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);

int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);

typedef enum DnssecNsecResult {
        DNSSEC_NSEC_NO_RR,     /* No suitable NSEC/NSEC3 RR found */
        DNSSEC_NSEC_NXDOMAIN,
        DNSSEC_NSEC_NODATA,
        DNSSEC_NSEC_FOUND,
} DnssecNsecResult;

int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result);

const char* dnssec_mode_to_string(DnssecMode m) _const_;
DnssecMode dnssec_mode_from_string(const char *s) _pure_;

const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;
Commit	Line	Data
2b442ac8 LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	#pragma once
	4
	5	/***
	6	This file is part of systemd.
	7
	8	Copyright 2015 Lennart Poettering
	9
	10	systemd is free software; you can redistribute it and/or modify it
	11	under the terms of the GNU Lesser General Public License as published by
	12	the Free Software Foundation; either version 2.1 of the License, or
	13	(at your option) any later version.
	14
	15	systemd is distributed in the hope that it will be useful, but
	16	WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	Lesser General Public License for more details.
	19
	20	You should have received a copy of the GNU Lesser General Public License
	21	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	22	***/
	23
24710c48	24	typedef enum DnssecMode DnssecMode;
547973de	25	typedef enum DnssecResult DnssecResult;
24710c48	26
2b442ac8 LP	27	#include "dns-domain.h"
	28	#include "resolved-dns-answer.h"
	29	#include "resolved-dns-rr.h"
	30
24710c48 LP	31	enum DnssecMode {
	32	/* No DNSSEC validation is done */
	33	DNSSEC_NO,
	34
	35	/* Trust the AD bit sent by the server. UNSAFE! */
	36	DNSSEC_TRUST,
	37
	38	/* Validate locally, if the server knows DO, but if not, don't. Don't trust the AD bit */
	39	DNSSEC_YES,
	40
	41	_DNSSEC_MODE_MAX,
	42	_DNSSEC_MODE_INVALID = -1
	43	};
	44
547973de	45	enum DnssecResult {
203f1b35	46	/* These four are returned by dnssec_verify_rrset() */
547973de	47	DNSSEC_VALIDATED,
2b442ac8	48	DNSSEC_INVALID,
203f1b35 LP	49	DNSSEC_SIGNATURE_EXPIRED,
	50	DNSSEC_UNSUPPORTED_ALGORITHM,
	51
	52	/* These two are added by dnssec_verify_rrset_search() */
2b442ac8 LP	53	DNSSEC_NO_SIGNATURE,
2b442ac8 LP	54	DNSSEC_MISSING_KEY,
203f1b35 LP	55
	56	/* These two are added by the DnsTransaction logic */
	57	DNSSEC_UNSIGNED,
547973de	58	DNSSEC_FAILED_AUXILIARY,
72667f08	59	DNSSEC_NSEC_MISMATCH,
547973de LP	60	_DNSSEC_RESULT_MAX,
547973de LP	61	_DNSSEC_RESULT_INVALID = -1
2b442ac8 LP	62	};
2b442ac8 LP	63
2b442ac8 LP	64	#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
2b442ac8 LP	65
72667f08 LP	66	/* The longest digest we'll ever generate, of all digest algorithms we support */
	67	#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
	68
2b442ac8 LP	69	int dnssec_rrsig_match_dnskey(DnsResourceRecord rrsig, DnsResourceRecord dnskey);
	70	int dnssec_key_match_rrsig(DnsResourceKey key, DnsResourceRecord rrsig);
	71
547973de LP	72	int dnssec_verify_rrset(DnsAnswer answer, DnsResourceKey key, DnsResourceRecord rrsig, DnsResourceRecord dnskey, usec_t realtime, DnssecResult *result);
547973de LP	73	int dnssec_verify_rrset_search(DnsAnswer answer, DnsResourceKey key, DnsAnswer validated_dnskeys, usec_t realtime, DnssecResult result);
2b442ac8 LP	74
2b442ac8 LP	75	int dnssec_verify_dnskey(DnsResourceRecord dnskey, DnsResourceRecord ds);
547973de	76	int dnssec_verify_dnskey_search(DnsResourceRecord dnskey, DnsAnswer validated_ds);
2b442ac8 LP	77
	78	uint16_t dnssec_keytag(DnsResourceRecord *dnskey);
	79
	80	int dnssec_canonicalize(const char n, char buffer, size_t buffer_max);
24710c48	81
72667f08 LP	82	int dnssec_nsec3_hash(DnsResourceRecord nsec3, const char name, void *ret);
	83
	84	typedef enum DnssecNsecResult {
	85	DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */
	86	DNSSEC_NSEC_NXDOMAIN,
	87	DNSSEC_NSEC_NODATA,
	88	DNSSEC_NSEC_FOUND,
	89	} DnssecNsecResult;
	90
	91	int dnssec_test_nsec(DnsAnswer answer, DnsResourceKey key, DnssecNsecResult *result);
	92
24710c48 LP	93	const char* dnssec_mode_to_string(DnssecMode m) _const_;
24710c48 LP	94	DnssecMode dnssec_mode_from_string(const char *s) _pure_;
547973de LP	95
	96	const char* dnssec_result_to_string(DnssecResult m) _const_;
	97	DnssecResult dnssec_result_from_string(const char *s) _pure_;