1 | #pragma once |
2 | ||
3 | /*** | |
4 | This file is part of systemd. | |
5 | ||
6 | Copyright 2015 Lennart Poettering | |
7 | ||
8 | systemd is free software; you can redistribute it and/or modify it | |
9 | under the terms of the GNU Lesser General Public License as published by | |
10 | the Free Software Foundation; either version 2.1 of the License, or | |
11 | (at your option) any later version. | |
12 | ||
13 | systemd is distributed in the hope that it will be useful, but | |
14 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
16 | Lesser General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU Lesser General Public License | |
19 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
20 | ***/ | |
21 | ||
/* Forward typedefs for the two enums defined further down. They are deliberately
 * placed before the #includes that follow — presumably so those headers can name
 * the types before the enum bodies are visible; confirm if the order is changed. */
typedef enum DnssecResult DnssecResult;
typedef enum DnssecVerdict DnssecVerdict;

25 | #include "dns-domain.h" |
26 | #include "resolved-dns-answer.h" | |
27 | #include "resolved-dns-rr.h" | |
28 | ||
/* Per-RRset outcome of signature validation. Only DNSSEC_VALIDATED is a final
 * "signature checked out" result: DNSSEC_VALIDATED_WILDCARD still needs the
 * NSEC/NSEC3 checks described on the value itself, and everything after it is
 * some form of failure or "could not check". */
enum DnssecResult {
        /* These five are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,
        DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
        DNSSEC_INVALID,
        DNSSEC_SIGNATURE_EXPIRED,
        DNSSEC_UNSUPPORTED_ALGORITHM,

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,
        DNSSEC_MISSING_KEY,

        /* These four are added by the DnsTransaction logic */
        DNSSEC_UNSIGNED,
        DNSSEC_FAILED_AUXILIARY,
        DNSSEC_NSEC_MISMATCH,
        DNSSEC_INCOMPATIBLE_SERVER,

        _DNSSEC_RESULT_MAX,
        _DNSSEC_RESULT_INVALID = -1 /* sentinel for "unknown", e.g. from dnssec_result_from_string() */
};

51 | enum DnssecVerdict { |
52 | DNSSEC_SECURE, | |
53 | DNSSEC_INSECURE, | |
54 | DNSSEC_BOGUS, | |
55 | DNSSEC_INDETERMINATE, | |
56 | ||
57 | _DNSSEC_VERDICT_MAX, | |
58 | _DNSSEC_VERDICT_INVALID = -1 | |
59 | }; | |
60 | ||
2b442ac8 LP |
61 | #define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2) |
62 | ||
72667f08 LP |
63 | /* The longest digest we'll ever generate, of all digest algorithms we support */ |
64 | #define DNSSEC_HASH_SIZE_MAX (MAX(20, 32)) | |
65 | ||
/* NOTE(review): return conventions are not stated in this header; like the rest
 * of systemd these presumably return >= 0 on success and a negative errno-style
 * code on error — confirm in the definitions before relying on it. */

/* Does @rrsig look like it was produced with @dnskey? Which fields are compared
 * (algorithm, key tag, signer) and whether @revoked_ok admits a DNSKEY carrying
 * the REVOKE flag (RFC 5011) is not visible here — confirm. */
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
/* Does @rrsig cover the RRset identified by @key (owner name/class/type)? */
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);

/* Verify the RRset @key within @answer against one (@rrsig, @dnskey) pair.
 * *result is set to one of the first five DnssecResult values (see the enum
 * above). @realtime is presumably the wall-clock time the RRSIG validity window
 * is checked against (cf. DNSSEC_SIGNATURE_EXPIRED) — confirm. Callers must not
 * treat DNSSEC_VALIDATED_WILDCARD as final; NSEC/NSEC3 checks still follow. */
int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
/* Like dnssec_verify_rrset(), but searches @answer for RRSIGs and
 * @validated_dnskeys for a matching key; additionally reports
 * DNSSEC_NO_SIGNATURE / DNSSEC_MISSING_KEY. If @rrsig is non-NULL it presumably
 * receives the RRSIG that was used — whether that is a borrowed or a new
 * reference is not visible here; confirm against the definition. */
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);

/* Check @dnskey against a single DS record, or against every DS in
 * @validated_ds. @mask_revoke presumably clears the REVOKE flag before the
 * digest is computed (so a revoked key still matches its DS) — confirm. */
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);

/* Is there any RRSIG in @a that covers @key? */
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);

/* Key tag of @dnskey (RFC 4034 Appendix B); @mask_revoke as above. */
uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);

/* Write the DNSSEC canonical form of name @n into @buffer, never exceeding
 * @buffer_max bytes. DNSSEC_CANONICAL_HOSTNAME_MAX above appears to be the
 * intended buffer size — confirm. */
int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);

/* Hash @name with the parameters of the NSEC3 record @nsec3, writing the raw
 * digest to @ret. @ret is untyped and unsized: the caller must provide room for
 * the largest supported digest, presumably DNSSEC_HASH_SIZE_MAX — confirm
 * against the definition, since an undersized buffer here would be overrun. */
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);

83 | typedef enum DnssecNsecResult { | |
84 | DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */ | |
0c7bff0a | 85 | DNSSEC_NSEC_CNAME, /* Didn't find what was asked for, but did find CNAME */ |
105e1512 | 86 | DNSSEC_NSEC_UNSUPPORTED_ALGORITHM, |
72667f08 LP |
87 | DNSSEC_NSEC_NXDOMAIN, |
88 | DNSSEC_NSEC_NODATA, | |
89 | DNSSEC_NSEC_FOUND, | |
105e1512 | 90 | DNSSEC_NSEC_OPTOUT, |
72667f08 LP |
91 | } DnssecNsecResult; |
92 | ||
/* Run the NSEC/NSEC3 denial-of-existence checks for @key over @answer. *result
 * receives a DnssecNsecResult. *authenticated and *ttl are further outputs;
 * presumably whether the proving records were themselves validated, and the TTL
 * to cache the negative answer with — confirm against the definition. */
int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);


/* Check that a positive answer synthesized from a wildcard is legitimate, i.e.
 * that no closer match than the wildcard exists. Parameter roles are inferred
 * from the names (@name queried name, @source wildcard owner, @zone zone apex)
 * — confirm against the definition. */
int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);

/* String-table conversions. The _from_string() variants presumably return the
 * corresponding _INVALID (-1) enumerator for unknown input — confirm. */
const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;

const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;