[thirdparty/systemd.git] / src / resolve / resolved-dns-dnssec.h

/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once

typedef enum DnssecResult DnssecResult;
typedef enum DnssecVerdict DnssecVerdict;

#include "dns-domain.h"
#include "resolved-dns-answer.h"
#include "resolved-dns-rr.h"

enum DnssecResult {
        /* These five are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,
        DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
        DNSSEC_INVALID,
        DNSSEC_SIGNATURE_EXPIRED,
        DNSSEC_UNSUPPORTED_ALGORITHM,

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,
        DNSSEC_MISSING_KEY,

        /* These two are added by the DnsTransaction logic */
        DNSSEC_UNSIGNED,
        DNSSEC_FAILED_AUXILIARY,
        DNSSEC_NSEC_MISMATCH,
        DNSSEC_INCOMPATIBLE_SERVER,

        _DNSSEC_RESULT_MAX,
        _DNSSEC_RESULT_INVALID = -1
};

enum DnssecVerdict {
        DNSSEC_SECURE,
        DNSSEC_INSECURE,
        DNSSEC_BOGUS,
        DNSSEC_INDETERMINATE,

        _DNSSEC_VERDICT_MAX,
        _DNSSEC_VERDICT_INVALID = -1
};

#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

/* The longest digest we'll ever generate, of all digest algorithms we support */
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))

int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);

int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);

int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);

int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);

uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);

int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);

int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);

typedef enum DnssecNsecResult {
        DNSSEC_NSEC_NO_RR,     /* No suitable NSEC/NSEC3 RR found */
        DNSSEC_NSEC_CNAME,     /* Didn't find what was asked for, but did find CNAME */
        DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,
        DNSSEC_NSEC_NXDOMAIN,
        DNSSEC_NSEC_NODATA,
        DNSSEC_NSEC_FOUND,
        DNSSEC_NSEC_OPTOUT,
} DnssecNsecResult;

int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);

int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);

const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;

const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
2b442ac8 LP	2	#pragma once
2b442ac8 LP	3
547973de	4	typedef enum DnssecResult DnssecResult;
59c5b597	5	typedef enum DnssecVerdict DnssecVerdict;
24710c48	6
2b442ac8 LP	7	#include "dns-domain.h"
	8	#include "resolved-dns-answer.h"
	9	#include "resolved-dns-rr.h"
	10
547973de	11	enum DnssecResult {
0c7bff0a	12	/* These five are returned by dnssec_verify_rrset() */
547973de	13	DNSSEC_VALIDATED,
0c7bff0a	14	DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
2b442ac8	15	DNSSEC_INVALID,
203f1b35 LP	16	DNSSEC_SIGNATURE_EXPIRED,
	17	DNSSEC_UNSUPPORTED_ALGORITHM,
	18
	19	/* These two are added by dnssec_verify_rrset_search() */
2b442ac8 LP	20	DNSSEC_NO_SIGNATURE,
2b442ac8 LP	21	DNSSEC_MISSING_KEY,
203f1b35 LP	22
	23	/* These two are added by the DnsTransaction logic */
	24	DNSSEC_UNSIGNED,
547973de	25	DNSSEC_FAILED_AUXILIARY,
72667f08	26	DNSSEC_NSEC_MISMATCH,
b652d4a2 LP	27	DNSSEC_INCOMPATIBLE_SERVER,
b652d4a2 LP	28
547973de LP	29	_DNSSEC_RESULT_MAX,
547973de LP	30	_DNSSEC_RESULT_INVALID = -1
2b442ac8 LP	31	};
2b442ac8 LP	32
59c5b597 LP	33	enum DnssecVerdict {
	34	DNSSEC_SECURE,
	35	DNSSEC_INSECURE,
	36	DNSSEC_BOGUS,
	37	DNSSEC_INDETERMINATE,
	38
	39	_DNSSEC_VERDICT_MAX,
	40	_DNSSEC_VERDICT_INVALID = -1
	41	};
	42
2b442ac8 LP	43	#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
2b442ac8 LP	44
72667f08 LP	45	/* The longest digest we'll ever generate, of all digest algorithms we support */
	46	#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
	47
0c857028	48	int dnssec_rrsig_match_dnskey(DnsResourceRecord rrsig, DnsResourceRecord dnskey, bool revoked_ok);
105e1512	49	int dnssec_key_match_rrsig(const DnsResourceKey key, DnsResourceRecord rrsig);
2b442ac8	50
0c857028	51	int dnssec_verify_rrset(DnsAnswer answer, const DnsResourceKey key, DnsResourceRecord rrsig, DnsResourceRecord dnskey, usec_t realtime, DnssecResult *result);
0c7bff0a	52	int dnssec_verify_rrset_search(DnsAnswer answer, const DnsResourceKey key, DnsAnswer validated_dnskeys, usec_t realtime, DnssecResult result, DnsResourceRecord **rrsig);
2b442ac8	53
96bb7673 LP	54	int dnssec_verify_dnskey_by_ds(DnsResourceRecord dnskey, DnsResourceRecord ds, bool mask_revoke);
96bb7673 LP	55	int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord dnskey, DnsAnswer validated_ds);
2b442ac8	56
105e1512 LP	57	int dnssec_has_rrsig(DnsAnswer a, const DnsResourceKey key);
105e1512 LP	58
0c857028	59	uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);
2b442ac8 LP	60
2b442ac8 LP	61	int dnssec_canonicalize(const char n, char buffer, size_t buffer_max);
24710c48	62
1d3db294	63	int dnssec_nsec3_hash(DnsResourceRecord nsec3, const char name, void *ret);
72667f08 LP	64
	65	typedef enum DnssecNsecResult {
	66	DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */
0c7bff0a	67	DNSSEC_NSEC_CNAME, /* Didn't find what was asked for, but did find CNAME */
105e1512	68	DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,
72667f08 LP	69	DNSSEC_NSEC_NXDOMAIN,
	70	DNSSEC_NSEC_NODATA,
	71	DNSSEC_NSEC_FOUND,
105e1512	72	DNSSEC_NSEC_OPTOUT,
72667f08 LP	73	} DnssecNsecResult;
72667f08 LP	74
0c7bff0a	75	int dnssec_nsec_test(DnsAnswer answer, DnsResourceKey key, DnssecNsecResult result, bool authenticated, uint32_t *ttl);
e926785a	76
e926785a	77	int dnssec_test_positive_wildcard(DnsAnswer a, const char name, const char source, const char zone, bool *authenticated);
72667f08	78
547973de LP	79	const char* dnssec_result_to_string(DnssecResult m) _const_;
547973de LP	80	DnssecResult dnssec_result_from_string(const char *s) _pure_;
59c5b597 LP	81
	82	const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
	83	DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;