1 | /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ |
2 | ||
3 | #pragma once | |
4 | ||
5 | /*** | |
6 | This file is part of systemd. | |
7 | ||
8 | Copyright 2015 Lennart Poettering | |
9 | ||
10 | systemd is free software; you can redistribute it and/or modify it | |
11 | under the terms of the GNU Lesser General Public License as published by | |
12 | the Free Software Foundation; either version 2.1 of the License, or | |
13 | (at your option) any later version. | |
14 | ||
15 | systemd is distributed in the hope that it will be useful, but | |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
19 | ||
20 | You should have received a copy of the GNU Lesser General Public License | |
21 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
22 | ***/ | |
23 | ||
24710c48 | 24 | typedef enum DnssecMode DnssecMode; |
547973de | 25 | typedef enum DnssecResult DnssecResult; |
24710c48 | 26 | |
27 | #include "dns-domain.h" |
28 | #include "resolved-dns-answer.h" | |
29 | #include "resolved-dns-rr.h" | |
30 | ||
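/* DNSSEC validation policy. The string conversions for this enum are
 * dnssec_mode_to_string()/dnssec_mode_from_string() declared below;
 * _DNSSEC_MODE_MAX is the open upper bound used by those tables and
 * _DNSSEC_MODE_INVALID is the "no/unknown mode" sentinel. */
enum DnssecMode {
        /* No DNSSEC validation is done */
        DNSSEC_NO,

        /* Validate locally, if the server knows DO, but if not,
         * don't. Don't trust the AD bit. If the server doesn't do
         * DNSSEC properly, downgrade to non-DNSSEC operation. Of
         * course, we then are vulnerable to a downgrade attack, but
         * that's life and what is configured.
         *
         * Note for reviewers: in this mode a server (or an on-path
         * party that can make the server look DNSSEC-incapable) can
         * force unvalidated operation; only DNSSEC_YES treats that as
         * a failure. */
        DNSSEC_DOWNGRADE_OK,

        /* Insist on DNSSEC server support, and rather fail than downgrading. */
        DNSSEC_YES,

        _DNSSEC_MODE_MAX,
        _DNSSEC_MODE_INVALID = -1
};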
48 | ||
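/* Outcome of validating one RRset. Values are produced at three layers
 * (see the comments on each group); callers use dnssec_result_to_string()
 * for diagnostics. _DNSSEC_RESULT_MAX is the open upper bound,
 * _DNSSEC_RESULT_INVALID the "unknown" sentinel. */
enum DnssecResult {
        /* These four are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,             /* the RRSIG verified against the supplied DNSKEY */
        DNSSEC_INVALID,               /* signature present but did not verify */
        DNSSEC_SIGNATURE_EXPIRED,     /* presumably judged against the realtime argument — confirm in dnssec_verify_rrset() */
        DNSSEC_UNSUPPORTED_ALGORITHM, /* we cannot evaluate this signature's algorithm; whether the caller
                                       * treats that as insecure or as bogus is decided by the caller, not here */

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,          /* no RRSIG covers the RRset */
        DNSSEC_MISSING_KEY,           /* an RRSIG exists but no matching validated DNSKEY was found */

        /* These are added by the DnsTransaction logic (four values,
         * not two: the original "these two" predates the later additions) */
        DNSSEC_UNSIGNED,
        DNSSEC_FAILED_AUXILIARY,
        DNSSEC_NSEC_MISMATCH,         /* NOTE(review): presumably a denial-of-existence proof that did not match — confirm */
        DNSSEC_INCOMPATIBLE_SERVER,   /* NOTE(review): presumably the "server doesn't do DNSSEC properly" case
                                       * described at DNSSEC_DOWNGRADE_OK — confirm */

        _DNSSEC_RESULT_MAX,
        _DNSSEC_RESULT_INVALID = -1
};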
69 | ||
70 | #define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2) |
71 | ||
72 | /* The longest digest we'll ever generate, of all digest algorithms we support */ |
73 | #define DNSSEC_HASH_SIZE_MAX (MAX(20, 32)) | |
74 | ||
2b442ac8 | 75 | int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey); |
105e1512 | 76 | int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig); |
2b442ac8 | 77 | |
78 | int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result); |
79 | int dnssec_verify_rrset_search(DnsAnswer *answer, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result); | |
80 | |
81 | int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds); | |
547973de | 82 | int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds); |
2b442ac8 | 83 | |
84 | int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key); |
85 | ||
86 | uint16_t dnssec_keytag(DnsResourceRecord *dnskey); |
87 | ||
88 | int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max); | |
24710c48 | 89 | |
6f76ec5a | 90 | int dnssec_nsec3_hash(const DnsResourceRecord *nsec3, const char *name, void *ret); |
91 | |
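/* Outcome of the NSEC/NSEC3 denial-of-existence check performed by
 * dnssec_test_nsec(). That function also reports, via its separate
 * `authenticated` output, whether the proof it found is itself
 * authenticated; this enum only says what kind of proof (if any) was
 * found, so a caller must not treat any value here as a security
 * verdict on its own. */
typedef enum DnssecNsecResult {
        DNSSEC_NSEC_NO_RR,                 /* No suitable NSEC/NSEC3 RR found */
        DNSSEC_NSEC_CNAME,                 /* Would be NODATA, but for the existence of a CNAME RR */
        DNSSEC_NSEC_UNSUPPORTED_ALGORITHM, /* NSEC3 hash algorithm we cannot compute, so no proof can be evaluated */
        DNSSEC_NSEC_NXDOMAIN,              /* proof that the name does not exist */
        DNSSEC_NSEC_NODATA,                /* proof that the name exists but not with the queried type */
        DNSSEC_NSEC_FOUND,                 /* the NSEC/NSEC3 data indicates the record should exist */
        DNSSEC_NSEC_OPTOUT,                /* NOTE(review): an NSEC3 opt-out span covers the name; presumably this
                                            * is a weaker, non-authenticated denial — confirm against dnssec_test_nsec() */
} DnssecNsecResult;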
101 | ||
ed29bfdc | 102 | int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated); |
72667f08 | 103 | |
104 | const char* dnssec_mode_to_string(DnssecMode m) _const_; |
105 | DnssecMode dnssec_mode_from_string(const char *s) _pure_; | |
106 | |
107 | const char* dnssec_result_to_string(DnssecResult m) _const_; | |
108 | DnssecResult dnssec_result_from_string(const char *s) _pure_; |