projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
| 2b442ac8 LP |
2 | #pragma once |
| 3 | ||
| 4 | /*** | |
| 5 | This file is part of systemd. | |
| 6 | ||
| 7 | Copyright 2015 Lennart Poettering | |
| 8 | ||
| 9 | systemd is free software; you can redistribute it and/or modify it | |
| 10 | under the terms of the GNU Lesser General Public License as published by | |
| 11 | the Free Software Foundation; either version 2.1 of the License, or | |
| 12 | (at your option) any later version. | |
| 13 | ||
| 14 | systemd is distributed in the hope that it will be useful, but | |
| 15 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 17 | Lesser General Public License for more details. | |
| 18 | ||
| 19 | You should have received a copy of the GNU Lesser General Public License | |
| 20 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
| 21 | ***/ | |
| 22 | ||
| 547973de | 23 | typedef enum DnssecResult DnssecResult; |
| 59c5b597 | 24 | typedef enum DnssecVerdict DnssecVerdict; |
| 24710c48 | 25 | |
| 2b442ac8 LP |
26 | #include "dns-domain.h" |
| 27 | #include "resolved-dns-answer.h" | |
| 28 | #include "resolved-dns-rr.h" | |
| 29 | ||
| 547973de | 30 | enum DnssecResult { |
| 0c7bff0a | 31 | /* These five are returned by dnssec_verify_rrset() */ |
| 547973de | 32 | DNSSEC_VALIDATED, |
| 0c7bff0a | 33 | DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */ |
| 2b442ac8 | 34 | DNSSEC_INVALID, |
| 203f1b35 LP |
35 | DNSSEC_SIGNATURE_EXPIRED, |
| 36 | DNSSEC_UNSUPPORTED_ALGORITHM, | |
| 37 | ||
| 38 | /* These two are added by dnssec_verify_rrset_search() */ | |
| 2b442ac8 LP |
39 | DNSSEC_NO_SIGNATURE, |
| 40 | DNSSEC_MISSING_KEY, | |
| 203f1b35 LP |
41 | |
| 42 | /* These two are added by the DnsTransaction logic */ | |
| 43 | DNSSEC_UNSIGNED, | |
| 547973de | 44 | DNSSEC_FAILED_AUXILIARY, |
| 72667f08 | 45 | DNSSEC_NSEC_MISMATCH, |
| b652d4a2 LP |
46 | DNSSEC_INCOMPATIBLE_SERVER, |
| 47 | ||
| 547973de LP |
48 | _DNSSEC_RESULT_MAX, |
| 49 | _DNSSEC_RESULT_INVALID = -1 | |
| 2b442ac8 LP |
50 | }; |
| 51 | ||
| 59c5b597 LP |
52 | enum DnssecVerdict { |
| 53 | DNSSEC_SECURE, | |
| 54 | DNSSEC_INSECURE, | |
| 55 | DNSSEC_BOGUS, | |
| 56 | DNSSEC_INDETERMINATE, | |
| 57 | ||
| 58 | _DNSSEC_VERDICT_MAX, | |
| 59 | _DNSSEC_VERDICT_INVALID = -1 | |
| 60 | }; | |
| 61 | ||
| 2b442ac8 LP |
62 | #define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2) |
| 63 | ||
| 72667f08 LP |
64 | /* The longest digest we'll ever generate, of all digest algorithms we support */ |
| 65 | #define DNSSEC_HASH_SIZE_MAX (MAX(20, 32)) | |
| 66 | ||
| 0c857028 | 67 | int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok); |
| 105e1512 | 68 | int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig); |
| 2b442ac8 | 69 | |
| 0c857028 | 70 | int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result); |
| 0c7bff0a | 71 | int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig); |
| 2b442ac8 | 72 | |
| 96bb7673 LP |
73 | int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke); |
| 74 | int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds); | |
| 2b442ac8 | 75 | |
| 105e1512 LP |
76 | int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key); |
| 77 | ||
| 0c857028 | 78 | uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke); |
| 2b442ac8 LP |
79 | |
| 80 | int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max); | |
| 24710c48 | 81 | |
| 1d3db294 | 82 | int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret); |
| 72667f08 LP |
83 | |
| 84 | typedef enum DnssecNsecResult { | |
| 85 | DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */ | |
| 0c7bff0a | 86 | DNSSEC_NSEC_CNAME, /* Didn't find what was asked for, but did find CNAME */ |
| 105e1512 | 87 | DNSSEC_NSEC_UNSUPPORTED_ALGORITHM, |
| 72667f08 LP |
88 | DNSSEC_NSEC_NXDOMAIN, |
| 89 | DNSSEC_NSEC_NODATA, | |
| 90 | DNSSEC_NSEC_FOUND, | |
| 105e1512 | 91 | DNSSEC_NSEC_OPTOUT, |
| 72667f08 LP |
92 | } DnssecNsecResult; |
| 93 | ||
| 0c7bff0a | 94 | int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl); |
| e926785a | 95 | |
| e926785a LP |
96 | |
| 97 | int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated); | |
| 72667f08 | 98 | |
| 547973de LP |
99 | const char* dnssec_result_to_string(DnssecResult m) _const_; |
| 100 | DnssecResult dnssec_result_from_string(const char *s) _pure_; | |
| 59c5b597 LP |
101 | |
| 102 | const char* dnssec_verdict_to_string(DnssecVerdict m) _const_; | |
| 103 | DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_; |