53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
2 | #pragma once |
3 | ||
4 | /*** | |
5 | This file is part of systemd. | |
6 | ||
7 | Copyright 2015 Lennart Poettering | |
8 | ||
9 | systemd is free software; you can redistribute it and/or modify it | |
10 | under the terms of the GNU Lesser General Public License as published by | |
11 | the Free Software Foundation; either version 2.1 of the License, or | |
12 | (at your option) any later version. | |
13 | ||
14 | systemd is distributed in the hope that it will be useful, but | |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
17 | Lesser General Public License for more details. | |
18 | ||
19 | You should have received a copy of the GNU Lesser General Public License | |
20 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
21 | ***/ | |
22 | ||
/* Forward typedefs, placed before the #includes below (presumably so the
 * included resolved-dns-*.h headers can name these types); the enums
 * themselves are defined further down in this file. */
typedef enum DnssecResult DnssecResult;
typedef enum DnssecVerdict DnssecVerdict;
24710c48 | 25 | |
26 | #include "dns-domain.h" |
27 | #include "resolved-dns-answer.h" | |
28 | #include "resolved-dns-rr.h" | |
29 | ||
/* Outcome of one DNSSEC verification step. The first five values are
 * produced by dnssec_verify_rrset(), the next two are added by
 * dnssec_verify_rrset_search(), and the remainder are synthesized by the
 * DnsTransaction logic outside this header. Mapping a result onto a
 * DnssecVerdict (secure/insecure/bogus/indeterminate) is the caller's
 * job, not something this enum encodes. */
enum DnssecResult {
        /* These five are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,               /* Signature verified (non-wildcard) */
        DNSSEC_VALIDATED_WILDCARD,      /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary;
                                         * must not be treated as DNSSEC_VALIDATED until those checks pass */
        DNSSEC_INVALID,                 /* Signature did not verify against the key */
        DNSSEC_SIGNATURE_EXPIRED,       /* Signature validity window does not cover the current time
                                         * (presumably the 'realtime' argument of dnssec_verify_rrset()) */
        DNSSEC_UNSUPPORTED_ALGORITHM,   /* Signature or key uses an algorithm this validator cannot verify.
                                         * NOTE(review): RFC 4035 §5.2 treats unsupported algorithms as
                                         * insecure rather than bogus; the verdict mapping lives outside
                                         * this header, confirm it does the same */

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,            /* No RRSIG covering the RRset was found in the answer */
        DNSSEC_MISSING_KEY,             /* RRSIG found, but no matching DNSKEY among the validated keys */

        /* These two are added by the DnsTransaction logic */
        DNSSEC_UNSIGNED,                /* RRset belongs to a zone shown to be unsigned (presumably via a
                                         * validated NSEC/NSEC3 proof of no DS) */
        DNSSEC_FAILED_AUXILIARY,        /* An auxiliary lookup needed for validation (presumably DNSKEY/DS) failed */
        DNSSEC_NSEC_MISMATCH,           /* NSEC/NSEC3 proof did not match what the answer claims */
        DNSSEC_INCOMPATIBLE_SERVER,     /* Upstream server cannot be used for DNSSEC (presumably it fails
                                         * to pass through the needed records) */

        _DNSSEC_RESULT_MAX,             /* Sentinel: number of valid results, presumably used to size the string table */
        _DNSSEC_RESULT_INVALID = -1     /* Sentinel for "no/unknown result", presumably returned by dnssec_result_from_string() */
};
51 | ||
/* The overall security status a transaction ends up with, i.e. the four
 * validator states of RFC 4035 §4.3. Only DNSSEC_SECURE means the data was
 * cryptographically validated; DNSSEC_INSECURE means the zone was proven
 * unsigned; DNSSEC_BOGUS means validation was attempted and failed and the
 * data must not be used; DNSSEC_INDETERMINATE means no trust anchor covered
 * the name so no judgement could be made. */
enum DnssecVerdict {
        DNSSEC_SECURE,
        DNSSEC_INSECURE,
        DNSSEC_BOGUS,
        DNSSEC_INDETERMINATE,

        _DNSSEC_VERDICT_MAX,            /* Sentinel: number of valid verdicts */
        _DNSSEC_VERDICT_INVALID = -1    /* Sentinel for "no/unknown verdict", presumably returned by dnssec_verdict_from_string() */
};
61 | ||
/* Buffer size to use for the output of dnssec_canonicalize(): a hostname of
 * DNS_HOSTNAME_MAX (from dns-domain.h) plus two bytes, presumably for a
 * trailing dot and the NUL terminator -- confirm against the implementation. */
#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
63 | ||
/* The longest digest we'll ever generate, of all digest algorithms we support.
 * 20 and 32 bytes are the SHA-1 and SHA-256 output sizes. Any buffer sized
 * with this constant (presumably including the length-less 'ret' argument of
 * dnssec_nsec3_hash()) relies on it being a true upper bound: adding support
 * for a wider digest (SHA-384 would need 48 bytes) requires bumping this
 * constant first, otherwise those buffers overflow. */
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
66 | ||
/* Returns whether 'rrsig' could have been produced by 'dnskey' (presumably
 * the algorithm / key tag / signer-name tests of RFC 4035 §5.3.1 -- see the
 * implementation for the exact checks). 'revoked_ok' controls whether a
 * DNSKEY carrying the REVOKE flag (RFC 5011) may still count as a match.
 * The int return is presumably > 0 on match, 0 on mismatch and a negative
 * errno on error, like the other helpers here -- confirm. */
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
/* Returns whether 'rrsig' covers the RRset identified by 'key' (owner name,
 * class and type covered). Same return convention as above, presumably. */
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
2b442ac8 | 69 | |
/* Verifies the RRset identified by 'key' within 'answer' against 'rrsig'
 * using 'dnskey'. 'realtime' is the current wall-clock time, presumably used
 * for the signature inception/expiration window (see DNSSEC_SIGNATURE_EXPIRED).
 * The verification outcome is stored in *result and is one of the first five
 * DnssecResult values (DNSSEC_VALIDATED .. DNSSEC_UNSUPPORTED_ALGORITHM); the
 * int return is for operational failures, presumably a negative errno. Only
 * DNSSEC_VALIDATED, or DNSSEC_VALIDATED_WILDCARD after the wildcard proof
 * succeeds (see dnssec_test_positive_wildcard()), makes the data trustworthy. */
int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
/* Like dnssec_verify_rrset(), but searches 'answer' for an RRSIG covering
 * 'key' and 'validated_dnskeys' for a DNSKEY matching it, so *result may
 * additionally be DNSSEC_NO_SIGNATURE or DNSSEC_MISSING_KEY. Only keys that
 * were themselves validated may be passed in 'validated_dnskeys', otherwise
 * the chain of trust is broken. The RRSIG that was used is returned in
 * *rrsig; its reference/ownership semantics are not visible here. */
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);
2b442ac8 | 72 | |
/* Checks that 'dnskey' is the key the DS record 'ds' refers to, i.e. that the
 * DS digest over owner name and DNSKEY RDATA matches (RFC 4034 §5.1.4). With
 * 'mask_revoke' the REVOKE flag is presumably cleared before hashing, so a
 * key that was revoked after the DS was published can still be matched --
 * confirm in the implementation. */
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
/* Like dnssec_verify_dnskey_by_ds(), but looks for a matching DS among
 * 'validated_ds'. Only DS records that were themselves validated belong in
 * that set; an unvalidated DS here would let an attacker-supplied key enter
 * the chain of trust. */
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
2b442ac8 | 75 | |
/* Returns whether 'a' contains at least one RRSIG covering the RRset
 * identified by 'key'. Presence of a signature says nothing about its
 * validity; use dnssec_verify_rrset_search() for that. */
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);
77 | ||
/* Computes the key tag of 'dnskey' (RFC 4034 Appendix B). With 'mask_revoke'
 * the REVOKE flag is presumably masked out of the flags field first, since
 * setting that bit changes the tag (RFC 5011) -- confirm. Key tags are not
 * unique: they only narrow down candidate keys and never replace a real
 * signature or digest check. */
uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);
79 | |
/* Writes the DNSSEC canonical form of the domain name 'n' (RFC 4034 §6.2,
 * presumably lowercased and fully qualified -- confirm the exact form in the
 * implementation) into 'buffer', which holds at most 'buffer_max' bytes.
 * Size the buffer with DNSSEC_CANONICAL_HOSTNAME_MAX. */
int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
24710c48 | 81 | |
/* Computes the NSEC3 hash of 'name' with the hash algorithm, salt and
 * iteration count taken from the NSEC3 record 'nsec3' (RFC 5155 §5) and
 * stores it in 'ret'. 'ret' carries no length: the caller must provide at
 * least DNSSEC_HASH_SIZE_MAX bytes. Presumably returns the digest length or
 * a negative errno -- confirm. */
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
83 | |
/* Outcome of an NSEC/NSEC3 denial-of-existence check, see dnssec_nsec_test(). */
typedef enum DnssecNsecResult {
        DNSSEC_NSEC_NO_RR,                      /* No suitable NSEC/NSEC3 RR found */
        DNSSEC_NSEC_CNAME,                      /* Didn't find what was asked for, but did find CNAME */
        DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,      /* NSEC3 uses a hash algorithm we cannot compute */
        DNSSEC_NSEC_NXDOMAIN,                   /* Proven: the name does not exist */
        DNSSEC_NSEC_NODATA,                     /* Proven: the name exists, but has no RRset of the requested type */
        DNSSEC_NSEC_FOUND,                      /* The NSEC/NSEC3 data indicates the RRset exists after all (presumably) */
        DNSSEC_NSEC_OPTOUT,                     /* Covered by an NSEC3 opt-out span (RFC 5155 §6): absence of a DS is
                                                 * not proven, so the delegation can at best be treated as insecure */
} DnssecNsecResult;
93 | ||
/* Checks whether 'answer' carries NSEC/NSEC3 records proving the
 * non-existence (or existence) of the RRset identified by 'key'; the outcome
 * is stored in *result. *authenticated reports whether the proof rests on
 * authenticated records -- a proof built from unauthenticated NSEC/NSEC3
 * data must not be used to downgrade a name to insecure. *ttl presumably
 * receives the TTL to cache the negative answer with. Whether the output
 * pointers may be NULL is not visible from this header. */
int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);
e926785a | 95 | |
96 | |
/* Checks the NSEC/NSEC3 half of a positive wildcard answer in 'a': that no
 * closer match for 'name' exists between it and the wildcard 'source' within
 * 'zone' (RFC 4035 §5.3.4). This is the follow-up check dnssec_verify_rrset()
 * demands after returning DNSSEC_VALIDATED_WILDCARD. *authenticated reports
 * whether the proof itself is authenticated. The precise roles of 'source'
 * and 'zone' are not visible from this header -- confirm in the implementation. */
int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);
72667f08 | 98 | |
/* String conversions for DnssecResult, for logging and parsing. The table is
 * presumably sized by _DNSSEC_RESULT_MAX, and the from-string direction
 * presumably yields _DNSSEC_RESULT_INVALID for an unknown string. _const_ and
 * _pure_ are systemd's __attribute__((const)) / ((pure)) macros. */
const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;
101 | |
/* String conversions for DnssecVerdict, same conventions as the
 * dnssec_result_*_string() pair: presumably table-driven via
 * _DNSSEC_VERDICT_MAX, with _DNSSEC_VERDICT_INVALID for unknown input. */
const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;