[thirdparty/systemd.git] / src / resolve / resolved-dns-dnssec.h

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

#pragma once

/***
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

typedef enum DnssecMode DnssecMode;
typedef enum DnssecResult DnssecResult;

#include "dns-domain.h"
#include "resolved-dns-answer.h"
#include "resolved-dns-rr.h"

enum DnssecResult {
        /* These five are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,
        DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
        DNSSEC_INVALID,
        DNSSEC_SIGNATURE_EXPIRED,
        DNSSEC_UNSUPPORTED_ALGORITHM,

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,
        DNSSEC_MISSING_KEY,

        /* These two are added by the DnsTransaction logic */
        DNSSEC_UNSIGNED,
        DNSSEC_FAILED_AUXILIARY,
        DNSSEC_NSEC_MISMATCH,
        DNSSEC_INCOMPATIBLE_SERVER,

        _DNSSEC_RESULT_MAX,
        _DNSSEC_RESULT_INVALID = -1
};

#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

/* The longest digest we'll ever generate, of all digest algorithms we support */
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))

int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);

int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);

int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);

int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);

uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);

int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);

int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);

typedef enum DnssecNsecResult {
        DNSSEC_NSEC_NO_RR,     /* No suitable NSEC/NSEC3 RR found */
        DNSSEC_NSEC_CNAME,     /* Didn't find what was asked for, but did find CNAME */
        DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,
        DNSSEC_NSEC_NXDOMAIN,
        DNSSEC_NSEC_NODATA,
        DNSSEC_NSEC_FOUND,
        DNSSEC_NSEC_OPTOUT,
} DnssecNsecResult;

int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);

int dnssec_nsec_test_enclosed(DnsAnswer *answer, uint16_t type, const char *name, const char *zone, bool *authenticated);

int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);

const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;
Commit	Line	Data
2b442ac8 LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	#pragma once
	4
	5	/***
	6	This file is part of systemd.
	7
	8	Copyright 2015 Lennart Poettering
	9
	10	systemd is free software; you can redistribute it and/or modify it
	11	under the terms of the GNU Lesser General Public License as published by
	12	the Free Software Foundation; either version 2.1 of the License, or
	13	(at your option) any later version.
	14
	15	systemd is distributed in the hope that it will be useful, but
	16	WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	Lesser General Public License for more details.
	19
	20	You should have received a copy of the GNU Lesser General Public License
	21	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	22	***/
	23
24710c48	24	typedef enum DnssecMode DnssecMode;
547973de	25	typedef enum DnssecResult DnssecResult;
24710c48	26
2b442ac8 LP	27	#include "dns-domain.h"
	28	#include "resolved-dns-answer.h"
	29	#include "resolved-dns-rr.h"
	30
547973de	31	enum DnssecResult {
0c7bff0a	32	/* These five are returned by dnssec_verify_rrset() */
547973de	33	DNSSEC_VALIDATED,
0c7bff0a	34	DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
2b442ac8	35	DNSSEC_INVALID,
203f1b35 LP	36	DNSSEC_SIGNATURE_EXPIRED,
	37	DNSSEC_UNSUPPORTED_ALGORITHM,
	38
	39	/* These two are added by dnssec_verify_rrset_search() */
2b442ac8 LP	40	DNSSEC_NO_SIGNATURE,
2b442ac8 LP	41	DNSSEC_MISSING_KEY,
203f1b35 LP	42
	43	/* These two are added by the DnsTransaction logic */
	44	DNSSEC_UNSIGNED,
547973de	45	DNSSEC_FAILED_AUXILIARY,
72667f08	46	DNSSEC_NSEC_MISMATCH,
b652d4a2 LP	47	DNSSEC_INCOMPATIBLE_SERVER,
b652d4a2 LP	48
547973de LP	49	_DNSSEC_RESULT_MAX,
547973de LP	50	_DNSSEC_RESULT_INVALID = -1
2b442ac8 LP	51	};
2b442ac8 LP	52
2b442ac8 LP	53	#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
2b442ac8 LP	54
72667f08 LP	55	/* The longest digest we'll ever generate, of all digest algorithms we support */
	56	#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
	57
0c857028	58	int dnssec_rrsig_match_dnskey(DnsResourceRecord rrsig, DnsResourceRecord dnskey, bool revoked_ok);
105e1512	59	int dnssec_key_match_rrsig(const DnsResourceKey key, DnsResourceRecord rrsig);
2b442ac8	60
0c857028	61	int dnssec_verify_rrset(DnsAnswer answer, const DnsResourceKey key, DnsResourceRecord rrsig, DnsResourceRecord dnskey, usec_t realtime, DnssecResult *result);
0c7bff0a	62	int dnssec_verify_rrset_search(DnsAnswer answer, const DnsResourceKey key, DnsAnswer validated_dnskeys, usec_t realtime, DnssecResult result, DnsResourceRecord **rrsig);
2b442ac8	63
0c857028	64	int dnssec_verify_dnskey(DnsResourceRecord dnskey, DnsResourceRecord ds, bool mask_revoke);
547973de	65	int dnssec_verify_dnskey_search(DnsResourceRecord dnskey, DnsAnswer validated_ds);
2b442ac8	66
105e1512 LP	67	int dnssec_has_rrsig(DnsAnswer a, const DnsResourceKey key);
105e1512 LP	68
0c857028	69	uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);
2b442ac8 LP	70
2b442ac8 LP	71	int dnssec_canonicalize(const char n, char buffer, size_t buffer_max);
24710c48	72
1d3db294	73	int dnssec_nsec3_hash(DnsResourceRecord nsec3, const char name, void *ret);
72667f08 LP	74
	75	typedef enum DnssecNsecResult {
	76	DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */
0c7bff0a	77	DNSSEC_NSEC_CNAME, /* Didn't find what was asked for, but did find CNAME */
105e1512	78	DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,
72667f08 LP	79	DNSSEC_NSEC_NXDOMAIN,
	80	DNSSEC_NSEC_NODATA,
	81	DNSSEC_NSEC_FOUND,
105e1512	82	DNSSEC_NSEC_OPTOUT,
72667f08 LP	83	} DnssecNsecResult;
72667f08 LP	84
0c7bff0a	85	int dnssec_nsec_test(DnsAnswer answer, DnsResourceKey key, DnssecNsecResult result, bool authenticated, uint32_t *ttl);
e926785a LP	86
	87	int dnssec_nsec_test_enclosed(DnsAnswer answer, uint16_t type, const char name, const char zone, bool authenticated);
	88
	89	int dnssec_test_positive_wildcard(DnsAnswer a, const char name, const char source, const char zone, bool *authenticated);
72667f08	90
547973de LP	91	const char* dnssec_result_to_string(DnssecResult m) _const_;
547973de LP	92	DnssecResult dnssec_result_from_string(const char *s) _pure_;