1 | /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ |
2 | ||
3 | #pragma once | |
4 | ||
5 | /*** | |
6 | This file is part of systemd. | |
7 | ||
8 | Copyright 2015 Lennart Poettering | |
9 | ||
10 | systemd is free software; you can redistribute it and/or modify it | |
11 | under the terms of the GNU Lesser General Public License as published by | |
12 | the Free Software Foundation; either version 2.1 of the License, or | |
13 | (at your option) any later version. | |
14 | ||
15 | systemd is distributed in the hope that it will be useful, but | |
16 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
19 | ||
20 | You should have received a copy of the GNU Lesser General Public License | |
21 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
22 | ***/ | |
23 | ||
/* Forward typedefs. They are deliberately placed before the #includes that follow, presumably
 * because the included headers refer to these type names (TODO(review): confirm; if they do not,
 * the typedefs can move below the includes). The definition of enum DnssecMode is not in this
 * header; enum DnssecResult is defined further down. */
typedef enum DnssecMode DnssecMode;
typedef enum DnssecResult DnssecResult;
24710c48 | 26 | |
27 | #include "dns-domain.h" |
28 | #include "resolved-dns-answer.h" | |
29 | #include "resolved-dns-rr.h" | |
30 | ||
/* Outcome of DNSSEC validation for one RRset / one transaction.
 *
 * Only DNSSEC_VALIDATED means the data is fully authenticated. DNSSEC_VALIDATED_WILDCARD means
 * the RRSIG checked out, but the answer was synthesized from a wildcard and is not authenticated
 * until the accompanying NSEC/NSEC3 proof has been checked as well (see the comment on it below),
 * so callers must not treat it as a final "valid" verdict. Everything else is a failure or a
 * non-verdict, with increasingly coarse granularity the further down the list it appears. */
enum DnssecResult {
        /* These five are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,
        DNSSEC_VALIDATED_WILDCARD,      /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
        DNSSEC_INVALID,
        DNSSEC_SIGNATURE_EXPIRED,       /* RRSIG validity window does not cover the time passed as 'realtime' */
        DNSSEC_UNSUPPORTED_ALGORITHM,

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,
        DNSSEC_MISSING_KEY,

        /* These are added by the DnsTransaction logic (note: four values, not two as previously documented) */
        DNSSEC_UNSIGNED,
        DNSSEC_FAILED_AUXILIARY,
        DNSSEC_NSEC_MISMATCH,
        DNSSEC_INCOMPATIBLE_SERVER,

        /* Sentinels: _MAX sizes lookup tables, _INVALID is presumably what dnssec_result_from_string()
         * returns for an unknown string — confirm against the implementation. */
        _DNSSEC_RESULT_MAX,
        _DNSSEC_RESULT_INVALID = -1
};
52 | ||
/* Size a caller should give the output buffer of dnssec_canonicalize(). The canonical form may be up
 * to two bytes longer than DNS_HOSTNAME_MAX — presumably a trailing dot plus the NUL terminator;
 * TODO(review): confirm against the implementation. */
#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

/* The longest digest we'll ever generate, of all digest algorithms we support.
 * This constant sizes callers' output buffers (e.g. the 'ret' argument of dnssec_nsec3_hash(), which
 * carries no length), so it must be kept in sync with the digest table in the implementation whenever
 * an algorithm is added. The two operands presumably correspond to SHA-1 (20) and SHA-256 (32) output
 * lengths — confirm. */
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
57 | ||
/* Key/signature matching helpers. Return >0 on match, 0 on mismatch, <0 on error (systemd
 * convention, TODO(review): confirm). 'revoked_ok' presumably controls whether a DNSKEY carrying the
 * REVOKE flag (RFC 5011) may still be matched. */
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);

/* Verify the RRset identified by 'key' within 'answer' against one RRSIG/DNSKEY pair. 'realtime' is
 * the point in time the RRSIG validity window is checked against (cf. DNSSEC_SIGNATURE_EXPIRED).
 * The verdict is written to *result; the int return reports errors only (presumably <0 on error).
 *
 * The _search variant looks for a usable RRSIG/DNSKEY combination itself. Only keys that have already
 * been validated belong in 'validated_dnskeys' — this is the link in the chain of trust, and feeding
 * unvalidated keys here would make the result meaningless. On success the RRSIG used is returned
 * via 'rrsig' (presumably; confirm ownership/refcounting with the implementation). */
int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);

/* Check a DNSKEY against a DS record (one or searched among 'validated_ds'). 'mask_revoke' presumably
 * asks for the REVOKE flag to be masked out before hashing so revoked keys still match their DS — confirm. */
int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);

/* Whether 'a' contains an RRSIG covering the RRset identified by 'key'. */
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);

/* Key tag of a DNSKEY RR (the 16-bit value RRSIGs/DS records use to refer to a key). See
 * dnssec_verify_dnskey() for 'mask_revoke'. */
uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);

/* Write the canonical (lower-cased, normalized) form of name 'n' into 'buffer'. 'buffer_max' bounds
 * the write; DNSSEC_CANONICAL_HOSTNAME_MAX is the intended buffer size. */
int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);

/* Compute the NSEC3 hash of 'name' using the parameters (algorithm, salt, iterations) of the NSEC3
 * RR 'nsec3'. 'ret' carries no length: the caller must provide at least DNSSEC_HASH_SIZE_MAX bytes
 * (presumably the actual digest length is returned; confirm). */
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
74 | |
/* Outcome of an NSEC/NSEC3 denial-of-existence check (see dnssec_nsec_test()). */
typedef enum DnssecNsecResult {
        DNSSEC_NSEC_NO_RR,                   /* No suitable NSEC/NSEC3 RR found */
        DNSSEC_NSEC_CNAME,                   /* Didn't find what was asked for, but did find CNAME */
        DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,   /* NSEC3 hash algorithm we cannot compute (presumably; confirm) */
        DNSSEC_NSEC_NXDOMAIN,                /* Proof that the name does not exist at all */
        DNSSEC_NSEC_NODATA,                  /* Proof that the name exists but has no RR of the requested type */
        DNSSEC_NSEC_FOUND,                   /* The NSEC/NSEC3 indicates the requested RR should exist — contradicts a negative answer */
        DNSSEC_NSEC_OPTOUT,                  /* Name falls in an NSEC3 opt-out span: existence can be neither proven nor denied,
                                              * so callers must not treat this as authenticated denial (presumably; confirm) */
} DnssecNsecResult;
84 | ||
/* Check whether the NSEC/NSEC3 records in 'answer' deny (or confirm) existence of the RRset identified
 * by 'key'. The verdict goes to *result; *authenticated presumably tells whether the proof itself rests
 * on validated records, and a denial should only be relied upon when it is set — confirm. *ttl presumably
 * receives the TTL to use when caching the negative response. The int return reports errors only. */
int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);

/* Same idea, for a name known to be enclosed in 'zone': test whether 'type' for 'name' is denied. */
int dnssec_nsec_test_enclosed(DnsAnswer *answer, uint16_t type, const char *name, const char *zone, bool *authenticated);

/* Companion to DNSSEC_VALIDATED_WILDCARD: for a wildcard-synthesized answer for 'name' (expanded from
 * 'source' within 'zone'), check the NSEC/NSEC3 proof that no closer match exists. Presumably returns
 * >0 when the proof is present, 0 when not, <0 on error — confirm. */
int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);

/* String conversion for DnssecResult (for logging/DBus). _const_/_pure_ are the project's attribute
 * macros marking these as side-effect free. */
const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;