[thirdparty/systemd.git] / src / resolve / resolved-dns-dnssec.h

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

#pragma once

/***
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

typedef enum DnssecMode DnssecMode;
typedef enum DnssecResult DnssecResult;

#include "dns-domain.h"
#include "resolved-dns-answer.h"
#include "resolved-dns-rr.h"

enum DnssecMode {
        /* No DNSSEC validation is done */
        DNSSEC_NO,

        /* Trust the AD bit sent by the server. UNSAFE! */
        DNSSEC_TRUST,

        /* Validate locally, if the server knows DO, but if not, don't. Don't trust the AD bit */
        DNSSEC_YES,

        _DNSSEC_MODE_MAX,
        _DNSSEC_MODE_INVALID = -1
};

enum DnssecResult {
        /* These four are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,
        DNSSEC_INVALID,
        DNSSEC_SIGNATURE_EXPIRED,
        DNSSEC_UNSUPPORTED_ALGORITHM,

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,
        DNSSEC_MISSING_KEY,

        /* These two are added by the DnsTransaction logic */
        DNSSEC_UNSIGNED,
        DNSSEC_FAILED_AUXILIARY,
        _DNSSEC_RESULT_MAX,
        _DNSSEC_RESULT_INVALID = -1
};

#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey);
int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig);

int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
int dnssec_verify_rrset_search(DnsAnswer *answer, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result);

int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds);
int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);

uint16_t dnssec_keytag(DnsResourceRecord *dnskey);

int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);

const char* dnssec_mode_to_string(DnssecMode m) _const_;
DnssecMode dnssec_mode_from_string(const char *s) _pure_;

const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;
Commit	Line	Data
2b442ac8 LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	#pragma once
	4
	5	/***
	6	This file is part of systemd.
	7
	8	Copyright 2015 Lennart Poettering
	9
	10	systemd is free software; you can redistribute it and/or modify it
	11	under the terms of the GNU Lesser General Public License as published by
	12	the Free Software Foundation; either version 2.1 of the License, or
	13	(at your option) any later version.
	14
	15	systemd is distributed in the hope that it will be useful, but
	16	WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	Lesser General Public License for more details.
	19
	20	You should have received a copy of the GNU Lesser General Public License
	21	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	22	***/
	23
24710c48	24	typedef enum DnssecMode DnssecMode;
547973de	25	typedef enum DnssecResult DnssecResult;
24710c48	26
2b442ac8 LP	27	#include "dns-domain.h"
	28	#include "resolved-dns-answer.h"
	29	#include "resolved-dns-rr.h"
	30
24710c48 LP	31	enum DnssecMode {
	32	/* No DNSSEC validation is done */
	33	DNSSEC_NO,
	34
	35	/* Trust the AD bit sent by the server. UNSAFE! */
	36	DNSSEC_TRUST,
	37
	38	/* Validate locally, if the server knows DO, but if not, don't. Don't trust the AD bit */
	39	DNSSEC_YES,
	40
	41	_DNSSEC_MODE_MAX,
	42	_DNSSEC_MODE_INVALID = -1
	43	};
	44
547973de	45	enum DnssecResult {
203f1b35	46	/* These four are returned by dnssec_verify_rrset() */
547973de	47	DNSSEC_VALIDATED,
2b442ac8	48	DNSSEC_INVALID,
203f1b35 LP	49	DNSSEC_SIGNATURE_EXPIRED,
	50	DNSSEC_UNSUPPORTED_ALGORITHM,
	51
	52	/* These two are added by dnssec_verify_rrset_search() */
2b442ac8 LP	53	DNSSEC_NO_SIGNATURE,
2b442ac8 LP	54	DNSSEC_MISSING_KEY,
203f1b35 LP	55
	56	/* These two are added by the DnsTransaction logic */
	57	DNSSEC_UNSIGNED,
547973de LP	58	DNSSEC_FAILED_AUXILIARY,
	59	_DNSSEC_RESULT_MAX,
	60	_DNSSEC_RESULT_INVALID = -1
2b442ac8 LP	61	};
2b442ac8 LP	62
2b442ac8 LP	63	#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
	64
	65	int dnssec_rrsig_match_dnskey(DnsResourceRecord rrsig, DnsResourceRecord dnskey);
	66	int dnssec_key_match_rrsig(DnsResourceKey key, DnsResourceRecord rrsig);
	67
547973de LP	68	int dnssec_verify_rrset(DnsAnswer answer, DnsResourceKey key, DnsResourceRecord rrsig, DnsResourceRecord dnskey, usec_t realtime, DnssecResult *result);
547973de LP	69	int dnssec_verify_rrset_search(DnsAnswer answer, DnsResourceKey key, DnsAnswer validated_dnskeys, usec_t realtime, DnssecResult result);
2b442ac8 LP	70
2b442ac8 LP	71	int dnssec_verify_dnskey(DnsResourceRecord dnskey, DnsResourceRecord ds);
547973de	72	int dnssec_verify_dnskey_search(DnsResourceRecord dnskey, DnsAnswer validated_ds);
2b442ac8 LP	73
	74	uint16_t dnssec_keytag(DnsResourceRecord *dnskey);
	75
	76	int dnssec_canonicalize(const char n, char buffer, size_t buffer_max);
24710c48 LP	77
	78	const char* dnssec_mode_to_string(DnssecMode m) _const_;
	79	DnssecMode dnssec_mode_from_string(const char *s) _pure_;
547973de LP	80
	81	const char* dnssec_result_to_string(DnssecResult m) _const_;
	82	DnssecResult dnssec_result_from_string(const char *s) _pure_;