1 /* SPDX-License-Identifier: LGPL-2.1+ */
5 This file is part of systemd.
7 Copyright 2015 Lennart Poettering
9 systemd is free software; you can redistribute it and/or modify it
10 under the terms of the GNU Lesser General Public License as published by
11 the Free Software Foundation; either version 2.1 of the License, or
12 (at your option) any later version.
14 systemd is distributed in the hope that it will be useful, but
15 WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Lesser General Public License for more details.
19 You should have received a copy of the GNU Lesser General Public License
20 along with systemd; If not, see <http://www.gnu.org/licenses/>.
23 typedef enum DnssecResult DnssecResult
;
24 typedef enum DnssecVerdict DnssecVerdict
;
26 #include "dns-domain.h"
27 #include "resolved-dns-answer.h"
28 #include "resolved-dns-rr.h"
31 /* These five are returned by dnssec_verify_rrset() */
33 DNSSEC_VALIDATED_WILDCARD
, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
35 DNSSEC_SIGNATURE_EXPIRED
,
36 DNSSEC_UNSUPPORTED_ALGORITHM
,
38 /* These two are added by dnssec_verify_rrset_search() */
42 /* These two are added by the DnsTransaction logic */
44 DNSSEC_FAILED_AUXILIARY
,
46 DNSSEC_INCOMPATIBLE_SERVER
,
49 _DNSSEC_RESULT_INVALID
= -1
59 _DNSSEC_VERDICT_INVALID
= -1
62 #define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
64 /* The longest digest we'll ever generate, of all digest algorithms we support */
65 #define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
67 int dnssec_rrsig_match_dnskey(DnsResourceRecord
*rrsig
, DnsResourceRecord
*dnskey
, bool revoked_ok
);
68 int dnssec_key_match_rrsig(const DnsResourceKey
*key
, DnsResourceRecord
*rrsig
);
70 int dnssec_verify_rrset(DnsAnswer
*answer
, const DnsResourceKey
*key
, DnsResourceRecord
*rrsig
, DnsResourceRecord
*dnskey
, usec_t realtime
, DnssecResult
*result
);
71 int dnssec_verify_rrset_search(DnsAnswer
*answer
, const DnsResourceKey
*key
, DnsAnswer
*validated_dnskeys
, usec_t realtime
, DnssecResult
*result
, DnsResourceRecord
**rrsig
);
73 int dnssec_verify_dnskey_by_ds(DnsResourceRecord
*dnskey
, DnsResourceRecord
*ds
, bool mask_revoke
);
74 int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord
*dnskey
, DnsAnswer
*validated_ds
);
76 int dnssec_has_rrsig(DnsAnswer
*a
, const DnsResourceKey
*key
);
78 uint16_t dnssec_keytag(DnsResourceRecord
*dnskey
, bool mask_revoke
);
80 int dnssec_canonicalize(const char *n
, char *buffer
, size_t buffer_max
);
82 int dnssec_nsec3_hash(DnsResourceRecord
*nsec3
, const char *name
, void *ret
);
84 typedef enum DnssecNsecResult
{
85 DNSSEC_NSEC_NO_RR
, /* No suitable NSEC/NSEC3 RR found */
86 DNSSEC_NSEC_CNAME
, /* Didn't find what was asked for, but did find CNAME */
87 DNSSEC_NSEC_UNSUPPORTED_ALGORITHM
,
94 int dnssec_nsec_test(DnsAnswer
*answer
, DnsResourceKey
*key
, DnssecNsecResult
*result
, bool *authenticated
, uint32_t *ttl
);
97 int dnssec_test_positive_wildcard(DnsAnswer
*a
, const char *name
, const char *source
, const char *zone
, bool *authenticated
);
99 const char* dnssec_result_to_string(DnssecResult m
) _const_
;
100 DnssecResult
dnssec_result_from_string(const char *s
) _pure_
;
102 const char* dnssec_verdict_to_string(DnssecVerdict m
) _const_
;
103 DnssecVerdict
dnssec_verdict_from_string(const char *s
) _pure_
;
projects / thirdparty / systemd.git / blob