src/resolve/resolved-dns-dnssec.h

   1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
   2
   3 #pragma once
   4
   5 /***
   6   This file is part of systemd.
   7
   8   Copyright 2015 Lennart Poettering
   9
  10   systemd is free software; you can redistribute it and/or modify it
  11   under the terms of the GNU Lesser General Public License as published by
  12   the Free Software Foundation; either version 2.1 of the License, or
  13   (at your option) any later version.
  14
  15   systemd is distributed in the hope that it will be useful, but
  16   WITHOUT ANY WARRANTY; without even the implied warranty of
  17   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  18   Lesser General Public License for more details.
  19
  20   You should have received a copy of the GNU Lesser General Public License
  21   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  22 ***/
  23
  24 typedef enum DnssecMode DnssecMode;
  25 typedef enum DnssecResult DnssecResult;
  26
  27 #include "dns-domain.h"
  28 #include "resolved-dns-answer.h"
  29 #include "resolved-dns-rr.h"
  30
  31 enum DnssecMode {
  32         /* No DNSSEC validation is done */
  33         DNSSEC_NO,
  34
  35         /* Trust the AD bit sent by the server. UNSAFE! */
  36         DNSSEC_TRUST,
  37
  38         /* Validate locally, if the server knows DO, but if not, don't. Don't trust the AD bit */
  39         DNSSEC_YES,
  40
  41         _DNSSEC_MODE_MAX,
  42         _DNSSEC_MODE_INVALID = -1
  43 };
  44
  45 enum DnssecResult {
  46         /* These four are returned by dnssec_verify_rrset() */
  47         DNSSEC_VALIDATED,
  48         DNSSEC_INVALID,
  49         DNSSEC_SIGNATURE_EXPIRED,
  50         DNSSEC_UNSUPPORTED_ALGORITHM,
  51
  52         /* These two are added by dnssec_verify_rrset_search() */
  53         DNSSEC_NO_SIGNATURE,
  54         DNSSEC_MISSING_KEY,
  55
  56         /* These two are added by the DnsTransaction logic */
  57         DNSSEC_UNSIGNED,
  58         DNSSEC_FAILED_AUXILIARY,
  59         DNSSEC_NSEC_MISMATCH,
  60         _DNSSEC_RESULT_MAX,
  61         _DNSSEC_RESULT_INVALID = -1
  62 };
  63
  64 #define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
  65
  66 /* The longest digest we'll ever generate, of all digest algorithms we support */
  67 #define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
  68
  69 int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey);
  70 int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig);
  71
  72 int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
  73 int dnssec_verify_rrset_search(DnsAnswer *answer, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result);
  74
  75 int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds);
  76 int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
  77
  78 uint16_t dnssec_keytag(DnsResourceRecord *dnskey);
  79
  80 int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
  81
  82 int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
  83
  84 typedef enum DnssecNsecResult {
  85         DNSSEC_NSEC_NO_RR,     /* No suitable NSEC/NSEC3 RR found */
  86         DNSSEC_NSEC_NXDOMAIN,
  87         DNSSEC_NSEC_NODATA,
  88         DNSSEC_NSEC_FOUND,
  89 } DnssecNsecResult;
  90
  91 int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result);
  92
  93 const char* dnssec_mode_to_string(DnssecMode m) _const_;
  94 DnssecMode dnssec_mode_from_string(const char *s) _pure_;
  95
  96 const char* dnssec_result_to_string(DnssecResult m) _const_;
  97 DnssecResult dnssec_result_from_string(const char *s) _pure_;