src/resolve/resolved-dns-dnssec.h

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2 #pragma once
   3
   4 /***
   5   This file is part of systemd.
   6
   7   Copyright 2015 Lennart Poettering
   8 ***/
   9
  10 typedef enum DnssecResult DnssecResult;
  11 typedef enum DnssecVerdict DnssecVerdict;
  12
  13 #include "dns-domain.h"
  14 #include "resolved-dns-answer.h"
  15 #include "resolved-dns-rr.h"
  16
  17 enum DnssecResult {
  18         /* These five are returned by dnssec_verify_rrset() */
  19         DNSSEC_VALIDATED,
  20         DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
  21         DNSSEC_INVALID,
  22         DNSSEC_SIGNATURE_EXPIRED,
  23         DNSSEC_UNSUPPORTED_ALGORITHM,
  24
  25         /* These two are added by dnssec_verify_rrset_search() */
  26         DNSSEC_NO_SIGNATURE,
  27         DNSSEC_MISSING_KEY,
  28
  29         /* These two are added by the DnsTransaction logic */
  30         DNSSEC_UNSIGNED,
  31         DNSSEC_FAILED_AUXILIARY,
  32         DNSSEC_NSEC_MISMATCH,
  33         DNSSEC_INCOMPATIBLE_SERVER,
  34
  35         _DNSSEC_RESULT_MAX,
  36         _DNSSEC_RESULT_INVALID = -1
  37 };
  38
  39 enum DnssecVerdict {
  40         DNSSEC_SECURE,
  41         DNSSEC_INSECURE,
  42         DNSSEC_BOGUS,
  43         DNSSEC_INDETERMINATE,
  44
  45         _DNSSEC_VERDICT_MAX,
  46         _DNSSEC_VERDICT_INVALID = -1
  47 };
  48
  49 #define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
  50
  51 /* The longest digest we'll ever generate, of all digest algorithms we support */
  52 #define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
  53
  54 int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
  55 int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
  56
  57 int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
  58 int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);
  59
  60 int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
  61 int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
  62
  63 int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);
  64
  65 uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);
  66
  67 int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
  68
  69 int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
  70
  71 typedef enum DnssecNsecResult {
  72         DNSSEC_NSEC_NO_RR,     /* No suitable NSEC/NSEC3 RR found */
  73         DNSSEC_NSEC_CNAME,     /* Didn't find what was asked for, but did find CNAME */
  74         DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,
  75         DNSSEC_NSEC_NXDOMAIN,
  76         DNSSEC_NSEC_NODATA,
  77         DNSSEC_NSEC_FOUND,
  78         DNSSEC_NSEC_OPTOUT,
  79 } DnssecNsecResult;
  80
  81 int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);
  82
  83 int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);
  84
  85 const char* dnssec_result_to_string(DnssecResult m) _const_;
  86 DnssecResult dnssec_result_from_string(const char *s) _pure_;
  87
  88 const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
  89 DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;