1 /* SPDX-License-Identifier: LGPL-2.1+ */
5 This file is part of systemd.
7 Copyright 2015 Lennart Poettering
/* Forward declarations of the two result enums so the prototypes in this header can name them before the
 * enum bodies (defined further down in this file) are seen. */
typedef enum DnssecResult DnssecResult;
typedef enum DnssecVerdict DnssecVerdict;
13 #include "dns-domain.h"
14 #include "resolved-dns-answer.h"
15 #include "resolved-dns-rr.h"
18 /* These five are returned by dnssec_verify_rrset() */
20 DNSSEC_VALIDATED_WILDCARD
, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
22 DNSSEC_SIGNATURE_EXPIRED
,
23 DNSSEC_UNSUPPORTED_ALGORITHM
,
25 /* These two are added by dnssec_verify_rrset_search() */
29 /* These two are added by the DnsTransaction logic */
31 DNSSEC_FAILED_AUXILIARY
,
33 DNSSEC_INCOMPATIBLE_SERVER
,
36 _DNSSEC_RESULT_INVALID
= -1
46 _DNSSEC_VERDICT_INVALID
= -1
/* Upper bound for a canonicalized host name: DNS_HOSTNAME_MAX plus two extra bytes. Presumably this is the
 * intended size of the buffer handed to dnssec_canonicalize() below (trailing dot plus NUL terminator) —
 * confirm against the implementation before relying on it. */
#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

/* The longest digest we'll ever generate, of all digest algorithms we support. The two operands are the
 * 160-bit and 256-bit digest lengths in bytes (SHA-1 and SHA-256 sized). Any buffer sized with this constant
 * (the out-parameter of dnssec_nsec3_hash() is the obvious candidate) would be overrun if support for a
 * longer digest were added without bumping this value, so keep the two in sync. */
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
/* Checks whether the given RRSIG RR could have been produced by the given DNSKEY RR. Which fields are
 * compared (presumably signer name, algorithm and key tag) is decided in the implementation — confirm there.
 * revoked_ok selects whether a DNSKEY that is presumably flagged as revoked is still accepted as a match.
 * The return-value convention (boolean vs. negative errno) is not visible in this header. */
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
/* Checks whether the given RRSIG RR covers the RRset identified by key (presumably by owner name, class and
 * the RRSIG's "type covered" field — confirm in the implementation). key is not modified. */
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
/* Verifies the RRset selected by key out of answer against exactly one RRSIG and one DNSKEY. realtime is the
 * current wall-clock time used to evaluate the signature validity window (DNSSEC_SIGNATURE_EXPIRED is one of
 * the outcomes declared above). The verdict is stored in *result; per the comment on the DnssecResult enum,
 * five of its values originate here. NOTE(review): a non-negative return does not by itself mean the RRset
 * is authentic — callers must inspect *result, and DNSSEC_VALIDATED_WILDCARD explicitly still requires
 * NSEC/NSEC3 checks (see the enum comment). */
int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
/* Like dnssec_verify_rrset(), but searches answer for candidate RRSIGs and validated_dnskeys for a matching
 * key instead of being handed one of each. On return *rrsig presumably points to the RRSIG that was used
 * (whether the caller receives a reference it must drop is not visible here — confirm). Per the comment on
 * the DnssecResult enum, two additional result values can be produced by this search variant. */
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);
/* Checks a DNSKEY RR against a single DS RR (a DS carries a digest of a DNSKEY). mask_revoke presumably
 * controls whether the key's revoke flag bit is masked out before the digest is computed; dnssec_keytag()
 * takes a parameter of the same name — confirm the two agree. */
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
/* Like dnssec_verify_dnskey_by_ds(), but searches validated_ds for a DS RR that matches the DNSKEY. Only DS
 * records that have themselves been validated should be passed in, as the name suggests. */
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
/* Reports whether answer a contains an RRSIG RR covering the RRset identified by key. Presence of a
 * signature says nothing about its validity; use dnssec_verify_rrset*() for that. */
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);
/* Computes the 16-bit key tag of a DNSKEY RR. mask_revoke presumably clears the revoke flag bit before the tag
 * is computed — confirm in the implementation. A key tag is a checksum, not a unique identifier: several keys
 * may share one, so callers must still compare the full key after a tag match. */
uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);
/* Writes the canonical form of domain name n into buffer. buffer_max is the size of buffer in bytes;
 * DNSSEC_CANONICAL_HOSTNAME_MAX (defined above) is presumably the intended allocation size. What
 * "canonical" entails (case folding, trailing dot) is decided by the implementation — confirm there. */
int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
/* Computes the NSEC3 hash of name, presumably using the hash algorithm, salt and iteration count carried by
 * the NSEC3 RR. ret takes no size argument, so the caller is responsible for providing a buffer large enough
 * for any supported digest — DNSSEC_HASH_SIZE_MAX above looks like the intended bound; confirm before use. */
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
71 typedef enum DnssecNsecResult
{
72 DNSSEC_NSEC_NO_RR
, /* No suitable NSEC/NSEC3 RR found */
73 DNSSEC_NSEC_CNAME
, /* Didn't find what was asked for, but did find CNAME */
74 DNSSEC_NSEC_UNSUPPORTED_ALGORITHM
,
/* Evaluates the NSEC/NSEC3 records in answer with respect to key, storing the classification in *result (see
 * the DnssecNsecResult enum above). *authenticated presumably reports whether the proof was built only from
 * validated records, and *ttl presumably the TTL the outcome may be cached with — confirm both in the
 * implementation. */
int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);
/* Checks, using the NSEC/NSEC3 records in a, that a wildcard-synthesized positive answer for name was
 * legitimate — i.e. that no closer match than the wildcard at source exists within zone (the exact semantics
 * of the three names are set by the implementation; confirm there). *authenticated presumably reports whether
 * the records used were validated. This is the follow-up check that DNSSEC_VALIDATED_WILDCARD calls for. */
int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);
/* Name/value conversion for DnssecResult. to_string presumably returns a static string (or NULL for an
 * out-of-range value); from_string presumably returns _DNSSEC_RESULT_INVALID (-1, see above) for an unknown
 * name — confirm against the table in the implementation. _const_/_pure_ are the project's attribute macros. */
const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;
/* Name/value conversion for DnssecVerdict, mirroring the DnssecResult pair. from_string presumably returns
 * _DNSSEC_VERDICT_INVALID (-1, see above) for an unknown name — confirm against the implementation. */
const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;