/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

/* Forward declarations come before the includes: the headers pulled in below
 * presumably refer to these enum types (e.g. from DnsAnswer/DnsResourceRecord),
 * so they must be visible first — check those headers to confirm. */
typedef enum DnssecResult DnssecResult;
typedef enum DnssecVerdict DnssecVerdict;

#include "dns-domain.h"
#include "resolved-dns-answer.h"
#include "resolved-dns-rr.h"

/* Outcome of validating one RRset, at the various layers of the validator.
 * NOTE(review): the *_to_string()/*_from_string() helpers declared further
 * down presumably map these by numeric value (a lookup table), so do not
 * reorder or insert enumerators in the middle without updating that table. */
enum DnssecResult {
        /* These five are returned by dnssec_verify_rrset() */
        DNSSEC_VALIDATED,
        DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary
                                    * (see dnssec_test_positive_wildcard() below) — NOT a final "secure" on its own */
        DNSSEC_INVALID,            /* Signature present but does not verify */
        DNSSEC_SIGNATURE_EXPIRED,  /* Presumably: RRSIG inception/expiration window does not cover the
                                    * 'realtime' argument passed to the verifier */
        DNSSEC_UNSUPPORTED_ALGORITHM,

        /* These two are added by dnssec_verify_rrset_search() */
        DNSSEC_NO_SIGNATURE,
        DNSSEC_MISSING_KEY,

        /* These four are added by the DnsTransaction logic */
        DNSSEC_UNSIGNED,
        DNSSEC_FAILED_AUXILIARY,
        DNSSEC_NSEC_MISMATCH,
        DNSSEC_INCOMPATIBLE_SERVER,

        _DNSSEC_RESULT_MAX,
        _DNSSEC_RESULT_INVALID = -EINVAL, /* Negative sentinel, presumably what dnssec_result_from_string() yields for unknown names */
};

/* Final trust state of a response, in RFC 4035 §4.3 terms: SECURE = validated
 * up to a trust anchor; INSECURE = provably unsigned (e.g. via an unsigned
 * delegation); BOGUS = should have validated but did not — callers must treat
 * this as a failure, never hand the data to clients as if valid;
 * INDETERMINATE = no trust anchor covers the name, so nothing can be said. */
enum DnssecVerdict {
        DNSSEC_SECURE,
        DNSSEC_INSECURE,
        DNSSEC_BOGUS,
        DNSSEC_INDETERMINATE,

        _DNSSEC_VERDICT_MAX,
        _DNSSEC_VERDICT_INVALID = -EINVAL, /* Negative sentinel, presumably the dnssec_verdict_from_string() failure value */
};

/* Room for a hostname in DNSSEC canonical form. The +2 is presumably for the
 * trailing dot plus the terminating NUL — confirm against the canonicalization
 * helper before relying on it for buffer sizing. */
#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

/* The longest digest we'll ever generate, of all digest algorithms we support
 * (20 = SHA-1, 32 = SHA-256).
 * NOTE(review): fixed-size output buffers are presumably sized from this
 * constant (dnssec_nsec3_hash() below takes no output size at all). If a longer
 * digest type is ever added on the .c side (e.g. a 48-byte SHA-384 DS digest),
 * this constant must be bumped in the same change, or the hash overruns the
 * caller's buffer. */
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))

/* Does 'rrsig' plausibly cover 'dnskey' (owner name, key tag, algorithm, ...)?
 * revoked_ok: whether a DNSKEY carrying the (RFC 5011) REVOKE flag is still an
 * acceptable match — presumably false for ordinary validation. */
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
/* Does 'rrsig' cover the RRset identified by 'key' (name/class/type)? */
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);

/* Verify the RRset 'key' contained in 'answer' against one specific
 * RRSIG/DNSKEY pair. 'realtime' is the wall-clock time the signature validity
 * window is checked against (a skewed clock therefore turns good signatures
 * into DNSSEC_SIGNATURE_EXPIRED). The DNSSEC outcome is stored in *result; the
 * int return is presumably 0 or a negative errno for hard (non-DNSSEC) errors. */
int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
/* As dnssec_verify_rrset(), but searches 'answer' for a covering RRSIG and
 * 'validated_dnskeys' for a matching key, adding DNSSEC_NO_SIGNATURE and
 * DNSSEC_MISSING_KEY as outcomes. *rrsig presumably receives the RRSIG that was
 * used. Only keys that have themselves been validated (via DS or a trust
 * anchor) belong in 'validated_dnskeys'; anything else breaks the chain of
 * trust and makes a DNSSEC_VALIDATED result meaningless. */
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);

/* Check that 'dnskey' is the key the 'ds' record commits to (digest over owner
 * name + DNSKEY RDATA). mask_revoke: presumably ignore the REVOKE flag bit
 * when computing the digest/key tag, so a DS published before the key was
 * revoked still matches — see dnssec_keytag(). */
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
/* As above, trying every DS in 'validated_ds' (which, as the name says, must
 * only hold DS records that were themselves validated). */
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);

/* Is there at least one RRSIG in 'a' covering the RRset identified by 'key'? */
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);

/* Key tag of 'dnskey' (RFC 4034 appendix B). mask_revoke: presumably compute it
 * with the REVOKE flag cleared, matching dnssec_verify_dnskey_by_ds().
 * Security note: the key tag is a 16-bit checksum, not a unique identifier;
 * collisions are legitimate, so a tag match only selects candidate keys — the
 * signature must still be verified against each. */
uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);

/* Hash 'name' the NSEC3 way, using the algorithm/salt/iterations carried by
 * 'nsec3', writing the raw digest to 'ret'. No output size is passed, so 'ret'
 * presumably must provide at least DNSSEC_HASH_SIZE_MAX bytes — confirm
 * against the implementation before calling with anything smaller. */
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);

/* Outcome of the NSEC/NSEC3 denial-of-existence checks. */
typedef enum DnssecNsecResult {
        DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */
        DNSSEC_NSEC_CNAME, /* Didn't find what was asked for, but did find CNAME */
        DNSSEC_NSEC_UNSUPPORTED_ALGORITHM, /* NSEC3 hash algorithm we cannot compute */
        DNSSEC_NSEC_NXDOMAIN, /* Denial proves the name does not exist */
        DNSSEC_NSEC_NODATA, /* Denial proves the name exists but has no RRset of the requested type */
        DNSSEC_NSEC_FOUND, /* Presumably: the NSEC/NSEC3 data says the type *does* exist, i.e. the negative reply contradicts it */
        DNSSEC_NSEC_OPTOUT, /* Covered only by an opt-out NSEC3 span (RFC 5155 §6): such a span proves nothing
                             * about the name, so this is NOT an authenticated denial — treat as insecure, never secure */
} DnssecNsecResult;

/* Run the NSEC/NSEC3 checks in 'answer' for the RRset 'key'. *result receives
 * the outcome, *authenticated whether the denial records were themselves
 * validated (an unauthenticated denial must not be used to produce a SECURE
 * verdict), and *ttl presumably the TTL to use for the negative cache entry. */
int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);

/* For an answer synthesized from wildcard 'source' in zone 'zone' for the
 * queried 'name' (the DNSSEC_VALIDATED_WILDCARD case), check that 'a' carries
 * the NSEC/NSEC3 proof that no closer match exists. Without this proof a
 * wildcard RRSIG alone is not a validated positive answer (RFC 4035 §5.3.4).
 * *authenticated reports whether that proof was itself validated. */
int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);

/* Name <-> enum conversions; the *_from_string() variants presumably return
 * the negative _*_INVALID sentinel for unrecognized input, so callers must
 * check for < 0 before indexing anything with the result. */
const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;

const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;
