105e151299
This large patch adds a couple of mechanisms to ensure we get NSEC3 and proof-of-unsigned support into place. Specifically: - Each item in an DnsAnswer gets two bit flags now: DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is necessary since DNS responses might contain signed as well as unsigned RRsets in one, and we need to remember which ones are signed and which ones aren't. The latter is necessary, since not we need to keep track which RRsets may be cached and which ones may not be, even while manipulating DnsAnswer objects. - The .n_answer_cachable of DnsTransaction is dropped now (it used to store how many of the first DnsAnswer entries are cachable), and replaced by the DNS_ANSWER_CACHABLE flag instead. - NSEC3 proofs are implemented now (lacking support for the wildcard part, to be added in a later commit). - Support for the "AD" bit has been dropped. It's unsafe, and now that we have end-to-end authentication we don't need it anymore. - An auxiliary DnsTransaction of a DnsTransactions is now kept around as least as long as the latter stays around. We no longer remove the auxiliary DnsTransaction as soon as it completed. THis is necessary, as we now are interested not only in the RRsets it acquired but also in its authentication status.
99 lines
3.4 KiB
C
99 lines
3.4 KiB
C
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
|
|
|
|
#pragma once
|
|
|
|
/***
|
|
This file is part of systemd.
|
|
|
|
Copyright 2015 Lennart Poettering
|
|
|
|
systemd is free software; you can redistribute it and/or modify it
|
|
under the terms of the GNU Lesser General Public License as published by
|
|
the Free Software Foundation; either version 2.1 of the License, or
|
|
(at your option) any later version.
|
|
|
|
systemd is distributed in the hope that it will be useful, but
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public License
|
|
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
***/
|
|
|
|
typedef enum DnssecMode DnssecMode;
|
|
typedef enum DnssecResult DnssecResult;
|
|
|
|
#include "dns-domain.h"
|
|
#include "resolved-dns-answer.h"
|
|
#include "resolved-dns-rr.h"
|
|
|
|
enum DnssecMode {
|
|
/* No DNSSEC validation is done */
|
|
DNSSEC_NO,
|
|
|
|
/* Validate locally, if the server knows DO, but if not, don't. Don't trust the AD bit */
|
|
DNSSEC_YES,
|
|
|
|
_DNSSEC_MODE_MAX,
|
|
_DNSSEC_MODE_INVALID = -1
|
|
};
|
|
|
|
enum DnssecResult {
|
|
/* These four are returned by dnssec_verify_rrset() */
|
|
DNSSEC_VALIDATED,
|
|
DNSSEC_INVALID,
|
|
DNSSEC_SIGNATURE_EXPIRED,
|
|
DNSSEC_UNSUPPORTED_ALGORITHM,
|
|
|
|
/* These two are added by dnssec_verify_rrset_search() */
|
|
DNSSEC_NO_SIGNATURE,
|
|
DNSSEC_MISSING_KEY,
|
|
|
|
/* These two are added by the DnsTransaction logic */
|
|
DNSSEC_UNSIGNED,
|
|
DNSSEC_FAILED_AUXILIARY,
|
|
DNSSEC_NSEC_MISMATCH,
|
|
_DNSSEC_RESULT_MAX,
|
|
_DNSSEC_RESULT_INVALID = -1
|
|
};
|
|
|
|
#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
|
|
|
|
/* The longest digest we'll ever generate, of all digest algorithms we support */
|
|
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
|
|
|
|
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey);
|
|
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
|
|
|
|
int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
|
|
int dnssec_verify_rrset_search(DnsAnswer *answer, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result);
|
|
|
|
int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds);
|
|
int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
|
|
|
|
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);
|
|
|
|
uint16_t dnssec_keytag(DnsResourceRecord *dnskey);
|
|
|
|
int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
|
|
|
|
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
|
|
|
|
typedef enum DnssecNsecResult {
|
|
DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */
|
|
DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,
|
|
DNSSEC_NSEC_NXDOMAIN,
|
|
DNSSEC_NSEC_NODATA,
|
|
DNSSEC_NSEC_FOUND,
|
|
DNSSEC_NSEC_OPTOUT,
|
|
} DnssecNsecResult;
|
|
|
|
int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result);
|
|
|
|
const char* dnssec_mode_to_string(DnssecMode m) _const_;
|
|
DnssecMode dnssec_mode_from_string(const char *s) _pure_;
|
|
|
|
const char* dnssec_result_to_string(DnssecResult m) _const_;
|
|
DnssecResult dnssec_result_from_string(const char *s) _pure_;
|