0c69794138
These lines are generally out-of-date, incomplete and unnecessary. With SPDX and git repository much more accurate and fine grained information about licensing and authorship is available, hence let's drop the per-file copyright notice. Of course, removing copyright lines of others is problematic, hence this commit only removes my own lines and leaves all others untouched. It might be nicer if sooner or later those could go away too, making git the only and accurate source of authorship information.
84 lines
3.1 KiB
C
84 lines
3.1 KiB
C
/* SPDX-License-Identifier: LGPL-2.1+ */
|
|
#pragma once
|
|
|
|
typedef enum DnssecResult DnssecResult;
|
|
typedef enum DnssecVerdict DnssecVerdict;
|
|
|
|
#include "dns-domain.h"
|
|
#include "resolved-dns-answer.h"
|
|
#include "resolved-dns-rr.h"
|
|
|
|
enum DnssecResult {
|
|
/* These five are returned by dnssec_verify_rrset() */
|
|
DNSSEC_VALIDATED,
|
|
DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
|
|
DNSSEC_INVALID,
|
|
DNSSEC_SIGNATURE_EXPIRED,
|
|
DNSSEC_UNSUPPORTED_ALGORITHM,
|
|
|
|
/* These two are added by dnssec_verify_rrset_search() */
|
|
DNSSEC_NO_SIGNATURE,
|
|
DNSSEC_MISSING_KEY,
|
|
|
|
/* These two are added by the DnsTransaction logic */
|
|
DNSSEC_UNSIGNED,
|
|
DNSSEC_FAILED_AUXILIARY,
|
|
DNSSEC_NSEC_MISMATCH,
|
|
DNSSEC_INCOMPATIBLE_SERVER,
|
|
|
|
_DNSSEC_RESULT_MAX,
|
|
_DNSSEC_RESULT_INVALID = -1
|
|
};
|
|
|
|
enum DnssecVerdict {
|
|
DNSSEC_SECURE,
|
|
DNSSEC_INSECURE,
|
|
DNSSEC_BOGUS,
|
|
DNSSEC_INDETERMINATE,
|
|
|
|
_DNSSEC_VERDICT_MAX,
|
|
_DNSSEC_VERDICT_INVALID = -1
|
|
};
|
|
|
|
#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
|
|
|
|
/* The longest digest we'll ever generate, of all digest algorithms we support */
|
|
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
|
|
|
|
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
|
|
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
|
|
|
|
int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
|
|
int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);
|
|
|
|
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
|
|
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
|
|
|
|
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);
|
|
|
|
uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);
|
|
|
|
int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
|
|
|
|
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
|
|
|
|
typedef enum DnssecNsecResult {
|
|
DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */
|
|
DNSSEC_NSEC_CNAME, /* Didn't find what was asked for, but did find CNAME */
|
|
DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,
|
|
DNSSEC_NSEC_NXDOMAIN,
|
|
DNSSEC_NSEC_NODATA,
|
|
DNSSEC_NSEC_FOUND,
|
|
DNSSEC_NSEC_OPTOUT,
|
|
} DnssecNsecResult;
|
|
|
|
int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);
|
|
|
|
int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);
|
|
|
|
const char* dnssec_result_to_string(DnssecResult m) _const_;
|
|
DnssecResult dnssec_result_from_string(const char *s) _pure_;
|
|
|
|
const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
|
|
DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;
|