]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/dns-domain.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
man/systemd.mount: tmpfs automatically gains After=swap.target dep
[thirdparty/systemd.git] / src / shared / dns-domain.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <endian.h>
4 #include <netinet/in.h>
5 #include <stdio.h>
6 #include <sys/socket.h>
7
8 #include "alloc-util.h"
9 #include "dns-domain.h"
10 #include "glyph-util.h"
11 #include "hashmap.h"
12 #include "hexdecoct.h"
13 #include "hostname-util.h"
14 #include "idn-util.h"
15 #include "in-addr-util.h"
16 #include "macro.h"
17 #include "parse-util.h"
18 #include "string-util.h"
19 #include "strv.h"
20 #include "utf8.h"
21
22 int dns_label_unescape(const char **name, char *dest, size_t sz, DNSLabelFlags flags) {
23 const char *n;
24 char *d, last_char = 0;
25 int r = 0;
26
27 assert(name);
28 assert(*name);
29
30 n = *name;
31 d = dest;
32
33 for (;;) {
34 if (IN_SET(*n, 0, '.')) {
35 if (FLAGS_SET(flags, DNS_LABEL_LDH) && last_char == '-')
36 /* Trailing dash */
37 return -EINVAL;
38
39 if (n[0] == '.' && (n[1] != 0 || !FLAGS_SET(flags, DNS_LABEL_LEAVE_TRAILING_DOT)))
40 n++;
41
42 break;
43 }
44
45 if (r >= DNS_LABEL_MAX)
46 return -EINVAL;
47
48 if (sz <= 0)
49 return -ENOBUFS;
50
51 if (*n == '\\') {
52 /* Escaped character */
53 if (FLAGS_SET(flags, DNS_LABEL_NO_ESCAPES))
54 return -EINVAL;
55
56 n++;
57
58 if (*n == 0)
59 /* Ending NUL */
60 return -EINVAL;
61
62 else if (IN_SET(*n, '\\', '.')) {
63 /* Escaped backslash or dot */
64
65 if (FLAGS_SET(flags, DNS_LABEL_LDH))
66 return -EINVAL;
67
68 last_char = *n;
69 if (d)
70 *(d++) = *n;
71 sz--;
72 r++;
73 n++;
74
75 } else if (n[0] >= '0' && n[0] <= '9') {
76 unsigned k;
77
78 /* Escaped literal ASCII character */
79
80 if (!(n[1] >= '0' && n[1] <= '9') ||
81 !(n[2] >= '0' && n[2] <= '9'))
82 return -EINVAL;
83
84 k = ((unsigned) (n[0] - '0') * 100) +
85 ((unsigned) (n[1] - '0') * 10) +
86 ((unsigned) (n[2] - '0'));
87
88 /* Don't allow anything that doesn't fit in 8 bits. Note that we do allow
89 * control characters, as some servers (e.g. cloudflare) are happy to
90 * generate labels with them inside. */
91 if (k > 255)
92 return -EINVAL;
93
94 if (FLAGS_SET(flags, DNS_LABEL_LDH) &&
95 !valid_ldh_char((char) k))
96 return -EINVAL;
97
98 last_char = (char) k;
99 if (d)
100 *(d++) = (char) k;
101 sz--;
102 r++;
103
104 n += 3;
105 } else
106 return -EINVAL;
107
108 } else if ((uint8_t) *n >= (uint8_t) ' ' && *n != 127) {
109
110 /* Normal character */
111
112 if (FLAGS_SET(flags, DNS_LABEL_LDH)) {
113 if (!valid_ldh_char(*n))
114 return -EINVAL;
115 if (r == 0 && *n == '-')
116 /* Leading dash */
117 return -EINVAL;
118 }
119
120 last_char = *n;
121 if (d)
122 *(d++) = *n;
123 sz--;
124 r++;
125 n++;
126 } else
127 return -EINVAL;
128 }
129
130 /* Empty label that is not at the end? */
131 if (r == 0 && *n)
132 return -EINVAL;
133
134 /* More than one trailing dot? */
135 if (n[0] == '.' && !FLAGS_SET(flags, DNS_LABEL_LEAVE_TRAILING_DOT))
136 return -EINVAL;
137
138 if (sz >= 1 && d)
139 *d = 0;
140
141 *name = n;
142 return r;
143 }
144
145 /* @label_terminal: terminal character of a label, updated to point to the terminal character of
146 * the previous label (always skipping one dot) or to NULL if there are no more
147 * labels. */
148 int dns_label_unescape_suffix(const char *name, const char **label_terminal, char *dest, size_t sz) {
149 const char *terminal;
150 int r;
151
152 assert(name);
153 assert(label_terminal);
154 assert(dest);
155
156 /* no more labels */
157 if (!*label_terminal) {
158 if (sz >= 1)
159 *dest = 0;
160
161 return 0;
162 }
163
164 terminal = *label_terminal;
165 assert(IN_SET(*terminal, 0, '.'));
166
167 /* Skip current terminal character (and accept domain names ending it ".") */
168 if (*terminal == 0)
169 terminal = PTR_SUB1(terminal, name);
170 if (terminal >= name && *terminal == '.')
171 terminal = PTR_SUB1(terminal, name);
172
173 /* Point name to the last label, and terminal to the preceding terminal symbol (or make it a NULL pointer) */
174 while (terminal) {
175 /* Find the start of the last label */
176 if (*terminal == '.') {
177 const char *y;
178 unsigned slashes = 0;
179
180 for (y = PTR_SUB1(terminal, name); y && *y == '\\'; y = PTR_SUB1(y, name))
181 slashes++;
182
183 if (slashes % 2 == 0) {
184 /* The '.' was not escaped */
185 name = terminal + 1;
186 break;
187 } else {
188 terminal = y;
189 continue;
190 }
191 }
192
193 terminal = PTR_SUB1(terminal, name);
194 }
195
196 r = dns_label_unescape(&name, dest, sz, 0);
197 if (r < 0)
198 return r;
199
200 *label_terminal = terminal;
201
202 return r;
203 }
204
205 int dns_label_escape(const char *p, size_t l, char *dest, size_t sz) {
206 char *q;
207
208 /* DNS labels must be between 1 and 63 characters long. A
209 * zero-length label does not exist. See RFC 2181, Section
210 * 11. */
211
212 if (l <= 0 || l > DNS_LABEL_MAX)
213 return -EINVAL;
214 if (sz < 1)
215 return -ENOBUFS;
216
217 assert(p);
218 assert(dest);
219
220 q = dest;
221 while (l > 0) {
222
223 if (IN_SET(*p, '.', '\\')) {
224
225 /* Dot or backslash */
226
227 if (sz < 3)
228 return -ENOBUFS;
229
230 *(q++) = '\\';
231 *(q++) = *p;
232
233 sz -= 2;
234
235 } else if (IN_SET(*p, '_', '-') ||
236 ascii_isdigit(*p) ||
237 ascii_isalpha(*p)) {
238
239 /* Proper character */
240
241 if (sz < 2)
242 return -ENOBUFS;
243
244 *(q++) = *p;
245 sz -= 1;
246
247 } else {
248
249 /* Everything else */
250
251 if (sz < 5)
252 return -ENOBUFS;
253
254 *(q++) = '\\';
255 *(q++) = '0' + (char) ((uint8_t) *p / 100);
256 *(q++) = '0' + (char) (((uint8_t) *p / 10) % 10);
257 *(q++) = '0' + (char) ((uint8_t) *p % 10);
258
259 sz -= 4;
260 }
261
262 p++;
263 l--;
264 }
265
266 *q = 0;
267 return (int) (q - dest);
268 }
269
270 int dns_label_escape_new(const char *p, size_t l, char **ret) {
271 _cleanup_free_ char *s = NULL;
272 int r;
273
274 assert(p);
275 assert(ret);
276
277 if (l <= 0 || l > DNS_LABEL_MAX)
278 return -EINVAL;
279
280 s = new(char, DNS_LABEL_ESCAPED_MAX);
281 if (!s)
282 return -ENOMEM;
283
284 r = dns_label_escape(p, l, s, DNS_LABEL_ESCAPED_MAX);
285 if (r < 0)
286 return r;
287
288 *ret = TAKE_PTR(s);
289
290 return r;
291 }
292
293 #if HAVE_LIBIDN
294 int dns_label_apply_idna(const char *encoded, size_t encoded_size, char *decoded, size_t decoded_max) {
295 _cleanup_free_ uint32_t *input = NULL;
296 size_t input_size, l;
297 bool contains_8_bit = false;
298 char buffer[DNS_LABEL_MAX+1];
299 int r;
300
301 assert(encoded);
302 assert(decoded);
303
304 /* Converts a U-label into an A-label */
305
306 r = dlopen_idn();
307 if (r < 0)
308 return r;
309
310 if (encoded_size <= 0)
311 return -EINVAL;
312
313 for (const char *p = encoded; p < encoded + encoded_size; p++)
314 if ((uint8_t) *p > 127)
315 contains_8_bit = true;
316
317 if (!contains_8_bit) {
318 if (encoded_size > DNS_LABEL_MAX)
319 return -EINVAL;
320
321 return 0;
322 }
323
324 input = sym_stringprep_utf8_to_ucs4(encoded, encoded_size, &input_size);
325 if (!input)
326 return -ENOMEM;
327
328 if (sym_idna_to_ascii_4i(input, input_size, buffer, 0) != 0)
329 return -EINVAL;
330
331 l = strlen(buffer);
332
333 /* Verify that the result is not longer than one DNS label. */
334 if (l <= 0 || l > DNS_LABEL_MAX)
335 return -EINVAL;
336 if (l > decoded_max)
337 return -ENOBUFS;
338
339 memcpy(decoded, buffer, l);
340
341 /* If there's room, append a trailing NUL byte, but only then */
342 if (decoded_max > l)
343 decoded[l] = 0;
344
345 return (int) l;
346 }
347
348 int dns_label_undo_idna(const char *encoded, size_t encoded_size, char *decoded, size_t decoded_max) {
349 size_t input_size, output_size;
350 _cleanup_free_ uint32_t *input = NULL;
351 _cleanup_free_ char *result = NULL;
352 uint32_t *output = NULL;
353 size_t w;
354 int r;
355
356 /* To be invoked after unescaping. Converts an A-label into a U-label. */
357
358 assert(encoded);
359 assert(decoded);
360
361 r = dlopen_idn();
362 if (r < 0)
363 return r;
364
365 if (encoded_size <= 0 || encoded_size > DNS_LABEL_MAX)
366 return -EINVAL;
367
368 if (!memory_startswith(encoded, encoded_size, IDNA_ACE_PREFIX))
369 return 0;
370
371 input = sym_stringprep_utf8_to_ucs4(encoded, encoded_size, &input_size);
372 if (!input)
373 return -ENOMEM;
374
375 output_size = input_size;
376 output = newa(uint32_t, output_size);
377
378 sym_idna_to_unicode_44i(input, input_size, output, &output_size, 0);
379
380 result = sym_stringprep_ucs4_to_utf8(output, output_size, NULL, &w);
381 if (!result)
382 return -ENOMEM;
383 if (w <= 0)
384 return -EINVAL;
385 if (w > decoded_max)
386 return -ENOBUFS;
387
388 memcpy(decoded, result, w);
389
390 /* Append trailing NUL byte if there's space, but only then. */
391 if (decoded_max > w)
392 decoded[w] = 0;
393
394 return w;
395 }
396 #endif
397
398 int dns_name_concat(const char *a, const char *b, DNSLabelFlags flags, char **_ret) {
399 _cleanup_free_ char *ret = NULL;
400 size_t n = 0;
401 const char *p;
402 bool first = true;
403 int r;
404
405 if (a)
406 p = a;
407 else if (b)
408 p = TAKE_PTR(b);
409 else
410 goto finish;
411
412 for (;;) {
413 char label[DNS_LABEL_MAX];
414
415 r = dns_label_unescape(&p, label, sizeof label, flags);
416 if (r < 0)
417 return r;
418 if (r == 0) {
419 if (*p != 0)
420 return -EINVAL;
421
422 if (b) {
423 /* Now continue with the second string, if there is one */
424 p = TAKE_PTR(b);
425 continue;
426 }
427
428 break;
429 }
430
431 if (_ret) {
432 if (!GREEDY_REALLOC(ret, n + !first + DNS_LABEL_ESCAPED_MAX))
433 return -ENOMEM;
434
435 r = dns_label_escape(label, r, ret + n + !first, DNS_LABEL_ESCAPED_MAX);
436 if (r < 0)
437 return r;
438
439 if (!first)
440 ret[n] = '.';
441 } else {
442 char escaped[DNS_LABEL_ESCAPED_MAX];
443
444 r = dns_label_escape(label, r, escaped, sizeof(escaped));
445 if (r < 0)
446 return r;
447 }
448
449 n += r + !first;
450 first = false;
451 }
452
453 finish:
454 if (n > DNS_HOSTNAME_MAX)
455 return -EINVAL;
456
457 if (_ret) {
458 if (n == 0) {
459 /* Nothing appended? If so, generate at least a single dot, to indicate the DNS root domain */
460 if (!GREEDY_REALLOC(ret, 2))
461 return -ENOMEM;
462
463 ret[n++] = '.';
464 } else {
465 if (!GREEDY_REALLOC(ret, n + 1))
466 return -ENOMEM;
467 }
468
469 ret[n] = 0;
470 *_ret = TAKE_PTR(ret);
471 }
472
473 return 0;
474 }
475
476 void dns_name_hash_func(const char *p, struct siphash *state) {
477 int r;
478
479 assert(p);
480
481 for (;;) {
482 char label[DNS_LABEL_MAX+1];
483
484 r = dns_label_unescape(&p, label, sizeof label, 0);
485 if (r < 0)
486 break;
487 if (r == 0)
488 break;
489
490 ascii_strlower_n(label, r);
491 siphash24_compress(label, r, state);
492 siphash24_compress_byte(0, state); /* make sure foobar and foo.bar result in different hashes */
493 }
494
495 /* enforce that all names are terminated by the empty label */
496 string_hash_func("", state);
497 }
498
499 int dns_name_compare_func(const char *a, const char *b) {
500 const char *x, *y;
501 int r, q;
502
503 assert(a);
504 assert(b);
505
506 x = a + strlen(a);
507 y = b + strlen(b);
508
509 for (;;) {
510 char la[DNS_LABEL_MAX], lb[DNS_LABEL_MAX];
511
512 if (x == NULL && y == NULL)
513 return 0;
514
515 r = dns_label_unescape_suffix(a, &x, la, sizeof(la));
516 q = dns_label_unescape_suffix(b, &y, lb, sizeof(lb));
517 if (r < 0 || q < 0)
518 return CMP(r, q);
519
520 r = ascii_strcasecmp_nn(la, r, lb, q);
521 if (r != 0)
522 return r;
523 }
524 }
525
526 DEFINE_HASH_OPS(
527 dns_name_hash_ops,
528 char,
529 dns_name_hash_func,
530 dns_name_compare_func);
531
532 DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR(
533 dns_name_hash_ops_free,
534 char,
535 dns_name_hash_func,
536 dns_name_compare_func,
537 free);
538
539 int dns_name_equal(const char *x, const char *y) {
540 int r, q;
541
542 assert(x);
543 assert(y);
544
545 for (;;) {
546 char la[DNS_LABEL_MAX], lb[DNS_LABEL_MAX];
547
548 r = dns_label_unescape(&x, la, sizeof la, 0);
549 if (r < 0)
550 return r;
551
552 q = dns_label_unescape(&y, lb, sizeof lb, 0);
553 if (q < 0)
554 return q;
555
556 if (r != q)
557 return false;
558 if (r == 0)
559 return true;
560
561 if (ascii_strcasecmp_n(la, lb, r) != 0)
562 return false;
563 }
564 }
565
566 int dns_name_endswith(const char *name, const char *suffix) {
567 const char *n, *s, *saved_n = NULL;
568 int r, q;
569
570 assert(name);
571 assert(suffix);
572
573 n = name;
574 s = suffix;
575
576 for (;;) {
577 char ln[DNS_LABEL_MAX], ls[DNS_LABEL_MAX];
578
579 r = dns_label_unescape(&n, ln, sizeof ln, 0);
580 if (r < 0)
581 return r;
582
583 if (!saved_n)
584 saved_n = n;
585
586 q = dns_label_unescape(&s, ls, sizeof ls, 0);
587 if (q < 0)
588 return q;
589
590 if (r == 0 && q == 0)
591 return true;
592 if (r == 0 && saved_n == n)
593 return false;
594
595 if (r != q || ascii_strcasecmp_n(ln, ls, r) != 0) {
596
597 /* Not the same, let's jump back, and try with the next label again */
598 s = suffix;
599 n = TAKE_PTR(saved_n);
600 }
601 }
602 }
603
604 int dns_name_startswith(const char *name, const char *prefix) {
605 const char *n, *p;
606 int r, q;
607
608 assert(name);
609 assert(prefix);
610
611 n = name;
612 p = prefix;
613
614 for (;;) {
615 char ln[DNS_LABEL_MAX], lp[DNS_LABEL_MAX];
616
617 r = dns_label_unescape(&p, lp, sizeof lp, 0);
618 if (r < 0)
619 return r;
620 if (r == 0)
621 return true;
622
623 q = dns_label_unescape(&n, ln, sizeof ln, 0);
624 if (q < 0)
625 return q;
626
627 if (r != q)
628 return false;
629 if (ascii_strcasecmp_n(ln, lp, r) != 0)
630 return false;
631 }
632 }
633
634 int dns_name_change_suffix(const char *name, const char *old_suffix, const char *new_suffix, char **ret) {
635 const char *n, *s, *saved_before = NULL, *saved_after = NULL, *prefix;
636 int r, q;
637
638 assert(name);
639 assert(old_suffix);
640 assert(new_suffix);
641 assert(ret);
642
643 n = name;
644 s = old_suffix;
645
646 for (;;) {
647 char ln[DNS_LABEL_MAX], ls[DNS_LABEL_MAX];
648
649 if (!saved_before)
650 saved_before = n;
651
652 r = dns_label_unescape(&n, ln, sizeof ln, 0);
653 if (r < 0)
654 return r;
655
656 if (!saved_after)
657 saved_after = n;
658
659 q = dns_label_unescape(&s, ls, sizeof ls, 0);
660 if (q < 0)
661 return q;
662
663 if (r == 0 && q == 0)
664 break;
665 if (r == 0 && saved_after == n) {
666 *ret = NULL; /* doesn't match */
667 return 0;
668 }
669
670 if (r != q || ascii_strcasecmp_n(ln, ls, r) != 0) {
671
672 /* Not the same, let's jump back, and try with the next label again */
673 s = old_suffix;
674 n = TAKE_PTR(saved_after);
675 saved_before = NULL;
676 }
677 }
678
679 /* Found it! Now generate the new name */
680 prefix = strndupa_safe(name, saved_before - name);
681
682 r = dns_name_concat(prefix, new_suffix, 0, ret);
683 if (r < 0)
684 return r;
685
686 return 1;
687 }
688
689 int dns_name_between(const char *a, const char *b, const char *c) {
690 /* Determine if b is strictly greater than a and strictly smaller than c.
691 We consider the order of names to be circular, so that if a is
692 strictly greater than c, we consider b to be between them if it is
693 either greater than a or smaller than c. This is how the canonical
694 DNS name order used in NSEC records work. */
695
696 if (dns_name_compare_func(a, c) < 0)
697 /*
698 a and c are properly ordered:
699 a<---b--->c
700 */
701 return dns_name_compare_func(a, b) < 0 &&
702 dns_name_compare_func(b, c) < 0;
703 else
704 /*
705 a and c are equal or 'reversed':
706 <--b--c a----->
707 or:
708 <-----c a--b-->
709 */
710 return dns_name_compare_func(b, c) < 0 ||
711 dns_name_compare_func(a, b) < 0;
712 }
713
714 int dns_name_reverse(int family, const union in_addr_union *a, char **ret) {
715 const uint8_t *p;
716 int r;
717
718 assert(a);
719 assert(ret);
720
721 p = (const uint8_t*) a;
722
723 if (family == AF_INET)
724 r = asprintf(ret, "%u.%u.%u.%u.in-addr.arpa", p[3], p[2], p[1], p[0]);
725 else if (family == AF_INET6)
726 r = asprintf(ret, "%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.ip6.arpa",
727 hexchar(p[15] & 0xF), hexchar(p[15] >> 4), hexchar(p[14] & 0xF), hexchar(p[14] >> 4),
728 hexchar(p[13] & 0xF), hexchar(p[13] >> 4), hexchar(p[12] & 0xF), hexchar(p[12] >> 4),
729 hexchar(p[11] & 0xF), hexchar(p[11] >> 4), hexchar(p[10] & 0xF), hexchar(p[10] >> 4),
730 hexchar(p[ 9] & 0xF), hexchar(p[ 9] >> 4), hexchar(p[ 8] & 0xF), hexchar(p[ 8] >> 4),
731 hexchar(p[ 7] & 0xF), hexchar(p[ 7] >> 4), hexchar(p[ 6] & 0xF), hexchar(p[ 6] >> 4),
732 hexchar(p[ 5] & 0xF), hexchar(p[ 5] >> 4), hexchar(p[ 4] & 0xF), hexchar(p[ 4] >> 4),
733 hexchar(p[ 3] & 0xF), hexchar(p[ 3] >> 4), hexchar(p[ 2] & 0xF), hexchar(p[ 2] >> 4),
734 hexchar(p[ 1] & 0xF), hexchar(p[ 1] >> 4), hexchar(p[ 0] & 0xF), hexchar(p[ 0] >> 4));
735 else
736 return -EAFNOSUPPORT;
737 if (r < 0)
738 return -ENOMEM;
739
740 return 0;
741 }
742
743 int dns_name_address(const char *p, int *ret_family, union in_addr_union *ret_address) {
744 int r;
745
746 assert(p);
747 assert(ret_family);
748 assert(ret_address);
749
750 r = dns_name_endswith(p, "in-addr.arpa");
751 if (r < 0)
752 return r;
753 if (r > 0) {
754 uint8_t a[4];
755
756 for (size_t i = 0; i < ELEMENTSOF(a); i++) {
757 char label[DNS_LABEL_MAX+1];
758
759 r = dns_label_unescape(&p, label, sizeof label, 0);
760 if (r < 0)
761 return r;
762 if (r == 0)
763 return -EINVAL;
764 if (r > 3)
765 return -EINVAL;
766
767 r = safe_atou8(label, &a[i]);
768 if (r < 0)
769 return r;
770 }
771
772 r = dns_name_equal(p, "in-addr.arpa");
773 if (r <= 0)
774 return r;
775
776 *ret_family = AF_INET;
777 ret_address->in.s_addr = htobe32(((uint32_t) a[3] << 24) |
778 ((uint32_t) a[2] << 16) |
779 ((uint32_t) a[1] << 8) |
780 (uint32_t) a[0]);
781
782 return 1;
783 }
784
785 r = dns_name_endswith(p, "ip6.arpa");
786 if (r < 0)
787 return r;
788 if (r > 0) {
789 struct in6_addr a;
790
791 for (size_t i = 0; i < ELEMENTSOF(a.s6_addr); i++) {
792 char label[DNS_LABEL_MAX+1];
793 int x, y;
794
795 r = dns_label_unescape(&p, label, sizeof label, 0);
796 if (r <= 0)
797 return r;
798 if (r != 1)
799 return -EINVAL;
800 x = unhexchar(label[0]);
801 if (x < 0)
802 return -EINVAL;
803
804 r = dns_label_unescape(&p, label, sizeof label, 0);
805 if (r <= 0)
806 return r;
807 if (r != 1)
808 return -EINVAL;
809 y = unhexchar(label[0]);
810 if (y < 0)
811 return -EINVAL;
812
813 a.s6_addr[ELEMENTSOF(a.s6_addr) - i - 1] = (uint8_t) y << 4 | (uint8_t) x;
814 }
815
816 r = dns_name_equal(p, "ip6.arpa");
817 if (r <= 0)
818 return r;
819
820 *ret_family = AF_INET6;
821 ret_address->in6 = a;
822 return 1;
823 }
824
825 *ret_family = AF_UNSPEC;
826 *ret_address = IN_ADDR_NULL;
827
828 return 0;
829 }
830
831 bool dns_name_is_root(const char *name) {
832 assert(name);
833
834 /* There are exactly two ways to encode the root domain name:
835 * as empty string, or with a single dot. */
836
837 return STR_IN_SET(name, "", ".");
838 }
839
840 bool dns_name_is_single_label(const char *name) {
841 int r;
842
843 assert(name);
844
845 r = dns_name_parent(&name);
846 if (r <= 0)
847 return false;
848
849 return dns_name_is_root(name);
850 }
851
852 /* Encode a domain name according to RFC 1035 Section 3.1, without compression */
853 int dns_name_to_wire_format(const char *domain, uint8_t *buffer, size_t len, bool canonical) {
854 uint8_t *label_length, *out;
855 int r;
856
857 assert(domain);
858 assert(buffer);
859
860 out = buffer;
861
862 do {
863 /* Reserve a byte for label length */
864 if (len <= 0)
865 return -ENOBUFS;
866 len--;
867 label_length = out;
868 out++;
869
870 /* Convert and copy a single label. Note that
871 * dns_label_unescape() returns 0 when it hits the end
872 * of the domain name, which we rely on here to encode
873 * the trailing NUL byte. */
874 r = dns_label_unescape(&domain, (char *) out, len, 0);
875 if (r < 0)
876 return r;
877
878 /* Optionally, output the name in DNSSEC canonical
879 * format, as described in RFC 4034, section 6.2. Or
880 * in other words: in lower-case. */
881 if (canonical)
882 ascii_strlower_n((char*) out, (size_t) r);
883
884 /* Fill label length, move forward */
885 *label_length = r;
886 out += r;
887 len -= r;
888
889 } while (r != 0);
890
891 /* Verify the maximum size of the encoded name. The trailing
892 * dot + NUL byte account are included this time, hence
893 * compare against DNS_HOSTNAME_MAX + 2 (which is 255) this
894 * time. */
895 if (out - buffer > DNS_HOSTNAME_MAX + 2)
896 return -EINVAL;
897
898 return out - buffer;
899 }
900
901 static bool srv_type_label_is_valid(const char *label, size_t n) {
902 assert(label);
903
904 if (n < 2) /* Label needs to be at least 2 chars long */
905 return false;
906
907 if (label[0] != '_') /* First label char needs to be underscore */
908 return false;
909
910 /* Second char must be a letter */
911 if (!ascii_isalpha(label[1]))
912 return false;
913
914 /* Third and further chars must be alphanumeric or a hyphen */
915 for (size_t k = 2; k < n; k++)
916 if (!ascii_isalpha(label[k]) &&
917 !ascii_isdigit(label[k]) &&
918 label[k] != '-')
919 return false;
920
921 return true;
922 }
923
924 bool dns_srv_type_is_valid(const char *name) {
925 unsigned c = 0;
926 int r;
927
928 if (!name)
929 return false;
930
931 for (;;) {
932 char label[DNS_LABEL_MAX];
933
934 /* This more or less implements RFC 6335, Section 5.1 */
935
936 r = dns_label_unescape(&name, label, sizeof label, 0);
937 if (r < 0)
938 return false;
939 if (r == 0)
940 break;
941
942 if (c >= 2)
943 return false;
944
945 if (!srv_type_label_is_valid(label, r))
946 return false;
947
948 c++;
949 }
950
951 return c == 2; /* exactly two labels */
952 }
953
954 bool dnssd_srv_type_is_valid(const char *name) {
955 return dns_srv_type_is_valid(name) &&
956 ((dns_name_endswith(name, "_tcp") > 0) ||
957 (dns_name_endswith(name, "_udp") > 0)); /* Specific to DNS-SD. RFC 6763, Section 7 */
958 }
959
960 bool dns_service_name_is_valid(const char *name) {
961 size_t l;
962
963 /* This more or less implements RFC 6763, Section 4.1.1 */
964
965 if (!name)
966 return false;
967
968 if (!utf8_is_valid(name))
969 return false;
970
971 if (string_has_cc(name, NULL))
972 return false;
973
974 l = strlen(name);
975 if (l <= 0)
976 return false;
977 if (l > DNS_LABEL_MAX)
978 return false;
979
980 return true;
981 }
982
983 int dns_service_join(const char *name, const char *type, const char *domain, char **ret) {
984 char escaped[DNS_LABEL_ESCAPED_MAX];
985 _cleanup_free_ char *n = NULL;
986 int r;
987
988 assert(type);
989 assert(domain);
990 assert(ret);
991
992 if (!dns_srv_type_is_valid(type))
993 return -EINVAL;
994
995 if (!name)
996 return dns_name_concat(type, domain, 0, ret);
997
998 if (!dns_service_name_is_valid(name))
999 return -EINVAL;
1000
1001 r = dns_label_escape(name, strlen(name), escaped, sizeof(escaped));
1002 if (r < 0)
1003 return r;
1004
1005 r = dns_name_concat(type, domain, 0, &n);
1006 if (r < 0)
1007 return r;
1008
1009 return dns_name_concat(escaped, n, 0, ret);
1010 }
1011
1012 static bool dns_service_name_label_is_valid(const char *label, size_t n) {
1013 char *s;
1014
1015 assert(label);
1016
1017 if (memchr(label, 0, n))
1018 return false;
1019
1020 s = strndupa_safe(label, n);
1021 return dns_service_name_is_valid(s);
1022 }
1023
1024 int dns_service_split(const char *joined, char **ret_name, char **ret_type, char **ret_domain) {
1025 _cleanup_free_ char *name = NULL, *type = NULL, *domain = NULL;
1026 const char *p = joined, *q = NULL, *d = joined;
1027 char a[DNS_LABEL_MAX+1], b[DNS_LABEL_MAX+1], c[DNS_LABEL_MAX+1];
1028 int an, bn, cn, r;
1029 unsigned x = 0;
1030
1031 assert(joined);
1032
1033 /* Get first label from the full name */
1034 an = dns_label_unescape(&p, a, sizeof(a), 0);
1035 if (an < 0)
1036 return an;
1037
1038 if (an > 0) {
1039 x++;
1040
1041 /* If there was a first label, try to get the second one */
1042 bn = dns_label_unescape(&p, b, sizeof(b), 0);
1043 if (bn < 0)
1044 return bn;
1045
1046 if (bn > 0) {
1047 if (!srv_type_label_is_valid(b, bn))
1048 goto finish;
1049
1050 x++;
1051
1052 /* If there was a second label, try to get the third one */
1053 q = p;
1054 cn = dns_label_unescape(&p, c, sizeof(c), 0);
1055 if (cn < 0)
1056 return cn;
1057
1058 if (cn > 0 && srv_type_label_is_valid(c, cn))
1059 x++;
1060 }
1061 }
1062
1063 switch (x) {
1064 case 2:
1065 if (!srv_type_label_is_valid(a, an))
1066 break;
1067
1068 /* OK, got <type> . <type2> . <domain> */
1069
1070 name = NULL;
1071
1072 type = strjoin(a, ".", b);
1073 if (!type)
1074 return -ENOMEM;
1075
1076 d = q;
1077 break;
1078
1079 case 3:
1080 if (!dns_service_name_label_is_valid(a, an))
1081 break;
1082
1083 /* OK, got <name> . <type> . <type2> . <domain> */
1084
1085 name = strndup(a, an);
1086 if (!name)
1087 return -ENOMEM;
1088
1089 type = strjoin(b, ".", c);
1090 if (!type)
1091 return -ENOMEM;
1092
1093 d = p;
1094 break;
1095 }
1096
1097 finish:
1098 r = dns_name_normalize(d, 0, &domain);
1099 if (r < 0)
1100 return r;
1101
1102 if (ret_domain)
1103 *ret_domain = TAKE_PTR(domain);
1104
1105 if (ret_type)
1106 *ret_type = TAKE_PTR(type);
1107
1108 if (ret_name)
1109 *ret_name = TAKE_PTR(name);
1110
1111 return 0;
1112 }
1113
1114 static int dns_name_build_suffix_table(const char *name, const char *table[]) {
1115 const char *p = ASSERT_PTR(name);
1116 unsigned n = 0;
1117 int r;
1118
1119 assert(table);
1120
1121 for (;;) {
1122 if (n > DNS_N_LABELS_MAX)
1123 return -EINVAL;
1124
1125 table[n] = p;
1126 r = dns_name_parent(&p);
1127 if (r < 0)
1128 return r;
1129 if (r == 0)
1130 break;
1131
1132 n++;
1133 }
1134
1135 return (int) n;
1136 }
1137
1138 int dns_name_suffix(const char *name, unsigned n_labels, const char **ret) {
1139 const char* labels[DNS_N_LABELS_MAX+1];
1140 int n;
1141
1142 assert(name);
1143 assert(ret);
1144
1145 n = dns_name_build_suffix_table(name, labels);
1146 if (n < 0)
1147 return n;
1148
1149 if ((unsigned) n < n_labels)
1150 return -EINVAL;
1151
1152 *ret = labels[n - n_labels];
1153 return (int) (n - n_labels);
1154 }
1155
1156 int dns_name_skip(const char *a, unsigned n_labels, const char **ret) {
1157 int r;
1158
1159 assert(a);
1160 assert(ret);
1161
1162 for (; n_labels > 0; n_labels--) {
1163 r = dns_name_parent(&a);
1164 if (r < 0)
1165 return r;
1166 if (r == 0) {
1167 *ret = "";
1168 return 0;
1169 }
1170 }
1171
1172 *ret = a;
1173 return 1;
1174 }
1175
1176 int dns_name_count_labels(const char *name) {
1177 unsigned n = 0;
1178 int r;
1179
1180 assert(name);
1181
1182 for (const char *p = name;;) {
1183 r = dns_name_parent(&p);
1184 if (r < 0)
1185 return r;
1186 if (r == 0)
1187 break;
1188
1189 if (n >= DNS_N_LABELS_MAX)
1190 return -EINVAL;
1191
1192 n++;
1193 }
1194
1195 return n;
1196 }
1197
1198 int dns_name_equal_skip(const char *a, unsigned n_labels, const char *b) {
1199 int r;
1200
1201 assert(a);
1202 assert(b);
1203
1204 r = dns_name_skip(a, n_labels, &a);
1205 if (r <= 0)
1206 return r;
1207
1208 return dns_name_equal(a, b);
1209 }
1210
1211 int dns_name_common_suffix(const char *a, const char *b, const char **ret) {
1212 const char *a_labels[DNS_N_LABELS_MAX+1], *b_labels[DNS_N_LABELS_MAX+1];
1213 int n = 0, m = 0, k = 0, r, q;
1214
1215 assert(a);
1216 assert(b);
1217 assert(ret);
1218
1219 /* Determines the common suffix of domain names a and b */
1220
1221 n = dns_name_build_suffix_table(a, a_labels);
1222 if (n < 0)
1223 return n;
1224
1225 m = dns_name_build_suffix_table(b, b_labels);
1226 if (m < 0)
1227 return m;
1228
1229 for (;;) {
1230 char la[DNS_LABEL_MAX], lb[DNS_LABEL_MAX];
1231 const char *x, *y;
1232
1233 if (k >= n || k >= m) {
1234 *ret = a_labels[n - k];
1235 return 0;
1236 }
1237
1238 x = a_labels[n - 1 - k];
1239 r = dns_label_unescape(&x, la, sizeof la, 0);
1240 if (r < 0)
1241 return r;
1242
1243 y = b_labels[m - 1 - k];
1244 q = dns_label_unescape(&y, lb, sizeof lb, 0);
1245 if (q < 0)
1246 return q;
1247
1248 if (r != q || ascii_strcasecmp_n(la, lb, r) != 0) {
1249 *ret = a_labels[n - k];
1250 return 0;
1251 }
1252
1253 k++;
1254 }
1255 }
1256
1257 int dns_name_apply_idna(const char *name, char **ret) {
1258
1259 /* Return negative on error, 0 if not implemented, positive on success. */
1260
1261 #if HAVE_LIBIDN2 || HAVE_LIBIDN2
1262 int r;
1263
1264 r = dlopen_idn();
1265 if (r == -EOPNOTSUPP) {
1266 *ret = NULL;
1267 return 0;
1268 }
1269 if (r < 0)
1270 return r;
1271 #endif
1272
1273 #if HAVE_LIBIDN2
1274 _cleanup_free_ char *t = NULL;
1275
1276 assert(name);
1277 assert(ret);
1278
1279 /* First, try non-transitional mode (i.e. IDN2008 rules) */
1280 r = sym_idn2_lookup_u8((uint8_t*) name, (uint8_t**) &t,
1281 IDN2_NFC_INPUT | IDN2_NONTRANSITIONAL);
1282 if (r == IDN2_DISALLOWED) /* If that failed, because of disallowed characters, try transitional mode.
1283 * (i.e. IDN2003 rules which supports some unicode chars IDN2008 doesn't allow). */
1284 r = sym_idn2_lookup_u8((uint8_t*) name, (uint8_t**) &t,
1285 IDN2_NFC_INPUT | IDN2_TRANSITIONAL);
1286
1287 log_debug("idn2_lookup_u8: %s %s %s", name, special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), t);
1288 if (r == IDN2_OK) {
1289 if (!startswith(name, "xn--")) {
1290 _cleanup_free_ char *s = NULL;
1291
1292 r = sym_idn2_to_unicode_8z8z(t, &s, 0);
1293 if (r != IDN2_OK) {
1294 log_debug("idn2_to_unicode_8z8z(\"%s\") failed: %d/%s",
1295 t, r, sym_idn2_strerror(r));
1296 *ret = NULL;
1297 return 0;
1298 }
1299
1300 if (!streq_ptr(name, s)) {
1301 log_debug("idn2 roundtrip failed: \"%s\" %s \"%s\" %s \"%s\", ignoring.",
1302 name, special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), t,
1303 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), s);
1304 *ret = NULL;
1305 return 0;
1306 }
1307 }
1308
1309 *ret = TAKE_PTR(t);
1310 return 1; /* *ret has been written */
1311 }
1312
1313 log_debug("idn2_lookup_u8(\"%s\") failed: %d/%s", name, r, sym_idn2_strerror(r));
1314 if (r == IDN2_2HYPHEN)
1315 /* The name has two hyphens — forbidden by IDNA2008 in some cases */
1316 return 0;
1317 if (IN_SET(r, IDN2_TOO_BIG_DOMAIN, IDN2_TOO_BIG_LABEL))
1318 return -ENOSPC;
1319
1320 return -EINVAL;
1321 #elif HAVE_LIBIDN
1322 _cleanup_free_ char *buf = NULL;
1323 size_t n = 0;
1324 bool first = true;
1325 int r, q;
1326
1327 assert(name);
1328 assert(ret);
1329
1330 for (;;) {
1331 char label[DNS_LABEL_MAX];
1332
1333 r = dns_label_unescape(&name, label, sizeof label, 0);
1334 if (r < 0)
1335 return r;
1336 if (r == 0)
1337 break;
1338
1339 q = dns_label_apply_idna(label, r, label, sizeof label);
1340 if (q < 0)
1341 return q;
1342 if (q > 0)
1343 r = q;
1344
1345 if (!GREEDY_REALLOC(buf, n + !first + DNS_LABEL_ESCAPED_MAX))
1346 return -ENOMEM;
1347
1348 r = dns_label_escape(label, r, buf + n + !first, DNS_LABEL_ESCAPED_MAX);
1349 if (r < 0)
1350 return r;
1351
1352 if (first)
1353 first = false;
1354 else
1355 buf[n++] = '.';
1356
1357 n += r;
1358 }
1359
1360 if (n > DNS_HOSTNAME_MAX)
1361 return -EINVAL;
1362
1363 if (!GREEDY_REALLOC(buf, n + 1))
1364 return -ENOMEM;
1365
1366 buf[n] = 0;
1367 *ret = TAKE_PTR(buf);
1368
1369 return 1;
1370 #else
1371 *ret = NULL;
1372 return 0;
1373 #endif
1374 }
1375
1376 int dns_name_is_valid_or_address(const char *name) {
1377 /* Returns > 0 if the specified name is either a valid IP address formatted as string or a valid DNS name */
1378
1379 if (isempty(name))
1380 return 0;
1381
1382 if (in_addr_from_string_auto(name, NULL, NULL) >= 0)
1383 return 1;
1384
1385 return dns_name_is_valid(name);
1386 }
1387
1388 int dns_name_dot_suffixed(const char *name) {
1389 const char *p = name;
1390 int r;
1391
1392 for (;;) {
1393 if (streq(p, "."))
1394 return true;
1395
1396 r = dns_label_unescape(&p, NULL, DNS_LABEL_MAX, DNS_LABEL_LEAVE_TRAILING_DOT);
1397 if (r < 0)
1398 return r;
1399 if (r == 0)
1400 return false;
1401 }
1402 }
1403
1404 bool dns_name_dont_resolve(const char *name) {
1405
1406 /* Never respond to some of the domains listed in RFC6303 */
1407 if (dns_name_endswith(name, "0.in-addr.arpa") > 0 ||
1408 dns_name_equal(name, "255.255.255.255.in-addr.arpa") > 0 ||
1409 dns_name_equal(name, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
1410 return true;
1411
1412 /* Never respond to some of the domains listed in RFC6761 */
1413 if (dns_name_endswith(name, "invalid") > 0)
1414 return true;
1415
1416 /* Never respond to some of the domains listed in RFC9476 */
1417 if (dns_name_endswith(name, "alt") > 0)
1418 return true;
1419
1420 return false;
1421 }
Unnamed repository; edit this file 'description' to name the repository.