[thirdparty/systemd.git] / src / resolve / dns-type.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  Copyright © 2014 Zbigniew Jędrzejewski-Szmek
***/

#include <sys/socket.h>
#include <errno.h>

#include "dns-type.h"
#include "parse-util.h"
#include "string-util.h"

typedef const struct {
        uint16_t type;
        const char *name;
} dns_type;

static const struct dns_type_name *
lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);

#include "dns_type-from-name.h"
#include "dns_type-to-name.h"

int dns_type_from_string(const char *s) {
        const struct dns_type_name *sc;

        assert(s);

        sc = lookup_dns_type(s, strlen(s));
        if (sc)
                return sc->id;

        s = startswith_no_case(s, "TYPE");
        if (s) {
                unsigned x;

                if (safe_atou(s, &x) >= 0 &&
                    x <= UINT16_MAX)
                        return (int) x;
        }

        return _DNS_TYPE_INVALID;
}

bool dns_type_is_pseudo(uint16_t type) {

        /* Checks whether the specified type is a "pseudo-type". What
         * a "pseudo-type" precisely is, is defined only very weakly,
         * but apparently entails all RR types that are not actually
         * stored as RRs on the server and should hence also not be
         * cached. We use this list primarily to validate NSEC type
         * bitfields, and to verify what to cache. */

        return IN_SET(type,
                      0, /* A Pseudo RR type, according to RFC 2931 */
                      DNS_TYPE_ANY,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR,
                      DNS_TYPE_OPT,
                      DNS_TYPE_TSIG,
                      DNS_TYPE_TKEY
        );
}

bool dns_class_is_pseudo(uint16_t class) {
        return class == DNS_TYPE_ANY;
}

bool dns_type_is_valid_query(uint16_t type) {

        /* The types valid as questions in packets */

        return !IN_SET(type,
                       0,
                       DNS_TYPE_OPT,
                       DNS_TYPE_TSIG,
                       DNS_TYPE_TKEY,

                       /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
                        * they aren't really payload, but signatures for payload, and cannot be validated on their
                        * own. After all they are the signatures, and have no signatures of their own validating
                        * them. */
                       DNS_TYPE_RRSIG);
}

bool dns_type_is_zone_transer(uint16_t type) {

        /* Zone transfers, either normal or incremental */

        return IN_SET(type,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR);
}

bool dns_type_is_valid_rr(uint16_t type) {

        /* The types valid as RR in packets (but not necessarily
         * stored on servers). */

        return !IN_SET(type,
                       DNS_TYPE_ANY,
                       DNS_TYPE_AXFR,
                       DNS_TYPE_IXFR);
}

bool dns_class_is_valid_rr(uint16_t class) {
        return class != DNS_CLASS_ANY;
}

bool dns_type_may_redirect(uint16_t type) {
        /* The following record types should never be redirected using
         * CNAME/DNAME RRs. See
         * <https://tools.ietf.org/html/rfc4035#section-2.5>. */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_CNAME,
                       DNS_TYPE_DNAME,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_NSEC,
                       DNS_TYPE_RRSIG,
                       DNS_TYPE_NXT,
                       DNS_TYPE_SIG,
                       DNS_TYPE_KEY);
}

bool dns_type_may_wildcard(uint16_t type) {

        /* The following records may not be expanded from wildcard RRsets */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_SOA,

                       /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
                       DNS_TYPE_DNAME);
}

bool dns_type_apex_only(uint16_t type) {

        /* Returns true for all RR types that may only appear signed in a zone apex */

        return IN_SET(type,
                      DNS_TYPE_SOA,
                      DNS_TYPE_NS,            /* this one can appear elsewhere, too, but not signed */
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_dnssec(uint16_t type) {
        return IN_SET(type,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_RRSIG,
                      DNS_TYPE_NSEC,
                      DNS_TYPE_NSEC3,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_obsolete(uint16_t type) {
        return IN_SET(type,
                      /* Obsoleted by RFC 973 */
                      DNS_TYPE_MD,
                      DNS_TYPE_MF,
                      DNS_TYPE_MAILA,

                      /* Kinda obsoleted by RFC 2505 */
                      DNS_TYPE_MB,
                      DNS_TYPE_MG,
                      DNS_TYPE_MR,
                      DNS_TYPE_MINFO,
                      DNS_TYPE_MAILB,

                      /* RFC1127 kinda obsoleted this by recommending against its use */
                      DNS_TYPE_WKS,

                      /* Declared historical by RFC 6563 */
                      DNS_TYPE_A6,

                      /* Obsoleted by DNSSEC-bis */
                      DNS_TYPE_NXT,

                      /* RFC 1035 removed support for concepts that needed this from RFC 883 */
                      DNS_TYPE_NULL);
}

bool dns_type_needs_authentication(uint16_t type) {

        /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
         * authenticated. I.e. everything that contains crypto keys. */

        return IN_SET(type,
                      DNS_TYPE_CERT,
                      DNS_TYPE_SSHFP,
                      DNS_TYPE_IPSECKEY,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_TLSA,
                      DNS_TYPE_CDNSKEY,
                      DNS_TYPE_OPENPGPKEY,
                      DNS_TYPE_CAA);
}

int dns_type_to_af(uint16_t t) {
        switch (t) {

        case DNS_TYPE_A:
                return AF_INET;

        case DNS_TYPE_AAAA:
                return AF_INET6;

        case DNS_TYPE_ANY:
                return AF_UNSPEC;

        default:
                return -EINVAL;
        }
}

const char *dns_class_to_string(uint16_t class) {

        switch (class) {

        case DNS_CLASS_IN:
                return "IN";

        case DNS_CLASS_ANY:
                return "ANY";
        }

        return NULL;
}

int dns_class_from_string(const char *s) {

        if (!s)
                return _DNS_CLASS_INVALID;

        if (strcaseeq(s, "IN"))
                return DNS_CLASS_IN;
        else if (strcaseeq(s, "ANY"))
                return DNS_CLASS_ANY;

        return _DNS_CLASS_INVALID;
}

const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {

        switch (cert_usage) {

        case 0:
                return "CA constraint";

        case 1:
                return "Service certificate constraint";

        case 2:
                return "Trust anchor assertion";

        case 3:
                return "Domain-issued certificate";

        case 4 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;  /* clang cannot count that we covered everything */
}

const char* tlsa_selector_to_string(uint8_t selector) {
        switch (selector) {

        case 0:
                return "Full Certificate";

        case 1:
                return "SubjectPublicKeyInfo";

        case 2 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}

const char* tlsa_matching_type_to_string(uint8_t selector) {

        switch (selector) {

        case 0:
                return "No hash used";

        case 1:
                return "SHA-256";

        case 2:
                return "SHA-512";

        case 3 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
7263f724	2	/***
96b2fb93	3	Copyright © 2014 Zbigniew Jędrzejewski-Szmek
7263f724 ZJS	4	***/
7263f724 ZJS	5
d07b43a1	6	#include <sys/socket.h>
dccca82b	7	#include <errno.h>
d07b43a1	8
7263f724	9	#include "dns-type.h"
869b3b67	10	#include "parse-util.h"
4b548ef3	11	#include "string-util.h"
7263f724 ZJS	12
	13	typedef const struct {
	14	uint16_t type;
	15	const char *name;
	16	} dns_type;
	17
	18	static const struct dns_type_name *
c9f7b4d3	19	lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);
7263f724 ZJS	20
	21	#include "dns_type-from-name.h"
	22	#include "dns_type-to-name.h"
	23
de292aa1	24	int dns_type_from_string(const char *s) {
7263f724 ZJS	25	const struct dns_type_name *sc;
	26
	27	assert(s);
7263f724 ZJS	28
7263f724 ZJS	29	sc = lookup_dns_type(s, strlen(s));
869b3b67 ZJS	30	if (sc)
869b3b67 ZJS	31	return sc->id;
7263f724	32
869b3b67 ZJS	33	s = startswith_no_case(s, "TYPE");
	34	if (s) {
	35	unsigned x;
	36
	37	if (safe_atou(s, &x) >= 0 &&
	38	x <= UINT16_MAX)
	39	return (int) x;
	40	}
	41
	42	return _DNS_TYPE_INVALID;
7263f724	43	}
8e6edc49	44
bea4c76f LP	45	bool dns_type_is_pseudo(uint16_t type) {
	46
	47	/* Checks whether the specified type is a "pseudo-type". What
	48	* a "pseudo-type" precisely is, is defined only very weakly,
	49	* but apparently entails all RR types that are not actually
	50	* stored as RRs on the server and should hence also not be
	51	* cached. We use this list primarily to validate NSEC type
c33be4a6	52	* bitfields, and to verify what to cache. */
bea4c76f LP	53
	54	return IN_SET(type,
	55	0, /* A Pseudo RR type, according to RFC 2931 */
	56	DNS_TYPE_ANY,
	57	DNS_TYPE_AXFR,
	58	DNS_TYPE_IXFR,
	59	DNS_TYPE_OPT,
	60	DNS_TYPE_TSIG,
	61	DNS_TYPE_TKEY
	62	);
8e6edc49	63	}
c463eb78	64
4b548ef3 LP	65	bool dns_class_is_pseudo(uint16_t class) {
	66	return class == DNS_TYPE_ANY;
	67	}
	68
c463eb78 LP	69	bool dns_type_is_valid_query(uint16_t type) {
	70
	71	/* The types valid as questions in packets */
	72
	73	return !IN_SET(type,
	74	0,
	75	DNS_TYPE_OPT,
	76	DNS_TYPE_TSIG,
04680e36 LP	77	DNS_TYPE_TKEY,
	78
	79	/* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
	80	* they aren't really payload, but signatures for payload, and cannot be validated on their
	81	* own. After all they are the signatures, and have no signatures of their own validating
	82	* them. */
	83	DNS_TYPE_RRSIG);
c463eb78 LP	84	}
c463eb78 LP	85
6ebd1e33 LP	86	bool dns_type_is_zone_transer(uint16_t type) {
	87
	88	/* Zone transfers, either normal or incremental */
	89
	90	return IN_SET(type,
	91	DNS_TYPE_AXFR,
	92	DNS_TYPE_IXFR);
	93	}
	94
c463eb78 LP	95	bool dns_type_is_valid_rr(uint16_t type) {
	96
	97	/* The types valid as RR in packets (but not necessarily
	98	* stored on servers). */
	99
	100	return !IN_SET(type,
	101	DNS_TYPE_ANY,
	102	DNS_TYPE_AXFR,
	103	DNS_TYPE_IXFR);
	104	}
4b548ef3 LP	105
	106	bool dns_class_is_valid_rr(uint16_t class) {
	107	return class != DNS_CLASS_ANY;
	108	}
	109
d3c7e913 LP	110	bool dns_type_may_redirect(uint16_t type) {
	111	/* The following record types should never be redirected using
	112	* CNAME/DNAME RRs. See
	113	* <https://tools.ietf.org/html/rfc4035#section-2.5>. */
	114
	115	if (dns_type_is_pseudo(type))
	116	return false;
	117
	118	return !IN_SET(type,
	119	DNS_TYPE_CNAME,
	120	DNS_TYPE_DNAME,
	121	DNS_TYPE_NSEC3,
	122	DNS_TYPE_NSEC,
	123	DNS_TYPE_RRSIG,
	124	DNS_TYPE_NXT,
	125	DNS_TYPE_SIG,
	126	DNS_TYPE_KEY);
	127	}
	128
e8233bce LP	129	bool dns_type_may_wildcard(uint16_t type) {
	130
	131	/* The following records may not be expanded from wildcard RRsets */
	132
	133	if (dns_type_is_pseudo(type))
	134	return false;
	135
	136	return !IN_SET(type,
	137	DNS_TYPE_NSEC3,
	138	DNS_TYPE_SOA,
	139
	140	/* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
	141	DNS_TYPE_DNAME);
	142	}
	143
588c53d0 LP	144	bool dns_type_apex_only(uint16_t type) {
	145
	146	/* Returns true for all RR types that may only appear signed in a zone apex */
	147
	148	return IN_SET(type,
	149	DNS_TYPE_SOA,
	150	DNS_TYPE_NS, /* this one can appear elsewhere, too, but not signed */
	151	DNS_TYPE_DNSKEY,
	152	DNS_TYPE_NSEC3PARAM);
	153	}
	154
91adc4db LP	155	bool dns_type_is_dnssec(uint16_t type) {
	156	return IN_SET(type,
	157	DNS_TYPE_DS,
	158	DNS_TYPE_DNSKEY,
	159	DNS_TYPE_RRSIG,
	160	DNS_TYPE_NSEC,
	161	DNS_TYPE_NSEC3,
	162	DNS_TYPE_NSEC3PARAM);
	163	}
	164
d0129ddb LP	165	bool dns_type_is_obsolete(uint16_t type) {
	166	return IN_SET(type,
	167	/* Obsoleted by RFC 973 */
	168	DNS_TYPE_MD,
	169	DNS_TYPE_MF,
	170	DNS_TYPE_MAILA,
	171
	172	/* Kinda obsoleted by RFC 2505 */
	173	DNS_TYPE_MB,
	174	DNS_TYPE_MG,
	175	DNS_TYPE_MR,
	176	DNS_TYPE_MINFO,
	177	DNS_TYPE_MAILB,
	178
	179	/* RFC1127 kinda obsoleted this by recommending against its use */
	180	DNS_TYPE_WKS,
	181
	182	/* Declared historical by RFC 6563 */
	183	DNS_TYPE_A6,
	184
	185	/* Obsoleted by DNSSEC-bis */
	186	DNS_TYPE_NXT,
	187
	188	/* RFC 1035 removed support for concepts that needed this from RFC 883 */
	189	DNS_TYPE_NULL);
	190	}
	191
41815a4a LP	192	bool dns_type_needs_authentication(uint16_t type) {
	193
	194	/* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
	195	* authenticated. I.e. everything that contains crypto keys. */
	196
	197	return IN_SET(type,
	198	DNS_TYPE_CERT,
	199	DNS_TYPE_SSHFP,
	200	DNS_TYPE_IPSECKEY,
	201	DNS_TYPE_DS,
	202	DNS_TYPE_DNSKEY,
	203	DNS_TYPE_TLSA,
	204	DNS_TYPE_CDNSKEY,
	205	DNS_TYPE_OPENPGPKEY,
	206	DNS_TYPE_CAA);
	207	}
	208
d07b43a1 LP	209	int dns_type_to_af(uint16_t t) {
	210	switch (t) {
	211
	212	case DNS_TYPE_A:
	213	return AF_INET;
	214
	215	case DNS_TYPE_AAAA:
	216	return AF_INET6;
	217
	218	case DNS_TYPE_ANY:
	219	return AF_UNSPEC;
	220
	221	default:
	222	return -EINVAL;
	223	}
	224	}
	225
4b548ef3 LP	226	const char *dns_class_to_string(uint16_t class) {
	227
	228	switch (class) {
	229
	230	case DNS_CLASS_IN:
	231	return "IN";
	232
	233	case DNS_CLASS_ANY:
	234	return "ANY";
	235	}
	236
	237	return NULL;
	238	}
	239
	240	int dns_class_from_string(const char *s) {
	241
	242	if (!s)
	243	return _DNS_CLASS_INVALID;
	244
	245	if (strcaseeq(s, "IN"))
	246	return DNS_CLASS_IN;
	247	else if (strcaseeq(s, "ANY"))
	248	return DNS_CLASS_ANY;
	249
	250	return _DNS_CLASS_INVALID;
	251	}
cfb90da3 ZJS	252
cfb90da3 ZJS	253	const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {
fb8a9fc9 LP	254
	255	switch (cert_usage) {
	256
	257	case 0:
	258	return "CA constraint";
	259
	260	case 1:
	261	return "Service certificate constraint";
	262
	263	case 2:
	264	return "Trust anchor assertion";
	265
	266	case 3:
	267	return "Domain-issued certificate";
	268
	269	case 4 ... 254:
	270	return "Unassigned";
	271
	272	case 255:
	273	return "Private use";
cfb90da3	274	}
fb8a9fc9 LP	275
fb8a9fc9 LP	276	return NULL; /* clang cannot count that we covered everything */
cfb90da3 ZJS	277	}
	278
	279	const char* tlsa_selector_to_string(uint8_t selector) {
fb8a9fc9 LP	280	switch (selector) {
	281
	282	case 0:
	283	return "Full Certificate";
	284
	285	case 1:
	286	return "SubjectPublicKeyInfo";
	287
	288	case 2 ... 254:
	289	return "Unassigned";
	290
	291	case 255:
	292	return "Private use";
cfb90da3	293	}
fb8a9fc9 LP	294
fb8a9fc9 LP	295	return NULL;
cfb90da3 ZJS	296	}
	297
	298	const char* tlsa_matching_type_to_string(uint8_t selector) {
fb8a9fc9 LP	299
	300	switch (selector) {
	301
	302	case 0:
	303	return "No hash used";
	304
	305	case 1:
	306	return "SHA-256";
	307
	308	case 2:
	309	return "SHA-512";
	310
	311	case 3 ... 254:
	312	return "Unassigned";
	313
	314	case 255:
	315	return "Private use";
cfb90da3	316	}
fb8a9fc9 LP	317
fb8a9fc9 LP	318	return NULL;
cfb90da3	319	}