[thirdparty/systemd.git] / src / resolve / dns-type.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2014 Zbigniew Jędrzejewski-Szmek

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <sys/socket.h>
#include <errno.h>

#include "dns-type.h"
#include "parse-util.h"
#include "string-util.h"

typedef const struct {
        uint16_t type;
        const char *name;
} dns_type;

static const struct dns_type_name *
lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);

#include "dns_type-from-name.h"
#include "dns_type-to-name.h"

int dns_type_from_string(const char *s) {
        const struct dns_type_name *sc;

        assert(s);

        sc = lookup_dns_type(s, strlen(s));
        if (sc)
                return sc->id;

        s = startswith_no_case(s, "TYPE");
        if (s) {
                unsigned x;

                if (safe_atou(s, &x) >= 0 &&
                    x <= UINT16_MAX)
                        return (int) x;
        }

        return _DNS_TYPE_INVALID;
}

bool dns_type_is_pseudo(uint16_t type) {

        /* Checks whether the specified type is a "pseudo-type". What
         * a "pseudo-type" precisely is, is defined only very weakly,
         * but apparently entails all RR types that are not actually
         * stored as RRs on the server and should hence also not be
         * cached. We use this list primarily to validate NSEC type
         * bitfields, and to verify what to cache. */

        return IN_SET(type,
                      0, /* A Pseudo RR type, according to RFC 2931 */
                      DNS_TYPE_ANY,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR,
                      DNS_TYPE_OPT,
                      DNS_TYPE_TSIG,
                      DNS_TYPE_TKEY
        );
}

bool dns_class_is_pseudo(uint16_t class) {
        return class == DNS_TYPE_ANY;
}

bool dns_type_is_valid_query(uint16_t type) {

        /* The types valid as questions in packets */

        return !IN_SET(type,
                       0,
                       DNS_TYPE_OPT,
                       DNS_TYPE_TSIG,
                       DNS_TYPE_TKEY,

                       /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
                        * they aren't really payload, but signatures for payload, and cannot be validated on their
                        * own. After all they are the signatures, and have no signatures of their own validating
                        * them. */
                       DNS_TYPE_RRSIG);
}

bool dns_type_is_zone_transer(uint16_t type) {

        /* Zone transfers, either normal or incremental */

        return IN_SET(type,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR);
}

bool dns_type_is_valid_rr(uint16_t type) {

        /* The types valid as RR in packets (but not necessarily
         * stored on servers). */

        return !IN_SET(type,
                       DNS_TYPE_ANY,
                       DNS_TYPE_AXFR,
                       DNS_TYPE_IXFR);
}

bool dns_class_is_valid_rr(uint16_t class) {
        return class != DNS_CLASS_ANY;
}

bool dns_type_may_redirect(uint16_t type) {
        /* The following record types should never be redirected using
         * CNAME/DNAME RRs. See
         * <https://tools.ietf.org/html/rfc4035#section-2.5>. */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_CNAME,
                       DNS_TYPE_DNAME,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_NSEC,
                       DNS_TYPE_RRSIG,
                       DNS_TYPE_NXT,
                       DNS_TYPE_SIG,
                       DNS_TYPE_KEY);
}

bool dns_type_may_wildcard(uint16_t type) {

        /* The following records may not be expanded from wildcard RRsets */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_SOA,

                       /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
                       DNS_TYPE_DNAME);
}

bool dns_type_apex_only(uint16_t type) {

        /* Returns true for all RR types that may only appear signed in a zone apex */

        return IN_SET(type,
                      DNS_TYPE_SOA,
                      DNS_TYPE_NS,            /* this one can appear elsewhere, too, but not signed */
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_dnssec(uint16_t type) {
        return IN_SET(type,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_RRSIG,
                      DNS_TYPE_NSEC,
                      DNS_TYPE_NSEC3,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_obsolete(uint16_t type) {
        return IN_SET(type,
                      /* Obsoleted by RFC 973 */
                      DNS_TYPE_MD,
                      DNS_TYPE_MF,
                      DNS_TYPE_MAILA,

                      /* Kinda obsoleted by RFC 2505 */
                      DNS_TYPE_MB,
                      DNS_TYPE_MG,
                      DNS_TYPE_MR,
                      DNS_TYPE_MINFO,
                      DNS_TYPE_MAILB,

                      /* RFC1127 kinda obsoleted this by recommending against its use */
                      DNS_TYPE_WKS,

                      /* Declared historical by RFC 6563 */
                      DNS_TYPE_A6,

                      /* Obsoleted by DNSSEC-bis */
                      DNS_TYPE_NXT,

                      /* RFC 1035 removed support for concepts that needed this from RFC 883 */
                      DNS_TYPE_NULL);
}

bool dns_type_needs_authentication(uint16_t type) {

        /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
         * authenticated. I.e. everything that contains crypto keys. */

        return IN_SET(type,
                      DNS_TYPE_CERT,
                      DNS_TYPE_SSHFP,
                      DNS_TYPE_IPSECKEY,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_TLSA,
                      DNS_TYPE_CDNSKEY,
                      DNS_TYPE_OPENPGPKEY,
                      DNS_TYPE_CAA);
}

int dns_type_to_af(uint16_t t) {
        switch (t) {

        case DNS_TYPE_A:
                return AF_INET;

        case DNS_TYPE_AAAA:
                return AF_INET6;

        case DNS_TYPE_ANY:
                return AF_UNSPEC;

        default:
                return -EINVAL;
        }
}

const char *dns_class_to_string(uint16_t class) {

        switch (class) {

        case DNS_CLASS_IN:
                return "IN";

        case DNS_CLASS_ANY:
                return "ANY";
        }

        return NULL;
}

int dns_class_from_string(const char *s) {

        if (!s)
                return _DNS_CLASS_INVALID;

        if (strcaseeq(s, "IN"))
                return DNS_CLASS_IN;
        else if (strcaseeq(s, "ANY"))
                return DNS_CLASS_ANY;

        return _DNS_CLASS_INVALID;
}

const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {

        switch (cert_usage) {

        case 0:
                return "CA constraint";

        case 1:
                return "Service certificate constraint";

        case 2:
                return "Trust anchor assertion";

        case 3:
                return "Domain-issued certificate";

        case 4 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;  /* clang cannot count that we covered everything */
}

const char* tlsa_selector_to_string(uint8_t selector) {
        switch (selector) {

        case 0:
                return "Full Certificate";

        case 1:
                return "SubjectPublicKeyInfo";

        case 2 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}

const char* tlsa_matching_type_to_string(uint8_t selector) {

        switch (selector) {

        case 0:
                return "No hash used";

        case 1:
                return "SHA-256";

        case 2:
                return "SHA-512";

        case 3 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
7263f724 ZJS	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2014 Zbigniew Jędrzejewski-Szmek
	6
	7	systemd is free software; you can redistribute it and/or modify it
	8	under the terms of the GNU Lesser General Public License as published by
	9	the Free Software Foundation; either version 2.1 of the License, or
	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	Lesser General Public License for more details.
	16
	17	You should have received a copy of the GNU Lesser General Public License
	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
d07b43a1	21	#include <sys/socket.h>
dccca82b	22	#include <errno.h>
d07b43a1	23
7263f724	24	#include "dns-type.h"
869b3b67	25	#include "parse-util.h"
4b548ef3	26	#include "string-util.h"
7263f724 ZJS	27
	28	typedef const struct {
	29	uint16_t type;
	30	const char *name;
	31	} dns_type;
	32
	33	static const struct dns_type_name *
c9f7b4d3	34	lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);
7263f724 ZJS	35
	36	#include "dns_type-from-name.h"
	37	#include "dns_type-to-name.h"
	38
de292aa1	39	int dns_type_from_string(const char *s) {
7263f724 ZJS	40	const struct dns_type_name *sc;
	41
	42	assert(s);
7263f724 ZJS	43
7263f724 ZJS	44	sc = lookup_dns_type(s, strlen(s));
869b3b67 ZJS	45	if (sc)
869b3b67 ZJS	46	return sc->id;
7263f724	47
869b3b67 ZJS	48	s = startswith_no_case(s, "TYPE");
	49	if (s) {
	50	unsigned x;
	51
	52	if (safe_atou(s, &x) >= 0 &&
	53	x <= UINT16_MAX)
	54	return (int) x;
	55	}
	56
	57	return _DNS_TYPE_INVALID;
7263f724	58	}
8e6edc49	59
bea4c76f LP	60	bool dns_type_is_pseudo(uint16_t type) {
	61
	62	/* Checks whether the specified type is a "pseudo-type". What
	63	* a "pseudo-type" precisely is, is defined only very weakly,
	64	* but apparently entails all RR types that are not actually
	65	* stored as RRs on the server and should hence also not be
	66	* cached. We use this list primarily to validate NSEC type
c33be4a6	67	* bitfields, and to verify what to cache. */
bea4c76f LP	68
	69	return IN_SET(type,
	70	0, /* A Pseudo RR type, according to RFC 2931 */
	71	DNS_TYPE_ANY,
	72	DNS_TYPE_AXFR,
	73	DNS_TYPE_IXFR,
	74	DNS_TYPE_OPT,
	75	DNS_TYPE_TSIG,
	76	DNS_TYPE_TKEY
	77	);
8e6edc49	78	}
c463eb78	79
4b548ef3 LP	80	bool dns_class_is_pseudo(uint16_t class) {
	81	return class == DNS_TYPE_ANY;
	82	}
	83
c463eb78 LP	84	bool dns_type_is_valid_query(uint16_t type) {
	85
	86	/* The types valid as questions in packets */
	87
	88	return !IN_SET(type,
	89	0,
	90	DNS_TYPE_OPT,
	91	DNS_TYPE_TSIG,
04680e36 LP	92	DNS_TYPE_TKEY,
	93
	94	/* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
	95	* they aren't really payload, but signatures for payload, and cannot be validated on their
	96	* own. After all they are the signatures, and have no signatures of their own validating
	97	* them. */
	98	DNS_TYPE_RRSIG);
c463eb78 LP	99	}
c463eb78 LP	100
6ebd1e33 LP	101	bool dns_type_is_zone_transer(uint16_t type) {
	102
	103	/* Zone transfers, either normal or incremental */
	104
	105	return IN_SET(type,
	106	DNS_TYPE_AXFR,
	107	DNS_TYPE_IXFR);
	108	}
	109
c463eb78 LP	110	bool dns_type_is_valid_rr(uint16_t type) {
	111
	112	/* The types valid as RR in packets (but not necessarily
	113	* stored on servers). */
	114
	115	return !IN_SET(type,
	116	DNS_TYPE_ANY,
	117	DNS_TYPE_AXFR,
	118	DNS_TYPE_IXFR);
	119	}
4b548ef3 LP	120
	121	bool dns_class_is_valid_rr(uint16_t class) {
	122	return class != DNS_CLASS_ANY;
	123	}
	124
d3c7e913 LP	125	bool dns_type_may_redirect(uint16_t type) {
	126	/* The following record types should never be redirected using
	127	* CNAME/DNAME RRs. See
	128	* <https://tools.ietf.org/html/rfc4035#section-2.5>. */
	129
	130	if (dns_type_is_pseudo(type))
	131	return false;
	132
	133	return !IN_SET(type,
	134	DNS_TYPE_CNAME,
	135	DNS_TYPE_DNAME,
	136	DNS_TYPE_NSEC3,
	137	DNS_TYPE_NSEC,
	138	DNS_TYPE_RRSIG,
	139	DNS_TYPE_NXT,
	140	DNS_TYPE_SIG,
	141	DNS_TYPE_KEY);
	142	}
	143
e8233bce LP	144	bool dns_type_may_wildcard(uint16_t type) {
	145
	146	/* The following records may not be expanded from wildcard RRsets */
	147
	148	if (dns_type_is_pseudo(type))
	149	return false;
	150
	151	return !IN_SET(type,
	152	DNS_TYPE_NSEC3,
	153	DNS_TYPE_SOA,
	154
	155	/* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
	156	DNS_TYPE_DNAME);
	157	}
	158
588c53d0 LP	159	bool dns_type_apex_only(uint16_t type) {
	160
	161	/* Returns true for all RR types that may only appear signed in a zone apex */
	162
	163	return IN_SET(type,
	164	DNS_TYPE_SOA,
	165	DNS_TYPE_NS, /* this one can appear elsewhere, too, but not signed */
	166	DNS_TYPE_DNSKEY,
	167	DNS_TYPE_NSEC3PARAM);
	168	}
	169
91adc4db LP	170	bool dns_type_is_dnssec(uint16_t type) {
	171	return IN_SET(type,
	172	DNS_TYPE_DS,
	173	DNS_TYPE_DNSKEY,
	174	DNS_TYPE_RRSIG,
	175	DNS_TYPE_NSEC,
	176	DNS_TYPE_NSEC3,
	177	DNS_TYPE_NSEC3PARAM);
	178	}
	179
d0129ddb LP	180	bool dns_type_is_obsolete(uint16_t type) {
	181	return IN_SET(type,
	182	/* Obsoleted by RFC 973 */
	183	DNS_TYPE_MD,
	184	DNS_TYPE_MF,
	185	DNS_TYPE_MAILA,
	186
	187	/* Kinda obsoleted by RFC 2505 */
	188	DNS_TYPE_MB,
	189	DNS_TYPE_MG,
	190	DNS_TYPE_MR,
	191	DNS_TYPE_MINFO,
	192	DNS_TYPE_MAILB,
	193
	194	/* RFC1127 kinda obsoleted this by recommending against its use */
	195	DNS_TYPE_WKS,
	196
	197	/* Declared historical by RFC 6563 */
	198	DNS_TYPE_A6,
	199
	200	/* Obsoleted by DNSSEC-bis */
	201	DNS_TYPE_NXT,
	202
	203	/* RFC 1035 removed support for concepts that needed this from RFC 883 */
	204	DNS_TYPE_NULL);
	205	}
	206
41815a4a LP	207	bool dns_type_needs_authentication(uint16_t type) {
	208
	209	/* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
	210	* authenticated. I.e. everything that contains crypto keys. */
	211
	212	return IN_SET(type,
	213	DNS_TYPE_CERT,
	214	DNS_TYPE_SSHFP,
	215	DNS_TYPE_IPSECKEY,
	216	DNS_TYPE_DS,
	217	DNS_TYPE_DNSKEY,
	218	DNS_TYPE_TLSA,
	219	DNS_TYPE_CDNSKEY,
	220	DNS_TYPE_OPENPGPKEY,
	221	DNS_TYPE_CAA);
	222	}
	223
d07b43a1 LP	224	int dns_type_to_af(uint16_t t) {
	225	switch (t) {
	226
	227	case DNS_TYPE_A:
	228	return AF_INET;
	229
	230	case DNS_TYPE_AAAA:
	231	return AF_INET6;
	232
	233	case DNS_TYPE_ANY:
	234	return AF_UNSPEC;
	235
	236	default:
	237	return -EINVAL;
	238	}
	239	}
	240
4b548ef3 LP	241	const char *dns_class_to_string(uint16_t class) {
	242
	243	switch (class) {
	244
	245	case DNS_CLASS_IN:
	246	return "IN";
	247
	248	case DNS_CLASS_ANY:
	249	return "ANY";
	250	}
	251
	252	return NULL;
	253	}
	254
	255	int dns_class_from_string(const char *s) {
	256
	257	if (!s)
	258	return _DNS_CLASS_INVALID;
	259
	260	if (strcaseeq(s, "IN"))
	261	return DNS_CLASS_IN;
	262	else if (strcaseeq(s, "ANY"))
	263	return DNS_CLASS_ANY;
	264
	265	return _DNS_CLASS_INVALID;
	266	}
cfb90da3 ZJS	267
cfb90da3 ZJS	268	const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {
fb8a9fc9 LP	269
	270	switch (cert_usage) {
	271
	272	case 0:
	273	return "CA constraint";
	274
	275	case 1:
	276	return "Service certificate constraint";
	277
	278	case 2:
	279	return "Trust anchor assertion";
	280
	281	case 3:
	282	return "Domain-issued certificate";
	283
	284	case 4 ... 254:
	285	return "Unassigned";
	286
	287	case 255:
	288	return "Private use";
cfb90da3	289	}
fb8a9fc9 LP	290
fb8a9fc9 LP	291	return NULL; /* clang cannot count that we covered everything */
cfb90da3 ZJS	292	}
	293
	294	const char* tlsa_selector_to_string(uint8_t selector) {
fb8a9fc9 LP	295	switch (selector) {
	296
	297	case 0:
	298	return "Full Certificate";
	299
	300	case 1:
	301	return "SubjectPublicKeyInfo";
	302
	303	case 2 ... 254:
	304	return "Unassigned";
	305
	306	case 255:
	307	return "Private use";
cfb90da3	308	}
fb8a9fc9 LP	309
fb8a9fc9 LP	310	return NULL;
cfb90da3 ZJS	311	}
	312
	313	const char* tlsa_matching_type_to_string(uint8_t selector) {
fb8a9fc9 LP	314
	315	switch (selector) {
	316
	317	case 0:
	318	return "No hash used";
	319
	320	case 1:
	321	return "SHA-256";
	322
	323	case 2:
	324	return "SHA-512";
	325
	326	case 3 ... 254:
	327	return "Unassigned";
	328
	329	case 255:
	330	return "Private use";
cfb90da3	331	}
fb8a9fc9 LP	332
fb8a9fc9 LP	333	return NULL;
cfb90da3	334	}