[thirdparty/systemd.git] / src / resolve / dns-type.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2014 Zbigniew Jędrzejewski-Szmek
***/

#include <sys/socket.h>
#include <errno.h>

#include "dns-type.h"
#include "parse-util.h"
#include "string-util.h"

typedef const struct {
        uint16_t type;
        const char *name;
} dns_type;

static const struct dns_type_name *
lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);

#include "dns_type-from-name.h"
#include "dns_type-to-name.h"

int dns_type_from_string(const char *s) {
        const struct dns_type_name *sc;

        assert(s);

        sc = lookup_dns_type(s, strlen(s));
        if (sc)
                return sc->id;

        s = startswith_no_case(s, "TYPE");
        if (s) {
                unsigned x;

                if (safe_atou(s, &x) >= 0 &&
                    x <= UINT16_MAX)
                        return (int) x;
        }

        return _DNS_TYPE_INVALID;
}

bool dns_type_is_pseudo(uint16_t type) {

        /* Checks whether the specified type is a "pseudo-type". What
         * a "pseudo-type" precisely is, is defined only very weakly,
         * but apparently entails all RR types that are not actually
         * stored as RRs on the server and should hence also not be
         * cached. We use this list primarily to validate NSEC type
         * bitfields, and to verify what to cache. */

        return IN_SET(type,
                      0, /* A Pseudo RR type, according to RFC 2931 */
                      DNS_TYPE_ANY,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR,
                      DNS_TYPE_OPT,
                      DNS_TYPE_TSIG,
                      DNS_TYPE_TKEY
        );
}

bool dns_class_is_pseudo(uint16_t class) {
        return class == DNS_TYPE_ANY;
}

bool dns_type_is_valid_query(uint16_t type) {

        /* The types valid as questions in packets */

        return !IN_SET(type,
                       0,
                       DNS_TYPE_OPT,
                       DNS_TYPE_TSIG,
                       DNS_TYPE_TKEY,

                       /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
                        * they aren't really payload, but signatures for payload, and cannot be validated on their
                        * own. After all they are the signatures, and have no signatures of their own validating
                        * them. */
                       DNS_TYPE_RRSIG);
}

bool dns_type_is_zone_transer(uint16_t type) {

        /* Zone transfers, either normal or incremental */

        return IN_SET(type,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR);
}

bool dns_type_is_valid_rr(uint16_t type) {

        /* The types valid as RR in packets (but not necessarily
         * stored on servers). */

        return !IN_SET(type,
                       DNS_TYPE_ANY,
                       DNS_TYPE_AXFR,
                       DNS_TYPE_IXFR);
}

bool dns_class_is_valid_rr(uint16_t class) {
        return class != DNS_CLASS_ANY;
}

bool dns_type_may_redirect(uint16_t type) {
        /* The following record types should never be redirected using
         * CNAME/DNAME RRs. See
         * <https://tools.ietf.org/html/rfc4035#section-2.5>. */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_CNAME,
                       DNS_TYPE_DNAME,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_NSEC,
                       DNS_TYPE_RRSIG,
                       DNS_TYPE_NXT,
                       DNS_TYPE_SIG,
                       DNS_TYPE_KEY);
}

bool dns_type_may_wildcard(uint16_t type) {

        /* The following records may not be expanded from wildcard RRsets */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_SOA,

                       /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
                       DNS_TYPE_DNAME);
}

bool dns_type_apex_only(uint16_t type) {

        /* Returns true for all RR types that may only appear signed in a zone apex */

        return IN_SET(type,
                      DNS_TYPE_SOA,
                      DNS_TYPE_NS,            /* this one can appear elsewhere, too, but not signed */
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_dnssec(uint16_t type) {
        return IN_SET(type,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_RRSIG,
                      DNS_TYPE_NSEC,
                      DNS_TYPE_NSEC3,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_obsolete(uint16_t type) {
        return IN_SET(type,
                      /* Obsoleted by RFC 973 */
                      DNS_TYPE_MD,
                      DNS_TYPE_MF,
                      DNS_TYPE_MAILA,

                      /* Kinda obsoleted by RFC 2505 */
                      DNS_TYPE_MB,
                      DNS_TYPE_MG,
                      DNS_TYPE_MR,
                      DNS_TYPE_MINFO,
                      DNS_TYPE_MAILB,

                      /* RFC1127 kinda obsoleted this by recommending against its use */
                      DNS_TYPE_WKS,

                      /* Declared historical by RFC 6563 */
                      DNS_TYPE_A6,

                      /* Obsoleted by DNSSEC-bis */
                      DNS_TYPE_NXT,

                      /* RFC 1035 removed support for concepts that needed this from RFC 883 */
                      DNS_TYPE_NULL);
}

bool dns_type_needs_authentication(uint16_t type) {

        /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
         * authenticated. I.e. everything that contains crypto keys. */

        return IN_SET(type,
                      DNS_TYPE_CERT,
                      DNS_TYPE_SSHFP,
                      DNS_TYPE_IPSECKEY,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_TLSA,
                      DNS_TYPE_CDNSKEY,
                      DNS_TYPE_OPENPGPKEY,
                      DNS_TYPE_CAA);
}

int dns_type_to_af(uint16_t t) {
        switch (t) {

        case DNS_TYPE_A:
                return AF_INET;

        case DNS_TYPE_AAAA:
                return AF_INET6;

        case DNS_TYPE_ANY:
                return AF_UNSPEC;

        default:
                return -EINVAL;
        }
}

const char *dns_class_to_string(uint16_t class) {

        switch (class) {

        case DNS_CLASS_IN:
                return "IN";

        case DNS_CLASS_ANY:
                return "ANY";
        }

        return NULL;
}

int dns_class_from_string(const char *s) {

        if (!s)
                return _DNS_CLASS_INVALID;

        if (strcaseeq(s, "IN"))
                return DNS_CLASS_IN;
        else if (strcaseeq(s, "ANY"))
                return DNS_CLASS_ANY;

        return _DNS_CLASS_INVALID;
}

const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {

        switch (cert_usage) {

        case 0:
                return "CA constraint";

        case 1:
                return "Service certificate constraint";

        case 2:
                return "Trust anchor assertion";

        case 3:
                return "Domain-issued certificate";

        case 4 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;  /* clang cannot count that we covered everything */
}

const char* tlsa_selector_to_string(uint8_t selector) {
        switch (selector) {

        case 0:
                return "Full Certificate";

        case 1:
                return "SubjectPublicKeyInfo";

        case 2 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}

const char* tlsa_matching_type_to_string(uint8_t selector) {

        switch (selector) {

        case 0:
                return "No hash used";

        case 1:
                return "SHA-256";

        case 2:
                return "SHA-512";

        case 3 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
7263f724 ZJS	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2014 Zbigniew Jędrzejewski-Szmek
7263f724 ZJS	6	***/
7263f724 ZJS	7
d07b43a1	8	#include <sys/socket.h>
dccca82b	9	#include <errno.h>
d07b43a1	10
7263f724	11	#include "dns-type.h"
869b3b67	12	#include "parse-util.h"
4b548ef3	13	#include "string-util.h"
7263f724 ZJS	14
	15	typedef const struct {
	16	uint16_t type;
	17	const char *name;
	18	} dns_type;
	19
	20	static const struct dns_type_name *
c9f7b4d3	21	lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);
7263f724 ZJS	22
	23	#include "dns_type-from-name.h"
	24	#include "dns_type-to-name.h"
	25
de292aa1	26	int dns_type_from_string(const char *s) {
7263f724 ZJS	27	const struct dns_type_name *sc;
	28
	29	assert(s);
7263f724 ZJS	30
7263f724 ZJS	31	sc = lookup_dns_type(s, strlen(s));
869b3b67 ZJS	32	if (sc)
869b3b67 ZJS	33	return sc->id;
7263f724	34
869b3b67 ZJS	35	s = startswith_no_case(s, "TYPE");
	36	if (s) {
	37	unsigned x;
	38
	39	if (safe_atou(s, &x) >= 0 &&
	40	x <= UINT16_MAX)
	41	return (int) x;
	42	}
	43
	44	return _DNS_TYPE_INVALID;
7263f724	45	}
8e6edc49	46
bea4c76f LP	47	bool dns_type_is_pseudo(uint16_t type) {
	48
	49	/* Checks whether the specified type is a "pseudo-type". What
	50	* a "pseudo-type" precisely is, is defined only very weakly,
	51	* but apparently entails all RR types that are not actually
	52	* stored as RRs on the server and should hence also not be
	53	* cached. We use this list primarily to validate NSEC type
c33be4a6	54	* bitfields, and to verify what to cache. */
bea4c76f LP	55
	56	return IN_SET(type,
	57	0, /* A Pseudo RR type, according to RFC 2931 */
	58	DNS_TYPE_ANY,
	59	DNS_TYPE_AXFR,
	60	DNS_TYPE_IXFR,
	61	DNS_TYPE_OPT,
	62	DNS_TYPE_TSIG,
	63	DNS_TYPE_TKEY
	64	);
8e6edc49	65	}
c463eb78	66
4b548ef3 LP	67	bool dns_class_is_pseudo(uint16_t class) {
	68	return class == DNS_TYPE_ANY;
	69	}
	70
c463eb78 LP	71	bool dns_type_is_valid_query(uint16_t type) {
	72
	73	/* The types valid as questions in packets */
	74
	75	return !IN_SET(type,
	76	0,
	77	DNS_TYPE_OPT,
	78	DNS_TYPE_TSIG,
04680e36 LP	79	DNS_TYPE_TKEY,
	80
	81	/* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
	82	* they aren't really payload, but signatures for payload, and cannot be validated on their
	83	* own. After all they are the signatures, and have no signatures of their own validating
	84	* them. */
	85	DNS_TYPE_RRSIG);
c463eb78 LP	86	}
c463eb78 LP	87
6ebd1e33 LP	88	bool dns_type_is_zone_transer(uint16_t type) {
	89
	90	/* Zone transfers, either normal or incremental */
	91
	92	return IN_SET(type,
	93	DNS_TYPE_AXFR,
	94	DNS_TYPE_IXFR);
	95	}
	96
c463eb78 LP	97	bool dns_type_is_valid_rr(uint16_t type) {
	98
	99	/* The types valid as RR in packets (but not necessarily
	100	* stored on servers). */
	101
	102	return !IN_SET(type,
	103	DNS_TYPE_ANY,
	104	DNS_TYPE_AXFR,
	105	DNS_TYPE_IXFR);
	106	}
4b548ef3 LP	107
	108	bool dns_class_is_valid_rr(uint16_t class) {
	109	return class != DNS_CLASS_ANY;
	110	}
	111
d3c7e913 LP	112	bool dns_type_may_redirect(uint16_t type) {
	113	/* The following record types should never be redirected using
	114	* CNAME/DNAME RRs. See
	115	* <https://tools.ietf.org/html/rfc4035#section-2.5>. */
	116
	117	if (dns_type_is_pseudo(type))
	118	return false;
	119
	120	return !IN_SET(type,
	121	DNS_TYPE_CNAME,
	122	DNS_TYPE_DNAME,
	123	DNS_TYPE_NSEC3,
	124	DNS_TYPE_NSEC,
	125	DNS_TYPE_RRSIG,
	126	DNS_TYPE_NXT,
	127	DNS_TYPE_SIG,
	128	DNS_TYPE_KEY);
	129	}
	130
e8233bce LP	131	bool dns_type_may_wildcard(uint16_t type) {
	132
	133	/* The following records may not be expanded from wildcard RRsets */
	134
	135	if (dns_type_is_pseudo(type))
	136	return false;
	137
	138	return !IN_SET(type,
	139	DNS_TYPE_NSEC3,
	140	DNS_TYPE_SOA,
	141
	142	/* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
	143	DNS_TYPE_DNAME);
	144	}
	145
588c53d0 LP	146	bool dns_type_apex_only(uint16_t type) {
	147
	148	/* Returns true for all RR types that may only appear signed in a zone apex */
	149
	150	return IN_SET(type,
	151	DNS_TYPE_SOA,
	152	DNS_TYPE_NS, /* this one can appear elsewhere, too, but not signed */
	153	DNS_TYPE_DNSKEY,
	154	DNS_TYPE_NSEC3PARAM);
	155	}
	156
91adc4db LP	157	bool dns_type_is_dnssec(uint16_t type) {
	158	return IN_SET(type,
	159	DNS_TYPE_DS,
	160	DNS_TYPE_DNSKEY,
	161	DNS_TYPE_RRSIG,
	162	DNS_TYPE_NSEC,
	163	DNS_TYPE_NSEC3,
	164	DNS_TYPE_NSEC3PARAM);
	165	}
	166
d0129ddb LP	167	bool dns_type_is_obsolete(uint16_t type) {
	168	return IN_SET(type,
	169	/* Obsoleted by RFC 973 */
	170	DNS_TYPE_MD,
	171	DNS_TYPE_MF,
	172	DNS_TYPE_MAILA,
	173
	174	/* Kinda obsoleted by RFC 2505 */
	175	DNS_TYPE_MB,
	176	DNS_TYPE_MG,
	177	DNS_TYPE_MR,
	178	DNS_TYPE_MINFO,
	179	DNS_TYPE_MAILB,
	180
	181	/* RFC1127 kinda obsoleted this by recommending against its use */
	182	DNS_TYPE_WKS,
	183
	184	/* Declared historical by RFC 6563 */
	185	DNS_TYPE_A6,
	186
	187	/* Obsoleted by DNSSEC-bis */
	188	DNS_TYPE_NXT,
	189
	190	/* RFC 1035 removed support for concepts that needed this from RFC 883 */
	191	DNS_TYPE_NULL);
	192	}
	193
41815a4a LP	194	bool dns_type_needs_authentication(uint16_t type) {
	195
	196	/* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
	197	* authenticated. I.e. everything that contains crypto keys. */
	198
	199	return IN_SET(type,
	200	DNS_TYPE_CERT,
	201	DNS_TYPE_SSHFP,
	202	DNS_TYPE_IPSECKEY,
	203	DNS_TYPE_DS,
	204	DNS_TYPE_DNSKEY,
	205	DNS_TYPE_TLSA,
	206	DNS_TYPE_CDNSKEY,
	207	DNS_TYPE_OPENPGPKEY,
	208	DNS_TYPE_CAA);
	209	}
	210
d07b43a1 LP	211	int dns_type_to_af(uint16_t t) {
	212	switch (t) {
	213
	214	case DNS_TYPE_A:
	215	return AF_INET;
	216
	217	case DNS_TYPE_AAAA:
	218	return AF_INET6;
	219
	220	case DNS_TYPE_ANY:
	221	return AF_UNSPEC;
	222
	223	default:
	224	return -EINVAL;
	225	}
	226	}
	227
4b548ef3 LP	228	const char *dns_class_to_string(uint16_t class) {
	229
	230	switch (class) {
	231
	232	case DNS_CLASS_IN:
	233	return "IN";
	234
	235	case DNS_CLASS_ANY:
	236	return "ANY";
	237	}
	238
	239	return NULL;
	240	}
	241
	242	int dns_class_from_string(const char *s) {
	243
	244	if (!s)
	245	return _DNS_CLASS_INVALID;
	246
	247	if (strcaseeq(s, "IN"))
	248	return DNS_CLASS_IN;
	249	else if (strcaseeq(s, "ANY"))
	250	return DNS_CLASS_ANY;
	251
	252	return _DNS_CLASS_INVALID;
	253	}
cfb90da3 ZJS	254
cfb90da3 ZJS	255	const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {
fb8a9fc9 LP	256
	257	switch (cert_usage) {
	258
	259	case 0:
	260	return "CA constraint";
	261
	262	case 1:
	263	return "Service certificate constraint";
	264
	265	case 2:
	266	return "Trust anchor assertion";
	267
	268	case 3:
	269	return "Domain-issued certificate";
	270
	271	case 4 ... 254:
	272	return "Unassigned";
	273
	274	case 255:
	275	return "Private use";
cfb90da3	276	}
fb8a9fc9 LP	277
fb8a9fc9 LP	278	return NULL; /* clang cannot count that we covered everything */
cfb90da3 ZJS	279	}
	280
	281	const char* tlsa_selector_to_string(uint8_t selector) {
fb8a9fc9 LP	282	switch (selector) {
	283
	284	case 0:
	285	return "Full Certificate";
	286
	287	case 1:
	288	return "SubjectPublicKeyInfo";
	289
	290	case 2 ... 254:
	291	return "Unassigned";
	292
	293	case 255:
	294	return "Private use";
cfb90da3	295	}
fb8a9fc9 LP	296
fb8a9fc9 LP	297	return NULL;
cfb90da3 ZJS	298	}
	299
	300	const char* tlsa_matching_type_to_string(uint8_t selector) {
fb8a9fc9 LP	301
	302	switch (selector) {
	303
	304	case 0:
	305	return "No hash used";
	306
	307	case 1:
	308	return "SHA-256";
	309
	310	case 2:
	311	return "SHA-512";
	312
	313	case 3 ... 254:
	314	return "Unassigned";
	315
	316	case 255:
	317	return "Private use";
cfb90da3	318	}
fb8a9fc9 LP	319
fb8a9fc9 LP	320	return NULL;
cfb90da3	321	}