2 This file is part of systemd.
4 Copyright 2014 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <stringprep.h>
26 #include <netinet/in.h>
29 #include <sys/socket.h>
31 #include "alloc-util.h"
32 #include "dns-domain.h"
34 #include "hexdecoct.h"
35 #include "in-addr-util.h"
37 #include "parse-util.h"
38 #include "string-util.h"
42 int dns_label_unescape(const char **name
, char *dest
, size_t sz
) {
62 if (r
>= DNS_LABEL_MAX
)
69 /* Escaped character */
77 else if (*n
== '\\' || *n
== '.') {
78 /* Escaped backslash or dot */
86 } else if (n
[0] >= '0' && n
[0] <= '9') {
89 /* Escaped literal ASCII character */
91 if (!(n
[1] >= '0' && n
[1] <= '9') ||
92 !(n
[2] >= '0' && n
[2] <= '9'))
95 k
= ((unsigned) (n
[0] - '0') * 100) +
96 ((unsigned) (n
[1] - '0') * 10) +
97 ((unsigned) (n
[2] - '0'));
99 /* Don't allow anything that doesn't
100 * fit in 8bit. Note that we do allow
101 * control characters, as some servers
102 * (e.g. cloudflare) are happy to
103 * generate labels with them
117 } else if ((uint8_t) *n
>= (uint8_t) ' ' && *n
!= 127) {
119 /* Normal character */
130 /* Empty label that is not at the end? */
134 /* More than one trailing dot? */
145 /* @label_terminal: terminal character of a label, updated to point to the terminal character of
146 * the previous label (always skipping one dot) or to NULL if there are no more
148 int dns_label_unescape_suffix(const char *name
, const char **label_terminal
, char *dest
, size_t sz
) {
149 const char *terminal
;
153 assert(label_terminal
);
157 if (!*label_terminal
) {
164 terminal
= *label_terminal
;
165 assert(*terminal
== '.' || *terminal
== 0);
167 /* Skip current terminal character (and accept domain names ending it ".") */
170 if (terminal
>= name
&& *terminal
== '.')
173 /* Point name to the last label, and terminal to the preceding terminal symbol (or make it a NULL pointer) */
175 if (terminal
< name
) {
176 /* Reached the first label, so indicate that there are no more */
181 /* Find the start of the last label */
182 if (*terminal
== '.') {
184 unsigned slashes
= 0;
186 for (y
= terminal
- 1; y
>= name
&& *y
== '\\'; y
--)
189 if (slashes
% 2 == 0) {
190 /* The '.' was not escaped */
202 r
= dns_label_unescape(&name
, dest
, sz
);
206 *label_terminal
= terminal
;
211 int dns_label_escape(const char *p
, size_t l
, char *dest
, size_t sz
) {
214 /* DNS labels must be between 1 and 63 characters long. A
215 * zero-length label does not exist. See RFC 2182, Section
218 if (l
<= 0 || l
> DNS_LABEL_MAX
)
229 if (*p
== '.' || *p
== '\\') {
231 /* Dot or backslash */
241 } else if (*p
== '_' ||
243 (*p
>= '0' && *p
<= '9') ||
244 (*p
>= 'a' && *p
<= 'z') ||
245 (*p
>= 'A' && *p
<= 'Z')) {
247 /* Proper character */
257 /* Everything else */
263 *(q
++) = '0' + (char) ((uint8_t) *p
/ 100);
264 *(q
++) = '0' + (char) (((uint8_t) *p
/ 10) % 10);
265 *(q
++) = '0' + (char) ((uint8_t) *p
% 10);
275 return (int) (q
- dest
);
278 int dns_label_escape_new(const char *p
, size_t l
, char **ret
) {
279 _cleanup_free_
char *s
= NULL
;
285 if (l
<= 0 || l
> DNS_LABEL_MAX
)
288 s
= new(char, DNS_LABEL_ESCAPED_MAX
);
292 r
= dns_label_escape(p
, l
, s
, DNS_LABEL_ESCAPED_MAX
);
302 int dns_label_apply_idna(const char *encoded
, size_t encoded_size
, char *decoded
, size_t decoded_max
) {
304 _cleanup_free_
uint32_t *input
= NULL
;
305 size_t input_size
, l
;
307 bool contains_8bit
= false;
308 char buffer
[DNS_LABEL_MAX
+1];
313 /* Converts an U-label into an A-label */
315 if (encoded_size
<= 0)
318 for (p
= encoded
; p
< encoded
+ encoded_size
; p
++)
319 if ((uint8_t) *p
> 127)
320 contains_8bit
= true;
322 if (!contains_8bit
) {
323 if (encoded_size
> DNS_LABEL_MAX
)
329 input
= stringprep_utf8_to_ucs4(encoded
, encoded_size
, &input_size
);
333 if (idna_to_ascii_4i(input
, input_size
, buffer
, 0) != 0)
338 /* Verify that the result is not longer than one DNS label. */
339 if (l
<= 0 || l
> DNS_LABEL_MAX
)
344 memcpy(decoded
, buffer
, l
);
346 /* If there's room, append a trailing NUL byte, but only then */
356 int dns_label_undo_idna(const char *encoded
, size_t encoded_size
, char *decoded
, size_t decoded_max
) {
358 size_t input_size
, output_size
;
359 _cleanup_free_
uint32_t *input
= NULL
;
360 _cleanup_free_
char *result
= NULL
;
361 uint32_t *output
= NULL
;
364 /* To be invoked after unescaping. Converts an A-label into an U-label. */
369 if (encoded_size
<= 0 || encoded_size
> DNS_LABEL_MAX
)
372 if (encoded_size
< sizeof(IDNA_ACE_PREFIX
)-1)
375 if (memcmp(encoded
, IDNA_ACE_PREFIX
, sizeof(IDNA_ACE_PREFIX
) -1) != 0)
378 input
= stringprep_utf8_to_ucs4(encoded
, encoded_size
, &input_size
);
382 output_size
= input_size
;
383 output
= newa(uint32_t, output_size
);
385 idna_to_unicode_44i(input
, input_size
, output
, &output_size
, 0);
387 result
= stringprep_ucs4_to_utf8(output
, output_size
, NULL
, &w
);
395 memcpy(decoded
, result
, w
);
397 /* Append trailing NUL byte if there's space, but only then. */
407 int dns_name_concat(const char *a
, const char *b
, char **_ret
) {
408 _cleanup_free_
char *ret
= NULL
;
409 size_t n
= 0, allocated
= 0;
423 char label
[DNS_LABEL_MAX
];
425 r
= dns_label_unescape(&p
, label
, sizeof(label
));
433 /* Now continue with the second string, if there is one */
443 if (!GREEDY_REALLOC(ret
, allocated
, n
+ !first
+ DNS_LABEL_ESCAPED_MAX
))
446 r
= dns_label_escape(label
, r
, ret
+ n
+ !first
, DNS_LABEL_ESCAPED_MAX
);
453 char escaped
[DNS_LABEL_ESCAPED_MAX
];
455 r
= dns_label_escape(label
, r
, escaped
, sizeof(escaped
));
469 if (n
> DNS_HOSTNAME_MAX
)
474 /* Nothing appended? If so, generate at least a single dot, to indicate the DNS root domain */
475 if (!GREEDY_REALLOC(ret
, allocated
, 2))
480 if (!GREEDY_REALLOC(ret
, allocated
, n
+ 1))
492 void dns_name_hash_func(const void *s
, struct siphash
*state
) {
499 char label
[DNS_LABEL_MAX
+1];
501 r
= dns_label_unescape(&p
, label
, sizeof(label
));
507 ascii_strlower_n(label
, r
);
508 siphash24_compress(label
, r
, state
);
509 siphash24_compress_byte(0, state
); /* make sure foobar and foo.bar result in different hashes */
512 /* enforce that all names are terminated by the empty label */
513 string_hash_func("", state
);
516 int dns_name_compare_func(const void *a
, const void *b
) {
523 x
= (const char *) a
+ strlen(a
);
524 y
= (const char *) b
+ strlen(b
);
527 char la
[DNS_LABEL_MAX
], lb
[DNS_LABEL_MAX
];
529 if (x
== NULL
&& y
== NULL
)
532 r
= dns_label_unescape_suffix(a
, &x
, la
, sizeof(la
));
533 q
= dns_label_unescape_suffix(b
, &y
, lb
, sizeof(lb
));
537 r
= ascii_strcasecmp_nn(la
, r
, lb
, q
);
543 const struct hash_ops dns_name_hash_ops
= {
544 .hash
= dns_name_hash_func
,
545 .compare
= dns_name_compare_func
548 int dns_name_equal(const char *x
, const char *y
) {
555 char la
[DNS_LABEL_MAX
], lb
[DNS_LABEL_MAX
];
557 r
= dns_label_unescape(&x
, la
, sizeof(la
));
561 q
= dns_label_unescape(&y
, lb
, sizeof(lb
));
570 if (ascii_strcasecmp_n(la
, lb
, r
) != 0)
575 int dns_name_endswith(const char *name
, const char *suffix
) {
576 const char *n
, *s
, *saved_n
= NULL
;
586 char ln
[DNS_LABEL_MAX
], ls
[DNS_LABEL_MAX
];
588 r
= dns_label_unescape(&n
, ln
, sizeof(ln
));
595 q
= dns_label_unescape(&s
, ls
, sizeof(ls
));
599 if (r
== 0 && q
== 0)
601 if (r
== 0 && saved_n
== n
)
604 if (r
!= q
|| ascii_strcasecmp_n(ln
, ls
, r
) != 0) {
606 /* Not the same, let's jump back, and try with the next label again */
614 int dns_name_startswith(const char *name
, const char *prefix
) {
625 char ln
[DNS_LABEL_MAX
], lp
[DNS_LABEL_MAX
];
627 r
= dns_label_unescape(&p
, lp
, sizeof(lp
));
633 q
= dns_label_unescape(&n
, ln
, sizeof(ln
));
639 if (ascii_strcasecmp_n(ln
, lp
, r
) != 0)
644 int dns_name_change_suffix(const char *name
, const char *old_suffix
, const char *new_suffix
, char **ret
) {
645 const char *n
, *s
, *saved_before
= NULL
, *saved_after
= NULL
, *prefix
;
657 char ln
[DNS_LABEL_MAX
], ls
[DNS_LABEL_MAX
];
662 r
= dns_label_unescape(&n
, ln
, sizeof(ln
));
669 q
= dns_label_unescape(&s
, ls
, sizeof(ls
));
673 if (r
== 0 && q
== 0)
675 if (r
== 0 && saved_after
== n
) {
676 *ret
= NULL
; /* doesn't match */
680 if (r
!= q
|| ascii_strcasecmp_n(ln
, ls
, r
) != 0) {
682 /* Not the same, let's jump back, and try with the next label again */
685 saved_after
= saved_before
= NULL
;
689 /* Found it! Now generate the new name */
690 prefix
= strndupa(name
, saved_before
- name
);
692 r
= dns_name_concat(prefix
, new_suffix
, ret
);
699 int dns_name_between(const char *a
, const char *b
, const char *c
) {
702 /* Determine if b is strictly greater than a and strictly smaller than c.
703 We consider the order of names to be circular, so that if a is
704 strictly greater than c, we consider b to be between them if it is
705 either greater than a or smaller than c. This is how the canonical
706 DNS name order used in NSEC records work. */
708 n
= dns_name_compare_func(a
, c
);
713 return dns_name_compare_func(a
, b
) < 0 &&
714 dns_name_compare_func(b
, c
) < 0;
716 /* <--b--c a--b--> */
717 return dns_name_compare_func(b
, c
) < 0 ||
718 dns_name_compare_func(a
, b
) < 0;
721 int dns_name_reverse(int family
, const union in_addr_union
*a
, char **ret
) {
728 p
= (const uint8_t*) a
;
730 if (family
== AF_INET
)
731 r
= asprintf(ret
, "%u.%u.%u.%u.in-addr.arpa", p
[3], p
[2], p
[1], p
[0]);
732 else if (family
== AF_INET6
)
733 r
= asprintf(ret
, "%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.ip6.arpa",
734 hexchar(p
[15] & 0xF), hexchar(p
[15] >> 4), hexchar(p
[14] & 0xF), hexchar(p
[14] >> 4),
735 hexchar(p
[13] & 0xF), hexchar(p
[13] >> 4), hexchar(p
[12] & 0xF), hexchar(p
[12] >> 4),
736 hexchar(p
[11] & 0xF), hexchar(p
[11] >> 4), hexchar(p
[10] & 0xF), hexchar(p
[10] >> 4),
737 hexchar(p
[ 9] & 0xF), hexchar(p
[ 9] >> 4), hexchar(p
[ 8] & 0xF), hexchar(p
[ 8] >> 4),
738 hexchar(p
[ 7] & 0xF), hexchar(p
[ 7] >> 4), hexchar(p
[ 6] & 0xF), hexchar(p
[ 6] >> 4),
739 hexchar(p
[ 5] & 0xF), hexchar(p
[ 5] >> 4), hexchar(p
[ 4] & 0xF), hexchar(p
[ 4] >> 4),
740 hexchar(p
[ 3] & 0xF), hexchar(p
[ 3] >> 4), hexchar(p
[ 2] & 0xF), hexchar(p
[ 2] >> 4),
741 hexchar(p
[ 1] & 0xF), hexchar(p
[ 1] >> 4), hexchar(p
[ 0] & 0xF), hexchar(p
[ 0] >> 4));
743 return -EAFNOSUPPORT
;
750 int dns_name_address(const char *p
, int *family
, union in_addr_union
*address
) {
757 r
= dns_name_endswith(p
, "in-addr.arpa");
764 for (i
= 0; i
< ELEMENTSOF(a
); i
++) {
765 char label
[DNS_LABEL_MAX
+1];
767 r
= dns_label_unescape(&p
, label
, sizeof(label
));
775 r
= safe_atou8(label
, &a
[i
]);
780 r
= dns_name_equal(p
, "in-addr.arpa");
785 address
->in
.s_addr
= htobe32(((uint32_t) a
[3] << 24) |
786 ((uint32_t) a
[2] << 16) |
787 ((uint32_t) a
[1] << 8) |
793 r
= dns_name_endswith(p
, "ip6.arpa");
800 for (i
= 0; i
< ELEMENTSOF(a
.s6_addr
); i
++) {
801 char label
[DNS_LABEL_MAX
+1];
804 r
= dns_label_unescape(&p
, label
, sizeof(label
));
809 x
= unhexchar(label
[0]);
813 r
= dns_label_unescape(&p
, label
, sizeof(label
));
818 y
= unhexchar(label
[0]);
822 a
.s6_addr
[ELEMENTSOF(a
.s6_addr
) - i
- 1] = (uint8_t) y
<< 4 | (uint8_t) x
;
825 r
= dns_name_equal(p
, "ip6.arpa");
837 bool dns_name_is_root(const char *name
) {
841 /* There are exactly two ways to encode the root domain name:
842 * as empty string, or with a single dot. */
844 return STR_IN_SET(name
, "", ".");
847 bool dns_name_is_single_label(const char *name
) {
852 r
= dns_name_parent(&name
);
856 return dns_name_is_root(name
);
859 /* Encode a domain name according to RFC 1035 Section 3.1, without compression */
860 int dns_name_to_wire_format(const char *domain
, uint8_t *buffer
, size_t len
, bool canonical
) {
861 uint8_t *label_length
, *out
;
870 /* Reserve a byte for label length */
877 /* Convert and copy a single label. Note that
878 * dns_label_unescape() returns 0 when it hits the end
879 * of the domain name, which we rely on here to encode
880 * the trailing NUL byte. */
881 r
= dns_label_unescape(&domain
, (char *) out
, len
);
885 /* Optionally, output the name in DNSSEC canonical
886 * format, as described in RFC 4034, section 6.2. Or
887 * in other words: in lower-case. */
889 ascii_strlower_n((char*) out
, (size_t) r
);
891 /* Fill label length, move forward */
898 /* Verify the maximum size of the encoded name. The trailing
899 * dot + NUL byte account are included this time, hence
900 * compare against DNS_HOSTNAME_MAX + 2 (which is 255) this
902 if (out
- buffer
> DNS_HOSTNAME_MAX
+ 2)
908 static bool srv_type_label_is_valid(const char *label
, size_t n
) {
913 if (n
< 2) /* Label needs to be at least 2 chars long */
916 if (label
[0] != '_') /* First label char needs to be underscore */
919 /* Second char must be a letter */
920 if (!(label
[1] >= 'A' && label
[1] <= 'Z') &&
921 !(label
[1] >= 'a' && label
[1] <= 'z'))
924 /* Third and further chars must be alphanumeric or a hyphen */
925 for (k
= 2; k
< n
; k
++) {
926 if (!(label
[k
] >= 'A' && label
[k
] <= 'Z') &&
927 !(label
[k
] >= 'a' && label
[k
] <= 'z') &&
928 !(label
[k
] >= '0' && label
[k
] <= '9') &&
936 bool dns_srv_type_is_valid(const char *name
) {
944 char label
[DNS_LABEL_MAX
];
946 /* This more or less implements RFC 6335, Section 5.1 */
948 r
= dns_label_unescape(&name
, label
, sizeof(label
));
957 if (!srv_type_label_is_valid(label
, r
))
963 return c
== 2; /* exactly two labels */
966 bool dns_service_name_is_valid(const char *name
) {
969 /* This more or less implements RFC 6763, Section 4.1.1 */
974 if (!utf8_is_valid(name
))
977 if (string_has_cc(name
, NULL
))
989 int dns_service_join(const char *name
, const char *type
, const char *domain
, char **ret
) {
990 char escaped
[DNS_LABEL_ESCAPED_MAX
];
991 _cleanup_free_
char *n
= NULL
;
998 if (!dns_srv_type_is_valid(type
))
1002 return dns_name_concat(type
, domain
, ret
);
1004 if (!dns_service_name_is_valid(name
))
1007 r
= dns_label_escape(name
, strlen(name
), escaped
, sizeof(escaped
));
1011 r
= dns_name_concat(type
, domain
, &n
);
1015 return dns_name_concat(escaped
, n
, ret
);
1018 static bool dns_service_name_label_is_valid(const char *label
, size_t n
) {
1023 if (memchr(label
, 0, n
))
1026 s
= strndupa(label
, n
);
1027 return dns_service_name_is_valid(s
);
1030 int dns_service_split(const char *joined
, char **_name
, char **_type
, char **_domain
) {
1031 _cleanup_free_
char *name
= NULL
, *type
= NULL
, *domain
= NULL
;
1032 const char *p
= joined
, *q
= NULL
, *d
= NULL
;
1033 char a
[DNS_LABEL_MAX
], b
[DNS_LABEL_MAX
], c
[DNS_LABEL_MAX
];
1039 /* Get first label from the full name */
1040 an
= dns_label_unescape(&p
, a
, sizeof(a
));
1047 /* If there was a first label, try to get the second one */
1048 bn
= dns_label_unescape(&p
, b
, sizeof(b
));
1055 /* If there was a second label, try to get the third one */
1057 cn
= dns_label_unescape(&p
, c
, sizeof(c
));
1068 if (x
>= 2 && srv_type_label_is_valid(b
, bn
)) {
1070 if (x
>= 3 && srv_type_label_is_valid(c
, cn
)) {
1072 if (dns_service_name_label_is_valid(a
, an
)) {
1073 /* OK, got <name> . <type> . <type2> . <domain> */
1075 name
= strndup(a
, an
);
1079 type
= strjoin(b
, ".", c
, NULL
);
1087 } else if (srv_type_label_is_valid(a
, an
)) {
1089 /* OK, got <type> . <type2> . <domain> */
1093 type
= strjoin(a
, ".", b
, NULL
);
1107 r
= dns_name_normalize(d
, &domain
);
1129 static int dns_name_build_suffix_table(const char *name
, const char*table
[]) {
1139 if (n
> DNS_N_LABELS_MAX
)
1143 r
= dns_name_parent(&p
);
1155 int dns_name_suffix(const char *name
, unsigned n_labels
, const char **ret
) {
1156 const char* labels
[DNS_N_LABELS_MAX
+1];
1162 n
= dns_name_build_suffix_table(name
, labels
);
1166 if ((unsigned) n
< n_labels
)
1169 *ret
= labels
[n
- n_labels
];
1170 return (int) (n
- n_labels
);
1173 int dns_name_skip(const char *a
, unsigned n_labels
, const char **ret
) {
1179 for (; n_labels
> 0; n_labels
--) {
1180 r
= dns_name_parent(&a
);
1193 int dns_name_count_labels(const char *name
) {
1202 r
= dns_name_parent(&p
);
1208 if (n
>= DNS_N_LABELS_MAX
)
1217 int dns_name_equal_skip(const char *a
, unsigned n_labels
, const char *b
) {
1223 r
= dns_name_skip(a
, n_labels
, &a
);
1227 return dns_name_equal(a
, b
);
1230 int dns_name_common_suffix(const char *a
, const char *b
, const char **ret
) {
1231 const char *a_labels
[DNS_N_LABELS_MAX
+1], *b_labels
[DNS_N_LABELS_MAX
+1];
1232 int n
= 0, m
= 0, k
= 0, r
, q
;
1238 /* Determines the common suffix of domain names a and b */
1240 n
= dns_name_build_suffix_table(a
, a_labels
);
1244 m
= dns_name_build_suffix_table(b
, b_labels
);
1249 char la
[DNS_LABEL_MAX
], lb
[DNS_LABEL_MAX
];
1252 if (k
>= n
|| k
>= m
) {
1253 *ret
= a_labels
[n
- k
];
1257 x
= a_labels
[n
- 1 - k
];
1258 r
= dns_label_unescape(&x
, la
, sizeof(la
));
1262 y
= b_labels
[m
- 1 - k
];
1263 q
= dns_label_unescape(&y
, lb
, sizeof(lb
));
1267 if (r
!= q
|| ascii_strcasecmp_n(la
, lb
, r
) != 0) {
1268 *ret
= a_labels
[n
- k
];
1276 int dns_name_apply_idna(const char *name
, char **ret
) {
1277 _cleanup_free_
char *buf
= NULL
;
1278 size_t n
= 0, allocated
= 0;
1286 char label
[DNS_LABEL_MAX
];
1288 r
= dns_label_unescape(&name
, label
, sizeof(label
));
1294 q
= dns_label_apply_idna(label
, r
, label
, sizeof(label
));
1300 if (!GREEDY_REALLOC(buf
, allocated
, n
+ !first
+ DNS_LABEL_ESCAPED_MAX
))
1303 r
= dns_label_escape(label
, r
, buf
+ n
+ !first
, DNS_LABEL_ESCAPED_MAX
);
1315 if (n
> DNS_HOSTNAME_MAX
)
1318 if (!GREEDY_REALLOC(buf
, allocated
, n
+ 1))