[thirdparty/systemd.git] / src / resolve / dns-type.c

/***
  This file is part of systemd.

  Copyright 2014 Zbigniew Jędrzejewski-Szmek

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <sys/socket.h>

#include "dns-type.h"
#include "parse-util.h"
#include "string-util.h"

typedef const struct {
        uint16_t type;
        const char *name;
} dns_type;

static const struct dns_type_name *
lookup_dns_type (register const char *str, register unsigned int len);

#include "dns_type-from-name.h"
#include "dns_type-to-name.h"

int dns_type_from_string(const char *s) {
        const struct dns_type_name *sc;

        assert(s);

        sc = lookup_dns_type(s, strlen(s));
        if (sc)
                return sc->id;

        s = startswith_no_case(s, "TYPE");
        if (s) {
                unsigned x;

                if (safe_atou(s, &x) >= 0 &&
                    x <= UINT16_MAX)
                        return (int) x;
        }

        return _DNS_TYPE_INVALID;
}

bool dns_type_is_pseudo(uint16_t type) {

        /* Checks whether the specified type is a "pseudo-type". What
         * a "pseudo-type" precisely is, is defined only very weakly,
         * but apparently entails all RR types that are not actually
         * stored as RRs on the server and should hence also not be
         * cached. We use this list primarily to validate NSEC type
         * bitfields, and to verify what to cache. */

        return IN_SET(type,
                      0, /* A Pseudo RR type, according to RFC 2931 */
                      DNS_TYPE_ANY,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR,
                      DNS_TYPE_OPT,
                      DNS_TYPE_TSIG,
                      DNS_TYPE_TKEY
        );
}

bool dns_class_is_pseudo(uint16_t class) {
        return class == DNS_TYPE_ANY;
}

bool dns_type_is_valid_query(uint16_t type) {

        /* The types valid as questions in packets */

        return !IN_SET(type,
                       0,
                       DNS_TYPE_OPT,
                       DNS_TYPE_TSIG,
                       DNS_TYPE_TKEY,

                       /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
                        * they aren't really payload, but signatures for payload, and cannot be validated on their
                        * own. After all they are the signatures, and have no signatures of their own validating
                        * them. */
                       DNS_TYPE_RRSIG);
}

bool dns_type_is_valid_rr(uint16_t type) {

        /* The types valid as RR in packets (but not necessarily
         * stored on servers). */

        return !IN_SET(type,
                       DNS_TYPE_ANY,
                       DNS_TYPE_AXFR,
                       DNS_TYPE_IXFR);
}

bool dns_class_is_valid_rr(uint16_t class) {
        return class != DNS_CLASS_ANY;
}

bool dns_type_may_redirect(uint16_t type) {
        /* The following record types should never be redirected using
         * CNAME/DNAME RRs. See
         * <https://tools.ietf.org/html/rfc4035#section-2.5>. */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_CNAME,
                       DNS_TYPE_DNAME,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_NSEC,
                       DNS_TYPE_RRSIG,
                       DNS_TYPE_NXT,
                       DNS_TYPE_SIG,
                       DNS_TYPE_KEY);
}

bool dns_type_may_wildcard(uint16_t type) {

        /* The following records may not be expanded from wildcard RRsets */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_SOA,

                       /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
                       DNS_TYPE_DNAME);
}

bool dns_type_apex_only(uint16_t type) {

        /* Returns true for all RR types that may only appear signed in a zone apex */

        return IN_SET(type,
                      DNS_TYPE_SOA,
                      DNS_TYPE_NS,            /* this one can appear elsewhere, too, but not signed */
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_dnssec(uint16_t type) {
        return IN_SET(type,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_RRSIG,
                      DNS_TYPE_NSEC,
                      DNS_TYPE_NSEC3,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_obsolete(uint16_t type) {
        return IN_SET(type,
                      /* Obsoleted by RFC 973 */
                      DNS_TYPE_MD,
                      DNS_TYPE_MF,
                      DNS_TYPE_MAILA,

                      /* Kinda obsoleted by RFC 2505 */
                      DNS_TYPE_MB,
                      DNS_TYPE_MG,
                      DNS_TYPE_MR,
                      DNS_TYPE_MINFO,
                      DNS_TYPE_MAILB,

                      /* RFC1127 kinda obsoleted this by recommending against its use */
                      DNS_TYPE_WKS,

                      /* Declared historical by RFC 6563 */
                      DNS_TYPE_A6,

                      /* Obsoleted by DNSSEC-bis */
                      DNS_TYPE_NXT,

                      /* RFC 1035 removed support for concepts that needed this from RFC 883 */
                      DNS_TYPE_NULL);
}

bool dns_type_needs_authentication(uint16_t type) {

        /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
         * authenticated. I.e. everything that contains crypto keys. */

        return IN_SET(type,
                      DNS_TYPE_CERT,
                      DNS_TYPE_SSHFP,
                      DNS_TYPE_IPSECKEY,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_TLSA,
                      DNS_TYPE_CDNSKEY,
                      DNS_TYPE_OPENPGPKEY,
                      DNS_TYPE_CAA);
}

int dns_type_to_af(uint16_t t) {
        switch (t) {

        case DNS_TYPE_A:
                return AF_INET;

        case DNS_TYPE_AAAA:
                return AF_INET6;

        case DNS_TYPE_ANY:
                return AF_UNSPEC;

        default:
                return -EINVAL;
        }
}

const char *dns_class_to_string(uint16_t class) {

        switch (class) {

        case DNS_CLASS_IN:
                return "IN";

        case DNS_CLASS_ANY:
                return "ANY";
        }

        return NULL;
}

int dns_class_from_string(const char *s) {

        if (!s)
                return _DNS_CLASS_INVALID;

        if (strcaseeq(s, "IN"))
                return DNS_CLASS_IN;
        else if (strcaseeq(s, "ANY"))
                return DNS_CLASS_ANY;

        return _DNS_CLASS_INVALID;
}

const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {

        switch (cert_usage) {

        case 0:
                return "CA constraint";

        case 1:
                return "Service certificate constraint";

        case 2:
                return "Trust anchor assertion";

        case 3:
                return "Domain-issued certificate";

        case 4 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;  /* clang cannot count that we covered everything */
}

const char* tlsa_selector_to_string(uint8_t selector) {
        switch (selector) {

        case 0:
                return "Full Certificate";

        case 1:
                return "SubjectPublicKeyInfo";

        case 2 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}

const char* tlsa_matching_type_to_string(uint8_t selector) {

        switch (selector) {

        case 0:
                return "No hash used";

        case 1:
                return "SHA-256";

        case 2:
                return "SHA-512";

        case 3 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}
Commit	Line	Data
7263f724 ZJS	1	/***
	2	This file is part of systemd.
	3
	4	Copyright 2014 Zbigniew Jędrzejewski-Szmek
	5
	6	systemd is free software; you can redistribute it and/or modify it
	7	under the terms of the GNU Lesser General Public License as published by
	8	the Free Software Foundation; either version 2.1 of the License, or
	9	(at your option) any later version.
	10
	11	systemd is distributed in the hope that it will be useful, but
	12	WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public License
	17	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	18	***/
	19
d07b43a1 LP	20	#include <sys/socket.h>
d07b43a1 LP	21
7263f724	22	#include "dns-type.h"
869b3b67	23	#include "parse-util.h"
4b548ef3	24	#include "string-util.h"
7263f724 ZJS	25
	26	typedef const struct {
	27	uint16_t type;
	28	const char *name;
	29	} dns_type;
	30
	31	static const struct dns_type_name *
	32	lookup_dns_type (register const char *str, register unsigned int len);
	33
	34	#include "dns_type-from-name.h"
	35	#include "dns_type-to-name.h"
	36
de292aa1	37	int dns_type_from_string(const char *s) {
7263f724 ZJS	38	const struct dns_type_name *sc;
	39
	40	assert(s);
7263f724 ZJS	41
7263f724 ZJS	42	sc = lookup_dns_type(s, strlen(s));
869b3b67 ZJS	43	if (sc)
869b3b67 ZJS	44	return sc->id;
7263f724	45
869b3b67 ZJS	46	s = startswith_no_case(s, "TYPE");
	47	if (s) {
	48	unsigned x;
	49
	50	if (safe_atou(s, &x) >= 0 &&
	51	x <= UINT16_MAX)
	52	return (int) x;
	53	}
	54
	55	return _DNS_TYPE_INVALID;
7263f724	56	}
8e6edc49	57
bea4c76f LP	58	bool dns_type_is_pseudo(uint16_t type) {
	59
	60	/* Checks whether the specified type is a "pseudo-type". What
	61	* a "pseudo-type" precisely is, is defined only very weakly,
	62	* but apparently entails all RR types that are not actually
	63	* stored as RRs on the server and should hence also not be
	64	* cached. We use this list primarily to validate NSEC type
c33be4a6	65	* bitfields, and to verify what to cache. */
bea4c76f LP	66
	67	return IN_SET(type,
	68	0, /* A Pseudo RR type, according to RFC 2931 */
	69	DNS_TYPE_ANY,
	70	DNS_TYPE_AXFR,
	71	DNS_TYPE_IXFR,
	72	DNS_TYPE_OPT,
	73	DNS_TYPE_TSIG,
	74	DNS_TYPE_TKEY
	75	);
8e6edc49	76	}
c463eb78	77
4b548ef3 LP	78	bool dns_class_is_pseudo(uint16_t class) {
	79	return class == DNS_TYPE_ANY;
	80	}
	81
c463eb78 LP	82	bool dns_type_is_valid_query(uint16_t type) {
	83
	84	/* The types valid as questions in packets */
	85
	86	return !IN_SET(type,
	87	0,
	88	DNS_TYPE_OPT,
	89	DNS_TYPE_TSIG,
04680e36 LP	90	DNS_TYPE_TKEY,
	91
	92	/* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
	93	* they aren't really payload, but signatures for payload, and cannot be validated on their
	94	* own. After all they are the signatures, and have no signatures of their own validating
	95	* them. */
	96	DNS_TYPE_RRSIG);
c463eb78 LP	97	}
	98
	99	bool dns_type_is_valid_rr(uint16_t type) {
	100
	101	/* The types valid as RR in packets (but not necessarily
	102	* stored on servers). */
	103
	104	return !IN_SET(type,
	105	DNS_TYPE_ANY,
	106	DNS_TYPE_AXFR,
	107	DNS_TYPE_IXFR);
	108	}
4b548ef3 LP	109
	110	bool dns_class_is_valid_rr(uint16_t class) {
	111	return class != DNS_CLASS_ANY;
	112	}
	113
d3c7e913 LP	114	bool dns_type_may_redirect(uint16_t type) {
	115	/* The following record types should never be redirected using
	116	* CNAME/DNAME RRs. See
	117	* <https://tools.ietf.org/html/rfc4035#section-2.5>. */
	118
	119	if (dns_type_is_pseudo(type))
	120	return false;
	121
	122	return !IN_SET(type,
	123	DNS_TYPE_CNAME,
	124	DNS_TYPE_DNAME,
	125	DNS_TYPE_NSEC3,
	126	DNS_TYPE_NSEC,
	127	DNS_TYPE_RRSIG,
	128	DNS_TYPE_NXT,
	129	DNS_TYPE_SIG,
	130	DNS_TYPE_KEY);
	131	}
	132
e8233bce LP	133	bool dns_type_may_wildcard(uint16_t type) {
	134
	135	/* The following records may not be expanded from wildcard RRsets */
	136
	137	if (dns_type_is_pseudo(type))
	138	return false;
	139
	140	return !IN_SET(type,
	141	DNS_TYPE_NSEC3,
	142	DNS_TYPE_SOA,
	143
	144	/* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
	145	DNS_TYPE_DNAME);
	146	}
	147
588c53d0 LP	148	bool dns_type_apex_only(uint16_t type) {
	149
	150	/* Returns true for all RR types that may only appear signed in a zone apex */
	151
	152	return IN_SET(type,
	153	DNS_TYPE_SOA,
	154	DNS_TYPE_NS, /* this one can appear elsewhere, too, but not signed */
	155	DNS_TYPE_DNSKEY,
	156	DNS_TYPE_NSEC3PARAM);
	157	}
	158
91adc4db LP	159	bool dns_type_is_dnssec(uint16_t type) {
	160	return IN_SET(type,
	161	DNS_TYPE_DS,
	162	DNS_TYPE_DNSKEY,
	163	DNS_TYPE_RRSIG,
	164	DNS_TYPE_NSEC,
	165	DNS_TYPE_NSEC3,
	166	DNS_TYPE_NSEC3PARAM);
	167	}
	168
d0129ddb LP	169	bool dns_type_is_obsolete(uint16_t type) {
	170	return IN_SET(type,
	171	/* Obsoleted by RFC 973 */
	172	DNS_TYPE_MD,
	173	DNS_TYPE_MF,
	174	DNS_TYPE_MAILA,
	175
	176	/* Kinda obsoleted by RFC 2505 */
	177	DNS_TYPE_MB,
	178	DNS_TYPE_MG,
	179	DNS_TYPE_MR,
	180	DNS_TYPE_MINFO,
	181	DNS_TYPE_MAILB,
	182
	183	/* RFC1127 kinda obsoleted this by recommending against its use */
	184	DNS_TYPE_WKS,
	185
	186	/* Declared historical by RFC 6563 */
	187	DNS_TYPE_A6,
	188
	189	/* Obsoleted by DNSSEC-bis */
	190	DNS_TYPE_NXT,
	191
	192	/* RFC 1035 removed support for concepts that needed this from RFC 883 */
	193	DNS_TYPE_NULL);
	194	}
	195
41815a4a LP	196	bool dns_type_needs_authentication(uint16_t type) {
	197
	198	/* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
	199	* authenticated. I.e. everything that contains crypto keys. */
	200
	201	return IN_SET(type,
	202	DNS_TYPE_CERT,
	203	DNS_TYPE_SSHFP,
	204	DNS_TYPE_IPSECKEY,
	205	DNS_TYPE_DS,
	206	DNS_TYPE_DNSKEY,
	207	DNS_TYPE_TLSA,
	208	DNS_TYPE_CDNSKEY,
	209	DNS_TYPE_OPENPGPKEY,
	210	DNS_TYPE_CAA);
	211	}
	212
d07b43a1 LP	213	int dns_type_to_af(uint16_t t) {
	214	switch (t) {
	215
	216	case DNS_TYPE_A:
	217	return AF_INET;
	218
	219	case DNS_TYPE_AAAA:
	220	return AF_INET6;
	221
	222	case DNS_TYPE_ANY:
	223	return AF_UNSPEC;
	224
	225	default:
	226	return -EINVAL;
	227	}
	228	}
	229
4b548ef3 LP	230	const char *dns_class_to_string(uint16_t class) {
	231
	232	switch (class) {
	233
	234	case DNS_CLASS_IN:
	235	return "IN";
	236
	237	case DNS_CLASS_ANY:
	238	return "ANY";
	239	}
	240
	241	return NULL;
	242	}
	243
	244	int dns_class_from_string(const char *s) {
	245
	246	if (!s)
	247	return _DNS_CLASS_INVALID;
	248
	249	if (strcaseeq(s, "IN"))
	250	return DNS_CLASS_IN;
	251	else if (strcaseeq(s, "ANY"))
	252	return DNS_CLASS_ANY;
	253
	254	return _DNS_CLASS_INVALID;
	255	}
cfb90da3 ZJS	256
cfb90da3 ZJS	257	const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {
fb8a9fc9 LP	258
	259	switch (cert_usage) {
	260
	261	case 0:
	262	return "CA constraint";
	263
	264	case 1:
	265	return "Service certificate constraint";
	266
	267	case 2:
	268	return "Trust anchor assertion";
	269
	270	case 3:
	271	return "Domain-issued certificate";
	272
	273	case 4 ... 254:
	274	return "Unassigned";
	275
	276	case 255:
	277	return "Private use";
cfb90da3	278	}
fb8a9fc9 LP	279
fb8a9fc9 LP	280	return NULL; /* clang cannot count that we covered everything */
cfb90da3 ZJS	281	}
	282
	283	const char* tlsa_selector_to_string(uint8_t selector) {
fb8a9fc9 LP	284	switch (selector) {
	285
	286	case 0:
	287	return "Full Certificate";
	288
	289	case 1:
	290	return "SubjectPublicKeyInfo";
	291
	292	case 2 ... 254:
	293	return "Unassigned";
	294
	295	case 255:
	296	return "Private use";
cfb90da3	297	}
fb8a9fc9 LP	298
fb8a9fc9 LP	299	return NULL;
cfb90da3 ZJS	300	}
	301
	302	const char* tlsa_matching_type_to_string(uint8_t selector) {
fb8a9fc9 LP	303
	304	switch (selector) {
	305
	306	case 0:
	307	return "No hash used";
	308
	309	case 1:
	310	return "SHA-256";
	311
	312	case 2:
	313	return "SHA-512";
	314
	315	case 3 ... 254:
	316	return "Unassigned";
	317
	318	case 255:
	319	return "Private use";
cfb90da3	320	}
fb8a9fc9 LP	321
fb8a9fc9 LP	322	return NULL;
cfb90da3	323	}