[thirdparty/systemd.git] / src / resolve / dns-type.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2014 Zbigniew Jędrzejewski-Szmek

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <sys/socket.h>

#include "dns-type.h"
#include "parse-util.h"
#include "string-util.h"

typedef const struct {
        uint16_t type;
        const char *name;
} dns_type;

static const struct dns_type_name *
lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);

#include "dns_type-from-name.h"
#include "dns_type-to-name.h"

int dns_type_from_string(const char *s) {
        const struct dns_type_name *sc;

        assert(s);

        sc = lookup_dns_type(s, strlen(s));
        if (sc)
                return sc->id;

        s = startswith_no_case(s, "TYPE");
        if (s) {
                unsigned x;

                if (safe_atou(s, &x) >= 0 &&
                    x <= UINT16_MAX)
                        return (int) x;
        }

        return _DNS_TYPE_INVALID;
}

bool dns_type_is_pseudo(uint16_t type) {

        /* Checks whether the specified type is a "pseudo-type". What
         * a "pseudo-type" precisely is, is defined only very weakly,
         * but apparently entails all RR types that are not actually
         * stored as RRs on the server and should hence also not be
         * cached. We use this list primarily to validate NSEC type
         * bitfields, and to verify what to cache. */

        return IN_SET(type,
                      0, /* A Pseudo RR type, according to RFC 2931 */
                      DNS_TYPE_ANY,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR,
                      DNS_TYPE_OPT,
                      DNS_TYPE_TSIG,
                      DNS_TYPE_TKEY
        );
}

bool dns_class_is_pseudo(uint16_t class) {
        return class == DNS_TYPE_ANY;
}

bool dns_type_is_valid_query(uint16_t type) {

        /* The types valid as questions in packets */

        return !IN_SET(type,
                       0,
                       DNS_TYPE_OPT,
                       DNS_TYPE_TSIG,
                       DNS_TYPE_TKEY,

                       /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
                        * they aren't really payload, but signatures for payload, and cannot be validated on their
                        * own. After all they are the signatures, and have no signatures of their own validating
                        * them. */
                       DNS_TYPE_RRSIG);
}

bool dns_type_is_zone_transer(uint16_t type) {

        /* Zone transfers, either normal or incremental */

        return IN_SET(type,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR);
}

bool dns_type_is_valid_rr(uint16_t type) {

        /* The types valid as RR in packets (but not necessarily
         * stored on servers). */

        return !IN_SET(type,
                       DNS_TYPE_ANY,
                       DNS_TYPE_AXFR,
                       DNS_TYPE_IXFR);
}

bool dns_class_is_valid_rr(uint16_t class) {
        return class != DNS_CLASS_ANY;
}

bool dns_type_may_redirect(uint16_t type) {
        /* The following record types should never be redirected using
         * CNAME/DNAME RRs. See
         * <https://tools.ietf.org/html/rfc4035#section-2.5>. */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_CNAME,
                       DNS_TYPE_DNAME,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_NSEC,
                       DNS_TYPE_RRSIG,
                       DNS_TYPE_NXT,
                       DNS_TYPE_SIG,
                       DNS_TYPE_KEY);
}

bool dns_type_may_wildcard(uint16_t type) {

        /* The following records may not be expanded from wildcard RRsets */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_SOA,

                       /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
                       DNS_TYPE_DNAME);
}

bool dns_type_apex_only(uint16_t type) {

        /* Returns true for all RR types that may only appear signed in a zone apex */

        return IN_SET(type,
                      DNS_TYPE_SOA,
                      DNS_TYPE_NS,            /* this one can appear elsewhere, too, but not signed */
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_dnssec(uint16_t type) {
        return IN_SET(type,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_RRSIG,
                      DNS_TYPE_NSEC,
                      DNS_TYPE_NSEC3,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_obsolete(uint16_t type) {
        return IN_SET(type,
                      /* Obsoleted by RFC 973 */
                      DNS_TYPE_MD,
                      DNS_TYPE_MF,
                      DNS_TYPE_MAILA,

                      /* Kinda obsoleted by RFC 2505 */
                      DNS_TYPE_MB,
                      DNS_TYPE_MG,
                      DNS_TYPE_MR,
                      DNS_TYPE_MINFO,
                      DNS_TYPE_MAILB,

                      /* RFC1127 kinda obsoleted this by recommending against its use */
                      DNS_TYPE_WKS,

                      /* Declared historical by RFC 6563 */
                      DNS_TYPE_A6,

                      /* Obsoleted by DNSSEC-bis */
                      DNS_TYPE_NXT,

                      /* RFC 1035 removed support for concepts that needed this from RFC 883 */
                      DNS_TYPE_NULL);
}

bool dns_type_needs_authentication(uint16_t type) {

        /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
         * authenticated. I.e. everything that contains crypto keys. */

        return IN_SET(type,
                      DNS_TYPE_CERT,
                      DNS_TYPE_SSHFP,
                      DNS_TYPE_IPSECKEY,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_TLSA,
                      DNS_TYPE_CDNSKEY,
                      DNS_TYPE_OPENPGPKEY,
                      DNS_TYPE_CAA);
}

int dns_type_to_af(uint16_t t) {
        switch (t) {

        case DNS_TYPE_A:
                return AF_INET;

        case DNS_TYPE_AAAA:
                return AF_INET6;

        case DNS_TYPE_ANY:
                return AF_UNSPEC;

        default:
                return -EINVAL;
        }
}

const char *dns_class_to_string(uint16_t class) {

        switch (class) {

        case DNS_CLASS_IN:
                return "IN";

        case DNS_CLASS_ANY:
                return "ANY";
        }

        return NULL;
}

int dns_class_from_string(const char *s) {

        if (!s)
                return _DNS_CLASS_INVALID;

        if (strcaseeq(s, "IN"))
                return DNS_CLASS_IN;
        else if (strcaseeq(s, "ANY"))
                return DNS_CLASS_ANY;

        return _DNS_CLASS_INVALID;
}

const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {

        switch (cert_usage) {

        case 0:
                return "CA constraint";

        case 1:
                return "Service certificate constraint";

        case 2:
                return "Trust anchor assertion";

        case 3:
                return "Domain-issued certificate";

        case 4 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;  /* clang cannot count that we covered everything */
}

const char* tlsa_selector_to_string(uint8_t selector) {
        switch (selector) {

        case 0:
                return "Full Certificate";

        case 1:
                return "SubjectPublicKeyInfo";

        case 2 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}

const char* tlsa_matching_type_to_string(uint8_t selector) {

        switch (selector) {

        case 0:
                return "No hash used";

        case 1:
                return "SHA-256";

        case 2:
                return "SHA-512";

        case 3 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
7263f724 ZJS	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2014 Zbigniew Jędrzejewski-Szmek
	6
	7	systemd is free software; you can redistribute it and/or modify it
	8	under the terms of the GNU Lesser General Public License as published by
	9	the Free Software Foundation; either version 2.1 of the License, or
	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	Lesser General Public License for more details.
	16
	17	You should have received a copy of the GNU Lesser General Public License
	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
d07b43a1 LP	21	#include <sys/socket.h>
d07b43a1 LP	22
7263f724	23	#include "dns-type.h"
869b3b67	24	#include "parse-util.h"
4b548ef3	25	#include "string-util.h"
7263f724 ZJS	26
	27	typedef const struct {
	28	uint16_t type;
	29	const char *name;
	30	} dns_type;
	31
	32	static const struct dns_type_name *
c9f7b4d3	33	lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);
7263f724 ZJS	34
	35	#include "dns_type-from-name.h"
	36	#include "dns_type-to-name.h"
	37
de292aa1	38	int dns_type_from_string(const char *s) {
7263f724 ZJS	39	const struct dns_type_name *sc;
	40
	41	assert(s);
7263f724 ZJS	42
7263f724 ZJS	43	sc = lookup_dns_type(s, strlen(s));
869b3b67 ZJS	44	if (sc)
869b3b67 ZJS	45	return sc->id;
7263f724	46
869b3b67 ZJS	47	s = startswith_no_case(s, "TYPE");
	48	if (s) {
	49	unsigned x;
	50
	51	if (safe_atou(s, &x) >= 0 &&
	52	x <= UINT16_MAX)
	53	return (int) x;
	54	}
	55
	56	return _DNS_TYPE_INVALID;
7263f724	57	}
8e6edc49	58
bea4c76f LP	59	bool dns_type_is_pseudo(uint16_t type) {
	60
	61	/* Checks whether the specified type is a "pseudo-type". What
	62	* a "pseudo-type" precisely is, is defined only very weakly,
	63	* but apparently entails all RR types that are not actually
	64	* stored as RRs on the server and should hence also not be
	65	* cached. We use this list primarily to validate NSEC type
c33be4a6	66	* bitfields, and to verify what to cache. */
bea4c76f LP	67
	68	return IN_SET(type,
	69	0, /* A Pseudo RR type, according to RFC 2931 */
	70	DNS_TYPE_ANY,
	71	DNS_TYPE_AXFR,
	72	DNS_TYPE_IXFR,
	73	DNS_TYPE_OPT,
	74	DNS_TYPE_TSIG,
	75	DNS_TYPE_TKEY
	76	);
8e6edc49	77	}
c463eb78	78
4b548ef3 LP	79	bool dns_class_is_pseudo(uint16_t class) {
	80	return class == DNS_TYPE_ANY;
	81	}
	82
c463eb78 LP	83	bool dns_type_is_valid_query(uint16_t type) {
	84
	85	/* The types valid as questions in packets */
	86
	87	return !IN_SET(type,
	88	0,
	89	DNS_TYPE_OPT,
	90	DNS_TYPE_TSIG,
04680e36 LP	91	DNS_TYPE_TKEY,
	92
	93	/* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
	94	* they aren't really payload, but signatures for payload, and cannot be validated on their
	95	* own. After all they are the signatures, and have no signatures of their own validating
	96	* them. */
	97	DNS_TYPE_RRSIG);
c463eb78 LP	98	}
c463eb78 LP	99
6ebd1e33 LP	100	bool dns_type_is_zone_transer(uint16_t type) {
	101
	102	/* Zone transfers, either normal or incremental */
	103
	104	return IN_SET(type,
	105	DNS_TYPE_AXFR,
	106	DNS_TYPE_IXFR);
	107	}
	108
c463eb78 LP	109	bool dns_type_is_valid_rr(uint16_t type) {
	110
	111	/* The types valid as RR in packets (but not necessarily
	112	* stored on servers). */
	113
	114	return !IN_SET(type,
	115	DNS_TYPE_ANY,
	116	DNS_TYPE_AXFR,
	117	DNS_TYPE_IXFR);
	118	}
4b548ef3 LP	119
	120	bool dns_class_is_valid_rr(uint16_t class) {
	121	return class != DNS_CLASS_ANY;
	122	}
	123
d3c7e913 LP	124	bool dns_type_may_redirect(uint16_t type) {
	125	/* The following record types should never be redirected using
	126	* CNAME/DNAME RRs. See
	127	* <https://tools.ietf.org/html/rfc4035#section-2.5>. */
	128
	129	if (dns_type_is_pseudo(type))
	130	return false;
	131
	132	return !IN_SET(type,
	133	DNS_TYPE_CNAME,
	134	DNS_TYPE_DNAME,
	135	DNS_TYPE_NSEC3,
	136	DNS_TYPE_NSEC,
	137	DNS_TYPE_RRSIG,
	138	DNS_TYPE_NXT,
	139	DNS_TYPE_SIG,
	140	DNS_TYPE_KEY);
	141	}
	142
e8233bce LP	143	bool dns_type_may_wildcard(uint16_t type) {
	144
	145	/* The following records may not be expanded from wildcard RRsets */
	146
	147	if (dns_type_is_pseudo(type))
	148	return false;
	149
	150	return !IN_SET(type,
	151	DNS_TYPE_NSEC3,
	152	DNS_TYPE_SOA,
	153
	154	/* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
	155	DNS_TYPE_DNAME);
	156	}
	157
588c53d0 LP	158	bool dns_type_apex_only(uint16_t type) {
	159
	160	/* Returns true for all RR types that may only appear signed in a zone apex */
	161
	162	return IN_SET(type,
	163	DNS_TYPE_SOA,
	164	DNS_TYPE_NS, /* this one can appear elsewhere, too, but not signed */
	165	DNS_TYPE_DNSKEY,
	166	DNS_TYPE_NSEC3PARAM);
	167	}
	168
91adc4db LP	169	bool dns_type_is_dnssec(uint16_t type) {
	170	return IN_SET(type,
	171	DNS_TYPE_DS,
	172	DNS_TYPE_DNSKEY,
	173	DNS_TYPE_RRSIG,
	174	DNS_TYPE_NSEC,
	175	DNS_TYPE_NSEC3,
	176	DNS_TYPE_NSEC3PARAM);
	177	}
	178
d0129ddb LP	179	bool dns_type_is_obsolete(uint16_t type) {
	180	return IN_SET(type,
	181	/* Obsoleted by RFC 973 */
	182	DNS_TYPE_MD,
	183	DNS_TYPE_MF,
	184	DNS_TYPE_MAILA,
	185
	186	/* Kinda obsoleted by RFC 2505 */
	187	DNS_TYPE_MB,
	188	DNS_TYPE_MG,
	189	DNS_TYPE_MR,
	190	DNS_TYPE_MINFO,
	191	DNS_TYPE_MAILB,
	192
	193	/* RFC1127 kinda obsoleted this by recommending against its use */
	194	DNS_TYPE_WKS,
	195
	196	/* Declared historical by RFC 6563 */
	197	DNS_TYPE_A6,
	198
	199	/* Obsoleted by DNSSEC-bis */
	200	DNS_TYPE_NXT,
	201
	202	/* RFC 1035 removed support for concepts that needed this from RFC 883 */
	203	DNS_TYPE_NULL);
	204	}
	205
41815a4a LP	206	bool dns_type_needs_authentication(uint16_t type) {
	207
	208	/* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
	209	* authenticated. I.e. everything that contains crypto keys. */
	210
	211	return IN_SET(type,
	212	DNS_TYPE_CERT,
	213	DNS_TYPE_SSHFP,
	214	DNS_TYPE_IPSECKEY,
	215	DNS_TYPE_DS,
	216	DNS_TYPE_DNSKEY,
	217	DNS_TYPE_TLSA,
	218	DNS_TYPE_CDNSKEY,
	219	DNS_TYPE_OPENPGPKEY,
	220	DNS_TYPE_CAA);
	221	}
	222
d07b43a1 LP	223	int dns_type_to_af(uint16_t t) {
	224	switch (t) {
	225
	226	case DNS_TYPE_A:
	227	return AF_INET;
	228
	229	case DNS_TYPE_AAAA:
	230	return AF_INET6;
	231
	232	case DNS_TYPE_ANY:
	233	return AF_UNSPEC;
	234
	235	default:
	236	return -EINVAL;
	237	}
	238	}
	239
4b548ef3 LP	240	const char *dns_class_to_string(uint16_t class) {
	241
	242	switch (class) {
	243
	244	case DNS_CLASS_IN:
	245	return "IN";
	246
	247	case DNS_CLASS_ANY:
	248	return "ANY";
	249	}
	250
	251	return NULL;
	252	}
	253
	254	int dns_class_from_string(const char *s) {
	255
	256	if (!s)
	257	return _DNS_CLASS_INVALID;
	258
	259	if (strcaseeq(s, "IN"))
	260	return DNS_CLASS_IN;
	261	else if (strcaseeq(s, "ANY"))
	262	return DNS_CLASS_ANY;
	263
	264	return _DNS_CLASS_INVALID;
	265	}
cfb90da3 ZJS	266
cfb90da3 ZJS	267	const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {
fb8a9fc9 LP	268
	269	switch (cert_usage) {
	270
	271	case 0:
	272	return "CA constraint";
	273
	274	case 1:
	275	return "Service certificate constraint";
	276
	277	case 2:
	278	return "Trust anchor assertion";
	279
	280	case 3:
	281	return "Domain-issued certificate";
	282
	283	case 4 ... 254:
	284	return "Unassigned";
	285
	286	case 255:
	287	return "Private use";
cfb90da3	288	}
fb8a9fc9 LP	289
fb8a9fc9 LP	290	return NULL; /* clang cannot count that we covered everything */
cfb90da3 ZJS	291	}
	292
	293	const char* tlsa_selector_to_string(uint8_t selector) {
fb8a9fc9 LP	294	switch (selector) {
	295
	296	case 0:
	297	return "Full Certificate";
	298
	299	case 1:
	300	return "SubjectPublicKeyInfo";
	301
	302	case 2 ... 254:
	303	return "Unassigned";
	304
	305	case 255:
	306	return "Private use";
cfb90da3	307	}
fb8a9fc9 LP	308
fb8a9fc9 LP	309	return NULL;
cfb90da3 ZJS	310	}
	311
	312	const char* tlsa_matching_type_to_string(uint8_t selector) {
fb8a9fc9 LP	313
	314	switch (selector) {
	315
	316	case 0:
	317	return "No hash used";
	318
	319	case 1:
	320	return "SHA-256";
	321
	322	case 2:
	323	return "SHA-512";
	324
	325	case 3 ... 254:
	326	return "Unassigned";
	327
	328	case 255:
	329	return "Private use";
cfb90da3	330	}
fb8a9fc9 LP	331
fb8a9fc9 LP	332	return NULL;
cfb90da3	333	}