/* $NetBSD: rcode.c,v 1.14 2025/01/26 16:25:24 christos Exp $ */

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

#include <ctype.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>

#include <isc/ascii.h>
#include <isc/buffer.h>
#include <isc/parseint.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/stdio.h>
#include <isc/string.h>
#include <isc/types.h>
#include <isc/util.h>

#include <dns/cert.h>
#include <dns/ds.h>
#include <dns/dsdigest.h>
#include <dns/keyflags.h>
#include <dns/keyvalues.h>
#include <dns/rcode.h>
#include <dns/rdataclass.h>
#include <dns/secalg.h>
#include <dns/secproto.h>

/*
 * Evaluate 'x' once and return its result from the enclosing function
 * if it is anything other than ISC_R_SUCCESS.
 */
#define RETERR(x) \
	do { \
		isc_result_t _r = (x); \
		if (_r != ISC_R_SUCCESS) \
			return ((_r)); \
	} while (0)

/*
 * Largest textual representation of a 32-bit value that the numeric
 * parser is willing to copy: 2^32-1 written in octal, plus the NUL.
 * Anything longer is rejected before it is copied.
 */
#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */

/*
 * Table-entry flag: the name is produced by the totext conversions but
 * is never accepted by the fromtext parsers (used for the RESERVEDnn
 * rcode names below).
 */
#define TOTEXTONLY 0x01

/*
 * Table entries are { value, name, flags }.  RCODENAMES has no
 * terminating { 0, NULL, 0 } entry of its own: it is always combined
 * with ERCODENAMES or TSIGRCODENAMES, which supply the sentinel.
 */
#define RCODENAMES \
	/* standard rcodes */ \
	{ dns_rcode_noerror, "NOERROR", 0 }, \
	{ dns_rcode_formerr, "FORMERR", 0 }, \
	{ dns_rcode_servfail, "SERVFAIL", 0 }, \
	{ dns_rcode_nxdomain, "NXDOMAIN", 0 }, \
	{ dns_rcode_notimp, "NOTIMP", 0 }, \
	{ dns_rcode_refused, "REFUSED", 0 }, \
	{ dns_rcode_yxdomain, "YXDOMAIN", 0 }, \
	{ dns_rcode_yxrrset, "YXRRSET", 0 }, \
	{ dns_rcode_nxrrset, "NXRRSET", 0 }, \
	{ dns_rcode_notauth, "NOTAUTH", 0 }, \
	{ dns_rcode_notzone, "NOTZONE", 0 }, \
	{ 11, "RESERVED11", TOTEXTONLY }, \
	{ 12, "RESERVED12", TOTEXTONLY }, \
	{ 13, "RESERVED13", TOTEXTONLY }, \
	{ 14, "RESERVED14", TOTEXTONLY }, \
	{ 15, "RESERVED15", TOTEXTONLY },

/* Extended (EDNS) rcodes; terminates the rcodes[] table. */
#define ERCODENAMES \
	/* extended rcodes */ \
	{ dns_rcode_badvers, "BADVERS", 0 }, \
	{ dns_rcode_badcookie, "BADCOOKIE", 0 }, { 0, NULL, 0 }

/* TSIG error codes; terminates the tsigrcodes[] table. */
#define TSIGRCODENAMES \
	/* extended rcodes */ \
	{ dns_tsigerror_badsig, "BADSIG", 0 }, \
	{ dns_tsigerror_badkey, "BADKEY", 0 }, \
	{ dns_tsigerror_badtime, "BADTIME", 0 }, \
	{ dns_tsigerror_badmode, "BADMODE", 0 }, \
	{ dns_tsigerror_badname, "BADNAME", 0 }, \
	{ dns_tsigerror_badalg, "BADALG", 0 }, \
	{ dns_tsigerror_badtrunc, "BADTRUNC", 0 }, { 0, NULL, 0 }

/* RFC4398 section 2.1 */

#define CERTNAMES \
	{ 1, "PKIX", 0 }, { 2, "SPKI", 0 }, { 3, "PGP", 0 }, \
	{ 4, "IPKIX", 0 }, { 5, "ISPKI", 0 }, { 6, "IPGP", 0 }, \
	{ 7, "ACPKIX", 0 }, { 8, "IACPKIX", 0 }, { 253, "URI", 0 }, \
	{ 254, "OID", 0 }, { 0, NULL, 0 }

/* RFC2535 section 7, RFC3110 */

/*
 * Several algorithms are listed twice under different names
 * (ECDSAP256SHA256/ECDSA256, ECDSAP384SHA384/ECDSA384); both spellings
 * parse, and the first one listed is the one printed.
 */
#define SECALGNAMES \
	{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
	{ DNS_KEYALG_DH_DEPRECATED, "DH", 0 }, \
	{ DNS_KEYALG_DSA, "DSA", 0 }, \
	{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
	{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
	{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
	{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
	{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
	{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
	{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
	{ DNS_KEYALG_ECDSA256, "ECDSA256", 0 }, \
	{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
	{ DNS_KEYALG_ECDSA384, "ECDSA384", 0 }, \
	{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
	{ DNS_KEYALG_ED448, "ED448", 0 }, \
	{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
	{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
	{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, { 0, NULL, 0 }

/* RFC2535 section 7.1 */

#define SECPROTONAMES \
	{ 0, "NONE", 0 }, { 1, "TLS", 0 }, { 2, "EMAIL", 0 }, \
	{ 3, "DNSSEC", 0 }, { 4, "IPSEC", 0 }, { 255, "ALL", 0 }, \
	{ 0, NULL, 0 }
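#define HASHALGNAMES { 1, "SHA-1", 0 }, { 0, NULL, 0 }

/* RFC3658, RFC4509, RFC5933, RFC6605 */

#define DSDIGESTNAMES \
	{ DNS_DSDIGEST_SHA1, "SHA-1", 0 }, { DNS_DSDIGEST_SHA1, "SHA1", 0 }, \
	{ DNS_DSDIGEST_SHA256, "SHA-256", 0 }, \
	{ DNS_DSDIGEST_SHA256, "SHA256", 0 }, \
	{ DNS_DSDIGEST_GOST, "GOST", 0 }, \
	{ DNS_DSDIGEST_SHA384, "SHA-384", 0 }, \
	{ DNS_DSDIGEST_SHA384, "SHA384", 0 }, { 0, NULL, 0 }

/*
 * One entry of a value <-> mnemonic table.  Every table ends with an
 * entry whose name is NULL.  Several names may share one value (for
 * example "SHA-1" and "SHA1" above); the totext direction returns the
 * first one listed.
 */
struct tbl {
	unsigned int value;
	const char *name;
	int flags; /* TOTEXTONLY: printed by totext, rejected by fromtext */
};

static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
static struct tbl certs[] = { CERTNAMES };
static struct tbl secalgs[] = { SECALGNAMES };
static struct tbl secprotos[] = { SECPROTONAMES };
static struct tbl hashalgs[] = { HASHALGNAMES };
static struct tbl dsdigests[] = { DSDIGESTNAMES };

/*
 * Symbolic key flag names accepted by dns_keyflags_fromtext().  'value'
 * is ORed into the result.  'mask' identifies the bit field the flag
 * occupies; it is only consulted by the overlap warning that is
 * currently compiled out (#ifdef notyet).  Terminated by a NULL name.
 */
static struct keyflag {
	const char *name;
	unsigned int value;
	unsigned int mask;
} keyflags[] = { { "NOCONF", 0x4000, 0xC000 },
		 { "NOAUTH", 0x8000, 0xC000 },
		 { "NOKEY", 0xC000, 0xC000 },
		 { "FLAG2", 0x2000, 0x2000 },
		 { "EXTEND", 0x1000, 0x1000 },
		 { "FLAG4", 0x0800, 0x0800 },
		 { "FLAG5", 0x0400, 0x0400 },
		 { "USER", 0x0000, 0x0300 },
		 { "ZONE", 0x0100, 0x0300 },
		 { "HOST", 0x0200, 0x0300 },
		 { "NTYP3", 0x0300, 0x0300 },
		 { "FLAG8", 0x0080, 0x0080 },
		 { "FLAG9", 0x0040, 0x0040 },
		 { "FLAG10", 0x0020, 0x0020 },
		 { "FLAG11", 0x0010, 0x0010 },
		 { "SIG0", 0x0000, 0x000F },
		 { "SIG1", 0x0001, 0x000F },
		 { "SIG2", 0x0002, 0x000F },
		 { "SIG3", 0x0003, 0x000F },
		 { "SIG4", 0x0004, 0x000F },
		 { "SIG5", 0x0005, 0x000F },
		 { "SIG6", 0x0006, 0x000F },
		 { "SIG7", 0x0007, 0x000F },
		 { "SIG8", 0x0008, 0x000F },
		 { "SIG9", 0x0009, 0x000F },
		 { "SIG10", 0x000A, 0x000F },
		 { "SIG11", 0x000B, 0x000F },
		 { "SIG12", 0x000C, 0x000F },
		 { "SIG13", 0x000D, 0x000F },
		 { "SIG14", 0x000E, 0x000F },
		 { "SIG15", 0x000F, 0x000F },
		 { "KSK", DNS_KEYFLAG_KSK, DNS_KEYFLAG_KSK },
		 { NULL, 0, 0 } };

/*
 * Append the NUL-terminated string 'source' (without its terminator) to
 * 'target'.  Returns ISC_R_NOSPACE, leaving 'target' untouched, when the
 * string does not fit in the buffer's available region.
 */
static isc_result_t
str_totext(const char *source, isc_buffer_t *target) {
	unsigned int l;
	isc_region_t region;

	isc_buffer_availableregion(target, &region);
	l = strlen(source);

	if (l > region.length) {
		return ISC_R_NOSPACE;
	}

	memmove(region.base, source, l);
	isc_buffer_add(target, l);
	return ISC_R_SUCCESS;
}

/*
 * Try to read 'source' as an unsigned number no larger than 'max'.
 * Decimal is always tried; hexadecimal is tried as a fallback when
 * 'hex_allowed' is set.
 *
 * Returns ISC_R_BADNUMBER when 'source' does not look like a number at
 * all (no leading digit, or longer than NUMBERSIZE - 1 characters) so
 * that callers can fall back to a mnemonic lookup; ISC_R_RANGE when the
 * value parses but exceeds 'max'; other isc_parse_uint32() failures
 * unchanged.  On success the value is stored in '*valuep'.
 */
static isc_result_t
maybe_numeric(unsigned int *valuep, isc_textregion_t *source, unsigned int max,
	      bool hex_allowed) {
	isc_result_t result;
	uint32_t n;
	char buffer[NUMBERSIZE];
	int v;

	if (!isdigit((unsigned char)source->base[0]) ||
	    source->length > NUMBERSIZE - 1)
	{
		return ISC_R_BADNUMBER;
	}

	/*
	 * We have a potential number.  Try to parse it with
	 * isc_parse_uint32().  isc_parse_uint32() requires
	 * null termination, so we must make a copy.
	 */
	v = snprintf(buffer, sizeof(buffer), "%.*s", (int)source->length,
		     source->base);
	if (v < 0 || (unsigned int)v != source->length) {
		return ISC_R_BADNUMBER;
	}
	INSIST(buffer[source->length] == '\0');

	result = isc_parse_uint32(&n, buffer, 10);
	if (result == ISC_R_BADNUMBER && hex_allowed) {
		result = isc_parse_uint32(&n, buffer, 16);
	}
	if (result != ISC_R_SUCCESS) {
		return result;
	}
	if (n > max) {
		return ISC_R_RANGE;
	}
	*valuep = n;
	return ISC_R_SUCCESS;
}

/*
 * Convert 'source' to a value using 'table'.  A numeric form (decimal
 * only, at most 'max') is accepted first; otherwise the text must be a
 * case-insensitive, whole-length match for a table name that is not
 * marked TOTEXTONLY.  Returns DNS_R_UNKNOWN when nothing matches.
 */
static isc_result_t
dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
		      struct tbl *table, unsigned int max) {
	isc_result_t result;
	int i;

	result = maybe_numeric(valuep, source, max, false);
	if (result != ISC_R_BADNUMBER) {
		return result;
	}

	for (i = 0; table[i].name != NULL; i++) {
		unsigned int n;
		n = strlen(table[i].name);
		if (n == source->length && (table[i].flags & TOTEXTONLY) == 0 &&
		    strncasecmp(source->base, table[i].name, n) == 0)
		{
			*valuep = table[i].value;
			return ISC_R_SUCCESS;
		}
	}
	return DNS_R_UNKNOWN;
}

/*
 * Append the first table name whose value equals 'value' to 'target';
 * if there is none, append the value in decimal instead.
 */
static isc_result_t
dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
		    struct tbl *table) {
	int i = 0;
	char buf[sizeof("4294967296")]; /* room for any %u plus NUL */
	while (table[i].name != NULL) {
		if (table[i].value == value) {
			return str_totext(table[i].name, target);
		}
		i++;
	}
	snprintf(buf, sizeof(buf), "%u", value);
	return str_totext(buf, target);
}

/* Parse a response code (name or number up to 0xffff). */
isc_result_t
dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
	unsigned int value;
	RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff));
	*rcodep = value;
	return ISC_R_SUCCESS;
}

/* Print a response code by name, or in decimal if it has none. */
isc_result_t
dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
	return dns_mnemonic_totext(rcode, target, rcodes);
}

/* Parse a TSIG error code (standard rcode names plus BADSIG et al.). */
isc_result_t
dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
	unsigned int value;
	RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff));
	*rcodep = value;
	return ISC_R_SUCCESS;
}

/* Print a TSIG error code by name, or in decimal if it has none. */
isc_result_t
dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
	return dns_mnemonic_totext(rcode, target, tsigrcodes);
}

/* Parse a CERT type (RFC4398 mnemonic or number up to 0xffff). */
isc_result_t
dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) {
	unsigned int value;
	RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff));
	*certp = value;
	return ISC_R_SUCCESS;
}

/* Print a CERT type by mnemonic, or in decimal if it has none. */
isc_result_t
dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
	return dns_mnemonic_totext(cert, target, certs);
}

/* Parse a DNSSEC algorithm (mnemonic or number up to 0xff). */
isc_result_t
dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
	unsigned int value;
	RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
	*secalgp = value;
	return ISC_R_SUCCESS;
}

/* Print a DNSSEC algorithm by mnemonic, or in decimal if it has none. */
isc_result_t
dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
	return dns_mnemonic_totext(secalg, target, secalgs);
}

/*
 * Format 'alg' into the caller-supplied array 'cp' of 'size' bytes.
 * At most size - 1 bytes of text are written, always followed by a NUL;
 * if the text does not fit, 'cp' is set to the empty string.
 */
void
dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size) {
	isc_buffer_t b;
	isc_region_t r;
	isc_result_t result;

	REQUIRE(cp != NULL && size > 0);
	isc_buffer_init(&b, cp, size - 1); /* reserve one byte for the NUL */
	result = dns_secalg_totext(alg, &b);
	isc_buffer_usedregion(&b, &r);
	r.base[r.length] = 0;
	if (result != ISC_R_SUCCESS) {
		r.base[0] = 0;
	}
}

/* Parse a KEY protocol value (RFC2535 mnemonic or number up to 0xff). */
isc_result_t
dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
	unsigned int value;
	RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff));
	*secprotop = value;
	return ISC_R_SUCCESS;
}

/* Print a KEY protocol value by mnemonic, or in decimal if it has none. */
isc_result_t
dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) {
	return dns_mnemonic_totext(secproto, target, secprotos);
}

/* Parse a hash algorithm ("SHA-1" or a number up to 0xff). */
isc_result_t
dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source) {
	unsigned int value;
	RETERR(dns_mnemonic_fromtext(&value, source, hashalgs, 0xff));
	*hashalg = value;
	return ISC_R_SUCCESS;
}

/*
 * Parse key flags given either as a single number (decimal or hex, at
 * most 0xffff) or as a '|'-separated list of the names in keyflags[],
 * whose values are ORed together.  Names are matched
 * case-insensitively and each token must equal a whole name; an
 * unknown or empty token yields DNS_R_UNKNOWNFLAG.
 */
isc_result_t
dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source) {
	isc_result_t result;
	char *text, *end;
	unsigned int value = 0;
#ifdef notyet
	unsigned int mask = 0;
#endif /* ifdef notyet */

	result = maybe_numeric(&value, source, 0xffff, true);
	if (result == ISC_R_SUCCESS) {
		*flagsp = value;
		return ISC_R_SUCCESS;
	}
	if (result != ISC_R_BADNUMBER) {
		return result;
	}

	text = source->base;
	end = source->base + source->length;

	while (text < end) {
		struct keyflag *p;
		unsigned int len;
		char *delim = memchr(text, '|', end - text);
		if (delim != NULL) {
			len = (unsigned int)(delim - text);
		} else {
			len = (unsigned int)(end - text);
		}
		for (p = keyflags; p->name != NULL; p++) {
			/*
			 * The token must equal the whole name.  Comparing
			 * only 'len' bytes would let an empty token (a
			 * leading or doubled '|') or a bare prefix such as
			 * "NO" silently select the first entry that starts
			 * with it.
			 */
			if (strlen(p->name) == len &&
			    strncasecmp(p->name, text, len) == 0)
			{
				break;
			}
		}
		if (p->name == NULL) {
			return DNS_R_UNKNOWNFLAG;
		}
		value |= p->value;
#ifdef notyet
		if ((mask & p->mask) != 0) {
			warn("overlapping key flags");
		}
		mask |= p->mask;
#endif /* ifdef notyet */
		text += len;
		if (delim != NULL) {
			text++; /* Skip "|" */
		}
	}
	*flagsp = value;
	return ISC_R_SUCCESS;
}

/* Parse a DS digest type (mnemonic or number up to 0xff). */
isc_result_t
dns_dsdigest_fromtext(dns_dsdigest_t *dsdigestp, isc_textregion_t *source) {
	unsigned int value;
	RETERR(dns_mnemonic_fromtext(&value, source, dsdigests, 0xff));
	*dsdigestp = value;
	return ISC_R_SUCCESS;
}

/* Print a DS digest type by mnemonic, or in decimal if it has none. */
isc_result_t
dns_dsdigest_totext(dns_dsdigest_t dsdigest, isc_buffer_t *target) {
	return dns_mnemonic_totext(dsdigest, target, dsdigests);
}

/*
 * Format 'typ' into the caller-supplied array 'cp' of 'size' bytes.
 * At most size - 1 bytes of text are written, always followed by a NUL;
 * if the text does not fit, 'cp' is set to the empty string.
 */
void
dns_dsdigest_format(dns_dsdigest_t typ, char *cp, unsigned int size) {
	isc_buffer_t b;
	isc_region_t r;
	isc_result_t result;

	REQUIRE(cp != NULL && size > 0);
	isc_buffer_init(&b, cp, size - 1); /* reserve one byte for the NUL */
	result = dns_dsdigest_totext(typ, &b);
	isc_buffer_usedregion(&b, &r);
	r.base[r.length] = 0;
	if (result != ISC_R_SUCCESS) {
		r.base[0] = 0;
	}
}

/*
 * This uses lots of hard coded values, but how often do we actually
 * add classes?
 *
 * Accepts the class mnemonics (case-insensitively, whole token only)
 * and the generic "CLASSnnnnn" form with a decimal value up to 65535.
 * Returns DNS_R_UNKNOWN for anything else.
 */
isc_result_t
dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
#define COMPARE(string, rdclass) \
	if (((sizeof(string) - 1) == source->length) && \
	    (strncasecmp(source->base, string, source->length) == 0)) \
	{ \
		*classp = rdclass; \
		return (ISC_R_SUCCESS); \
	}

	switch (isc_ascii_tolower(source->base[0])) {
	case 'a':
		COMPARE("any", dns_rdataclass_any);
		break;
	case 'c':
		/*
		 * RFC1035 says the mnemonic for the CHAOS class is CH,
		 * but historical BIND practice is to call it CHAOS.
		 * We will accept both forms, but only generate CH.
		 */
		COMPARE("ch", dns_rdataclass_chaos);
		COMPARE("chaos", dns_rdataclass_chaos);

		/*
		 * "CLASS" must be followed by one to five digits.  The
		 * explicit digit check matters because strtoul() on its
		 * own also accepts leading whitespace and a sign.
		 */
		if (source->length > 5 &&
		    source->length < (5 + sizeof("65000")) &&
		    strncasecmp("class", source->base, 5) == 0 &&
		    isdigit((unsigned char)source->base[5]))
		{
			char buf[sizeof("65000")];
			char *endp;
			unsigned int val;

			/*
			 * source->base is not required to be NUL terminated.
			 * Copy up to remaining bytes and NUL terminate.
			 */
			snprintf(buf, sizeof(buf), "%.*s",
				 (int)(source->length - 5), source->base + 5);
			val = strtoul(buf, &endp, 10);
			if (*endp == '\0' && val <= 0xffff) {
				*classp = (dns_rdataclass_t)val;
				return ISC_R_SUCCESS;
			}
		}
		break;
	case 'h':
		COMPARE("hs", dns_rdataclass_hs);
		COMPARE("hesiod", dns_rdataclass_hs);
		break;
	case 'i':
		COMPARE("in", dns_rdataclass_in);
		break;
	case 'n':
		COMPARE("none", dns_rdataclass_none);
		break;
	case 'r':
		COMPARE("reserved0", dns_rdataclass_reserved0);
		break;
	}

#undef COMPARE

	return DNS_R_UNKNOWN;
}

/*
 * Append the mnemonic for 'rdclass' to 'target'; classes without one
 * are written in the generic "CLASSnnnnn" form.
 */
isc_result_t
dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
	switch (rdclass) {
	case dns_rdataclass_any:
		return str_totext("ANY", target);
	case dns_rdataclass_chaos:
		return str_totext("CH", target);
	case dns_rdataclass_hs:
		return str_totext("HS", target);
	case dns_rdataclass_in:
		return str_totext("IN", target);
	case dns_rdataclass_none:
		return str_totext("NONE", target);
	case dns_rdataclass_reserved0:
		return str_totext("RESERVED0", target);
	default:
		return dns_rdataclass_tounknowntext(rdclass, target);
	}
}

/* Append 'rdclass' to 'target' in the generic "CLASSnnnnn" form. */
isc_result_t
dns_rdataclass_tounknowntext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
	char buf[sizeof("CLASS65535")];

	snprintf(buf, sizeof(buf), "CLASS%u", rdclass);
	return str_totext(buf, target);
}

/*
 * Format 'rdclass' as a NUL-terminated string into 'array' of 'size'
 * bytes.  If the text and its terminator do not fit, 'array' receives
 * "<unknown>" (truncated to 'size').  A zero 'size' writes nothing.
 */
void
dns_rdataclass_format(dns_rdataclass_t rdclass, char *array,
		      unsigned int size) {
	isc_result_t result;
	isc_buffer_t buf;

	if (size == 0U) {
		return;
	}

	isc_buffer_init(&buf, array, size);
	result = dns_rdataclass_totext(rdclass, &buf);
	/*
	 * Null terminate.
	 */
	if (result == ISC_R_SUCCESS) {
		if (isc_buffer_availablelength(&buf) >= 1) {
			isc_buffer_putuint8(&buf, 0);
		} else {
			result = ISC_R_NOSPACE;
		}
	}
	if (result != ISC_R_SUCCESS) {
		strlcpy(array, "<unknown>", size);
	}
}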