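/* $NetBSD: rcode.c,v 1.12 2023/01/25 21:43:30 christos Exp $ */

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

/*
 * Text <-> number conversion for small DNS enumerations: rcodes, TSIG
 * error codes, CERT types, DNSKEY algorithms/protocols/flags, DS digest
 * types and rdata classes.
 *
 * Every fromtext() parser takes an isc_textregion_t whose base is not
 * required to be NUL-terminated.  All reads are therefore bounded by
 * source->length, and numeric text is first copied into a NUL-terminated
 * scratch buffer before a strto*-style parser is allowed to see it.
 */

#include <ctype.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>

#include <isc/buffer.h>
#include <isc/parseint.h>
#include <isc/print.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/stdio.h>
#include <isc/string.h>
#include <isc/types.h>
#include <isc/util.h>

#include <pk11/site.h>

#include <dns/cert.h>
#include <dns/ds.h>
#include <dns/dsdigest.h>
#include <dns/keyflags.h>
#include <dns/keyvalues.h>
#include <dns/rcode.h>
#include <dns/rdataclass.h>
#include <dns/result.h>
#include <dns/secalg.h>
#include <dns/secproto.h>

/* Return from the enclosing function with the result of (x) unless it succeeded. */
#define RETERR(x)                        \
	do {                             \
		isc_result_t _r = (x);   \
		if (_r != ISC_R_SUCCESS) \
			return ((_r));   \
	} while (0)

/* Longest textual uint32_t accepted by maybe_numeric(), plus the NUL. */
#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */

/*
 * Table entry flag: the name is produced by dns_mnemonic_totext() but is
 * not accepted as input by dns_mnemonic_fromtext().
 */
#define TOTEXTONLY 0x01

#define RCODENAMES                                \
	/* standard rcodes */                     \
	{ dns_rcode_noerror, "NOERROR", 0 },      \
		{ dns_rcode_formerr, "FORMERR", 0 },   \
		{ dns_rcode_servfail, "SERVFAIL", 0 }, \
		{ dns_rcode_nxdomain, "NXDOMAIN", 0 }, \
		{ dns_rcode_notimp, "NOTIMP", 0 },     \
		{ dns_rcode_refused, "REFUSED", 0 },   \
		{ dns_rcode_yxdomain, "YXDOMAIN", 0 }, \
		{ dns_rcode_yxrrset, "YXRRSET", 0 },   \
		{ dns_rcode_nxrrset, "NXRRSET", 0 },   \
		{ dns_rcode_notauth, "NOTAUTH", 0 },   \
		{ dns_rcode_notzone, "NOTZONE", 0 },   \
		{ 11, "RESERVED11", TOTEXTONLY },      \
		{ 12, "RESERVED12", TOTEXTONLY },      \
		{ 13, "RESERVED13", TOTEXTONLY },      \
		{ 14, "RESERVED14", TOTEXTONLY },      \
		{ 15, "RESERVED15", TOTEXTONLY },

#define ERCODENAMES                                   \
	/* extended rcodes */                         \
	{ dns_rcode_badvers, "BADVERS", 0 },          \
		{ dns_rcode_badcookie, "BADCOOKIE", 0 }, { \
			0, NULL, 0                              \
		}

#define TSIGRCODENAMES                                    \
	/* extended rcodes */                             \
	{ dns_tsigerror_badsig, "BADSIG", 0 },            \
		{ dns_tsigerror_badkey, "BADKEY", 0 },         \
		{ dns_tsigerror_badtime, "BADTIME", 0 },       \
		{ dns_tsigerror_badmode, "BADMODE", 0 },       \
		{ dns_tsigerror_badname, "BADNAME", 0 },       \
		{ dns_tsigerror_badalg, "BADALG", 0 },         \
		{ dns_tsigerror_badtrunc, "BADTRUNC", 0 }, {   \
			0, NULL, 0                                  \
		}

/* RFC4398 section 2.1 */

#define CERTNAMES                                                      \
	{ 1, "PKIX", 0 }, { 2, "SPKI", 0 }, { 3, "PGP", 0 },           \
		{ 4, "IPKIX", 0 }, { 5, "ISPKI", 0 }, { 6, "IPGP", 0 },     \
		{ 7, "ACPKIX", 0 }, { 8, "IACPKIX", 0 }, { 253, "URI", 0 }, \
		{ 254, "OID", 0 }, {                                        \
			0, NULL, 0                                              \
		}

/* RFC2535 section 7, RFC3110 */

/*
 * Where an algorithm has two spellings (e.g. ECDSAP256SHA256/ECDSA256) the
 * first entry is the one totext() emits, because the lookup stops at the
 * first matching value.
 */
#define SECALGNAMES                                                       \
	{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, { DNS_KEYALG_DH, "DH", 0 },    \
		{ DNS_KEYALG_DSA, "DSA", 0 },                                  \
		{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 },                          \
		{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 },                        \
		{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 },                \
		{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 },                      \
		{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 },                      \
		{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 },                          \
		{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 },                 \
		{ DNS_KEYALG_ECDSA256, "ECDSA256", 0 },                        \
		{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 },                 \
		{ DNS_KEYALG_ECDSA384, "ECDSA384", 0 },                        \
		{ DNS_KEYALG_ED25519, "ED25519", 0 },                          \
		{ DNS_KEYALG_ED448, "ED448", 0 },                              \
		{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 },                        \
		{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 },                    \
		{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, {                  \
			0, NULL, 0                                                 \
		}

/* RFC2535 section 7.1 */

#define SECPROTONAMES                                                 \
	{ 0, "NONE", 0 }, { 1, "TLS", 0 }, { 2, "EMAIL", 0 },         \
		{ 3, "DNSSEC", 0 }, { 4, "IPSEC", 0 }, { 255, "ALL", 0 }, { \
			0, NULL, 0                                             \
		}

#define HASHALGNAMES \
	{ 1, "SHA-1", 0 }, { 0, NULL, 0 }

/* RFC3658, RFC4509, RFC5933, RFC6605 */

/* As with SECALGNAMES, the first spelling of each digest is the one emitted. */
#define DSDIGESTNAMES                                                      \
	{ DNS_DSDIGEST_SHA1, "SHA-1", 0 }, { DNS_DSDIGEST_SHA1, "SHA1", 0 },   \
		{ DNS_DSDIGEST_SHA256, "SHA-256", 0 },                          \
		{ DNS_DSDIGEST_SHA256, "SHA256", 0 },                           \
		{ DNS_DSDIGEST_GOST, "GOST", 0 },                               \
		{ DNS_DSDIGEST_SHA384, "SHA-384", 0 },                          \
		{ DNS_DSDIGEST_SHA384, "SHA384", 0 }, {                         \
			0, NULL, 0                                                  \
		}

/*
 * One row of a mnemonic table.  Tables are terminated by a row whose
 * name is NULL.
 */
struct tbl {
	unsigned int value; /* wire value */
	const char *name;   /* mnemonic, matched case-insensitively */
	int flags;	    /* 0 or TOTEXTONLY */
};

static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
static struct tbl certs[] = { CERTNAMES };
static struct tbl secalgs[] = { SECALGNAMES };
static struct tbl secprotos[] = { SECPROTONAMES };
static struct tbl hashalgs[] = { HASHALGNAMES };
static struct tbl dsdigests[] = { DSDIGESTNAMES };

/*
 * DNSKEY/KEY flag mnemonics.  'value' is OR-ed into the parsed flags;
 * 'mask' is currently only used by the #ifdef notyet overlap check in
 * dns_keyflags_fromtext().  Terminated by a NULL name.
 */
static struct keyflag {
	const char *name;
	unsigned int value;
	unsigned int mask;
} keyflags[] = { { "NOCONF", 0x4000, 0xC000 },
		 { "NOAUTH", 0x8000, 0xC000 },
		 { "NOKEY", 0xC000, 0xC000 },
		 { "FLAG2", 0x2000, 0x2000 },
		 { "EXTEND", 0x1000, 0x1000 },
		 { "FLAG4", 0x0800, 0x0800 },
		 { "FLAG5", 0x0400, 0x0400 },
		 { "USER", 0x0000, 0x0300 },
		 { "ZONE", 0x0100, 0x0300 },
		 { "HOST", 0x0200, 0x0300 },
		 { "NTYP3", 0x0300, 0x0300 },
		 { "FLAG8", 0x0080, 0x0080 },
		 { "FLAG9", 0x0040, 0x0040 },
		 { "FLAG10", 0x0020, 0x0020 },
		 { "FLAG11", 0x0010, 0x0010 },
		 { "SIG0", 0x0000, 0x000F },
		 { "SIG1", 0x0001, 0x000F },
		 { "SIG2", 0x0002, 0x000F },
		 { "SIG3", 0x0003, 0x000F },
		 { "SIG4", 0x0004, 0x000F },
		 { "SIG5", 0x0005, 0x000F },
		 { "SIG6", 0x0006, 0x000F },
		 { "SIG7", 0x0007, 0x000F },
		 { "SIG8", 0x0008, 0x000F },
		 { "SIG9", 0x0009, 0x000F },
		 { "SIG10", 0x000A, 0x000F },
		 { "SIG11", 0x000B, 0x000F },
		 { "SIG12", 0x000C, 0x000F },
		 { "SIG13", 0x000D, 0x000F },
		 { "SIG14", 0x000E, 0x000F },
		 { "SIG15", 0x000F, 0x000F },
		 { "KSK", DNS_KEYFLAG_KSK, DNS_KEYFLAG_KSK },
		 { NULL, 0, 0 } };

/*
 * Append the NUL-terminated string 'source' (without its terminator) to
 * 'target'.  Returns ISC_R_NOSPACE, leaving 'target' untouched, if the
 * string does not fit in the buffer's available region.
 */
static isc_result_t
str_totext(const char *source, isc_buffer_t *target) {
	unsigned int l;
	isc_region_t region;

	isc_buffer_availableregion(target, &region);
	l = strlen(source);

	if (l > region.length) {
		return (ISC_R_NOSPACE);
	}

	memmove(region.base, source, l);
	isc_buffer_add(target, l);
	return (ISC_R_SUCCESS);
}

/*
 * Try to interpret 'source' as a number in the range [0, max].
 *
 * Returns ISC_R_BADNUMBER when the text does not look like a number (callers
 * then fall back to a mnemonic lookup), ISC_R_RANGE when it parses but is
 * larger than 'max', and ISC_R_SUCCESS with *valuep set otherwise.  Base 16
 * is tried as a second chance only when 'hex_allowed' is true.
 */
static isc_result_t
maybe_numeric(unsigned int *valuep, isc_textregion_t *source, unsigned int max,
	      bool hex_allowed) {
	isc_result_t result;
	uint32_t n;
	char buffer[NUMBERSIZE];
	int v;

	/*
	 * An empty region is not a number; check the length first so that
	 * source->base[0] is never read for a zero-length region.  Anything
	 * longer than the largest uint32_t cannot be in range either.
	 */
	if (source->length == 0 || source->length > NUMBERSIZE - 1 ||
	    !isdigit((unsigned char)source->base[0]))
	{
		return (ISC_R_BADNUMBER);
	}

	/*
	 * We have a potential number. Try to parse it with
	 * isc_parse_uint32(). isc_parse_uint32() requires
	 * null termination, so we must make a copy.
	 */
	v = snprintf(buffer, sizeof(buffer), "%.*s", (int)source->length,
		     source->base);
	if (v < 0 || (unsigned)v != source->length) {
		return (ISC_R_BADNUMBER);
	}
	INSIST(buffer[source->length] == '\0');

	result = isc_parse_uint32(&n, buffer, 10);
	if (result == ISC_R_BADNUMBER && hex_allowed) {
		result = isc_parse_uint32(&n, buffer, 16);
	}
	if (result != ISC_R_SUCCESS) {
		return (result);
	}
	if (n > max) {
		return (ISC_R_RANGE);
	}
	*valuep = n;
	return (ISC_R_SUCCESS);
}

/*
 * Convert 'source' to a value using 'table': a decimal number no larger than
 * 'max' is accepted directly, otherwise the text must match a table entry
 * exactly (same length, case-insensitive) that is not TOTEXTONLY.
 *
 * Returns ISC_R_RANGE for an out-of-range number and DNS_R_UNKNOWN when
 * nothing matches.
 */
static isc_result_t
dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
		      struct tbl *table, unsigned int max) {
	isc_result_t result;
	size_t i;

	result = maybe_numeric(valuep, source, max, false);
	if (result != ISC_R_BADNUMBER) {
		return (result);
	}

	for (i = 0; table[i].name != NULL; i++) {
		/* Length must match too, so a prefix never matches. */
		size_t n = strlen(table[i].name);
		if (n == source->length && (table[i].flags & TOTEXTONLY) == 0 &&
		    strncasecmp(source->base, table[i].name, n) == 0)
		{
			*valuep = table[i].value;
			return (ISC_R_SUCCESS);
		}
	}
	return (DNS_R_UNKNOWN);
}

/*
 * Append the mnemonic for 'value' from 'table' to 'target', or the value in
 * decimal if the table has no entry for it.  The first entry with a matching
 * value wins, which is what makes the alias ordering in the tables matter.
 */
static isc_result_t
dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
		    struct tbl *table) {
	size_t i = 0;
	char buf[sizeof("4294967296")]; /* room for any unsigned int + NUL */

	while (table[i].name != NULL) {
		if (table[i].value == value) {
			return (str_totext(table[i].name, target));
		}
		i++;
	}
	snprintf(buf, sizeof(buf), "%u", value);
	return (str_totext(buf, target));
}

/*
 * Parse an rcode mnemonic or number (at most 0xffff) into *rcodep.
 */
isc_result_t
dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
	unsigned int value;
	RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff));
	*rcodep = value;
	return (ISC_R_SUCCESS);
}

/*
 * Append the mnemonic (or decimal value) of 'rcode' to 'target'.
 */
isc_result_t
dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
	return (dns_mnemonic_totext(rcode, target, rcodes));
}

/*
 * Parse a TSIG error code mnemonic or number (at most 0xffff) into *rcodep.
 * The TSIG table accepts the standard rcode names as well as the BAD* ones.
 */
isc_result_t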
dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
	unsigned int parsed;
	isc_result_t result;

	/* tsigrcodes[] holds the standard rcode names plus the TSIG BAD* codes. */
	result = dns_mnemonic_fromtext(&parsed, source, tsigrcodes, 0xffff);
	if (result == ISC_R_SUCCESS) {
		*rcodep = parsed;
	}
	return (result);
}

/*
 * Append the mnemonic (or decimal value) of the TSIG error code 'rcode'.
 */
isc_result_t
dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
	isc_result_t result = dns_mnemonic_totext(rcode, target, tsigrcodes);
	return (result);
}

/*
 * Parse a CERT type mnemonic (RFC4398) or number no larger than 0xffff
 * into *certp.
 */
isc_result_t
dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) {
	unsigned int parsed;
	isc_result_t result;

	result = dns_mnemonic_fromtext(&parsed, source, certs, 0xffff);
	if (result == ISC_R_SUCCESS) {
		*certp = parsed;
	}
	return (result);
}

/*
 * Append the mnemonic (or decimal value) of the CERT type 'cert'.
 */
isc_result_t
dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
	isc_result_t result = dns_mnemonic_totext(cert, target, certs);
	return (result);
}

/*
 * Parse a DNSSEC algorithm mnemonic or number no larger than 0xff
 * into *secalgp.
 */
isc_result_t
dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
	unsigned int parsed;
	isc_result_t result;

	result = dns_mnemonic_fromtext(&parsed, source, secalgs, 0xff);
	if (result == ISC_R_SUCCESS) {
		*secalgp = parsed;
	}
	return (result);
}

/*
 * Append the mnemonic (or decimal value) of the algorithm 'secalg'.
 */
isc_result_t
dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
	isc_result_t result = dns_mnemonic_totext(secalg, target, secalgs);
	return (result);
}

/*
 * Format 'alg' as a NUL-terminated string into the caller's array 'cp' of
 * 'size' bytes.  If the text does not fit, 'cp' is set to the empty string
 * rather than a truncated mnemonic.
 */
void
dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size) {
	isc_buffer_t text;
	isc_region_t used;
	isc_result_t result;

	REQUIRE(cp != NULL && size > 0);

	/* Leave the final byte of 'cp' free for the terminator. */
	isc_buffer_init(&text, cp, size - 1);
	result = dns_secalg_totext(alg, &text);
	isc_buffer_usedregion(&text, &used);
	used.base[used.length] = 0;
	if (result != ISC_R_SUCCESS) {
		used.base[0] = 0;
	}
}

/*
 * Parse a KEY protocol mnemonic (RFC2535 section 7.1) or number no larger
 * than 0xff into *secprotop.
 */
isc_result_t
dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
	unsigned int parsed;
	isc_result_t result;

	result = dns_mnemonic_fromtext(&parsed, source, secprotos, 0xff);
	if (result == ISC_R_SUCCESS) {
		*secprotop = parsed;
	}
	return (result);
}

/*
 * Append the mnemonic (or decimal value) of the protocol 'secproto'.
 */
isc_result_t
dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) {
	isc_result_t result = dns_mnemonic_totext(secproto, target, secprotos);
	return (result);
}

/*
 * Parse a hash algorithm mnemonic or number no larger than 0xff into
 * *hashalg.
 */
isc_result_t
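dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source) {
	unsigned int value;
	RETERR(dns_mnemonic_fromtext(&value, source, hashalgs, 0xff));
	*hashalg = value;
	return (ISC_R_SUCCESS);
}

/*
 * Parse DNSKEY/KEY flags into *flagsp.
 *
 * The text is either a single number no larger than 0xffff (decimal, or hex
 * as a fallback) or a '|'-separated list of the mnemonics in keyflags[],
 * which are OR-ed together.  Each mnemonic must match a table name exactly
 * (same length, case-insensitive); an empty token or an unknown name yields
 * DNS_R_UNKNOWNFLAG.
 */
isc_result_t
dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source) {
	isc_result_t result;
	char *text, *end;
	unsigned int value = 0;
#ifdef notyet
	unsigned int mask = 0;
#endif /* ifdef notyet */

	result = maybe_numeric(&value, source, 0xffff, true);
	if (result == ISC_R_SUCCESS) {
		*flagsp = value;
		return (ISC_R_SUCCESS);
	}
	if (result != ISC_R_BADNUMBER) {
		return (result);
	}

	text = source->base;
	end = source->base + source->length;

	while (text < end) {
		struct keyflag *p;
		unsigned int len;
		char *delim = memchr(text, '|', end - text);
		if (delim != NULL) {
			len = (unsigned int)(delim - text);
		} else {
			len = (unsigned int)(end - text);
		}
		/*
		 * Require the whole name to match, not just the first 'len'
		 * characters: otherwise an empty token ("A||B") or a prefix
		 * such as "SIG" or "FLAG" would silently select the first
		 * table entry that starts with it.
		 */
		for (p = keyflags; p->name != NULL; p++) {
			if (strlen(p->name) == len &&
			    strncasecmp(p->name, text, len) == 0)
			{
				break;
			}
		}
		if (p->name == NULL) {
			return (DNS_R_UNKNOWNFLAG);
		}
		value |= p->value;
#ifdef notyet
		if ((mask & p->mask) != 0) {
			warn("overlapping key flags");
		}
		mask |= p->mask;
#endif /* ifdef notyet */
		text += len;
		if (delim != NULL) {
			text++; /* Skip "|" */
		}
	}
	*flagsp = value;
	return (ISC_R_SUCCESS);
}

/*
 * Parse a DS digest type mnemonic or number no larger than 0xff into
 * *dsdigestp.
 */
isc_result_t
dns_dsdigest_fromtext(dns_dsdigest_t *dsdigestp, isc_textregion_t *source) {
	unsigned int value;
	RETERR(dns_mnemonic_fromtext(&value, source, dsdigests, 0xff));
	*dsdigestp = value;
	return (ISC_R_SUCCESS);
}

/*
 * Append the mnemonic (or decimal value) of the DS digest type 'dsdigest'.
 */
isc_result_t
dns_dsdigest_totext(dns_dsdigest_t dsdigest, isc_buffer_t *target) {
	return (dns_mnemonic_totext(dsdigest, target, dsdigests));
}

/*
 * Format 'typ' as a NUL-terminated string into the caller's array 'cp' of
 * 'size' bytes.  If the text does not fit, 'cp' is set to the empty string
 * rather than a truncated mnemonic.
 */
void
dns_dsdigest_format(dns_dsdigest_t typ, char *cp, unsigned int size) {
	isc_buffer_t b;
	isc_region_t r;
	isc_result_t result;

	REQUIRE(cp != NULL && size > 0);
	/* Keep the last byte of 'cp' for the terminator. */
	isc_buffer_init(&b, cp, size - 1);
	result = dns_dsdigest_totext(typ, &b);
	isc_buffer_usedregion(&b, &r);
	r.base[r.length] = 0;
	if (result != ISC_R_SUCCESS) {
		r.base[0] = 0;
	}
}

/*
 * This uses lots of hard coded values, but how often do we actually
 * add classes?
 */

/*
 * Parse an rdata class mnemonic ("IN", "CH"/"CHAOS", "HS"/"HESIOD", "ANY",
 * "NONE", "RESERVED0") or the generic "CLASSnnn" form (decimal nnn no larger
 * than 65535) into *classp.  Matching is case-insensitive and the mnemonic
 * must match in full.  Returns DNS_R_UNKNOWN for anything else, including
 * an empty region.
 */
isc_result_t
dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
#define COMPARE(string, rdclass)                                      \
	if (((sizeof(string) - 1) == source->length) &&               \
	    (strncasecmp(source->base, string, source->length) == 0)) \
	{                                                             \
		*classp = rdclass;                                    \
		return (ISC_R_SUCCESS);                               \
	}

	/*
	 * Nothing below can match an empty region, and base[0] must not be
	 * read when there is no first character.
	 */
	if (source->length == 0) {
		return (DNS_R_UNKNOWN);
	}

	switch (tolower((unsigned char)source->base[0])) {
	case 'a':
		COMPARE("any", dns_rdataclass_any);
		break;
	case 'c':
		/*
		 * RFC1035 says the mnemonic for the CHAOS class is CH,
		 * but historical BIND practice is to call it CHAOS.
		 * We will accept both forms, but only generate CH.
		 */
		COMPARE("ch", dns_rdataclass_chaos);
		COMPARE("chaos", dns_rdataclass_chaos);

		/*
		 * "CLASSnnn": one to five characters after the prefix, and the
		 * first of them must be a digit so that strtoul() never sees
		 * leading whitespace or a sign.
		 */
		if (source->length > 5 &&
		    source->length < (5 + sizeof("65000")) &&
		    strncasecmp("class", source->base, 5) == 0 &&
		    isdigit((unsigned char)source->base[5]))
		{
			char buf[sizeof("65000")];
			char *endp;
			unsigned long val;

			/*
			 * source->base is not required to be NUL terminated.
			 * Copy up to remaining bytes and NUL terminate.
			 */
			snprintf(buf, sizeof(buf), "%.*s",
				 (int)(source->length - 5), source->base + 5);
			val = strtoul(buf, &endp, 10);
			/* Every copied character must have been a digit. */
			if (*endp == '\0' && val <= 0xffff) {
				*classp = (dns_rdataclass_t)val;
				return (ISC_R_SUCCESS);
			}
		}
		break;
	case 'h':
		COMPARE("hs", dns_rdataclass_hs);
		COMPARE("hesiod", dns_rdataclass_hs);
		break;
	case 'i':
		COMPARE("in", dns_rdataclass_in);
		break;
	case 'n':
		COMPARE("none", dns_rdataclass_none);
		break;
	case 'r':
		COMPARE("reserved0", dns_rdataclass_reserved0);
		break;
	default:
		break;
	}

#undef COMPARE

	return (DNS_R_UNKNOWN);
}

/*
 * Append the canonical mnemonic of 'rdclass' to 'target'; classes without
 * a mnemonic are written as "CLASSnnn".
 */
isc_result_t
dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
	switch (rdclass) {
	case dns_rdataclass_any:
		return (str_totext("ANY", target));
	case dns_rdataclass_chaos:
		return (str_totext("CH", target));
	case dns_rdataclass_hs:
		return (str_totext("HS", target));
	case dns_rdataclass_in:
		return (str_totext("IN", target));
	case dns_rdataclass_none:
		return (str_totext("NONE", target));
	case dns_rdataclass_reserved0:
		return (str_totext("RESERVED0", target));
	default:
		return (dns_rdataclass_tounknowntext(rdclass, target));
	}
}

/*
 * Append the generic "CLASSnnn" (RFC3597 style) text for 'rdclass'.
 */
isc_result_t
dns_rdataclass_tounknowntext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
	char buf[sizeof("CLASS65535")];

	snprintf(buf, sizeof(buf), "CLASS%u", rdclass);
	return (str_totext(buf, target));
}

/*
 * Format 'rdclass' as a NUL-terminated string into 'array' of 'size' bytes.
 * A zero 'size' is a no-op; if the text (plus terminator) does not fit,
 * 'array' receives "<unknown>" truncated to 'size'.
 */
void
dns_rdataclass_format(dns_rdataclass_t rdclass, char *array,
		      unsigned int size) {
	isc_result_t result;
	isc_buffer_t buf;

	if (size == 0U) {
		return;
	}

	isc_buffer_init(&buf, array, size);
	result = dns_rdataclass_totext(rdclass, &buf);
	/*
	 * Null terminate.
	 */
	if (result == ISC_R_SUCCESS) {
		if (isc_buffer_availablelength(&buf) >= 1) {
			isc_buffer_putuint8(&buf, 0);
		} else {
			result = ISC_R_NOSPACE;
		}
	}
	if (result != ISC_R_SUCCESS) {
		strlcpy(array, "<unknown>", size);
	}
}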