diff options
Diffstat (limited to 'src/grp-resolve/libbasic-dns/include')
7 files changed, 1181 insertions, 0 deletions
| diff --git a/src/grp-resolve/libbasic-dns/include/basic-dns/dns-type.h b/src/grp-resolve/libbasic-dns/include/basic-dns/dns-type.h new file mode 100644 index 0000000000..df1642f85e --- /dev/null +++ b/src/grp-resolve/libbasic-dns/include/basic-dns/dns-type.h @@ -0,0 +1,162 @@ +#pragma once + +/*** +  This file is part of systemd. + +  Copyright 2014 Zbigniew Jędrzejewski-Szmek + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include "systemd-basic/macro.h" + +/* DNS record types, taken from + * http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml. + */ +enum { +        /* Normal records */ +        DNS_TYPE_A          = 0x01, +        DNS_TYPE_NS, +        DNS_TYPE_MD, +        DNS_TYPE_MF, +        DNS_TYPE_CNAME, +        DNS_TYPE_SOA, +        DNS_TYPE_MB, +        DNS_TYPE_MG, +        DNS_TYPE_MR, +        DNS_TYPE_NULL, +        DNS_TYPE_WKS, +        DNS_TYPE_PTR, +        DNS_TYPE_HINFO, +        DNS_TYPE_MINFO, +        DNS_TYPE_MX, +        DNS_TYPE_TXT, +        DNS_TYPE_RP, +        DNS_TYPE_AFSDB, +        DNS_TYPE_X25, +        DNS_TYPE_ISDN, +        DNS_TYPE_RT, +        DNS_TYPE_NSAP, +        DNS_TYPE_NSAP_PTR, +        DNS_TYPE_SIG, +        DNS_TYPE_KEY, +        DNS_TYPE_PX, +        DNS_TYPE_GPOS, +        DNS_TYPE_AAAA, +        DNS_TYPE_LOC, +        DNS_TYPE_NXT, +        DNS_TYPE_EID, +        DNS_TYPE_NIMLOC, +        DNS_TYPE_SRV, +        DNS_TYPE_ATMA, +        DNS_TYPE_NAPTR, +        DNS_TYPE_KX, +        DNS_TYPE_CERT, +        DNS_TYPE_A6, +        DNS_TYPE_DNAME, +        DNS_TYPE_SINK, +        DNS_TYPE_OPT,          /* EDNS0 option */ +        DNS_TYPE_APL, +        DNS_TYPE_DS, +        DNS_TYPE_SSHFP, +        DNS_TYPE_IPSECKEY, +        DNS_TYPE_RRSIG, +        DNS_TYPE_NSEC, +        DNS_TYPE_DNSKEY, +        DNS_TYPE_DHCID, +        DNS_TYPE_NSEC3, +        DNS_TYPE_NSEC3PARAM, +        DNS_TYPE_TLSA, + +        DNS_TYPE_HIP        = 0x37, +        DNS_TYPE_NINFO, +        DNS_TYPE_RKEY, +        DNS_TYPE_TALINK, +        DNS_TYPE_CDS, +        DNS_TYPE_CDNSKEY, +        DNS_TYPE_OPENPGPKEY, + +        DNS_TYPE_SPF        = 0x63, +        DNS_TYPE_NID, +        DNS_TYPE_L32, +        DNS_TYPE_L64, +        DNS_TYPE_LP, +        DNS_TYPE_EUI48, +        DNS_TYPE_EUI64, + +        DNS_TYPE_TKEY       = 0xF9, +        DNS_TYPE_TSIG, +        DNS_TYPE_IXFR, +        DNS_TYPE_AXFR, +        DNS_TYPE_MAILB, +        DNS_TYPE_MAILA, +        DNS_TYPE_ANY, +        DNS_TYPE_URI, +        DNS_TYPE_CAA, +        DNS_TYPE_TA         = 0x8000, +        DNS_TYPE_DLV, + +        _DNS_TYPE_MAX, +        _DNS_TYPE_INVALID = -1 +}; + +assert_cc(DNS_TYPE_SSHFP == 44); +assert_cc(DNS_TYPE_TLSA == 52); +assert_cc(DNS_TYPE_ANY == 255); + +/* DNS record classes, see RFC 1035 */ +enum { +        DNS_CLASS_IN   = 0x01, +        DNS_CLASS_ANY  = 0xFF, + +        _DNS_CLASS_MAX, +        _DNS_CLASS_INVALID = -1 +}; + +#define _DNS_CLASS_STRING_MAX (sizeof "CLASS" + DECIMAL_STR_MAX(uint16_t)) +#define _DNS_TYPE_STRING_MAX (sizeof "CLASS" + DECIMAL_STR_MAX(uint16_t)) + +bool dns_type_is_pseudo(uint16_t type); +bool dns_type_is_valid_query(uint16_t type); +bool dns_type_is_valid_rr(uint16_t type); +bool dns_type_may_redirect(uint16_t type); +bool dns_type_is_dnssec(uint16_t type); +bool dns_type_is_obsolete(uint16_t type); +bool dns_type_may_wildcard(uint16_t type); +bool dns_type_apex_only(uint16_t type); +bool dns_type_needs_authentication(uint16_t type); +bool dns_type_is_zone_transer(uint16_t type); +int dns_type_to_af(uint16_t type); + +bool dns_class_is_pseudo(uint16_t class); +bool dns_class_is_valid_rr(uint16_t class); + +/* TYPE?? follows http://tools.ietf.org/html/rfc3597#section-5 */ +const char *dns_type_to_string(int type); +int dns_type_from_string(const char *s); + +const char *dns_class_to_string(uint16_t class); +int dns_class_from_string(const char *name); + +/* https://tools.ietf.org/html/draft-ietf-dane-protocol-23#section-7.2 */ +const char *tlsa_cert_usage_to_string(uint8_t cert_usage); + +/* https://tools.ietf.org/html/draft-ietf-dane-protocol-23#section-7.3 */ +const char *tlsa_selector_to_string(uint8_t selector); + +/* https://tools.ietf.org/html/draft-ietf-dane-protocol-23#section-7.4 */ +const char *tlsa_matching_type_to_string(uint8_t selector); + +/* https://tools.ietf.org/html/rfc6844#section-5.1 */ +#define CAA_FLAG_CRITICAL (1u << 7) diff --git a/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-def.h b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-def.h new file mode 100644 index 0000000000..c4c1915b18 --- /dev/null +++ b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-def.h @@ -0,0 +1,38 @@ +#pragma once + +/*** +  This file is part of systemd. + +  Copyright 2014 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <inttypes.h> + +#define SD_RESOLVED_DNS           (UINT64_C(1) << 0) +#define SD_RESOLVED_LLMNR_IPV4    (UINT64_C(1) << 1) +#define SD_RESOLVED_LLMNR_IPV6    (UINT64_C(1) << 2) +#define SD_RESOLVED_MDNS_IPV4     (UINT64_C(1) << 3) +#define SD_RESOLVED_MDNS_IPV6     (UINT64_C(1) << 4) +#define SD_RESOLVED_NO_CNAME      (UINT64_C(1) << 5) +#define SD_RESOLVED_NO_TXT        (UINT64_C(1) << 6) +#define SD_RESOLVED_NO_ADDRESS    (UINT64_C(1) << 7) +#define SD_RESOLVED_NO_SEARCH     (UINT64_C(1) << 8) +#define SD_RESOLVED_AUTHENTICATED (UINT64_C(1) << 9) + +#define SD_RESOLVED_LLMNR         (SD_RESOLVED_LLMNR_IPV4|SD_RESOLVED_LLMNR_IPV6) +#define SD_RESOLVED_MDNS          (SD_RESOLVED_MDNS_IPV4|SD_RESOLVED_MDNS_IPV6) + +#define SD_RESOLVED_PROTOCOLS_ALL (SD_RESOLVED_MDNS|SD_RESOLVED_LLMNR|SD_RESOLVED_DNS) diff --git a/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-answer.h b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-answer.h new file mode 100644 index 0000000000..447604d008 --- /dev/null +++ b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-answer.h @@ -0,0 +1,148 @@ +#pragma once + +/*** +  This file is part of systemd. + +  Copyright 2014 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include "systemd-basic/macro.h" + +typedef struct DnsAnswer DnsAnswer; +typedef struct DnsAnswerItem DnsAnswerItem; + +#include "resolved-dns-rr.h" + +/* A simple array of resource records. We keep track of the + * originating ifindex for each RR where that makes sense, so that we + * can qualify A and AAAA RRs referring to a local link with the + * right ifindex. + * + * Note that we usually encode the empty DnsAnswer object as a simple NULL. */ + +typedef enum DnsAnswerFlags { +        DNS_ANSWER_AUTHENTICATED = 1, /* Item has been authenticated */ +        DNS_ANSWER_CACHEABLE     = 2, /* Item is subject to caching */ +        DNS_ANSWER_SHARED_OWNER  = 4, /* For mDNS: RRset may be owner by multiple peers */ +} DnsAnswerFlags; + +struct DnsAnswerItem { +        DnsResourceRecord *rr; +        int ifindex; +        DnsAnswerFlags flags; +}; + +struct DnsAnswer { +        unsigned n_ref; +        unsigned n_rrs, n_allocated; +        DnsAnswerItem items[0]; +}; + +DnsAnswer *dns_answer_new(unsigned n); +DnsAnswer *dns_answer_ref(DnsAnswer *a); +DnsAnswer *dns_answer_unref(DnsAnswer *a); + +int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags); +int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags); +int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl, int ifindex); + +int dns_answer_match_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *combined_flags); +int dns_answer_contains_rr(DnsAnswer *a, DnsResourceRecord *rr, DnsAnswerFlags *combined_flags); +int dns_answer_contains_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *combined_flags); +int dns_answer_contains_nsec_or_nsec3(DnsAnswer *a); +int dns_answer_contains_zone_nsec3(DnsAnswer *answer, const char *zone); + +int dns_answer_find_soa(DnsAnswer *a, const DnsResourceKey *key, DnsResourceRecord **ret, DnsAnswerFlags *flags); +int dns_answer_find_cname_or_dname(DnsAnswer *a, const DnsResourceKey *key, DnsResourceRecord **ret, DnsAnswerFlags *flags); + +int dns_answer_merge(DnsAnswer *a, DnsAnswer *b, DnsAnswer **ret); +int dns_answer_extend(DnsAnswer **a, DnsAnswer *b); + +void dns_answer_order_by_scope(DnsAnswer *a, bool prefer_link_local); + +int dns_answer_reserve(DnsAnswer **a, unsigned n_free); +int dns_answer_reserve_or_clone(DnsAnswer **a, unsigned n_free); + +int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key); +int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rr); + +int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags); +int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags); + +bool dns_answer_has_dname_for_cname(DnsAnswer *a, DnsResourceRecord *cname); + +static inline unsigned dns_answer_size(DnsAnswer *a) { +        return a ? a->n_rrs : 0; +} + +static inline bool dns_answer_isempty(DnsAnswer *a) { +        return dns_answer_size(a) <= 0; +} + +void dns_answer_dump(DnsAnswer *answer, FILE *f); + +DEFINE_TRIVIAL_CLEANUP_FUNC(DnsAnswer*, dns_answer_unref); + +#define _DNS_ANSWER_FOREACH(q, kk, a)                                   \ +        for (unsigned UNIQ_T(i, q) = ({                                 \ +                                (kk) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].rr : NULL; \ +                                0;                                      \ +                        });                                             \ +             (a) && (UNIQ_T(i, q) < (a)->n_rrs);                        \ +             UNIQ_T(i, q)++, (kk) = (UNIQ_T(i, q) < (a)->n_rrs ? (a)->items[UNIQ_T(i, q)].rr : NULL)) + +#define DNS_ANSWER_FOREACH(kk, a) _DNS_ANSWER_FOREACH(UNIQ, kk, a) + +#define _DNS_ANSWER_FOREACH_IFINDEX(q, kk, ifi, a)                      \ +        for (unsigned UNIQ_T(i, q) = ({                                 \ +                                (kk) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].rr : NULL; \ +                                (ifi) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].ifindex : 0; \ +                                0;                                      \ +                        });                                             \ +             (a) && (UNIQ_T(i, q) < (a)->n_rrs);                        \ +             UNIQ_T(i, q)++,                                            \ +                     (kk) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].rr : NULL), \ +                     (ifi) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].ifindex : 0)) + +#define DNS_ANSWER_FOREACH_IFINDEX(kk, ifindex, a) _DNS_ANSWER_FOREACH_IFINDEX(UNIQ, kk, ifindex, a) + +#define _DNS_ANSWER_FOREACH_FLAGS(q, kk, fl, a)                         \ +        for (unsigned UNIQ_T(i, q) = ({                                 \ +                                (kk) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].rr : NULL; \ +                                (fl) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].flags : 0; \ +                                0;                                      \ +                        });                                             \ +             (a) && (UNIQ_T(i, q) < (a)->n_rrs);                        \ +             UNIQ_T(i, q)++,                                            \ +                     (kk) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].rr : NULL), \ +                     (fl) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].flags : 0)) + +#define DNS_ANSWER_FOREACH_FLAGS(kk, flags, a) _DNS_ANSWER_FOREACH_FLAGS(UNIQ, kk, flags, a) + +#define _DNS_ANSWER_FOREACH_FULL(q, kk, ifi, fl, a)                     \ +        for (unsigned UNIQ_T(i, q) = ({                                 \ +                                (kk) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].rr : NULL; \ +                                (ifi) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].ifindex : 0; \ +                                (fl) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].flags : 0; \ +                                0;                                      \ +                        });                                             \ +             (a) && (UNIQ_T(i, q) < (a)->n_rrs);                        \ +             UNIQ_T(i, q)++,                                            \ +                     (kk) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].rr : NULL), \ +                     (ifi) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].ifindex : 0), \ +                     (fl) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].flags : 0)) + +#define DNS_ANSWER_FOREACH_FULL(kk, ifindex, flags, a) _DNS_ANSWER_FOREACH_FULL(UNIQ, kk, ifindex, flags, a) diff --git a/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-dnssec.h b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-dnssec.h new file mode 100644 index 0000000000..b91abe98ac --- /dev/null +++ b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-dnssec.h @@ -0,0 +1,103 @@ +#pragma once + +/*** +  This file is part of systemd. + +  Copyright 2015 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include "systemd-shared/dns-domain.h" + +typedef enum DnssecResult DnssecResult; +typedef enum DnssecVerdict DnssecVerdict; + +#include "resolved-dns-answer.h" +#include "resolved-dns-rr.h" + +enum DnssecResult { +        /* These five are returned by dnssec_verify_rrset() */ +        DNSSEC_VALIDATED, +        DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */ +        DNSSEC_INVALID, +        DNSSEC_SIGNATURE_EXPIRED, +        DNSSEC_UNSUPPORTED_ALGORITHM, + +        /* These two are added by dnssec_verify_rrset_search() */ +        DNSSEC_NO_SIGNATURE, +        DNSSEC_MISSING_KEY, + +        /* These two are added by the DnsTransaction logic */ +        DNSSEC_UNSIGNED, +        DNSSEC_FAILED_AUXILIARY, +        DNSSEC_NSEC_MISMATCH, +        DNSSEC_INCOMPATIBLE_SERVER, + +        _DNSSEC_RESULT_MAX, +        _DNSSEC_RESULT_INVALID = -1 +}; + +enum DnssecVerdict { +        DNSSEC_SECURE, +        DNSSEC_INSECURE, +        DNSSEC_BOGUS, +        DNSSEC_INDETERMINATE, + +        _DNSSEC_VERDICT_MAX, +        _DNSSEC_VERDICT_INVALID = -1 +}; + +#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2) + +/* The longest digest we'll ever generate, of all digest algorithms we support */ +#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32)) + +int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok); +int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig); + +int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result); +int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig); + +int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke); +int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds); + +int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key); + +uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke); + +int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max); + +int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret); + +typedef enum DnssecNsecResult { +        DNSSEC_NSEC_NO_RR,     /* No suitable NSEC/NSEC3 RR found */ +        DNSSEC_NSEC_CNAME,     /* Didn't find what was asked for, but did find CNAME */ +        DNSSEC_NSEC_UNSUPPORTED_ALGORITHM, +        DNSSEC_NSEC_NXDOMAIN, +        DNSSEC_NSEC_NODATA, +        DNSSEC_NSEC_FOUND, +        DNSSEC_NSEC_OPTOUT, +} DnssecNsecResult; + +int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl); + + +int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated); + +const char* dnssec_result_to_string(DnssecResult m) _const_; +DnssecResult dnssec_result_from_string(const char *s) _pure_; + +const char* dnssec_verdict_to_string(DnssecVerdict m) _const_; +DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_; diff --git a/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-packet.h b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-packet.h new file mode 100644 index 0000000000..cb03de8986 --- /dev/null +++ b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-packet.h @@ -0,0 +1,302 @@ +#pragma once + +/*** +  This file is part of systemd. + +  Copyright 2014 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. + ***/ + +#include <netinet/ip.h> +#include <netinet/udp.h> + +#include "systemd-basic/hashmap.h" +#include "systemd-basic/in-addr-util.h" +#include "systemd-basic/macro.h" +#include "systemd-basic/sparse-endian.h" + +typedef struct DnsPacket DnsPacket; +typedef struct DnsPacketHeader DnsPacketHeader; + +#include "resolved-def.h" +#include "resolved-dns-answer.h" +#include "resolved-dns-question.h" +#include "resolved-dns-rr.h" + +typedef enum DnsProtocol { +        DNS_PROTOCOL_DNS, +        DNS_PROTOCOL_MDNS, +        DNS_PROTOCOL_LLMNR, +        _DNS_PROTOCOL_MAX, +        _DNS_PROTOCOL_INVALID = -1 +} DnsProtocol; + +struct DnsPacketHeader { +        uint16_t id; +        be16_t flags; +        be16_t qdcount; +        be16_t ancount; +        be16_t nscount; +        be16_t arcount; +}; + +#define DNS_PACKET_HEADER_SIZE sizeof(DnsPacketHeader) +#define UDP_PACKET_HEADER_SIZE (sizeof(struct iphdr) + sizeof(struct udphdr)) + +/* The various DNS protocols deviate in how large a packet can grow, +   but the TCP transport has a 16bit size field, hence that appears to +   be the absolute maximum. */ +#define DNS_PACKET_SIZE_MAX 0xFFFF + +/* RFC 1035 say 512 is the maximum, for classic unicast DNS */ +#define DNS_PACKET_UNICAST_SIZE_MAX 512 + +/* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */ +#define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096 + +#define DNS_PACKET_SIZE_START 512 + +struct DnsPacket { +        int n_ref; +        DnsProtocol protocol; +        size_t size, allocated, rindex; +        void *_data; /* don't access directly, use DNS_PACKET_DATA()! */ +        Hashmap *names; /* For name compression */ +        size_t opt_start, opt_size; + +        /* Parsed data */ +        DnsQuestion *question; +        DnsAnswer *answer; +        DnsResourceRecord *opt; + +        /* Packet reception metadata */ +        int ifindex; +        int family, ipproto; +        union in_addr_union sender, destination; +        uint16_t sender_port, destination_port; +        uint32_t ttl; + +        /* For support of truncated packets */ +        DnsPacket *more; + +        bool on_stack:1; +        bool extracted:1; +        bool refuse_compression:1; +        bool canonical_form:1; +}; + +static inline uint8_t* DNS_PACKET_DATA(DnsPacket *p) { +        if (_unlikely_(!p)) +                return NULL; + +        if (p->_data) +                return p->_data; + +        return ((uint8_t*) p) + ALIGN(sizeof(DnsPacket)); +} + +#define DNS_PACKET_HEADER(p) ((DnsPacketHeader*) DNS_PACKET_DATA(p)) +#define DNS_PACKET_ID(p) DNS_PACKET_HEADER(p)->id +#define DNS_PACKET_QR(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 15) & 1) +#define DNS_PACKET_OPCODE(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 11) & 15) +#define DNS_PACKET_AA(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 10) & 1) +#define DNS_PACKET_TC(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 9) & 1) +#define DNS_PACKET_RD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 8) & 1) +#define DNS_PACKET_RA(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 7) & 1) +#define DNS_PACKET_AD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 5) & 1) +#define DNS_PACKET_CD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 4) & 1) + +#define DNS_PACKET_FLAG_TC (UINT16_C(1) << 9) + +static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) { +        uint16_t rcode; + +        if (p->opt) +                rcode = (uint16_t) (p->opt->ttl >> 24); +        else +                rcode = 0; + +        return rcode | (be16toh(DNS_PACKET_HEADER(p)->flags) & 0xF); +} + +static inline uint16_t DNS_PACKET_PAYLOAD_SIZE_MAX(DnsPacket *p) { + +        /* Returns the advertised maximum datagram size for replies, or the DNS default if there's nothing defined. */ + +        if (p->opt) +                return MAX(DNS_PACKET_UNICAST_SIZE_MAX, p->opt->key->class); + +        return DNS_PACKET_UNICAST_SIZE_MAX; +} + +static inline bool DNS_PACKET_DO(DnsPacket *p) { +        if (!p->opt) +                return false; + +        return !!(p->opt->ttl & (1U << 15)); +} + +static inline bool DNS_PACKET_VERSION_SUPPORTED(DnsPacket *p) { +        /* Returns true if this packet is in a version we support. Which means either non-EDNS or EDNS(0), but not EDNS +         * of any newer versions */ + +        if (!p->opt) +                return true; + +        return DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(p->opt); +} + +/* LLMNR defines some bits differently */ +#define DNS_PACKET_LLMNR_C(p) DNS_PACKET_AA(p) +#define DNS_PACKET_LLMNR_T(p) DNS_PACKET_RD(p) + +#define DNS_PACKET_QDCOUNT(p) be16toh(DNS_PACKET_HEADER(p)->qdcount) +#define DNS_PACKET_ANCOUNT(p) be16toh(DNS_PACKET_HEADER(p)->ancount) +#define DNS_PACKET_NSCOUNT(p) be16toh(DNS_PACKET_HEADER(p)->nscount) +#define DNS_PACKET_ARCOUNT(p) be16toh(DNS_PACKET_HEADER(p)->arcount) + +#define DNS_PACKET_MAKE_FLAGS(qr, opcode, aa, tc, rd, ra, ad, cd, rcode) \ +        (((uint16_t) !!(qr) << 15) |                                    \ +         ((uint16_t) ((opcode) & 15) << 11) |                           \ +         ((uint16_t) !!(aa) << 10) |                /* on LLMNR: c */   \ +         ((uint16_t) !!(tc) << 9) |                                     \ +         ((uint16_t) !!(rd) << 8) |                 /* on LLMNR: t */   \ +         ((uint16_t) !!(ra) << 7) |                                     \ +         ((uint16_t) !!(ad) << 5) |                                     \ +         ((uint16_t) !!(cd) << 4) |                                     \ +         ((uint16_t) ((rcode) & 15))) + +static inline unsigned DNS_PACKET_RRCOUNT(DnsPacket *p) { +        return +                (unsigned) DNS_PACKET_ANCOUNT(p) + +                (unsigned) DNS_PACKET_NSCOUNT(p) + +                (unsigned) DNS_PACKET_ARCOUNT(p); +} + +int dns_packet_new(DnsPacket **p, DnsProtocol protocol, size_t mtu); +int dns_packet_new_query(DnsPacket **p, DnsProtocol protocol, size_t mtu, bool dnssec_checking_disabled); + +void dns_packet_set_flags(DnsPacket *p, bool dnssec_checking_disabled, bool truncated); + +DnsPacket *dns_packet_ref(DnsPacket *p); +DnsPacket *dns_packet_unref(DnsPacket *p); + +DEFINE_TRIVIAL_CLEANUP_FUNC(DnsPacket*, dns_packet_unref); + +int dns_packet_validate(DnsPacket *p); +int dns_packet_validate_reply(DnsPacket *p); +int dns_packet_validate_query(DnsPacket *p); + +int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key); + +int dns_packet_append_blob(DnsPacket *p, const void *d, size_t sz, size_t *start); +int dns_packet_append_uint8(DnsPacket *p, uint8_t v, size_t *start); +int dns_packet_append_uint16(DnsPacket *p, uint16_t v, size_t *start); +int dns_packet_append_uint32(DnsPacket *p, uint32_t v, size_t *start); +int dns_packet_append_string(DnsPacket *p, const char *s, size_t *start); +int dns_packet_append_raw_string(DnsPacket *p, const void *s, size_t size, size_t *start); +int dns_packet_append_label(DnsPacket *p, const char *s, size_t l, bool canonical_candidate, size_t *start); +int dns_packet_append_name(DnsPacket *p, const char *name, bool allow_compression, bool canonical_candidate, size_t *start); +int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *key, size_t *start); +int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *start, size_t *rdata_start); +int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, int rcode, size_t *start); +int dns_packet_append_question(DnsPacket *p, DnsQuestion *q); +int dns_packet_append_answer(DnsPacket *p, DnsAnswer *a); + +void dns_packet_truncate(DnsPacket *p, size_t sz); +int dns_packet_truncate_opt(DnsPacket *p); + +int dns_packet_read(DnsPacket *p, size_t sz, const void **ret, size_t *start); +int dns_packet_read_blob(DnsPacket *p, void *d, size_t sz, size_t *start); +int dns_packet_read_uint8(DnsPacket *p, uint8_t *ret, size_t *start); +int dns_packet_read_uint16(DnsPacket *p, uint16_t *ret, size_t *start); +int dns_packet_read_uint32(DnsPacket *p, uint32_t *ret, size_t *start); +int dns_packet_read_string(DnsPacket *p, char **ret, size_t *start); +int dns_packet_read_raw_string(DnsPacket *p, const void **ret, size_t *size, size_t *start); +int dns_packet_read_name(DnsPacket *p, char **ret, bool allow_compression, size_t *start); +int dns_packet_read_key(DnsPacket *p, DnsResourceKey **ret, bool *ret_cache_flush, size_t *start); +int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, bool *ret_cache_flush, size_t *start); + +void dns_packet_rewind(DnsPacket *p, size_t idx); + +int dns_packet_skip_question(DnsPacket *p); +int dns_packet_extract(DnsPacket *p); + +static inline bool DNS_PACKET_SHALL_CACHE(DnsPacket *p) { +        /* Never cache data originating from localhost, under the +         * assumption, that it's coming from a locally DNS forwarder +         * or server, that is caching on its own. */ + +        return in_addr_is_localhost(p->family, &p->sender) == 0; +} + +/* https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6 */ +enum { +        DNS_RCODE_SUCCESS = 0, +        DNS_RCODE_FORMERR = 1, +        DNS_RCODE_SERVFAIL = 2, +        DNS_RCODE_NXDOMAIN = 3, +        DNS_RCODE_NOTIMP = 4, +        DNS_RCODE_REFUSED = 5, +        DNS_RCODE_YXDOMAIN = 6, +        DNS_RCODE_YXRRSET = 7, +        DNS_RCODE_NXRRSET = 8, +        DNS_RCODE_NOTAUTH = 9, +        DNS_RCODE_NOTZONE = 10, +        DNS_RCODE_BADVERS = 16, +        DNS_RCODE_BADSIG = 16, /* duplicate value! */ +        DNS_RCODE_BADKEY = 17, +        DNS_RCODE_BADTIME = 18, +        DNS_RCODE_BADMODE = 19, +        DNS_RCODE_BADNAME = 20, +        DNS_RCODE_BADALG = 21, +        DNS_RCODE_BADTRUNC = 22, +        _DNS_RCODE_MAX_DEFINED, +        _DNS_RCODE_MAX = 4095 /* 4 bit rcode in the header plus 8 bit rcode in OPT, makes 12 bit */ +}; + +const char* dns_rcode_to_string(int i) _const_; +int dns_rcode_from_string(const char *s) _pure_; + +const char* dns_protocol_to_string(DnsProtocol p) _const_; +DnsProtocol dns_protocol_from_string(const char *s) _pure_; + +#define LLMNR_MULTICAST_IPV4_ADDRESS ((struct in_addr) { .s_addr = htobe32(224U << 24 | 252U) }) +#define LLMNR_MULTICAST_IPV6_ADDRESS ((struct in6_addr) { .s6_addr = { 0xFF, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x03 } }) + +#define MDNS_MULTICAST_IPV4_ADDRESS  ((struct in_addr) { .s_addr = htobe32(224U << 24 | 251U) }) +#define MDNS_MULTICAST_IPV6_ADDRESS  ((struct in6_addr) { .s6_addr = { 0xFF, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfb } }) + +static inline uint64_t SD_RESOLVED_FLAGS_MAKE(DnsProtocol protocol, int family, bool authenticated) { +        uint64_t f; + +        /* Converts a protocol + family into a flags field as used in queries and responses */ + +        f = authenticated ? SD_RESOLVED_AUTHENTICATED : 0; + +        switch (protocol) { +        case DNS_PROTOCOL_DNS: +                return f|SD_RESOLVED_DNS; + +        case DNS_PROTOCOL_LLMNR: +                return f|(family == AF_INET6 ? SD_RESOLVED_LLMNR_IPV6 : SD_RESOLVED_LLMNR_IPV4); + +        case DNS_PROTOCOL_MDNS: +                return f|(family == AF_INET6 ? SD_RESOLVED_MDNS_IPV6 : SD_RESOLVED_MDNS_IPV4); + +        default: +                return f; +        } +} diff --git a/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-question.h b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-question.h new file mode 100644 index 0000000000..fb1b2d2410 --- /dev/null +++ b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-question.h @@ -0,0 +1,74 @@ +#pragma once + +/*** +  This file is part of systemd. + +  Copyright 2014 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include "systemd-basic/macro.h" + +typedef struct DnsQuestion DnsQuestion; + +#include "resolved-dns-rr.h" + +/* A simple array of resource keys */ + +struct DnsQuestion { +        unsigned n_ref; +        unsigned n_keys, n_allocated; +        DnsResourceKey* keys[0]; +}; + +DnsQuestion *dns_question_new(unsigned n); +DnsQuestion *dns_question_ref(DnsQuestion *q); +DnsQuestion *dns_question_unref(DnsQuestion *q); + +int dns_question_new_address(DnsQuestion **ret, int family, const char *name, bool convert_idna); +int dns_question_new_reverse(DnsQuestion **ret, int family, const union in_addr_union *a); +int dns_question_new_service(DnsQuestion **ret, const char *service, const char *type, const char *domain, bool with_txt, bool convert_idna); + +int dns_question_add(DnsQuestion *q, DnsResourceKey *key); + +int dns_question_matches_rr(DnsQuestion *q, DnsResourceRecord *rr, const char *search_domain); +int dns_question_matches_cname_or_dname(DnsQuestion *q, DnsResourceRecord *rr, const char* search_domain); +int dns_question_is_valid_for_query(DnsQuestion *q); +int dns_question_contains(DnsQuestion *a, const DnsResourceKey *k); +int dns_question_is_equal(DnsQuestion *a, DnsQuestion *b); + +int dns_question_cname_redirect(DnsQuestion *q, const DnsResourceRecord *cname, DnsQuestion **ret); + +const char *dns_question_first_name(DnsQuestion *q); + +static inline unsigned dns_question_size(DnsQuestion *q) { +        return q ? q->n_keys : 0; +} + +static inline bool dns_question_isempty(DnsQuestion *q) { +        return dns_question_size(q) <= 0; +} + +DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuestion*, dns_question_unref); + +#define _DNS_QUESTION_FOREACH(u, key, q)                                \ +        for (unsigned UNIQ_T(i, u) = ({                                 \ +                                (key) = ((q) && (q)->n_keys > 0) ? (q)->keys[0] : NULL; \ +                                0;                                      \ +                        });                                             \ +             (q) && (UNIQ_T(i, u) < (q)->n_keys);                       \ +             UNIQ_T(i, u)++, (key) = (UNIQ_T(i, u) < (q)->n_keys ? (q)->keys[UNIQ_T(i, u)] : NULL)) + +#define DNS_QUESTION_FOREACH(key, q) _DNS_QUESTION_FOREACH(UNIQ, key, q) diff --git a/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-rr.h b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-rr.h new file mode 100644 index 0000000000..864c7c237f --- /dev/null +++ b/src/grp-resolve/libbasic-dns/include/basic-dns/resolved-dns-rr.h @@ -0,0 +1,354 @@ +#pragma once + +/*** +  This file is part of systemd. + +  Copyright 2014 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. + ***/ + +#include <netinet/in.h> + +#include "systemd-basic/bitmap.h" +#include "systemd-basic/hashmap.h" +#include "systemd-basic/in-addr-util.h" +#include "systemd-basic/list.h" +#include "systemd-basic/string-util.h" + +#include "dns-type.h" + +typedef struct DnsResourceKey DnsResourceKey; +typedef struct DnsResourceRecord DnsResourceRecord; +typedef struct DnsTxtItem DnsTxtItem; + +/* DNSKEY RR flags */ +#define DNSKEY_FLAG_SEP      (UINT16_C(1) << 0) +#define DNSKEY_FLAG_REVOKE   (UINT16_C(1) << 7) +#define DNSKEY_FLAG_ZONE_KEY (UINT16_C(1) << 8) + +/* mDNS RR flags */ +#define MDNS_RR_CACHE_FLUSH  (UINT16_C(1) << 15) + +/* DNSSEC algorithm identifiers, see + * http://tools.ietf.org/html/rfc4034#appendix-A.1 and + * https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml */ +enum { +        DNSSEC_ALGORITHM_RSAMD5 = 1, +        DNSSEC_ALGORITHM_DH, +        DNSSEC_ALGORITHM_DSA, +        DNSSEC_ALGORITHM_ECC, +        DNSSEC_ALGORITHM_RSASHA1, +        DNSSEC_ALGORITHM_DSA_NSEC3_SHA1, +        DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1, +        DNSSEC_ALGORITHM_RSASHA256 = 8,        /* RFC 5702 */ +        DNSSEC_ALGORITHM_RSASHA512 = 10,       /* RFC 5702 */ +        DNSSEC_ALGORITHM_ECC_GOST = 12,        /* RFC 5933 */ +        DNSSEC_ALGORITHM_ECDSAP256SHA256 = 13, /* RFC 6605 */ +        DNSSEC_ALGORITHM_ECDSAP384SHA384 = 14, /* RFC 6605 */ +        DNSSEC_ALGORITHM_INDIRECT = 252, +        DNSSEC_ALGORITHM_PRIVATEDNS, +        DNSSEC_ALGORITHM_PRIVATEOID, +        _DNSSEC_ALGORITHM_MAX_DEFINED +}; + +/* DNSSEC digest identifiers, see + * https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */ +enum { +        DNSSEC_DIGEST_SHA1 = 1, +        DNSSEC_DIGEST_SHA256 = 2,              /* RFC 4509 */ +        DNSSEC_DIGEST_GOST_R_34_11_94 = 3,     /* RFC 5933 */ +        DNSSEC_DIGEST_SHA384 = 4,              /* RFC 6605 */ +        _DNSSEC_DIGEST_MAX_DEFINED +}; + +/* DNSSEC NSEC3 hash algorithms, see + * https://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml */ +enum { +        NSEC3_ALGORITHM_SHA1 = 1, +        _NSEC3_ALGORITHM_MAX_DEFINED +}; + +struct DnsResourceKey { +        unsigned n_ref; /* (unsigned -1) for const keys, see below */ +        uint16_t class, type; +        char *_name; /* don't access directly, use dns_resource_key_name()! */ +}; + +/* Creates a temporary resource key. This is only useful to quickly + * look up something, without allocating a full DnsResourceKey object + * for it. Note that it is not OK to take references to this kind of + * resource key object. */ +#define DNS_RESOURCE_KEY_CONST(c, t, n)                 \ +        ((DnsResourceKey) {                             \ +                .n_ref = (unsigned) -1,                 \ +                .class = c,                             \ +                .type = t,                              \ +                ._name = (char*) n,                     \ +        }) + + +struct DnsTxtItem { +        size_t length; +        LIST_FIELDS(DnsTxtItem, items); +        uint8_t data[]; +}; + +struct DnsResourceRecord { +        unsigned n_ref; +        DnsResourceKey *key; + +        char *to_string; + +        uint32_t ttl; +        usec_t expiry; /* RRSIG signature expiry */ + +        /* How many labels to strip to determine "signer" of the RRSIG (aka, the zone). -1 if not signed. */ +        unsigned n_skip_labels_signer; +        /* How many labels to strip to determine "synthesizing source" of this RR, i.e. the wildcard's immediate parent. -1 if not signed. */ +        unsigned n_skip_labels_source; + +        bool unparseable:1; + +        bool wire_format_canonical:1; +        void *wire_format; +        size_t wire_format_size; +        size_t wire_format_rdata_offset; + +        union { +                struct { +                        void *data; +                        size_t data_size; +                } generic, opt; + +                struct { +                        uint16_t priority; +                        uint16_t weight; +                        uint16_t port; +                        char *name; +                } srv; + +                struct { +                        char *name; +                } ptr, ns, cname, dname; + +                struct { +                        char *cpu; +                        char *os; +                } hinfo; + +                struct { +                        DnsTxtItem *items; +                } txt, spf; + +                struct { +                        struct in_addr in_addr; +                } a; + +                struct { +                        struct in6_addr in6_addr; +                } aaaa; + +                struct { +                        char *mname; +                        char *rname; +                        uint32_t serial; +                        uint32_t refresh; +                        uint32_t retry; +                        uint32_t expire; +                        uint32_t minimum; +                } soa; + +                struct { +                        uint16_t priority; +                        char *exchange; +                } mx; + +                /* https://tools.ietf.org/html/rfc1876 */ +                struct { +                        uint8_t version; +                        uint8_t size; +                        uint8_t horiz_pre; +                        uint8_t vert_pre; +                        uint32_t latitude; +                        uint32_t longitude; +                        uint32_t altitude; +                } loc; + +                /* https://tools.ietf.org/html/rfc4255#section-3.1 */ +                struct { +                        uint8_t algorithm; +                        uint8_t fptype; +                        void *fingerprint; +                        size_t fingerprint_size; +                } sshfp; + +                /* http://tools.ietf.org/html/rfc4034#section-2.1 */ +                struct { +                        uint16_t flags; +                        uint8_t protocol; +                        uint8_t algorithm; +                        void* key; +                        size_t key_size; +                } dnskey; + +                /* http://tools.ietf.org/html/rfc4034#section-3.1 */ +                struct { +                        uint16_t type_covered; +                        uint8_t algorithm; +                        uint8_t labels; +                        uint32_t original_ttl; +                        uint32_t expiration; +                        uint32_t inception; +                        uint16_t key_tag; +                        char *signer; +                        void *signature; +                        size_t signature_size; +                } rrsig; + +                /* https://tools.ietf.org/html/rfc4034#section-4.1 */ +                struct { +                        char *next_domain_name; +                        Bitmap *types; +                } nsec; + +                /* https://tools.ietf.org/html/rfc4034#section-5.1 */ +                struct { +                        uint16_t key_tag; +                        uint8_t algorithm; +                        uint8_t digest_type; +                        void *digest; +                        size_t digest_size; +                } ds; + +                struct { +                        uint8_t algorithm; +                        uint8_t flags; +                        uint16_t iterations; +                        void *salt; +                        size_t salt_size; +                        void *next_hashed_name; +                        size_t next_hashed_name_size; +                        Bitmap *types; +                } nsec3; + +                /* https://tools.ietf.org/html/draft-ietf-dane-protocol-23 */ +                struct { +                        uint8_t cert_usage; +                        uint8_t selector; +                        uint8_t matching_type; +                        void *data; +                        size_t data_size; +                } tlsa; + +                /* https://tools.ietf.org/html/rfc6844 */ +                struct { +                        uint8_t flags; +                        char *tag; +                        void *value; +                        size_t value_size; +                } caa; +        }; +}; + +static inline const void* DNS_RESOURCE_RECORD_RDATA(DnsResourceRecord *rr) { +        if (!rr) +                return NULL; + +        if (!rr->wire_format) +                return NULL; + +        assert(rr->wire_format_rdata_offset <= rr->wire_format_size); +        return (uint8_t*) rr->wire_format + rr->wire_format_rdata_offset; +} + +static inline size_t DNS_RESOURCE_RECORD_RDATA_SIZE(DnsResourceRecord *rr) { +        if (!rr) +                return 0; +        if (!rr->wire_format) +                return 0; + +        assert(rr->wire_format_rdata_offset <= rr->wire_format_size); +        return rr->wire_format_size - rr->wire_format_rdata_offset; +} + +static inline uint8_t DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(DnsResourceRecord *rr) { +        assert(rr); +        assert(rr->key->type == DNS_TYPE_OPT); + +        return ((rr->ttl >> 16) & 0xFF) == 0; +} + +DnsResourceKey* dns_resource_key_new(uint16_t class, uint16_t type, const char *name); +DnsResourceKey* dns_resource_key_new_redirect(const DnsResourceKey *key, const DnsResourceRecord *cname); +int dns_resource_key_new_append_suffix(DnsResourceKey **ret, DnsResourceKey *key, char *name); +DnsResourceKey* dns_resource_key_new_consume(uint16_t class, uint16_t type, char *name); +DnsResourceKey* dns_resource_key_ref(DnsResourceKey *key); +DnsResourceKey* dns_resource_key_unref(DnsResourceKey *key); +const char* dns_resource_key_name(const DnsResourceKey *key); +bool dns_resource_key_is_address(const DnsResourceKey *key); +int dns_resource_key_equal(const DnsResourceKey *a, const DnsResourceKey *b); +int dns_resource_key_match_rr(const DnsResourceKey *key, DnsResourceRecord *rr, const char *search_domain); +int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsResourceKey *cname, const char *search_domain); +int dns_resource_key_match_soa(const DnsResourceKey *key, const DnsResourceKey *soa); + +/* _DNS_{CLASS,TYPE}_STRING_MAX include one byte for NUL, which we use for space instead below. + * DNS_HOSTNAME_MAX does not include the NUL byte, so we need to add 1. */ +#define DNS_RESOURCE_KEY_STRING_MAX (_DNS_CLASS_STRING_MAX + _DNS_TYPE_STRING_MAX + DNS_HOSTNAME_MAX + 1) + +char* dns_resource_key_to_string(const DnsResourceKey *key, char *buf, size_t buf_size); +ssize_t dns_resource_record_payload(DnsResourceRecord *rr, void **out); + +DEFINE_TRIVIAL_CLEANUP_FUNC(DnsResourceKey*, dns_resource_key_unref); + +static inline bool dns_key_is_shared(const DnsResourceKey *key) { +        return IN_SET(key->type, DNS_TYPE_PTR); +} + +bool dns_resource_key_reduce(DnsResourceKey **a, DnsResourceKey **b); + +DnsResourceRecord* dns_resource_record_new(DnsResourceKey *key); +DnsResourceRecord* dns_resource_record_new_full(uint16_t class, uint16_t type, const char *name); +DnsResourceRecord* dns_resource_record_ref(DnsResourceRecord *rr); +DnsResourceRecord* dns_resource_record_unref(DnsResourceRecord *rr); +int dns_resource_record_new_reverse(DnsResourceRecord **ret, int family, const union in_addr_union *address, const char *name); +int dns_resource_record_new_address(DnsResourceRecord **ret, int family, const union in_addr_union *address, const char *name); +int dns_resource_record_equal(const DnsResourceRecord *a, const DnsResourceRecord *b); +const char* dns_resource_record_to_string(DnsResourceRecord *rr); +DnsResourceRecord *dns_resource_record_copy(DnsResourceRecord *rr); +DEFINE_TRIVIAL_CLEANUP_FUNC(DnsResourceRecord*, dns_resource_record_unref); + +int dns_resource_record_to_wire_format(DnsResourceRecord *rr, bool canonical); + +int dns_resource_record_signer(DnsResourceRecord *rr, const char **ret); +int dns_resource_record_source(DnsResourceRecord *rr, const char **ret); +int dns_resource_record_is_signer(DnsResourceRecord *rr, const char *zone); +int dns_resource_record_is_synthetic(DnsResourceRecord *rr); + +int dns_resource_record_clamp_ttl(DnsResourceRecord **rr, uint32_t max_ttl); + +DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i); +bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b); +DnsTxtItem *dns_txt_item_copy(DnsTxtItem *i); + +void dns_resource_record_hash_func(const void *i, struct siphash *state); + +extern const struct hash_ops dns_resource_key_hash_ops; +extern const struct hash_ops dns_resource_record_hash_ops; + +int dnssec_algorithm_to_string_alloc(int i, char **ret); +int dnssec_algorithm_from_string(const char *s) _pure_; + +int dnssec_digest_to_string_alloc(int i, char **ret); +int dnssec_digest_from_string(const char *s) _pure_; | 
