1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
7 #include "alloc-util.h"
8 #include "dns-domain.h"
9 #include "memory-util.h"
10 #include "resolved-dns-packet.h"
12 #include "string-table.h"
14 #include "unaligned.h"
18 #define EDNS0_OPT_DO (1<<15)
20 assert_cc(DNS_PACKET_SIZE_START
> DNS_PACKET_HEADER_SIZE
);
22 typedef struct DnsPacketRewinder
{
27 static void rewind_dns_packet(DnsPacketRewinder
*rewinder
) {
29 dns_packet_rewind(rewinder
->packet
, rewinder
->saved_rindex
);
32 #define REWINDER_INIT(p) { \
34 .saved_rindex = (p)->rindex, \
36 #define CANCEL_REWINDER(rewinder) do { (rewinder).packet = NULL; } while (0)
41 size_t min_alloc_dsize
,
48 assert(max_size
>= DNS_PACKET_HEADER_SIZE
);
50 if (max_size
> DNS_PACKET_SIZE_MAX
)
51 max_size
= DNS_PACKET_SIZE_MAX
;
53 /* The caller may not check what is going to be truly allocated, so do not allow to
54 * allocate a DNS packet bigger than DNS_PACKET_SIZE_MAX.
56 if (min_alloc_dsize
> DNS_PACKET_SIZE_MAX
)
57 return log_error_errno(SYNTHETIC_ERRNO(EFBIG
),
58 "Requested packet data size too big: %zu",
61 /* When dns_packet_new() is called with min_alloc_dsize == 0, allocate more than the
62 * absolute minimum (which is the dns packet header size), to avoid
63 * resizing immediately again after appending the first data to the packet.
65 if (min_alloc_dsize
< DNS_PACKET_HEADER_SIZE
)
66 a
= DNS_PACKET_SIZE_START
;
70 /* round up to next page size */
71 a
= PAGE_ALIGN(ALIGN(sizeof(DnsPacket
)) + a
) - ALIGN(sizeof(DnsPacket
));
73 /* make sure we never allocate more than useful */
77 p
= malloc0(ALIGN(sizeof(DnsPacket
)) + a
);
84 .size
= DNS_PACKET_HEADER_SIZE
,
85 .rindex
= DNS_PACKET_HEADER_SIZE
,
88 .opt_start
= SIZE_MAX
,
97 void dns_packet_set_flags(DnsPacket
*p
, bool dnssec_checking_disabled
, bool truncated
) {
103 h
= DNS_PACKET_HEADER(p
);
105 switch(p
->protocol
) {
106 case DNS_PROTOCOL_LLMNR
:
109 h
->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
120 case DNS_PROTOCOL_MDNS
:
121 h
->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
125 0 /* rd (ask for recursion) */,
135 h
->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
139 1 /* rd (ask for recursion) */,
142 dnssec_checking_disabled
/* cd */,
147 int dns_packet_new_query(DnsPacket
**ret
, DnsProtocol protocol
, size_t min_alloc_dsize
, bool dnssec_checking_disabled
) {
153 r
= dns_packet_new(&p
, protocol
, min_alloc_dsize
, DNS_PACKET_SIZE_MAX
);
157 /* Always set the TC bit to 0 initially.
158 * If there are multiple packets later, we'll update the bit shortly before sending.
160 dns_packet_set_flags(p
, dnssec_checking_disabled
, false);
166 int dns_packet_dup(DnsPacket
**ret
, DnsPacket
*p
) {
173 r
= dns_packet_validate(p
);
177 c
= malloc(ALIGN(sizeof(DnsPacket
)) + p
->size
);
183 .protocol
= p
->protocol
,
185 .rindex
= DNS_PACKET_HEADER_SIZE
,
186 .allocated
= p
->size
,
187 .max_size
= p
->max_size
,
188 .opt_start
= SIZE_MAX
,
189 .opt_size
= SIZE_MAX
,
192 memcpy(DNS_PACKET_DATA(c
), DNS_PACKET_DATA(p
), p
->size
);
198 DnsPacket
*dns_packet_ref(DnsPacket
*p
) {
203 assert(!p
->on_stack
);
205 assert(p
->n_ref
> 0);
210 static void dns_packet_free(DnsPacket
*p
) {
215 dns_question_unref(p
->question
);
216 dns_answer_unref(p
->answer
);
217 dns_resource_record_unref(p
->opt
);
219 while ((s
= hashmap_steal_first_key(p
->names
)))
221 hashmap_free(p
->names
);
229 DnsPacket
*dns_packet_unref(DnsPacket
*p
) {
233 assert(p
->n_ref
> 0);
235 dns_packet_unref(p
->more
);
245 int dns_packet_validate(DnsPacket
*p
) {
248 if (p
->size
< DNS_PACKET_HEADER_SIZE
)
251 if (p
->size
> DNS_PACKET_SIZE_MAX
)
257 int dns_packet_validate_reply(DnsPacket
*p
) {
262 r
= dns_packet_validate(p
);
266 if (DNS_PACKET_QR(p
) != 1)
269 if (DNS_PACKET_OPCODE(p
) != 0)
272 switch (p
->protocol
) {
274 case DNS_PROTOCOL_LLMNR
:
275 /* RFC 4795, Section 2.1.1. says to discard all replies with QDCOUNT != 1 */
276 if (DNS_PACKET_QDCOUNT(p
) != 1)
281 case DNS_PROTOCOL_MDNS
:
282 /* RFC 6762, Section 18 */
283 if (DNS_PACKET_RCODE(p
) != 0)
295 int dns_packet_validate_query(DnsPacket
*p
) {
300 r
= dns_packet_validate(p
);
304 if (DNS_PACKET_QR(p
) != 0)
307 if (DNS_PACKET_OPCODE(p
) != 0)
310 if (DNS_PACKET_TC(p
))
313 switch (p
->protocol
) {
315 case DNS_PROTOCOL_LLMNR
:
316 case DNS_PROTOCOL_DNS
:
317 /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */
318 if (DNS_PACKET_QDCOUNT(p
) != 1)
321 /* RFC 4795, Section 2.1.1. says to discard all queries with ANCOUNT != 0 */
322 if (DNS_PACKET_ANCOUNT(p
) > 0)
325 /* RFC 4795, Section 2.1.1. says to discard all queries with NSCOUNT != 0 */
326 if (DNS_PACKET_NSCOUNT(p
) > 0)
331 case DNS_PROTOCOL_MDNS
:
332 /* RFC 6762, Section 18 specifies that messages with non-zero RCODE
333 * must be silently ignored, and that we must ignore the values of
334 * AA, RD, RA, AD, and CD bits. */
335 if (DNS_PACKET_RCODE(p
) != 0)
347 static int dns_packet_extend(DnsPacket
*p
, size_t add
, void **ret
, size_t *start
) {
350 if (p
->size
+ add
> p
->allocated
) {
353 a
= PAGE_ALIGN((p
->size
+ add
) * 2);
355 ms
= dns_packet_size_max(p
);
359 if (p
->size
+ add
> a
)
365 d
= realloc(p
->_data
, a
);
371 p
->_data
= malloc(a
);
375 memcpy(p
->_data
, (uint8_t*) p
+ ALIGN(sizeof(DnsPacket
)), p
->size
);
376 memzero((uint8_t*) p
->_data
+ p
->size
, a
- p
->size
);
386 *ret
= (uint8_t*) DNS_PACKET_DATA(p
) + p
->size
;
392 void dns_packet_truncate(DnsPacket
*p
, size_t sz
) {
401 HASHMAP_FOREACH_KEY(n
, s
, p
->names
) {
403 if (PTR_TO_SIZE(n
) < sz
)
406 hashmap_remove(p
->names
, s
);
413 int dns_packet_append_blob(DnsPacket
*p
, const void *d
, size_t l
, size_t *start
) {
419 r
= dns_packet_extend(p
, l
, &q
, start
);
423 memcpy_safe(q
, d
, l
);
427 int dns_packet_append_uint8(DnsPacket
*p
, uint8_t v
, size_t *start
) {
433 r
= dns_packet_extend(p
, sizeof(uint8_t), &d
, start
);
437 ((uint8_t*) d
)[0] = v
;
442 int dns_packet_append_uint16(DnsPacket
*p
, uint16_t v
, size_t *start
) {
448 r
= dns_packet_extend(p
, sizeof(uint16_t), &d
, start
);
452 unaligned_write_be16(d
, v
);
457 int dns_packet_append_uint32(DnsPacket
*p
, uint32_t v
, size_t *start
) {
463 r
= dns_packet_extend(p
, sizeof(uint32_t), &d
, start
);
467 unaligned_write_be32(d
, v
);
472 int dns_packet_append_string(DnsPacket
*p
, const char *s
, size_t *start
) {
476 return dns_packet_append_raw_string(p
, s
, strlen(s
), start
);
479 int dns_packet_append_raw_string(DnsPacket
*p
, const void *s
, size_t size
, size_t *start
) {
484 assert(s
|| size
== 0);
489 r
= dns_packet_extend(p
, 1 + size
, &d
, start
);
493 ((uint8_t*) d
)[0] = (uint8_t) size
;
495 memcpy_safe(((uint8_t*) d
) + 1, s
, size
);
500 int dns_packet_append_label(DnsPacket
*p
, const char *d
, size_t l
, bool canonical_candidate
, size_t *start
) {
504 /* Append a label to a packet. Optionally, does this in DNSSEC
505 * canonical form, if this label is marked as a candidate for
506 * it, and the canonical form logic is enabled for the
512 if (l
> DNS_LABEL_MAX
)
515 r
= dns_packet_extend(p
, 1 + l
, (void**) &w
, start
);
519 *(w
++) = (uint8_t) l
;
521 if (p
->canonical_form
&& canonical_candidate
)
522 /* Generate in canonical form, as defined by DNSSEC
523 * RFC 4034, Section 6.2, i.e. all lower-case. */
524 for (size_t i
= 0; i
< l
; i
++)
525 w
[i
] = (uint8_t) ascii_tolower(d
[i
]);
527 /* Otherwise, just copy the string unaltered. This is
528 * essential for DNS-SD, where the casing of labels
529 * matters and needs to be retained. */
535 int dns_packet_append_name(
538 bool allow_compression
,
539 bool canonical_candidate
,
548 if (p
->refuse_compression
)
549 allow_compression
= false;
551 saved_size
= p
->size
;
553 while (!dns_name_is_root(name
)) {
554 const char *z
= name
;
555 char label
[DNS_LABEL_MAX
];
558 if (allow_compression
)
559 n
= PTR_TO_SIZE(hashmap_get(p
->names
, name
));
564 r
= dns_packet_append_uint16(p
, 0xC000 | n
, NULL
);
572 r
= dns_label_unescape(&name
, label
, sizeof label
, 0);
576 r
= dns_packet_append_label(p
, label
, r
, canonical_candidate
, &n
);
580 if (allow_compression
) {
581 _cleanup_free_
char *s
= NULL
;
589 r
= hashmap_ensure_put(&p
->names
, &dns_name_hash_ops
, s
, SIZE_TO_PTR(n
));
597 r
= dns_packet_append_uint8(p
, 0, NULL
);
608 dns_packet_truncate(p
, saved_size
);
612 int dns_packet_append_key(DnsPacket
*p
, const DnsResourceKey
*k
, const DnsAnswerFlags flags
, size_t *start
) {
620 saved_size
= p
->size
;
622 r
= dns_packet_append_name(p
, dns_resource_key_name(k
), true, true, NULL
);
626 r
= dns_packet_append_uint16(p
, k
->type
, NULL
);
630 class = flags
& DNS_ANSWER_CACHE_FLUSH
? k
->class | MDNS_RR_CACHE_FLUSH_OR_QU
: k
->class;
631 r
= dns_packet_append_uint16(p
, class, NULL
);
641 dns_packet_truncate(p
, saved_size
);
645 static int dns_packet_append_type_window(DnsPacket
*p
, uint8_t window
, uint8_t length
, const uint8_t *types
, size_t *start
) {
653 saved_size
= p
->size
;
655 r
= dns_packet_append_uint8(p
, window
, NULL
);
659 r
= dns_packet_append_uint8(p
, length
, NULL
);
663 r
= dns_packet_append_blob(p
, types
, length
, NULL
);
672 dns_packet_truncate(p
, saved_size
);
676 static int dns_packet_append_types(DnsPacket
*p
, Bitmap
*types
, size_t *start
) {
679 uint8_t bitmaps
[32] = {};
686 saved_size
= p
->size
;
688 BITMAP_FOREACH(n
, types
) {
691 if ((n
>> 8) != window
&& bitmaps
[entry
/ 8] != 0) {
692 r
= dns_packet_append_type_window(p
, window
, entry
/ 8 + 1, bitmaps
, NULL
);
702 bitmaps
[entry
/ 8] |= 1 << (7 - (entry
% 8));
705 if (bitmaps
[entry
/ 8] != 0) {
706 r
= dns_packet_append_type_window(p
, window
, entry
/ 8 + 1, bitmaps
, NULL
);
716 dns_packet_truncate(p
, saved_size
);
720 /* Append the OPT pseudo-RR described in RFC6891 */
721 int dns_packet_append_opt(
723 uint16_t max_udp_size
,
725 bool include_rfc6975
,
734 /* we must never advertise supported packet size smaller than the legacy max */
735 assert(max_udp_size
>= DNS_PACKET_UNICAST_SIZE_MAX
);
737 assert(rcode
<= _DNS_RCODE_MAX
);
739 if (p
->opt_start
!= SIZE_MAX
)
742 assert(p
->opt_size
== SIZE_MAX
);
744 saved_size
= p
->size
;
747 r
= dns_packet_append_uint8(p
, 0, NULL
);
752 r
= dns_packet_append_uint16(p
, DNS_TYPE_OPT
, NULL
);
756 /* class: maximum udp packet that can be received */
757 r
= dns_packet_append_uint16(p
, max_udp_size
, NULL
);
761 /* extended RCODE and VERSION */
762 r
= dns_packet_append_uint16(p
, ((uint16_t) rcode
& 0x0FF0) << 4, NULL
);
766 /* flags: DNSSEC OK (DO), see RFC3225 */
767 r
= dns_packet_append_uint16(p
, edns0_do
? EDNS0_OPT_DO
: 0, NULL
);
771 if (edns0_do
&& include_rfc6975
) {
772 /* If DO is on and this is requested, also append RFC6975 Algorithm data. This is supposed to
773 * be done on queries, not on replies, hencer callers should turn this off when finishing off
776 static const uint8_t rfc6975
[] = {
778 0, 5, /* OPTION_CODE: DAU */
779 #if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
780 0, 7, /* LIST_LENGTH */
782 0, 6, /* LIST_LENGTH */
784 DNSSEC_ALGORITHM_RSASHA1
,
785 DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1
,
786 DNSSEC_ALGORITHM_RSASHA256
,
787 DNSSEC_ALGORITHM_RSASHA512
,
788 DNSSEC_ALGORITHM_ECDSAP256SHA256
,
789 DNSSEC_ALGORITHM_ECDSAP384SHA384
,
790 #if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
791 DNSSEC_ALGORITHM_ED25519
,
794 0, 6, /* OPTION_CODE: DHU */
795 0, 3, /* LIST_LENGTH */
797 DNSSEC_DIGEST_SHA256
,
798 DNSSEC_DIGEST_SHA384
,
800 0, 7, /* OPTION_CODE: N3U */
801 0, 1, /* LIST_LENGTH */
802 NSEC3_ALGORITHM_SHA1
,
805 r
= dns_packet_append_uint16(p
, sizeof(rfc6975
), NULL
); /* RDLENGTH */
809 r
= dns_packet_append_blob(p
, rfc6975
, sizeof(rfc6975
), NULL
); /* the payload, as defined above */
813 if (strlen(nsid
) > UINT16_MAX
- 4) {
818 r
= dns_packet_append_uint16(p
, 4 + strlen(nsid
), NULL
); /* RDLENGTH */
822 r
= dns_packet_append_uint16(p
, 3, NULL
); /* OPTION-CODE: NSID */
826 r
= dns_packet_append_uint16(p
, strlen(nsid
), NULL
); /* OPTION-LENGTH */
830 r
= dns_packet_append_blob(p
, nsid
, strlen(nsid
), NULL
);
832 r
= dns_packet_append_uint16(p
, 0, NULL
);
836 DNS_PACKET_HEADER(p
)->arcount
= htobe16(DNS_PACKET_ARCOUNT(p
) + 1);
838 p
->opt_start
= saved_size
;
839 p
->opt_size
= p
->size
- saved_size
;
842 *ret_start
= saved_size
;
847 dns_packet_truncate(p
, saved_size
);
851 int dns_packet_truncate_opt(DnsPacket
*p
) {
854 if (p
->opt_start
== SIZE_MAX
) {
855 assert(p
->opt_size
== SIZE_MAX
);
859 assert(p
->opt_size
!= SIZE_MAX
);
860 assert(DNS_PACKET_ARCOUNT(p
) > 0);
862 if (p
->opt_start
+ p
->opt_size
!= p
->size
)
865 dns_packet_truncate(p
, p
->opt_start
);
866 DNS_PACKET_HEADER(p
)->arcount
= htobe16(DNS_PACKET_ARCOUNT(p
) - 1);
867 p
->opt_start
= p
->opt_size
= SIZE_MAX
;
872 int dns_packet_append_rr(DnsPacket
*p
, const DnsResourceRecord
*rr
, const DnsAnswerFlags flags
, size_t *start
, size_t *rdata_start
) {
874 size_t saved_size
, rdlength_offset
, end
, rdlength
, rds
;
881 saved_size
= p
->size
;
883 r
= dns_packet_append_key(p
, rr
->key
, flags
, NULL
);
887 ttl
= flags
& DNS_ANSWER_GOODBYE
? 0 : rr
->ttl
;
888 r
= dns_packet_append_uint32(p
, ttl
, NULL
);
892 /* Initially we write 0 here */
893 r
= dns_packet_append_uint16(p
, 0, &rdlength_offset
);
897 rds
= p
->size
- saved_size
;
899 switch (rr
->unparsable
? _DNS_TYPE_INVALID
: rr
->key
->type
) {
902 r
= dns_packet_append_uint16(p
, rr
->srv
.priority
, NULL
);
906 r
= dns_packet_append_uint16(p
, rr
->srv
.weight
, NULL
);
910 r
= dns_packet_append_uint16(p
, rr
->srv
.port
, NULL
);
914 /* RFC 2782 states "Unless and until permitted by future standards
915 * action, name compression is not to be used for this field." */
916 r
= dns_packet_append_name(p
, rr
->srv
.name
, false, true, NULL
);
923 r
= dns_packet_append_name(p
, rr
->ptr
.name
, true, true, NULL
);
927 r
= dns_packet_append_string(p
, rr
->hinfo
.cpu
, NULL
);
931 r
= dns_packet_append_string(p
, rr
->hinfo
.os
, NULL
);
934 case DNS_TYPE_SPF
: /* exactly the same as TXT */
937 if (!rr
->txt
.items
) {
938 /* RFC 6763, section 6.1 suggests to generate
939 * single empty string for an empty array. */
941 r
= dns_packet_append_raw_string(p
, NULL
, 0, NULL
);
947 LIST_FOREACH(items
, i
, rr
->txt
.items
) {
948 r
= dns_packet_append_raw_string(p
, i
->data
, i
->length
, NULL
);
958 r
= dns_packet_append_blob(p
, &rr
->a
.in_addr
, sizeof(struct in_addr
), NULL
);
962 r
= dns_packet_append_blob(p
, &rr
->aaaa
.in6_addr
, sizeof(struct in6_addr
), NULL
);
966 r
= dns_packet_append_name(p
, rr
->soa
.mname
, true, true, NULL
);
970 r
= dns_packet_append_name(p
, rr
->soa
.rname
, true, true, NULL
);
974 r
= dns_packet_append_uint32(p
, rr
->soa
.serial
, NULL
);
978 r
= dns_packet_append_uint32(p
, rr
->soa
.refresh
, NULL
);
982 r
= dns_packet_append_uint32(p
, rr
->soa
.retry
, NULL
);
986 r
= dns_packet_append_uint32(p
, rr
->soa
.expire
, NULL
);
990 r
= dns_packet_append_uint32(p
, rr
->soa
.minimum
, NULL
);
994 r
= dns_packet_append_uint16(p
, rr
->mx
.priority
, NULL
);
998 r
= dns_packet_append_name(p
, rr
->mx
.exchange
, true, true, NULL
);
1002 r
= dns_packet_append_uint8(p
, rr
->loc
.version
, NULL
);
1006 r
= dns_packet_append_uint8(p
, rr
->loc
.size
, NULL
);
1010 r
= dns_packet_append_uint8(p
, rr
->loc
.horiz_pre
, NULL
);
1014 r
= dns_packet_append_uint8(p
, rr
->loc
.vert_pre
, NULL
);
1018 r
= dns_packet_append_uint32(p
, rr
->loc
.latitude
, NULL
);
1022 r
= dns_packet_append_uint32(p
, rr
->loc
.longitude
, NULL
);
1026 r
= dns_packet_append_uint32(p
, rr
->loc
.altitude
, NULL
);
1030 r
= dns_packet_append_uint16(p
, rr
->ds
.key_tag
, NULL
);
1034 r
= dns_packet_append_uint8(p
, rr
->ds
.algorithm
, NULL
);
1038 r
= dns_packet_append_uint8(p
, rr
->ds
.digest_type
, NULL
);
1042 r
= dns_packet_append_blob(p
, rr
->ds
.digest
, rr
->ds
.digest_size
, NULL
);
1045 case DNS_TYPE_SSHFP
:
1046 r
= dns_packet_append_uint8(p
, rr
->sshfp
.algorithm
, NULL
);
1050 r
= dns_packet_append_uint8(p
, rr
->sshfp
.fptype
, NULL
);
1054 r
= dns_packet_append_blob(p
, rr
->sshfp
.fingerprint
, rr
->sshfp
.fingerprint_size
, NULL
);
1057 case DNS_TYPE_DNSKEY
:
1058 r
= dns_packet_append_uint16(p
, rr
->dnskey
.flags
, NULL
);
1062 r
= dns_packet_append_uint8(p
, rr
->dnskey
.protocol
, NULL
);
1066 r
= dns_packet_append_uint8(p
, rr
->dnskey
.algorithm
, NULL
);
1070 r
= dns_packet_append_blob(p
, rr
->dnskey
.key
, rr
->dnskey
.key_size
, NULL
);
1073 case DNS_TYPE_RRSIG
:
1074 r
= dns_packet_append_uint16(p
, rr
->rrsig
.type_covered
, NULL
);
1078 r
= dns_packet_append_uint8(p
, rr
->rrsig
.algorithm
, NULL
);
1082 r
= dns_packet_append_uint8(p
, rr
->rrsig
.labels
, NULL
);
1086 r
= dns_packet_append_uint32(p
, rr
->rrsig
.original_ttl
, NULL
);
1090 r
= dns_packet_append_uint32(p
, rr
->rrsig
.expiration
, NULL
);
1094 r
= dns_packet_append_uint32(p
, rr
->rrsig
.inception
, NULL
);
1098 r
= dns_packet_append_uint16(p
, rr
->rrsig
.key_tag
, NULL
);
1102 r
= dns_packet_append_name(p
, rr
->rrsig
.signer
, false, true, NULL
);
1106 r
= dns_packet_append_blob(p
, rr
->rrsig
.signature
, rr
->rrsig
.signature_size
, NULL
);
1110 r
= dns_packet_append_name(p
, rr
->nsec
.next_domain_name
, false, false, NULL
);
1114 r
= dns_packet_append_types(p
, rr
->nsec
.types
, NULL
);
1120 case DNS_TYPE_NSEC3
:
1121 r
= dns_packet_append_uint8(p
, rr
->nsec3
.algorithm
, NULL
);
1125 r
= dns_packet_append_uint8(p
, rr
->nsec3
.flags
, NULL
);
1129 r
= dns_packet_append_uint16(p
, rr
->nsec3
.iterations
, NULL
);
1133 r
= dns_packet_append_uint8(p
, rr
->nsec3
.salt_size
, NULL
);
1137 r
= dns_packet_append_blob(p
, rr
->nsec3
.salt
, rr
->nsec3
.salt_size
, NULL
);
1141 r
= dns_packet_append_uint8(p
, rr
->nsec3
.next_hashed_name_size
, NULL
);
1145 r
= dns_packet_append_blob(p
, rr
->nsec3
.next_hashed_name
, rr
->nsec3
.next_hashed_name_size
, NULL
);
1149 r
= dns_packet_append_types(p
, rr
->nsec3
.types
, NULL
);
1156 r
= dns_packet_append_uint8(p
, rr
->tlsa
.cert_usage
, NULL
);
1160 r
= dns_packet_append_uint8(p
, rr
->tlsa
.selector
, NULL
);
1164 r
= dns_packet_append_uint8(p
, rr
->tlsa
.matching_type
, NULL
);
1168 r
= dns_packet_append_blob(p
, rr
->tlsa
.data
, rr
->tlsa
.data_size
, NULL
);
1172 r
= dns_packet_append_uint8(p
, rr
->caa
.flags
, NULL
);
1176 r
= dns_packet_append_string(p
, rr
->caa
.tag
, NULL
);
1180 r
= dns_packet_append_blob(p
, rr
->caa
.value
, rr
->caa
.value_size
, NULL
);
1184 case DNS_TYPE_OPENPGPKEY
:
1185 case _DNS_TYPE_INVALID
: /* unparsable */
1188 r
= dns_packet_append_blob(p
, rr
->generic
.data
, rr
->generic
.data_size
, NULL
);
1194 /* Let's calculate the actual data size and update the field */
1195 rdlength
= p
->size
- rdlength_offset
- sizeof(uint16_t);
1196 if (rdlength
> 0xFFFF) {
1202 p
->size
= rdlength_offset
;
1203 r
= dns_packet_append_uint16(p
, rdlength
, NULL
);
1209 *start
= saved_size
;
1217 dns_packet_truncate(p
, saved_size
);
1221 int dns_packet_append_question(DnsPacket
*p
, DnsQuestion
*q
) {
1222 DnsResourceKey
*key
;
1227 DNS_QUESTION_FOREACH(key
, q
) {
1228 r
= dns_packet_append_key(p
, key
, 0, NULL
);
1236 int dns_packet_append_answer(DnsPacket
*p
, DnsAnswer
*a
, unsigned *completed
) {
1237 DnsResourceRecord
*rr
;
1238 DnsAnswerFlags flags
;
1243 DNS_ANSWER_FOREACH_FLAGS(rr
, flags
, a
) {
1244 r
= dns_packet_append_rr(p
, rr
, flags
, NULL
, NULL
);
1255 int dns_packet_read(DnsPacket
*p
, size_t sz
, const void **ret
, size_t *start
) {
1258 if (p
->rindex
+ sz
> p
->size
)
1262 *ret
= (uint8_t*) DNS_PACKET_DATA(p
) + p
->rindex
;
1271 void dns_packet_rewind(DnsPacket
*p
, size_t idx
) {
1273 assert(idx
<= p
->size
);
1274 assert(idx
>= DNS_PACKET_HEADER_SIZE
);
1279 int dns_packet_read_blob(DnsPacket
*p
, void *d
, size_t sz
, size_t *start
) {
1286 r
= dns_packet_read(p
, sz
, &q
, start
);
1294 static int dns_packet_read_memdup(
1295 DnsPacket
*p
, size_t size
,
1296 void **ret
, size_t *ret_size
,
1297 size_t *ret_start
) {
1306 r
= dns_packet_read(p
, size
, &src
, &start
);
1315 copy
= memdup(src
, size
);
1330 int dns_packet_read_uint8(DnsPacket
*p
, uint8_t *ret
, size_t *start
) {
1336 r
= dns_packet_read(p
, sizeof(uint8_t), &d
, start
);
1340 *ret
= ((uint8_t*) d
)[0];
1344 int dns_packet_read_uint16(DnsPacket
*p
, uint16_t *ret
, size_t *start
) {
1350 r
= dns_packet_read(p
, sizeof(uint16_t), &d
, start
);
1355 *ret
= unaligned_read_be16(d
);
1360 int dns_packet_read_uint32(DnsPacket
*p
, uint32_t *ret
, size_t *start
) {
1366 r
= dns_packet_read(p
, sizeof(uint32_t), &d
, start
);
1370 *ret
= unaligned_read_be32(d
);
1375 int dns_packet_read_string(DnsPacket
*p
, char **ret
, size_t *start
) {
1378 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= REWINDER_INIT(p
);
1384 r
= dns_packet_read_uint8(p
, &c
, NULL
);
1388 r
= dns_packet_read(p
, c
, &d
, NULL
);
1392 if (memchr(d
, 0, c
))
1399 if (!utf8_is_valid(t
)) {
1407 *start
= rewinder
.saved_rindex
;
1408 CANCEL_REWINDER(rewinder
);
1413 int dns_packet_read_raw_string(DnsPacket
*p
, const void **ret
, size_t *size
, size_t *start
) {
1416 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= REWINDER_INIT(p
);
1420 r
= dns_packet_read_uint8(p
, &c
, NULL
);
1424 r
= dns_packet_read(p
, c
, ret
, NULL
);
1431 *start
= rewinder
.saved_rindex
;
1432 CANCEL_REWINDER(rewinder
);
1437 int dns_packet_read_name(
1440 bool allow_compression
,
1441 size_t *ret_start
) {
1445 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= REWINDER_INIT(p
);
1446 size_t after_rindex
= 0, jump_barrier
= p
->rindex
;
1447 _cleanup_free_
char *name
= NULL
;
1452 if (p
->refuse_compression
)
1453 allow_compression
= false;
1458 r
= dns_packet_read_uint8(p
, &c
, NULL
);
1469 r
= dns_packet_read(p
, c
, (const void**) &label
, NULL
);
1473 if (!GREEDY_REALLOC(name
, n
+ !first
+ DNS_LABEL_ESCAPED_MAX
))
1481 r
= dns_label_escape(label
, c
, name
+ n
, DNS_LABEL_ESCAPED_MAX
);
1487 } else if (allow_compression
&& FLAGS_SET(c
, 0xc0)) {
1491 r
= dns_packet_read_uint8(p
, &d
, NULL
);
1495 ptr
= (uint16_t) (c
& ~0xc0) << 8 | (uint16_t) d
;
1496 if (ptr
< DNS_PACKET_HEADER_SIZE
|| ptr
>= jump_barrier
)
1499 if (after_rindex
== 0)
1500 after_rindex
= p
->rindex
;
1502 /* Jumps are limited to a "prior occurrence" (RFC-1035 4.1.4) */
1509 if (!GREEDY_REALLOC(name
, n
+ 1))
1514 if (after_rindex
!= 0)
1515 p
->rindex
= after_rindex
;
1518 *ret
= TAKE_PTR(name
);
1520 *ret_start
= rewinder
.saved_rindex
;
1522 CANCEL_REWINDER(rewinder
);
1527 static int dns_packet_read_type_window(DnsPacket
*p
, Bitmap
**types
, size_t *start
) {
1531 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= REWINDER_INIT(p
);
1532 uint8_t window
, length
;
1533 const uint8_t *bitmap
;
1538 r
= bitmap_ensure_allocated(types
);
1542 r
= dns_packet_read_uint8(p
, &window
, NULL
);
1546 r
= dns_packet_read_uint8(p
, &length
, NULL
);
1550 if (length
== 0 || length
> 32)
1553 r
= dns_packet_read(p
, length
, (const void **)&bitmap
, NULL
);
1557 for (uint8_t i
= 0; i
< length
; i
++) {
1558 uint8_t bitmask
= 1 << 7;
1568 for (; bitmask
; bit
++, bitmask
>>= 1)
1569 if (bitmap
[i
] & bitmask
) {
1572 n
= (uint16_t) window
<< 8 | (uint16_t) bit
;
1574 /* Ignore pseudo-types. see RFC4034 section 4.1.2 */
1575 if (dns_type_is_pseudo(n
))
1578 r
= bitmap_set(*types
, n
);
1588 *start
= rewinder
.saved_rindex
;
1589 CANCEL_REWINDER(rewinder
);
1594 static int dns_packet_read_type_windows(DnsPacket
*p
, Bitmap
**types
, size_t size
, size_t *start
) {
1595 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= REWINDER_INIT(p
);
1598 while (p
->rindex
< rewinder
.saved_rindex
+ size
) {
1599 r
= dns_packet_read_type_window(p
, types
, NULL
);
1603 /* don't read past end of current RR */
1604 if (p
->rindex
> rewinder
.saved_rindex
+ size
)
1608 if (p
->rindex
!= rewinder
.saved_rindex
+ size
)
1612 *start
= rewinder
.saved_rindex
;
1613 CANCEL_REWINDER(rewinder
);
1618 int dns_packet_read_key(
1620 DnsResourceKey
**ret
,
1621 bool *ret_cache_flush_or_qu
,
1622 size_t *ret_start
) {
1626 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= REWINDER_INIT(p
);
1627 _cleanup_free_
char *name
= NULL
;
1628 bool cache_flush_or_qu
= false;
1629 uint16_t class, type
;
1632 r
= dns_packet_read_name(p
, &name
, true, NULL
);
1636 r
= dns_packet_read_uint16(p
, &type
, NULL
);
1640 r
= dns_packet_read_uint16(p
, &class, NULL
);
1644 if (p
->protocol
== DNS_PROTOCOL_MDNS
) {
1645 /* See RFC6762, sections 5.4 and 10.2 */
1647 if (type
!= DNS_TYPE_OPT
&& (class & MDNS_RR_CACHE_FLUSH_OR_QU
)) {
1648 class &= ~MDNS_RR_CACHE_FLUSH_OR_QU
;
1649 cache_flush_or_qu
= true;
1654 DnsResourceKey
*key
;
1656 key
= dns_resource_key_new_consume(class, type
, name
);
1664 if (ret_cache_flush_or_qu
)
1665 *ret_cache_flush_or_qu
= cache_flush_or_qu
;
1667 *ret_start
= rewinder
.saved_rindex
;
1669 CANCEL_REWINDER(rewinder
);
1673 static bool loc_size_ok(uint8_t size
) {
1674 uint8_t m
= size
>> 4, e
= size
& 0xF;
1676 return m
<= 9 && e
<= 9 && (m
> 0 || e
== 0);
1679 int dns_packet_read_rr(
1681 DnsResourceRecord
**ret
,
1682 bool *ret_cache_flush
,
1683 size_t *ret_start
) {
1687 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= REWINDER_INIT(p
);
1688 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
1689 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
1695 r
= dns_packet_read_key(p
, &key
, &cache_flush
, NULL
);
1699 if (!dns_class_is_valid_rr(key
->class) || !dns_type_is_valid_rr(key
->type
))
1702 rr
= dns_resource_record_new(key
);
1706 r
= dns_packet_read_uint32(p
, &rr
->ttl
, NULL
);
1710 /* RFC 2181, Section 8, suggests to
1711 * treat a TTL with the MSB set as a zero TTL. */
1712 if (rr
->ttl
& UINT32_C(0x80000000))
1715 r
= dns_packet_read_uint16(p
, &rdlength
, NULL
);
1719 if (p
->rindex
+ rdlength
> p
->size
)
1724 switch (rr
->key
->type
) {
1727 r
= dns_packet_read_uint16(p
, &rr
->srv
.priority
, NULL
);
1730 r
= dns_packet_read_uint16(p
, &rr
->srv
.weight
, NULL
);
1733 r
= dns_packet_read_uint16(p
, &rr
->srv
.port
, NULL
);
1736 r
= dns_packet_read_name(p
, &rr
->srv
.name
, true, NULL
);
1741 case DNS_TYPE_CNAME
:
1742 case DNS_TYPE_DNAME
:
1743 r
= dns_packet_read_name(p
, &rr
->ptr
.name
, true, NULL
);
1746 case DNS_TYPE_HINFO
:
1747 r
= dns_packet_read_string(p
, &rr
->hinfo
.cpu
, NULL
);
1751 r
= dns_packet_read_string(p
, &rr
->hinfo
.os
, NULL
);
1754 case DNS_TYPE_SPF
: /* exactly the same as TXT */
1756 if (rdlength
<= 0) {
1757 r
= dns_txt_item_new_empty(&rr
->txt
.items
);
1761 DnsTxtItem
*last
= NULL
;
1763 while (p
->rindex
< offset
+ rdlength
) {
1768 r
= dns_packet_read_raw_string(p
, &data
, &sz
, NULL
);
1772 i
= malloc0(offsetof(DnsTxtItem
, data
) + sz
+ 1); /* extra NUL byte at the end */
1776 memcpy(i
->data
, data
, sz
);
1779 LIST_INSERT_AFTER(items
, rr
->txt
.items
, last
, i
);
1788 r
= dns_packet_read_blob(p
, &rr
->a
.in_addr
, sizeof(struct in_addr
), NULL
);
1792 r
= dns_packet_read_blob(p
, &rr
->aaaa
.in6_addr
, sizeof(struct in6_addr
), NULL
);
1796 r
= dns_packet_read_name(p
, &rr
->soa
.mname
, true, NULL
);
1800 r
= dns_packet_read_name(p
, &rr
->soa
.rname
, true, NULL
);
1804 r
= dns_packet_read_uint32(p
, &rr
->soa
.serial
, NULL
);
1808 r
= dns_packet_read_uint32(p
, &rr
->soa
.refresh
, NULL
);
1812 r
= dns_packet_read_uint32(p
, &rr
->soa
.retry
, NULL
);
1816 r
= dns_packet_read_uint32(p
, &rr
->soa
.expire
, NULL
);
1820 r
= dns_packet_read_uint32(p
, &rr
->soa
.minimum
, NULL
);
1824 r
= dns_packet_read_uint16(p
, &rr
->mx
.priority
, NULL
);
1828 r
= dns_packet_read_name(p
, &rr
->mx
.exchange
, true, NULL
);
1831 case DNS_TYPE_LOC
: {
1835 r
= dns_packet_read_uint8(p
, &t
, &pos
);
1840 rr
->loc
.version
= t
;
1842 r
= dns_packet_read_uint8(p
, &rr
->loc
.size
, NULL
);
1846 if (!loc_size_ok(rr
->loc
.size
))
1849 r
= dns_packet_read_uint8(p
, &rr
->loc
.horiz_pre
, NULL
);
1853 if (!loc_size_ok(rr
->loc
.horiz_pre
))
1856 r
= dns_packet_read_uint8(p
, &rr
->loc
.vert_pre
, NULL
);
1860 if (!loc_size_ok(rr
->loc
.vert_pre
))
1863 r
= dns_packet_read_uint32(p
, &rr
->loc
.latitude
, NULL
);
1867 r
= dns_packet_read_uint32(p
, &rr
->loc
.longitude
, NULL
);
1871 r
= dns_packet_read_uint32(p
, &rr
->loc
.altitude
, NULL
);
1877 dns_packet_rewind(p
, pos
);
1878 rr
->unparsable
= true;
1884 r
= dns_packet_read_uint16(p
, &rr
->ds
.key_tag
, NULL
);
1888 r
= dns_packet_read_uint8(p
, &rr
->ds
.algorithm
, NULL
);
1892 r
= dns_packet_read_uint8(p
, &rr
->ds
.digest_type
, NULL
);
1899 r
= dns_packet_read_memdup(p
, rdlength
- 4,
1900 &rr
->ds
.digest
, &rr
->ds
.digest_size
,
1905 if (rr
->ds
.digest_size
<= 0)
1906 /* the accepted size depends on the algorithm, but for now
1907 just ensure that the value is greater than zero */
1912 case DNS_TYPE_SSHFP
:
1913 r
= dns_packet_read_uint8(p
, &rr
->sshfp
.algorithm
, NULL
);
1917 r
= dns_packet_read_uint8(p
, &rr
->sshfp
.fptype
, NULL
);
1924 r
= dns_packet_read_memdup(p
, rdlength
- 2,
1925 &rr
->sshfp
.fingerprint
, &rr
->sshfp
.fingerprint_size
,
1928 if (rr
->sshfp
.fingerprint_size
<= 0)
1929 /* the accepted size depends on the algorithm, but for now
1930 just ensure that the value is greater than zero */
1935 case DNS_TYPE_DNSKEY
:
1936 r
= dns_packet_read_uint16(p
, &rr
->dnskey
.flags
, NULL
);
1940 r
= dns_packet_read_uint8(p
, &rr
->dnskey
.protocol
, NULL
);
1944 r
= dns_packet_read_uint8(p
, &rr
->dnskey
.algorithm
, NULL
);
1951 r
= dns_packet_read_memdup(p
, rdlength
- 4,
1952 &rr
->dnskey
.key
, &rr
->dnskey
.key_size
,
1955 if (rr
->dnskey
.key_size
<= 0)
1956 /* the accepted size depends on the algorithm, but for now
1957 just ensure that the value is greater than zero */
1962 case DNS_TYPE_RRSIG
:
1963 r
= dns_packet_read_uint16(p
, &rr
->rrsig
.type_covered
, NULL
);
1967 r
= dns_packet_read_uint8(p
, &rr
->rrsig
.algorithm
, NULL
);
1971 r
= dns_packet_read_uint8(p
, &rr
->rrsig
.labels
, NULL
);
1975 r
= dns_packet_read_uint32(p
, &rr
->rrsig
.original_ttl
, NULL
);
1979 r
= dns_packet_read_uint32(p
, &rr
->rrsig
.expiration
, NULL
);
1983 r
= dns_packet_read_uint32(p
, &rr
->rrsig
.inception
, NULL
);
1987 r
= dns_packet_read_uint16(p
, &rr
->rrsig
.key_tag
, NULL
);
1991 r
= dns_packet_read_name(p
, &rr
->rrsig
.signer
, false, NULL
);
1995 if (rdlength
+ offset
< p
->rindex
)
1998 r
= dns_packet_read_memdup(p
, offset
+ rdlength
- p
->rindex
,
1999 &rr
->rrsig
.signature
, &rr
->rrsig
.signature_size
,
2002 if (rr
->rrsig
.signature_size
<= 0)
2003 /* the accepted size depends on the algorithm, but for now
2004 just ensure that the value is greater than zero */
2009 case DNS_TYPE_NSEC
: {
2012 * RFC6762, section 18.14 explicitly states mDNS should use name compression.
2013 * This contradicts RFC3845, section 2.1.1
2016 bool allow_compressed
= p
->protocol
== DNS_PROTOCOL_MDNS
;
2018 r
= dns_packet_read_name(p
, &rr
->nsec
.next_domain_name
, allow_compressed
, NULL
);
2022 r
= dns_packet_read_type_windows(p
, &rr
->nsec
.types
, offset
+ rdlength
- p
->rindex
, NULL
);
2024 /* We accept empty NSEC bitmaps. The bit indicating the presence of the NSEC record itself
2025 * is redundant and in e.g., RFC4956 this fact is used to define a use for NSEC records
2026 * without the NSEC bit set. */
2030 case DNS_TYPE_NSEC3
: {
2033 r
= dns_packet_read_uint8(p
, &rr
->nsec3
.algorithm
, NULL
);
2037 r
= dns_packet_read_uint8(p
, &rr
->nsec3
.flags
, NULL
);
2041 r
= dns_packet_read_uint16(p
, &rr
->nsec3
.iterations
, NULL
);
2045 /* this may be zero */
2046 r
= dns_packet_read_uint8(p
, &size
, NULL
);
2050 r
= dns_packet_read_memdup(p
, size
, &rr
->nsec3
.salt
, &rr
->nsec3
.salt_size
, NULL
);
2054 r
= dns_packet_read_uint8(p
, &size
, NULL
);
2061 r
= dns_packet_read_memdup(p
, size
,
2062 &rr
->nsec3
.next_hashed_name
, &rr
->nsec3
.next_hashed_name_size
,
2067 r
= dns_packet_read_type_windows(p
, &rr
->nsec3
.types
, offset
+ rdlength
- p
->rindex
, NULL
);
2069 /* empty non-terminals can have NSEC3 records, so empty bitmaps are allowed */
2075 r
= dns_packet_read_uint8(p
, &rr
->tlsa
.cert_usage
, NULL
);
2079 r
= dns_packet_read_uint8(p
, &rr
->tlsa
.selector
, NULL
);
2083 r
= dns_packet_read_uint8(p
, &rr
->tlsa
.matching_type
, NULL
);
2090 r
= dns_packet_read_memdup(p
, rdlength
- 3,
2091 &rr
->tlsa
.data
, &rr
->tlsa
.data_size
,
2094 if (rr
->tlsa
.data_size
<= 0)
2095 /* the accepted size depends on the algorithm, but for now
2096 just ensure that the value is greater than zero */
2102 r
= dns_packet_read_uint8(p
, &rr
->caa
.flags
, NULL
);
2106 r
= dns_packet_read_string(p
, &rr
->caa
.tag
, NULL
);
2110 if (rdlength
+ offset
< p
->rindex
)
2113 r
= dns_packet_read_memdup(p
,
2114 rdlength
+ offset
- p
->rindex
,
2115 &rr
->caa
.value
, &rr
->caa
.value_size
, NULL
);
2119 case DNS_TYPE_OPT
: /* we only care about the header of OPT for now. */
2120 case DNS_TYPE_OPENPGPKEY
:
2123 r
= dns_packet_read_memdup(p
, rdlength
, &rr
->generic
.data
, &rr
->generic
.data_size
, NULL
);
2129 if (p
->rindex
!= offset
+ rdlength
)
2133 *ret
= TAKE_PTR(rr
);
2134 if (ret_cache_flush
)
2135 *ret_cache_flush
= cache_flush
;
2137 *ret_start
= rewinder
.saved_rindex
;
2139 CANCEL_REWINDER(rewinder
);
2143 static bool opt_is_good(DnsResourceRecord
*rr
, bool *rfc6975
) {
2145 bool found_dau_dhu_n3u
= false;
2148 /* Checks whether the specified OPT RR is well-formed and whether it contains RFC6975 data (which is not OK in
2152 assert(rr
->key
->type
== DNS_TYPE_OPT
);
2154 /* Check that the version is 0 */
2155 if (((rr
->ttl
>> 16) & UINT32_C(0xFF)) != 0) {
2157 return true; /* if it's not version 0, it's OK, but we will ignore the OPT field contents */
2161 l
= rr
->opt
.data_size
;
2163 uint16_t option_code
, option_length
;
2165 /* At least four bytes for OPTION-CODE and OPTION-LENGTH are required */
2169 option_code
= unaligned_read_be16(p
);
2170 option_length
= unaligned_read_be16(p
+ 2);
2172 if (l
< option_length
+ 4U)
2175 /* RFC 6975 DAU, DHU or N3U fields found. */
2176 if (IN_SET(option_code
, 5, 6, 7))
2177 found_dau_dhu_n3u
= true;
2179 p
+= option_length
+ 4U;
2180 l
-= option_length
+ 4U;
2183 *rfc6975
= found_dau_dhu_n3u
;
2187 static int dns_packet_extract_question(DnsPacket
*p
, DnsQuestion
**ret_question
) {
2188 _cleanup_(dns_question_unrefp
) DnsQuestion
*question
= NULL
;
2192 n
= DNS_PACKET_QDCOUNT(p
);
2194 question
= dns_question_new(n
);
2198 _cleanup_set_free_ Set
*keys
= NULL
; /* references to keys are kept by Question */
2200 keys
= set_new(&dns_resource_key_hash_ops
);
2204 r
= set_reserve(keys
, n
* 2); /* Higher multipliers give slightly higher efficiency through
2205 * hash collisions, but the gains quickly drop off after 2. */
2209 for (unsigned i
= 0; i
< n
; i
++) {
2210 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
2213 r
= dns_packet_read_key(p
, &key
, &qu
, NULL
);
2217 if (!dns_type_is_valid_query(key
->type
))
2220 r
= set_put(keys
, key
);
2224 /* Already in the Question, let's skip */
2227 r
= dns_question_add_raw(question
, key
, qu
? DNS_QUESTION_WANTS_UNICAST_REPLY
: 0);
2233 *ret_question
= TAKE_PTR(question
);
2238 static int dns_packet_extract_answer(DnsPacket
*p
, DnsAnswer
**ret_answer
) {
2239 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
2241 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*previous
= NULL
;
2242 bool bad_opt
= false;
2245 n
= DNS_PACKET_RRCOUNT(p
);
2249 answer
= dns_answer_new(n
);
2253 for (unsigned i
= 0; i
< n
; i
++) {
2254 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
2255 bool cache_flush
= false;
2258 if (p
->rindex
== p
->size
&& p
->opt
) {
2259 /* If we reached the end of the packet already, but there are still more RRs
2260 * declared, then that's a corrupt packet. Let's accept the packet anyway, since it's
2261 * apparently a common bug in routers. Let's however suppress OPT support in this
2262 * case, so that we force the rest of the logic into lowest DNS baseline support. Or
2263 * to say this differently: if the DNS server doesn't even get the RR counts right,
2264 * it's highly unlikely it gets EDNS right. */
2265 log_debug("More resource records declared in packet than included, suppressing OPT.");
2270 r
= dns_packet_read_rr(p
, &rr
, &cache_flush
, &start
);
2274 /* Try to reduce memory usage a bit */
2276 dns_resource_key_reduce(&rr
->key
, &previous
->key
);
2278 if (rr
->key
->type
== DNS_TYPE_OPT
) {
2281 if (p
->opt
|| bad_opt
) {
2282 /* Multiple OPT RRs? if so, let's ignore all, because there's
2283 * something wrong with the server, and if one is valid we wouldn't
2284 * know which one. */
2285 log_debug("Multiple OPT RRs detected, ignoring all.");
2290 if (!dns_name_is_root(dns_resource_key_name(rr
->key
))) {
2291 /* If the OPT RR is not owned by the root domain, then it is bad,
2292 * let's ignore it. */
2293 log_debug("OPT RR is not owned by root domain, ignoring.");
2298 if (i
< DNS_PACKET_ANCOUNT(p
) + DNS_PACKET_NSCOUNT(p
)) {
2299 /* OPT RR is in the wrong section? Some Belkin routers do this. This
2300 * is a hint the EDNS implementation is borked, like the Belkin one
2301 * is, hence ignore it. */
2302 log_debug("OPT RR in wrong section, ignoring.");
2307 if (!opt_is_good(rr
, &has_rfc6975
)) {
2308 log_debug("Malformed OPT RR, ignoring.");
2313 if (DNS_PACKET_QR(p
)) {
2314 /* Additional checks for responses */
2316 if (!DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(rr
))
2317 /* If this is a reply and we don't know the EDNS version
2318 * then something is weird... */
2319 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG
),
2320 "EDNS version newer that our request, bad server.");
2323 /* If the OPT RR contains RFC6975 algorithm data, then this
2324 * is indication that the server just copied the OPT it got
2325 * from us (which contained that data) back into the reply.
2326 * If so, then it doesn't properly support EDNS, as RFC6975
2327 * makes it very clear that the algorithm data should only
2328 * be contained in questions, never in replies. Crappy
2329 * Belkin routers copy the OPT data for example, hence let's
2330 * detect this so that we downgrade early. */
2331 log_debug("OPT RR contains RFC6975 data, ignoring.");
2337 p
->opt
= dns_resource_record_ref(rr
);
2338 p
->opt_start
= start
;
2339 assert(p
->rindex
>= start
);
2340 p
->opt_size
= p
->rindex
- start
;
2342 DnsAnswerFlags flags
= 0;
2344 if (p
->protocol
== DNS_PROTOCOL_MDNS
&& !cache_flush
)
2345 flags
|= DNS_ANSWER_SHARED_OWNER
;
2347 /* According to RFC 4795, section 2.9. only the RRs from the Answer section shall be
2348 * cached. Hence mark only those RRs as cacheable by default, but not the ones from
2349 * the Additional or Authority sections. */
2350 if (i
< DNS_PACKET_ANCOUNT(p
))
2351 flags
|= DNS_ANSWER_CACHEABLE
|DNS_ANSWER_SECTION_ANSWER
;
2352 else if (i
< DNS_PACKET_ANCOUNT(p
) + DNS_PACKET_NSCOUNT(p
))
2353 flags
|= DNS_ANSWER_SECTION_AUTHORITY
;
2355 flags
|= DNS_ANSWER_SECTION_ADDITIONAL
;
2357 r
= dns_answer_add(answer
, rr
, p
->ifindex
, flags
, NULL
);
2362 /* Remember this RR, so that we can potentially merge its ->key object with the
2363 * next RR. Note that we only do this if we actually decided to keep the RR around.
2365 dns_resource_record_unref(previous
);
2366 previous
= dns_resource_record_ref(rr
);
2370 p
->opt
= dns_resource_record_unref(p
->opt
);
2371 p
->opt_start
= p
->opt_size
= SIZE_MAX
;
2374 *ret_answer
= TAKE_PTR(answer
);
2379 int dns_packet_extract(DnsPacket
*p
) {
2385 _cleanup_(dns_question_unrefp
) DnsQuestion
*question
= NULL
;
2386 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
2387 _unused_
_cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= REWINDER_INIT(p
);
2390 dns_packet_rewind(p
, DNS_PACKET_HEADER_SIZE
);
2392 r
= dns_packet_extract_question(p
, &question
);
2396 r
= dns_packet_extract_answer(p
, &answer
);
2400 if (p
->rindex
< p
->size
) {
2401 log_debug("Trailing garbage in packet, suppressing OPT.");
2402 p
->opt
= dns_resource_record_unref(p
->opt
);
2403 p
->opt_start
= p
->opt_size
= SIZE_MAX
;
2406 p
->question
= TAKE_PTR(question
);
2407 p
->answer
= TAKE_PTR(answer
);
2408 p
->extracted
= true;
2410 /* no CANCEL, always rewind */
2414 int dns_packet_is_reply_for(DnsPacket
*p
, const DnsResourceKey
*key
) {
2420 /* Checks if the specified packet is a reply for the specified
2421 * key and the specified key is the only one in the question
2424 if (DNS_PACKET_QR(p
) != 1)
2427 /* Let's unpack the packet, if that hasn't happened yet. */
2428 r
= dns_packet_extract(p
);
2435 if (p
->question
->n_keys
!= 1)
2438 return dns_resource_key_equal(dns_question_first_key(p
->question
), key
);
2441 int dns_packet_patch_max_udp_size(DnsPacket
*p
, uint16_t max_udp_size
) {
2443 assert(max_udp_size
>= DNS_PACKET_UNICAST_SIZE_MAX
);
2445 if (p
->opt_start
== SIZE_MAX
) /* No OPT section, nothing to patch */
2448 assert(p
->opt_size
!= SIZE_MAX
);
2449 assert(p
->opt_size
>= 5);
2451 unaligned_write_be16(DNS_PACKET_DATA(p
) + p
->opt_start
+ 3, max_udp_size
);
2455 static int patch_rr(DnsPacket
*p
, usec_t age
) {
2456 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= REWINDER_INIT(p
);
2459 uint16_t type
, rdlength
;
2462 /* Patches the RR at the current rindex, subtracts the specified time from the TTL */
2464 r
= dns_packet_read_name(p
, NULL
, true, NULL
);
2468 r
= dns_packet_read_uint16(p
, &type
, NULL
);
2472 r
= dns_packet_read_uint16(p
, NULL
, NULL
);
2476 r
= dns_packet_read_uint32(p
, &ttl
, &ttl_index
);
2480 if (type
!= DNS_TYPE_OPT
) { /* The TTL of the OPT field is not actually a TTL, skip it */
2481 ttl
= LESS_BY(ttl
* USEC_PER_SEC
, age
) / USEC_PER_SEC
;
2482 unaligned_write_be32(DNS_PACKET_DATA(p
) + ttl_index
, ttl
);
2485 r
= dns_packet_read_uint16(p
, &rdlength
, NULL
);
2489 r
= dns_packet_read(p
, rdlength
, NULL
, NULL
);
2493 CANCEL_REWINDER(rewinder
);
2497 int dns_packet_patch_ttls(DnsPacket
*p
, usec_t timestamp
) {
2499 assert(timestamp_is_set(timestamp
));
2501 /* Adjusts all TTLs in the packet by subtracting the time difference between now and the specified timestamp */
2503 _unused_
_cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= REWINDER_INIT(p
);
2508 k
= now(clock_boottime_or_monotonic());
2509 assert(k
>= timestamp
);
2512 dns_packet_rewind(p
, DNS_PACKET_HEADER_SIZE
);
2514 n
= DNS_PACKET_QDCOUNT(p
);
2515 for (unsigned i
= 0; i
< n
; i
++) {
2516 r
= dns_packet_read_key(p
, NULL
, NULL
, NULL
);
2521 n
= DNS_PACKET_RRCOUNT(p
);
2522 for (unsigned i
= 0; i
< n
; i
++) {
2524 /* DNS servers suck, hence the RR count is in many servers off. If we reached the end
2525 * prematurely, accept that, exit early */
2526 if (p
->rindex
== p
->size
)
2537 static void dns_packet_hash_func(const DnsPacket
*s
, struct siphash
*state
) {
2540 siphash24_compress(&s
->size
, sizeof(s
->size
), state
);
2541 siphash24_compress(DNS_PACKET_DATA((DnsPacket
*) s
), s
->size
, state
);
2544 static int dns_packet_compare_func(const DnsPacket
*x
, const DnsPacket
*y
) {
2547 r
= CMP(x
->size
, y
->size
);
2551 return memcmp(DNS_PACKET_DATA((DnsPacket
*) x
), DNS_PACKET_DATA((DnsPacket
*) y
), x
->size
);
2554 DEFINE_HASH_OPS(dns_packet_hash_ops
, DnsPacket
, dns_packet_hash_func
, dns_packet_compare_func
);
2556 bool dns_packet_equal(const DnsPacket
*a
, const DnsPacket
*b
) {
2557 return dns_packet_compare_func(a
, b
) == 0;
2560 int dns_packet_has_nsid_request(DnsPacket
*p
) {
2561 bool has_nsid
= false;
2570 d
= p
->opt
->opt
.data
;
2571 l
= p
->opt
->opt
.data_size
;
2574 uint16_t code
, length
;
2577 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG
),
2578 "EDNS0 variable part has invalid size.");
2580 code
= unaligned_read_be16(d
);
2581 length
= unaligned_read_be16(d
+ 2);
2583 if (l
< 4U + length
)
2584 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG
),
2585 "Truncated option in EDNS0 variable part.");
2589 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG
),
2590 "Duplicate NSID option in EDNS0 variable part.");
2593 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG
),
2594 "Non-empty NSID option in DNS request.");
2606 size_t dns_packet_size_unfragmented(DnsPacket
*p
) {
2609 if (p
->fragsize
== 0) /* Wasn't fragmented */
2612 /* The fragment size (p->fragsize) covers the whole (fragmented) IP packet, while the regular packet
2613 * size (p->size) only covers the DNS part. Thus, subtract the UDP header from the largest fragment
2614 * size, in order to determine which size of DNS packet would have gone through without
2617 return LESS_BY(p
->fragsize
, udp_header_size(p
->family
));
2620 static const char* const dns_rcode_table
[_DNS_RCODE_MAX_DEFINED
] = {
2621 [DNS_RCODE_SUCCESS
] = "SUCCESS",
2622 [DNS_RCODE_FORMERR
] = "FORMERR",
2623 [DNS_RCODE_SERVFAIL
] = "SERVFAIL",
2624 [DNS_RCODE_NXDOMAIN
] = "NXDOMAIN",
2625 [DNS_RCODE_NOTIMP
] = "NOTIMP",
2626 [DNS_RCODE_REFUSED
] = "REFUSED",
2627 [DNS_RCODE_YXDOMAIN
] = "YXDOMAIN",
2628 [DNS_RCODE_YXRRSET
] = "YRRSET",
2629 [DNS_RCODE_NXRRSET
] = "NXRRSET",
2630 [DNS_RCODE_NOTAUTH
] = "NOTAUTH",
2631 [DNS_RCODE_NOTZONE
] = "NOTZONE",
2632 [DNS_RCODE_BADVERS
] = "BADVERS",
2633 [DNS_RCODE_BADKEY
] = "BADKEY",
2634 [DNS_RCODE_BADTIME
] = "BADTIME",
2635 [DNS_RCODE_BADMODE
] = "BADMODE",
2636 [DNS_RCODE_BADNAME
] = "BADNAME",
2637 [DNS_RCODE_BADALG
] = "BADALG",
2638 [DNS_RCODE_BADTRUNC
] = "BADTRUNC",
2639 [DNS_RCODE_BADCOOKIE
] = "BADCOOKIE",
2641 DEFINE_STRING_TABLE_LOOKUP(dns_rcode
, int);
2643 static const char* const dns_protocol_table
[_DNS_PROTOCOL_MAX
] = {
2644 [DNS_PROTOCOL_DNS
] = "dns",
2645 [DNS_PROTOCOL_MDNS
] = "mdns",
2646 [DNS_PROTOCOL_LLMNR
] = "llmnr",
2648 DEFINE_STRING_TABLE_LOOKUP(dns_protocol
, DnsProtocol
);