]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
74b2466e | 2 | |
73a4cd17 | 3 | #if HAVE_GCRYPT |
7e8facb3 | 4 | # include <gcrypt.h> |
73a4cd17 MCO |
5 | #endif |
6 | ||
b5efdb8a | 7 | #include "alloc-util.h" |
4ad7f276 | 8 | #include "dns-domain.h" |
ac684446 | 9 | #include "escape.h" |
0a970718 | 10 | #include "memory-util.h" |
74b2466e | 11 | #include "resolved-dns-packet.h" |
2d34cf0c | 12 | #include "set.h" |
0d609349 | 13 | #include "stdio-util.h" |
8b43440b LP |
14 | #include "string-table.h" |
15 | #include "strv.h" | |
16 | #include "unaligned.h" | |
17 | #include "utf8.h" | |
74b2466e | 18 | |
7586f4d1 TG |
19 | #define EDNS0_OPT_DO (1<<15) |
20 | ||
ab1a1ba5 | 21 | assert_cc(DNS_PACKET_SIZE_START > DNS_PACKET_HEADER_SIZE); |
88795538 | 22 | |
e18a3c73 ZJS |
23 | typedef struct DnsPacketRewinder { |
24 | DnsPacket *packet; | |
25 | size_t saved_rindex; | |
26 | } DnsPacketRewinder; | |
27 | ||
28 | static void rewind_dns_packet(DnsPacketRewinder *rewinder) { | |
29 | if (rewinder->packet) | |
30 | dns_packet_rewind(rewinder->packet, rewinder->saved_rindex); | |
31 | } | |
32 | ||
0c4f37f0 ZJS |
33 | #define REWINDER_INIT(p) { \ |
34 | .packet = (p), \ | |
35 | .saved_rindex = (p)->rindex, \ | |
36 | } | |
37 | #define CANCEL_REWINDER(rewinder) do { (rewinder).packet = NULL; } while (0) | |
e18a3c73 | 38 | |
51027656 LP |
39 | int dns_packet_new( |
40 | DnsPacket **ret, | |
41 | DnsProtocol protocol, | |
42 | size_t min_alloc_dsize, | |
43 | size_t max_size) { | |
44 | ||
74b2466e LP |
45 | DnsPacket *p; |
46 | size_t a; | |
47 | ||
48 | assert(ret); | |
51027656 LP |
49 | assert(max_size >= DNS_PACKET_HEADER_SIZE); |
50 | ||
51 | if (max_size > DNS_PACKET_SIZE_MAX) | |
52 | max_size = DNS_PACKET_SIZE_MAX; | |
74b2466e | 53 | |
46a58596 BR |
54 | /* The caller may not check what is going to be truly allocated, so do not allow to |
55 | * allocate a DNS packet bigger than DNS_PACKET_SIZE_MAX. | |
56 | */ | |
baaa35ad ZJS |
57 | if (min_alloc_dsize > DNS_PACKET_SIZE_MAX) |
58 | return log_error_errno(SYNTHETIC_ERRNO(EFBIG), | |
59 | "Requested packet data size too big: %zu", | |
60 | min_alloc_dsize); | |
46a58596 BR |
61 | |
62 | /* When dns_packet_new() is called with min_alloc_dsize == 0, allocate more than the | |
88795538 ZJS |
63 | * absolute minimum (which is the dns packet header size), to avoid |
64 | * resizing immediately again after appending the first data to the packet. | |
65 | */ | |
46a58596 | 66 | if (min_alloc_dsize < DNS_PACKET_HEADER_SIZE) |
88795538 ZJS |
67 | a = DNS_PACKET_SIZE_START; |
68 | else | |
46a58596 | 69 | a = min_alloc_dsize; |
74b2466e | 70 | |
c73ce96b LP |
71 | /* round up to next page size */ |
72 | a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket)); | |
73 | ||
74 | /* make sure we never allocate more than useful */ | |
51027656 LP |
75 | if (a > max_size) |
76 | a = max_size; | |
c73ce96b | 77 | |
74b2466e LP |
78 | p = malloc0(ALIGN(sizeof(DnsPacket)) + a); |
79 | if (!p) | |
80 | return -ENOMEM; | |
81 | ||
1ed31408 LP |
82 | *p = (DnsPacket) { |
83 | .n_ref = 1, | |
84 | .protocol = protocol, | |
85 | .size = DNS_PACKET_HEADER_SIZE, | |
86 | .rindex = DNS_PACKET_HEADER_SIZE, | |
87 | .allocated = a, | |
88 | .max_size = max_size, | |
f5fbe71d YW |
89 | .opt_start = SIZE_MAX, |
90 | .opt_size = SIZE_MAX, | |
1ed31408 | 91 | }; |
74b2466e LP |
92 | |
93 | *ret = p; | |
94 | ||
95 | return 0; | |
96 | } | |
97 | ||
dbfbb6e7 | 98 | void dns_packet_set_flags(DnsPacket *p, bool dnssec_checking_disabled, bool truncated) { |
74b2466e | 99 | |
dbfbb6e7 | 100 | DnsPacketHeader *h; |
74b2466e | 101 | |
dbfbb6e7 | 102 | assert(p); |
74b2466e LP |
103 | |
104 | h = DNS_PACKET_HEADER(p); | |
1716f6dc | 105 | |
79893116 | 106 | switch (p->protocol) { |
dbfbb6e7 DM |
107 | case DNS_PROTOCOL_LLMNR: |
108 | assert(!truncated); | |
109 | ||
069360a6 LP |
110 | h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */, |
111 | 0 /* opcode */, | |
112 | 0 /* c */, | |
e5abebab | 113 | 0 /* tc */, |
069360a6 LP |
114 | 0 /* t */, |
115 | 0 /* ra */, | |
116 | 0 /* ad */, | |
117 | 0 /* cd */, | |
118 | 0 /* rcode */)); | |
dbfbb6e7 DM |
119 | break; |
120 | ||
121 | case DNS_PROTOCOL_MDNS: | |
122 | h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */, | |
123 | 0 /* opcode */, | |
124 | 0 /* aa */, | |
125 | truncated /* tc */, | |
126 | 0 /* rd (ask for recursion) */, | |
127 | 0 /* ra */, | |
128 | 0 /* ad */, | |
129 | 0 /* cd */, | |
130 | 0 /* rcode */)); | |
131 | break; | |
132 | ||
133 | default: | |
134 | assert(!truncated); | |
135 | ||
069360a6 LP |
136 | h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */, |
137 | 0 /* opcode */, | |
138 | 0 /* aa */, | |
139 | 0 /* tc */, | |
140 | 1 /* rd (ask for recursion) */, | |
141 | 0 /* ra */, | |
142 | 0 /* ad */, | |
24710c48 | 143 | dnssec_checking_disabled /* cd */, |
069360a6 | 144 | 0 /* rcode */)); |
dbfbb6e7 DM |
145 | } |
146 | } | |
147 | ||
46a58596 | 148 | int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t min_alloc_dsize, bool dnssec_checking_disabled) { |
dbfbb6e7 DM |
149 | DnsPacket *p; |
150 | int r; | |
151 | ||
152 | assert(ret); | |
153 | ||
51027656 | 154 | r = dns_packet_new(&p, protocol, min_alloc_dsize, DNS_PACKET_SIZE_MAX); |
dbfbb6e7 DM |
155 | if (r < 0) |
156 | return r; | |
157 | ||
158 | /* Always set the TC bit to 0 initially. | |
159 | * If there are multiple packets later, we'll update the bit shortly before sending. | |
160 | */ | |
161 | dns_packet_set_flags(p, dnssec_checking_disabled, false); | |
74b2466e LP |
162 | |
163 | *ret = p; | |
164 | return 0; | |
165 | } | |
166 | ||
1a6cd020 LP |
167 | int dns_packet_dup(DnsPacket **ret, DnsPacket *p) { |
168 | DnsPacket *c; | |
169 | int r; | |
170 | ||
171 | assert(ret); | |
172 | assert(p); | |
173 | ||
174 | r = dns_packet_validate(p); | |
175 | if (r < 0) | |
176 | return r; | |
177 | ||
178 | c = malloc(ALIGN(sizeof(DnsPacket)) + p->size); | |
179 | if (!c) | |
180 | return -ENOMEM; | |
181 | ||
182 | *c = (DnsPacket) { | |
183 | .n_ref = 1, | |
184 | .protocol = p->protocol, | |
185 | .size = p->size, | |
186 | .rindex = DNS_PACKET_HEADER_SIZE, | |
187 | .allocated = p->size, | |
188 | .max_size = p->max_size, | |
f5fbe71d YW |
189 | .opt_start = SIZE_MAX, |
190 | .opt_size = SIZE_MAX, | |
1a6cd020 LP |
191 | }; |
192 | ||
193 | memcpy(DNS_PACKET_DATA(c), DNS_PACKET_DATA(p), p->size); | |
194 | ||
195 | *ret = c; | |
196 | return 0; | |
197 | } | |
198 | ||
74b2466e LP |
199 | DnsPacket *dns_packet_ref(DnsPacket *p) { |
200 | ||
201 | if (!p) | |
202 | return NULL; | |
203 | ||
a8812dd7 LP |
204 | assert(!p->on_stack); |
205 | ||
74b2466e LP |
206 | assert(p->n_ref > 0); |
207 | p->n_ref++; | |
208 | return p; | |
209 | } | |
210 | ||
211 | static void dns_packet_free(DnsPacket *p) { | |
212 | char *s; | |
213 | ||
214 | assert(p); | |
215 | ||
faa133f3 LP |
216 | dns_question_unref(p->question); |
217 | dns_answer_unref(p->answer); | |
d75acfb0 | 218 | dns_resource_record_unref(p->opt); |
322345fd | 219 | |
74b2466e LP |
220 | while ((s = hashmap_steal_first_key(p->names))) |
221 | free(s); | |
222 | hashmap_free(p->names); | |
223 | ||
faa133f3 | 224 | free(p->_data); |
a8812dd7 LP |
225 | |
226 | if (!p->on_stack) | |
227 | free(p); | |
74b2466e LP |
228 | } |
229 | ||
230 | DnsPacket *dns_packet_unref(DnsPacket *p) { | |
231 | if (!p) | |
232 | return NULL; | |
233 | ||
234 | assert(p->n_ref > 0); | |
235 | ||
6728a58d | 236 | dns_packet_unref(p->more); |
9c491563 | 237 | |
74b2466e LP |
238 | if (p->n_ref == 1) |
239 | dns_packet_free(p); | |
240 | else | |
241 | p->n_ref--; | |
242 | ||
243 | return NULL; | |
244 | } | |
245 | ||
246 | int dns_packet_validate(DnsPacket *p) { | |
247 | assert(p); | |
248 | ||
249 | if (p->size < DNS_PACKET_HEADER_SIZE) | |
250 | return -EBADMSG; | |
251 | ||
c73ce96b LP |
252 | if (p->size > DNS_PACKET_SIZE_MAX) |
253 | return -EBADMSG; | |
254 | ||
623a4c97 | 255 | return 1; |
74b2466e LP |
256 | } |
257 | ||
258 | int dns_packet_validate_reply(DnsPacket *p) { | |
74b2466e LP |
259 | int r; |
260 | ||
261 | assert(p); | |
262 | ||
263 | r = dns_packet_validate(p); | |
264 | if (r < 0) | |
265 | return r; | |
266 | ||
623a4c97 LP |
267 | if (DNS_PACKET_QR(p) != 1) |
268 | return 0; | |
269 | ||
270 | if (DNS_PACKET_OPCODE(p) != 0) | |
74b2466e LP |
271 | return -EBADMSG; |
272 | ||
818ef443 | 273 | switch (p->protocol) { |
d75acfb0 | 274 | |
818ef443 DM |
275 | case DNS_PROTOCOL_LLMNR: |
276 | /* RFC 4795, Section 2.1.1. says to discard all replies with QDCOUNT != 1 */ | |
277 | if (DNS_PACKET_QDCOUNT(p) != 1) | |
278 | return -EBADMSG; | |
279 | ||
280 | break; | |
281 | ||
4e5bf5e1 DM |
282 | case DNS_PROTOCOL_MDNS: |
283 | /* RFC 6762, Section 18 */ | |
284 | if (DNS_PACKET_RCODE(p) != 0) | |
285 | return -EBADMSG; | |
286 | ||
287 | break; | |
288 | ||
818ef443 DM |
289 | default: |
290 | break; | |
291 | } | |
ea917db9 | 292 | |
623a4c97 LP |
293 | return 1; |
294 | } | |
295 | ||
296 | int dns_packet_validate_query(DnsPacket *p) { | |
297 | int r; | |
298 | ||
299 | assert(p); | |
300 | ||
301 | r = dns_packet_validate(p); | |
302 | if (r < 0) | |
303 | return r; | |
304 | ||
305 | if (DNS_PACKET_QR(p) != 0) | |
306 | return 0; | |
307 | ||
3cb10d3a | 308 | if (DNS_PACKET_OPCODE(p) != 0) |
74b2466e LP |
309 | return -EBADMSG; |
310 | ||
818ef443 | 311 | switch (p->protocol) { |
d75acfb0 | 312 | |
b30bf55d | 313 | case DNS_PROTOCOL_DNS: |
ba1749f6 YW |
314 | if (DNS_PACKET_TC(p)) |
315 | return -EBADMSG; | |
316 | ||
317 | if (DNS_PACKET_QDCOUNT(p) != 1) | |
318 | return -EBADMSG; | |
319 | ||
320 | if (DNS_PACKET_ANCOUNT(p) > 0) | |
321 | return -EBADMSG; | |
322 | ||
323 | /* Note, in most cases, DNS query packet does not have authority section. But some query | |
324 | * types, e.g. IXFR, have Authority sections. Hence, unlike the check for LLMNR, we do not | |
325 | * check DNS_PACKET_NSCOUNT(p) here. */ | |
326 | break; | |
327 | ||
328 | case DNS_PROTOCOL_LLMNR: | |
329 | if (DNS_PACKET_TC(p)) | |
6f087266 YW |
330 | return -EBADMSG; |
331 | ||
818ef443 DM |
332 | /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */ |
333 | if (DNS_PACKET_QDCOUNT(p) != 1) | |
334 | return -EBADMSG; | |
623a4c97 | 335 | |
818ef443 DM |
336 | /* RFC 4795, Section 2.1.1. says to discard all queries with ANCOUNT != 0 */ |
337 | if (DNS_PACKET_ANCOUNT(p) > 0) | |
338 | return -EBADMSG; | |
623a4c97 | 339 | |
818ef443 DM |
340 | /* RFC 4795, Section 2.1.1. says to discard all queries with NSCOUNT != 0 */ |
341 | if (DNS_PACKET_NSCOUNT(p) > 0) | |
342 | return -EBADMSG; | |
343 | ||
344 | break; | |
345 | ||
4e5bf5e1 | 346 | case DNS_PROTOCOL_MDNS: |
ba1749f6 YW |
347 | /* Note, mDNS query may have truncation flag. So, unlike the check for DNS and LLMNR, |
348 | * we do not check DNS_PACKET_TC(p) here. */ | |
349 | ||
2aaf3765 SB |
350 | /* RFC 6762, Section 18 specifies that messages with non-zero RCODE |
351 | * must be silently ignored, and that we must ignore the values of | |
352 | * AA, RD, RA, AD, and CD bits. */ | |
353 | if (DNS_PACKET_RCODE(p) != 0) | |
4e5bf5e1 DM |
354 | return -EBADMSG; |
355 | ||
356 | break; | |
357 | ||
818ef443 DM |
358 | default: |
359 | break; | |
360 | } | |
623a4c97 LP |
361 | |
362 | return 1; | |
74b2466e LP |
363 | } |
364 | ||
365 | static int dns_packet_extend(DnsPacket *p, size_t add, void **ret, size_t *start) { | |
366 | assert(p); | |
367 | ||
c73ce96b | 368 | if (p->size + add > p->allocated) { |
51027656 | 369 | size_t a, ms; |
c73ce96b LP |
370 | |
371 | a = PAGE_ALIGN((p->size + add) * 2); | |
51027656 LP |
372 | |
373 | ms = dns_packet_size_max(p); | |
374 | if (a > ms) | |
375 | a = ms; | |
c73ce96b LP |
376 | |
377 | if (p->size + add > a) | |
378 | return -EMSGSIZE; | |
379 | ||
faa133f3 | 380 | if (p->_data) { |
c73ce96b LP |
381 | void *d; |
382 | ||
faa133f3 | 383 | d = realloc(p->_data, a); |
c73ce96b LP |
384 | if (!d) |
385 | return -ENOMEM; | |
386 | ||
faa133f3 | 387 | p->_data = d; |
c73ce96b | 388 | } else { |
faa133f3 LP |
389 | p->_data = malloc(a); |
390 | if (!p->_data) | |
c73ce96b LP |
391 | return -ENOMEM; |
392 | ||
faa133f3 LP |
393 | memcpy(p->_data, (uint8_t*) p + ALIGN(sizeof(DnsPacket)), p->size); |
394 | memzero((uint8_t*) p->_data + p->size, a - p->size); | |
c73ce96b LP |
395 | } |
396 | ||
397 | p->allocated = a; | |
398 | } | |
74b2466e LP |
399 | |
400 | if (start) | |
401 | *start = p->size; | |
402 | ||
403 | if (ret) | |
404 | *ret = (uint8_t*) DNS_PACKET_DATA(p) + p->size; | |
405 | ||
406 | p->size += add; | |
407 | return 0; | |
408 | } | |
409 | ||
9c5e12a4 | 410 | void dns_packet_truncate(DnsPacket *p, size_t sz) { |
74b2466e LP |
411 | char *s; |
412 | void *n; | |
413 | ||
414 | assert(p); | |
415 | ||
416 | if (p->size <= sz) | |
417 | return; | |
418 | ||
90e74a66 | 419 | HASHMAP_FOREACH_KEY(n, s, p->names) { |
74b2466e LP |
420 | |
421 | if (PTR_TO_SIZE(n) < sz) | |
422 | continue; | |
423 | ||
424 | hashmap_remove(p->names, s); | |
425 | free(s); | |
426 | } | |
427 | ||
428 | p->size = sz; | |
429 | } | |
430 | ||
623a4c97 LP |
431 | int dns_packet_append_blob(DnsPacket *p, const void *d, size_t l, size_t *start) { |
432 | void *q; | |
433 | int r; | |
434 | ||
435 | assert(p); | |
436 | ||
437 | r = dns_packet_extend(p, l, &q, start); | |
438 | if (r < 0) | |
439 | return r; | |
440 | ||
1f66559c | 441 | memcpy_safe(q, d, l); |
623a4c97 LP |
442 | return 0; |
443 | } | |
444 | ||
74b2466e LP |
445 | int dns_packet_append_uint8(DnsPacket *p, uint8_t v, size_t *start) { |
446 | void *d; | |
447 | int r; | |
448 | ||
449 | assert(p); | |
450 | ||
451 | r = dns_packet_extend(p, sizeof(uint8_t), &d, start); | |
452 | if (r < 0) | |
453 | return r; | |
454 | ||
455 | ((uint8_t*) d)[0] = v; | |
456 | ||
457 | return 0; | |
458 | } | |
459 | ||
460 | int dns_packet_append_uint16(DnsPacket *p, uint16_t v, size_t *start) { | |
461 | void *d; | |
462 | int r; | |
463 | ||
464 | assert(p); | |
465 | ||
466 | r = dns_packet_extend(p, sizeof(uint16_t), &d, start); | |
467 | if (r < 0) | |
468 | return r; | |
469 | ||
725ca0e5 | 470 | unaligned_write_be16(d, v); |
623a4c97 LP |
471 | |
472 | return 0; | |
473 | } | |
474 | ||
475 | int dns_packet_append_uint32(DnsPacket *p, uint32_t v, size_t *start) { | |
476 | void *d; | |
477 | int r; | |
478 | ||
479 | assert(p); | |
480 | ||
481 | r = dns_packet_extend(p, sizeof(uint32_t), &d, start); | |
482 | if (r < 0) | |
483 | return r; | |
484 | ||
725ca0e5 | 485 | unaligned_write_be32(d, v); |
74b2466e LP |
486 | |
487 | return 0; | |
488 | } | |
489 | ||
490 | int dns_packet_append_string(DnsPacket *p, const char *s, size_t *start) { | |
74b2466e LP |
491 | assert(p); |
492 | assert(s); | |
493 | ||
c38a52da | 494 | return dns_packet_append_raw_string(p, s, strlen(s), start); |
74b2466e LP |
495 | } |
496 | ||
2001c805 LP |
497 | int dns_packet_append_raw_string(DnsPacket *p, const void *s, size_t size, size_t *start) { |
498 | void *d; | |
499 | int r; | |
500 | ||
501 | assert(p); | |
502 | assert(s || size == 0); | |
503 | ||
504 | if (size > 255) | |
505 | return -E2BIG; | |
506 | ||
507 | r = dns_packet_extend(p, 1 + size, &d, start); | |
508 | if (r < 0) | |
509 | return r; | |
510 | ||
511 | ((uint8_t*) d)[0] = (uint8_t) size; | |
512 | ||
75f32f04 | 513 | memcpy_safe(((uint8_t*) d) + 1, s, size); |
2001c805 LP |
514 | |
515 | return 0; | |
516 | } | |
517 | ||
a3db237b | 518 | int dns_packet_append_label(DnsPacket *p, const char *d, size_t l, bool canonical_candidate, size_t *start) { |
a8812dd7 | 519 | uint8_t *w; |
74b2466e LP |
520 | int r; |
521 | ||
a3db237b LP |
522 | /* Append a label to a packet. Optionally, does this in DNSSEC |
523 | * canonical form, if this label is marked as a candidate for | |
524 | * it, and the canonical form logic is enabled for the | |
525 | * packet */ | |
526 | ||
74b2466e LP |
527 | assert(p); |
528 | assert(d); | |
529 | ||
530 | if (l > DNS_LABEL_MAX) | |
531 | return -E2BIG; | |
532 | ||
a8812dd7 | 533 | r = dns_packet_extend(p, 1 + l, (void**) &w, start); |
74b2466e LP |
534 | if (r < 0) |
535 | return r; | |
536 | ||
a8812dd7 LP |
537 | *(w++) = (uint8_t) l; |
538 | ||
64ea42e9 | 539 | if (p->canonical_form && canonical_candidate) |
a8812dd7 LP |
540 | /* Generate in canonical form, as defined by DNSSEC |
541 | * RFC 4034, Section 6.2, i.e. all lower-case. */ | |
64ea42e9 | 542 | for (size_t i = 0; i < l; i++) |
b577e3d5 | 543 | w[i] = (uint8_t) ascii_tolower(d[i]); |
64ea42e9 | 544 | else |
a8812dd7 LP |
545 | /* Otherwise, just copy the string unaltered. This is |
546 | * essential for DNS-SD, where the casing of labels | |
547 | * matters and needs to be retained. */ | |
548 | memcpy(w, d, l); | |
74b2466e LP |
549 | |
550 | return 0; | |
551 | } | |
552 | ||
f6a5fec6 LP |
553 | int dns_packet_append_name( |
554 | DnsPacket *p, | |
555 | const char *name, | |
556 | bool allow_compression, | |
a3db237b | 557 | bool canonical_candidate, |
f6a5fec6 LP |
558 | size_t *start) { |
559 | ||
74b2466e LP |
560 | size_t saved_size; |
561 | int r; | |
562 | ||
563 | assert(p); | |
564 | assert(name); | |
565 | ||
f6a5fec6 LP |
566 | if (p->refuse_compression) |
567 | allow_compression = false; | |
568 | ||
74b2466e LP |
569 | saved_size = p->size; |
570 | ||
e48b9a64 | 571 | while (!dns_name_is_root(name)) { |
08f904fd | 572 | const char *z = name; |
fd7e9887 | 573 | char label[DNS_LABEL_MAX+1]; |
151226ab | 574 | size_t n = 0; |
74b2466e | 575 | |
151226ab ZJS |
576 | if (allow_compression) |
577 | n = PTR_TO_SIZE(hashmap_get(p->names, name)); | |
74b2466e LP |
578 | if (n > 0) { |
579 | assert(n < p->size); | |
580 | ||
581 | if (n < 0x4000) { | |
582 | r = dns_packet_append_uint16(p, 0xC000 | n, NULL); | |
583 | if (r < 0) | |
584 | goto fail; | |
585 | ||
586 | goto done; | |
587 | } | |
588 | } | |
589 | ||
7470cc4c | 590 | r = dns_label_unescape(&name, label, sizeof label, 0); |
74b2466e LP |
591 | if (r < 0) |
592 | goto fail; | |
593 | ||
a3db237b | 594 | r = dns_packet_append_label(p, label, r, canonical_candidate, &n); |
74b2466e LP |
595 | if (r < 0) |
596 | goto fail; | |
597 | ||
151226ab | 598 | if (allow_compression) { |
08f904fd LP |
599 | _cleanup_free_ char *s = NULL; |
600 | ||
601 | s = strdup(z); | |
602 | if (!s) { | |
603 | r = -ENOMEM; | |
604 | goto fail; | |
605 | } | |
606 | ||
3004fcd0 | 607 | r = hashmap_ensure_put(&p->names, &dns_name_hash_ops, s, SIZE_TO_PTR(n)); |
151226ab ZJS |
608 | if (r < 0) |
609 | goto fail; | |
74b2466e | 610 | |
daced748 | 611 | TAKE_PTR(s); |
151226ab | 612 | } |
74b2466e LP |
613 | } |
614 | ||
615 | r = dns_packet_append_uint8(p, 0, NULL); | |
616 | if (r < 0) | |
617 | return r; | |
618 | ||
619 | done: | |
620 | if (start) | |
621 | *start = saved_size; | |
622 | ||
623 | return 0; | |
624 | ||
625 | fail: | |
626 | dns_packet_truncate(p, saved_size); | |
627 | return r; | |
628 | } | |
629 | ||
58ab31d5 | 630 | int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *k, const DnsAnswerFlags flags, size_t *start) { |
74b2466e | 631 | size_t saved_size; |
58ab31d5 | 632 | uint16_t class; |
74b2466e LP |
633 | int r; |
634 | ||
635 | assert(p); | |
636 | assert(k); | |
637 | ||
638 | saved_size = p->size; | |
639 | ||
1c02e7ba | 640 | r = dns_packet_append_name(p, dns_resource_key_name(k), true, true, NULL); |
74b2466e LP |
641 | if (r < 0) |
642 | goto fail; | |
643 | ||
644 | r = dns_packet_append_uint16(p, k->type, NULL); | |
645 | if (r < 0) | |
646 | goto fail; | |
647 | ||
82d39576 | 648 | class = flags & DNS_ANSWER_CACHE_FLUSH ? k->class | MDNS_RR_CACHE_FLUSH_OR_QU : k->class; |
58ab31d5 | 649 | r = dns_packet_append_uint16(p, class, NULL); |
74b2466e LP |
650 | if (r < 0) |
651 | goto fail; | |
652 | ||
653 | if (start) | |
654 | *start = saved_size; | |
655 | ||
656 | return 0; | |
657 | ||
658 | fail: | |
659 | dns_packet_truncate(p, saved_size); | |
660 | return r; | |
661 | } | |
662 | ||
e1a9f1a8 | 663 | static int dns_packet_append_type_window(DnsPacket *p, uint8_t window, uint8_t length, const uint8_t *types, size_t *start) { |
50f1e641 TG |
664 | size_t saved_size; |
665 | int r; | |
666 | ||
667 | assert(p); | |
668 | assert(types); | |
1792f223 | 669 | assert(length > 0); |
50f1e641 | 670 | |
50f1e641 TG |
671 | saved_size = p->size; |
672 | ||
1792f223 TG |
673 | r = dns_packet_append_uint8(p, window, NULL); |
674 | if (r < 0) | |
675 | goto fail; | |
50f1e641 | 676 | |
1792f223 TG |
677 | r = dns_packet_append_uint8(p, length, NULL); |
678 | if (r < 0) | |
679 | goto fail; | |
6fa91901 | 680 | |
1792f223 TG |
681 | r = dns_packet_append_blob(p, types, length, NULL); |
682 | if (r < 0) | |
683 | goto fail; | |
50f1e641 TG |
684 | |
685 | if (start) | |
686 | *start = saved_size; | |
687 | ||
688 | return 0; | |
689 | fail: | |
690 | dns_packet_truncate(p, saved_size); | |
691 | return r; | |
692 | } | |
693 | ||
694 | static int dns_packet_append_types(DnsPacket *p, Bitmap *types, size_t *start) { | |
695 | uint8_t window = 0; | |
1792f223 | 696 | uint8_t entry = 0; |
50f1e641 TG |
697 | uint8_t bitmaps[32] = {}; |
698 | unsigned n; | |
699 | size_t saved_size; | |
700 | int r; | |
701 | ||
702 | assert(p); | |
50f1e641 TG |
703 | |
704 | saved_size = p->size; | |
705 | ||
90e74a66 | 706 | BITMAP_FOREACH(n, types) { |
50f1e641 TG |
707 | assert(n <= 0xffff); |
708 | ||
1792f223 TG |
709 | if ((n >> 8) != window && bitmaps[entry / 8] != 0) { |
710 | r = dns_packet_append_type_window(p, window, entry / 8 + 1, bitmaps, NULL); | |
50f1e641 TG |
711 | if (r < 0) |
712 | goto fail; | |
713 | ||
1792f223 | 714 | zero(bitmaps); |
50f1e641 TG |
715 | } |
716 | ||
1792f223 | 717 | window = n >> 8; |
50f1e641 TG |
718 | entry = n & 255; |
719 | ||
720 | bitmaps[entry / 8] |= 1 << (7 - (entry % 8)); | |
721 | } | |
722 | ||
d0ae14ff LP |
723 | if (bitmaps[entry / 8] != 0) { |
724 | r = dns_packet_append_type_window(p, window, entry / 8 + 1, bitmaps, NULL); | |
725 | if (r < 0) | |
726 | goto fail; | |
727 | } | |
50f1e641 TG |
728 | |
729 | if (start) | |
730 | *start = saved_size; | |
731 | ||
732 | return 0; | |
733 | fail: | |
734 | dns_packet_truncate(p, saved_size); | |
735 | return r; | |
736 | } | |
737 | ||
dc913c9a | 738 | /* Append the OPT pseudo-RR described in RFC6891 */ |
c36d5b5b LP |
739 | int dns_packet_append_opt( |
740 | DnsPacket *p, | |
741 | uint16_t max_udp_size, | |
742 | bool edns0_do, | |
743 | bool include_rfc6975, | |
4a6eb824 | 744 | const char *nsid, |
c36d5b5b | 745 | int rcode, |
4a6eb824 | 746 | size_t *ret_start) { |
c36d5b5b | 747 | |
dc913c9a TG |
748 | size_t saved_size; |
749 | int r; | |
750 | ||
751 | assert(p); | |
752 | /* we must never advertise supported packet size smaller than the legacy max */ | |
753 | assert(max_udp_size >= DNS_PACKET_UNICAST_SIZE_MAX); | |
f2ed4c69 LP |
754 | assert(rcode >= 0); |
755 | assert(rcode <= _DNS_RCODE_MAX); | |
dc913c9a | 756 | |
f5fbe71d | 757 | if (p->opt_start != SIZE_MAX) |
519ef046 LP |
758 | return -EBUSY; |
759 | ||
f5fbe71d | 760 | assert(p->opt_size == SIZE_MAX); |
519ef046 | 761 | |
dc913c9a TG |
762 | saved_size = p->size; |
763 | ||
764 | /* empty name */ | |
765 | r = dns_packet_append_uint8(p, 0, NULL); | |
766 | if (r < 0) | |
767 | return r; | |
768 | ||
769 | /* type */ | |
770 | r = dns_packet_append_uint16(p, DNS_TYPE_OPT, NULL); | |
771 | if (r < 0) | |
772 | goto fail; | |
773 | ||
f2ed4c69 | 774 | /* class: maximum udp packet that can be received */ |
dc913c9a TG |
775 | r = dns_packet_append_uint16(p, max_udp_size, NULL); |
776 | if (r < 0) | |
777 | goto fail; | |
778 | ||
779 | /* extended RCODE and VERSION */ | |
f2ed4c69 | 780 | r = dns_packet_append_uint16(p, ((uint16_t) rcode & 0x0FF0) << 4, NULL); |
dc913c9a TG |
781 | if (r < 0) |
782 | goto fail; | |
783 | ||
7586f4d1 TG |
784 | /* flags: DNSSEC OK (DO), see RFC3225 */ |
785 | r = dns_packet_append_uint16(p, edns0_do ? EDNS0_OPT_DO : 0, NULL); | |
dc913c9a TG |
786 | if (r < 0) |
787 | goto fail; | |
788 | ||
c36d5b5b LP |
789 | if (edns0_do && include_rfc6975) { |
790 | /* If DO is on and this is requested, also append RFC6975 Algorithm data. This is supposed to | |
791 | * be done on queries, not on replies, hencer callers should turn this off when finishing off | |
792 | * replies. */ | |
665408ac LP |
793 | |
794 | static const uint8_t rfc6975[] = { | |
795 | ||
980cb160 | 796 | 0, DNS_EDNS_OPT_DAU, /* OPTION_CODE */ |
7e8facb3 | 797 | #if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600) |
73a4cd17 MCO |
798 | 0, 7, /* LIST_LENGTH */ |
799 | #else | |
665408ac | 800 | 0, 6, /* LIST_LENGTH */ |
73a4cd17 | 801 | #endif |
665408ac LP |
802 | DNSSEC_ALGORITHM_RSASHA1, |
803 | DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1, | |
804 | DNSSEC_ALGORITHM_RSASHA256, | |
805 | DNSSEC_ALGORITHM_RSASHA512, | |
806 | DNSSEC_ALGORITHM_ECDSAP256SHA256, | |
807 | DNSSEC_ALGORITHM_ECDSAP384SHA384, | |
7e8facb3 | 808 | #if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600) |
73a4cd17 MCO |
809 | DNSSEC_ALGORITHM_ED25519, |
810 | #endif | |
665408ac | 811 | |
980cb160 | 812 | 0, DNS_EDNS_OPT_DHU, /* OPTION_CODE */ |
665408ac LP |
813 | 0, 3, /* LIST_LENGTH */ |
814 | DNSSEC_DIGEST_SHA1, | |
815 | DNSSEC_DIGEST_SHA256, | |
816 | DNSSEC_DIGEST_SHA384, | |
817 | ||
980cb160 | 818 | 0, DNS_EDNS_OPT_N3U, /* OPTION_CODE */ |
665408ac LP |
819 | 0, 1, /* LIST_LENGTH */ |
820 | NSEC3_ALGORITHM_SHA1, | |
821 | }; | |
822 | ||
4a6eb824 LP |
823 | r = dns_packet_append_uint16(p, sizeof(rfc6975), NULL); /* RDLENGTH */ |
824 | if (r < 0) | |
825 | goto fail; | |
826 | ||
827 | r = dns_packet_append_blob(p, rfc6975, sizeof(rfc6975), NULL); /* the payload, as defined above */ | |
828 | ||
829 | } else if (nsid) { | |
830 | ||
831 | if (strlen(nsid) > UINT16_MAX - 4) { | |
832 | r = -E2BIG; | |
833 | goto fail; | |
834 | } | |
835 | ||
836 | r = dns_packet_append_uint16(p, 4 + strlen(nsid), NULL); /* RDLENGTH */ | |
665408ac LP |
837 | if (r < 0) |
838 | goto fail; | |
839 | ||
4a6eb824 LP |
840 | r = dns_packet_append_uint16(p, 3, NULL); /* OPTION-CODE: NSID */ |
841 | if (r < 0) | |
842 | goto fail; | |
843 | ||
844 | r = dns_packet_append_uint16(p, strlen(nsid), NULL); /* OPTION-LENGTH */ | |
845 | if (r < 0) | |
846 | goto fail; | |
847 | ||
848 | r = dns_packet_append_blob(p, nsid, strlen(nsid), NULL); | |
665408ac LP |
849 | } else |
850 | r = dns_packet_append_uint16(p, 0, NULL); | |
dc913c9a TG |
851 | if (r < 0) |
852 | goto fail; | |
853 | ||
519ef046 LP |
854 | DNS_PACKET_HEADER(p)->arcount = htobe16(DNS_PACKET_ARCOUNT(p) + 1); |
855 | ||
856 | p->opt_start = saved_size; | |
857 | p->opt_size = p->size - saved_size; | |
858 | ||
4a6eb824 LP |
859 | if (ret_start) |
860 | *ret_start = saved_size; | |
dc913c9a TG |
861 | |
862 | return 0; | |
863 | ||
864 | fail: | |
865 | dns_packet_truncate(p, saved_size); | |
866 | return r; | |
867 | } | |
868 | ||
519ef046 LP |
869 | int dns_packet_truncate_opt(DnsPacket *p) { |
870 | assert(p); | |
871 | ||
f5fbe71d YW |
872 | if (p->opt_start == SIZE_MAX) { |
873 | assert(p->opt_size == SIZE_MAX); | |
519ef046 LP |
874 | return 0; |
875 | } | |
876 | ||
f5fbe71d | 877 | assert(p->opt_size != SIZE_MAX); |
519ef046 LP |
878 | assert(DNS_PACKET_ARCOUNT(p) > 0); |
879 | ||
880 | if (p->opt_start + p->opt_size != p->size) | |
881 | return -EBUSY; | |
882 | ||
883 | dns_packet_truncate(p, p->opt_start); | |
884 | DNS_PACKET_HEADER(p)->arcount = htobe16(DNS_PACKET_ARCOUNT(p) - 1); | |
f5fbe71d | 885 | p->opt_start = p->opt_size = SIZE_MAX; |
519ef046 LP |
886 | |
887 | return 1; | |
888 | } | |
889 | ||
58ab31d5 | 890 | int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, const DnsAnswerFlags flags, size_t *start, size_t *rdata_start) { |
f471bc11 | 891 | |
a8812dd7 | 892 | size_t saved_size, rdlength_offset, end, rdlength, rds; |
c3ae4188 | 893 | uint32_t ttl; |
623a4c97 LP |
894 | int r; |
895 | ||
896 | assert(p); | |
897 | assert(rr); | |
898 | ||
899 | saved_size = p->size; | |
900 | ||
58ab31d5 | 901 | r = dns_packet_append_key(p, rr->key, flags, NULL); |
623a4c97 LP |
902 | if (r < 0) |
903 | goto fail; | |
904 | ||
c3ae4188 DR |
905 | ttl = flags & DNS_ANSWER_GOODBYE ? 0 : rr->ttl; |
906 | r = dns_packet_append_uint32(p, ttl, NULL); | |
623a4c97 LP |
907 | if (r < 0) |
908 | goto fail; | |
909 | ||
910 | /* Initially we write 0 here */ | |
911 | r = dns_packet_append_uint16(p, 0, &rdlength_offset); | |
912 | if (r < 0) | |
913 | goto fail; | |
914 | ||
a8812dd7 LP |
915 | rds = p->size - saved_size; |
916 | ||
52e085af | 917 | switch (rr->unparsable ? _DNS_TYPE_INVALID : rr->key->type) { |
623a4c97 | 918 | |
9c92ce6d LP |
919 | case DNS_TYPE_SRV: |
920 | r = dns_packet_append_uint16(p, rr->srv.priority, NULL); | |
921 | if (r < 0) | |
922 | goto fail; | |
923 | ||
924 | r = dns_packet_append_uint16(p, rr->srv.weight, NULL); | |
925 | if (r < 0) | |
926 | goto fail; | |
927 | ||
928 | r = dns_packet_append_uint16(p, rr->srv.port, NULL); | |
929 | if (r < 0) | |
930 | goto fail; | |
931 | ||
d9a55740 LP |
932 | /* RFC 2782 states "Unless and until permitted by future standards action, name compression |
933 | * is not to be used for this field." Hence we turn off compression here. */ | |
934 | r = dns_packet_append_name(p, rr->srv.name, /* allow_compression= */ false, /* canonical_candidate= */ true, NULL); | |
9c92ce6d LP |
935 | break; |
936 | ||
623a4c97 LP |
937 | case DNS_TYPE_PTR: |
938 | case DNS_TYPE_NS: | |
939 | case DNS_TYPE_CNAME: | |
8ac4e9e1 | 940 | case DNS_TYPE_DNAME: |
4e58741d | 941 | r = dns_packet_append_name(p, rr->ptr.name, true, true, NULL); |
623a4c97 LP |
942 | break; |
943 | ||
944 | case DNS_TYPE_HINFO: | |
945 | r = dns_packet_append_string(p, rr->hinfo.cpu, NULL); | |
946 | if (r < 0) | |
947 | goto fail; | |
948 | ||
949 | r = dns_packet_append_string(p, rr->hinfo.os, NULL); | |
950 | break; | |
951 | ||
9de3e329 | 952 | case DNS_TYPE_SPF: /* exactly the same as TXT */ |
2001c805 | 953 | case DNS_TYPE_TXT: |
2e276efc | 954 | |
2001c805 | 955 | if (!rr->txt.items) { |
1ccda9b7 LP |
956 | /* RFC 6763, section 6.1 suggests to generate |
957 | * single empty string for an empty array. */ | |
958 | ||
2001c805 | 959 | r = dns_packet_append_raw_string(p, NULL, 0, NULL); |
2e276efc ZJS |
960 | if (r < 0) |
961 | goto fail; | |
03677889 | 962 | } else |
2001c805 LP |
963 | LIST_FOREACH(items, i, rr->txt.items) { |
964 | r = dns_packet_append_raw_string(p, i->data, i->length, NULL); | |
1ccda9b7 LP |
965 | if (r < 0) |
966 | goto fail; | |
967 | } | |
2e276efc | 968 | |
6a6fc3df | 969 | r = 0; |
2e276efc | 970 | break; |
2e276efc | 971 | |
623a4c97 LP |
972 | case DNS_TYPE_A: |
973 | r = dns_packet_append_blob(p, &rr->a.in_addr, sizeof(struct in_addr), NULL); | |
974 | break; | |
975 | ||
976 | case DNS_TYPE_AAAA: | |
977 | r = dns_packet_append_blob(p, &rr->aaaa.in6_addr, sizeof(struct in6_addr), NULL); | |
978 | break; | |
979 | ||
980 | case DNS_TYPE_SOA: | |
4e58741d | 981 | r = dns_packet_append_name(p, rr->soa.mname, true, true, NULL); |
623a4c97 LP |
982 | if (r < 0) |
983 | goto fail; | |
984 | ||
4e58741d | 985 | r = dns_packet_append_name(p, rr->soa.rname, true, true, NULL); |
623a4c97 LP |
986 | if (r < 0) |
987 | goto fail; | |
988 | ||
989 | r = dns_packet_append_uint32(p, rr->soa.serial, NULL); | |
990 | if (r < 0) | |
991 | goto fail; | |
992 | ||
993 | r = dns_packet_append_uint32(p, rr->soa.refresh, NULL); | |
994 | if (r < 0) | |
995 | goto fail; | |
996 | ||
997 | r = dns_packet_append_uint32(p, rr->soa.retry, NULL); | |
998 | if (r < 0) | |
999 | goto fail; | |
1000 | ||
1001 | r = dns_packet_append_uint32(p, rr->soa.expire, NULL); | |
1002 | if (r < 0) | |
1003 | goto fail; | |
1004 | ||
1005 | r = dns_packet_append_uint32(p, rr->soa.minimum, NULL); | |
1006 | break; | |
1007 | ||
1008 | case DNS_TYPE_MX: | |
946c7094 ZJS |
1009 | r = dns_packet_append_uint16(p, rr->mx.priority, NULL); |
1010 | if (r < 0) | |
1011 | goto fail; | |
1012 | ||
4e58741d | 1013 | r = dns_packet_append_name(p, rr->mx.exchange, true, true, NULL); |
946c7094 ZJS |
1014 | break; |
1015 | ||
0dae31d4 ZJS |
1016 | case DNS_TYPE_LOC: |
1017 | r = dns_packet_append_uint8(p, rr->loc.version, NULL); | |
1018 | if (r < 0) | |
1019 | goto fail; | |
1020 | ||
1021 | r = dns_packet_append_uint8(p, rr->loc.size, NULL); | |
1022 | if (r < 0) | |
1023 | goto fail; | |
1024 | ||
1025 | r = dns_packet_append_uint8(p, rr->loc.horiz_pre, NULL); | |
1026 | if (r < 0) | |
1027 | goto fail; | |
1028 | ||
1029 | r = dns_packet_append_uint8(p, rr->loc.vert_pre, NULL); | |
1030 | if (r < 0) | |
1031 | goto fail; | |
1032 | ||
afbc4f26 | 1033 | r = dns_packet_append_uint32(p, rr->loc.latitude, NULL); |
0dae31d4 ZJS |
1034 | if (r < 0) |
1035 | goto fail; | |
1036 | ||
afbc4f26 | 1037 | r = dns_packet_append_uint32(p, rr->loc.longitude, NULL); |
0dae31d4 ZJS |
1038 | if (r < 0) |
1039 | goto fail; | |
1040 | ||
afbc4f26 | 1041 | r = dns_packet_append_uint32(p, rr->loc.altitude, NULL); |
0dae31d4 ZJS |
1042 | break; |
1043 | ||
abf126a3 TG |
1044 | case DNS_TYPE_DS: |
1045 | r = dns_packet_append_uint16(p, rr->ds.key_tag, NULL); | |
1046 | if (r < 0) | |
1047 | goto fail; | |
1048 | ||
1049 | r = dns_packet_append_uint8(p, rr->ds.algorithm, NULL); | |
1050 | if (r < 0) | |
1051 | goto fail; | |
1052 | ||
1053 | r = dns_packet_append_uint8(p, rr->ds.digest_type, NULL); | |
1054 | if (r < 0) | |
1055 | goto fail; | |
1056 | ||
1057 | r = dns_packet_append_blob(p, rr->ds.digest, rr->ds.digest_size, NULL); | |
1058 | break; | |
1059 | ||
623a4c97 | 1060 | case DNS_TYPE_SSHFP: |
42cc2eeb LP |
1061 | r = dns_packet_append_uint8(p, rr->sshfp.algorithm, NULL); |
1062 | if (r < 0) | |
1063 | goto fail; | |
8db0d2f5 | 1064 | |
42cc2eeb LP |
1065 | r = dns_packet_append_uint8(p, rr->sshfp.fptype, NULL); |
1066 | if (r < 0) | |
1067 | goto fail; | |
1068 | ||
549c1a25 | 1069 | r = dns_packet_append_blob(p, rr->sshfp.fingerprint, rr->sshfp.fingerprint_size, NULL); |
42cc2eeb LP |
1070 | break; |
1071 | ||
8db0d2f5 | 1072 | case DNS_TYPE_DNSKEY: |
f91dc240 | 1073 | r = dns_packet_append_uint16(p, rr->dnskey.flags, NULL); |
8db0d2f5 ZJS |
1074 | if (r < 0) |
1075 | goto fail; | |
1076 | ||
f91dc240 | 1077 | r = dns_packet_append_uint8(p, rr->dnskey.protocol, NULL); |
8db0d2f5 ZJS |
1078 | if (r < 0) |
1079 | goto fail; | |
1080 | ||
1081 | r = dns_packet_append_uint8(p, rr->dnskey.algorithm, NULL); | |
1082 | if (r < 0) | |
1083 | goto fail; | |
1084 | ||
1085 | r = dns_packet_append_blob(p, rr->dnskey.key, rr->dnskey.key_size, NULL); | |
1086 | break; | |
1087 | ||
151226ab ZJS |
1088 | case DNS_TYPE_RRSIG: |
1089 | r = dns_packet_append_uint16(p, rr->rrsig.type_covered, NULL); | |
1090 | if (r < 0) | |
1091 | goto fail; | |
1092 | ||
1093 | r = dns_packet_append_uint8(p, rr->rrsig.algorithm, NULL); | |
1094 | if (r < 0) | |
1095 | goto fail; | |
1096 | ||
1097 | r = dns_packet_append_uint8(p, rr->rrsig.labels, NULL); | |
1098 | if (r < 0) | |
1099 | goto fail; | |
1100 | ||
1101 | r = dns_packet_append_uint32(p, rr->rrsig.original_ttl, NULL); | |
1102 | if (r < 0) | |
1103 | goto fail; | |
1104 | ||
1105 | r = dns_packet_append_uint32(p, rr->rrsig.expiration, NULL); | |
1106 | if (r < 0) | |
1107 | goto fail; | |
1108 | ||
1109 | r = dns_packet_append_uint32(p, rr->rrsig.inception, NULL); | |
1110 | if (r < 0) | |
1111 | goto fail; | |
1112 | ||
0b1b17d3 | 1113 | r = dns_packet_append_uint16(p, rr->rrsig.key_tag, NULL); |
151226ab ZJS |
1114 | if (r < 0) |
1115 | goto fail; | |
1116 | ||
a3db237b | 1117 | r = dns_packet_append_name(p, rr->rrsig.signer, false, true, NULL); |
151226ab ZJS |
1118 | if (r < 0) |
1119 | goto fail; | |
1120 | ||
1121 | r = dns_packet_append_blob(p, rr->rrsig.signature, rr->rrsig.signature_size, NULL); | |
1122 | break; | |
1123 | ||
50f1e641 | 1124 | case DNS_TYPE_NSEC: |
a3db237b | 1125 | r = dns_packet_append_name(p, rr->nsec.next_domain_name, false, false, NULL); |
50f1e641 TG |
1126 | if (r < 0) |
1127 | goto fail; | |
1128 | ||
1129 | r = dns_packet_append_types(p, rr->nsec.types, NULL); | |
1130 | if (r < 0) | |
1131 | goto fail; | |
1132 | ||
5d45a880 | 1133 | break; |
d75acfb0 | 1134 | |
5d45a880 TG |
1135 | case DNS_TYPE_NSEC3: |
1136 | r = dns_packet_append_uint8(p, rr->nsec3.algorithm, NULL); | |
1137 | if (r < 0) | |
1138 | goto fail; | |
1139 | ||
1140 | r = dns_packet_append_uint8(p, rr->nsec3.flags, NULL); | |
1141 | if (r < 0) | |
1142 | goto fail; | |
1143 | ||
1144 | r = dns_packet_append_uint16(p, rr->nsec3.iterations, NULL); | |
1145 | if (r < 0) | |
1146 | goto fail; | |
1147 | ||
1148 | r = dns_packet_append_uint8(p, rr->nsec3.salt_size, NULL); | |
1149 | if (r < 0) | |
1150 | goto fail; | |
1151 | ||
1152 | r = dns_packet_append_blob(p, rr->nsec3.salt, rr->nsec3.salt_size, NULL); | |
1153 | if (r < 0) | |
1154 | goto fail; | |
1155 | ||
1156 | r = dns_packet_append_uint8(p, rr->nsec3.next_hashed_name_size, NULL); | |
1157 | if (r < 0) | |
1158 | goto fail; | |
1159 | ||
1160 | r = dns_packet_append_blob(p, rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size, NULL); | |
1161 | if (r < 0) | |
1162 | goto fail; | |
1163 | ||
1164 | r = dns_packet_append_types(p, rr->nsec3.types, NULL); | |
1165 | if (r < 0) | |
1166 | goto fail; | |
1167 | ||
50f1e641 | 1168 | break; |
d75acfb0 | 1169 | |
48d45d2b ZJS |
1170 | case DNS_TYPE_TLSA: |
1171 | r = dns_packet_append_uint8(p, rr->tlsa.cert_usage, NULL); | |
1172 | if (r < 0) | |
1173 | goto fail; | |
1174 | ||
1175 | r = dns_packet_append_uint8(p, rr->tlsa.selector, NULL); | |
1176 | if (r < 0) | |
1177 | goto fail; | |
1178 | ||
1179 | r = dns_packet_append_uint8(p, rr->tlsa.matching_type, NULL); | |
1180 | if (r < 0) | |
1181 | goto fail; | |
1182 | ||
1183 | r = dns_packet_append_blob(p, rr->tlsa.data, rr->tlsa.data_size, NULL); | |
1184 | break; | |
1185 | ||
e7634d6b RP |
1186 | case DNS_TYPE_SVCB: |
1187 | case DNS_TYPE_HTTPS: | |
1188 | r = dns_packet_append_uint16(p, rr->svcb.priority, NULL); | |
1189 | if (r < 0) | |
1190 | goto fail; | |
1191 | ||
1192 | r = dns_packet_append_name(p, rr->svcb.target_name, false, false, NULL); | |
1193 | if (r < 0) | |
1194 | goto fail; | |
1195 | ||
1196 | LIST_FOREACH(params, i, rr->svcb.params) { | |
1197 | r = dns_packet_append_uint16(p, i->key, NULL); | |
1198 | if (r < 0) | |
1199 | goto fail; | |
1200 | ||
1201 | r = dns_packet_append_uint16(p, i->length, NULL); | |
1202 | if (r < 0) | |
1203 | goto fail; | |
1204 | ||
1205 | r = dns_packet_append_blob(p, i->value, i->length, NULL); | |
1206 | if (r < 0) | |
1207 | goto fail; | |
1208 | } | |
1209 | break; | |
1210 | ||
95052df3 ZJS |
1211 | case DNS_TYPE_CAA: |
1212 | r = dns_packet_append_uint8(p, rr->caa.flags, NULL); | |
1213 | if (r < 0) | |
1214 | goto fail; | |
1215 | ||
1216 | r = dns_packet_append_string(p, rr->caa.tag, NULL); | |
1217 | if (r < 0) | |
1218 | goto fail; | |
1219 | ||
1220 | r = dns_packet_append_blob(p, rr->caa.value, rr->caa.value_size, NULL); | |
1221 | break; | |
1222 | ||
17615676 LP |
1223 | case DNS_TYPE_NAPTR: |
1224 | r = dns_packet_append_uint16(p, rr->naptr.order, NULL); | |
1225 | if (r < 0) | |
1226 | goto fail; | |
1227 | ||
1228 | r = dns_packet_append_uint16(p, rr->naptr.preference, NULL); | |
1229 | if (r < 0) | |
1230 | goto fail; | |
1231 | ||
1232 | r = dns_packet_append_string(p, rr->naptr.flags, NULL); | |
1233 | if (r < 0) | |
1234 | goto fail; | |
1235 | ||
1236 | r = dns_packet_append_string(p, rr->naptr.services, NULL); | |
1237 | if (r < 0) | |
1238 | goto fail; | |
1239 | ||
1240 | r = dns_packet_append_string(p, rr->naptr.regexp, NULL); | |
1241 | if (r < 0) | |
1242 | goto fail; | |
1243 | ||
1244 | r = dns_packet_append_name(p, rr->naptr.replacement, /* allow_compression= */ false, /* canonical_candidate= */ true, NULL); | |
1245 | break; | |
1246 | ||
d75acfb0 | 1247 | case DNS_TYPE_OPT: |
d93a16b8 | 1248 | case DNS_TYPE_OPENPGPKEY: |
52e085af | 1249 | case _DNS_TYPE_INVALID: /* unparsable */ |
623a4c97 | 1250 | default: |
0dae31d4 | 1251 | |
a43a068a | 1252 | r = dns_packet_append_blob(p, rr->generic.data, rr->generic.data_size, NULL); |
623a4c97 LP |
1253 | break; |
1254 | } | |
1255 | if (r < 0) | |
1256 | goto fail; | |
1257 | ||
1258 | /* Let's calculate the actual data size and update the field */ | |
1259 | rdlength = p->size - rdlength_offset - sizeof(uint16_t); | |
1260 | if (rdlength > 0xFFFF) { | |
555f5cdc | 1261 | r = -ENOSPC; |
623a4c97 LP |
1262 | goto fail; |
1263 | } | |
1264 | ||
1265 | end = p->size; | |
1266 | p->size = rdlength_offset; | |
1267 | r = dns_packet_append_uint16(p, rdlength, NULL); | |
1268 | if (r < 0) | |
1269 | goto fail; | |
1270 | p->size = end; | |
1271 | ||
351e6342 LP |
1272 | if (start) |
1273 | *start = saved_size; | |
1274 | ||
a8812dd7 LP |
1275 | if (rdata_start) |
1276 | *rdata_start = rds; | |
1277 | ||
623a4c97 LP |
1278 | return 0; |
1279 | ||
1280 | fail: | |
1281 | dns_packet_truncate(p, saved_size); | |
1282 | return r; | |
1283 | } | |
1284 | ||
f471bc11 LP |
1285 | int dns_packet_append_question(DnsPacket *p, DnsQuestion *q) { |
1286 | DnsResourceKey *key; | |
1287 | int r; | |
1288 | ||
1289 | assert(p); | |
1290 | ||
1291 | DNS_QUESTION_FOREACH(key, q) { | |
58ab31d5 | 1292 | r = dns_packet_append_key(p, key, 0, NULL); |
f471bc11 LP |
1293 | if (r < 0) |
1294 | return r; | |
1295 | } | |
1296 | ||
1297 | return 0; | |
1298 | } | |
1299 | ||
6f76e68a | 1300 | int dns_packet_append_answer(DnsPacket *p, DnsAnswer *a, unsigned *completed) { |
f471bc11 | 1301 | DnsResourceRecord *rr; |
58ab31d5 | 1302 | DnsAnswerFlags flags; |
f471bc11 LP |
1303 | int r; |
1304 | ||
1305 | assert(p); | |
1306 | ||
58ab31d5 DR |
1307 | DNS_ANSWER_FOREACH_FLAGS(rr, flags, a) { |
1308 | r = dns_packet_append_rr(p, rr, flags, NULL, NULL); | |
f471bc11 LP |
1309 | if (r < 0) |
1310 | return r; | |
6f76e68a LP |
1311 | |
1312 | if (completed) | |
1313 | (*completed)++; | |
f471bc11 LP |
1314 | } |
1315 | ||
1316 | return 0; | |
1317 | } | |
1318 | ||
74b2466e LP |
1319 | int dns_packet_read(DnsPacket *p, size_t sz, const void **ret, size_t *start) { |
1320 | assert(p); | |
370999c0 | 1321 | assert(p->rindex <= p->size); |
74b2466e | 1322 | |
370999c0 | 1323 | if (sz > p->size - p->rindex) |
74b2466e LP |
1324 | return -EMSGSIZE; |
1325 | ||
1326 | if (ret) | |
1327 | *ret = (uint8_t*) DNS_PACKET_DATA(p) + p->rindex; | |
1328 | ||
1329 | if (start) | |
1330 | *start = p->rindex; | |
1331 | ||
1332 | p->rindex += sz; | |
1333 | return 0; | |
1334 | } | |
1335 | ||
8ba9fd9c | 1336 | void dns_packet_rewind(DnsPacket *p, size_t idx) { |
74b2466e LP |
1337 | assert(p); |
1338 | assert(idx <= p->size); | |
1339 | assert(idx >= DNS_PACKET_HEADER_SIZE); | |
1340 | ||
1341 | p->rindex = idx; | |
1342 | } | |
1343 | ||
623a4c97 LP |
1344 | int dns_packet_read_blob(DnsPacket *p, void *d, size_t sz, size_t *start) { |
1345 | const void *q; | |
1346 | int r; | |
1347 | ||
1348 | assert(p); | |
1349 | assert(d); | |
1350 | ||
1351 | r = dns_packet_read(p, sz, &q, start); | |
1352 | if (r < 0) | |
1353 | return r; | |
1354 | ||
1355 | memcpy(d, q, sz); | |
1356 | return 0; | |
1357 | } | |
1358 | ||
f5430a3e LP |
1359 | static int dns_packet_read_memdup( |
1360 | DnsPacket *p, size_t size, | |
1361 | void **ret, size_t *ret_size, | |
1362 | size_t *ret_start) { | |
1363 | ||
1364 | const void *src; | |
1365 | size_t start; | |
1366 | int r; | |
1367 | ||
1368 | assert(p); | |
1369 | assert(ret); | |
1370 | ||
1371 | r = dns_packet_read(p, size, &src, &start); | |
1372 | if (r < 0) | |
1373 | return r; | |
1374 | ||
1375 | if (size <= 0) | |
1376 | *ret = NULL; | |
1377 | else { | |
1378 | void *copy; | |
1379 | ||
1380 | copy = memdup(src, size); | |
1381 | if (!copy) | |
1382 | return -ENOMEM; | |
1383 | ||
1384 | *ret = copy; | |
1385 | } | |
1386 | ||
1387 | if (ret_size) | |
1388 | *ret_size = size; | |
1389 | if (ret_start) | |
1390 | *ret_start = start; | |
1391 | ||
1392 | return 0; | |
1393 | } | |
1394 | ||
74b2466e LP |
1395 | int dns_packet_read_uint8(DnsPacket *p, uint8_t *ret, size_t *start) { |
1396 | const void *d; | |
1397 | int r; | |
1398 | ||
1399 | assert(p); | |
1400 | ||
1401 | r = dns_packet_read(p, sizeof(uint8_t), &d, start); | |
1402 | if (r < 0) | |
1403 | return r; | |
1404 | ||
1405 | *ret = ((uint8_t*) d)[0]; | |
1406 | return 0; | |
1407 | } | |
1408 | ||
1409 | int dns_packet_read_uint16(DnsPacket *p, uint16_t *ret, size_t *start) { | |
1410 | const void *d; | |
1411 | int r; | |
1412 | ||
1413 | assert(p); | |
1414 | ||
1415 | r = dns_packet_read(p, sizeof(uint16_t), &d, start); | |
1416 | if (r < 0) | |
1417 | return r; | |
1418 | ||
81b4d94d LP |
1419 | if (ret) |
1420 | *ret = unaligned_read_be16(d); | |
725ca0e5 | 1421 | |
74b2466e LP |
1422 | return 0; |
1423 | } | |
1424 | ||
1425 | int dns_packet_read_uint32(DnsPacket *p, uint32_t *ret, size_t *start) { | |
1426 | const void *d; | |
1427 | int r; | |
1428 | ||
1429 | assert(p); | |
1430 | ||
1431 | r = dns_packet_read(p, sizeof(uint32_t), &d, start); | |
1432 | if (r < 0) | |
1433 | return r; | |
1434 | ||
725ca0e5 | 1435 | *ret = unaligned_read_be32(d); |
74b2466e LP |
1436 | |
1437 | return 0; | |
1438 | } | |
1439 | ||
1440 | int dns_packet_read_string(DnsPacket *p, char **ret, size_t *start) { | |
0c4f37f0 | 1441 | _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p); |
7153213e | 1442 | _cleanup_free_ char *t = NULL; |
74b2466e | 1443 | const void *d; |
74b2466e LP |
1444 | uint8_t c; |
1445 | int r; | |
1446 | ||
7153213e LP |
1447 | assert(p); |
1448 | ||
74b2466e LP |
1449 | r = dns_packet_read_uint8(p, &c, NULL); |
1450 | if (r < 0) | |
e18a3c73 | 1451 | return r; |
74b2466e LP |
1452 | |
1453 | r = dns_packet_read(p, c, &d, NULL); | |
1454 | if (r < 0) | |
e18a3c73 | 1455 | return r; |
74b2466e | 1456 | |
7153213e LP |
1457 | r = make_cstring(d, c, MAKE_CSTRING_REFUSE_TRAILING_NUL, &t); |
1458 | if (r < 0) | |
1459 | return r; | |
74b2466e | 1460 | |
7153213e | 1461 | if (!utf8_is_valid(t)) |
e18a3c73 | 1462 | return -EBADMSG; |
74b2466e | 1463 | |
7153213e | 1464 | *ret = TAKE_PTR(t); |
74b2466e LP |
1465 | |
1466 | if (start) | |
e18a3c73 ZJS |
1467 | *start = rewinder.saved_rindex; |
1468 | CANCEL_REWINDER(rewinder); | |
74b2466e LP |
1469 | |
1470 | return 0; | |
74b2466e LP |
1471 | } |
1472 | ||
2001c805 | 1473 | int dns_packet_read_raw_string(DnsPacket *p, const void **ret, size_t *size, size_t *start) { |
0c4f37f0 ZJS |
1474 | assert(p); |
1475 | ||
1476 | _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p); | |
2001c805 LP |
1477 | uint8_t c; |
1478 | int r; | |
1479 | ||
2001c805 LP |
1480 | r = dns_packet_read_uint8(p, &c, NULL); |
1481 | if (r < 0) | |
e18a3c73 | 1482 | return r; |
2001c805 LP |
1483 | |
1484 | r = dns_packet_read(p, c, ret, NULL); | |
1485 | if (r < 0) | |
e18a3c73 | 1486 | return r; |
2001c805 LP |
1487 | |
1488 | if (size) | |
1489 | *size = c; | |
1490 | if (start) | |
e18a3c73 ZJS |
1491 | *start = rewinder.saved_rindex; |
1492 | CANCEL_REWINDER(rewinder); | |
2001c805 LP |
1493 | |
1494 | return 0; | |
2001c805 LP |
1495 | } |
1496 | ||
f6a5fec6 LP |
1497 | int dns_packet_read_name( |
1498 | DnsPacket *p, | |
81b4d94d | 1499 | char **ret, |
f6a5fec6 | 1500 | bool allow_compression, |
81b4d94d | 1501 | size_t *ret_start) { |
f6a5fec6 | 1502 | |
0c4f37f0 ZJS |
1503 | assert(p); |
1504 | ||
1505 | _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p); | |
1506 | size_t after_rindex = 0, jump_barrier = p->rindex; | |
81b4d94d | 1507 | _cleanup_free_ char *name = NULL; |
74b2466e | 1508 | bool first = true; |
319a4f4b | 1509 | size_t n = 0; |
74b2466e LP |
1510 | int r; |
1511 | ||
f6a5fec6 LP |
1512 | if (p->refuse_compression) |
1513 | allow_compression = false; | |
1514 | ||
74b2466e LP |
1515 | for (;;) { |
1516 | uint8_t c, d; | |
1517 | ||
1518 | r = dns_packet_read_uint8(p, &c, NULL); | |
1519 | if (r < 0) | |
e18a3c73 | 1520 | return r; |
74b2466e LP |
1521 | |
1522 | if (c == 0) | |
1523 | /* End of name */ | |
1524 | break; | |
1525 | else if (c <= 63) { | |
74b2466e LP |
1526 | const char *label; |
1527 | ||
1528 | /* Literal label */ | |
1529 | r = dns_packet_read(p, c, (const void**) &label, NULL); | |
1530 | if (r < 0) | |
e18a3c73 | 1531 | return r; |
74b2466e | 1532 | |
319a4f4b | 1533 | if (!GREEDY_REALLOC(name, n + !first + DNS_LABEL_ESCAPED_MAX)) |
e18a3c73 | 1534 | return -ENOMEM; |
74b2466e | 1535 | |
422baca0 | 1536 | if (first) |
74b2466e | 1537 | first = false; |
422baca0 | 1538 | else |
81b4d94d | 1539 | name[n++] = '.'; |
422baca0 | 1540 | |
81b4d94d | 1541 | r = dns_label_escape(label, c, name + n, DNS_LABEL_ESCAPED_MAX); |
422baca0 | 1542 | if (r < 0) |
e18a3c73 | 1543 | return r; |
74b2466e | 1544 | |
74b2466e LP |
1545 | n += r; |
1546 | continue; | |
d7a0f1f4 | 1547 | } else if (allow_compression && FLAGS_SET(c, 0xc0)) { |
74b2466e LP |
1548 | uint16_t ptr; |
1549 | ||
1550 | /* Pointer */ | |
1551 | r = dns_packet_read_uint8(p, &d, NULL); | |
1552 | if (r < 0) | |
e18a3c73 | 1553 | return r; |
74b2466e LP |
1554 | |
1555 | ptr = (uint16_t) (c & ~0xc0) << 8 | (uint16_t) d; | |
e18a3c73 ZJS |
1556 | if (ptr < DNS_PACKET_HEADER_SIZE || ptr >= jump_barrier) |
1557 | return -EBADMSG; | |
74b2466e LP |
1558 | |
1559 | if (after_rindex == 0) | |
1560 | after_rindex = p->rindex; | |
1561 | ||
f131770b | 1562 | /* Jumps are limited to a "prior occurrence" (RFC-1035 4.1.4) */ |
c75dbf9b | 1563 | jump_barrier = ptr; |
74b2466e | 1564 | p->rindex = ptr; |
e18a3c73 ZJS |
1565 | } else |
1566 | return -EBADMSG; | |
74b2466e LP |
1567 | } |
1568 | ||
319a4f4b | 1569 | if (!GREEDY_REALLOC(name, n + 1)) |
e18a3c73 | 1570 | return -ENOMEM; |
74b2466e | 1571 | |
81b4d94d | 1572 | name[n] = 0; |
74b2466e LP |
1573 | |
1574 | if (after_rindex != 0) | |
1575 | p->rindex= after_rindex; | |
1576 | ||
81b4d94d LP |
1577 | if (ret) |
1578 | *ret = TAKE_PTR(name); | |
1579 | if (ret_start) | |
1580 | *ret_start = rewinder.saved_rindex; | |
74b2466e | 1581 | |
e18a3c73 | 1582 | CANCEL_REWINDER(rewinder); |
74b2466e LP |
1583 | |
1584 | return 0; | |
74b2466e LP |
1585 | } |
1586 | ||
50f1e641 | 1587 | static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *start) { |
0c4f37f0 ZJS |
1588 | assert(p); |
1589 | assert(types); | |
1590 | ||
1591 | _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p); | |
1592 | uint8_t window, length; | |
50f1e641 | 1593 | const uint8_t *bitmap; |
2ad613ad | 1594 | uint8_t bit = 0; |
50f1e641 | 1595 | bool found = false; |
50f1e641 TG |
1596 | int r; |
1597 | ||
50f1e641 TG |
1598 | r = bitmap_ensure_allocated(types); |
1599 | if (r < 0) | |
e18a3c73 | 1600 | return r; |
50f1e641 TG |
1601 | |
1602 | r = dns_packet_read_uint8(p, &window, NULL); | |
1603 | if (r < 0) | |
e18a3c73 | 1604 | return r; |
50f1e641 TG |
1605 | |
1606 | r = dns_packet_read_uint8(p, &length, NULL); | |
1607 | if (r < 0) | |
e18a3c73 | 1608 | return r; |
50f1e641 TG |
1609 | |
1610 | if (length == 0 || length > 32) | |
1611 | return -EBADMSG; | |
1612 | ||
1613 | r = dns_packet_read(p, length, (const void **)&bitmap, NULL); | |
1614 | if (r < 0) | |
e18a3c73 | 1615 | return r; |
50f1e641 | 1616 | |
64ea42e9 | 1617 | for (uint8_t i = 0; i < length; i++) { |
50f1e641 | 1618 | uint8_t bitmask = 1 << 7; |
50f1e641 TG |
1619 | |
1620 | if (!bitmap[i]) { | |
1621 | found = false; | |
2ad613ad | 1622 | bit += 8; |
50f1e641 TG |
1623 | continue; |
1624 | } | |
1625 | ||
1626 | found = true; | |
1627 | ||
9f939335 | 1628 | for (; bitmask; bit++, bitmask >>= 1) |
50f1e641 TG |
1629 | if (bitmap[i] & bitmask) { |
1630 | uint16_t n; | |
1631 | ||
50f1e641 TG |
1632 | n = (uint16_t) window << 8 | (uint16_t) bit; |
1633 | ||
8e6edc49 TG |
1634 | /* Ignore pseudo-types. see RFC4034 section 4.1.2 */ |
1635 | if (dns_type_is_pseudo(n)) | |
1636 | continue; | |
1637 | ||
50f1e641 TG |
1638 | r = bitmap_set(*types, n); |
1639 | if (r < 0) | |
e18a3c73 | 1640 | return r; |
50f1e641 | 1641 | } |
50f1e641 TG |
1642 | } |
1643 | ||
1644 | if (!found) | |
1645 | return -EBADMSG; | |
1646 | ||
1647 | if (start) | |
e18a3c73 ZJS |
1648 | *start = rewinder.saved_rindex; |
1649 | CANCEL_REWINDER(rewinder); | |
50f1e641 TG |
1650 | |
1651 | return 0; | |
50f1e641 TG |
1652 | } |
1653 | ||
89492aaf | 1654 | static int dns_packet_read_type_windows(DnsPacket *p, Bitmap **types, size_t size, size_t *start) { |
0c4f37f0 | 1655 | _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p); |
89492aaf TG |
1656 | int r; |
1657 | ||
370999c0 | 1658 | while (p->rindex - rewinder.saved_rindex < size) { |
89492aaf TG |
1659 | r = dns_packet_read_type_window(p, types, NULL); |
1660 | if (r < 0) | |
e18a3c73 | 1661 | return r; |
89492aaf | 1662 | |
370999c0 YW |
1663 | assert(p->rindex >= rewinder.saved_rindex); |
1664 | ||
89492aaf | 1665 | /* don't read past end of current RR */ |
370999c0 | 1666 | if (p->rindex - rewinder.saved_rindex > size) |
e18a3c73 | 1667 | return -EBADMSG; |
89492aaf TG |
1668 | } |
1669 | ||
370999c0 | 1670 | if (p->rindex - rewinder.saved_rindex != size) |
e18a3c73 | 1671 | return -EBADMSG; |
89492aaf TG |
1672 | |
1673 | if (start) | |
e18a3c73 ZJS |
1674 | *start = rewinder.saved_rindex; |
1675 | CANCEL_REWINDER(rewinder); | |
89492aaf TG |
1676 | |
1677 | return 0; | |
89492aaf TG |
1678 | } |
1679 | ||
81b4d94d LP |
1680 | int dns_packet_read_key( |
1681 | DnsPacket *p, | |
1682 | DnsResourceKey **ret, | |
82d39576 | 1683 | bool *ret_cache_flush_or_qu, |
81b4d94d LP |
1684 | size_t *ret_start) { |
1685 | ||
0c4f37f0 ZJS |
1686 | assert(p); |
1687 | ||
1688 | _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p); | |
faa133f3 | 1689 | _cleanup_free_ char *name = NULL; |
82d39576 | 1690 | bool cache_flush_or_qu = false; |
faa133f3 | 1691 | uint16_t class, type; |
74b2466e LP |
1692 | int r; |
1693 | ||
151226ab | 1694 | r = dns_packet_read_name(p, &name, true, NULL); |
74b2466e | 1695 | if (r < 0) |
e18a3c73 | 1696 | return r; |
74b2466e | 1697 | |
faa133f3 | 1698 | r = dns_packet_read_uint16(p, &type, NULL); |
74b2466e | 1699 | if (r < 0) |
e18a3c73 | 1700 | return r; |
74b2466e | 1701 | |
faa133f3 | 1702 | r = dns_packet_read_uint16(p, &class, NULL); |
74b2466e | 1703 | if (r < 0) |
e18a3c73 | 1704 | return r; |
74b2466e | 1705 | |
23502de3 | 1706 | if (p->protocol == DNS_PROTOCOL_MDNS) { |
82d39576 | 1707 | /* See RFC6762, sections 5.4 and 10.2 */ |
23502de3 | 1708 | |
82d39576 SB |
1709 | if (type != DNS_TYPE_OPT && (class & MDNS_RR_CACHE_FLUSH_OR_QU)) { |
1710 | class &= ~MDNS_RR_CACHE_FLUSH_OR_QU; | |
1711 | cache_flush_or_qu = true; | |
d2579eec | 1712 | } |
23502de3 DM |
1713 | } |
1714 | ||
81b4d94d LP |
1715 | if (ret) { |
1716 | DnsResourceKey *key; | |
faa133f3 | 1717 | |
81b4d94d LP |
1718 | key = dns_resource_key_new_consume(class, type, name); |
1719 | if (!key) | |
1720 | return -ENOMEM; | |
1721 | ||
1722 | TAKE_PTR(name); | |
1723 | *ret = key; | |
1724 | } | |
74b2466e | 1725 | |
82d39576 SB |
1726 | if (ret_cache_flush_or_qu) |
1727 | *ret_cache_flush_or_qu = cache_flush_or_qu; | |
81b4d94d LP |
1728 | if (ret_start) |
1729 | *ret_start = rewinder.saved_rindex; | |
74b2466e | 1730 | |
81b4d94d | 1731 | CANCEL_REWINDER(rewinder); |
74b2466e | 1732 | return 0; |
74b2466e LP |
1733 | } |
1734 | ||
afbc4f26 ZJS |
1735 | static bool loc_size_ok(uint8_t size) { |
1736 | uint8_t m = size >> 4, e = size & 0xF; | |
1737 | ||
1738 | return m <= 9 && e <= 9 && (m > 0 || e == 0); | |
1739 | } | |
1740 | ||
e7634d6b RP |
1741 | static bool dns_svc_param_is_valid(DnsSvcParam *i) { |
1742 | if (!i) | |
1743 | return false; | |
1744 | ||
1745 | switch (i->key) { | |
1746 | /* RFC 9460, section 7.1.1: alpn-ids must exactly fill SvcParamValue */ | |
1747 | case DNS_SVC_PARAM_KEY_ALPN: { | |
1748 | size_t sz = 0; | |
1749 | if (i->length <= 0) | |
1750 | return false; | |
1751 | while (sz < i->length) | |
1752 | sz += 1 + i->value[sz]; /* N.B. will not overflow */ | |
1753 | return sz == i->length; | |
1754 | } | |
1755 | ||
1756 | /* RFC 9460, section 7.1.1: value must be empty */ | |
1757 | case DNS_SVC_PARAM_KEY_NO_DEFAULT_ALPN: | |
1758 | return i->length == 0; | |
1759 | ||
1760 | /* RFC 9460, section 7.2 */ | |
1761 | case DNS_SVC_PARAM_KEY_PORT: | |
1762 | return i->length == 2; | |
1763 | ||
1764 | /* RFC 9460, section 7.3: addrs must exactly fill SvcParamValue */ | |
1765 | case DNS_SVC_PARAM_KEY_IPV4HINT: | |
1766 | return i->length % (sizeof (struct in_addr)) == 0; | |
1767 | case DNS_SVC_PARAM_KEY_IPV6HINT: | |
1768 | return i->length % (sizeof (struct in6_addr)) == 0; | |
1769 | ||
1770 | /* Otherwise, permit any value */ | |
1771 | default: | |
1772 | return true; | |
1773 | } | |
1774 | } | |
1775 | ||
81b4d94d LP |
1776 | int dns_packet_read_rr( |
1777 | DnsPacket *p, | |
1778 | DnsResourceRecord **ret, | |
1779 | bool *ret_cache_flush, | |
1780 | size_t *ret_start) { | |
1781 | ||
0c4f37f0 ZJS |
1782 | assert(p); |
1783 | ||
1784 | _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p); | |
faa133f3 LP |
1785 | _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL; |
1786 | _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL; | |
e18a3c73 | 1787 | size_t offset; |
74b2466e | 1788 | uint16_t rdlength; |
d2579eec | 1789 | bool cache_flush; |
74b2466e LP |
1790 | int r; |
1791 | ||
d2579eec | 1792 | r = dns_packet_read_key(p, &key, &cache_flush, NULL); |
74b2466e | 1793 | if (r < 0) |
e18a3c73 | 1794 | return r; |
74b2466e | 1795 | |
e18a3c73 ZJS |
1796 | if (!dns_class_is_valid_rr(key->class) || !dns_type_is_valid_rr(key->type)) |
1797 | return -EBADMSG; | |
0e2bcd6a | 1798 | |
faa133f3 | 1799 | rr = dns_resource_record_new(key); |
e18a3c73 ZJS |
1800 | if (!rr) |
1801 | return -ENOMEM; | |
faa133f3 | 1802 | |
74b2466e LP |
1803 | r = dns_packet_read_uint32(p, &rr->ttl, NULL); |
1804 | if (r < 0) | |
e18a3c73 | 1805 | return r; |
74b2466e | 1806 | |
0d0b52d7 LP |
1807 | /* RFC 2181, Section 8, suggests to |
1808 | * treat a TTL with the MSB set as a zero TTL. */ | |
1809 | if (rr->ttl & UINT32_C(0x80000000)) | |
1810 | rr->ttl = 0; | |
1811 | ||
74b2466e LP |
1812 | r = dns_packet_read_uint16(p, &rdlength, NULL); |
1813 | if (r < 0) | |
e18a3c73 | 1814 | return r; |
74b2466e | 1815 | |
370999c0 | 1816 | if (rdlength > p->size - p->rindex) |
e18a3c73 | 1817 | return -EBADMSG; |
74b2466e LP |
1818 | |
1819 | offset = p->rindex; | |
1820 | ||
faa133f3 | 1821 | switch (rr->key->type) { |
74b2466e | 1822 | |
9c92ce6d LP |
1823 | case DNS_TYPE_SRV: |
1824 | r = dns_packet_read_uint16(p, &rr->srv.priority, NULL); | |
1825 | if (r < 0) | |
e18a3c73 | 1826 | return r; |
9c92ce6d LP |
1827 | r = dns_packet_read_uint16(p, &rr->srv.weight, NULL); |
1828 | if (r < 0) | |
e18a3c73 | 1829 | return r; |
9c92ce6d LP |
1830 | r = dns_packet_read_uint16(p, &rr->srv.port, NULL); |
1831 | if (r < 0) | |
e18a3c73 | 1832 | return r; |
d9a55740 LP |
1833 | |
1834 | /* RFC 2782 states "Unless and until permitted by future standards action, name compression | |
1835 | * is not to be used for this field." Nonetheless, we support it here, in the interest of | |
1836 | * increasing compatibility with implementations that do not implement this correctly. After | |
1837 | * all we didn't do this right once upon a time ourselves (see | |
1838 | * https://github.com/systemd/systemd/issues/9793). */ | |
1839 | r = dns_packet_read_name(p, &rr->srv.name, /* allow_compression= */ true, NULL); | |
9c92ce6d LP |
1840 | break; |
1841 | ||
74b2466e LP |
1842 | case DNS_TYPE_PTR: |
1843 | case DNS_TYPE_NS: | |
1844 | case DNS_TYPE_CNAME: | |
8ac4e9e1 | 1845 | case DNS_TYPE_DNAME: |
151226ab | 1846 | r = dns_packet_read_name(p, &rr->ptr.name, true, NULL); |
74b2466e LP |
1847 | break; |
1848 | ||
1849 | case DNS_TYPE_HINFO: | |
1850 | r = dns_packet_read_string(p, &rr->hinfo.cpu, NULL); | |
1851 | if (r < 0) | |
e18a3c73 | 1852 | return r; |
74b2466e LP |
1853 | |
1854 | r = dns_packet_read_string(p, &rr->hinfo.os, NULL); | |
1855 | break; | |
1856 | ||
9de3e329 | 1857 | case DNS_TYPE_SPF: /* exactly the same as TXT */ |
1ccda9b7 LP |
1858 | case DNS_TYPE_TXT: |
1859 | if (rdlength <= 0) { | |
ebb779dc DR |
1860 | r = dns_txt_item_new_empty(&rr->txt.items); |
1861 | if (r < 0) | |
1862 | return r; | |
1ccda9b7 | 1863 | } else { |
2001c805 LP |
1864 | DnsTxtItem *last = NULL; |
1865 | ||
370999c0 | 1866 | while (p->rindex - offset < rdlength) { |
2001c805 LP |
1867 | DnsTxtItem *i; |
1868 | const void *data; | |
1869 | size_t sz; | |
2e276efc | 1870 | |
2001c805 | 1871 | r = dns_packet_read_raw_string(p, &data, &sz, NULL); |
1ccda9b7 | 1872 | if (r < 0) |
2001c805 | 1873 | return r; |
1ccda9b7 | 1874 | |
2001c805 LP |
1875 | i = malloc0(offsetof(DnsTxtItem, data) + sz + 1); /* extra NUL byte at the end */ |
1876 | if (!i) | |
1877 | return -ENOMEM; | |
1878 | ||
1879 | memcpy(i->data, data, sz); | |
1880 | i->length = sz; | |
1881 | ||
1882 | LIST_INSERT_AFTER(items, rr->txt.items, last, i); | |
1883 | last = i; | |
1ccda9b7 | 1884 | } |
6a6fc3df LP |
1885 | } |
1886 | ||
1887 | r = 0; | |
2e276efc | 1888 | break; |
2e276efc | 1889 | |
74b2466e | 1890 | case DNS_TYPE_A: |
623a4c97 | 1891 | r = dns_packet_read_blob(p, &rr->a.in_addr, sizeof(struct in_addr), NULL); |
74b2466e LP |
1892 | break; |
1893 | ||
1894 | case DNS_TYPE_AAAA: | |
623a4c97 | 1895 | r = dns_packet_read_blob(p, &rr->aaaa.in6_addr, sizeof(struct in6_addr), NULL); |
74b2466e LP |
1896 | break; |
1897 | ||
7e8e0422 | 1898 | case DNS_TYPE_SOA: |
151226ab | 1899 | r = dns_packet_read_name(p, &rr->soa.mname, true, NULL); |
7e8e0422 | 1900 | if (r < 0) |
e18a3c73 | 1901 | return r; |
7e8e0422 | 1902 | |
151226ab | 1903 | r = dns_packet_read_name(p, &rr->soa.rname, true, NULL); |
7e8e0422 | 1904 | if (r < 0) |
e18a3c73 | 1905 | return r; |
7e8e0422 LP |
1906 | |
1907 | r = dns_packet_read_uint32(p, &rr->soa.serial, NULL); | |
1908 | if (r < 0) | |
e18a3c73 | 1909 | return r; |
7e8e0422 LP |
1910 | |
1911 | r = dns_packet_read_uint32(p, &rr->soa.refresh, NULL); | |
1912 | if (r < 0) | |
e18a3c73 | 1913 | return r; |
7e8e0422 LP |
1914 | |
1915 | r = dns_packet_read_uint32(p, &rr->soa.retry, NULL); | |
1916 | if (r < 0) | |
e18a3c73 | 1917 | return r; |
7e8e0422 LP |
1918 | |
1919 | r = dns_packet_read_uint32(p, &rr->soa.expire, NULL); | |
1920 | if (r < 0) | |
e18a3c73 | 1921 | return r; |
7e8e0422 LP |
1922 | |
1923 | r = dns_packet_read_uint32(p, &rr->soa.minimum, NULL); | |
1924 | break; | |
1925 | ||
623a4c97 | 1926 | case DNS_TYPE_MX: |
946c7094 ZJS |
1927 | r = dns_packet_read_uint16(p, &rr->mx.priority, NULL); |
1928 | if (r < 0) | |
e18a3c73 | 1929 | return r; |
946c7094 | 1930 | |
151226ab | 1931 | r = dns_packet_read_name(p, &rr->mx.exchange, true, NULL); |
946c7094 ZJS |
1932 | break; |
1933 | ||
0dae31d4 ZJS |
1934 | case DNS_TYPE_LOC: { |
1935 | uint8_t t; | |
1936 | size_t pos; | |
1937 | ||
1938 | r = dns_packet_read_uint8(p, &t, &pos); | |
1939 | if (r < 0) | |
e18a3c73 | 1940 | return r; |
0dae31d4 ZJS |
1941 | |
1942 | if (t == 0) { | |
1943 | rr->loc.version = t; | |
1944 | ||
1945 | r = dns_packet_read_uint8(p, &rr->loc.size, NULL); | |
1946 | if (r < 0) | |
e18a3c73 | 1947 | return r; |
0dae31d4 | 1948 | |
e18a3c73 ZJS |
1949 | if (!loc_size_ok(rr->loc.size)) |
1950 | return -EBADMSG; | |
afbc4f26 | 1951 | |
0dae31d4 ZJS |
1952 | r = dns_packet_read_uint8(p, &rr->loc.horiz_pre, NULL); |
1953 | if (r < 0) | |
e18a3c73 | 1954 | return r; |
0dae31d4 | 1955 | |
e18a3c73 ZJS |
1956 | if (!loc_size_ok(rr->loc.horiz_pre)) |
1957 | return -EBADMSG; | |
afbc4f26 | 1958 | |
0dae31d4 ZJS |
1959 | r = dns_packet_read_uint8(p, &rr->loc.vert_pre, NULL); |
1960 | if (r < 0) | |
e18a3c73 | 1961 | return r; |
0dae31d4 | 1962 | |
e18a3c73 ZJS |
1963 | if (!loc_size_ok(rr->loc.vert_pre)) |
1964 | return -EBADMSG; | |
afbc4f26 | 1965 | |
0dae31d4 ZJS |
1966 | r = dns_packet_read_uint32(p, &rr->loc.latitude, NULL); |
1967 | if (r < 0) | |
e18a3c73 | 1968 | return r; |
0dae31d4 ZJS |
1969 | |
1970 | r = dns_packet_read_uint32(p, &rr->loc.longitude, NULL); | |
1971 | if (r < 0) | |
e18a3c73 | 1972 | return r; |
0dae31d4 ZJS |
1973 | |
1974 | r = dns_packet_read_uint32(p, &rr->loc.altitude, NULL); | |
1975 | if (r < 0) | |
e18a3c73 | 1976 | return r; |
0dae31d4 ZJS |
1977 | |
1978 | break; | |
1979 | } else { | |
1980 | dns_packet_rewind(p, pos); | |
52e085af ZJS |
1981 | rr->unparsable = true; |
1982 | goto unparsable; | |
0dae31d4 ZJS |
1983 | } |
1984 | } | |
1985 | ||
abf126a3 TG |
1986 | case DNS_TYPE_DS: |
1987 | r = dns_packet_read_uint16(p, &rr->ds.key_tag, NULL); | |
1988 | if (r < 0) | |
e18a3c73 | 1989 | return r; |
abf126a3 TG |
1990 | |
1991 | r = dns_packet_read_uint8(p, &rr->ds.algorithm, NULL); | |
1992 | if (r < 0) | |
e18a3c73 | 1993 | return r; |
abf126a3 TG |
1994 | |
1995 | r = dns_packet_read_uint8(p, &rr->ds.digest_type, NULL); | |
1996 | if (r < 0) | |
e18a3c73 | 1997 | return r; |
abf126a3 | 1998 | |
8a0f6d1f SL |
1999 | if (rdlength < 4) |
2000 | return -EBADMSG; | |
2001 | ||
f5430a3e LP |
2002 | r = dns_packet_read_memdup(p, rdlength - 4, |
2003 | &rr->ds.digest, &rr->ds.digest_size, | |
2004 | NULL); | |
abf126a3 | 2005 | if (r < 0) |
e18a3c73 | 2006 | return r; |
abf126a3 | 2007 | |
e18a3c73 | 2008 | if (rr->ds.digest_size <= 0) |
f1d178cc TG |
2009 | /* the accepted size depends on the algorithm, but for now |
2010 | just ensure that the value is greater than zero */ | |
e18a3c73 | 2011 | return -EBADMSG; |
f1d178cc | 2012 | |
abf126a3 | 2013 | break; |
d75acfb0 | 2014 | |
623a4c97 | 2015 | case DNS_TYPE_SSHFP: |
42cc2eeb LP |
2016 | r = dns_packet_read_uint8(p, &rr->sshfp.algorithm, NULL); |
2017 | if (r < 0) | |
e18a3c73 | 2018 | return r; |
42cc2eeb LP |
2019 | |
2020 | r = dns_packet_read_uint8(p, &rr->sshfp.fptype, NULL); | |
2021 | if (r < 0) | |
e18a3c73 | 2022 | return r; |
42cc2eeb | 2023 | |
8a0f6d1f SL |
2024 | if (rdlength < 2) |
2025 | return -EBADMSG; | |
2026 | ||
f5430a3e | 2027 | r = dns_packet_read_memdup(p, rdlength - 2, |
549c1a25 | 2028 | &rr->sshfp.fingerprint, &rr->sshfp.fingerprint_size, |
f5430a3e | 2029 | NULL); |
f1d178cc | 2030 | |
e18a3c73 | 2031 | if (rr->sshfp.fingerprint_size <= 0) |
f1d178cc TG |
2032 | /* the accepted size depends on the algorithm, but for now |
2033 | just ensure that the value is greater than zero */ | |
e18a3c73 | 2034 | return -EBADMSG; |
f1d178cc | 2035 | |
8db0d2f5 ZJS |
2036 | break; |
2037 | ||
f91dc240 LP |
2038 | case DNS_TYPE_DNSKEY: |
2039 | r = dns_packet_read_uint16(p, &rr->dnskey.flags, NULL); | |
8db0d2f5 | 2040 | if (r < 0) |
e18a3c73 | 2041 | return r; |
8db0d2f5 | 2042 | |
f91dc240 | 2043 | r = dns_packet_read_uint8(p, &rr->dnskey.protocol, NULL); |
8db0d2f5 | 2044 | if (r < 0) |
e18a3c73 | 2045 | return r; |
8db0d2f5 | 2046 | |
8db0d2f5 ZJS |
2047 | r = dns_packet_read_uint8(p, &rr->dnskey.algorithm, NULL); |
2048 | if (r < 0) | |
e18a3c73 | 2049 | return r; |
8db0d2f5 | 2050 | |
8a0f6d1f SL |
2051 | if (rdlength < 4) |
2052 | return -EBADMSG; | |
2053 | ||
f5430a3e LP |
2054 | r = dns_packet_read_memdup(p, rdlength - 4, |
2055 | &rr->dnskey.key, &rr->dnskey.key_size, | |
2056 | NULL); | |
f1d178cc | 2057 | |
e18a3c73 | 2058 | if (rr->dnskey.key_size <= 0) |
f1d178cc TG |
2059 | /* the accepted size depends on the algorithm, but for now |
2060 | just ensure that the value is greater than zero */ | |
e18a3c73 | 2061 | return -EBADMSG; |
f1d178cc | 2062 | |
42cc2eeb LP |
2063 | break; |
2064 | ||
151226ab ZJS |
2065 | case DNS_TYPE_RRSIG: |
2066 | r = dns_packet_read_uint16(p, &rr->rrsig.type_covered, NULL); | |
2067 | if (r < 0) | |
e18a3c73 | 2068 | return r; |
151226ab ZJS |
2069 | |
2070 | r = dns_packet_read_uint8(p, &rr->rrsig.algorithm, NULL); | |
2071 | if (r < 0) | |
e18a3c73 | 2072 | return r; |
151226ab ZJS |
2073 | |
2074 | r = dns_packet_read_uint8(p, &rr->rrsig.labels, NULL); | |
2075 | if (r < 0) | |
e18a3c73 | 2076 | return r; |
151226ab ZJS |
2077 | |
2078 | r = dns_packet_read_uint32(p, &rr->rrsig.original_ttl, NULL); | |
2079 | if (r < 0) | |
e18a3c73 | 2080 | return r; |
151226ab ZJS |
2081 | |
2082 | r = dns_packet_read_uint32(p, &rr->rrsig.expiration, NULL); | |
2083 | if (r < 0) | |
e18a3c73 | 2084 | return r; |
151226ab ZJS |
2085 | |
2086 | r = dns_packet_read_uint32(p, &rr->rrsig.inception, NULL); | |
2087 | if (r < 0) | |
e18a3c73 | 2088 | return r; |
151226ab ZJS |
2089 | |
2090 | r = dns_packet_read_uint16(p, &rr->rrsig.key_tag, NULL); | |
2091 | if (r < 0) | |
e18a3c73 | 2092 | return r; |
151226ab ZJS |
2093 | |
2094 | r = dns_packet_read_name(p, &rr->rrsig.signer, false, NULL); | |
2095 | if (r < 0) | |
e18a3c73 | 2096 | return r; |
151226ab | 2097 | |
370999c0 | 2098 | if (rdlength < p->rindex - offset) |
8a0f6d1f SL |
2099 | return -EBADMSG; |
2100 | ||
f5430a3e LP |
2101 | r = dns_packet_read_memdup(p, offset + rdlength - p->rindex, |
2102 | &rr->rrsig.signature, &rr->rrsig.signature_size, | |
2103 | NULL); | |
f1d178cc | 2104 | |
e18a3c73 | 2105 | if (rr->rrsig.signature_size <= 0) |
f1d178cc TG |
2106 | /* the accepted size depends on the algorithm, but for now |
2107 | just ensure that the value is greater than zero */ | |
e18a3c73 | 2108 | return -EBADMSG; |
f1d178cc | 2109 | |
151226ab ZJS |
2110 | break; |
2111 | ||
d84e543d DM |
2112 | case DNS_TYPE_NSEC: { |
2113 | ||
2114 | /* | |
5238e957 | 2115 | * RFC6762, section 18.14 explicitly states mDNS should use name compression. |
d84e543d DM |
2116 | * This contradicts RFC3845, section 2.1.1 |
2117 | */ | |
2118 | ||
2119 | bool allow_compressed = p->protocol == DNS_PROTOCOL_MDNS; | |
2120 | ||
2121 | r = dns_packet_read_name(p, &rr->nsec.next_domain_name, allow_compressed, NULL); | |
50f1e641 | 2122 | if (r < 0) |
e18a3c73 | 2123 | return r; |
50f1e641 | 2124 | |
370999c0 YW |
2125 | if (rdlength < p->rindex - offset) |
2126 | return -EBADMSG; | |
2127 | ||
89492aaf | 2128 | r = dns_packet_read_type_windows(p, &rr->nsec.types, offset + rdlength - p->rindex, NULL); |
89492aaf | 2129 | |
09eaf68c TG |
2130 | /* We accept empty NSEC bitmaps. The bit indicating the presence of the NSEC record itself |
2131 | * is redundant and in e.g., RFC4956 this fact is used to define a use for NSEC records | |
2132 | * without the NSEC bit set. */ | |
50f1e641 TG |
2133 | |
2134 | break; | |
d84e543d | 2135 | } |
5d45a880 TG |
2136 | case DNS_TYPE_NSEC3: { |
2137 | uint8_t size; | |
2138 | ||
2139 | r = dns_packet_read_uint8(p, &rr->nsec3.algorithm, NULL); | |
2140 | if (r < 0) | |
e18a3c73 | 2141 | return r; |
5d45a880 TG |
2142 | |
2143 | r = dns_packet_read_uint8(p, &rr->nsec3.flags, NULL); | |
2144 | if (r < 0) | |
e18a3c73 | 2145 | return r; |
5d45a880 TG |
2146 | |
2147 | r = dns_packet_read_uint16(p, &rr->nsec3.iterations, NULL); | |
2148 | if (r < 0) | |
e18a3c73 | 2149 | return r; |
5d45a880 | 2150 | |
f1d178cc | 2151 | /* this may be zero */ |
5d45a880 TG |
2152 | r = dns_packet_read_uint8(p, &size, NULL); |
2153 | if (r < 0) | |
e18a3c73 | 2154 | return r; |
5d45a880 | 2155 | |
f5430a3e | 2156 | r = dns_packet_read_memdup(p, size, &rr->nsec3.salt, &rr->nsec3.salt_size, NULL); |
5d45a880 | 2157 | if (r < 0) |
e18a3c73 | 2158 | return r; |
5d45a880 | 2159 | |
5d45a880 TG |
2160 | r = dns_packet_read_uint8(p, &size, NULL); |
2161 | if (r < 0) | |
e18a3c73 | 2162 | return r; |
5d45a880 | 2163 | |
e18a3c73 ZJS |
2164 | if (size <= 0) |
2165 | return -EBADMSG; | |
f1d178cc | 2166 | |
e18a3c73 ZJS |
2167 | r = dns_packet_read_memdup(p, size, |
2168 | &rr->nsec3.next_hashed_name, &rr->nsec3.next_hashed_name_size, | |
2169 | NULL); | |
5d45a880 | 2170 | if (r < 0) |
e18a3c73 | 2171 | return r; |
5d45a880 | 2172 | |
370999c0 YW |
2173 | if (rdlength < p->rindex - offset) |
2174 | return -EBADMSG; | |
2175 | ||
6b9308d1 | 2176 | r = dns_packet_read_type_windows(p, &rr->nsec3.types, offset + rdlength - p->rindex, NULL); |
5d45a880 | 2177 | |
0bbd72b2 TG |
2178 | /* empty non-terminals can have NSEC3 records, so empty bitmaps are allowed */ |
2179 | ||
5d45a880 TG |
2180 | break; |
2181 | } | |
d75acfb0 | 2182 | |
48d45d2b ZJS |
2183 | case DNS_TYPE_TLSA: |
2184 | r = dns_packet_read_uint8(p, &rr->tlsa.cert_usage, NULL); | |
2185 | if (r < 0) | |
e18a3c73 | 2186 | return r; |
48d45d2b ZJS |
2187 | |
2188 | r = dns_packet_read_uint8(p, &rr->tlsa.selector, NULL); | |
2189 | if (r < 0) | |
e18a3c73 | 2190 | return r; |
48d45d2b ZJS |
2191 | |
2192 | r = dns_packet_read_uint8(p, &rr->tlsa.matching_type, NULL); | |
2193 | if (r < 0) | |
e18a3c73 | 2194 | return r; |
48d45d2b | 2195 | |
8a0f6d1f SL |
2196 | if (rdlength < 3) |
2197 | return -EBADMSG; | |
2198 | ||
48d45d2b ZJS |
2199 | r = dns_packet_read_memdup(p, rdlength - 3, |
2200 | &rr->tlsa.data, &rr->tlsa.data_size, | |
2201 | NULL); | |
e18a3c73 ZJS |
2202 | |
2203 | if (rr->tlsa.data_size <= 0) | |
48d45d2b ZJS |
2204 | /* the accepted size depends on the algorithm, but for now |
2205 | just ensure that the value is greater than zero */ | |
e18a3c73 | 2206 | return -EBADMSG; |
48d45d2b ZJS |
2207 | |
2208 | break; | |
2209 | ||
e7634d6b RP |
2210 | case DNS_TYPE_SVCB: |
2211 | case DNS_TYPE_HTTPS: | |
2212 | r = dns_packet_read_uint16(p, &rr->svcb.priority, NULL); | |
2213 | if (r < 0) | |
2214 | return r; | |
2215 | ||
2216 | r = dns_packet_read_name(p, &rr->svcb.target_name, false /* uncompressed */, NULL); | |
2217 | if (r < 0) | |
2218 | return r; | |
2219 | ||
2220 | DnsSvcParam *last = NULL; | |
2221 | while (p->rindex - offset < rdlength) { | |
2222 | _cleanup_free_ DnsSvcParam *i = NULL; | |
2223 | uint16_t svc_param_key; | |
2224 | uint16_t sz; | |
2225 | ||
2226 | r = dns_packet_read_uint16(p, &svc_param_key, NULL); | |
2227 | if (r < 0) | |
2228 | return r; | |
2229 | /* RFC 9460, section 2.2 says we must consider an RR malformed if SvcParamKeys are | |
2230 | * not in strictly increasing order */ | |
2231 | if (last && last->key >= svc_param_key) | |
2232 | return -EBADMSG; | |
2233 | ||
2234 | r = dns_packet_read_uint16(p, &sz, NULL); | |
2235 | if (r < 0) | |
2236 | return r; | |
2237 | ||
2238 | i = malloc0(offsetof(DnsSvcParam, value) + sz); | |
2239 | if (!i) | |
2240 | return -ENOMEM; | |
2241 | ||
2242 | i->key = svc_param_key; | |
2243 | i->length = sz; | |
2244 | r = dns_packet_read_blob(p, &i->value, sz, NULL); | |
2245 | if (r < 0) | |
2246 | return r; | |
2247 | if (!dns_svc_param_is_valid(i)) | |
2248 | return -EBADMSG; | |
2249 | ||
2250 | LIST_INSERT_AFTER(params, rr->svcb.params, last, i); | |
2251 | last = TAKE_PTR(i); | |
2252 | } | |
2253 | ||
2254 | break; | |
2255 | ||
95052df3 ZJS |
2256 | case DNS_TYPE_CAA: |
2257 | r = dns_packet_read_uint8(p, &rr->caa.flags, NULL); | |
2258 | if (r < 0) | |
2259 | return r; | |
2260 | ||
2261 | r = dns_packet_read_string(p, &rr->caa.tag, NULL); | |
2262 | if (r < 0) | |
2263 | return r; | |
2264 | ||
370999c0 | 2265 | if (rdlength < p->rindex - offset) |
8a0f6d1f SL |
2266 | return -EBADMSG; |
2267 | ||
95052df3 ZJS |
2268 | r = dns_packet_read_memdup(p, |
2269 | rdlength + offset - p->rindex, | |
2270 | &rr->caa.value, &rr->caa.value_size, NULL); | |
48d45d2b ZJS |
2271 | |
2272 | break; | |
2273 | ||
17615676 LP |
2274 | case DNS_TYPE_NAPTR: |
2275 | r = dns_packet_read_uint16(p, &rr->naptr.order, NULL); | |
2276 | if (r < 0) | |
2277 | return r; | |
2278 | ||
2279 | r = dns_packet_read_uint16(p, &rr->naptr.preference, NULL); | |
2280 | if (r < 0) | |
2281 | return r; | |
2282 | ||
2283 | r = dns_packet_read_string(p, &rr->naptr.flags, NULL); | |
2284 | if (r < 0) | |
2285 | return r; | |
2286 | ||
2287 | r = dns_packet_read_string(p, &rr->naptr.services, NULL); | |
2288 | if (r < 0) | |
2289 | return r; | |
2290 | ||
2291 | r = dns_packet_read_string(p, &rr->naptr.regexp, NULL); | |
2292 | if (r < 0) | |
2293 | return r; | |
2294 | ||
2295 | r = dns_packet_read_name(p, &rr->naptr.replacement, /* allow_compressed= */ false, NULL); | |
2296 | break; | |
2297 | ||
d75acfb0 | 2298 | case DNS_TYPE_OPT: /* we only care about the header of OPT for now. */ |
d93a16b8 | 2299 | case DNS_TYPE_OPENPGPKEY: |
74b2466e | 2300 | default: |
52e085af | 2301 | unparsable: |
a43a068a | 2302 | r = dns_packet_read_memdup(p, rdlength, &rr->generic.data, &rr->generic.data_size, NULL); |
e18a3c73 | 2303 | |
74b2466e LP |
2304 | break; |
2305 | } | |
2306 | if (r < 0) | |
e18a3c73 | 2307 | return r; |
370999c0 | 2308 | if (p->rindex - offset != rdlength) |
e18a3c73 | 2309 | return -EBADMSG; |
74b2466e | 2310 | |
81b4d94d LP |
2311 | if (ret) |
2312 | *ret = TAKE_PTR(rr); | |
d2579eec LP |
2313 | if (ret_cache_flush) |
2314 | *ret_cache_flush = cache_flush; | |
81b4d94d LP |
2315 | if (ret_start) |
2316 | *ret_start = rewinder.saved_rindex; | |
74b2466e | 2317 | |
81b4d94d | 2318 | CANCEL_REWINDER(rewinder); |
74b2466e | 2319 | return 0; |
74b2466e LP |
2320 | } |
2321 | ||
c3f7000e LP |
2322 | static bool opt_is_good(DnsResourceRecord *rr, bool *rfc6975) { |
2323 | const uint8_t* p; | |
2324 | bool found_dau_dhu_n3u = false; | |
2325 | size_t l; | |
2326 | ||
2327 | /* Checks whether the specified OPT RR is well-formed and whether it contains RFC6975 data (which is not OK in | |
2328 | * a reply). */ | |
2329 | ||
2330 | assert(rr); | |
2331 | assert(rr->key->type == DNS_TYPE_OPT); | |
2332 | ||
2333 | /* Check that the version is 0 */ | |
b30bf55d LP |
2334 | if (((rr->ttl >> 16) & UINT32_C(0xFF)) != 0) { |
2335 | *rfc6975 = false; | |
2336 | return true; /* if it's not version 0, it's OK, but we will ignore the OPT field contents */ | |
2337 | } | |
c3f7000e LP |
2338 | |
2339 | p = rr->opt.data; | |
a43a068a | 2340 | l = rr->opt.data_size; |
c3f7000e LP |
2341 | while (l > 0) { |
2342 | uint16_t option_code, option_length; | |
2343 | ||
2344 | /* At least four bytes for OPTION-CODE and OPTION-LENGTH are required */ | |
2345 | if (l < 4U) | |
2346 | return false; | |
2347 | ||
2348 | option_code = unaligned_read_be16(p); | |
2349 | option_length = unaligned_read_be16(p + 2); | |
2350 | ||
2351 | if (l < option_length + 4U) | |
2352 | return false; | |
2353 | ||
2354 | /* RFC 6975 DAU, DHU or N3U fields found. */ | |
980cb160 | 2355 | if (IN_SET(option_code, DNS_EDNS_OPT_DAU, DNS_EDNS_OPT_DHU, DNS_EDNS_OPT_N3U)) |
c3f7000e LP |
2356 | found_dau_dhu_n3u = true; |
2357 | ||
2358 | p += option_length + 4U; | |
2359 | l -= option_length + 4U; | |
2360 | } | |
2361 | ||
2362 | *rfc6975 = found_dau_dhu_n3u; | |
2363 | return true; | |
2364 | } | |
2365 | ||
4a49e560 | 2366 | static int dns_packet_extract_question(DnsPacket *p, DnsQuestion **ret_question) { |
faa133f3 | 2367 | _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL; |
64ea42e9 | 2368 | unsigned n; |
74b2466e LP |
2369 | int r; |
2370 | ||
3cb10d3a | 2371 | n = DNS_PACKET_QDCOUNT(p); |
faa133f3 LP |
2372 | if (n > 0) { |
2373 | question = dns_question_new(n); | |
e18a3c73 ZJS |
2374 | if (!question) |
2375 | return -ENOMEM; | |
74b2466e | 2376 | |
2d34cf0c ZJS |
2377 | _cleanup_set_free_ Set *keys = NULL; /* references to keys are kept by Question */ |
2378 | ||
2379 | keys = set_new(&dns_resource_key_hash_ops); | |
2380 | if (!keys) | |
2381 | return log_oom(); | |
2382 | ||
2383 | r = set_reserve(keys, n * 2); /* Higher multipliers give slightly higher efficiency through | |
e9665ac2 | 2384 | * hash collisions, but the gains quickly drop off after 2. */ |
2d34cf0c ZJS |
2385 | if (r < 0) |
2386 | return r; | |
2387 | ||
64ea42e9 | 2388 | for (unsigned i = 0; i < n; i++) { |
faa133f3 | 2389 | _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL; |
82d39576 | 2390 | bool qu; |
74b2466e | 2391 | |
82d39576 | 2392 | r = dns_packet_read_key(p, &key, &qu, NULL); |
faa133f3 | 2393 | if (r < 0) |
e18a3c73 | 2394 | return r; |
74b2466e | 2395 | |
e18a3c73 ZJS |
2396 | if (!dns_type_is_valid_query(key->type)) |
2397 | return -EBADMSG; | |
c463eb78 | 2398 | |
2d34cf0c ZJS |
2399 | r = set_put(keys, key); |
2400 | if (r < 0) | |
2401 | return r; | |
2402 | if (r == 0) | |
2403 | /* Already in the Question, let's skip */ | |
2404 | continue; | |
2405 | ||
82d39576 | 2406 | r = dns_question_add_raw(question, key, qu ? DNS_QUESTION_WANTS_UNICAST_REPLY : 0); |
faa133f3 | 2407 | if (r < 0) |
e18a3c73 | 2408 | return r; |
faa133f3 LP |
2409 | } |
2410 | } | |
322345fd | 2411 | |
1cc6c93a YW |
2412 | *ret_question = TAKE_PTR(question); |
2413 | ||
4a49e560 ZJS |
2414 | return 0; |
2415 | } | |
2416 | ||
2417 | static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) { | |
2418 | _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL; | |
64ea42e9 | 2419 | unsigned n; |
4a49e560 ZJS |
2420 | _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *previous = NULL; |
2421 | bool bad_opt = false; | |
2422 | int r; | |
2423 | ||
faa133f3 | 2424 | n = DNS_PACKET_RRCOUNT(p); |
4a49e560 ZJS |
2425 | if (n == 0) |
2426 | return 0; | |
c3f7000e | 2427 | |
4a49e560 ZJS |
2428 | answer = dns_answer_new(n); |
2429 | if (!answer) | |
2430 | return -ENOMEM; | |
322345fd | 2431 | |
64ea42e9 | 2432 | for (unsigned i = 0; i < n; i++) { |
4a49e560 ZJS |
2433 | _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL; |
2434 | bool cache_flush = false; | |
93748b26 | 2435 | size_t start; |
322345fd | 2436 | |
729c5deb | 2437 | if (p->rindex == p->size && p->opt) { |
18674159 LP |
2438 | /* If we reached the end of the packet already, but there are still more RRs |
2439 | * declared, then that's a corrupt packet. Let's accept the packet anyway, since it's | |
2440 | * apparently a common bug in routers. Let's however suppress OPT support in this | |
2441 | * case, so that we force the rest of the logic into lowest DNS baseline support. Or | |
2442 | * to say this differently: if the DNS server doesn't even get the RR counts right, | |
2443 | * it's highly unlikely it gets EDNS right. */ | |
2444 | log_debug("More resource records declared in packet than included, suppressing OPT."); | |
2445 | bad_opt = true; | |
2446 | break; | |
2447 | } | |
2448 | ||
93748b26 | 2449 | r = dns_packet_read_rr(p, &rr, &cache_flush, &start); |
4a49e560 ZJS |
2450 | if (r < 0) |
2451 | return r; | |
322345fd | 2452 | |
4a49e560 ZJS |
2453 | /* Try to reduce memory usage a bit */ |
2454 | if (previous) | |
2455 | dns_resource_key_reduce(&rr->key, &previous->key); | |
f57e3cd5 | 2456 | |
4a49e560 ZJS |
2457 | if (rr->key->type == DNS_TYPE_OPT) { |
2458 | bool has_rfc6975; | |
c3f7000e | 2459 | |
4a49e560 ZJS |
2460 | if (p->opt || bad_opt) { |
2461 | /* Multiple OPT RRs? if so, let's ignore all, because there's | |
2462 | * something wrong with the server, and if one is valid we wouldn't | |
2463 | * know which one. */ | |
2464 | log_debug("Multiple OPT RRs detected, ignoring all."); | |
2465 | bad_opt = true; | |
2466 | continue; | |
2467 | } | |
e6b57b37 | 2468 | |
4a49e560 ZJS |
2469 | if (!dns_name_is_root(dns_resource_key_name(rr->key))) { |
2470 | /* If the OPT RR is not owned by the root domain, then it is bad, | |
2471 | * let's ignore it. */ | |
2472 | log_debug("OPT RR is not owned by root domain, ignoring."); | |
2473 | bad_opt = true; | |
2474 | continue; | |
2475 | } | |
c3f7000e | 2476 | |
4a49e560 ZJS |
2477 | if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p)) { |
2478 | /* OPT RR is in the wrong section? Some Belkin routers do this. This | |
2479 | * is a hint the EDNS implementation is borked, like the Belkin one | |
2480 | * is, hence ignore it. */ | |
2481 | log_debug("OPT RR in wrong section, ignoring."); | |
2482 | bad_opt = true; | |
2483 | continue; | |
2484 | } | |
2485 | ||
2486 | if (!opt_is_good(rr, &has_rfc6975)) { | |
2487 | log_debug("Malformed OPT RR, ignoring."); | |
2488 | bad_opt = true; | |
2489 | continue; | |
2490 | } | |
2491 | ||
2492 | if (DNS_PACKET_QR(p)) { | |
2493 | /* Additional checks for responses */ | |
2494 | ||
d7a0f1f4 | 2495 | if (!DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(rr)) |
4a49e560 ZJS |
2496 | /* If this is a reply and we don't know the EDNS version |
2497 | * then something is weird... */ | |
d7a0f1f4 FS |
2498 | return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), |
2499 | "EDNS version newer that our request, bad server."); | |
ff7febd5 | 2500 | |
4a49e560 ZJS |
2501 | if (has_rfc6975) { |
2502 | /* If the OPT RR contains RFC6975 algorithm data, then this | |
2503 | * is indication that the server just copied the OPT it got | |
2504 | * from us (which contained that data) back into the reply. | |
2505 | * If so, then it doesn't properly support EDNS, as RFC6975 | |
2506 | * makes it very clear that the algorithm data should only | |
2507 | * be contained in questions, never in replies. Crappy | |
2508 | * Belkin routers copy the OPT data for example, hence let's | |
2509 | * detect this so that we downgrade early. */ | |
dffb8277 | 2510 | log_debug("OPT RR contains RFC6975 data, ignoring."); |
c3f7000e LP |
2511 | bad_opt = true; |
2512 | continue; | |
2513 | } | |
4a49e560 | 2514 | } |
e6b57b37 | 2515 | |
4a49e560 | 2516 | p->opt = dns_resource_record_ref(rr); |
93748b26 LP |
2517 | p->opt_start = start; |
2518 | assert(p->rindex >= start); | |
2519 | p->opt_size = p->rindex - start; | |
4a49e560 | 2520 | } else { |
fa4e74b8 LP |
2521 | DnsAnswerFlags flags = 0; |
2522 | ||
8ec951e8 BP |
2523 | if (p->protocol == DNS_PROTOCOL_MDNS) { |
2524 | flags |= DNS_ANSWER_REFUSE_TTL_NO_MATCH; | |
2525 | if (!cache_flush) | |
2526 | flags |= DNS_ANSWER_SHARED_OWNER; | |
2527 | } | |
fa4e74b8 LP |
2528 | |
2529 | /* According to RFC 4795, section 2.9. only the RRs from the Answer section shall be | |
2530 | * cached. Hence mark only those RRs as cacheable by default, but not the ones from | |
82af03c2 VCS |
2531 | * the Additional or Authority sections. |
2532 | * This restriction does not apply to mDNS records (RFC 6762). */ | |
fa4e74b8 LP |
2533 | if (i < DNS_PACKET_ANCOUNT(p)) |
2534 | flags |= DNS_ANSWER_CACHEABLE|DNS_ANSWER_SECTION_ANSWER; | |
2535 | else if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p)) | |
2536 | flags |= DNS_ANSWER_SECTION_AUTHORITY; | |
82af03c2 | 2537 | else { |
fa4e74b8 | 2538 | flags |= DNS_ANSWER_SECTION_ADDITIONAL; |
82af03c2 VCS |
2539 | if (p->protocol == DNS_PROTOCOL_MDNS) |
2540 | flags |= DNS_ANSWER_CACHEABLE; | |
2541 | } | |
4a49e560 | 2542 | |
04617bf8 | 2543 | r = dns_answer_add(answer, rr, p->ifindex, flags, NULL); |
4a49e560 ZJS |
2544 | if (r < 0) |
2545 | return r; | |
2546 | } | |
d75acfb0 | 2547 | |
b87fbe5f | 2548 | /* Remember this RR, so that we can potentially merge its ->key object with the |
4a49e560 ZJS |
2549 | * next RR. Note that we only do this if we actually decided to keep the RR around. |
2550 | */ | |
7daeec3e | 2551 | DNS_RR_REPLACE(previous, dns_resource_record_ref(rr)); |
4a49e560 | 2552 | } |
105e1512 | 2553 | |
18674159 | 2554 | if (bad_opt) { |
4a49e560 | 2555 | p->opt = dns_resource_record_unref(p->opt); |
18674159 LP |
2556 | p->opt_start = p->opt_size = SIZE_MAX; |
2557 | } | |
105e1512 | 2558 | |
1cc6c93a YW |
2559 | *ret_answer = TAKE_PTR(answer); |
2560 | ||
4a49e560 ZJS |
2561 | return 0; |
2562 | } | |
ebc8a106 | 2563 | |
4a49e560 | 2564 | int dns_packet_extract(DnsPacket *p) { |
0c4f37f0 | 2565 | assert(p); |
c3f7000e | 2566 | |
4a49e560 ZJS |
2567 | if (p->extracted) |
2568 | return 0; | |
2569 | ||
0c4f37f0 ZJS |
2570 | _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL; |
2571 | _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL; | |
fc44acc0 | 2572 | _unused_ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p); |
0c4f37f0 ZJS |
2573 | int r; |
2574 | ||
4a49e560 ZJS |
2575 | dns_packet_rewind(p, DNS_PACKET_HEADER_SIZE); |
2576 | ||
2577 | r = dns_packet_extract_question(p, &question); | |
2578 | if (r < 0) | |
2579 | return r; | |
2580 | ||
2581 | r = dns_packet_extract_answer(p, &answer); | |
2582 | if (r < 0) | |
2583 | return r; | |
322345fd | 2584 | |
894c7b77 LP |
2585 | if (p->rindex < p->size) { |
2586 | log_debug("Trailing garbage in packet, suppressing OPT."); | |
2587 | p->opt = dns_resource_record_unref(p->opt); | |
2588 | p->opt_start = p->opt_size = SIZE_MAX; | |
2589 | } | |
2590 | ||
1cc6c93a YW |
2591 | p->question = TAKE_PTR(question); |
2592 | p->answer = TAKE_PTR(answer); | |
a4076574 LP |
2593 | p->extracted = true; |
2594 | ||
e18a3c73 ZJS |
2595 | /* no CANCEL, always rewind */ |
2596 | return 0; | |
322345fd LP |
2597 | } |
2598 | ||
8af5b883 LP |
2599 | int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) { |
2600 | int r; | |
2601 | ||
2602 | assert(p); | |
2603 | assert(key); | |
2604 | ||
2605 | /* Checks if the specified packet is a reply for the specified | |
2606 | * key and the specified key is the only one in the question | |
2607 | * section. */ | |
2608 | ||
2609 | if (DNS_PACKET_QR(p) != 1) | |
2610 | return 0; | |
2611 | ||
2612 | /* Let's unpack the packet, if that hasn't happened yet. */ | |
2613 | r = dns_packet_extract(p); | |
2614 | if (r < 0) | |
2615 | return r; | |
2616 | ||
a924f43f EV |
2617 | if (!p->question) |
2618 | return 0; | |
2619 | ||
8af5b883 LP |
2620 | if (p->question->n_keys != 1) |
2621 | return 0; | |
2622 | ||
ab715ddb | 2623 | return dns_resource_key_equal(dns_question_first_key(p->question), key); |
8af5b883 LP |
2624 | } |
2625 | ||
93748b26 LP |
2626 | int dns_packet_patch_max_udp_size(DnsPacket *p, uint16_t max_udp_size) { |
2627 | assert(p); | |
2628 | assert(max_udp_size >= DNS_PACKET_UNICAST_SIZE_MAX); | |
2629 | ||
f5fbe71d | 2630 | if (p->opt_start == SIZE_MAX) /* No OPT section, nothing to patch */ |
93748b26 LP |
2631 | return 0; |
2632 | ||
f5fbe71d | 2633 | assert(p->opt_size != SIZE_MAX); |
93748b26 LP |
2634 | assert(p->opt_size >= 5); |
2635 | ||
2636 | unaligned_write_be16(DNS_PACKET_DATA(p) + p->opt_start + 3, max_udp_size); | |
2637 | return 1; | |
2638 | } | |
2639 | ||
81b4d94d | 2640 | static int patch_rr(DnsPacket *p, usec_t age) { |
0c4f37f0 | 2641 | _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p); |
81b4d94d LP |
2642 | size_t ttl_index; |
2643 | uint32_t ttl; | |
2644 | uint16_t type, rdlength; | |
2645 | int r; | |
2646 | ||
0f1f933b | 2647 | /* Patches the RR at the current rindex, subtracts the specified time from the TTL */ |
81b4d94d LP |
2648 | |
2649 | r = dns_packet_read_name(p, NULL, true, NULL); | |
2650 | if (r < 0) | |
2651 | return r; | |
2652 | ||
2653 | r = dns_packet_read_uint16(p, &type, NULL); | |
2654 | if (r < 0) | |
2655 | return r; | |
2656 | ||
2657 | r = dns_packet_read_uint16(p, NULL, NULL); | |
2658 | if (r < 0) | |
2659 | return r; | |
2660 | ||
2661 | r = dns_packet_read_uint32(p, &ttl, &ttl_index); | |
2662 | if (r < 0) | |
2663 | return r; | |
2664 | ||
2665 | if (type != DNS_TYPE_OPT) { /* The TTL of the OPT field is not actually a TTL, skip it */ | |
2666 | ttl = LESS_BY(ttl * USEC_PER_SEC, age) / USEC_PER_SEC; | |
2667 | unaligned_write_be32(DNS_PACKET_DATA(p) + ttl_index, ttl); | |
2668 | } | |
2669 | ||
2670 | r = dns_packet_read_uint16(p, &rdlength, NULL); | |
2671 | if (r < 0) | |
2672 | return r; | |
2673 | ||
2674 | r = dns_packet_read(p, rdlength, NULL, NULL); | |
2675 | if (r < 0) | |
2676 | return r; | |
2677 | ||
2678 | CANCEL_REWINDER(rewinder); | |
2679 | return 0; | |
2680 | } | |
2681 | ||
2682 | int dns_packet_patch_ttls(DnsPacket *p, usec_t timestamp) { | |
81b4d94d LP |
2683 | assert(p); |
2684 | assert(timestamp_is_set(timestamp)); | |
2685 | ||
2686 | /* Adjusts all TTLs in the packet by subtracting the time difference between now and the specified timestamp */ | |
2687 | ||
fc44acc0 | 2688 | _unused_ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p); |
64ea42e9 | 2689 | unsigned n; |
0c4f37f0 ZJS |
2690 | usec_t k; |
2691 | int r; | |
2692 | ||
ba4e0427 | 2693 | k = now(CLOCK_BOOTTIME); |
81b4d94d LP |
2694 | assert(k >= timestamp); |
2695 | k -= timestamp; | |
2696 | ||
81b4d94d LP |
2697 | dns_packet_rewind(p, DNS_PACKET_HEADER_SIZE); |
2698 | ||
2699 | n = DNS_PACKET_QDCOUNT(p); | |
64ea42e9 | 2700 | for (unsigned i = 0; i < n; i++) { |
81b4d94d LP |
2701 | r = dns_packet_read_key(p, NULL, NULL, NULL); |
2702 | if (r < 0) | |
2703 | return r; | |
2704 | } | |
2705 | ||
2706 | n = DNS_PACKET_RRCOUNT(p); | |
64ea42e9 | 2707 | for (unsigned i = 0; i < n; i++) { |
81b4d94d LP |
2708 | |
2709 | /* DNS servers suck, hence the RR count is in many servers off. If we reached the end | |
2710 | * prematurely, accept that, exit early */ | |
2711 | if (p->rindex == p->size) | |
2712 | break; | |
2713 | ||
2714 | r = patch_rr(p, k); | |
2715 | if (r < 0) | |
2716 | return r; | |
2717 | } | |
2718 | ||
2719 | return 0; | |
2720 | } | |
2721 | ||
7a08d314 | 2722 | static void dns_packet_hash_func(const DnsPacket *s, struct siphash *state) { |
98767d75 IT |
2723 | assert(s); |
2724 | ||
c01a5c05 | 2725 | siphash24_compress_typesafe(s->size, state); |
98767d75 IT |
2726 | siphash24_compress(DNS_PACKET_DATA((DnsPacket*) s), s->size, state); |
2727 | } | |
2728 | ||
7a08d314 | 2729 | static int dns_packet_compare_func(const DnsPacket *x, const DnsPacket *y) { |
a0edd02e | 2730 | int r; |
98767d75 | 2731 | |
a0edd02e FB |
2732 | r = CMP(x->size, y->size); |
2733 | if (r != 0) | |
2734 | return r; | |
98767d75 IT |
2735 | |
2736 | return memcmp(DNS_PACKET_DATA((DnsPacket*) x), DNS_PACKET_DATA((DnsPacket*) y), x->size); | |
2737 | } | |
2738 | ||
7a08d314 | 2739 | DEFINE_HASH_OPS(dns_packet_hash_ops, DnsPacket, dns_packet_hash_func, dns_packet_compare_func); |
98767d75 | 2740 | |
a9fd8837 LP |
2741 | bool dns_packet_equal(const DnsPacket *a, const DnsPacket *b) { |
2742 | return dns_packet_compare_func(a, b) == 0; | |
2743 | } | |
2744 | ||
71682ac6 | 2745 | int dns_packet_ede_rcode(DnsPacket *p, int *ret_ede_rcode, char **ret_ede_msg) { |
ac684446 RP |
2746 | const uint8_t *d; |
2747 | size_t l; | |
71682ac6 YW |
2748 | int r; |
2749 | ||
2750 | assert(p); | |
ac684446 RP |
2751 | |
2752 | if (!p->opt) | |
71682ac6 | 2753 | return -ENOENT; |
ac684446 RP |
2754 | |
2755 | d = p->opt->opt.data; | |
2756 | l = p->opt->opt.data_size; | |
2757 | ||
2758 | while (l > 0) { | |
2759 | uint16_t code, length; | |
2760 | ||
2761 | if (l < 4U) | |
2762 | return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), | |
2763 | "EDNS0 variable part has invalid size."); | |
2764 | ||
2765 | code = unaligned_read_be16(d); | |
2766 | length = unaligned_read_be16(d + 2); | |
2767 | ||
2768 | if (l < 4U + length) | |
2769 | return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), | |
2770 | "Truncated option in EDNS0 variable part."); | |
2771 | ||
2772 | if (code == DNS_EDNS_OPT_EXT_ERROR) { | |
71682ac6 YW |
2773 | _cleanup_free_ char *msg = NULL; |
2774 | ||
ac684446 RP |
2775 | if (length < 2U) |
2776 | return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), | |
71682ac6 YW |
2777 | "EDNS0 truncated EDE info code."); |
2778 | ||
2779 | r = make_cstring((char *) d + 6, length - 2U, MAKE_CSTRING_ALLOW_TRAILING_NUL, &msg); | |
ac684446 | 2780 | if (r < 0) |
71682ac6 YW |
2781 | return log_debug_errno(r, "Invalid EDE text in opt."); |
2782 | ||
2783 | if (ret_ede_msg) { | |
2784 | if (!utf8_is_valid(msg)) { | |
2785 | _cleanup_free_ char *msg_escaped = NULL; | |
2786 | ||
2787 | msg_escaped = cescape(msg); | |
2788 | if (!msg_escaped) | |
2789 | return log_oom_debug(); | |
2790 | ||
2791 | *ret_ede_msg = TAKE_PTR(msg_escaped); | |
2792 | } else | |
2793 | *ret_ede_msg = TAKE_PTR(msg); | |
ac684446 | 2794 | } |
71682ac6 YW |
2795 | |
2796 | if (ret_ede_rcode) | |
2797 | *ret_ede_rcode = unaligned_read_be16(d + 4); | |
2798 | ||
2799 | return 0; | |
ac684446 RP |
2800 | } |
2801 | ||
2802 | d += 4U + length; | |
2803 | l -= 4U + length; | |
2804 | } | |
2805 | ||
71682ac6 | 2806 | return -ENOENT; |
ac684446 RP |
2807 | } |
2808 | ||
2809 | bool dns_ede_rcode_is_dnssec(int ede_rcode) { | |
2810 | return IN_SET(ede_rcode, | |
2811 | DNS_EDE_RCODE_UNSUPPORTED_DNSKEY_ALG, | |
2812 | DNS_EDE_RCODE_UNSUPPORTED_DS_DIGEST, | |
2813 | DNS_EDE_RCODE_DNSSEC_INDETERMINATE, | |
2814 | DNS_EDE_RCODE_DNSSEC_BOGUS, | |
2815 | DNS_EDE_RCODE_SIG_EXPIRED, | |
2816 | DNS_EDE_RCODE_SIG_NOT_YET_VALID, | |
2817 | DNS_EDE_RCODE_DNSKEY_MISSING, | |
2818 | DNS_EDE_RCODE_RRSIG_MISSING, | |
2819 | DNS_EDE_RCODE_NO_ZONE_KEY_BIT, | |
2820 | DNS_EDE_RCODE_NSEC_MISSING | |
2821 | ); | |
2822 | } | |
2823 | ||
4a6eb824 LP |
2824 | int dns_packet_has_nsid_request(DnsPacket *p) { |
2825 | bool has_nsid = false; | |
2826 | const uint8_t *d; | |
2827 | size_t l; | |
2828 | ||
2829 | assert(p); | |
2830 | ||
2831 | if (!p->opt) | |
2832 | return false; | |
2833 | ||
2834 | d = p->opt->opt.data; | |
2835 | l = p->opt->opt.data_size; | |
2836 | ||
2837 | while (l > 0) { | |
2838 | uint16_t code, length; | |
2839 | ||
2840 | if (l < 4U) | |
2841 | return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), | |
2842 | "EDNS0 variable part has invalid size."); | |
2843 | ||
2844 | code = unaligned_read_be16(d); | |
2845 | length = unaligned_read_be16(d + 2); | |
2846 | ||
2847 | if (l < 4U + length) | |
2848 | return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), | |
2849 | "Truncated option in EDNS0 variable part."); | |
2850 | ||
980cb160 | 2851 | if (code == DNS_EDNS_OPT_NSID) { |
4a6eb824 LP |
2852 | if (has_nsid) |
2853 | return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), | |
2854 | "Duplicate NSID option in EDNS0 variable part."); | |
2855 | ||
2856 | if (length != 0) | |
2857 | return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), | |
2858 | "Non-empty NSID option in DNS request."); | |
2859 | ||
2860 | has_nsid = true; | |
2861 | } | |
2862 | ||
2863 | d += 4U + length; | |
2864 | l -= 4U + length; | |
2865 | } | |
2866 | ||
2867 | return has_nsid; | |
2868 | } | |
2869 | ||
acbf761b LP |
2870 | size_t dns_packet_size_unfragmented(DnsPacket *p) { |
2871 | assert(p); | |
2872 | ||
2873 | if (p->fragsize == 0) /* Wasn't fragmented */ | |
2874 | return p->size; | |
2875 | ||
2876 | /* The fragment size (p->fragsize) covers the whole (fragmented) IP packet, while the regular packet | |
2877 | * size (p->size) only covers the DNS part. Thus, subtract the UDP header from the largest fragment | |
2878 | * size, in order to determine which size of DNS packet would have gone through without | |
2879 | * fragmenting. */ | |
2880 | ||
2881 | return LESS_BY(p->fragsize, udp_header_size(p->family)); | |
2882 | } | |
2883 | ||
74b2466e | 2884 | static const char* const dns_rcode_table[_DNS_RCODE_MAX_DEFINED] = { |
e3e64a1a ZJS |
2885 | [DNS_RCODE_SUCCESS] = "SUCCESS", |
2886 | [DNS_RCODE_FORMERR] = "FORMERR", | |
2887 | [DNS_RCODE_SERVFAIL] = "SERVFAIL", | |
2888 | [DNS_RCODE_NXDOMAIN] = "NXDOMAIN", | |
2889 | [DNS_RCODE_NOTIMP] = "NOTIMP", | |
2890 | [DNS_RCODE_REFUSED] = "REFUSED", | |
2891 | [DNS_RCODE_YXDOMAIN] = "YXDOMAIN", | |
2892 | [DNS_RCODE_YXRRSET] = "YRRSET", | |
2893 | [DNS_RCODE_NXRRSET] = "NXRRSET", | |
2894 | [DNS_RCODE_NOTAUTH] = "NOTAUTH", | |
2895 | [DNS_RCODE_NOTZONE] = "NOTZONE", | |
a92ea352 | 2896 | [DNS_RCODE_DSOTYPENI] = "DSOTYPENI", |
e3e64a1a ZJS |
2897 | [DNS_RCODE_BADVERS] = "BADVERS", |
2898 | [DNS_RCODE_BADKEY] = "BADKEY", | |
2899 | [DNS_RCODE_BADTIME] = "BADTIME", | |
2900 | [DNS_RCODE_BADMODE] = "BADMODE", | |
2901 | [DNS_RCODE_BADNAME] = "BADNAME", | |
2902 | [DNS_RCODE_BADALG] = "BADALG", | |
2903 | [DNS_RCODE_BADTRUNC] = "BADTRUNC", | |
6f21e066 | 2904 | [DNS_RCODE_BADCOOKIE] = "BADCOOKIE", |
74b2466e LP |
2905 | }; |
2906 | DEFINE_STRING_TABLE_LOOKUP(dns_rcode, int); | |
1716f6dc | 2907 | |
0d609349 YW |
2908 | const char *format_dns_rcode(int i, char buf[static DECIMAL_STR_MAX(int)]) { |
2909 | const char *p = dns_rcode_to_string(i); | |
2910 | if (p) | |
2911 | return p; | |
2912 | ||
2913 | return snprintf_ok(buf, DECIMAL_STR_MAX(int), "%i", i); | |
2914 | } | |
2915 | ||
056db786 RP |
2916 | static const char* const dns_ede_rcode_table[_DNS_EDE_RCODE_MAX_DEFINED] = { |
2917 | [DNS_EDE_RCODE_OTHER] = "Other", | |
2918 | [DNS_EDE_RCODE_UNSUPPORTED_DNSKEY_ALG] = "Unsupported DNSKEY Algorithm", | |
2919 | [DNS_EDE_RCODE_UNSUPPORTED_DS_DIGEST] = "Unsupported DS Digest Type", | |
2920 | [DNS_EDE_RCODE_STALE_ANSWER] = "Stale Answer", | |
2921 | [DNS_EDE_RCODE_FORGED_ANSWER] = "Forged Answer", | |
2922 | [DNS_EDE_RCODE_DNSSEC_INDETERMINATE] = "DNSSEC Indeterminate", | |
2923 | [DNS_EDE_RCODE_DNSSEC_BOGUS] = "DNSSEC Bogus", | |
2924 | [DNS_EDE_RCODE_SIG_EXPIRED] = "Signature Expired", | |
2925 | [DNS_EDE_RCODE_SIG_NOT_YET_VALID] = "Signature Not Yet Valid", | |
2926 | [DNS_EDE_RCODE_DNSKEY_MISSING] = "DNSKEY Missing", | |
2927 | [DNS_EDE_RCODE_RRSIG_MISSING] = "RRSIG Missing", | |
2928 | [DNS_EDE_RCODE_NO_ZONE_KEY_BIT] = "No Zone Key Bit Set", | |
2929 | [DNS_EDE_RCODE_NSEC_MISSING] = "NSEC Missing", | |
2930 | [DNS_EDE_RCODE_CACHED_ERROR] = "Cached Error", | |
2931 | [DNS_EDE_RCODE_NOT_READY] = "Not Ready", | |
2932 | [DNS_EDE_RCODE_BLOCKED] = "Blocked", | |
2933 | [DNS_EDE_RCODE_CENSORED] = "Censored", | |
2934 | [DNS_EDE_RCODE_FILTERED] = "Filtered", | |
2935 | [DNS_EDE_RCODE_PROHIBITIED] = "Prohibited", | |
2936 | [DNS_EDE_RCODE_STALE_NXDOMAIN_ANSWER] = "Stale NXDOMAIN Answer", | |
2937 | [DNS_EDE_RCODE_NOT_AUTHORITATIVE] = "Not Authoritative", | |
2938 | [DNS_EDE_RCODE_NOT_SUPPORTED] = "Not Supported", | |
2939 | [DNS_EDE_RCODE_UNREACH_AUTHORITY] = "No Reachable Authority", | |
2940 | [DNS_EDE_RCODE_NET_ERROR] = "Network Error", | |
2941 | [DNS_EDE_RCODE_INVALID_DATA] = "Invalid Data", | |
2942 | [DNS_EDE_RCODE_SIG_NEVER] = "Signature Never Valid", | |
2943 | [DNS_EDE_RCODE_TOO_EARLY] = "Too Early", | |
2944 | [DNS_EDE_RCODE_UNSUPPORTED_NSEC3_ITER] = "Unsupported NSEC3 Iterations", | |
2945 | [DNS_EDE_RCODE_TRANSPORT_POLICY] = "Impossible Transport Policy", | |
2946 | [DNS_EDE_RCODE_SYNTHESIZED] = "Synthesized", | |
2947 | }; | |
ac684446 | 2948 | DEFINE_STRING_TABLE_LOOKUP_TO_STRING(dns_ede_rcode, int); |
056db786 RP |
2949 | |
2950 | const char *format_dns_ede_rcode(int i, char buf[static DECIMAL_STR_MAX(int)]) { | |
2951 | const char *p = dns_ede_rcode_to_string(i); | |
2952 | if (p) | |
2953 | return p; | |
2954 | ||
2955 | return snprintf_ok(buf, DECIMAL_STR_MAX(int), "%i", i); | |
2956 | } | |
2957 | ||
ee9581e5 RP |
2958 | static const char* const dns_svc_param_key_table[_DNS_SVC_PARAM_KEY_MAX_DEFINED] = { |
2959 | [DNS_SVC_PARAM_KEY_MANDATORY] = "mandatory", | |
2960 | [DNS_SVC_PARAM_KEY_ALPN] = "alpn", | |
2961 | [DNS_SVC_PARAM_KEY_NO_DEFAULT_ALPN] = "no-default-alpn", | |
2962 | [DNS_SVC_PARAM_KEY_PORT] = "port", | |
2963 | [DNS_SVC_PARAM_KEY_IPV4HINT] = "ipv4hint", | |
2964 | [DNS_SVC_PARAM_KEY_ECH] = "ech", | |
2965 | [DNS_SVC_PARAM_KEY_IPV6HINT] = "ipv6hint", | |
2966 | [DNS_SVC_PARAM_KEY_DOHPATH] = "dohpath", | |
2967 | [DNS_SVC_PARAM_KEY_OHTTP] = "ohttp", | |
2968 | }; | |
2969 | DEFINE_STRING_TABLE_LOOKUP_TO_STRING(dns_svc_param_key, int); | |
2970 | ||
2971 | const char *format_dns_svc_param_key(uint16_t i, char buf[static DECIMAL_STR_MAX(uint16_t)+3]) { | |
2972 | const char *p = dns_svc_param_key_to_string(i); | |
2973 | if (p) | |
2974 | return p; | |
2975 | ||
2976 | return snprintf_ok(buf, DECIMAL_STR_MAX(uint16_t)+3, "key%i", i); | |
2977 | } | |
2978 | ||
1716f6dc | 2979 | static const char* const dns_protocol_table[_DNS_PROTOCOL_MAX] = { |
e3e64a1a ZJS |
2980 | [DNS_PROTOCOL_DNS] = "dns", |
2981 | [DNS_PROTOCOL_MDNS] = "mdns", | |
1716f6dc LP |
2982 | [DNS_PROTOCOL_LLMNR] = "llmnr", |
2983 | }; | |
2984 | DEFINE_STRING_TABLE_LOOKUP(dns_protocol, DnsProtocol); |