]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/resolve/resolved-dns-packet.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tree-wise: several cleanups for logging
[thirdparty/systemd.git] / src / resolve / resolved-dns-packet.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
74b2466e 2
73a4cd17 3#if HAVE_GCRYPT
7e8facb3 4# include <gcrypt.h>
73a4cd17
MCO		 5#endif
6
b5efdb8a 7#include "alloc-util.h"
4ad7f276 8#include "dns-domain.h"
ac684446 9#include "escape.h"
0a970718 10#include "memory-util.h"
74b2466e 11#include "resolved-dns-packet.h"
2d34cf0c 12#include "set.h"
0d609349 13#include "stdio-util.h"
8b43440b
LP		 14#include "string-table.h"
15#include "strv.h"
16#include "unaligned.h"
17#include "utf8.h"
74b2466e 18
7586f4d1
TG		 19#define EDNS0_OPT_DO (1<<15)
20
ab1a1ba5 21assert_cc(DNS_PACKET_SIZE_START > DNS_PACKET_HEADER_SIZE);
88795538 22
e18a3c73
ZJS		 23typedef struct DnsPacketRewinder {
24 DnsPacket *packet;
25 size_t saved_rindex;
26} DnsPacketRewinder;
27
28static void rewind_dns_packet(DnsPacketRewinder *rewinder) {
29 if (rewinder->packet)
30 dns_packet_rewind(rewinder->packet, rewinder->saved_rindex);
31}
32
0c4f37f0
ZJS		 33#define REWINDER_INIT(p) { \
34 .packet = (p), \
35 .saved_rindex = (p)->rindex, \
36 }
37#define CANCEL_REWINDER(rewinder) do { (rewinder).packet = NULL; } while (0)
e18a3c73 38
51027656
LP		 39int dns_packet_new(
40 DnsPacket **ret,
41 DnsProtocol protocol,
42 size_t min_alloc_dsize,
43 size_t max_size) {
44
74b2466e
LP		 45 DnsPacket *p;
46 size_t a;
47
48 assert(ret);
51027656
LP		 49 assert(max_size >= DNS_PACKET_HEADER_SIZE);
50
51 if (max_size > DNS_PACKET_SIZE_MAX)
52 max_size = DNS_PACKET_SIZE_MAX;
74b2466e 53
46a58596
BR		 54 /* The caller may not check what is going to be truly allocated, so do not allow to
55 * allocate a DNS packet bigger than DNS_PACKET_SIZE_MAX.
56 */
baaa35ad
ZJS		 57 if (min_alloc_dsize > DNS_PACKET_SIZE_MAX)
58 return log_error_errno(SYNTHETIC_ERRNO(EFBIG),
59 "Requested packet data size too big: %zu",
60 min_alloc_dsize);
46a58596
BR		 61
62 /* When dns_packet_new() is called with min_alloc_dsize == 0, allocate more than the
88795538
ZJS		 63 * absolute minimum (which is the dns packet header size), to avoid
64 * resizing immediately again after appending the first data to the packet.
65 */
46a58596 66 if (min_alloc_dsize < DNS_PACKET_HEADER_SIZE)
88795538
ZJS		 67 a = DNS_PACKET_SIZE_START;
68 else
46a58596 69 a = min_alloc_dsize;
74b2466e 70
c73ce96b
LP		 71 /* round up to next page size */
72 a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));
73
74 /* make sure we never allocate more than useful */
51027656
LP		 75 if (a > max_size)
76 a = max_size;
c73ce96b 77
74b2466e
LP		 78 p = malloc0(ALIGN(sizeof(DnsPacket)) + a);
79 if (!p)
80 return -ENOMEM;
81
1ed31408
LP		 82 *p = (DnsPacket) {
83 .n_ref = 1,
84 .protocol = protocol,
85 .size = DNS_PACKET_HEADER_SIZE,
86 .rindex = DNS_PACKET_HEADER_SIZE,
87 .allocated = a,
88 .max_size = max_size,
f5fbe71d
YW		 89 .opt_start = SIZE_MAX,
90 .opt_size = SIZE_MAX,
1ed31408 91 };
74b2466e
LP		 92
93 *ret = p;
94
95 return 0;
96}
97
dbfbb6e7 98void dns_packet_set_flags(DnsPacket *p, bool dnssec_checking_disabled, bool truncated) {
74b2466e 99
dbfbb6e7 100 DnsPacketHeader *h;
74b2466e 101
dbfbb6e7 102 assert(p);
74b2466e
LP		 103
104 h = DNS_PACKET_HEADER(p);
1716f6dc 105
79893116 106 switch (p->protocol) {
dbfbb6e7
DM		 107 case DNS_PROTOCOL_LLMNR:
108 assert(!truncated);
109
069360a6
LP		 110 h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
111 0 /* opcode */,
112 0 /* c */,
e5abebab 113 0 /* tc */,
069360a6
LP		 114 0 /* t */,
115 0 /* ra */,
116 0 /* ad */,
117 0 /* cd */,
118 0 /* rcode */));
dbfbb6e7
DM		 119 break;
120
121 case DNS_PROTOCOL_MDNS:
122 h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
123 0 /* opcode */,
124 0 /* aa */,
125 truncated /* tc */,
126 0 /* rd (ask for recursion) */,
127 0 /* ra */,
128 0 /* ad */,
129 0 /* cd */,
130 0 /* rcode */));
131 break;
132
133 default:
134 assert(!truncated);
135
069360a6
LP		 136 h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
137 0 /* opcode */,
138 0 /* aa */,
139 0 /* tc */,
140 1 /* rd (ask for recursion) */,
141 0 /* ra */,
142 0 /* ad */,
24710c48 143 dnssec_checking_disabled /* cd */,
069360a6 144 0 /* rcode */));
dbfbb6e7
DM		 145 }
146}
147
46a58596 148int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t min_alloc_dsize, bool dnssec_checking_disabled) {
dbfbb6e7
DM		 149 DnsPacket *p;
150 int r;
151
152 assert(ret);
153
51027656 154 r = dns_packet_new(&p, protocol, min_alloc_dsize, DNS_PACKET_SIZE_MAX);
dbfbb6e7
DM		 155 if (r < 0)
156 return r;
157
158 /* Always set the TC bit to 0 initially.
159 * If there are multiple packets later, we'll update the bit shortly before sending.
160 */
161 dns_packet_set_flags(p, dnssec_checking_disabled, false);
74b2466e
LP		 162
163 *ret = p;
164 return 0;
165}
166
1a6cd020
LP		 167int dns_packet_dup(DnsPacket **ret, DnsPacket *p) {
168 DnsPacket *c;
169 int r;
170
171 assert(ret);
172 assert(p);
173
174 r = dns_packet_validate(p);
175 if (r < 0)
176 return r;
177
178 c = malloc(ALIGN(sizeof(DnsPacket)) + p->size);
179 if (!c)
180 return -ENOMEM;
181
182 *c = (DnsPacket) {
183 .n_ref = 1,
184 .protocol = p->protocol,
185 .size = p->size,
186 .rindex = DNS_PACKET_HEADER_SIZE,
187 .allocated = p->size,
188 .max_size = p->max_size,
f5fbe71d
YW		 189 .opt_start = SIZE_MAX,
190 .opt_size = SIZE_MAX,
1a6cd020
LP		 191 };
192
193 memcpy(DNS_PACKET_DATA(c), DNS_PACKET_DATA(p), p->size);
194
195 *ret = c;
196 return 0;
197}
198
74b2466e
LP		 199DnsPacket *dns_packet_ref(DnsPacket *p) {
200
201 if (!p)
202 return NULL;
203
a8812dd7
LP		 204 assert(!p->on_stack);
205
74b2466e
LP		 206 assert(p->n_ref > 0);
207 p->n_ref++;
208 return p;
209}
210
211static void dns_packet_free(DnsPacket *p) {
212 char *s;
213
214 assert(p);
215
faa133f3
LP		 216 dns_question_unref(p->question);
217 dns_answer_unref(p->answer);
d75acfb0 218 dns_resource_record_unref(p->opt);
322345fd 219
74b2466e
LP		 220 while ((s = hashmap_steal_first_key(p->names)))
221 free(s);
222 hashmap_free(p->names);
223
faa133f3 224 free(p->_data);
a8812dd7
LP		 225
226 if (!p->on_stack)
227 free(p);
74b2466e
LP		 228}
229
230DnsPacket *dns_packet_unref(DnsPacket *p) {
231 if (!p)
232 return NULL;
233
234 assert(p->n_ref > 0);
235
6728a58d 236 dns_packet_unref(p->more);
9c491563 237
74b2466e
LP		 238 if (p->n_ref == 1)
239 dns_packet_free(p);
240 else
241 p->n_ref--;
242
243 return NULL;
244}
245
246int dns_packet_validate(DnsPacket *p) {
247 assert(p);
248
249 if (p->size < DNS_PACKET_HEADER_SIZE)
250 return -EBADMSG;
251
c73ce96b
LP		 252 if (p->size > DNS_PACKET_SIZE_MAX)
253 return -EBADMSG;
254
623a4c97 255 return 1;
74b2466e
LP		 256}
257
258int dns_packet_validate_reply(DnsPacket *p) {
74b2466e
LP		 259 int r;
260
261 assert(p);
262
263 r = dns_packet_validate(p);
264 if (r < 0)
265 return r;
266
623a4c97
LP		 267 if (DNS_PACKET_QR(p) != 1)
268 return 0;
269
270 if (DNS_PACKET_OPCODE(p) != 0)
74b2466e
LP		 271 return -EBADMSG;
272
818ef443 273 switch (p->protocol) {
d75acfb0 274
818ef443
DM		 275 case DNS_PROTOCOL_LLMNR:
276 /* RFC 4795, Section 2.1.1. says to discard all replies with QDCOUNT != 1 */
277 if (DNS_PACKET_QDCOUNT(p) != 1)
278 return -EBADMSG;
279
280 break;
281
4e5bf5e1
DM		 282 case DNS_PROTOCOL_MDNS:
283 /* RFC 6762, Section 18 */
284 if (DNS_PACKET_RCODE(p) != 0)
285 return -EBADMSG;
286
287 break;
288
818ef443
DM		 289 default:
290 break;
291 }
ea917db9 292
623a4c97
LP		 293 return 1;
294}
295
296int dns_packet_validate_query(DnsPacket *p) {
297 int r;
298
299 assert(p);
300
301 r = dns_packet_validate(p);
302 if (r < 0)
303 return r;
304
305 if (DNS_PACKET_QR(p) != 0)
306 return 0;
307
3cb10d3a 308 if (DNS_PACKET_OPCODE(p) != 0)
74b2466e
LP		 309 return -EBADMSG;
310
818ef443 311 switch (p->protocol) {
d75acfb0 312
b30bf55d 313 case DNS_PROTOCOL_DNS:
ba1749f6
YW		 314 if (DNS_PACKET_TC(p))
315 return -EBADMSG;
316
317 if (DNS_PACKET_QDCOUNT(p) != 1)
318 return -EBADMSG;
319
320 if (DNS_PACKET_ANCOUNT(p) > 0)
321 return -EBADMSG;
322
323 /* Note, in most cases, DNS query packet does not have authority section. But some query
324 * types, e.g. IXFR, have Authority sections. Hence, unlike the check for LLMNR, we do not
325 * check DNS_PACKET_NSCOUNT(p) here. */
326 break;
327
328 case DNS_PROTOCOL_LLMNR:
329 if (DNS_PACKET_TC(p))
6f087266
YW		 330 return -EBADMSG;
331
818ef443
DM		 332 /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */
333 if (DNS_PACKET_QDCOUNT(p) != 1)
334 return -EBADMSG;
623a4c97 335
818ef443
DM		 336 /* RFC 4795, Section 2.1.1. says to discard all queries with ANCOUNT != 0 */
337 if (DNS_PACKET_ANCOUNT(p) > 0)
338 return -EBADMSG;
623a4c97 339
818ef443
DM		 340 /* RFC 4795, Section 2.1.1. says to discard all queries with NSCOUNT != 0 */
341 if (DNS_PACKET_NSCOUNT(p) > 0)
342 return -EBADMSG;
343
344 break;
345
4e5bf5e1 346 case DNS_PROTOCOL_MDNS:
ba1749f6
YW		 347 /* Note, mDNS query may have truncation flag. So, unlike the check for DNS and LLMNR,
348 * we do not check DNS_PACKET_TC(p) here. */
349
2aaf3765
SB		 350 /* RFC 6762, Section 18 specifies that messages with non-zero RCODE
351 * must be silently ignored, and that we must ignore the values of
352 * AA, RD, RA, AD, and CD bits. */
353 if (DNS_PACKET_RCODE(p) != 0)
4e5bf5e1
DM		 354 return -EBADMSG;
355
356 break;
357
818ef443
DM		 358 default:
359 break;
360 }
623a4c97
LP		 361
362 return 1;
74b2466e
LP		 363}
364
365static int dns_packet_extend(DnsPacket *p, size_t add, void **ret, size_t *start) {
366 assert(p);
367
c73ce96b 368 if (p->size + add > p->allocated) {
51027656 369 size_t a, ms;
c73ce96b
LP		 370
371 a = PAGE_ALIGN((p->size + add) * 2);
51027656
LP		 372
373 ms = dns_packet_size_max(p);
374 if (a > ms)
375 a = ms;
c73ce96b
LP		 376
377 if (p->size + add > a)
378 return -EMSGSIZE;
379
faa133f3 380 if (p->_data) {
c73ce96b
LP		 381 void *d;
382
faa133f3 383 d = realloc(p->_data, a);
c73ce96b
LP		 384 if (!d)
385 return -ENOMEM;
386
faa133f3 387 p->_data = d;
c73ce96b 388 } else {
faa133f3
LP		 389 p->_data = malloc(a);
390 if (!p->_data)
c73ce96b
LP		 391 return -ENOMEM;
392
faa133f3
LP		 393 memcpy(p->_data, (uint8_t*) p + ALIGN(sizeof(DnsPacket)), p->size);
394 memzero((uint8_t*) p->_data + p->size, a - p->size);
c73ce96b
LP		 395 }
396
397 p->allocated = a;
398 }
74b2466e
LP		 399
400 if (start)
401 *start = p->size;
402
403 if (ret)
404 *ret = (uint8_t*) DNS_PACKET_DATA(p) + p->size;
405
406 p->size += add;
407 return 0;
408}
409
9c5e12a4 410void dns_packet_truncate(DnsPacket *p, size_t sz) {
74b2466e
LP		 411 char *s;
412 void *n;
413
414 assert(p);
415
416 if (p->size <= sz)
417 return;
418
90e74a66 419 HASHMAP_FOREACH_KEY(n, s, p->names) {
74b2466e
LP		 420
421 if (PTR_TO_SIZE(n) < sz)
422 continue;
423
424 hashmap_remove(p->names, s);
425 free(s);
426 }
427
428 p->size = sz;
429}
430
623a4c97
LP		 431int dns_packet_append_blob(DnsPacket *p, const void *d, size_t l, size_t *start) {
432 void *q;
433 int r;
434
435 assert(p);
436
437 r = dns_packet_extend(p, l, &q, start);
438 if (r < 0)
439 return r;
440
1f66559c 441 memcpy_safe(q, d, l);
623a4c97
LP		 442 return 0;
443}
444
74b2466e
LP		 445int dns_packet_append_uint8(DnsPacket *p, uint8_t v, size_t *start) {
446 void *d;
447 int r;
448
449 assert(p);
450
451 r = dns_packet_extend(p, sizeof(uint8_t), &d, start);
452 if (r < 0)
453 return r;
454
455 ((uint8_t*) d)[0] = v;
456
457 return 0;
458}
459
460int dns_packet_append_uint16(DnsPacket *p, uint16_t v, size_t *start) {
461 void *d;
462 int r;
463
464 assert(p);
465
466 r = dns_packet_extend(p, sizeof(uint16_t), &d, start);
467 if (r < 0)
468 return r;
469
725ca0e5 470 unaligned_write_be16(d, v);
623a4c97
LP		 471
472 return 0;
473}
474
475int dns_packet_append_uint32(DnsPacket *p, uint32_t v, size_t *start) {
476 void *d;
477 int r;
478
479 assert(p);
480
481 r = dns_packet_extend(p, sizeof(uint32_t), &d, start);
482 if (r < 0)
483 return r;
484
725ca0e5 485 unaligned_write_be32(d, v);
74b2466e
LP		 486
487 return 0;
488}
489
490int dns_packet_append_string(DnsPacket *p, const char *s, size_t *start) {
74b2466e
LP		 491 assert(p);
492 assert(s);
493
c38a52da 494 return dns_packet_append_raw_string(p, s, strlen(s), start);
74b2466e
LP		 495}
496
2001c805
LP		 497int dns_packet_append_raw_string(DnsPacket *p, const void *s, size_t size, size_t *start) {
498 void *d;
499 int r;
500
501 assert(p);
502 assert(s || size == 0);
503
504 if (size > 255)
505 return -E2BIG;
506
507 r = dns_packet_extend(p, 1 + size, &d, start);
508 if (r < 0)
509 return r;
510
511 ((uint8_t*) d)[0] = (uint8_t) size;
512
75f32f04 513 memcpy_safe(((uint8_t*) d) + 1, s, size);
2001c805
LP		 514
515 return 0;
516}
517
a3db237b 518int dns_packet_append_label(DnsPacket *p, const char *d, size_t l, bool canonical_candidate, size_t *start) {
a8812dd7 519 uint8_t *w;
74b2466e
LP		 520 int r;
521
a3db237b
LP		 522 /* Append a label to a packet. Optionally, does this in DNSSEC
523 * canonical form, if this label is marked as a candidate for
524 * it, and the canonical form logic is enabled for the
525 * packet */
526
74b2466e
LP		 527 assert(p);
528 assert(d);
529
530 if (l > DNS_LABEL_MAX)
531 return -E2BIG;
532
a8812dd7 533 r = dns_packet_extend(p, 1 + l, (void**) &w, start);
74b2466e
LP		 534 if (r < 0)
535 return r;
536
a8812dd7
LP		 537 *(w++) = (uint8_t) l;
538
64ea42e9 539 if (p->canonical_form && canonical_candidate)
a8812dd7
LP		 540 /* Generate in canonical form, as defined by DNSSEC
541 * RFC 4034, Section 6.2, i.e. all lower-case. */
64ea42e9 542 for (size_t i = 0; i < l; i++)
b577e3d5 543 w[i] = (uint8_t) ascii_tolower(d[i]);
64ea42e9 544 else
a8812dd7
LP		 545 /* Otherwise, just copy the string unaltered. This is
546 * essential for DNS-SD, where the casing of labels
547 * matters and needs to be retained. */
548 memcpy(w, d, l);
74b2466e
LP		 549
550 return 0;
551}
552
f6a5fec6
LP		 553int dns_packet_append_name(
554 DnsPacket *p,
555 const char *name,
556 bool allow_compression,
a3db237b 557 bool canonical_candidate,
f6a5fec6
LP		 558 size_t *start) {
559
74b2466e
LP		 560 size_t saved_size;
561 int r;
562
563 assert(p);
564 assert(name);
565
f6a5fec6
LP		 566 if (p->refuse_compression)
567 allow_compression = false;
568
74b2466e
LP		 569 saved_size = p->size;
570
e48b9a64 571 while (!dns_name_is_root(name)) {
08f904fd 572 const char *z = name;
fd7e9887 573 char label[DNS_LABEL_MAX+1];
151226ab 574 size_t n = 0;
74b2466e 575
151226ab
ZJS		 576 if (allow_compression)
577 n = PTR_TO_SIZE(hashmap_get(p->names, name));
74b2466e
LP		 578 if (n > 0) {
579 assert(n < p->size);
580
581 if (n < 0x4000) {
582 r = dns_packet_append_uint16(p, 0xC000 | n, NULL);
583 if (r < 0)
584 goto fail;
585
586 goto done;
587 }
588 }
589
7470cc4c 590 r = dns_label_unescape(&name, label, sizeof label, 0);
74b2466e
LP		 591 if (r < 0)
592 goto fail;
593
a3db237b 594 r = dns_packet_append_label(p, label, r, canonical_candidate, &n);
74b2466e
LP		 595 if (r < 0)
596 goto fail;
597
151226ab 598 if (allow_compression) {
08f904fd
LP		 599 _cleanup_free_ char *s = NULL;
600
601 s = strdup(z);
602 if (!s) {
603 r = -ENOMEM;
604 goto fail;
605 }
606
3004fcd0 607 r = hashmap_ensure_put(&p->names, &dns_name_hash_ops, s, SIZE_TO_PTR(n));
151226ab
ZJS		 608 if (r < 0)
609 goto fail;
74b2466e 610
daced748 611 TAKE_PTR(s);
151226ab 612 }
74b2466e
LP		 613 }
614
615 r = dns_packet_append_uint8(p, 0, NULL);
616 if (r < 0)
617 return r;
618
619done:
620 if (start)
621 *start = saved_size;
622
623 return 0;
624
625fail:
626 dns_packet_truncate(p, saved_size);
627 return r;
628}
629
58ab31d5 630int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *k, const DnsAnswerFlags flags, size_t *start) {
74b2466e 631 size_t saved_size;
58ab31d5 632 uint16_t class;
74b2466e
LP		 633 int r;
634
635 assert(p);
636 assert(k);
637
638 saved_size = p->size;
639
1c02e7ba 640 r = dns_packet_append_name(p, dns_resource_key_name(k), true, true, NULL);
74b2466e
LP		 641 if (r < 0)
642 goto fail;
643
644 r = dns_packet_append_uint16(p, k->type, NULL);
645 if (r < 0)
646 goto fail;
647
82d39576 648 class = flags & DNS_ANSWER_CACHE_FLUSH ? k->class | MDNS_RR_CACHE_FLUSH_OR_QU : k->class;
58ab31d5 649 r = dns_packet_append_uint16(p, class, NULL);
74b2466e
LP		 650 if (r < 0)
651 goto fail;
652
653 if (start)
654 *start = saved_size;
655
656 return 0;
657
658fail:
659 dns_packet_truncate(p, saved_size);
660 return r;
661}
662
e1a9f1a8 663static int dns_packet_append_type_window(DnsPacket *p, uint8_t window, uint8_t length, const uint8_t *types, size_t *start) {
50f1e641
TG		 664 size_t saved_size;
665 int r;
666
667 assert(p);
668 assert(types);
1792f223 669 assert(length > 0);
50f1e641 670
50f1e641
TG		 671 saved_size = p->size;
672
1792f223
TG		 673 r = dns_packet_append_uint8(p, window, NULL);
674 if (r < 0)
675 goto fail;
50f1e641 676
1792f223
TG		 677 r = dns_packet_append_uint8(p, length, NULL);
678 if (r < 0)
679 goto fail;
6fa91901 680
1792f223
TG		 681 r = dns_packet_append_blob(p, types, length, NULL);
682 if (r < 0)
683 goto fail;
50f1e641
TG		 684
685 if (start)
686 *start = saved_size;
687
688 return 0;
689fail:
690 dns_packet_truncate(p, saved_size);
691 return r;
692}
693
694static int dns_packet_append_types(DnsPacket *p, Bitmap *types, size_t *start) {
695 uint8_t window = 0;
1792f223 696 uint8_t entry = 0;
50f1e641
TG		 697 uint8_t bitmaps[32] = {};
698 unsigned n;
699 size_t saved_size;
700 int r;
701
702 assert(p);
50f1e641
TG		 703
704 saved_size = p->size;
705
90e74a66 706 BITMAP_FOREACH(n, types) {
50f1e641
TG		 707 assert(n <= 0xffff);
708
1792f223
TG		 709 if ((n >> 8) != window && bitmaps[entry / 8] != 0) {
710 r = dns_packet_append_type_window(p, window, entry / 8 + 1, bitmaps, NULL);
50f1e641
TG		 711 if (r < 0)
712 goto fail;
713
1792f223 714 zero(bitmaps);
50f1e641
TG		 715 }
716
1792f223 717 window = n >> 8;
50f1e641
TG		 718 entry = n & 255;
719
720 bitmaps[entry / 8] |= 1 << (7 - (entry % 8));
721 }
722
d0ae14ff
LP		 723 if (bitmaps[entry / 8] != 0) {
724 r = dns_packet_append_type_window(p, window, entry / 8 + 1, bitmaps, NULL);
725 if (r < 0)
726 goto fail;
727 }
50f1e641
TG		 728
729 if (start)
730 *start = saved_size;
731
732 return 0;
733fail:
734 dns_packet_truncate(p, saved_size);
735 return r;
736}
737
dc913c9a 738/* Append the OPT pseudo-RR described in RFC6891 */
c36d5b5b
LP		 739int dns_packet_append_opt(
740 DnsPacket *p,
741 uint16_t max_udp_size,
742 bool edns0_do,
743 bool include_rfc6975,
4a6eb824 744 const char *nsid,
c36d5b5b 745 int rcode,
4a6eb824 746 size_t *ret_start) {
c36d5b5b 747
dc913c9a
TG		 748 size_t saved_size;
749 int r;
750
751 assert(p);
752 /* we must never advertise supported packet size smaller than the legacy max */
753 assert(max_udp_size >= DNS_PACKET_UNICAST_SIZE_MAX);
f2ed4c69
LP		 754 assert(rcode >= 0);
755 assert(rcode <= _DNS_RCODE_MAX);
dc913c9a 756
f5fbe71d 757 if (p->opt_start != SIZE_MAX)
519ef046
LP		 758 return -EBUSY;
759
f5fbe71d 760 assert(p->opt_size == SIZE_MAX);
519ef046 761
dc913c9a
TG		 762 saved_size = p->size;
763
764 /* empty name */
765 r = dns_packet_append_uint8(p, 0, NULL);
766 if (r < 0)
767 return r;
768
769 /* type */
770 r = dns_packet_append_uint16(p, DNS_TYPE_OPT, NULL);
771 if (r < 0)
772 goto fail;
773
f2ed4c69 774 /* class: maximum udp packet that can be received */
dc913c9a
TG		 775 r = dns_packet_append_uint16(p, max_udp_size, NULL);
776 if (r < 0)
777 goto fail;
778
779 /* extended RCODE and VERSION */
f2ed4c69 780 r = dns_packet_append_uint16(p, ((uint16_t) rcode & 0x0FF0) << 4, NULL);
dc913c9a
TG		 781 if (r < 0)
782 goto fail;
783
7586f4d1
TG		 784 /* flags: DNSSEC OK (DO), see RFC3225 */
785 r = dns_packet_append_uint16(p, edns0_do ? EDNS0_OPT_DO : 0, NULL);
dc913c9a
TG		 786 if (r < 0)
787 goto fail;
788
c36d5b5b
LP		 789 if (edns0_do && include_rfc6975) {
790 /* If DO is on and this is requested, also append RFC6975 Algorithm data. This is supposed to
791 * be done on queries, not on replies, hencer callers should turn this off when finishing off
792 * replies. */
665408ac
LP		 793
794 static const uint8_t rfc6975[] = {
795
980cb160 796 0, DNS_EDNS_OPT_DAU, /* OPTION_CODE */
7e8facb3 797#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
73a4cd17
MCO		 798 0, 7, /* LIST_LENGTH */
799#else
665408ac 800 0, 6, /* LIST_LENGTH */
73a4cd17 801#endif
665408ac
LP		 802 DNSSEC_ALGORITHM_RSASHA1,
803 DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1,
804 DNSSEC_ALGORITHM_RSASHA256,
805 DNSSEC_ALGORITHM_RSASHA512,
806 DNSSEC_ALGORITHM_ECDSAP256SHA256,
807 DNSSEC_ALGORITHM_ECDSAP384SHA384,
7e8facb3 808#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
73a4cd17
MCO		 809 DNSSEC_ALGORITHM_ED25519,
810#endif
665408ac 811
980cb160 812 0, DNS_EDNS_OPT_DHU, /* OPTION_CODE */
665408ac
LP		 813 0, 3, /* LIST_LENGTH */
814 DNSSEC_DIGEST_SHA1,
815 DNSSEC_DIGEST_SHA256,
816 DNSSEC_DIGEST_SHA384,
817
980cb160 818 0, DNS_EDNS_OPT_N3U, /* OPTION_CODE */
665408ac
LP		 819 0, 1, /* LIST_LENGTH */
820 NSEC3_ALGORITHM_SHA1,
821 };
822
4a6eb824
LP		 823 r = dns_packet_append_uint16(p, sizeof(rfc6975), NULL); /* RDLENGTH */
824 if (r < 0)
825 goto fail;
826
827 r = dns_packet_append_blob(p, rfc6975, sizeof(rfc6975), NULL); /* the payload, as defined above */
828
829 } else if (nsid) {
830
831 if (strlen(nsid) > UINT16_MAX - 4) {
832 r = -E2BIG;
833 goto fail;
834 }
835
836 r = dns_packet_append_uint16(p, 4 + strlen(nsid), NULL); /* RDLENGTH */
665408ac
LP		 837 if (r < 0)
838 goto fail;
839
4a6eb824
LP		 840 r = dns_packet_append_uint16(p, 3, NULL); /* OPTION-CODE: NSID */
841 if (r < 0)
842 goto fail;
843
844 r = dns_packet_append_uint16(p, strlen(nsid), NULL); /* OPTION-LENGTH */
845 if (r < 0)
846 goto fail;
847
848 r = dns_packet_append_blob(p, nsid, strlen(nsid), NULL);
665408ac
LP		 849 } else
850 r = dns_packet_append_uint16(p, 0, NULL);
dc913c9a
TG		 851 if (r < 0)
852 goto fail;
853
519ef046
LP		 854 DNS_PACKET_HEADER(p)->arcount = htobe16(DNS_PACKET_ARCOUNT(p) + 1);
855
856 p->opt_start = saved_size;
857 p->opt_size = p->size - saved_size;
858
4a6eb824
LP		 859 if (ret_start)
860 *ret_start = saved_size;
dc913c9a
TG		 861
862 return 0;
863
864fail:
865 dns_packet_truncate(p, saved_size);
866 return r;
867}
868
519ef046
LP		 869int dns_packet_truncate_opt(DnsPacket *p) {
870 assert(p);
871
f5fbe71d
YW		 872 if (p->opt_start == SIZE_MAX) {
873 assert(p->opt_size == SIZE_MAX);
519ef046
LP		 874 return 0;
875 }
876
f5fbe71d 877 assert(p->opt_size != SIZE_MAX);
519ef046
LP		 878 assert(DNS_PACKET_ARCOUNT(p) > 0);
879
880 if (p->opt_start + p->opt_size != p->size)
881 return -EBUSY;
882
883 dns_packet_truncate(p, p->opt_start);
884 DNS_PACKET_HEADER(p)->arcount = htobe16(DNS_PACKET_ARCOUNT(p) - 1);
f5fbe71d 885 p->opt_start = p->opt_size = SIZE_MAX;
519ef046
LP		 886
887 return 1;
888}
889
58ab31d5 890int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, const DnsAnswerFlags flags, size_t *start, size_t *rdata_start) {
f471bc11 891
a8812dd7 892 size_t saved_size, rdlength_offset, end, rdlength, rds;
c3ae4188 893 uint32_t ttl;
623a4c97
LP		 894 int r;
895
896 assert(p);
897 assert(rr);
898
899 saved_size = p->size;
900
58ab31d5 901 r = dns_packet_append_key(p, rr->key, flags, NULL);
623a4c97
LP		 902 if (r < 0)
903 goto fail;
904
c3ae4188
DR		 905 ttl = flags & DNS_ANSWER_GOODBYE ? 0 : rr->ttl;
906 r = dns_packet_append_uint32(p, ttl, NULL);
623a4c97
LP		 907 if (r < 0)
908 goto fail;
909
910 /* Initially we write 0 here */
911 r = dns_packet_append_uint16(p, 0, &rdlength_offset);
912 if (r < 0)
913 goto fail;
914
a8812dd7
LP		 915 rds = p->size - saved_size;
916
52e085af 917 switch (rr->unparsable ? _DNS_TYPE_INVALID : rr->key->type) {
623a4c97 918
9c92ce6d
LP		 919 case DNS_TYPE_SRV:
920 r = dns_packet_append_uint16(p, rr->srv.priority, NULL);
921 if (r < 0)
922 goto fail;
923
924 r = dns_packet_append_uint16(p, rr->srv.weight, NULL);
925 if (r < 0)
926 goto fail;
927
928 r = dns_packet_append_uint16(p, rr->srv.port, NULL);
929 if (r < 0)
930 goto fail;
931
d9a55740
LP		 932 /* RFC 2782 states "Unless and until permitted by future standards action, name compression
933 * is not to be used for this field." Hence we turn off compression here. */
934 r = dns_packet_append_name(p, rr->srv.name, /* allow_compression= */ false, /* canonical_candidate= */ true, NULL);
9c92ce6d
LP		 935 break;
936
623a4c97
LP		 937 case DNS_TYPE_PTR:
938 case DNS_TYPE_NS:
939 case DNS_TYPE_CNAME:
8ac4e9e1 940 case DNS_TYPE_DNAME:
4e58741d 941 r = dns_packet_append_name(p, rr->ptr.name, true, true, NULL);
623a4c97
LP		 942 break;
943
944 case DNS_TYPE_HINFO:
945 r = dns_packet_append_string(p, rr->hinfo.cpu, NULL);
946 if (r < 0)
947 goto fail;
948
949 r = dns_packet_append_string(p, rr->hinfo.os, NULL);
950 break;
951
9de3e329 952 case DNS_TYPE_SPF: /* exactly the same as TXT */
2001c805 953 case DNS_TYPE_TXT:
2e276efc 954
2001c805 955 if (!rr->txt.items) {
1ccda9b7
LP		 956 /* RFC 6763, section 6.1 suggests to generate
957 * single empty string for an empty array. */
958
2001c805 959 r = dns_packet_append_raw_string(p, NULL, 0, NULL);
2e276efc
ZJS		 960 if (r < 0)
961 goto fail;
03677889 962 } else
2001c805
LP		 963 LIST_FOREACH(items, i, rr->txt.items) {
964 r = dns_packet_append_raw_string(p, i->data, i->length, NULL);
1ccda9b7
LP		 965 if (r < 0)
966 goto fail;
967 }
2e276efc 968
6a6fc3df 969 r = 0;
2e276efc 970 break;
2e276efc 971
623a4c97
LP		 972 case DNS_TYPE_A:
973 r = dns_packet_append_blob(p, &rr->a.in_addr, sizeof(struct in_addr), NULL);
974 break;
975
976 case DNS_TYPE_AAAA:
977 r = dns_packet_append_blob(p, &rr->aaaa.in6_addr, sizeof(struct in6_addr), NULL);
978 break;
979
980 case DNS_TYPE_SOA:
4e58741d 981 r = dns_packet_append_name(p, rr->soa.mname, true, true, NULL);
623a4c97
LP		 982 if (r < 0)
983 goto fail;
984
4e58741d 985 r = dns_packet_append_name(p, rr->soa.rname, true, true, NULL);
623a4c97
LP		 986 if (r < 0)
987 goto fail;
988
989 r = dns_packet_append_uint32(p, rr->soa.serial, NULL);
990 if (r < 0)
991 goto fail;
992
993 r = dns_packet_append_uint32(p, rr->soa.refresh, NULL);
994 if (r < 0)
995 goto fail;
996
997 r = dns_packet_append_uint32(p, rr->soa.retry, NULL);
998 if (r < 0)
999 goto fail;
1000
1001 r = dns_packet_append_uint32(p, rr->soa.expire, NULL);
1002 if (r < 0)
1003 goto fail;
1004
1005 r = dns_packet_append_uint32(p, rr->soa.minimum, NULL);
1006 break;
1007
1008 case DNS_TYPE_MX:
946c7094
ZJS		 1009 r = dns_packet_append_uint16(p, rr->mx.priority, NULL);
1010 if (r < 0)
1011 goto fail;
1012
4e58741d 1013 r = dns_packet_append_name(p, rr->mx.exchange, true, true, NULL);
946c7094
ZJS		 1014 break;
1015
0dae31d4
ZJS		 1016 case DNS_TYPE_LOC:
1017 r = dns_packet_append_uint8(p, rr->loc.version, NULL);
1018 if (r < 0)
1019 goto fail;
1020
1021 r = dns_packet_append_uint8(p, rr->loc.size, NULL);
1022 if (r < 0)
1023 goto fail;
1024
1025 r = dns_packet_append_uint8(p, rr->loc.horiz_pre, NULL);
1026 if (r < 0)
1027 goto fail;
1028
1029 r = dns_packet_append_uint8(p, rr->loc.vert_pre, NULL);
1030 if (r < 0)
1031 goto fail;
1032
afbc4f26 1033 r = dns_packet_append_uint32(p, rr->loc.latitude, NULL);
0dae31d4
ZJS		 1034 if (r < 0)
1035 goto fail;
1036
afbc4f26 1037 r = dns_packet_append_uint32(p, rr->loc.longitude, NULL);
0dae31d4
ZJS		 1038 if (r < 0)
1039 goto fail;
1040
afbc4f26 1041 r = dns_packet_append_uint32(p, rr->loc.altitude, NULL);
0dae31d4
ZJS		 1042 break;
1043
abf126a3
TG		 1044 case DNS_TYPE_DS:
1045 r = dns_packet_append_uint16(p, rr->ds.key_tag, NULL);
1046 if (r < 0)
1047 goto fail;
1048
1049 r = dns_packet_append_uint8(p, rr->ds.algorithm, NULL);
1050 if (r < 0)
1051 goto fail;
1052
1053 r = dns_packet_append_uint8(p, rr->ds.digest_type, NULL);
1054 if (r < 0)
1055 goto fail;
1056
1057 r = dns_packet_append_blob(p, rr->ds.digest, rr->ds.digest_size, NULL);
1058 break;
1059
623a4c97 1060 case DNS_TYPE_SSHFP:
42cc2eeb
LP		 1061 r = dns_packet_append_uint8(p, rr->sshfp.algorithm, NULL);
1062 if (r < 0)
1063 goto fail;
8db0d2f5 1064
42cc2eeb
LP		 1065 r = dns_packet_append_uint8(p, rr->sshfp.fptype, NULL);
1066 if (r < 0)
1067 goto fail;
1068
549c1a25 1069 r = dns_packet_append_blob(p, rr->sshfp.fingerprint, rr->sshfp.fingerprint_size, NULL);
42cc2eeb
LP		 1070 break;
1071
8db0d2f5 1072 case DNS_TYPE_DNSKEY:
f91dc240 1073 r = dns_packet_append_uint16(p, rr->dnskey.flags, NULL);
8db0d2f5
ZJS		 1074 if (r < 0)
1075 goto fail;
1076
f91dc240 1077 r = dns_packet_append_uint8(p, rr->dnskey.protocol, NULL);
8db0d2f5
ZJS		 1078 if (r < 0)
1079 goto fail;
1080
1081 r = dns_packet_append_uint8(p, rr->dnskey.algorithm, NULL);
1082 if (r < 0)
1083 goto fail;
1084
1085 r = dns_packet_append_blob(p, rr->dnskey.key, rr->dnskey.key_size, NULL);
1086 break;
1087
151226ab
ZJS		 1088 case DNS_TYPE_RRSIG:
1089 r = dns_packet_append_uint16(p, rr->rrsig.type_covered, NULL);
1090 if (r < 0)
1091 goto fail;
1092
1093 r = dns_packet_append_uint8(p, rr->rrsig.algorithm, NULL);
1094 if (r < 0)
1095 goto fail;
1096
1097 r = dns_packet_append_uint8(p, rr->rrsig.labels, NULL);
1098 if (r < 0)
1099 goto fail;
1100
1101 r = dns_packet_append_uint32(p, rr->rrsig.original_ttl, NULL);
1102 if (r < 0)
1103 goto fail;
1104
1105 r = dns_packet_append_uint32(p, rr->rrsig.expiration, NULL);
1106 if (r < 0)
1107 goto fail;
1108
1109 r = dns_packet_append_uint32(p, rr->rrsig.inception, NULL);
1110 if (r < 0)
1111 goto fail;
1112
0b1b17d3 1113 r = dns_packet_append_uint16(p, rr->rrsig.key_tag, NULL);
151226ab
ZJS		 1114 if (r < 0)
1115 goto fail;
1116
a3db237b 1117 r = dns_packet_append_name(p, rr->rrsig.signer, false, true, NULL);
151226ab
ZJS		 1118 if (r < 0)
1119 goto fail;
1120
1121 r = dns_packet_append_blob(p, rr->rrsig.signature, rr->rrsig.signature_size, NULL);
1122 break;
1123
50f1e641 1124 case DNS_TYPE_NSEC:
a3db237b 1125 r = dns_packet_append_name(p, rr->nsec.next_domain_name, false, false, NULL);
50f1e641
TG		 1126 if (r < 0)
1127 goto fail;
1128
1129 r = dns_packet_append_types(p, rr->nsec.types, NULL);
1130 if (r < 0)
1131 goto fail;
1132
5d45a880 1133 break;
d75acfb0 1134
5d45a880
TG		 1135 case DNS_TYPE_NSEC3:
1136 r = dns_packet_append_uint8(p, rr->nsec3.algorithm, NULL);
1137 if (r < 0)
1138 goto fail;
1139
1140 r = dns_packet_append_uint8(p, rr->nsec3.flags, NULL);
1141 if (r < 0)
1142 goto fail;
1143
1144 r = dns_packet_append_uint16(p, rr->nsec3.iterations, NULL);
1145 if (r < 0)
1146 goto fail;
1147
1148 r = dns_packet_append_uint8(p, rr->nsec3.salt_size, NULL);
1149 if (r < 0)
1150 goto fail;
1151
1152 r = dns_packet_append_blob(p, rr->nsec3.salt, rr->nsec3.salt_size, NULL);
1153 if (r < 0)
1154 goto fail;
1155
1156 r = dns_packet_append_uint8(p, rr->nsec3.next_hashed_name_size, NULL);
1157 if (r < 0)
1158 goto fail;
1159
1160 r = dns_packet_append_blob(p, rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size, NULL);
1161 if (r < 0)
1162 goto fail;
1163
1164 r = dns_packet_append_types(p, rr->nsec3.types, NULL);
1165 if (r < 0)
1166 goto fail;
1167
50f1e641 1168 break;
d75acfb0 1169
48d45d2b
ZJS		 1170 case DNS_TYPE_TLSA:
1171 r = dns_packet_append_uint8(p, rr->tlsa.cert_usage, NULL);
1172 if (r < 0)
1173 goto fail;
1174
1175 r = dns_packet_append_uint8(p, rr->tlsa.selector, NULL);
1176 if (r < 0)
1177 goto fail;
1178
1179 r = dns_packet_append_uint8(p, rr->tlsa.matching_type, NULL);
1180 if (r < 0)
1181 goto fail;
1182
1183 r = dns_packet_append_blob(p, rr->tlsa.data, rr->tlsa.data_size, NULL);
1184 break;
1185
e7634d6b
RP		 1186 case DNS_TYPE_SVCB:
1187 case DNS_TYPE_HTTPS:
1188 r = dns_packet_append_uint16(p, rr->svcb.priority, NULL);
1189 if (r < 0)
1190 goto fail;
1191
1192 r = dns_packet_append_name(p, rr->svcb.target_name, false, false, NULL);
1193 if (r < 0)
1194 goto fail;
1195
1196 LIST_FOREACH(params, i, rr->svcb.params) {
1197 r = dns_packet_append_uint16(p, i->key, NULL);
1198 if (r < 0)
1199 goto fail;
1200
1201 r = dns_packet_append_uint16(p, i->length, NULL);
1202 if (r < 0)
1203 goto fail;
1204
1205 r = dns_packet_append_blob(p, i->value, i->length, NULL);
1206 if (r < 0)
1207 goto fail;
1208 }
1209 break;
1210
95052df3
ZJS		 1211 case DNS_TYPE_CAA:
1212 r = dns_packet_append_uint8(p, rr->caa.flags, NULL);
1213 if (r < 0)
1214 goto fail;
1215
1216 r = dns_packet_append_string(p, rr->caa.tag, NULL);
1217 if (r < 0)
1218 goto fail;
1219
1220 r = dns_packet_append_blob(p, rr->caa.value, rr->caa.value_size, NULL);
1221 break;
1222
17615676
LP		 1223 case DNS_TYPE_NAPTR:
1224 r = dns_packet_append_uint16(p, rr->naptr.order, NULL);
1225 if (r < 0)
1226 goto fail;
1227
1228 r = dns_packet_append_uint16(p, rr->naptr.preference, NULL);
1229 if (r < 0)
1230 goto fail;
1231
1232 r = dns_packet_append_string(p, rr->naptr.flags, NULL);
1233 if (r < 0)
1234 goto fail;
1235
1236 r = dns_packet_append_string(p, rr->naptr.services, NULL);
1237 if (r < 0)
1238 goto fail;
1239
1240 r = dns_packet_append_string(p, rr->naptr.regexp, NULL);
1241 if (r < 0)
1242 goto fail;
1243
1244 r = dns_packet_append_name(p, rr->naptr.replacement, /* allow_compression= */ false, /* canonical_candidate= */ true, NULL);
1245 break;
1246
d75acfb0 1247 case DNS_TYPE_OPT:
d93a16b8 1248 case DNS_TYPE_OPENPGPKEY:
52e085af 1249 case _DNS_TYPE_INVALID: /* unparsable */
623a4c97 1250 default:
0dae31d4 1251
a43a068a 1252 r = dns_packet_append_blob(p, rr->generic.data, rr->generic.data_size, NULL);
623a4c97
LP		 1253 break;
1254 }
1255 if (r < 0)
1256 goto fail;
1257
1258 /* Let's calculate the actual data size and update the field */
1259 rdlength = p->size - rdlength_offset - sizeof(uint16_t);
1260 if (rdlength > 0xFFFF) {
555f5cdc 1261 r = -ENOSPC;
623a4c97
LP		 1262 goto fail;
1263 }
1264
1265 end = p->size;
1266 p->size = rdlength_offset;
1267 r = dns_packet_append_uint16(p, rdlength, NULL);
1268 if (r < 0)
1269 goto fail;
1270 p->size = end;
1271
351e6342
LP		 1272 if (start)
1273 *start = saved_size;
1274
a8812dd7
LP		 1275 if (rdata_start)
1276 *rdata_start = rds;
1277
623a4c97
LP		 1278 return 0;
1279
1280fail:
1281 dns_packet_truncate(p, saved_size);
1282 return r;
1283}
1284
f471bc11
LP		 1285int dns_packet_append_question(DnsPacket *p, DnsQuestion *q) {
1286 DnsResourceKey *key;
1287 int r;
1288
1289 assert(p);
1290
1291 DNS_QUESTION_FOREACH(key, q) {
58ab31d5 1292 r = dns_packet_append_key(p, key, 0, NULL);
f471bc11
LP		 1293 if (r < 0)
1294 return r;
1295 }
1296
1297 return 0;
1298}
1299
6f76e68a 1300int dns_packet_append_answer(DnsPacket *p, DnsAnswer *a, unsigned *completed) {
f471bc11 1301 DnsResourceRecord *rr;
58ab31d5 1302 DnsAnswerFlags flags;
f471bc11
LP		 1303 int r;
1304
1305 assert(p);
1306
58ab31d5
DR		 1307 DNS_ANSWER_FOREACH_FLAGS(rr, flags, a) {
1308 r = dns_packet_append_rr(p, rr, flags, NULL, NULL);
f471bc11
LP		 1309 if (r < 0)
1310 return r;
6f76e68a
LP		 1311
1312 if (completed)
1313 (*completed)++;
f471bc11
LP		 1314 }
1315
1316 return 0;
1317}
1318
74b2466e
LP		 1319int dns_packet_read(DnsPacket *p, size_t sz, const void **ret, size_t *start) {
1320 assert(p);
370999c0 1321 assert(p->rindex <= p->size);
74b2466e 1322
370999c0 1323 if (sz > p->size - p->rindex)
74b2466e
LP		 1324 return -EMSGSIZE;
1325
1326 if (ret)
1327 *ret = (uint8_t*) DNS_PACKET_DATA(p) + p->rindex;
1328
1329 if (start)
1330 *start = p->rindex;
1331
1332 p->rindex += sz;
1333 return 0;
1334}
1335
8ba9fd9c 1336void dns_packet_rewind(DnsPacket *p, size_t idx) {
74b2466e
LP		 1337 assert(p);
1338 assert(idx <= p->size);
1339 assert(idx >= DNS_PACKET_HEADER_SIZE);
1340
1341 p->rindex = idx;
1342}
1343
623a4c97
LP		 1344int dns_packet_read_blob(DnsPacket *p, void *d, size_t sz, size_t *start) {
1345 const void *q;
1346 int r;
1347
1348 assert(p);
1349 assert(d);
1350
1351 r = dns_packet_read(p, sz, &q, start);
1352 if (r < 0)
1353 return r;
1354
1355 memcpy(d, q, sz);
1356 return 0;
1357}
1358
f5430a3e
LP		 1359static int dns_packet_read_memdup(
1360 DnsPacket *p, size_t size,
1361 void **ret, size_t *ret_size,
1362 size_t *ret_start) {
1363
1364 const void *src;
1365 size_t start;
1366 int r;
1367
1368 assert(p);
1369 assert(ret);
1370
1371 r = dns_packet_read(p, size, &src, &start);
1372 if (r < 0)
1373 return r;
1374
1375 if (size <= 0)
1376 *ret = NULL;
1377 else {
1378 void *copy;
1379
1380 copy = memdup(src, size);
1381 if (!copy)
1382 return -ENOMEM;
1383
1384 *ret = copy;
1385 }
1386
1387 if (ret_size)
1388 *ret_size = size;
1389 if (ret_start)
1390 *ret_start = start;
1391
1392 return 0;
1393}
1394
74b2466e
LP		 1395int dns_packet_read_uint8(DnsPacket *p, uint8_t *ret, size_t *start) {
1396 const void *d;
1397 int r;
1398
1399 assert(p);
1400
1401 r = dns_packet_read(p, sizeof(uint8_t), &d, start);
1402 if (r < 0)
1403 return r;
1404
1405 *ret = ((uint8_t*) d)[0];
1406 return 0;
1407}
1408
1409int dns_packet_read_uint16(DnsPacket *p, uint16_t *ret, size_t *start) {
1410 const void *d;
1411 int r;
1412
1413 assert(p);
1414
1415 r = dns_packet_read(p, sizeof(uint16_t), &d, start);
1416 if (r < 0)
1417 return r;
1418
81b4d94d
LP		 1419 if (ret)
1420 *ret = unaligned_read_be16(d);
725ca0e5 1421
74b2466e
LP		 1422 return 0;
1423}
1424
1425int dns_packet_read_uint32(DnsPacket *p, uint32_t *ret, size_t *start) {
1426 const void *d;
1427 int r;
1428
1429 assert(p);
1430
1431 r = dns_packet_read(p, sizeof(uint32_t), &d, start);
1432 if (r < 0)
1433 return r;
1434
725ca0e5 1435 *ret = unaligned_read_be32(d);
74b2466e
LP		 1436
1437 return 0;
1438}
1439
1440int dns_packet_read_string(DnsPacket *p, char **ret, size_t *start) {
0c4f37f0 1441 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
7153213e 1442 _cleanup_free_ char *t = NULL;
74b2466e 1443 const void *d;
74b2466e
LP		 1444 uint8_t c;
1445 int r;
1446
7153213e
LP		 1447 assert(p);
1448
74b2466e
LP		 1449 r = dns_packet_read_uint8(p, &c, NULL);
1450 if (r < 0)
e18a3c73 1451 return r;
74b2466e
LP		 1452
1453 r = dns_packet_read(p, c, &d, NULL);
1454 if (r < 0)
e18a3c73 1455 return r;
74b2466e 1456
7153213e
LP		 1457 r = make_cstring(d, c, MAKE_CSTRING_REFUSE_TRAILING_NUL, &t);
1458 if (r < 0)
1459 return r;
74b2466e 1460
7153213e 1461 if (!utf8_is_valid(t))
e18a3c73 1462 return -EBADMSG;
74b2466e 1463
7153213e 1464 *ret = TAKE_PTR(t);
74b2466e
LP		 1465
1466 if (start)
e18a3c73
ZJS		 1467 *start = rewinder.saved_rindex;
1468 CANCEL_REWINDER(rewinder);
74b2466e
LP		 1469
1470 return 0;
74b2466e
LP		 1471}
1472
2001c805 1473int dns_packet_read_raw_string(DnsPacket *p, const void **ret, size_t *size, size_t *start) {
0c4f37f0
ZJS		 1474 assert(p);
1475
1476 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
2001c805
LP		 1477 uint8_t c;
1478 int r;
1479
2001c805
LP		 1480 r = dns_packet_read_uint8(p, &c, NULL);
1481 if (r < 0)
e18a3c73 1482 return r;
2001c805
LP		 1483
1484 r = dns_packet_read(p, c, ret, NULL);
1485 if (r < 0)
e18a3c73 1486 return r;
2001c805
LP		 1487
1488 if (size)
1489 *size = c;
1490 if (start)
e18a3c73
ZJS		 1491 *start = rewinder.saved_rindex;
1492 CANCEL_REWINDER(rewinder);
2001c805
LP		 1493
1494 return 0;
2001c805
LP		 1495}
1496
f6a5fec6
LP		 1497int dns_packet_read_name(
1498 DnsPacket *p,
81b4d94d 1499 char **ret,
f6a5fec6 1500 bool allow_compression,
81b4d94d 1501 size_t *ret_start) {
f6a5fec6 1502
0c4f37f0
ZJS		 1503 assert(p);
1504
1505 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
1506 size_t after_rindex = 0, jump_barrier = p->rindex;
81b4d94d 1507 _cleanup_free_ char *name = NULL;
74b2466e 1508 bool first = true;
319a4f4b 1509 size_t n = 0;
74b2466e
LP		 1510 int r;
1511
f6a5fec6
LP		 1512 if (p->refuse_compression)
1513 allow_compression = false;
1514
74b2466e
LP		 1515 for (;;) {
1516 uint8_t c, d;
1517
1518 r = dns_packet_read_uint8(p, &c, NULL);
1519 if (r < 0)
e18a3c73 1520 return r;
74b2466e
LP		 1521
1522 if (c == 0)
1523 /* End of name */
1524 break;
1525 else if (c <= 63) {
74b2466e
LP		 1526 const char *label;
1527
1528 /* Literal label */
1529 r = dns_packet_read(p, c, (const void**) &label, NULL);
1530 if (r < 0)
e18a3c73 1531 return r;
74b2466e 1532
319a4f4b 1533 if (!GREEDY_REALLOC(name, n + !first + DNS_LABEL_ESCAPED_MAX))
e18a3c73 1534 return -ENOMEM;
74b2466e 1535
422baca0 1536 if (first)
74b2466e 1537 first = false;
422baca0 1538 else
81b4d94d 1539 name[n++] = '.';
422baca0 1540
81b4d94d 1541 r = dns_label_escape(label, c, name + n, DNS_LABEL_ESCAPED_MAX);
422baca0 1542 if (r < 0)
e18a3c73 1543 return r;
74b2466e 1544
74b2466e
LP		 1545 n += r;
1546 continue;
d7a0f1f4 1547 } else if (allow_compression && FLAGS_SET(c, 0xc0)) {
74b2466e
LP		 1548 uint16_t ptr;
1549
1550 /* Pointer */
1551 r = dns_packet_read_uint8(p, &d, NULL);
1552 if (r < 0)
e18a3c73 1553 return r;
74b2466e
LP		 1554
1555 ptr = (uint16_t) (c & ~0xc0) << 8 | (uint16_t) d;
e18a3c73
ZJS		 1556 if (ptr < DNS_PACKET_HEADER_SIZE || ptr >= jump_barrier)
1557 return -EBADMSG;
74b2466e
LP		 1558
1559 if (after_rindex == 0)
1560 after_rindex = p->rindex;
1561
f131770b 1562 /* Jumps are limited to a "prior occurrence" (RFC-1035 4.1.4) */
c75dbf9b 1563 jump_barrier = ptr;
74b2466e 1564 p->rindex = ptr;
e18a3c73
ZJS		 1565 } else
1566 return -EBADMSG;
74b2466e
LP		 1567 }
1568
319a4f4b 1569 if (!GREEDY_REALLOC(name, n + 1))
e18a3c73 1570 return -ENOMEM;
74b2466e 1571
81b4d94d 1572 name[n] = 0;
74b2466e
LP		 1573
1574 if (after_rindex != 0)
1575 p->rindex= after_rindex;
1576
81b4d94d
LP		 1577 if (ret)
1578 *ret = TAKE_PTR(name);
1579 if (ret_start)
1580 *ret_start = rewinder.saved_rindex;
74b2466e 1581
e18a3c73 1582 CANCEL_REWINDER(rewinder);
74b2466e
LP		 1583
1584 return 0;
74b2466e
LP		 1585}
1586
50f1e641 1587static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *start) {
0c4f37f0
ZJS		 1588 assert(p);
1589 assert(types);
1590
1591 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
1592 uint8_t window, length;
50f1e641 1593 const uint8_t *bitmap;
2ad613ad 1594 uint8_t bit = 0;
50f1e641 1595 bool found = false;
50f1e641
TG		 1596 int r;
1597
50f1e641
TG		 1598 r = bitmap_ensure_allocated(types);
1599 if (r < 0)
e18a3c73 1600 return r;
50f1e641
TG		 1601
1602 r = dns_packet_read_uint8(p, &window, NULL);
1603 if (r < 0)
e18a3c73 1604 return r;
50f1e641
TG		 1605
1606 r = dns_packet_read_uint8(p, &length, NULL);
1607 if (r < 0)
e18a3c73 1608 return r;
50f1e641
TG		 1609
1610 if (length == 0 || length > 32)
1611 return -EBADMSG;
1612
1613 r = dns_packet_read(p, length, (const void **)&bitmap, NULL);
1614 if (r < 0)
e18a3c73 1615 return r;
50f1e641 1616
64ea42e9 1617 for (uint8_t i = 0; i < length; i++) {
50f1e641 1618 uint8_t bitmask = 1 << 7;
50f1e641
TG		 1619
1620 if (!bitmap[i]) {
1621 found = false;
2ad613ad 1622 bit += 8;
50f1e641
TG		 1623 continue;
1624 }
1625
1626 found = true;
1627
9f939335 1628 for (; bitmask; bit++, bitmask >>= 1)
50f1e641
TG		 1629 if (bitmap[i] & bitmask) {
1630 uint16_t n;
1631
50f1e641
TG		 1632 n = (uint16_t) window << 8 | (uint16_t) bit;
1633
8e6edc49
TG		 1634 /* Ignore pseudo-types. see RFC4034 section 4.1.2 */
1635 if (dns_type_is_pseudo(n))
1636 continue;
1637
50f1e641
TG		 1638 r = bitmap_set(*types, n);
1639 if (r < 0)
e18a3c73 1640 return r;
50f1e641 1641 }
50f1e641
TG		 1642 }
1643
1644 if (!found)
1645 return -EBADMSG;
1646
1647 if (start)
e18a3c73
ZJS		 1648 *start = rewinder.saved_rindex;
1649 CANCEL_REWINDER(rewinder);
50f1e641
TG		 1650
1651 return 0;
50f1e641
TG		 1652}
1653
89492aaf 1654static int dns_packet_read_type_windows(DnsPacket *p, Bitmap **types, size_t size, size_t *start) {
0c4f37f0 1655 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
89492aaf
TG		 1656 int r;
1657
370999c0 1658 while (p->rindex - rewinder.saved_rindex < size) {
89492aaf
TG		 1659 r = dns_packet_read_type_window(p, types, NULL);
1660 if (r < 0)
e18a3c73 1661 return r;
89492aaf 1662
370999c0
YW		 1663 assert(p->rindex >= rewinder.saved_rindex);
1664
89492aaf 1665 /* don't read past end of current RR */
370999c0 1666 if (p->rindex - rewinder.saved_rindex > size)
e18a3c73 1667 return -EBADMSG;
89492aaf
TG		 1668 }
1669
370999c0 1670 if (p->rindex - rewinder.saved_rindex != size)
e18a3c73 1671 return -EBADMSG;
89492aaf
TG		 1672
1673 if (start)
e18a3c73
ZJS		 1674 *start = rewinder.saved_rindex;
1675 CANCEL_REWINDER(rewinder);
89492aaf
TG		 1676
1677 return 0;
89492aaf
TG		 1678}
1679
81b4d94d
LP		 1680int dns_packet_read_key(
1681 DnsPacket *p,
1682 DnsResourceKey **ret,
82d39576 1683 bool *ret_cache_flush_or_qu,
81b4d94d
LP		 1684 size_t *ret_start) {
1685
0c4f37f0
ZJS		 1686 assert(p);
1687
1688 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
faa133f3 1689 _cleanup_free_ char *name = NULL;
82d39576 1690 bool cache_flush_or_qu = false;
faa133f3 1691 uint16_t class, type;
74b2466e
LP		 1692 int r;
1693
151226ab 1694 r = dns_packet_read_name(p, &name, true, NULL);
74b2466e 1695 if (r < 0)
e18a3c73 1696 return r;
74b2466e 1697
faa133f3 1698 r = dns_packet_read_uint16(p, &type, NULL);
74b2466e 1699 if (r < 0)
e18a3c73 1700 return r;
74b2466e 1701
faa133f3 1702 r = dns_packet_read_uint16(p, &class, NULL);
74b2466e 1703 if (r < 0)
e18a3c73 1704 return r;
74b2466e 1705
23502de3 1706 if (p->protocol == DNS_PROTOCOL_MDNS) {
82d39576 1707 /* See RFC6762, sections 5.4 and 10.2 */
23502de3 1708
82d39576
SB		 1709 if (type != DNS_TYPE_OPT && (class & MDNS_RR_CACHE_FLUSH_OR_QU)) {
1710 class &= ~MDNS_RR_CACHE_FLUSH_OR_QU;
1711 cache_flush_or_qu = true;
d2579eec 1712 }
23502de3
DM		 1713 }
1714
81b4d94d
LP		 1715 if (ret) {
1716 DnsResourceKey *key;
faa133f3 1717
81b4d94d
LP		 1718 key = dns_resource_key_new_consume(class, type, name);
1719 if (!key)
1720 return -ENOMEM;
1721
1722 TAKE_PTR(name);
1723 *ret = key;
1724 }
74b2466e 1725
82d39576
SB		 1726 if (ret_cache_flush_or_qu)
1727 *ret_cache_flush_or_qu = cache_flush_or_qu;
81b4d94d
LP		 1728 if (ret_start)
1729 *ret_start = rewinder.saved_rindex;
74b2466e 1730
81b4d94d 1731 CANCEL_REWINDER(rewinder);
74b2466e 1732 return 0;
74b2466e
LP		 1733}
1734
afbc4f26
ZJS		 1735static bool loc_size_ok(uint8_t size) {
1736 uint8_t m = size >> 4, e = size & 0xF;
1737
1738 return m <= 9 && e <= 9 && (m > 0 || e == 0);
1739}
1740
e7634d6b
RP		 1741static bool dns_svc_param_is_valid(DnsSvcParam *i) {
1742 if (!i)
1743 return false;
1744
1745 switch (i->key) {
1746 /* RFC 9460, section 7.1.1: alpn-ids must exactly fill SvcParamValue */
1747 case DNS_SVC_PARAM_KEY_ALPN: {
1748 size_t sz = 0;
1749 if (i->length <= 0)
1750 return false;
1751 while (sz < i->length)
1752 sz += 1 + i->value[sz]; /* N.B. will not overflow */
1753 return sz == i->length;
1754 }
1755
1756 /* RFC 9460, section 7.1.1: value must be empty */
1757 case DNS_SVC_PARAM_KEY_NO_DEFAULT_ALPN:
1758 return i->length == 0;
1759
1760 /* RFC 9460, section 7.2 */
1761 case DNS_SVC_PARAM_KEY_PORT:
1762 return i->length == 2;
1763
1764 /* RFC 9460, section 7.3: addrs must exactly fill SvcParamValue */
1765 case DNS_SVC_PARAM_KEY_IPV4HINT:
1766 return i->length % (sizeof (struct in_addr)) == 0;
1767 case DNS_SVC_PARAM_KEY_IPV6HINT:
1768 return i->length % (sizeof (struct in6_addr)) == 0;
1769
1770 /* Otherwise, permit any value */
1771 default:
1772 return true;
1773 }
1774}
1775
81b4d94d
LP		 1776int dns_packet_read_rr(
1777 DnsPacket *p,
1778 DnsResourceRecord **ret,
1779 bool *ret_cache_flush,
1780 size_t *ret_start) {
1781
0c4f37f0
ZJS		 1782 assert(p);
1783
1784 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
faa133f3
LP		 1785 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
1786 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
e18a3c73 1787 size_t offset;
74b2466e 1788 uint16_t rdlength;
d2579eec 1789 bool cache_flush;
74b2466e
LP		 1790 int r;
1791
d2579eec 1792 r = dns_packet_read_key(p, &key, &cache_flush, NULL);
74b2466e 1793 if (r < 0)
e18a3c73 1794 return r;
74b2466e 1795
e18a3c73
ZJS		 1796 if (!dns_class_is_valid_rr(key->class) || !dns_type_is_valid_rr(key->type))
1797 return -EBADMSG;
0e2bcd6a 1798
faa133f3 1799 rr = dns_resource_record_new(key);
e18a3c73
ZJS		 1800 if (!rr)
1801 return -ENOMEM;
faa133f3 1802
74b2466e
LP		 1803 r = dns_packet_read_uint32(p, &rr->ttl, NULL);
1804 if (r < 0)
e18a3c73 1805 return r;
74b2466e 1806
0d0b52d7
LP		 1807 /* RFC 2181, Section 8, suggests to
1808 * treat a TTL with the MSB set as a zero TTL. */
1809 if (rr->ttl & UINT32_C(0x80000000))
1810 rr->ttl = 0;
1811
74b2466e
LP		 1812 r = dns_packet_read_uint16(p, &rdlength, NULL);
1813 if (r < 0)
e18a3c73 1814 return r;
74b2466e 1815
370999c0 1816 if (rdlength > p->size - p->rindex)
e18a3c73 1817 return -EBADMSG;
74b2466e
LP		 1818
1819 offset = p->rindex;
1820
faa133f3 1821 switch (rr->key->type) {
74b2466e 1822
9c92ce6d
LP		 1823 case DNS_TYPE_SRV:
1824 r = dns_packet_read_uint16(p, &rr->srv.priority, NULL);
1825 if (r < 0)
e18a3c73 1826 return r;
9c92ce6d
LP		 1827 r = dns_packet_read_uint16(p, &rr->srv.weight, NULL);
1828 if (r < 0)
e18a3c73 1829 return r;
9c92ce6d
LP		 1830 r = dns_packet_read_uint16(p, &rr->srv.port, NULL);
1831 if (r < 0)
e18a3c73 1832 return r;
d9a55740
LP		 1833
1834 /* RFC 2782 states "Unless and until permitted by future standards action, name compression
1835 * is not to be used for this field." Nonetheless, we support it here, in the interest of
1836 * increasing compatibility with implementations that do not implement this correctly. After
1837 * all we didn't do this right once upon a time ourselves (see
1838 * https://github.com/systemd/systemd/issues/9793). */
1839 r = dns_packet_read_name(p, &rr->srv.name, /* allow_compression= */ true, NULL);
9c92ce6d
LP		 1840 break;
1841
74b2466e
LP		 1842 case DNS_TYPE_PTR:
1843 case DNS_TYPE_NS:
1844 case DNS_TYPE_CNAME:
8ac4e9e1 1845 case DNS_TYPE_DNAME:
151226ab 1846 r = dns_packet_read_name(p, &rr->ptr.name, true, NULL);
74b2466e
LP		 1847 break;
1848
1849 case DNS_TYPE_HINFO:
1850 r = dns_packet_read_string(p, &rr->hinfo.cpu, NULL);
1851 if (r < 0)
e18a3c73 1852 return r;
74b2466e
LP		 1853
1854 r = dns_packet_read_string(p, &rr->hinfo.os, NULL);
1855 break;
1856
9de3e329 1857 case DNS_TYPE_SPF: /* exactly the same as TXT */
1ccda9b7
LP		 1858 case DNS_TYPE_TXT:
1859 if (rdlength <= 0) {
ebb779dc
DR		 1860 r = dns_txt_item_new_empty(&rr->txt.items);
1861 if (r < 0)
1862 return r;
1ccda9b7 1863 } else {
2001c805
LP		 1864 DnsTxtItem *last = NULL;
1865
370999c0 1866 while (p->rindex - offset < rdlength) {
2001c805
LP		 1867 DnsTxtItem *i;
1868 const void *data;
1869 size_t sz;
2e276efc 1870
2001c805 1871 r = dns_packet_read_raw_string(p, &data, &sz, NULL);
1ccda9b7 1872 if (r < 0)
2001c805 1873 return r;
1ccda9b7 1874
2001c805
LP		 1875 i = malloc0(offsetof(DnsTxtItem, data) + sz + 1); /* extra NUL byte at the end */
1876 if (!i)
1877 return -ENOMEM;
1878
1879 memcpy(i->data, data, sz);
1880 i->length = sz;
1881
1882 LIST_INSERT_AFTER(items, rr->txt.items, last, i);
1883 last = i;
1ccda9b7 1884 }
6a6fc3df
LP		 1885 }
1886
1887 r = 0;
2e276efc 1888 break;
2e276efc 1889
74b2466e 1890 case DNS_TYPE_A:
623a4c97 1891 r = dns_packet_read_blob(p, &rr->a.in_addr, sizeof(struct in_addr), NULL);
74b2466e
LP		 1892 break;
1893
1894 case DNS_TYPE_AAAA:
623a4c97 1895 r = dns_packet_read_blob(p, &rr->aaaa.in6_addr, sizeof(struct in6_addr), NULL);
74b2466e
LP		 1896 break;
1897
7e8e0422 1898 case DNS_TYPE_SOA:
151226ab 1899 r = dns_packet_read_name(p, &rr->soa.mname, true, NULL);
7e8e0422 1900 if (r < 0)
e18a3c73 1901 return r;
7e8e0422 1902
151226ab 1903 r = dns_packet_read_name(p, &rr->soa.rname, true, NULL);
7e8e0422 1904 if (r < 0)
e18a3c73 1905 return r;
7e8e0422
LP		 1906
1907 r = dns_packet_read_uint32(p, &rr->soa.serial, NULL);
1908 if (r < 0)
e18a3c73 1909 return r;
7e8e0422
LP		 1910
1911 r = dns_packet_read_uint32(p, &rr->soa.refresh, NULL);
1912 if (r < 0)
e18a3c73 1913 return r;
7e8e0422
LP		 1914
1915 r = dns_packet_read_uint32(p, &rr->soa.retry, NULL);
1916 if (r < 0)
e18a3c73 1917 return r;
7e8e0422
LP		 1918
1919 r = dns_packet_read_uint32(p, &rr->soa.expire, NULL);
1920 if (r < 0)
e18a3c73 1921 return r;
7e8e0422
LP		 1922
1923 r = dns_packet_read_uint32(p, &rr->soa.minimum, NULL);
1924 break;
1925
623a4c97 1926 case DNS_TYPE_MX:
946c7094
ZJS		 1927 r = dns_packet_read_uint16(p, &rr->mx.priority, NULL);
1928 if (r < 0)
e18a3c73 1929 return r;
946c7094 1930
151226ab 1931 r = dns_packet_read_name(p, &rr->mx.exchange, true, NULL);
946c7094
ZJS		 1932 break;
1933
0dae31d4
ZJS		 1934 case DNS_TYPE_LOC: {
1935 uint8_t t;
1936 size_t pos;
1937
1938 r = dns_packet_read_uint8(p, &t, &pos);
1939 if (r < 0)
e18a3c73 1940 return r;
0dae31d4
ZJS		 1941
1942 if (t == 0) {
1943 rr->loc.version = t;
1944
1945 r = dns_packet_read_uint8(p, &rr->loc.size, NULL);
1946 if (r < 0)
e18a3c73 1947 return r;
0dae31d4 1948
e18a3c73
ZJS		 1949 if (!loc_size_ok(rr->loc.size))
1950 return -EBADMSG;
afbc4f26 1951
0dae31d4
ZJS		 1952 r = dns_packet_read_uint8(p, &rr->loc.horiz_pre, NULL);
1953 if (r < 0)
e18a3c73 1954 return r;
0dae31d4 1955
e18a3c73
ZJS		 1956 if (!loc_size_ok(rr->loc.horiz_pre))
1957 return -EBADMSG;
afbc4f26 1958
0dae31d4
ZJS		 1959 r = dns_packet_read_uint8(p, &rr->loc.vert_pre, NULL);
1960 if (r < 0)
e18a3c73 1961 return r;
0dae31d4 1962
e18a3c73
ZJS		 1963 if (!loc_size_ok(rr->loc.vert_pre))
1964 return -EBADMSG;
afbc4f26 1965
0dae31d4
ZJS		 1966 r = dns_packet_read_uint32(p, &rr->loc.latitude, NULL);
1967 if (r < 0)
e18a3c73 1968 return r;
0dae31d4
ZJS		 1969
1970 r = dns_packet_read_uint32(p, &rr->loc.longitude, NULL);
1971 if (r < 0)
e18a3c73 1972 return r;
0dae31d4
ZJS		 1973
1974 r = dns_packet_read_uint32(p, &rr->loc.altitude, NULL);
1975 if (r < 0)
e18a3c73 1976 return r;
0dae31d4
ZJS		 1977
1978 break;
1979 } else {
1980 dns_packet_rewind(p, pos);
52e085af
ZJS		 1981 rr->unparsable = true;
1982 goto unparsable;
0dae31d4
ZJS		 1983 }
1984 }
1985
abf126a3
TG		 1986 case DNS_TYPE_DS:
1987 r = dns_packet_read_uint16(p, &rr->ds.key_tag, NULL);
1988 if (r < 0)
e18a3c73 1989 return r;
abf126a3
TG		 1990
1991 r = dns_packet_read_uint8(p, &rr->ds.algorithm, NULL);
1992 if (r < 0)
e18a3c73 1993 return r;
abf126a3
TG		 1994
1995 r = dns_packet_read_uint8(p, &rr->ds.digest_type, NULL);
1996 if (r < 0)
e18a3c73 1997 return r;
abf126a3 1998
8a0f6d1f
SL		 1999 if (rdlength < 4)
2000 return -EBADMSG;
2001
f5430a3e
LP		 2002 r = dns_packet_read_memdup(p, rdlength - 4,
2003 &rr->ds.digest, &rr->ds.digest_size,
2004 NULL);
abf126a3 2005 if (r < 0)
e18a3c73 2006 return r;
abf126a3 2007
e18a3c73 2008 if (rr->ds.digest_size <= 0)
f1d178cc
TG		 2009 /* the accepted size depends on the algorithm, but for now
2010 just ensure that the value is greater than zero */
e18a3c73 2011 return -EBADMSG;
f1d178cc 2012
abf126a3 2013 break;
d75acfb0 2014
623a4c97 2015 case DNS_TYPE_SSHFP:
42cc2eeb
LP		 2016 r = dns_packet_read_uint8(p, &rr->sshfp.algorithm, NULL);
2017 if (r < 0)
e18a3c73 2018 return r;
42cc2eeb
LP		 2019
2020 r = dns_packet_read_uint8(p, &rr->sshfp.fptype, NULL);
2021 if (r < 0)
e18a3c73 2022 return r;
42cc2eeb 2023
8a0f6d1f
SL		 2024 if (rdlength < 2)
2025 return -EBADMSG;
2026
f5430a3e 2027 r = dns_packet_read_memdup(p, rdlength - 2,
549c1a25 2028 &rr->sshfp.fingerprint, &rr->sshfp.fingerprint_size,
f5430a3e 2029 NULL);
f1d178cc 2030
e18a3c73 2031 if (rr->sshfp.fingerprint_size <= 0)
f1d178cc
TG		 2032 /* the accepted size depends on the algorithm, but for now
2033 just ensure that the value is greater than zero */
e18a3c73 2034 return -EBADMSG;
f1d178cc 2035
8db0d2f5
ZJS		 2036 break;
2037
f91dc240
LP		 2038 case DNS_TYPE_DNSKEY:
2039 r = dns_packet_read_uint16(p, &rr->dnskey.flags, NULL);
8db0d2f5 2040 if (r < 0)
e18a3c73 2041 return r;
8db0d2f5 2042
f91dc240 2043 r = dns_packet_read_uint8(p, &rr->dnskey.protocol, NULL);
8db0d2f5 2044 if (r < 0)
e18a3c73 2045 return r;
8db0d2f5 2046
8db0d2f5
ZJS		 2047 r = dns_packet_read_uint8(p, &rr->dnskey.algorithm, NULL);
2048 if (r < 0)
e18a3c73 2049 return r;
8db0d2f5 2050
8a0f6d1f
SL		 2051 if (rdlength < 4)
2052 return -EBADMSG;
2053
f5430a3e
LP		 2054 r = dns_packet_read_memdup(p, rdlength - 4,
2055 &rr->dnskey.key, &rr->dnskey.key_size,
2056 NULL);
f1d178cc 2057
e18a3c73 2058 if (rr->dnskey.key_size <= 0)
f1d178cc
TG		 2059 /* the accepted size depends on the algorithm, but for now
2060 just ensure that the value is greater than zero */
e18a3c73 2061 return -EBADMSG;
f1d178cc 2062
42cc2eeb
LP		 2063 break;
2064
151226ab
ZJS		 2065 case DNS_TYPE_RRSIG:
2066 r = dns_packet_read_uint16(p, &rr->rrsig.type_covered, NULL);
2067 if (r < 0)
e18a3c73 2068 return r;
151226ab
ZJS		 2069
2070 r = dns_packet_read_uint8(p, &rr->rrsig.algorithm, NULL);
2071 if (r < 0)
e18a3c73 2072 return r;
151226ab
ZJS		 2073
2074 r = dns_packet_read_uint8(p, &rr->rrsig.labels, NULL);
2075 if (r < 0)
e18a3c73 2076 return r;
151226ab
ZJS		 2077
2078 r = dns_packet_read_uint32(p, &rr->rrsig.original_ttl, NULL);
2079 if (r < 0)
e18a3c73 2080 return r;
151226ab
ZJS		 2081
2082 r = dns_packet_read_uint32(p, &rr->rrsig.expiration, NULL);
2083 if (r < 0)
e18a3c73 2084 return r;
151226ab
ZJS		 2085
2086 r = dns_packet_read_uint32(p, &rr->rrsig.inception, NULL);
2087 if (r < 0)
e18a3c73 2088 return r;
151226ab
ZJS		 2089
2090 r = dns_packet_read_uint16(p, &rr->rrsig.key_tag, NULL);
2091 if (r < 0)
e18a3c73 2092 return r;
151226ab
ZJS		 2093
2094 r = dns_packet_read_name(p, &rr->rrsig.signer, false, NULL);
2095 if (r < 0)
e18a3c73 2096 return r;
151226ab 2097
370999c0 2098 if (rdlength < p->rindex - offset)
8a0f6d1f
SL		 2099 return -EBADMSG;
2100
f5430a3e
LP		 2101 r = dns_packet_read_memdup(p, offset + rdlength - p->rindex,
2102 &rr->rrsig.signature, &rr->rrsig.signature_size,
2103 NULL);
f1d178cc 2104
e18a3c73 2105 if (rr->rrsig.signature_size <= 0)
f1d178cc
TG		 2106 /* the accepted size depends on the algorithm, but for now
2107 just ensure that the value is greater than zero */
e18a3c73 2108 return -EBADMSG;
f1d178cc 2109
151226ab
ZJS		 2110 break;
2111
d84e543d
DM		 2112 case DNS_TYPE_NSEC: {
2113
2114 /*
5238e957 2115 * RFC6762, section 18.14 explicitly states mDNS should use name compression.
d84e543d
DM		 2116 * This contradicts RFC3845, section 2.1.1
2117 */
2118
2119 bool allow_compressed = p->protocol == DNS_PROTOCOL_MDNS;
2120
2121 r = dns_packet_read_name(p, &rr->nsec.next_domain_name, allow_compressed, NULL);
50f1e641 2122 if (r < 0)
e18a3c73 2123 return r;
50f1e641 2124
370999c0
YW		 2125 if (rdlength < p->rindex - offset)
2126 return -EBADMSG;
2127
89492aaf 2128 r = dns_packet_read_type_windows(p, &rr->nsec.types, offset + rdlength - p->rindex, NULL);
89492aaf 2129
09eaf68c
TG		 2130 /* We accept empty NSEC bitmaps. The bit indicating the presence of the NSEC record itself
2131 * is redundant and in e.g., RFC4956 this fact is used to define a use for NSEC records
2132 * without the NSEC bit set. */
50f1e641
TG		 2133
2134 break;
d84e543d 2135 }
5d45a880
TG		 2136 case DNS_TYPE_NSEC3: {
2137 uint8_t size;
2138
2139 r = dns_packet_read_uint8(p, &rr->nsec3.algorithm, NULL);
2140 if (r < 0)
e18a3c73 2141 return r;
5d45a880
TG		 2142
2143 r = dns_packet_read_uint8(p, &rr->nsec3.flags, NULL);
2144 if (r < 0)
e18a3c73 2145 return r;
5d45a880
TG		 2146
2147 r = dns_packet_read_uint16(p, &rr->nsec3.iterations, NULL);
2148 if (r < 0)
e18a3c73 2149 return r;
5d45a880 2150
f1d178cc 2151 /* this may be zero */
5d45a880
TG		 2152 r = dns_packet_read_uint8(p, &size, NULL);
2153 if (r < 0)
e18a3c73 2154 return r;
5d45a880 2155
f5430a3e 2156 r = dns_packet_read_memdup(p, size, &rr->nsec3.salt, &rr->nsec3.salt_size, NULL);
5d45a880 2157 if (r < 0)
e18a3c73 2158 return r;
5d45a880 2159
5d45a880
TG		 2160 r = dns_packet_read_uint8(p, &size, NULL);
2161 if (r < 0)
e18a3c73 2162 return r;
5d45a880 2163
e18a3c73
ZJS		 2164 if (size <= 0)
2165 return -EBADMSG;
f1d178cc 2166
e18a3c73
ZJS		 2167 r = dns_packet_read_memdup(p, size,
2168 &rr->nsec3.next_hashed_name, &rr->nsec3.next_hashed_name_size,
2169 NULL);
5d45a880 2170 if (r < 0)
e18a3c73 2171 return r;
5d45a880 2172
370999c0
YW		 2173 if (rdlength < p->rindex - offset)
2174 return -EBADMSG;
2175
6b9308d1 2176 r = dns_packet_read_type_windows(p, &rr->nsec3.types, offset + rdlength - p->rindex, NULL);
5d45a880 2177
0bbd72b2
TG		 2178 /* empty non-terminals can have NSEC3 records, so empty bitmaps are allowed */
2179
5d45a880
TG		 2180 break;
2181 }
d75acfb0 2182
48d45d2b
ZJS		 2183 case DNS_TYPE_TLSA:
2184 r = dns_packet_read_uint8(p, &rr->tlsa.cert_usage, NULL);
2185 if (r < 0)
e18a3c73 2186 return r;
48d45d2b
ZJS		 2187
2188 r = dns_packet_read_uint8(p, &rr->tlsa.selector, NULL);
2189 if (r < 0)
e18a3c73 2190 return r;
48d45d2b
ZJS		 2191
2192 r = dns_packet_read_uint8(p, &rr->tlsa.matching_type, NULL);
2193 if (r < 0)
e18a3c73 2194 return r;
48d45d2b 2195
8a0f6d1f
SL		 2196 if (rdlength < 3)
2197 return -EBADMSG;
2198
48d45d2b
ZJS		 2199 r = dns_packet_read_memdup(p, rdlength - 3,
2200 &rr->tlsa.data, &rr->tlsa.data_size,
2201 NULL);
e18a3c73
ZJS		 2202
2203 if (rr->tlsa.data_size <= 0)
48d45d2b
ZJS		 2204 /* the accepted size depends on the algorithm, but for now
2205 just ensure that the value is greater than zero */
e18a3c73 2206 return -EBADMSG;
48d45d2b
ZJS		 2207
2208 break;
2209
e7634d6b
RP		 2210 case DNS_TYPE_SVCB:
2211 case DNS_TYPE_HTTPS:
2212 r = dns_packet_read_uint16(p, &rr->svcb.priority, NULL);
2213 if (r < 0)
2214 return r;
2215
2216 r = dns_packet_read_name(p, &rr->svcb.target_name, false /* uncompressed */, NULL);
2217 if (r < 0)
2218 return r;
2219
2220 DnsSvcParam *last = NULL;
2221 while (p->rindex - offset < rdlength) {
2222 _cleanup_free_ DnsSvcParam *i = NULL;
2223 uint16_t svc_param_key;
2224 uint16_t sz;
2225
2226 r = dns_packet_read_uint16(p, &svc_param_key, NULL);
2227 if (r < 0)
2228 return r;
2229 /* RFC 9460, section 2.2 says we must consider an RR malformed if SvcParamKeys are
2230 * not in strictly increasing order */
2231 if (last && last->key >= svc_param_key)
2232 return -EBADMSG;
2233
2234 r = dns_packet_read_uint16(p, &sz, NULL);
2235 if (r < 0)
2236 return r;
2237
2238 i = malloc0(offsetof(DnsSvcParam, value) + sz);
2239 if (!i)
2240 return -ENOMEM;
2241
2242 i->key = svc_param_key;
2243 i->length = sz;
2244 r = dns_packet_read_blob(p, &i->value, sz, NULL);
2245 if (r < 0)
2246 return r;
2247 if (!dns_svc_param_is_valid(i))
2248 return -EBADMSG;
2249
2250 LIST_INSERT_AFTER(params, rr->svcb.params, last, i);
2251 last = TAKE_PTR(i);
2252 }
2253
2254 break;
2255
95052df3
ZJS		 2256 case DNS_TYPE_CAA:
2257 r = dns_packet_read_uint8(p, &rr->caa.flags, NULL);
2258 if (r < 0)
2259 return r;
2260
2261 r = dns_packet_read_string(p, &rr->caa.tag, NULL);
2262 if (r < 0)
2263 return r;
2264
370999c0 2265 if (rdlength < p->rindex - offset)
8a0f6d1f
SL		 2266 return -EBADMSG;
2267
95052df3
ZJS		 2268 r = dns_packet_read_memdup(p,
2269 rdlength + offset - p->rindex,
2270 &rr->caa.value, &rr->caa.value_size, NULL);
48d45d2b
ZJS		 2271
2272 break;
2273
17615676
LP		 2274 case DNS_TYPE_NAPTR:
2275 r = dns_packet_read_uint16(p, &rr->naptr.order, NULL);
2276 if (r < 0)
2277 return r;
2278
2279 r = dns_packet_read_uint16(p, &rr->naptr.preference, NULL);
2280 if (r < 0)
2281 return r;
2282
2283 r = dns_packet_read_string(p, &rr->naptr.flags, NULL);
2284 if (r < 0)
2285 return r;
2286
2287 r = dns_packet_read_string(p, &rr->naptr.services, NULL);
2288 if (r < 0)
2289 return r;
2290
2291 r = dns_packet_read_string(p, &rr->naptr.regexp, NULL);
2292 if (r < 0)
2293 return r;
2294
2295 r = dns_packet_read_name(p, &rr->naptr.replacement, /* allow_compressed= */ false, NULL);
2296 break;
2297
d75acfb0 2298 case DNS_TYPE_OPT: /* we only care about the header of OPT for now. */
d93a16b8 2299 case DNS_TYPE_OPENPGPKEY:
74b2466e 2300 default:
52e085af 2301 unparsable:
a43a068a 2302 r = dns_packet_read_memdup(p, rdlength, &rr->generic.data, &rr->generic.data_size, NULL);
e18a3c73 2303
74b2466e
LP		 2304 break;
2305 }
2306 if (r < 0)
e18a3c73 2307 return r;
370999c0 2308 if (p->rindex - offset != rdlength)
e18a3c73 2309 return -EBADMSG;
74b2466e 2310
81b4d94d
LP		 2311 if (ret)
2312 *ret = TAKE_PTR(rr);
d2579eec
LP		 2313 if (ret_cache_flush)
2314 *ret_cache_flush = cache_flush;
81b4d94d
LP		 2315 if (ret_start)
2316 *ret_start = rewinder.saved_rindex;
74b2466e 2317
81b4d94d 2318 CANCEL_REWINDER(rewinder);
74b2466e 2319 return 0;
74b2466e
LP		 2320}
2321
c3f7000e
LP		 2322static bool opt_is_good(DnsResourceRecord *rr, bool *rfc6975) {
2323 const uint8_t* p;
2324 bool found_dau_dhu_n3u = false;
2325 size_t l;
2326
2327 /* Checks whether the specified OPT RR is well-formed and whether it contains RFC6975 data (which is not OK in
2328 * a reply). */
2329
2330 assert(rr);
2331 assert(rr->key->type == DNS_TYPE_OPT);
2332
2333 /* Check that the version is 0 */
b30bf55d
LP		 2334 if (((rr->ttl >> 16) & UINT32_C(0xFF)) != 0) {
2335 *rfc6975 = false;
2336 return true; /* if it's not version 0, it's OK, but we will ignore the OPT field contents */
2337 }
c3f7000e
LP		 2338
2339 p = rr->opt.data;
a43a068a 2340 l = rr->opt.data_size;
c3f7000e
LP		 2341 while (l > 0) {
2342 uint16_t option_code, option_length;
2343
2344 /* At least four bytes for OPTION-CODE and OPTION-LENGTH are required */
2345 if (l < 4U)
2346 return false;
2347
2348 option_code = unaligned_read_be16(p);
2349 option_length = unaligned_read_be16(p + 2);
2350
2351 if (l < option_length + 4U)
2352 return false;
2353
2354 /* RFC 6975 DAU, DHU or N3U fields found. */
980cb160 2355 if (IN_SET(option_code, DNS_EDNS_OPT_DAU, DNS_EDNS_OPT_DHU, DNS_EDNS_OPT_N3U))
c3f7000e
LP		 2356 found_dau_dhu_n3u = true;
2357
2358 p += option_length + 4U;
2359 l -= option_length + 4U;
2360 }
2361
2362 *rfc6975 = found_dau_dhu_n3u;
2363 return true;
2364}
2365
4a49e560 2366static int dns_packet_extract_question(DnsPacket *p, DnsQuestion **ret_question) {
faa133f3 2367 _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL;
64ea42e9 2368 unsigned n;
74b2466e
LP		 2369 int r;
2370
3cb10d3a 2371 n = DNS_PACKET_QDCOUNT(p);
faa133f3
LP		 2372 if (n > 0) {
2373 question = dns_question_new(n);
e18a3c73
ZJS		 2374 if (!question)
2375 return -ENOMEM;
74b2466e 2376
2d34cf0c
ZJS		 2377 _cleanup_set_free_ Set *keys = NULL; /* references to keys are kept by Question */
2378
2379 keys = set_new(&dns_resource_key_hash_ops);
2380 if (!keys)
2381 return log_oom();
2382
2383 r = set_reserve(keys, n * 2); /* Higher multipliers give slightly higher efficiency through
e9665ac2 2384 * hash collisions, but the gains quickly drop off after 2. */
2d34cf0c
ZJS		 2385 if (r < 0)
2386 return r;
2387
64ea42e9 2388 for (unsigned i = 0; i < n; i++) {
faa133f3 2389 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
82d39576 2390 bool qu;
74b2466e 2391
82d39576 2392 r = dns_packet_read_key(p, &key, &qu, NULL);
faa133f3 2393 if (r < 0)
e18a3c73 2394 return r;
74b2466e 2395
e18a3c73
ZJS		 2396 if (!dns_type_is_valid_query(key->type))
2397 return -EBADMSG;
c463eb78 2398
2d34cf0c
ZJS		 2399 r = set_put(keys, key);
2400 if (r < 0)
2401 return r;
2402 if (r == 0)
2403 /* Already in the Question, let's skip */
2404 continue;
2405
82d39576 2406 r = dns_question_add_raw(question, key, qu ? DNS_QUESTION_WANTS_UNICAST_REPLY : 0);
faa133f3 2407 if (r < 0)
e18a3c73 2408 return r;
faa133f3
LP		 2409 }
2410 }
322345fd 2411
1cc6c93a
YW		 2412 *ret_question = TAKE_PTR(question);
2413
4a49e560
ZJS		 2414 return 0;
2415}
2416
2417static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) {
2418 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
64ea42e9 2419 unsigned n;
4a49e560
ZJS		 2420 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *previous = NULL;
2421 bool bad_opt = false;
2422 int r;
2423
faa133f3 2424 n = DNS_PACKET_RRCOUNT(p);
4a49e560
ZJS		 2425 if (n == 0)
2426 return 0;
c3f7000e 2427
4a49e560
ZJS		 2428 answer = dns_answer_new(n);
2429 if (!answer)
2430 return -ENOMEM;
322345fd 2431
64ea42e9 2432 for (unsigned i = 0; i < n; i++) {
4a49e560
ZJS		 2433 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
2434 bool cache_flush = false;
93748b26 2435 size_t start;
322345fd 2436
729c5deb 2437 if (p->rindex == p->size && p->opt) {
18674159
LP		 2438 /* If we reached the end of the packet already, but there are still more RRs
2439 * declared, then that's a corrupt packet. Let's accept the packet anyway, since it's
2440 * apparently a common bug in routers. Let's however suppress OPT support in this
2441 * case, so that we force the rest of the logic into lowest DNS baseline support. Or
2442 * to say this differently: if the DNS server doesn't even get the RR counts right,
2443 * it's highly unlikely it gets EDNS right. */
2444 log_debug("More resource records declared in packet than included, suppressing OPT.");
2445 bad_opt = true;
2446 break;
2447 }
2448
93748b26 2449 r = dns_packet_read_rr(p, &rr, &cache_flush, &start);
4a49e560
ZJS		 2450 if (r < 0)
2451 return r;
322345fd 2452
4a49e560
ZJS		 2453 /* Try to reduce memory usage a bit */
2454 if (previous)
2455 dns_resource_key_reduce(&rr->key, &previous->key);
f57e3cd5 2456
4a49e560
ZJS		 2457 if (rr->key->type == DNS_TYPE_OPT) {
2458 bool has_rfc6975;
c3f7000e 2459
4a49e560
ZJS		 2460 if (p->opt || bad_opt) {
2461 /* Multiple OPT RRs? if so, let's ignore all, because there's
2462 * something wrong with the server, and if one is valid we wouldn't
2463 * know which one. */
2464 log_debug("Multiple OPT RRs detected, ignoring all.");
2465 bad_opt = true;
2466 continue;
2467 }
e6b57b37 2468
4a49e560
ZJS		 2469 if (!dns_name_is_root(dns_resource_key_name(rr->key))) {
2470 /* If the OPT RR is not owned by the root domain, then it is bad,
2471 * let's ignore it. */
2472 log_debug("OPT RR is not owned by root domain, ignoring.");
2473 bad_opt = true;
2474 continue;
2475 }
c3f7000e 2476
4a49e560
ZJS		 2477 if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p)) {
2478 /* OPT RR is in the wrong section? Some Belkin routers do this. This
2479 * is a hint the EDNS implementation is borked, like the Belkin one
2480 * is, hence ignore it. */
2481 log_debug("OPT RR in wrong section, ignoring.");
2482 bad_opt = true;
2483 continue;
2484 }
2485
2486 if (!opt_is_good(rr, &has_rfc6975)) {
2487 log_debug("Malformed OPT RR, ignoring.");
2488 bad_opt = true;
2489 continue;
2490 }
2491
2492 if (DNS_PACKET_QR(p)) {
2493 /* Additional checks for responses */
2494
d7a0f1f4 2495 if (!DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(rr))
4a49e560
ZJS		 2496 /* If this is a reply and we don't know the EDNS version
2497 * then something is weird... */
d7a0f1f4
FS		 2498 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2499 "EDNS version newer that our request, bad server.");
ff7febd5 2500
4a49e560
ZJS		 2501 if (has_rfc6975) {
2502 /* If the OPT RR contains RFC6975 algorithm data, then this
2503 * is indication that the server just copied the OPT it got
2504 * from us (which contained that data) back into the reply.
2505 * If so, then it doesn't properly support EDNS, as RFC6975
2506 * makes it very clear that the algorithm data should only
2507 * be contained in questions, never in replies. Crappy
2508 * Belkin routers copy the OPT data for example, hence let's
2509 * detect this so that we downgrade early. */
dffb8277 2510 log_debug("OPT RR contains RFC6975 data, ignoring.");
c3f7000e
LP		 2511 bad_opt = true;
2512 continue;
2513 }
4a49e560 2514 }
e6b57b37 2515
4a49e560 2516 p->opt = dns_resource_record_ref(rr);
93748b26
LP		 2517 p->opt_start = start;
2518 assert(p->rindex >= start);
2519 p->opt_size = p->rindex - start;
4a49e560 2520 } else {
fa4e74b8
LP		 2521 DnsAnswerFlags flags = 0;
2522
8ec951e8
BP		 2523 if (p->protocol == DNS_PROTOCOL_MDNS) {
2524 flags |= DNS_ANSWER_REFUSE_TTL_NO_MATCH;
2525 if (!cache_flush)
2526 flags |= DNS_ANSWER_SHARED_OWNER;
2527 }
fa4e74b8
LP		 2528
2529 /* According to RFC 4795, section 2.9. only the RRs from the Answer section shall be
2530 * cached. Hence mark only those RRs as cacheable by default, but not the ones from
82af03c2
VCS		 2531 * the Additional or Authority sections.
2532 * This restriction does not apply to mDNS records (RFC 6762). */
fa4e74b8
LP		 2533 if (i < DNS_PACKET_ANCOUNT(p))
2534 flags |= DNS_ANSWER_CACHEABLE|DNS_ANSWER_SECTION_ANSWER;
2535 else if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p))
2536 flags |= DNS_ANSWER_SECTION_AUTHORITY;
82af03c2 2537 else {
fa4e74b8 2538 flags |= DNS_ANSWER_SECTION_ADDITIONAL;
82af03c2
VCS		 2539 if (p->protocol == DNS_PROTOCOL_MDNS)
2540 flags |= DNS_ANSWER_CACHEABLE;
2541 }
4a49e560 2542
04617bf8 2543 r = dns_answer_add(answer, rr, p->ifindex, flags, NULL);
4a49e560
ZJS		 2544 if (r < 0)
2545 return r;
2546 }
d75acfb0 2547
b87fbe5f 2548 /* Remember this RR, so that we can potentially merge its ->key object with the
4a49e560
ZJS		 2549 * next RR. Note that we only do this if we actually decided to keep the RR around.
2550 */
7daeec3e 2551 DNS_RR_REPLACE(previous, dns_resource_record_ref(rr));
4a49e560 2552 }
105e1512 2553
18674159 2554 if (bad_opt) {
4a49e560 2555 p->opt = dns_resource_record_unref(p->opt);
18674159
LP		 2556 p->opt_start = p->opt_size = SIZE_MAX;
2557 }
105e1512 2558
1cc6c93a
YW		 2559 *ret_answer = TAKE_PTR(answer);
2560
4a49e560
ZJS		 2561 return 0;
2562}
ebc8a106 2563
4a49e560 2564int dns_packet_extract(DnsPacket *p) {
0c4f37f0 2565 assert(p);
c3f7000e 2566
4a49e560
ZJS		 2567 if (p->extracted)
2568 return 0;
2569
0c4f37f0
ZJS		 2570 _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL;
2571 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
fc44acc0 2572 _unused_ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
0c4f37f0
ZJS		 2573 int r;
2574
4a49e560
ZJS		 2575 dns_packet_rewind(p, DNS_PACKET_HEADER_SIZE);
2576
2577 r = dns_packet_extract_question(p, &question);
2578 if (r < 0)
2579 return r;
2580
2581 r = dns_packet_extract_answer(p, &answer);
2582 if (r < 0)
2583 return r;
322345fd 2584
894c7b77
LP		 2585 if (p->rindex < p->size) {
2586 log_debug("Trailing garbage in packet, suppressing OPT.");
2587 p->opt = dns_resource_record_unref(p->opt);
2588 p->opt_start = p->opt_size = SIZE_MAX;
2589 }
2590
1cc6c93a
YW		 2591 p->question = TAKE_PTR(question);
2592 p->answer = TAKE_PTR(answer);
a4076574
LP		 2593 p->extracted = true;
2594
e18a3c73
ZJS		 2595 /* no CANCEL, always rewind */
2596 return 0;
322345fd
LP		 2597}
2598
8af5b883
LP		 2599int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) {
2600 int r;
2601
2602 assert(p);
2603 assert(key);
2604
2605 /* Checks if the specified packet is a reply for the specified
2606 * key and the specified key is the only one in the question
2607 * section. */
2608
2609 if (DNS_PACKET_QR(p) != 1)
2610 return 0;
2611
2612 /* Let's unpack the packet, if that hasn't happened yet. */
2613 r = dns_packet_extract(p);
2614 if (r < 0)
2615 return r;
2616
a924f43f
EV		 2617 if (!p->question)
2618 return 0;
2619
8af5b883
LP		 2620 if (p->question->n_keys != 1)
2621 return 0;
2622
ab715ddb 2623 return dns_resource_key_equal(dns_question_first_key(p->question), key);
8af5b883
LP		 2624}
2625
93748b26
LP		 2626int dns_packet_patch_max_udp_size(DnsPacket *p, uint16_t max_udp_size) {
2627 assert(p);
2628 assert(max_udp_size >= DNS_PACKET_UNICAST_SIZE_MAX);
2629
f5fbe71d 2630 if (p->opt_start == SIZE_MAX) /* No OPT section, nothing to patch */
93748b26
LP		 2631 return 0;
2632
f5fbe71d 2633 assert(p->opt_size != SIZE_MAX);
93748b26
LP		 2634 assert(p->opt_size >= 5);
2635
2636 unaligned_write_be16(DNS_PACKET_DATA(p) + p->opt_start + 3, max_udp_size);
2637 return 1;
2638}
2639
81b4d94d 2640static int patch_rr(DnsPacket *p, usec_t age) {
0c4f37f0 2641 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
81b4d94d
LP		 2642 size_t ttl_index;
2643 uint32_t ttl;
2644 uint16_t type, rdlength;
2645 int r;
2646
0f1f933b 2647 /* Patches the RR at the current rindex, subtracts the specified time from the TTL */
81b4d94d
LP		 2648
2649 r = dns_packet_read_name(p, NULL, true, NULL);
2650 if (r < 0)
2651 return r;
2652
2653 r = dns_packet_read_uint16(p, &type, NULL);
2654 if (r < 0)
2655 return r;
2656
2657 r = dns_packet_read_uint16(p, NULL, NULL);
2658 if (r < 0)
2659 return r;
2660
2661 r = dns_packet_read_uint32(p, &ttl, &ttl_index);
2662 if (r < 0)
2663 return r;
2664
2665 if (type != DNS_TYPE_OPT) { /* The TTL of the OPT field is not actually a TTL, skip it */
2666 ttl = LESS_BY(ttl * USEC_PER_SEC, age) / USEC_PER_SEC;
2667 unaligned_write_be32(DNS_PACKET_DATA(p) + ttl_index, ttl);
2668 }
2669
2670 r = dns_packet_read_uint16(p, &rdlength, NULL);
2671 if (r < 0)
2672 return r;
2673
2674 r = dns_packet_read(p, rdlength, NULL, NULL);
2675 if (r < 0)
2676 return r;
2677
2678 CANCEL_REWINDER(rewinder);
2679 return 0;
2680}
2681
2682int dns_packet_patch_ttls(DnsPacket *p, usec_t timestamp) {
81b4d94d
LP		 2683 assert(p);
2684 assert(timestamp_is_set(timestamp));
2685
2686 /* Adjusts all TTLs in the packet by subtracting the time difference between now and the specified timestamp */
2687
fc44acc0 2688 _unused_ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
64ea42e9 2689 unsigned n;
0c4f37f0
ZJS		 2690 usec_t k;
2691 int r;
2692
ba4e0427 2693 k = now(CLOCK_BOOTTIME);
81b4d94d
LP		 2694 assert(k >= timestamp);
2695 k -= timestamp;
2696
81b4d94d
LP		 2697 dns_packet_rewind(p, DNS_PACKET_HEADER_SIZE);
2698
2699 n = DNS_PACKET_QDCOUNT(p);
64ea42e9 2700 for (unsigned i = 0; i < n; i++) {
81b4d94d
LP		 2701 r = dns_packet_read_key(p, NULL, NULL, NULL);
2702 if (r < 0)
2703 return r;
2704 }
2705
2706 n = DNS_PACKET_RRCOUNT(p);
64ea42e9 2707 for (unsigned i = 0; i < n; i++) {
81b4d94d
LP		 2708
2709 /* DNS servers suck, hence the RR count is in many servers off. If we reached the end
2710 * prematurely, accept that, exit early */
2711 if (p->rindex == p->size)
2712 break;
2713
2714 r = patch_rr(p, k);
2715 if (r < 0)
2716 return r;
2717 }
2718
2719 return 0;
2720}
2721
7a08d314 2722static void dns_packet_hash_func(const DnsPacket *s, struct siphash *state) {
98767d75
IT		 2723 assert(s);
2724
c01a5c05 2725 siphash24_compress_typesafe(s->size, state);
98767d75
IT		 2726 siphash24_compress(DNS_PACKET_DATA((DnsPacket*) s), s->size, state);
2727}
2728
7a08d314 2729static int dns_packet_compare_func(const DnsPacket *x, const DnsPacket *y) {
a0edd02e 2730 int r;
98767d75 2731
a0edd02e
FB		 2732 r = CMP(x->size, y->size);
2733 if (r != 0)
2734 return r;
98767d75
IT		 2735
2736 return memcmp(DNS_PACKET_DATA((DnsPacket*) x), DNS_PACKET_DATA((DnsPacket*) y), x->size);
2737}
2738
7a08d314 2739DEFINE_HASH_OPS(dns_packet_hash_ops, DnsPacket, dns_packet_hash_func, dns_packet_compare_func);
98767d75 2740
a9fd8837
LP		 2741bool dns_packet_equal(const DnsPacket *a, const DnsPacket *b) {
2742 return dns_packet_compare_func(a, b) == 0;
2743}
2744
71682ac6 2745int dns_packet_ede_rcode(DnsPacket *p, int *ret_ede_rcode, char **ret_ede_msg) {
ac684446
RP		 2746 const uint8_t *d;
2747 size_t l;
71682ac6
YW		 2748 int r;
2749
2750 assert(p);
ac684446
RP		 2751
2752 if (!p->opt)
71682ac6 2753 return -ENOENT;
ac684446
RP		 2754
2755 d = p->opt->opt.data;
2756 l = p->opt->opt.data_size;
2757
2758 while (l > 0) {
2759 uint16_t code, length;
2760
2761 if (l < 4U)
2762 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2763 "EDNS0 variable part has invalid size.");
2764
2765 code = unaligned_read_be16(d);
2766 length = unaligned_read_be16(d + 2);
2767
2768 if (l < 4U + length)
2769 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2770 "Truncated option in EDNS0 variable part.");
2771
2772 if (code == DNS_EDNS_OPT_EXT_ERROR) {
71682ac6
YW		 2773 _cleanup_free_ char *msg = NULL;
2774
ac684446
RP		 2775 if (length < 2U)
2776 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
71682ac6
YW		 2777 "EDNS0 truncated EDE info code.");
2778
2779 r = make_cstring((char *) d + 6, length - 2U, MAKE_CSTRING_ALLOW_TRAILING_NUL, &msg);
ac684446 2780 if (r < 0)
71682ac6
YW		 2781 return log_debug_errno(r, "Invalid EDE text in opt.");
2782
2783 if (ret_ede_msg) {
2784 if (!utf8_is_valid(msg)) {
2785 _cleanup_free_ char *msg_escaped = NULL;
2786
2787 msg_escaped = cescape(msg);
2788 if (!msg_escaped)
2789 return log_oom_debug();
2790
2791 *ret_ede_msg = TAKE_PTR(msg_escaped);
2792 } else
2793 *ret_ede_msg = TAKE_PTR(msg);
ac684446 2794 }
71682ac6
YW		 2795
2796 if (ret_ede_rcode)
2797 *ret_ede_rcode = unaligned_read_be16(d + 4);
2798
2799 return 0;
ac684446
RP		 2800 }
2801
2802 d += 4U + length;
2803 l -= 4U + length;
2804 }
2805
71682ac6 2806 return -ENOENT;
ac684446
RP		 2807}
2808
2809bool dns_ede_rcode_is_dnssec(int ede_rcode) {
2810 return IN_SET(ede_rcode,
2811 DNS_EDE_RCODE_UNSUPPORTED_DNSKEY_ALG,
2812 DNS_EDE_RCODE_UNSUPPORTED_DS_DIGEST,
2813 DNS_EDE_RCODE_DNSSEC_INDETERMINATE,
2814 DNS_EDE_RCODE_DNSSEC_BOGUS,
2815 DNS_EDE_RCODE_SIG_EXPIRED,
2816 DNS_EDE_RCODE_SIG_NOT_YET_VALID,
2817 DNS_EDE_RCODE_DNSKEY_MISSING,
2818 DNS_EDE_RCODE_RRSIG_MISSING,
2819 DNS_EDE_RCODE_NO_ZONE_KEY_BIT,
2820 DNS_EDE_RCODE_NSEC_MISSING
2821 );
2822}
2823
4a6eb824
LP		 2824int dns_packet_has_nsid_request(DnsPacket *p) {
2825 bool has_nsid = false;
2826 const uint8_t *d;
2827 size_t l;
2828
2829 assert(p);
2830
2831 if (!p->opt)
2832 return false;
2833
2834 d = p->opt->opt.data;
2835 l = p->opt->opt.data_size;
2836
2837 while (l > 0) {
2838 uint16_t code, length;
2839
2840 if (l < 4U)
2841 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2842 "EDNS0 variable part has invalid size.");
2843
2844 code = unaligned_read_be16(d);
2845 length = unaligned_read_be16(d + 2);
2846
2847 if (l < 4U + length)
2848 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2849 "Truncated option in EDNS0 variable part.");
2850
980cb160 2851 if (code == DNS_EDNS_OPT_NSID) {
4a6eb824
LP		 2852 if (has_nsid)
2853 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2854 "Duplicate NSID option in EDNS0 variable part.");
2855
2856 if (length != 0)
2857 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2858 "Non-empty NSID option in DNS request.");
2859
2860 has_nsid = true;
2861 }
2862
2863 d += 4U + length;
2864 l -= 4U + length;
2865 }
2866
2867 return has_nsid;
2868}
2869
acbf761b
LP		 2870size_t dns_packet_size_unfragmented(DnsPacket *p) {
2871 assert(p);
2872
2873 if (p->fragsize == 0) /* Wasn't fragmented */
2874 return p->size;
2875
2876 /* The fragment size (p->fragsize) covers the whole (fragmented) IP packet, while the regular packet
2877 * size (p->size) only covers the DNS part. Thus, subtract the UDP header from the largest fragment
2878 * size, in order to determine which size of DNS packet would have gone through without
2879 * fragmenting. */
2880
2881 return LESS_BY(p->fragsize, udp_header_size(p->family));
2882}
2883
74b2466e 2884static const char* const dns_rcode_table[_DNS_RCODE_MAX_DEFINED] = {
e3e64a1a
ZJS		 2885 [DNS_RCODE_SUCCESS] = "SUCCESS",
2886 [DNS_RCODE_FORMERR] = "FORMERR",
2887 [DNS_RCODE_SERVFAIL] = "SERVFAIL",
2888 [DNS_RCODE_NXDOMAIN] = "NXDOMAIN",
2889 [DNS_RCODE_NOTIMP] = "NOTIMP",
2890 [DNS_RCODE_REFUSED] = "REFUSED",
2891 [DNS_RCODE_YXDOMAIN] = "YXDOMAIN",
2892 [DNS_RCODE_YXRRSET] = "YRRSET",
2893 [DNS_RCODE_NXRRSET] = "NXRRSET",
2894 [DNS_RCODE_NOTAUTH] = "NOTAUTH",
2895 [DNS_RCODE_NOTZONE] = "NOTZONE",
a92ea352 2896 [DNS_RCODE_DSOTYPENI] = "DSOTYPENI",
e3e64a1a
ZJS		 2897 [DNS_RCODE_BADVERS] = "BADVERS",
2898 [DNS_RCODE_BADKEY] = "BADKEY",
2899 [DNS_RCODE_BADTIME] = "BADTIME",
2900 [DNS_RCODE_BADMODE] = "BADMODE",
2901 [DNS_RCODE_BADNAME] = "BADNAME",
2902 [DNS_RCODE_BADALG] = "BADALG",
2903 [DNS_RCODE_BADTRUNC] = "BADTRUNC",
6f21e066 2904 [DNS_RCODE_BADCOOKIE] = "BADCOOKIE",
74b2466e
LP		 2905};
2906DEFINE_STRING_TABLE_LOOKUP(dns_rcode, int);
1716f6dc 2907
0d609349
YW		 2908const char *format_dns_rcode(int i, char buf[static DECIMAL_STR_MAX(int)]) {
2909 const char *p = dns_rcode_to_string(i);
2910 if (p)
2911 return p;
2912
2913 return snprintf_ok(buf, DECIMAL_STR_MAX(int), "%i", i);
2914}
2915
056db786
RP		 2916static const char* const dns_ede_rcode_table[_DNS_EDE_RCODE_MAX_DEFINED] = {
2917 [DNS_EDE_RCODE_OTHER] = "Other",
2918 [DNS_EDE_RCODE_UNSUPPORTED_DNSKEY_ALG] = "Unsupported DNSKEY Algorithm",
2919 [DNS_EDE_RCODE_UNSUPPORTED_DS_DIGEST] = "Unsupported DS Digest Type",
2920 [DNS_EDE_RCODE_STALE_ANSWER] = "Stale Answer",
2921 [DNS_EDE_RCODE_FORGED_ANSWER] = "Forged Answer",
2922 [DNS_EDE_RCODE_DNSSEC_INDETERMINATE] = "DNSSEC Indeterminate",
2923 [DNS_EDE_RCODE_DNSSEC_BOGUS] = "DNSSEC Bogus",
2924 [DNS_EDE_RCODE_SIG_EXPIRED] = "Signature Expired",
2925 [DNS_EDE_RCODE_SIG_NOT_YET_VALID] = "Signature Not Yet Valid",
2926 [DNS_EDE_RCODE_DNSKEY_MISSING] = "DNSKEY Missing",
2927 [DNS_EDE_RCODE_RRSIG_MISSING] = "RRSIG Missing",
2928 [DNS_EDE_RCODE_NO_ZONE_KEY_BIT] = "No Zone Key Bit Set",
2929 [DNS_EDE_RCODE_NSEC_MISSING] = "NSEC Missing",
2930 [DNS_EDE_RCODE_CACHED_ERROR] = "Cached Error",
2931 [DNS_EDE_RCODE_NOT_READY] = "Not Ready",
2932 [DNS_EDE_RCODE_BLOCKED] = "Blocked",
2933 [DNS_EDE_RCODE_CENSORED] = "Censored",
2934 [DNS_EDE_RCODE_FILTERED] = "Filtered",
2935 [DNS_EDE_RCODE_PROHIBITIED] = "Prohibited",
2936 [DNS_EDE_RCODE_STALE_NXDOMAIN_ANSWER] = "Stale NXDOMAIN Answer",
2937 [DNS_EDE_RCODE_NOT_AUTHORITATIVE] = "Not Authoritative",
2938 [DNS_EDE_RCODE_NOT_SUPPORTED] = "Not Supported",
2939 [DNS_EDE_RCODE_UNREACH_AUTHORITY] = "No Reachable Authority",
2940 [DNS_EDE_RCODE_NET_ERROR] = "Network Error",
2941 [DNS_EDE_RCODE_INVALID_DATA] = "Invalid Data",
2942 [DNS_EDE_RCODE_SIG_NEVER] = "Signature Never Valid",
2943 [DNS_EDE_RCODE_TOO_EARLY] = "Too Early",
2944 [DNS_EDE_RCODE_UNSUPPORTED_NSEC3_ITER] = "Unsupported NSEC3 Iterations",
2945 [DNS_EDE_RCODE_TRANSPORT_POLICY] = "Impossible Transport Policy",
2946 [DNS_EDE_RCODE_SYNTHESIZED] = "Synthesized",
2947};
ac684446 2948DEFINE_STRING_TABLE_LOOKUP_TO_STRING(dns_ede_rcode, int);
056db786
RP		 2949
2950const char *format_dns_ede_rcode(int i, char buf[static DECIMAL_STR_MAX(int)]) {
2951 const char *p = dns_ede_rcode_to_string(i);
2952 if (p)
2953 return p;
2954
2955 return snprintf_ok(buf, DECIMAL_STR_MAX(int), "%i", i);
2956}
2957
ee9581e5
RP		 2958static const char* const dns_svc_param_key_table[_DNS_SVC_PARAM_KEY_MAX_DEFINED] = {
2959 [DNS_SVC_PARAM_KEY_MANDATORY] = "mandatory",
2960 [DNS_SVC_PARAM_KEY_ALPN] = "alpn",
2961 [DNS_SVC_PARAM_KEY_NO_DEFAULT_ALPN] = "no-default-alpn",
2962 [DNS_SVC_PARAM_KEY_PORT] = "port",
2963 [DNS_SVC_PARAM_KEY_IPV4HINT] = "ipv4hint",
2964 [DNS_SVC_PARAM_KEY_ECH] = "ech",
2965 [DNS_SVC_PARAM_KEY_IPV6HINT] = "ipv6hint",
2966 [DNS_SVC_PARAM_KEY_DOHPATH] = "dohpath",
2967 [DNS_SVC_PARAM_KEY_OHTTP] = "ohttp",
2968};
2969DEFINE_STRING_TABLE_LOOKUP_TO_STRING(dns_svc_param_key, int);
2970
2971const char *format_dns_svc_param_key(uint16_t i, char buf[static DECIMAL_STR_MAX(uint16_t)+3]) {
2972 const char *p = dns_svc_param_key_to_string(i);
2973 if (p)
2974 return p;
2975
2976 return snprintf_ok(buf, DECIMAL_STR_MAX(uint16_t)+3, "key%i", i);
2977}
2978
1716f6dc 2979static const char* const dns_protocol_table[_DNS_PROTOCOL_MAX] = {
e3e64a1a
ZJS		 2980 [DNS_PROTOCOL_DNS] = "dns",
2981 [DNS_PROTOCOL_MDNS] = "mdns",
1716f6dc
LP		 2982 [DNS_PROTOCOL_LLMNR] = "llmnr",
2983};
2984DEFINE_STRING_TABLE_LOOKUP(dns_protocol, DnsProtocol);
Unnamed repository; edit this file 'description' to name the repository.