1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2014 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include "alloc-util.h"
23 #include "dns-domain.h"
24 #include "resolved-dns-packet.h"
25 #include "string-table.h"
27 #include "unaligned.h"
31 #define EDNS0_OPT_DO (1<<15)
33 int dns_packet_new(DnsPacket
**ret
, DnsProtocol protocol
, size_t mtu
) {
39 if (mtu
<= UDP_PACKET_HEADER_SIZE
)
40 a
= DNS_PACKET_SIZE_START
;
42 a
= mtu
- UDP_PACKET_HEADER_SIZE
;
44 if (a
< DNS_PACKET_HEADER_SIZE
)
45 a
= DNS_PACKET_HEADER_SIZE
;
47 /* round up to next page size */
48 a
= PAGE_ALIGN(ALIGN(sizeof(DnsPacket
)) + a
) - ALIGN(sizeof(DnsPacket
));
50 /* make sure we never allocate more than useful */
51 if (a
> DNS_PACKET_SIZE_MAX
)
52 a
= DNS_PACKET_SIZE_MAX
;
54 p
= malloc0(ALIGN(sizeof(DnsPacket
)) + a
);
58 p
->size
= p
->rindex
= DNS_PACKET_HEADER_SIZE
;
60 p
->protocol
= protocol
;
61 p
->opt_start
= p
->opt_size
= (size_t) -1;
69 void dns_packet_set_flags(DnsPacket
*p
, bool dnssec_checking_disabled
, bool truncated
) {
75 h
= DNS_PACKET_HEADER(p
);
78 case DNS_PROTOCOL_LLMNR
:
81 h
->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
92 case DNS_PROTOCOL_MDNS
:
93 h
->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
97 0 /* rd (ask for recursion) */,
107 h
->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
111 1 /* rd (ask for recursion) */,
114 dnssec_checking_disabled
/* cd */,
119 int dns_packet_new_query(DnsPacket
**ret
, DnsProtocol protocol
, size_t mtu
, bool dnssec_checking_disabled
) {
125 r
= dns_packet_new(&p
, protocol
, mtu
);
129 /* Always set the TC bit to 0 initially.
130 * If there are multiple packets later, we'll update the bit shortly before sending.
132 dns_packet_set_flags(p
, dnssec_checking_disabled
, false);
138 DnsPacket
*dns_packet_ref(DnsPacket
*p
) {
143 assert(!p
->on_stack
);
145 assert(p
->n_ref
> 0);
150 static void dns_packet_free(DnsPacket
*p
) {
155 dns_question_unref(p
->question
);
156 dns_answer_unref(p
->answer
);
157 dns_resource_record_unref(p
->opt
);
159 while ((s
= hashmap_steal_first_key(p
->names
)))
161 hashmap_free(p
->names
);
169 DnsPacket
*dns_packet_unref(DnsPacket
*p
) {
173 assert(p
->n_ref
> 0);
175 dns_packet_unref(p
->more
);
185 int dns_packet_validate(DnsPacket
*p
) {
188 if (p
->size
< DNS_PACKET_HEADER_SIZE
)
191 if (p
->size
> DNS_PACKET_SIZE_MAX
)
197 int dns_packet_validate_reply(DnsPacket
*p
) {
202 r
= dns_packet_validate(p
);
206 if (DNS_PACKET_QR(p
) != 1)
209 if (DNS_PACKET_OPCODE(p
) != 0)
212 switch (p
->protocol
) {
214 case DNS_PROTOCOL_LLMNR
:
215 /* RFC 4795, Section 2.1.1. says to discard all replies with QDCOUNT != 1 */
216 if (DNS_PACKET_QDCOUNT(p
) != 1)
221 case DNS_PROTOCOL_MDNS
:
222 /* RFC 6762, Section 18 */
223 if (DNS_PACKET_RCODE(p
) != 0)
235 int dns_packet_validate_query(DnsPacket
*p
) {
240 r
= dns_packet_validate(p
);
244 if (DNS_PACKET_QR(p
) != 0)
247 if (DNS_PACKET_OPCODE(p
) != 0)
250 if (DNS_PACKET_TC(p
))
253 switch (p
->protocol
) {
255 case DNS_PROTOCOL_LLMNR
:
256 /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */
257 if (DNS_PACKET_QDCOUNT(p
) != 1)
260 /* RFC 4795, Section 2.1.1. says to discard all queries with ANCOUNT != 0 */
261 if (DNS_PACKET_ANCOUNT(p
) > 0)
264 /* RFC 4795, Section 2.1.1. says to discard all queries with NSCOUNT != 0 */
265 if (DNS_PACKET_NSCOUNT(p
) > 0)
270 case DNS_PROTOCOL_MDNS
:
271 /* RFC 6762, Section 18 */
272 if (DNS_PACKET_AA(p
) != 0 ||
273 DNS_PACKET_RD(p
) != 0 ||
274 DNS_PACKET_RA(p
) != 0 ||
275 DNS_PACKET_AD(p
) != 0 ||
276 DNS_PACKET_CD(p
) != 0 ||
277 DNS_PACKET_RCODE(p
) != 0)
289 static int dns_packet_extend(DnsPacket
*p
, size_t add
, void **ret
, size_t *start
) {
292 if (p
->size
+ add
> p
->allocated
) {
295 a
= PAGE_ALIGN((p
->size
+ add
) * 2);
296 if (a
> DNS_PACKET_SIZE_MAX
)
297 a
= DNS_PACKET_SIZE_MAX
;
299 if (p
->size
+ add
> a
)
305 d
= realloc(p
->_data
, a
);
311 p
->_data
= malloc(a
);
315 memcpy(p
->_data
, (uint8_t*) p
+ ALIGN(sizeof(DnsPacket
)), p
->size
);
316 memzero((uint8_t*) p
->_data
+ p
->size
, a
- p
->size
);
326 *ret
= (uint8_t*) DNS_PACKET_DATA(p
) + p
->size
;
332 void dns_packet_truncate(DnsPacket
*p
, size_t sz
) {
342 HASHMAP_FOREACH_KEY(n
, s
, p
->names
, i
) {
344 if (PTR_TO_SIZE(n
) < sz
)
347 hashmap_remove(p
->names
, s
);
354 int dns_packet_append_blob(DnsPacket
*p
, const void *d
, size_t l
, size_t *start
) {
360 r
= dns_packet_extend(p
, l
, &q
, start
);
368 int dns_packet_append_uint8(DnsPacket
*p
, uint8_t v
, size_t *start
) {
374 r
= dns_packet_extend(p
, sizeof(uint8_t), &d
, start
);
378 ((uint8_t*) d
)[0] = v
;
383 int dns_packet_append_uint16(DnsPacket
*p
, uint16_t v
, size_t *start
) {
389 r
= dns_packet_extend(p
, sizeof(uint16_t), &d
, start
);
393 unaligned_write_be16(d
, v
);
398 int dns_packet_append_uint32(DnsPacket
*p
, uint32_t v
, size_t *start
) {
404 r
= dns_packet_extend(p
, sizeof(uint32_t), &d
, start
);
408 unaligned_write_be32(d
, v
);
413 int dns_packet_append_string(DnsPacket
*p
, const char *s
, size_t *start
) {
417 return dns_packet_append_raw_string(p
, s
, strlen(s
), start
);
420 int dns_packet_append_raw_string(DnsPacket
*p
, const void *s
, size_t size
, size_t *start
) {
425 assert(s
|| size
== 0);
430 r
= dns_packet_extend(p
, 1 + size
, &d
, start
);
434 ((uint8_t*) d
)[0] = (uint8_t) size
;
437 memcpy(((uint8_t*) d
) + 1, s
, size
);
442 int dns_packet_append_label(DnsPacket
*p
, const char *d
, size_t l
, bool canonical_candidate
, size_t *start
) {
446 /* Append a label to a packet. Optionally, does this in DNSSEC
447 * canonical form, if this label is marked as a candidate for
448 * it, and the canonical form logic is enabled for the
454 if (l
> DNS_LABEL_MAX
)
457 r
= dns_packet_extend(p
, 1 + l
, (void**) &w
, start
);
461 *(w
++) = (uint8_t) l
;
463 if (p
->canonical_form
&& canonical_candidate
) {
466 /* Generate in canonical form, as defined by DNSSEC
467 * RFC 4034, Section 6.2, i.e. all lower-case. */
469 for (i
= 0; i
< l
; i
++)
470 w
[i
] = (uint8_t) ascii_tolower(d
[i
]);
472 /* Otherwise, just copy the string unaltered. This is
473 * essential for DNS-SD, where the casing of labels
474 * matters and needs to be retained. */
480 int dns_packet_append_name(
483 bool allow_compression
,
484 bool canonical_candidate
,
493 if (p
->refuse_compression
)
494 allow_compression
= false;
496 saved_size
= p
->size
;
498 while (!dns_name_is_root(name
)) {
499 const char *z
= name
;
500 char label
[DNS_LABEL_MAX
];
503 if (allow_compression
)
504 n
= PTR_TO_SIZE(hashmap_get(p
->names
, name
));
509 r
= dns_packet_append_uint16(p
, 0xC000 | n
, NULL
);
517 r
= dns_label_unescape(&name
, label
, sizeof(label
));
521 r
= dns_packet_append_label(p
, label
, r
, canonical_candidate
, &n
);
525 if (allow_compression
) {
526 _cleanup_free_
char *s
= NULL
;
534 r
= hashmap_ensure_allocated(&p
->names
, &dns_name_hash_ops
);
538 r
= hashmap_put(p
->names
, s
, SIZE_TO_PTR(n
));
546 r
= dns_packet_append_uint8(p
, 0, NULL
);
557 dns_packet_truncate(p
, saved_size
);
561 int dns_packet_append_key(DnsPacket
*p
, const DnsResourceKey
*k
, size_t *start
) {
568 saved_size
= p
->size
;
570 r
= dns_packet_append_name(p
, DNS_RESOURCE_KEY_NAME(k
), true, true, NULL
);
574 r
= dns_packet_append_uint16(p
, k
->type
, NULL
);
578 r
= dns_packet_append_uint16(p
, k
->class, NULL
);
588 dns_packet_truncate(p
, saved_size
);
592 static int dns_packet_append_type_window(DnsPacket
*p
, uint8_t window
, uint8_t length
, const uint8_t *types
, size_t *start
) {
600 saved_size
= p
->size
;
602 r
= dns_packet_append_uint8(p
, window
, NULL
);
606 r
= dns_packet_append_uint8(p
, length
, NULL
);
610 r
= dns_packet_append_blob(p
, types
, length
, NULL
);
619 dns_packet_truncate(p
, saved_size
);
623 static int dns_packet_append_types(DnsPacket
*p
, Bitmap
*types
, size_t *start
) {
627 uint8_t bitmaps
[32] = {};
634 saved_size
= p
->size
;
636 BITMAP_FOREACH(n
, types
, i
) {
639 if ((n
>> 8) != window
&& bitmaps
[entry
/ 8] != 0) {
640 r
= dns_packet_append_type_window(p
, window
, entry
/ 8 + 1, bitmaps
, NULL
);
650 bitmaps
[entry
/ 8] |= 1 << (7 - (entry
% 8));
653 if (bitmaps
[entry
/ 8] != 0) {
654 r
= dns_packet_append_type_window(p
, window
, entry
/ 8 + 1, bitmaps
, NULL
);
664 dns_packet_truncate(p
, saved_size
);
668 /* Append the OPT pseudo-RR described in RFC6891 */
669 int dns_packet_append_opt(DnsPacket
*p
, uint16_t max_udp_size
, bool edns0_do
, size_t *start
) {
674 /* we must never advertise supported packet size smaller than the legacy max */
675 assert(max_udp_size
>= DNS_PACKET_UNICAST_SIZE_MAX
);
677 if (p
->opt_start
!= (size_t) -1)
680 assert(p
->opt_size
== (size_t) -1);
682 saved_size
= p
->size
;
685 r
= dns_packet_append_uint8(p
, 0, NULL
);
690 r
= dns_packet_append_uint16(p
, DNS_TYPE_OPT
, NULL
);
694 /* maximum udp packet that can be received */
695 r
= dns_packet_append_uint16(p
, max_udp_size
, NULL
);
699 /* extended RCODE and VERSION */
700 r
= dns_packet_append_uint16(p
, 0, NULL
);
704 /* flags: DNSSEC OK (DO), see RFC3225 */
705 r
= dns_packet_append_uint16(p
, edns0_do
? EDNS0_OPT_DO
: 0, NULL
);
712 /* If DO is on, also append RFC6975 Algorithm data */
714 static const uint8_t rfc6975
[] = {
716 0, 5, /* OPTION_CODE: DAU */
717 0, 6, /* LIST_LENGTH */
718 DNSSEC_ALGORITHM_RSASHA1
,
719 DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1
,
720 DNSSEC_ALGORITHM_RSASHA256
,
721 DNSSEC_ALGORITHM_RSASHA512
,
722 DNSSEC_ALGORITHM_ECDSAP256SHA256
,
723 DNSSEC_ALGORITHM_ECDSAP384SHA384
,
725 0, 6, /* OPTION_CODE: DHU */
726 0, 3, /* LIST_LENGTH */
728 DNSSEC_DIGEST_SHA256
,
729 DNSSEC_DIGEST_SHA384
,
731 0, 7, /* OPTION_CODE: N3U */
732 0, 1, /* LIST_LENGTH */
733 NSEC3_ALGORITHM_SHA1
,
736 r
= dns_packet_append_uint16(p
, sizeof(rfc6975
), NULL
);
740 r
= dns_packet_append_blob(p
, rfc6975
, sizeof(rfc6975
), NULL
);
742 r
= dns_packet_append_uint16(p
, 0, NULL
);
747 DNS_PACKET_HEADER(p
)->arcount
= htobe16(DNS_PACKET_ARCOUNT(p
) + 1);
749 p
->opt_start
= saved_size
;
750 p
->opt_size
= p
->size
- saved_size
;
758 dns_packet_truncate(p
, saved_size
);
762 int dns_packet_truncate_opt(DnsPacket
*p
) {
765 if (p
->opt_start
== (size_t) -1) {
766 assert(p
->opt_size
== (size_t) -1);
770 assert(p
->opt_size
!= (size_t) -1);
771 assert(DNS_PACKET_ARCOUNT(p
) > 0);
773 if (p
->opt_start
+ p
->opt_size
!= p
->size
)
776 dns_packet_truncate(p
, p
->opt_start
);
777 DNS_PACKET_HEADER(p
)->arcount
= htobe16(DNS_PACKET_ARCOUNT(p
) - 1);
778 p
->opt_start
= p
->opt_size
= (size_t) -1;
783 int dns_packet_append_rr(DnsPacket
*p
, const DnsResourceRecord
*rr
, size_t *start
, size_t *rdata_start
) {
784 size_t saved_size
, rdlength_offset
, end
, rdlength
, rds
;
790 saved_size
= p
->size
;
792 r
= dns_packet_append_key(p
, rr
->key
, NULL
);
796 r
= dns_packet_append_uint32(p
, rr
->ttl
, NULL
);
800 /* Initially we write 0 here */
801 r
= dns_packet_append_uint16(p
, 0, &rdlength_offset
);
805 rds
= p
->size
- saved_size
;
807 switch (rr
->unparseable
? _DNS_TYPE_INVALID
: rr
->key
->type
) {
810 r
= dns_packet_append_uint16(p
, rr
->srv
.priority
, NULL
);
814 r
= dns_packet_append_uint16(p
, rr
->srv
.weight
, NULL
);
818 r
= dns_packet_append_uint16(p
, rr
->srv
.port
, NULL
);
822 r
= dns_packet_append_name(p
, rr
->srv
.name
, true, false, NULL
);
829 r
= dns_packet_append_name(p
, rr
->ptr
.name
, true, false, NULL
);
833 r
= dns_packet_append_string(p
, rr
->hinfo
.cpu
, NULL
);
837 r
= dns_packet_append_string(p
, rr
->hinfo
.os
, NULL
);
840 case DNS_TYPE_SPF
: /* exactly the same as TXT */
843 if (!rr
->txt
.items
) {
844 /* RFC 6763, section 6.1 suggests to generate
845 * single empty string for an empty array. */
847 r
= dns_packet_append_raw_string(p
, NULL
, 0, NULL
);
853 LIST_FOREACH(items
, i
, rr
->txt
.items
) {
854 r
= dns_packet_append_raw_string(p
, i
->data
, i
->length
, NULL
);
864 r
= dns_packet_append_blob(p
, &rr
->a
.in_addr
, sizeof(struct in_addr
), NULL
);
868 r
= dns_packet_append_blob(p
, &rr
->aaaa
.in6_addr
, sizeof(struct in6_addr
), NULL
);
872 r
= dns_packet_append_name(p
, rr
->soa
.mname
, true, false, NULL
);
876 r
= dns_packet_append_name(p
, rr
->soa
.rname
, true, false, NULL
);
880 r
= dns_packet_append_uint32(p
, rr
->soa
.serial
, NULL
);
884 r
= dns_packet_append_uint32(p
, rr
->soa
.refresh
, NULL
);
888 r
= dns_packet_append_uint32(p
, rr
->soa
.retry
, NULL
);
892 r
= dns_packet_append_uint32(p
, rr
->soa
.expire
, NULL
);
896 r
= dns_packet_append_uint32(p
, rr
->soa
.minimum
, NULL
);
900 r
= dns_packet_append_uint16(p
, rr
->mx
.priority
, NULL
);
904 r
= dns_packet_append_name(p
, rr
->mx
.exchange
, true, false, NULL
);
908 r
= dns_packet_append_uint8(p
, rr
->loc
.version
, NULL
);
912 r
= dns_packet_append_uint8(p
, rr
->loc
.size
, NULL
);
916 r
= dns_packet_append_uint8(p
, rr
->loc
.horiz_pre
, NULL
);
920 r
= dns_packet_append_uint8(p
, rr
->loc
.vert_pre
, NULL
);
924 r
= dns_packet_append_uint32(p
, rr
->loc
.latitude
, NULL
);
928 r
= dns_packet_append_uint32(p
, rr
->loc
.longitude
, NULL
);
932 r
= dns_packet_append_uint32(p
, rr
->loc
.altitude
, NULL
);
936 r
= dns_packet_append_uint16(p
, rr
->ds
.key_tag
, NULL
);
940 r
= dns_packet_append_uint8(p
, rr
->ds
.algorithm
, NULL
);
944 r
= dns_packet_append_uint8(p
, rr
->ds
.digest_type
, NULL
);
948 r
= dns_packet_append_blob(p
, rr
->ds
.digest
, rr
->ds
.digest_size
, NULL
);
952 r
= dns_packet_append_uint8(p
, rr
->sshfp
.algorithm
, NULL
);
956 r
= dns_packet_append_uint8(p
, rr
->sshfp
.fptype
, NULL
);
960 r
= dns_packet_append_blob(p
, rr
->sshfp
.fingerprint
, rr
->sshfp
.fingerprint_size
, NULL
);
963 case DNS_TYPE_DNSKEY
:
964 r
= dns_packet_append_uint16(p
, rr
->dnskey
.flags
, NULL
);
968 r
= dns_packet_append_uint8(p
, rr
->dnskey
.protocol
, NULL
);
972 r
= dns_packet_append_uint8(p
, rr
->dnskey
.algorithm
, NULL
);
976 r
= dns_packet_append_blob(p
, rr
->dnskey
.key
, rr
->dnskey
.key_size
, NULL
);
980 r
= dns_packet_append_uint16(p
, rr
->rrsig
.type_covered
, NULL
);
984 r
= dns_packet_append_uint8(p
, rr
->rrsig
.algorithm
, NULL
);
988 r
= dns_packet_append_uint8(p
, rr
->rrsig
.labels
, NULL
);
992 r
= dns_packet_append_uint32(p
, rr
->rrsig
.original_ttl
, NULL
);
996 r
= dns_packet_append_uint32(p
, rr
->rrsig
.expiration
, NULL
);
1000 r
= dns_packet_append_uint32(p
, rr
->rrsig
.inception
, NULL
);
1004 r
= dns_packet_append_uint16(p
, rr
->rrsig
.key_tag
, NULL
);
1008 r
= dns_packet_append_name(p
, rr
->rrsig
.signer
, false, true, NULL
);
1012 r
= dns_packet_append_blob(p
, rr
->rrsig
.signature
, rr
->rrsig
.signature_size
, NULL
);
1016 r
= dns_packet_append_name(p
, rr
->nsec
.next_domain_name
, false, false, NULL
);
1020 r
= dns_packet_append_types(p
, rr
->nsec
.types
, NULL
);
1026 case DNS_TYPE_NSEC3
:
1027 r
= dns_packet_append_uint8(p
, rr
->nsec3
.algorithm
, NULL
);
1031 r
= dns_packet_append_uint8(p
, rr
->nsec3
.flags
, NULL
);
1035 r
= dns_packet_append_uint16(p
, rr
->nsec3
.iterations
, NULL
);
1039 r
= dns_packet_append_uint8(p
, rr
->nsec3
.salt_size
, NULL
);
1043 r
= dns_packet_append_blob(p
, rr
->nsec3
.salt
, rr
->nsec3
.salt_size
, NULL
);
1047 r
= dns_packet_append_uint8(p
, rr
->nsec3
.next_hashed_name_size
, NULL
);
1051 r
= dns_packet_append_blob(p
, rr
->nsec3
.next_hashed_name
, rr
->nsec3
.next_hashed_name_size
, NULL
);
1055 r
= dns_packet_append_types(p
, rr
->nsec3
.types
, NULL
);
1062 case _DNS_TYPE_INVALID
: /* unparseable */
1065 r
= dns_packet_append_blob(p
, rr
->generic
.data
, rr
->generic
.size
, NULL
);
1071 /* Let's calculate the actual data size and update the field */
1072 rdlength
= p
->size
- rdlength_offset
- sizeof(uint16_t);
1073 if (rdlength
> 0xFFFF) {
1079 p
->size
= rdlength_offset
;
1080 r
= dns_packet_append_uint16(p
, rdlength
, NULL
);
1086 *start
= saved_size
;
1094 dns_packet_truncate(p
, saved_size
);
1098 int dns_packet_read(DnsPacket
*p
, size_t sz
, const void **ret
, size_t *start
) {
1101 if (p
->rindex
+ sz
> p
->size
)
1105 *ret
= (uint8_t*) DNS_PACKET_DATA(p
) + p
->rindex
;
1114 void dns_packet_rewind(DnsPacket
*p
, size_t idx
) {
1116 assert(idx
<= p
->size
);
1117 assert(idx
>= DNS_PACKET_HEADER_SIZE
);
1122 int dns_packet_read_blob(DnsPacket
*p
, void *d
, size_t sz
, size_t *start
) {
1129 r
= dns_packet_read(p
, sz
, &q
, start
);
1137 static int dns_packet_read_memdup(
1138 DnsPacket
*p
, size_t size
,
1139 void **ret
, size_t *ret_size
,
1140 size_t *ret_start
) {
1149 r
= dns_packet_read(p
, size
, &src
, &start
);
1158 copy
= memdup(src
, size
);
1173 int dns_packet_read_uint8(DnsPacket
*p
, uint8_t *ret
, size_t *start
) {
1179 r
= dns_packet_read(p
, sizeof(uint8_t), &d
, start
);
1183 *ret
= ((uint8_t*) d
)[0];
1187 int dns_packet_read_uint16(DnsPacket
*p
, uint16_t *ret
, size_t *start
) {
1193 r
= dns_packet_read(p
, sizeof(uint16_t), &d
, start
);
1197 *ret
= unaligned_read_be16(d
);
1202 int dns_packet_read_uint32(DnsPacket
*p
, uint32_t *ret
, size_t *start
) {
1208 r
= dns_packet_read(p
, sizeof(uint32_t), &d
, start
);
1212 *ret
= unaligned_read_be32(d
);
1217 int dns_packet_read_string(DnsPacket
*p
, char **ret
, size_t *start
) {
1218 size_t saved_rindex
;
1226 saved_rindex
= p
->rindex
;
1228 r
= dns_packet_read_uint8(p
, &c
, NULL
);
1232 r
= dns_packet_read(p
, c
, &d
, NULL
);
1236 if (memchr(d
, 0, c
)) {
1247 if (!utf8_is_valid(t
)) {
1256 *start
= saved_rindex
;
1261 dns_packet_rewind(p
, saved_rindex
);
1265 int dns_packet_read_raw_string(DnsPacket
*p
, const void **ret
, size_t *size
, size_t *start
) {
1266 size_t saved_rindex
;
1272 saved_rindex
= p
->rindex
;
1274 r
= dns_packet_read_uint8(p
, &c
, NULL
);
1278 r
= dns_packet_read(p
, c
, ret
, NULL
);
1285 *start
= saved_rindex
;
1290 dns_packet_rewind(p
, saved_rindex
);
1294 int dns_packet_read_name(
1297 bool allow_compression
,
1300 size_t saved_rindex
, after_rindex
= 0, jump_barrier
;
1301 _cleanup_free_
char *ret
= NULL
;
1302 size_t n
= 0, allocated
= 0;
1309 if (p
->refuse_compression
)
1310 allow_compression
= false;
1312 saved_rindex
= p
->rindex
;
1313 jump_barrier
= p
->rindex
;
1318 r
= dns_packet_read_uint8(p
, &c
, NULL
);
1329 r
= dns_packet_read(p
, c
, (const void**) &label
, NULL
);
1333 if (!GREEDY_REALLOC(ret
, allocated
, n
+ !first
+ DNS_LABEL_ESCAPED_MAX
)) {
1343 r
= dns_label_escape(label
, c
, ret
+ n
, DNS_LABEL_ESCAPED_MAX
);
1349 } else if (allow_compression
&& (c
& 0xc0) == 0xc0) {
1353 r
= dns_packet_read_uint8(p
, &d
, NULL
);
1357 ptr
= (uint16_t) (c
& ~0xc0) << 8 | (uint16_t) d
;
1358 if (ptr
< DNS_PACKET_HEADER_SIZE
|| ptr
>= jump_barrier
) {
1363 if (after_rindex
== 0)
1364 after_rindex
= p
->rindex
;
1366 /* Jumps are limited to a "prior occurrence" (RFC-1035 4.1.4) */
1375 if (!GREEDY_REALLOC(ret
, allocated
, n
+ 1)) {
1382 if (after_rindex
!= 0)
1383 p
->rindex
= after_rindex
;
1389 *start
= saved_rindex
;
1394 dns_packet_rewind(p
, saved_rindex
);
1398 static int dns_packet_read_type_window(DnsPacket
*p
, Bitmap
**types
, size_t *start
) {
1401 const uint8_t *bitmap
;
1405 size_t saved_rindex
;
1411 saved_rindex
= p
->rindex
;
1413 r
= bitmap_ensure_allocated(types
);
1417 r
= dns_packet_read_uint8(p
, &window
, NULL
);
1421 r
= dns_packet_read_uint8(p
, &length
, NULL
);
1425 if (length
== 0 || length
> 32)
1428 r
= dns_packet_read(p
, length
, (const void **)&bitmap
, NULL
);
1432 for (i
= 0; i
< length
; i
++) {
1433 uint8_t bitmask
= 1 << 7;
1444 if (bitmap
[i
] & bitmask
) {
1447 n
= (uint16_t) window
<< 8 | (uint16_t) bit
;
1449 /* Ignore pseudo-types. see RFC4034 section 4.1.2 */
1450 if (dns_type_is_pseudo(n
))
1453 r
= bitmap_set(*types
, n
);
1467 *start
= saved_rindex
;
1471 dns_packet_rewind(p
, saved_rindex
);
1475 static int dns_packet_read_type_windows(DnsPacket
*p
, Bitmap
**types
, size_t size
, size_t *start
) {
1476 size_t saved_rindex
;
1479 saved_rindex
= p
->rindex
;
1481 while (p
->rindex
< saved_rindex
+ size
) {
1482 r
= dns_packet_read_type_window(p
, types
, NULL
);
1486 /* don't read past end of current RR */
1487 if (p
->rindex
> saved_rindex
+ size
) {
1493 if (p
->rindex
!= saved_rindex
+ size
) {
1499 *start
= saved_rindex
;
1503 dns_packet_rewind(p
, saved_rindex
);
1507 int dns_packet_read_key(DnsPacket
*p
, DnsResourceKey
**ret
, bool *ret_cache_flush
, size_t *start
) {
1508 _cleanup_free_
char *name
= NULL
;
1509 bool cache_flush
= false;
1510 uint16_t class, type
;
1511 DnsResourceKey
*key
;
1512 size_t saved_rindex
;
1518 saved_rindex
= p
->rindex
;
1520 r
= dns_packet_read_name(p
, &name
, true, NULL
);
1524 r
= dns_packet_read_uint16(p
, &type
, NULL
);
1528 r
= dns_packet_read_uint16(p
, &class, NULL
);
1532 if (p
->protocol
== DNS_PROTOCOL_MDNS
) {
1533 /* See RFC6762, Section 10.2 */
1535 if (type
!= DNS_TYPE_OPT
&& (class & MDNS_RR_CACHE_FLUSH
)) {
1536 class &= ~MDNS_RR_CACHE_FLUSH
;
1541 key
= dns_resource_key_new_consume(class, type
, name
);
1550 if (ret_cache_flush
)
1551 *ret_cache_flush
= cache_flush
;
1553 *start
= saved_rindex
;
1557 dns_packet_rewind(p
, saved_rindex
);
1561 static bool loc_size_ok(uint8_t size
) {
1562 uint8_t m
= size
>> 4, e
= size
& 0xF;
1564 return m
<= 9 && e
<= 9 && (m
> 0 || e
== 0);
1567 int dns_packet_read_rr(DnsPacket
*p
, DnsResourceRecord
**ret
, bool *ret_cache_flush
, size_t *start
) {
1568 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
1569 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
1570 size_t saved_rindex
, offset
;
1578 saved_rindex
= p
->rindex
;
1580 r
= dns_packet_read_key(p
, &key
, &cache_flush
, NULL
);
1584 if (!dns_class_is_valid_rr(key
->class)||
1585 !dns_type_is_valid_rr(key
->type
)) {
1590 rr
= dns_resource_record_new(key
);
1596 r
= dns_packet_read_uint32(p
, &rr
->ttl
, NULL
);
1600 /* RFC 2181, Section 8, suggests to
1601 * treat a TTL with the MSB set as a zero TTL. */
1602 if (rr
->ttl
& UINT32_C(0x80000000))
1605 r
= dns_packet_read_uint16(p
, &rdlength
, NULL
);
1609 if (p
->rindex
+ rdlength
> p
->size
) {
1616 switch (rr
->key
->type
) {
1619 r
= dns_packet_read_uint16(p
, &rr
->srv
.priority
, NULL
);
1622 r
= dns_packet_read_uint16(p
, &rr
->srv
.weight
, NULL
);
1625 r
= dns_packet_read_uint16(p
, &rr
->srv
.port
, NULL
);
1628 r
= dns_packet_read_name(p
, &rr
->srv
.name
, true, NULL
);
1633 case DNS_TYPE_CNAME
:
1634 case DNS_TYPE_DNAME
:
1635 r
= dns_packet_read_name(p
, &rr
->ptr
.name
, true, NULL
);
1638 case DNS_TYPE_HINFO
:
1639 r
= dns_packet_read_string(p
, &rr
->hinfo
.cpu
, NULL
);
1643 r
= dns_packet_read_string(p
, &rr
->hinfo
.os
, NULL
);
1646 case DNS_TYPE_SPF
: /* exactly the same as TXT */
1648 if (rdlength
<= 0) {
1650 /* RFC 6763, section 6.1 suggests to treat
1651 * empty TXT RRs as equivalent to a TXT record
1652 * with a single empty string. */
1654 i
= malloc0(offsetof(DnsTxtItem
, data
) + 1); /* for safety reasons we add an extra NUL byte */
1660 DnsTxtItem
*last
= NULL
;
1662 while (p
->rindex
< offset
+ rdlength
) {
1667 r
= dns_packet_read_raw_string(p
, &data
, &sz
, NULL
);
1671 i
= malloc0(offsetof(DnsTxtItem
, data
) + sz
+ 1); /* extra NUL byte at the end */
1675 memcpy(i
->data
, data
, sz
);
1678 LIST_INSERT_AFTER(items
, rr
->txt
.items
, last
, i
);
1687 r
= dns_packet_read_blob(p
, &rr
->a
.in_addr
, sizeof(struct in_addr
), NULL
);
1691 r
= dns_packet_read_blob(p
, &rr
->aaaa
.in6_addr
, sizeof(struct in6_addr
), NULL
);
1695 r
= dns_packet_read_name(p
, &rr
->soa
.mname
, true, NULL
);
1699 r
= dns_packet_read_name(p
, &rr
->soa
.rname
, true, NULL
);
1703 r
= dns_packet_read_uint32(p
, &rr
->soa
.serial
, NULL
);
1707 r
= dns_packet_read_uint32(p
, &rr
->soa
.refresh
, NULL
);
1711 r
= dns_packet_read_uint32(p
, &rr
->soa
.retry
, NULL
);
1715 r
= dns_packet_read_uint32(p
, &rr
->soa
.expire
, NULL
);
1719 r
= dns_packet_read_uint32(p
, &rr
->soa
.minimum
, NULL
);
1723 r
= dns_packet_read_uint16(p
, &rr
->mx
.priority
, NULL
);
1727 r
= dns_packet_read_name(p
, &rr
->mx
.exchange
, true, NULL
);
1730 case DNS_TYPE_LOC
: {
1734 r
= dns_packet_read_uint8(p
, &t
, &pos
);
1739 rr
->loc
.version
= t
;
1741 r
= dns_packet_read_uint8(p
, &rr
->loc
.size
, NULL
);
1745 if (!loc_size_ok(rr
->loc
.size
)) {
1750 r
= dns_packet_read_uint8(p
, &rr
->loc
.horiz_pre
, NULL
);
1754 if (!loc_size_ok(rr
->loc
.horiz_pre
)) {
1759 r
= dns_packet_read_uint8(p
, &rr
->loc
.vert_pre
, NULL
);
1763 if (!loc_size_ok(rr
->loc
.vert_pre
)) {
1768 r
= dns_packet_read_uint32(p
, &rr
->loc
.latitude
, NULL
);
1772 r
= dns_packet_read_uint32(p
, &rr
->loc
.longitude
, NULL
);
1776 r
= dns_packet_read_uint32(p
, &rr
->loc
.altitude
, NULL
);
1782 dns_packet_rewind(p
, pos
);
1783 rr
->unparseable
= true;
1789 r
= dns_packet_read_uint16(p
, &rr
->ds
.key_tag
, NULL
);
1793 r
= dns_packet_read_uint8(p
, &rr
->ds
.algorithm
, NULL
);
1797 r
= dns_packet_read_uint8(p
, &rr
->ds
.digest_type
, NULL
);
1801 r
= dns_packet_read_memdup(p
, rdlength
- 4,
1802 &rr
->ds
.digest
, &rr
->ds
.digest_size
,
1807 if (rr
->ds
.digest_size
<= 0) {
1808 /* the accepted size depends on the algorithm, but for now
1809 just ensure that the value is greater than zero */
1816 case DNS_TYPE_SSHFP
:
1817 r
= dns_packet_read_uint8(p
, &rr
->sshfp
.algorithm
, NULL
);
1821 r
= dns_packet_read_uint8(p
, &rr
->sshfp
.fptype
, NULL
);
1825 r
= dns_packet_read_memdup(p
, rdlength
- 2,
1826 &rr
->sshfp
.fingerprint
, &rr
->sshfp
.fingerprint_size
,
1829 if (rr
->sshfp
.fingerprint_size
<= 0) {
1830 /* the accepted size depends on the algorithm, but for now
1831 just ensure that the value is greater than zero */
1838 case DNS_TYPE_DNSKEY
:
1839 r
= dns_packet_read_uint16(p
, &rr
->dnskey
.flags
, NULL
);
1843 r
= dns_packet_read_uint8(p
, &rr
->dnskey
.protocol
, NULL
);
1847 r
= dns_packet_read_uint8(p
, &rr
->dnskey
.algorithm
, NULL
);
1851 r
= dns_packet_read_memdup(p
, rdlength
- 4,
1852 &rr
->dnskey
.key
, &rr
->dnskey
.key_size
,
1855 if (rr
->dnskey
.key_size
<= 0) {
1856 /* the accepted size depends on the algorithm, but for now
1857 just ensure that the value is greater than zero */
1864 case DNS_TYPE_RRSIG
:
1865 r
= dns_packet_read_uint16(p
, &rr
->rrsig
.type_covered
, NULL
);
1869 r
= dns_packet_read_uint8(p
, &rr
->rrsig
.algorithm
, NULL
);
1873 r
= dns_packet_read_uint8(p
, &rr
->rrsig
.labels
, NULL
);
1877 r
= dns_packet_read_uint32(p
, &rr
->rrsig
.original_ttl
, NULL
);
1881 r
= dns_packet_read_uint32(p
, &rr
->rrsig
.expiration
, NULL
);
1885 r
= dns_packet_read_uint32(p
, &rr
->rrsig
.inception
, NULL
);
1889 r
= dns_packet_read_uint16(p
, &rr
->rrsig
.key_tag
, NULL
);
1893 r
= dns_packet_read_name(p
, &rr
->rrsig
.signer
, false, NULL
);
1897 r
= dns_packet_read_memdup(p
, offset
+ rdlength
- p
->rindex
,
1898 &rr
->rrsig
.signature
, &rr
->rrsig
.signature_size
,
1901 if (rr
->rrsig
.signature_size
<= 0) {
1902 /* the accepted size depends on the algorithm, but for now
1903 just ensure that the value is greater than zero */
1910 case DNS_TYPE_NSEC
: {
1913 * RFC6762, section 18.14 explictly states mDNS should use name compression.
1914 * This contradicts RFC3845, section 2.1.1
1917 bool allow_compressed
= p
->protocol
== DNS_PROTOCOL_MDNS
;
1919 r
= dns_packet_read_name(p
, &rr
->nsec
.next_domain_name
, allow_compressed
, NULL
);
1923 r
= dns_packet_read_type_windows(p
, &rr
->nsec
.types
, offset
+ rdlength
- p
->rindex
, NULL
);
1927 /* We accept empty NSEC bitmaps. The bit indicating the presence of the NSEC record itself
1928 * is redundant and in e.g., RFC4956 this fact is used to define a use for NSEC records
1929 * without the NSEC bit set. */
1933 case DNS_TYPE_NSEC3
: {
1936 r
= dns_packet_read_uint8(p
, &rr
->nsec3
.algorithm
, NULL
);
1940 r
= dns_packet_read_uint8(p
, &rr
->nsec3
.flags
, NULL
);
1944 r
= dns_packet_read_uint16(p
, &rr
->nsec3
.iterations
, NULL
);
1948 /* this may be zero */
1949 r
= dns_packet_read_uint8(p
, &size
, NULL
);
1953 r
= dns_packet_read_memdup(p
, size
, &rr
->nsec3
.salt
, &rr
->nsec3
.salt_size
, NULL
);
1957 r
= dns_packet_read_uint8(p
, &size
, NULL
);
1966 r
= dns_packet_read_memdup(p
, size
, &rr
->nsec3
.next_hashed_name
, &rr
->nsec3
.next_hashed_name_size
, NULL
);
1970 r
= dns_packet_read_type_windows(p
, &rr
->nsec3
.types
, offset
+ rdlength
- p
->rindex
, NULL
);
1974 /* empty non-terminals can have NSEC3 records, so empty bitmaps are allowed */
1979 case DNS_TYPE_OPT
: /* we only care about the header of OPT for now. */
1982 r
= dns_packet_read_memdup(p
, rdlength
, &rr
->generic
.data
, &rr
->generic
.size
, NULL
);
1989 if (p
->rindex
!= offset
+ rdlength
) {
1997 if (ret_cache_flush
)
1998 *ret_cache_flush
= cache_flush
;
2000 *start
= saved_rindex
;
2004 dns_packet_rewind(p
, saved_rindex
);
2008 static bool opt_is_good(DnsResourceRecord
*rr
, bool *rfc6975
) {
2010 bool found_dau_dhu_n3u
= false;
2013 /* Checks whether the specified OPT RR is well-formed and whether it contains RFC6975 data (which is not OK in
2017 assert(rr
->key
->type
== DNS_TYPE_OPT
);
2019 /* Check that the version is 0 */
2020 if (((rr
->ttl
>> 16) & UINT32_C(0xFF)) != 0)
2026 uint16_t option_code
, option_length
;
2028 /* At least four bytes for OPTION-CODE and OPTION-LENGTH are required */
2032 option_code
= unaligned_read_be16(p
);
2033 option_length
= unaligned_read_be16(p
+ 2);
2035 if (l
< option_length
+ 4U)
2038 /* RFC 6975 DAU, DHU or N3U fields found. */
2039 if (IN_SET(option_code
, 5, 6, 7))
2040 found_dau_dhu_n3u
= true;
2042 p
+= option_length
+ 4U;
2043 l
-= option_length
+ 4U;
2046 *rfc6975
= found_dau_dhu_n3u
;
2050 int dns_packet_extract(DnsPacket
*p
) {
2051 _cleanup_(dns_question_unrefp
) DnsQuestion
*question
= NULL
;
2052 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
2053 size_t saved_rindex
;
2060 saved_rindex
= p
->rindex
;
2061 dns_packet_rewind(p
, DNS_PACKET_HEADER_SIZE
);
2063 n
= DNS_PACKET_QDCOUNT(p
);
2065 question
= dns_question_new(n
);
2071 for (i
= 0; i
< n
; i
++) {
2072 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
2075 r
= dns_packet_read_key(p
, &key
, &cache_flush
, NULL
);
2084 if (!dns_type_is_valid_query(key
->type
)) {
2089 r
= dns_question_add(question
, key
);
2095 n
= DNS_PACKET_RRCOUNT(p
);
2097 DnsResourceRecord
*previous
= NULL
;
2098 bool bad_opt
= false;
2100 answer
= dns_answer_new(n
);
2106 for (i
= 0; i
< n
; i
++) {
2107 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
2110 r
= dns_packet_read_rr(p
, &rr
, &cache_flush
, NULL
);
2114 /* Try to reduce memory usage a bit */
2116 dns_resource_key_reduce(&rr
->key
, &previous
->key
);
2118 if (rr
->key
->type
== DNS_TYPE_OPT
) {
2121 if (p
->opt
|| bad_opt
) {
2122 /* Multiple OPT RRs? if so, let's ignore all, because there's something wrong
2123 * with the server, and if one is valid we wouldn't know which one. */
2124 log_debug("Multiple OPT RRs detected, ignoring all.");
2129 if (!dns_name_is_root(DNS_RESOURCE_KEY_NAME(rr
->key
))) {
2130 /* If the OPT RR qis not owned by the root domain, then it is bad, let's ignore
2132 log_debug("OPT RR is not owned by root domain, ignoring.");
2137 if (i
< DNS_PACKET_ANCOUNT(p
) + DNS_PACKET_NSCOUNT(p
)) {
2138 /* OPT RR is in the wrong section? Some Belkin routers do this. This is a hint
2139 * the EDNS implementation is borked, like the Belkin one is, hence ignore
2141 log_debug("OPT RR in wrong section, ignoring.");
2146 if (!opt_is_good(rr
, &has_rfc6975
)) {
2147 log_debug("Malformed OPT RR, ignoring.");
2153 /* OPT RR contains RFC6975 algorithm data, then this is indication that the
2154 * server just copied the OPT it got from us (which contained that data) back
2155 * into the reply. If so, then it doesn't properly support EDNS, as RFC6975
2156 * makes it very clear that the algorithm data should only be contained in
2157 * questions, never in replies. Crappy Belkin copy the OPT data for example,
2158 * hence let's detect this so that we downgrade early. */
2159 log_debug("OPT RR contained RFC6975 data, ignoring.");
2164 p
->opt
= dns_resource_record_ref(rr
);
2167 /* According to RFC 4795, section 2.9. only the RRs from the Answer section shall be
2168 * cached. Hence mark only those RRs as cacheable by default, but not the ones from the
2169 * Additional or Authority sections. */
2171 r
= dns_answer_add(answer
, rr
, p
->ifindex
,
2172 (i
< DNS_PACKET_ANCOUNT(p
) ? DNS_ANSWER_CACHEABLE
: 0) |
2173 (p
->protocol
== DNS_PROTOCOL_MDNS
&& !cache_flush
? DNS_ANSWER_SHARED_OWNER
: 0));
2180 p
->opt
= dns_resource_record_unref(p
->opt
);
2183 p
->question
= question
;
2189 p
->extracted
= true;
2194 p
->rindex
= saved_rindex
;
2198 int dns_packet_is_reply_for(DnsPacket
*p
, const DnsResourceKey
*key
) {
2204 /* Checks if the specified packet is a reply for the specified
2205 * key and the specified key is the only one in the question
2208 if (DNS_PACKET_QR(p
) != 1)
2211 /* Let's unpack the packet, if that hasn't happened yet. */
2212 r
= dns_packet_extract(p
);
2216 if (p
->question
->n_keys
!= 1)
2219 return dns_resource_key_equal(p
->question
->keys
[0], key
);
2222 static const char* const dns_rcode_table
[_DNS_RCODE_MAX_DEFINED
] = {
2223 [DNS_RCODE_SUCCESS
] = "SUCCESS",
2224 [DNS_RCODE_FORMERR
] = "FORMERR",
2225 [DNS_RCODE_SERVFAIL
] = "SERVFAIL",
2226 [DNS_RCODE_NXDOMAIN
] = "NXDOMAIN",
2227 [DNS_RCODE_NOTIMP
] = "NOTIMP",
2228 [DNS_RCODE_REFUSED
] = "REFUSED",
2229 [DNS_RCODE_YXDOMAIN
] = "YXDOMAIN",
2230 [DNS_RCODE_YXRRSET
] = "YRRSET",
2231 [DNS_RCODE_NXRRSET
] = "NXRRSET",
2232 [DNS_RCODE_NOTAUTH
] = "NOTAUTH",
2233 [DNS_RCODE_NOTZONE
] = "NOTZONE",
2234 [DNS_RCODE_BADVERS
] = "BADVERS",
2235 [DNS_RCODE_BADKEY
] = "BADKEY",
2236 [DNS_RCODE_BADTIME
] = "BADTIME",
2237 [DNS_RCODE_BADMODE
] = "BADMODE",
2238 [DNS_RCODE_BADNAME
] = "BADNAME",
2239 [DNS_RCODE_BADALG
] = "BADALG",
2240 [DNS_RCODE_BADTRUNC
] = "BADTRUNC",
2242 DEFINE_STRING_TABLE_LOOKUP(dns_rcode
, int);
2244 static const char* const dns_protocol_table
[_DNS_PROTOCOL_MAX
] = {
2245 [DNS_PROTOCOL_DNS
] = "dns",
2246 [DNS_PROTOCOL_MDNS
] = "mdns",
2247 [DNS_PROTOCOL_LLMNR
] = "llmnr",
2249 DEFINE_STRING_TABLE_LOOKUP(dns_protocol
, DnsProtocol
);