From: TCY16 Date: Mon, 20 Sep 2021 09:35:00 +0000 (+0200) Subject: add routine to do EDE on ACL blocked messages X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d15603a8ce6ff3543991b54202895684f0723df;p=thirdparty%2Funbound.git add routine to do EDE on ACL blocked messages --- diff --git a/daemon/worker.c b/daemon/worker.c index c059214ef..ed06a8c58 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -1155,6 +1155,12 @@ worker_handle_request(struct comm_point* c, void* arg, int error, acl = acl_get_control(acladdr); if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1) { + /* parse packet to check for EDNS. Add EDE blocked if possible */ + sldns_buffer_rewind(c->buffer) + if (msgparse_check_edns_in_packet(c->buffer)) + EDNS_OPT_APPEND_EDE(edns, worker->scratchpad, + LDNS_EDE_BLOCKED, ""); + if(ret == 1) goto send_reply; return ret; diff --git a/util/data/msgparse.c b/util/data/msgparse.c index 6ee5559db..db3e229e1 100644 --- a/util/data/msgparse.c +++ b/util/data/msgparse.c @@ -1127,3 +1127,25 @@ log_edns_opt_list(enum verbosity_value level, const char* info_str, } } } + + +/** parse a DNS packet to find out if it contains an EDNS section */ +int +msgparse_check_edns_in_packet(sldns_buffer* pkt) +{ + size_t rdata_len; + uint8_t* rdata_ptr; + log_assert(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) == 1); + if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) != 0 || + LDNS_NSCOUNT(sldns_buffer_begin(pkt)) != 0) { + if(!skip_pkt_rrs(pkt, ((int)LDNS_ANCOUNT(sldns_buffer_begin(pkt)))+ + ((int)LDNS_NSCOUNT(sldns_buffer_begin(pkt))))) + return LDNS_RCODE_FORMERR; + } + /* check edns section is present */ + if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) == 1) + return 0; + else + return 1; +} + diff --git a/util/data/msgparse.h b/util/data/msgparse.h index d2fd9c806..5e22f6f74 100644 --- a/util/data/msgparse.h +++ b/util/data/msgparse.h 
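Review bot: `sldns_buffer_rewind(c->buffer)` in the added block has no terminating semicolon, so the hunk does not compile as written; it should read `sldns_buffer_rewind(c->buffer);`. The condition on the next line is also inverted with respect to the new helper: `msgparse_check_edns_in_packet` returns 0 when it finds an additional record and 1 otherwise, so `if (msgparse_check_edns_in_packet(c->buffer))` appends the EDE exactly when no EDNS was found, and a FORMERR result (also 1) takes the same branch, so a client that sent no OPT record gets an OPT record back while one that did gets nothing. The `edns` handed to `EDNS_OPT_APPEND_EDE` is not set up anywhere in the hunk; unless worker_handle_request initialises it before the ACL check (outside the hunk, so I cannot tell), its option list is whatever was on the stack. Note too that `deny_refuse_all` has already run on `c->buffer` when the rewind happens; if it rewrites the buffer into the refusal reply before returning 1, as I would expect given the `goto send_reply`, the parse here inspects that reply rather than the client's query, which is worth confirming before relying on the result. worker_handle_request starts and ends outside the hunk.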
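Review bot: `log_assert(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) == 1)` tests a header field taken straight off the wire, and the only caller in this commit rewinds the raw client buffer and calls this right after the ACL check, so unless the question count has already been validated before that point (not visible here) a denied client sending QDCOUNT != 1 trips the assertion and, in an assert-enabled build, aborts the daemon; make it a return instead, `if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1) return LDNS_RCODE_FORMERR;`. The return contract is also ambiguous: the FORMERR rcode value is 1, the same value used here for "no EDNS", and 0 signals "present", so the caller cannot tell a malformed packet from a plain query and gets the reverse of the usual boolean convention. `LDNS_ARCOUNT(sldns_buffer_begin(pkt)) == 1` does not establish that the additional record is an OPT RR (type 41, RFC 6891); a query carrying a TSIG or any other additional record is reported as EDNS, and one carrying OPT plus another record is not. Nothing reads the record that `skip_pkt_rrs` positions the buffer at, and `rdata_len` and `rdata_ptr` are declared but never used, which suggests the OPT type check was planned but not finished; the function also never advances past the header and question section, so if `skip_pkt_rrs` walks from the current read position (presumably, given the caller's rewind) it starts at offset 0 rather than at the answer section. The leading context lines are the tail of log_edns_opt_list, which starts outside the hunk.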
@@ -341,4 +341,12 @@ void msgparse_bucket_remove(struct msg_parse* msg, struct rrset_parse* rrset); void log_edns_opt_list(enum verbosity_value level, const char* info_str, struct edns_option* list);
+/**
+ * Verify if the packet contains EDNS (RFC6891)
+ * @param pkt: the packet.
+ * @return 0 if true, 1 if false
+ */
+int msgparse_check_edns_in_packet(sldns_buffer* pkt);
+
+
 #endif /* UTIL_DATA_MSGPARSE_H */
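Review bot: The `@return 0 if true, 1 if false` line does not describe the implementation in this commit, which also returns `LDNS_RCODE_FORMERR` when it cannot skip the answer and authority sections and whose "true" is really "the additional section count is exactly 1"; a reader of the header would also expect the usual non-zero-means-true convention. Suggest `@return 0 if exactly one additional record is present, 1 if not, LDNS_RCODE_FORMERR if the answer/authority sections could not be parsed.` until the implementation is tightened to a real OPT-record check with a boolean result. The `@param pkt` line should state the precondition the code relies on, `@param pkt: the packet; must have QDCOUNT 1, read position is modified.`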