int
parse_edns_from_pkt(sldns_buffer* pkt, struct edns_data* edns)
{
log_assert(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) == 1);
log_assert(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0);
log_assert(LDNS_NSCOUNT(sldns_buffer_begin(pkt)) == 0);
/* check edns section is present */
if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) {
return LDNS_RCODE_FORMERR;
}
if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) == 0) {
memset(edns, 0, sizeof(*edns));
edns->udp_size = 512;
return 0;
}
/* domain name must be the root of length 1. */
if(pkt_dname_len(pkt) != 1)
return LDNS_RCODE_FORMERR;
if(sldns_buffer_remaining(pkt) < 10) /* type, class, ttl, rdatalen */
return LDNS_RCODE_FORMERR;
if(sldns_buffer_read_u16(pkt) != LDNS_RR_TYPE_OPT)
return LDNS_RCODE_FORMERR;
edns->edns_present = 1;
edns->udp_size = sldns_buffer_read_u16(pkt); /* class is udp size */
edns->ext_rcode = sldns_buffer_read_u8(pkt); /* ttl used for bits */
edns->edns_version = sldns_buffer_read_u8(pkt);
edns->bits = sldns_buffer_read_u16(pkt);
/* ignore rdata and rrsigs */
return 0;
}
/** check request sanity.
* @param pkt: the wire packet to examine for sanity.
* @param worker: parameters for checking.
* @return error code, 0 OK, or -1 discard.
*/
static int
worker_check_request(sldns_buffer* pkt, struct worker* worker)
{
if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) {
verbose(VERB_QUERY, "request too short, discarded");
return -1;
}
if(sldns_buffer_limit(pkt) > NORMAL_UDP_SIZE &&
worker->daemon->cfg->harden_large_queries) {
verbose(VERB_QUERY, "request too large, discarded");
return -1;
}
if(LDNS_QR_WIRE(sldns_buffer_begin(pkt))) {
verbose(VERB_QUERY, "request has QR bit on, discarded");
return -1;
}
if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) {
LDNS_TC_CLR(sldns_buffer_begin(pkt));
verbose(VERB_QUERY, "request bad, has TC bit on");
return worker_err_ratelimit(worker, LDNS_RCODE_FORMERR);
}
if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) {
verbose(VERB_QUERY, "request unknown opcode %d",
LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)));
return worker_err_ratelimit(worker, LDNS_RCODE_NOTIMPL);
}
if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1) {
verbose(VERB_QUERY, "request wrong nr qd=%d",
LDNS_QDCOUNT(sldns_buffer_begin(pkt)));
return worker_err_ratelimit(worker, LDNS_RCODE_FORMERR);
}
if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) != 0) {
verbose(VERB_QUERY, "request wrong nr an=%d",
LDNS_ANCOUNT(sldns_buffer_begin(pkt)));
return worker_err_ratelimit(worker, LDNS_RCODE_FORMERR);
}
if(LDNS_NSCOUNT(sldns_buffer_begin(pkt)) != 0) {
verbose(VERB_QUERY, "request wrong nr ns=%d",
LDNS_NSCOUNT(sldns_buffer_begin(pkt)));
return worker_err_ratelimit(worker, LDNS_RCODE_FORMERR);
}
if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) {
verbose(VERB_QUERY, "request wrong nr ar=%d",
LDNS_ARCOUNT(sldns_buffer_begin(pkt)));
return worker_err_ratelimit(worker, LDNS_RCODE_FORMERR);
}
return 0;
}
/** check the packet and make sure that EDNS and DO and the type and RRSIG */
static int
check_packet(uint8_t* wire, size_t len, int tp)
{
ldns_pkt *p = NULL;
ldns_status s;
if( (s=ldns_wire2pkt(&p, wire, len)) != LDNS_STATUS_OK) {
if(verb) printf("error: %s\n", ldns_get_errorstr_by_id(s));
goto failed;
}
if(!p) {
if(verb) printf("error: out of memory\n");
goto failed;
}
/* does DNS work? */
if(ldns_pkt_get_rcode(p) != LDNS_RCODE_NOERROR) {
char* r = ldns_pkt_rcode2str(ldns_pkt_get_rcode(p));
if(verb) printf("no answer, %s\n", r?r:"(out of memory)");
LDNS_FREE(r);
goto failed;
}
/* test EDNS0 presence, of OPT record */
/* LDNS forgets during pkt parse, but we test the ARCOUNT;
* 0 additionals means no EDNS(on the wire), and after parsing the
* same additional RRs as before means no EDNS OPT */
if(LDNS_ARCOUNT(wire) == 0 ||
ldns_pkt_arcount(p) == LDNS_ARCOUNT(wire)) {
if(verb) printf("no EDNS\n");
goto failed;
}
/* test if the type, RRSIG present */
if(!check_type_in_answer(p, tp) ||
!check_type_in_answer(p, LDNS_RR_TYPE_RRSIG)) {
goto failed;
}
LDNS_FREE(wire);
ldns_pkt_free(p);
return 1;
failed:
LDNS_FREE(wire);
ldns_pkt_free(p);
return 0;
}
/*
* Makes an exact copy of the wire, but with the tsig rr removed
*/
static uint8_t *
ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
{
uint8_t *wire2 = NULL;
uint16_t qd_count;
uint16_t an_count;
uint16_t ns_count;
uint16_t ar_count;
ldns_rr *rr;
size_t pos;
uint16_t i;
ldns_status status;
if(wire_len < LDNS_HEADER_SIZE) {
return NULL;
}
/* fake parse the wire */
qd_count = LDNS_QDCOUNT(wire);
an_count = LDNS_ANCOUNT(wire);
ns_count = LDNS_NSCOUNT(wire);
ar_count = LDNS_ARCOUNT(wire);
if (ar_count > 0) {
ar_count--;
} else {
return NULL;
}
pos = LDNS_HEADER_SIZE;
for (i = 0; i < qd_count; i++) {
status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_QUESTION);
if (status != LDNS_STATUS_OK) {
return NULL;
}
ldns_rr_free(rr);
}
for (i = 0; i < an_count; i++) {
status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_ANSWER);
if (status != LDNS_STATUS_OK) {
return NULL;
}
ldns_rr_free(rr);
}
for (i = 0; i < ns_count; i++) {
status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_AUTHORITY);
if (status != LDNS_STATUS_OK) {
return NULL;
}
ldns_rr_free(rr);
}
for (i = 0; i < ar_count; i++) {
status = ldns_wire2rr(&rr, wire, wire_len, &pos,
LDNS_SECTION_ADDITIONAL);
if (status != LDNS_STATUS_OK) {
return NULL;
}
ldns_rr_free(rr);
}
*result_len = pos;
wire2 = LDNS_XMALLOC(uint8_t, *result_len);
if(!wire2) {
return NULL;
}
memcpy(wire2, wire, *result_len);
ldns_write_uint16(wire2 + LDNS_ARCOUNT_OFF, ar_count);
return wire2;
}
