summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-packet.c
AgeCommit message (Collapse)Author
2015-12-03resolved: introduce a dnssec_mode setting per scopeLennart Poettering
The setting controls which kind of DNSSEC validation is done: none at all, trusting the AD bit, or client-side validation. For now, no validation is implemented, hence the setting doesn't do much yet, except of toggling the CD bit in the generated messages if full client-side validation is requested.
2015-12-03resolved: move algorithm/digest definitions into resolved-dns-rr.hLennart Poettering
After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02resolved: add code to generate the wire format for a single RRLennart Poettering
This adds dns_resource_record_to_wire_format() that generates the raw wire-format of a single DnsResourceRecord object, and caches it in the object, optionally in DNSSEC canonical form. This call is used later to generate the RR serialization of RRs to verify. This adds four new fields to DnsResourceRecord objects: - wire_format points to the buffer with the wire-format version of the RR - wire_format_size stores the size of that buffer - wire_format_rdata_offset specifies the index into the buffer where the RDATA of the RR begins (i.e. the size of the key part of the RR). - wire_format_canonical is a boolean that stores whether the cached wire format is in DNSSEC canonical form or not. Note that this patch adds a mode where a DnsPacket is allocated on the stack (instead of on the heap), so that it is cheaper to reuse the DnsPacket object for generating this wire format. After all we reuse the DnsPacket object for this, since it comes with all the dynamic memory management, and serialization calls we need anyway.
2015-12-02resolved: add code to map DNSSEC digest types to strings and backLennart Poettering
2015-12-02resolved: store DNSKEY fields flags+protocol as-isLennart Poettering
When verifying signatures we need to be able to verify the original data we got for an RR set, and that means we cannot simply drop flags bits or consider RRs invalid too eagerly. Hence, instead of parsing the DNSKEY flags store them as-is. Similar, accept the protocol field as it is, and don't consider it a parsing error if it is not 3. Of course, this means that the DNSKEY handling code later on needs to check explicit for protocol != 3.
2015-12-02resolved: add RFC 5702 defined DNSSEC algorithms to tableLennart Poettering
2015-12-02resolved: simplify dns_packet_append_string()Lennart Poettering
It essentially does the same as dns_packet_append_raw_string(), hence make it a wrapper around it.
2015-11-27resolved: set the DNSSEC OK (DO) flagTom Gundersen
This indicates that we can handle DNSSEC records (per RFC3225), even if all we do is silently drop them. This feature requires EDNS0 support. As we do not yet support larger UDP packets, this feature increases the risk of getting truncated packets. Similarly to how we fall back to plain UDP if EDNS0 fails, we will fall back to plain EDNS0 if EDNS0+DO fails (with the same logic of remembering success and retrying after a grace period after failure).
2015-11-27resolved: implement minimal EDNS0 supportTom Gundersen
This is a minimal implementation of RFC6891. Only default values are used, so in reality this will be a noop. EDNS0 support is dependent on the current server's feature level, so appending the OPT pseudo RR is done when the packet is emitted, rather than when it is assembled. To handle different feature levels on retransmission, we strip off the OPT RR again after sending the packet. Similarly, to how we fall back to TCP if UDP fails, we fall back to plain UDP if EDNS0 fails (but if EDNS0 ever succeeded we never fall back again, and after a timeout we will retry EDNS0).
2015-11-27resolved: rr - add OPT pseudo-rr supportTom Gundersen
Needed for EDNS0.
2015-11-26Merge pull request #2031 from poettering/resolved-search-domainsTom Gundersen
resolved. Fully implement search domains for single-label names
2015-11-26resolved: do not reject NSEC records with empty bitmapsTom Gundersen
The assumption that no NSEC bitmap could be empty due to the presence of the bit representing the record itself turns out to be flawed. See (the admittedly experimental) RFC4956 for a counter example.
2015-11-25dns-domain: rework dns_label_escape() to not imply memory allocationLennart Poettering
The new dns_label_escape() call now operates on a buffer passed in, similar to dns_label_unescape(). This should make decoding a bit faster, and nicer.
2015-11-23resolved: accept TXT records with non-UTF8 stringsLennart Poettering
RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-10-27util-lib: split out allocation calls into alloc-util.[ch]Lennart Poettering
2015-10-27util-lib: move string table stuff into its own string-table.[ch]Lennart Poettering
2015-08-25resolved: make packet flags logic more expressive againLennart Poettering
This partially reverts 106784ebb7b303ae471851100a773ad2aebf5b80, ad readds separate DNS_PACKET_MAKE_FLAGS() invocations for the LLMNR and DNS case. This is important since SOme flags have different names and meanings on LLMNR and on DNS and we should clarify that via the comments and how we put things together.
2015-08-25resolved: use switch-case statements for protocol detailsDaniel Mack
With more protocols to come, switch repetitive if-else blocks with a switch-case statements.
2015-08-21resolved: when passing RRs across the bus, make sure not to use name compressionLennart Poettering
We explicitly need to turn off name compression when marshalling or demarshalling RRs for bus transfer, since they otherwise refer to packet offsets that reference packets that are not transmitted themselves.
2015-08-21resolved: rework synthesizing logicLennart Poettering
With this change we'll now also generate synthesized RRs for the local LLMNR hostname (first label of system hostname), the local mDNS hostname (first label of system hostname suffixed with .local), the "gateway" hostname and all the reverse PTRs. This hence takes over part of what nss-myhostname already implemented. Local hostnames resolve to the set of local IP addresses. Since the addresses are possibly on different interfaces it is necessary to change the internal DnsAnswer object to track per-RR interface indexes, and to change the bus API to always return the interface per-address rather than per-reply. This change also patches the existing clients for resolved accordingly (nss-resolve + systemd-resolve-host). This also changes the routing logic for queries slightly: we now ensure that the local hostname is never resolved via LLMNR, thus making it trustable on the local system.
2015-08-16resolved: packet - fix typo in read_rr()Tom Gundersen
2015-07-28resolved: packet - refuse empty type bitmapsTom Gundersen
The NSEC type itself must at least be in the bitmap, so NSEC records with empty bitmaps must be bogus.
2015-07-28resolved: packet - fix read_type_window()Tom Gundersen
We were tracking the bit offset inside each byte, rather than inside the whole bitmap.
2015-07-28resolve: packet - fix append_types()Tom Gundersen
We were counting the number of bits set rather than the number of bytes they occupied.
2015-07-23resolved: packet - fix segfault in truncate()Tom Gundersen
A size_t was being accessed as a char* due to the order of arguments being inverted.
2015-07-23resolved: rr - ignore pseudo types in NSEC(3) bitmapsTom Gundersen
2015-07-23resolved: rr - fix parsing of NSEC3Tom Gundersen
We were appending rather than reading the bitmap.
2015-07-23resolved: rr - don't read past end of RR when parsing NSEC(3)Tom Gundersen
We can never read past the end of the packet, so this seems impossible to exploit, but let's error out early as reading past the end of the current RR is clearly an error. Found by Lennart, based on patch by Daniel.
2015-07-23resolved: rr - SSHFP contains the fingerprint, not the keyTom Gundersen
Rename the field to make this clearer.
2015-07-23resolved: packet - fail on invalid zero-length dataTom Gundersen
Most blobs (keys, signatures, ...) should have a specific size given by the relevant algorithm. However, as we don't use/verify the algorithms yet, let's just ensure that we don't read out zero-length data in cases where this does not make sense. The only exceptions, where zero-length data is allowed are in the NSEC3 salt field, and the generic data (which we don't know anything about, so better not make any assumptions).
2015-07-23Merge pull request #669 from poettering/dns-rr-memdupTom Gundersen
resolve: unify memdup() code when parsing RRs
2015-07-23resolved: make sure we alway initialize *start in ↵Lennart Poettering
dns_packet_append_type_window()
2015-07-23resolve: unify memdup() code when parsing RRsLennart Poettering
Let's make dns_packet_read_public_key() more generic by renaming it to dns_packet_read_memdup() (which more accurately describes what it does...). Then, patch all cases where we memdup() RR data to use this new call. This specifically checks for zero-length objects, and handles them gracefully. It will set zero length payload fields as a result. Special care should be taken to ensure that any code using this call can handle the returned allocated field to be NULL if the size is specified as 0!
2015-07-16bitmap: use external iteratorTom Gundersen
Reuse the Iterator object from hashmap.h and expose a similar API. This allows us to do { Iterator i; unsigned n; BITMAP_FOREACH(n, b, i) { Iterator j; unsigned m; BITMAP_FOREACH(m, b, j) { ... } } } without getting confused. Requested by David.
2015-07-14resolved: rr - add NSEC3 supportTom Gundersen
Needed for DNSSEC.
2015-07-14resolved: rr - add NSEC supportTom Gundersen
Needed for DNSSEC.
2015-07-14Merge pull request #586 from teg/resolved-rrs-3Daniel Mack
resolved: minor improvements to RR handling
2015-07-14resolved: rr - add DS supportTom Gundersen
Needed for DNSSEC.
2015-07-14resolved: packet - ensure there is space for IP+UDP headersTom Gundersen
Currently we only make sure our links can handle the size of the payload witohut taking the headers into account.
2015-07-13resolved: make LLMNR checks conditionalDaniel Mack
Make all LLMNR related packet inspections conditional to p->protocol. Use switch-case statements while at it, which will make future additions more readable.
2015-07-08resolved: fix marshalling of RRSIG recordsTom Gundersen
The key tag is 16, not 8 bits.
2015-06-10resolve: move dns routines into sharedNick Owens
2014-12-30tree-wide: spelling fixesVeres Lajos
https://github.com/vlajos/misspell_fixer https://github.com/torstehu/systemd/commit/b6fdeb618cf2f3ce1645b3315f15f482710c7ffa Thanks to Torstein Husebo <torstein@huseboe.net>.
2014-12-01resolved: make TXT RR generation and parsing more in-line with RFC 6763, ↵Lennart Poettering
section 6.1 The RFC says to encode an single empty TXT string instead of an empty TXT array. It also says to treat a zero-length TXT RR as a TXT array with a single zero-length string.
2014-11-27resolve: reject empty TXT recordsStanisław Pitucha
TXT records should have at least one character, so enforce this. Before 0f84a72 parser SIGSEGV'd on ->txt.strings being NULL, but even if this is fixed we should reject invalid TXT records.
2014-11-27resolve: set error code on failureStanisław Pitucha
Set the error code in case of incorrect name. This prevents continuing and failing an assert(name) later on.
2014-11-27resolve: fix redirection loops in compressed RRStanisław Pitucha
Loops in RR compression were only detected for the first entry. Multiple redirections should be allowed, each one checking for an infinite loop on its own starting point. Also update the pointer on each redirection to avoid longer loops of labels and redirections, in names like: (start) [len=1] "A", [ptr to start] (David: rename variable to "jump_barrier" and add reference to RFC)
2014-11-01resolved: dns-packet - use unaligned read/write helpersTom Gundersen
2014-09-15hashmap: introduce hash_ops to make struct Hashmap smallerMichal Schmidt
It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.
2014-08-11resolved: implement full LLMNR conflict detection logicLennart Poettering