435c0d9fc8
This PR switches the Nomad repository from using govendor to Go modules for managing dependencies. Aspects of the Nomad workflow remain pretty much the same. The usual Makefile targets should continue to work as they always did. The API submodule simply defers to the parent Nomad version on the repository, keeping the semantics of API versioning that currently exists.
1197 lines
32 KiB
Go
1197 lines
32 KiB
Go
// DNS packet assembly, see RFC 1035. Converting from - Unpack() -
|
|
// and to - Pack() - wire format.
|
|
// All the packers and unpackers take a (msg []byte, off int)
|
|
// and return (off1 int, ok bool). If they return ok==false, they
|
|
// also return off1==len(msg), so that the next unpacker will
|
|
// also fail. This lets us avoid checks of ok until the end of a
|
|
// packing sequence.
|
|
|
|
package dns
|
|
|
|
//go:generate go run msg_generate.go
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/binary"
|
|
"fmt"
|
|
"math/big"
|
|
"strconv"
|
|
"strings"
|
|
)
|
|
|
|
const (
|
|
maxCompressionOffset = 2 << 13 // We have 14 bits for the compression pointer
|
|
maxDomainNameWireOctets = 255 // See RFC 1035 section 2.3.4
|
|
|
|
// This is the maximum number of compression pointers that should occur in a
|
|
// semantically valid message. Each label in a domain name must be at least one
|
|
// octet and is separated by a period. The root label won't be represented by a
|
|
// compression pointer to a compression pointer, hence the -2 to exclude the
|
|
// smallest valid root label.
|
|
//
|
|
// It is possible to construct a valid message that has more compression pointers
|
|
// than this, and still doesn't loop, by pointing to a previous pointer. This is
|
|
// not something a well written implementation should ever do, so we leave them
|
|
// to trip the maximum compression pointer check.
|
|
maxCompressionPointers = (maxDomainNameWireOctets+1)/2 - 2
|
|
|
|
// This is the maximum length of a domain name in presentation format. The
|
|
// maximum wire length of a domain name is 255 octets (see above), with the
|
|
// maximum label length being 63. The wire format requires one extra byte over
|
|
// the presentation format, reducing the number of octets by 1. Each label in
|
|
// the name will be separated by a single period, with each octet in the label
|
|
// expanding to at most 4 bytes (\DDD). If all other labels are of the maximum
|
|
// length, then the final label can only be 61 octets long to not exceed the
|
|
// maximum allowed wire length.
|
|
maxDomainNamePresentationLength = 61*4 + 1 + 63*4 + 1 + 63*4 + 1 + 63*4 + 1
|
|
)
|
|
|
|
// Errors defined in this package.
|
|
var (
|
|
ErrAlg error = &Error{err: "bad algorithm"} // ErrAlg indicates an error with the (DNSSEC) algorithm.
|
|
ErrAuth error = &Error{err: "bad authentication"} // ErrAuth indicates an error in the TSIG authentication.
|
|
ErrBuf error = &Error{err: "buffer size too small"} // ErrBuf indicates that the buffer used is too small for the message.
|
|
ErrConnEmpty error = &Error{err: "conn has no connection"} // ErrConnEmpty indicates a connection is being used before it is initialized.
|
|
ErrExtendedRcode error = &Error{err: "bad extended rcode"} // ErrExtendedRcode ...
|
|
ErrFqdn error = &Error{err: "domain must be fully qualified"} // ErrFqdn indicates that a domain name does not have a closing dot.
|
|
ErrId error = &Error{err: "id mismatch"} // ErrId indicates there is a mismatch with the message's ID.
|
|
ErrKeyAlg error = &Error{err: "bad key algorithm"} // ErrKeyAlg indicates that the algorithm in the key is not valid.
|
|
ErrKey error = &Error{err: "bad key"}
|
|
ErrKeySize error = &Error{err: "bad key size"}
|
|
ErrLongDomain error = &Error{err: fmt.Sprintf("domain name exceeded %d wire-format octets", maxDomainNameWireOctets)}
|
|
ErrNoSig error = &Error{err: "no signature found"}
|
|
ErrPrivKey error = &Error{err: "bad private key"}
|
|
ErrRcode error = &Error{err: "bad rcode"}
|
|
ErrRdata error = &Error{err: "bad rdata"}
|
|
ErrRRset error = &Error{err: "bad rrset"}
|
|
ErrSecret error = &Error{err: "no secrets defined"}
|
|
ErrShortRead error = &Error{err: "short read"}
|
|
ErrSig error = &Error{err: "bad signature"} // ErrSig indicates that a signature can not be cryptographically validated.
|
|
ErrSoa error = &Error{err: "no SOA"} // ErrSOA indicates that no SOA RR was seen when doing zone transfers.
|
|
ErrTime error = &Error{err: "bad time"} // ErrTime indicates a timing error in TSIG authentication.
|
|
)
|
|
|
|
// Id by default returns a 16-bit random number to be used as a message id. The
|
|
// number is drawn from a cryptographically secure random number generator.
|
|
// This being a variable the function can be reassigned to a custom function.
|
|
// For instance, to make it return a static value for testing:
|
|
//
|
|
// dns.Id = func() uint16 { return 3 }
|
|
var Id = id
|
|
|
|
// id returns a 16 bits random number to be used as a
|
|
// message id. The random provided should be good enough.
|
|
func id() uint16 {
|
|
var output uint16
|
|
err := binary.Read(rand.Reader, binary.BigEndian, &output)
|
|
if err != nil {
|
|
panic("dns: reading random id failed: " + err.Error())
|
|
}
|
|
return output
|
|
}
|
|
|
|
// MsgHdr is a a manually-unpacked version of (id, bits).
|
|
type MsgHdr struct {
|
|
Id uint16
|
|
Response bool
|
|
Opcode int
|
|
Authoritative bool
|
|
Truncated bool
|
|
RecursionDesired bool
|
|
RecursionAvailable bool
|
|
Zero bool
|
|
AuthenticatedData bool
|
|
CheckingDisabled bool
|
|
Rcode int
|
|
}
|
|
|
|
// Msg contains the layout of a DNS message.
|
|
type Msg struct {
|
|
MsgHdr
|
|
Compress bool `json:"-"` // If true, the message will be compressed when converted to wire format.
|
|
Question []Question // Holds the RR(s) of the question section.
|
|
Answer []RR // Holds the RR(s) of the answer section.
|
|
Ns []RR // Holds the RR(s) of the authority section.
|
|
Extra []RR // Holds the RR(s) of the additional section.
|
|
}
|
|
|
|
// ClassToString is a maps Classes to strings for each CLASS wire type.
|
|
var ClassToString = map[uint16]string{
|
|
ClassINET: "IN",
|
|
ClassCSNET: "CS",
|
|
ClassCHAOS: "CH",
|
|
ClassHESIOD: "HS",
|
|
ClassNONE: "NONE",
|
|
ClassANY: "ANY",
|
|
}
|
|
|
|
// OpcodeToString maps Opcodes to strings.
|
|
var OpcodeToString = map[int]string{
|
|
OpcodeQuery: "QUERY",
|
|
OpcodeIQuery: "IQUERY",
|
|
OpcodeStatus: "STATUS",
|
|
OpcodeNotify: "NOTIFY",
|
|
OpcodeUpdate: "UPDATE",
|
|
}
|
|
|
|
// RcodeToString maps Rcodes to strings.
|
|
var RcodeToString = map[int]string{
|
|
RcodeSuccess: "NOERROR",
|
|
RcodeFormatError: "FORMERR",
|
|
RcodeServerFailure: "SERVFAIL",
|
|
RcodeNameError: "NXDOMAIN",
|
|
RcodeNotImplemented: "NOTIMP",
|
|
RcodeRefused: "REFUSED",
|
|
RcodeYXDomain: "YXDOMAIN", // See RFC 2136
|
|
RcodeYXRrset: "YXRRSET",
|
|
RcodeNXRrset: "NXRRSET",
|
|
RcodeNotAuth: "NOTAUTH",
|
|
RcodeNotZone: "NOTZONE",
|
|
RcodeBadSig: "BADSIG", // Also known as RcodeBadVers, see RFC 6891
|
|
// RcodeBadVers: "BADVERS",
|
|
RcodeBadKey: "BADKEY",
|
|
RcodeBadTime: "BADTIME",
|
|
RcodeBadMode: "BADMODE",
|
|
RcodeBadName: "BADNAME",
|
|
RcodeBadAlg: "BADALG",
|
|
RcodeBadTrunc: "BADTRUNC",
|
|
RcodeBadCookie: "BADCOOKIE",
|
|
}
|
|
|
|
// compressionMap is used to allow a more efficient compression map
|
|
// to be used for internal packDomainName calls without changing the
|
|
// signature or functionality of public API.
|
|
//
|
|
// In particular, map[string]uint16 uses 25% less per-entry memory
|
|
// than does map[string]int.
|
|
type compressionMap struct {
|
|
ext map[string]int // external callers
|
|
int map[string]uint16 // internal callers
|
|
}
|
|
|
|
func (m compressionMap) valid() bool {
|
|
return m.int != nil || m.ext != nil
|
|
}
|
|
|
|
func (m compressionMap) insert(s string, pos int) {
|
|
if m.ext != nil {
|
|
m.ext[s] = pos
|
|
} else {
|
|
m.int[s] = uint16(pos)
|
|
}
|
|
}
|
|
|
|
func (m compressionMap) find(s string) (int, bool) {
|
|
if m.ext != nil {
|
|
pos, ok := m.ext[s]
|
|
return pos, ok
|
|
}
|
|
|
|
pos, ok := m.int[s]
|
|
return int(pos), ok
|
|
}
|
|
|
|
// Domain names are a sequence of counted strings
|
|
// split at the dots. They end with a zero-length string.
|
|
|
|
// PackDomainName packs a domain name s into msg[off:].
|
|
// If compression is wanted compress must be true and the compression
|
|
// map needs to hold a mapping between domain names and offsets
|
|
// pointing into msg.
|
|
func PackDomainName(s string, msg []byte, off int, compression map[string]int, compress bool) (off1 int, err error) {
|
|
return packDomainName(s, msg, off, compressionMap{ext: compression}, compress)
|
|
}
|
|
|
|
func packDomainName(s string, msg []byte, off int, compression compressionMap, compress bool) (off1 int, err error) {
|
|
// XXX: A logical copy of this function exists in IsDomainName and
|
|
// should be kept in sync with this function.
|
|
|
|
ls := len(s)
|
|
if ls == 0 { // Ok, for instance when dealing with update RR without any rdata.
|
|
return off, nil
|
|
}
|
|
|
|
// If not fully qualified, error out.
|
|
if !IsFqdn(s) {
|
|
return len(msg), ErrFqdn
|
|
}
|
|
|
|
// Each dot ends a segment of the name.
|
|
// We trade each dot byte for a length byte.
|
|
// Except for escaped dots (\.), which are normal dots.
|
|
// There is also a trailing zero.
|
|
|
|
// Compression
|
|
pointer := -1
|
|
|
|
// Emit sequence of counted strings, chopping at dots.
|
|
var (
|
|
begin int
|
|
compBegin int
|
|
compOff int
|
|
bs []byte
|
|
wasDot bool
|
|
)
|
|
loop:
|
|
for i := 0; i < ls; i++ {
|
|
var c byte
|
|
if bs == nil {
|
|
c = s[i]
|
|
} else {
|
|
c = bs[i]
|
|
}
|
|
|
|
switch c {
|
|
case '\\':
|
|
if off+1 > len(msg) {
|
|
return len(msg), ErrBuf
|
|
}
|
|
|
|
if bs == nil {
|
|
bs = []byte(s)
|
|
}
|
|
|
|
// check for \DDD
|
|
if i+3 < ls && isDigit(bs[i+1]) && isDigit(bs[i+2]) && isDigit(bs[i+3]) {
|
|
bs[i] = dddToByte(bs[i+1:])
|
|
copy(bs[i+1:ls-3], bs[i+4:])
|
|
ls -= 3
|
|
compOff += 3
|
|
} else {
|
|
copy(bs[i:ls-1], bs[i+1:])
|
|
ls--
|
|
compOff++
|
|
}
|
|
|
|
wasDot = false
|
|
case '.':
|
|
if wasDot {
|
|
// two dots back to back is not legal
|
|
return len(msg), ErrRdata
|
|
}
|
|
wasDot = true
|
|
|
|
labelLen := i - begin
|
|
if labelLen >= 1<<6 { // top two bits of length must be clear
|
|
return len(msg), ErrRdata
|
|
}
|
|
|
|
// off can already (we're in a loop) be bigger than len(msg)
|
|
// this happens when a name isn't fully qualified
|
|
if off+1+labelLen > len(msg) {
|
|
return len(msg), ErrBuf
|
|
}
|
|
|
|
// Don't try to compress '.'
|
|
// We should only compress when compress is true, but we should also still pick
|
|
// up names that can be used for *future* compression(s).
|
|
if compression.valid() && !isRootLabel(s, bs, begin, ls) {
|
|
if p, ok := compression.find(s[compBegin:]); ok {
|
|
// The first hit is the longest matching dname
|
|
// keep the pointer offset we get back and store
|
|
// the offset of the current name, because that's
|
|
// where we need to insert the pointer later
|
|
|
|
// If compress is true, we're allowed to compress this dname
|
|
if compress {
|
|
pointer = p // Where to point to
|
|
break loop
|
|
}
|
|
} else if off < maxCompressionOffset {
|
|
// Only offsets smaller than maxCompressionOffset can be used.
|
|
compression.insert(s[compBegin:], off)
|
|
}
|
|
}
|
|
|
|
// The following is covered by the length check above.
|
|
msg[off] = byte(labelLen)
|
|
|
|
if bs == nil {
|
|
copy(msg[off+1:], s[begin:i])
|
|
} else {
|
|
copy(msg[off+1:], bs[begin:i])
|
|
}
|
|
off += 1 + labelLen
|
|
|
|
begin = i + 1
|
|
compBegin = begin + compOff
|
|
default:
|
|
wasDot = false
|
|
}
|
|
}
|
|
|
|
// Root label is special
|
|
if isRootLabel(s, bs, 0, ls) {
|
|
return off, nil
|
|
}
|
|
|
|
// If we did compression and we find something add the pointer here
|
|
if pointer != -1 {
|
|
// We have two bytes (14 bits) to put the pointer in
|
|
binary.BigEndian.PutUint16(msg[off:], uint16(pointer^0xC000))
|
|
return off + 2, nil
|
|
}
|
|
|
|
if off < len(msg) {
|
|
msg[off] = 0
|
|
}
|
|
|
|
return off + 1, nil
|
|
}
|
|
|
|
// isRootLabel returns whether s or bs, from off to end, is the root
|
|
// label ".".
|
|
//
|
|
// If bs is nil, s will be checked, otherwise bs will be checked.
|
|
func isRootLabel(s string, bs []byte, off, end int) bool {
|
|
if bs == nil {
|
|
return s[off:end] == "."
|
|
}
|
|
|
|
return end-off == 1 && bs[off] == '.'
|
|
}
|
|
|
|
// Unpack a domain name.
|
|
// In addition to the simple sequences of counted strings above,
|
|
// domain names are allowed to refer to strings elsewhere in the
|
|
// packet, to avoid repeating common suffixes when returning
|
|
// many entries in a single domain. The pointers are marked
|
|
// by a length byte with the top two bits set. Ignoring those
|
|
// two bits, that byte and the next give a 14 bit offset from msg[0]
|
|
// where we should pick up the trail.
|
|
// Note that if we jump elsewhere in the packet,
|
|
// we return off1 == the offset after the first pointer we found,
|
|
// which is where the next record will start.
|
|
// In theory, the pointers are only allowed to jump backward.
|
|
// We let them jump anywhere and stop jumping after a while.
|
|
|
|
// UnpackDomainName unpacks a domain name into a string. It returns
|
|
// the name, the new offset into msg and any error that occurred.
|
|
//
|
|
// When an error is encountered, the unpacked name will be discarded
|
|
// and len(msg) will be returned as the offset.
|
|
func UnpackDomainName(msg []byte, off int) (string, int, error) {
|
|
s := make([]byte, 0, maxDomainNamePresentationLength)
|
|
off1 := 0
|
|
lenmsg := len(msg)
|
|
budget := maxDomainNameWireOctets
|
|
ptr := 0 // number of pointers followed
|
|
Loop:
|
|
for {
|
|
if off >= lenmsg {
|
|
return "", lenmsg, ErrBuf
|
|
}
|
|
c := int(msg[off])
|
|
off++
|
|
switch c & 0xC0 {
|
|
case 0x00:
|
|
if c == 0x00 {
|
|
// end of name
|
|
break Loop
|
|
}
|
|
// literal string
|
|
if off+c > lenmsg {
|
|
return "", lenmsg, ErrBuf
|
|
}
|
|
budget -= c + 1 // +1 for the label separator
|
|
if budget <= 0 {
|
|
return "", lenmsg, ErrLongDomain
|
|
}
|
|
for _, b := range msg[off : off+c] {
|
|
switch b {
|
|
case '.', '(', ')', ';', ' ', '@':
|
|
fallthrough
|
|
case '"', '\\':
|
|
s = append(s, '\\', b)
|
|
default:
|
|
if b < ' ' || b > '~' { // unprintable, use \DDD
|
|
s = append(s, escapeByte(b)...)
|
|
} else {
|
|
s = append(s, b)
|
|
}
|
|
}
|
|
}
|
|
s = append(s, '.')
|
|
off += c
|
|
case 0xC0:
|
|
// pointer to somewhere else in msg.
|
|
// remember location after first ptr,
|
|
// since that's how many bytes we consumed.
|
|
// also, don't follow too many pointers --
|
|
// maybe there's a loop.
|
|
if off >= lenmsg {
|
|
return "", lenmsg, ErrBuf
|
|
}
|
|
c1 := msg[off]
|
|
off++
|
|
if ptr == 0 {
|
|
off1 = off
|
|
}
|
|
if ptr++; ptr > maxCompressionPointers {
|
|
return "", lenmsg, &Error{err: "too many compression pointers"}
|
|
}
|
|
// pointer should guarantee that it advances and points forwards at least
|
|
// but the condition on previous three lines guarantees that it's
|
|
// at least loop-free
|
|
off = (c^0xC0)<<8 | int(c1)
|
|
default:
|
|
// 0x80 and 0x40 are reserved
|
|
return "", lenmsg, ErrRdata
|
|
}
|
|
}
|
|
if ptr == 0 {
|
|
off1 = off
|
|
}
|
|
if len(s) == 0 {
|
|
return ".", off1, nil
|
|
}
|
|
return string(s), off1, nil
|
|
}
|
|
|
|
func packTxt(txt []string, msg []byte, offset int, tmp []byte) (int, error) {
|
|
if len(txt) == 0 {
|
|
if offset >= len(msg) {
|
|
return offset, ErrBuf
|
|
}
|
|
msg[offset] = 0
|
|
return offset, nil
|
|
}
|
|
var err error
|
|
for _, s := range txt {
|
|
if len(s) > len(tmp) {
|
|
return offset, ErrBuf
|
|
}
|
|
offset, err = packTxtString(s, msg, offset, tmp)
|
|
if err != nil {
|
|
return offset, err
|
|
}
|
|
}
|
|
return offset, nil
|
|
}
|
|
|
|
func packTxtString(s string, msg []byte, offset int, tmp []byte) (int, error) {
|
|
lenByteOffset := offset
|
|
if offset >= len(msg) || len(s) > len(tmp) {
|
|
return offset, ErrBuf
|
|
}
|
|
offset++
|
|
bs := tmp[:len(s)]
|
|
copy(bs, s)
|
|
for i := 0; i < len(bs); i++ {
|
|
if len(msg) <= offset {
|
|
return offset, ErrBuf
|
|
}
|
|
if bs[i] == '\\' {
|
|
i++
|
|
if i == len(bs) {
|
|
break
|
|
}
|
|
// check for \DDD
|
|
if i+2 < len(bs) && isDigit(bs[i]) && isDigit(bs[i+1]) && isDigit(bs[i+2]) {
|
|
msg[offset] = dddToByte(bs[i:])
|
|
i += 2
|
|
} else {
|
|
msg[offset] = bs[i]
|
|
}
|
|
} else {
|
|
msg[offset] = bs[i]
|
|
}
|
|
offset++
|
|
}
|
|
l := offset - lenByteOffset - 1
|
|
if l > 255 {
|
|
return offset, &Error{err: "string exceeded 255 bytes in txt"}
|
|
}
|
|
msg[lenByteOffset] = byte(l)
|
|
return offset, nil
|
|
}
|
|
|
|
func packOctetString(s string, msg []byte, offset int, tmp []byte) (int, error) {
|
|
if offset >= len(msg) || len(s) > len(tmp) {
|
|
return offset, ErrBuf
|
|
}
|
|
bs := tmp[:len(s)]
|
|
copy(bs, s)
|
|
for i := 0; i < len(bs); i++ {
|
|
if len(msg) <= offset {
|
|
return offset, ErrBuf
|
|
}
|
|
if bs[i] == '\\' {
|
|
i++
|
|
if i == len(bs) {
|
|
break
|
|
}
|
|
// check for \DDD
|
|
if i+2 < len(bs) && isDigit(bs[i]) && isDigit(bs[i+1]) && isDigit(bs[i+2]) {
|
|
msg[offset] = dddToByte(bs[i:])
|
|
i += 2
|
|
} else {
|
|
msg[offset] = bs[i]
|
|
}
|
|
} else {
|
|
msg[offset] = bs[i]
|
|
}
|
|
offset++
|
|
}
|
|
return offset, nil
|
|
}
|
|
|
|
func unpackTxt(msg []byte, off0 int) (ss []string, off int, err error) {
|
|
off = off0
|
|
var s string
|
|
for off < len(msg) && err == nil {
|
|
s, off, err = unpackString(msg, off)
|
|
if err == nil {
|
|
ss = append(ss, s)
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
// Helpers for dealing with escaped bytes
|
|
func isDigit(b byte) bool { return b >= '0' && b <= '9' }
|
|
|
|
func dddToByte(s []byte) byte {
|
|
_ = s[2] // bounds check hint to compiler; see golang.org/issue/14808
|
|
return byte((s[0]-'0')*100 + (s[1]-'0')*10 + (s[2] - '0'))
|
|
}
|
|
|
|
func dddStringToByte(s string) byte {
|
|
_ = s[2] // bounds check hint to compiler; see golang.org/issue/14808
|
|
return byte((s[0]-'0')*100 + (s[1]-'0')*10 + (s[2] - '0'))
|
|
}
|
|
|
|
// Helper function for packing and unpacking
|
|
func intToBytes(i *big.Int, length int) []byte {
|
|
buf := i.Bytes()
|
|
if len(buf) < length {
|
|
b := make([]byte, length)
|
|
copy(b[length-len(buf):], buf)
|
|
return b
|
|
}
|
|
return buf
|
|
}
|
|
|
|
// PackRR packs a resource record rr into msg[off:].
|
|
// See PackDomainName for documentation about the compression.
|
|
func PackRR(rr RR, msg []byte, off int, compression map[string]int, compress bool) (off1 int, err error) {
|
|
headerEnd, off1, err := packRR(rr, msg, off, compressionMap{ext: compression}, compress)
|
|
if err == nil {
|
|
// packRR no longer sets the Rdlength field on the rr, but
|
|
// callers might be expecting it so we set it here.
|
|
rr.Header().Rdlength = uint16(off1 - headerEnd)
|
|
}
|
|
return off1, err
|
|
}
|
|
|
|
func packRR(rr RR, msg []byte, off int, compression compressionMap, compress bool) (headerEnd int, off1 int, err error) {
|
|
if rr == nil {
|
|
return len(msg), len(msg), &Error{err: "nil rr"}
|
|
}
|
|
|
|
headerEnd, err = rr.Header().packHeader(msg, off, compression, compress)
|
|
if err != nil {
|
|
return headerEnd, len(msg), err
|
|
}
|
|
|
|
off1, err = rr.pack(msg, headerEnd, compression, compress)
|
|
if err != nil {
|
|
return headerEnd, len(msg), err
|
|
}
|
|
|
|
rdlength := off1 - headerEnd
|
|
if int(uint16(rdlength)) != rdlength { // overflow
|
|
return headerEnd, len(msg), ErrRdata
|
|
}
|
|
|
|
// The RDLENGTH field is the last field in the header and we set it here.
|
|
binary.BigEndian.PutUint16(msg[headerEnd-2:], uint16(rdlength))
|
|
return headerEnd, off1, nil
|
|
}
|
|
|
|
// UnpackRR unpacks msg[off:] into an RR.
|
|
func UnpackRR(msg []byte, off int) (rr RR, off1 int, err error) {
|
|
h, off, msg, err := unpackHeader(msg, off)
|
|
if err != nil {
|
|
return nil, len(msg), err
|
|
}
|
|
|
|
return UnpackRRWithHeader(h, msg, off)
|
|
}
|
|
|
|
// UnpackRRWithHeader unpacks the record type specific payload given an existing
|
|
// RR_Header.
|
|
func UnpackRRWithHeader(h RR_Header, msg []byte, off int) (rr RR, off1 int, err error) {
|
|
if newFn, ok := TypeToRR[h.Rrtype]; ok {
|
|
rr = newFn()
|
|
*rr.Header() = h
|
|
} else {
|
|
rr = &RFC3597{Hdr: h}
|
|
}
|
|
|
|
if noRdata(h) {
|
|
return rr, off, nil
|
|
}
|
|
|
|
end := off + int(h.Rdlength)
|
|
|
|
off, err = rr.unpack(msg, off)
|
|
if err != nil {
|
|
return nil, end, err
|
|
}
|
|
if off != end {
|
|
return &h, end, &Error{err: "bad rdlength"}
|
|
}
|
|
|
|
return rr, off, nil
|
|
}
|
|
|
|
// unpackRRslice unpacks msg[off:] into an []RR.
|
|
// If we cannot unpack the whole array, then it will return nil
|
|
func unpackRRslice(l int, msg []byte, off int) (dst1 []RR, off1 int, err error) {
|
|
var r RR
|
|
// Don't pre-allocate, l may be under attacker control
|
|
var dst []RR
|
|
for i := 0; i < l; i++ {
|
|
off1 := off
|
|
r, off, err = UnpackRR(msg, off)
|
|
if err != nil {
|
|
off = len(msg)
|
|
break
|
|
}
|
|
// If offset does not increase anymore, l is a lie
|
|
if off1 == off {
|
|
l = i
|
|
break
|
|
}
|
|
dst = append(dst, r)
|
|
}
|
|
if err != nil && off == len(msg) {
|
|
dst = nil
|
|
}
|
|
return dst, off, err
|
|
}
|
|
|
|
// Convert a MsgHdr to a string, with dig-like headers:
|
|
//
|
|
//;; opcode: QUERY, status: NOERROR, id: 48404
|
|
//
|
|
//;; flags: qr aa rd ra;
|
|
func (h *MsgHdr) String() string {
|
|
if h == nil {
|
|
return "<nil> MsgHdr"
|
|
}
|
|
|
|
s := ";; opcode: " + OpcodeToString[h.Opcode]
|
|
s += ", status: " + RcodeToString[h.Rcode]
|
|
s += ", id: " + strconv.Itoa(int(h.Id)) + "\n"
|
|
|
|
s += ";; flags:"
|
|
if h.Response {
|
|
s += " qr"
|
|
}
|
|
if h.Authoritative {
|
|
s += " aa"
|
|
}
|
|
if h.Truncated {
|
|
s += " tc"
|
|
}
|
|
if h.RecursionDesired {
|
|
s += " rd"
|
|
}
|
|
if h.RecursionAvailable {
|
|
s += " ra"
|
|
}
|
|
if h.Zero { // Hmm
|
|
s += " z"
|
|
}
|
|
if h.AuthenticatedData {
|
|
s += " ad"
|
|
}
|
|
if h.CheckingDisabled {
|
|
s += " cd"
|
|
}
|
|
|
|
s += ";"
|
|
return s
|
|
}
|
|
|
|
// Pack packs a Msg: it is converted to to wire format.
|
|
// If the dns.Compress is true the message will be in compressed wire format.
|
|
func (dns *Msg) Pack() (msg []byte, err error) {
|
|
return dns.PackBuffer(nil)
|
|
}
|
|
|
|
// PackBuffer packs a Msg, using the given buffer buf. If buf is too small a new buffer is allocated.
|
|
func (dns *Msg) PackBuffer(buf []byte) (msg []byte, err error) {
|
|
// If this message can't be compressed, avoid filling the
|
|
// compression map and creating garbage.
|
|
if dns.Compress && dns.isCompressible() {
|
|
compression := make(map[string]uint16) // Compression pointer mappings.
|
|
return dns.packBufferWithCompressionMap(buf, compressionMap{int: compression}, true)
|
|
}
|
|
|
|
return dns.packBufferWithCompressionMap(buf, compressionMap{}, false)
|
|
}
|
|
|
|
// packBufferWithCompressionMap packs a Msg, using the given buffer buf.
|
|
func (dns *Msg) packBufferWithCompressionMap(buf []byte, compression compressionMap, compress bool) (msg []byte, err error) {
|
|
if dns.Rcode < 0 || dns.Rcode > 0xFFF {
|
|
return nil, ErrRcode
|
|
}
|
|
|
|
// Set extended rcode unconditionally if we have an opt, this will allow
|
|
// reseting the extended rcode bits if they need to.
|
|
if opt := dns.IsEdns0(); opt != nil {
|
|
opt.SetExtendedRcode(uint16(dns.Rcode))
|
|
} else if dns.Rcode > 0xF {
|
|
// If Rcode is an extended one and opt is nil, error out.
|
|
return nil, ErrExtendedRcode
|
|
}
|
|
|
|
// Convert convenient Msg into wire-like Header.
|
|
var dh Header
|
|
dh.Id = dns.Id
|
|
dh.Bits = uint16(dns.Opcode)<<11 | uint16(dns.Rcode&0xF)
|
|
if dns.Response {
|
|
dh.Bits |= _QR
|
|
}
|
|
if dns.Authoritative {
|
|
dh.Bits |= _AA
|
|
}
|
|
if dns.Truncated {
|
|
dh.Bits |= _TC
|
|
}
|
|
if dns.RecursionDesired {
|
|
dh.Bits |= _RD
|
|
}
|
|
if dns.RecursionAvailable {
|
|
dh.Bits |= _RA
|
|
}
|
|
if dns.Zero {
|
|
dh.Bits |= _Z
|
|
}
|
|
if dns.AuthenticatedData {
|
|
dh.Bits |= _AD
|
|
}
|
|
if dns.CheckingDisabled {
|
|
dh.Bits |= _CD
|
|
}
|
|
|
|
dh.Qdcount = uint16(len(dns.Question))
|
|
dh.Ancount = uint16(len(dns.Answer))
|
|
dh.Nscount = uint16(len(dns.Ns))
|
|
dh.Arcount = uint16(len(dns.Extra))
|
|
|
|
// We need the uncompressed length here, because we first pack it and then compress it.
|
|
msg = buf
|
|
uncompressedLen := msgLenWithCompressionMap(dns, nil)
|
|
if packLen := uncompressedLen + 1; len(msg) < packLen {
|
|
msg = make([]byte, packLen)
|
|
}
|
|
|
|
// Pack it in: header and then the pieces.
|
|
off := 0
|
|
off, err = dh.pack(msg, off, compression, compress)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
for _, r := range dns.Question {
|
|
off, err = r.pack(msg, off, compression, compress)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
for _, r := range dns.Answer {
|
|
_, off, err = packRR(r, msg, off, compression, compress)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
for _, r := range dns.Ns {
|
|
_, off, err = packRR(r, msg, off, compression, compress)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
for _, r := range dns.Extra {
|
|
_, off, err = packRR(r, msg, off, compression, compress)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
return msg[:off], nil
|
|
}
|
|
|
|
func (dns *Msg) unpack(dh Header, msg []byte, off int) (err error) {
|
|
// If we are at the end of the message we should return *just* the
|
|
// header. This can still be useful to the caller. 9.9.9.9 sends these
|
|
// when responding with REFUSED for instance.
|
|
if off == len(msg) {
|
|
// reset sections before returning
|
|
dns.Question, dns.Answer, dns.Ns, dns.Extra = nil, nil, nil, nil
|
|
return nil
|
|
}
|
|
|
|
// Qdcount, Ancount, Nscount, Arcount can't be trusted, as they are
|
|
// attacker controlled. This means we can't use them to pre-allocate
|
|
// slices.
|
|
dns.Question = nil
|
|
for i := 0; i < int(dh.Qdcount); i++ {
|
|
off1 := off
|
|
var q Question
|
|
q, off, err = unpackQuestion(msg, off)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if off1 == off { // Offset does not increase anymore, dh.Qdcount is a lie!
|
|
dh.Qdcount = uint16(i)
|
|
break
|
|
}
|
|
dns.Question = append(dns.Question, q)
|
|
}
|
|
|
|
dns.Answer, off, err = unpackRRslice(int(dh.Ancount), msg, off)
|
|
// The header counts might have been wrong so we need to update it
|
|
dh.Ancount = uint16(len(dns.Answer))
|
|
if err == nil {
|
|
dns.Ns, off, err = unpackRRslice(int(dh.Nscount), msg, off)
|
|
}
|
|
// The header counts might have been wrong so we need to update it
|
|
dh.Nscount = uint16(len(dns.Ns))
|
|
if err == nil {
|
|
dns.Extra, off, err = unpackRRslice(int(dh.Arcount), msg, off)
|
|
}
|
|
// The header counts might have been wrong so we need to update it
|
|
dh.Arcount = uint16(len(dns.Extra))
|
|
|
|
// Set extended Rcode
|
|
if opt := dns.IsEdns0(); opt != nil {
|
|
dns.Rcode |= opt.ExtendedRcode()
|
|
}
|
|
|
|
if off != len(msg) {
|
|
// TODO(miek) make this an error?
|
|
// use PackOpt to let people tell how detailed the error reporting should be?
|
|
// println("dns: extra bytes in dns packet", off, "<", len(msg))
|
|
}
|
|
return err
|
|
|
|
}
|
|
|
|
// Unpack unpacks a binary message to a Msg structure.
|
|
func (dns *Msg) Unpack(msg []byte) (err error) {
|
|
dh, off, err := unpackMsgHdr(msg, 0)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
dns.setHdr(dh)
|
|
return dns.unpack(dh, msg, off)
|
|
}
|
|
|
|
// Convert a complete message to a string with dig-like output.
|
|
func (dns *Msg) String() string {
|
|
if dns == nil {
|
|
return "<nil> MsgHdr"
|
|
}
|
|
s := dns.MsgHdr.String() + " "
|
|
s += "QUERY: " + strconv.Itoa(len(dns.Question)) + ", "
|
|
s += "ANSWER: " + strconv.Itoa(len(dns.Answer)) + ", "
|
|
s += "AUTHORITY: " + strconv.Itoa(len(dns.Ns)) + ", "
|
|
s += "ADDITIONAL: " + strconv.Itoa(len(dns.Extra)) + "\n"
|
|
if len(dns.Question) > 0 {
|
|
s += "\n;; QUESTION SECTION:\n"
|
|
for _, r := range dns.Question {
|
|
s += r.String() + "\n"
|
|
}
|
|
}
|
|
if len(dns.Answer) > 0 {
|
|
s += "\n;; ANSWER SECTION:\n"
|
|
for _, r := range dns.Answer {
|
|
if r != nil {
|
|
s += r.String() + "\n"
|
|
}
|
|
}
|
|
}
|
|
if len(dns.Ns) > 0 {
|
|
s += "\n;; AUTHORITY SECTION:\n"
|
|
for _, r := range dns.Ns {
|
|
if r != nil {
|
|
s += r.String() + "\n"
|
|
}
|
|
}
|
|
}
|
|
if len(dns.Extra) > 0 {
|
|
s += "\n;; ADDITIONAL SECTION:\n"
|
|
for _, r := range dns.Extra {
|
|
if r != nil {
|
|
s += r.String() + "\n"
|
|
}
|
|
}
|
|
}
|
|
return s
|
|
}
|
|
|
|
// isCompressible returns whether the msg may be compressible.
|
|
func (dns *Msg) isCompressible() bool {
|
|
// If we only have one question, there is nothing we can ever compress.
|
|
return len(dns.Question) > 1 || len(dns.Answer) > 0 ||
|
|
len(dns.Ns) > 0 || len(dns.Extra) > 0
|
|
}
|
|
|
|
// Len returns the message length when in (un)compressed wire format.
|
|
// If dns.Compress is true compression it is taken into account. Len()
|
|
// is provided to be a faster way to get the size of the resulting packet,
|
|
// than packing it, measuring the size and discarding the buffer.
|
|
func (dns *Msg) Len() int {
|
|
// If this message can't be compressed, avoid filling the
|
|
// compression map and creating garbage.
|
|
if dns.Compress && dns.isCompressible() {
|
|
compression := make(map[string]struct{})
|
|
return msgLenWithCompressionMap(dns, compression)
|
|
}
|
|
|
|
return msgLenWithCompressionMap(dns, nil)
|
|
}
|
|
|
|
func msgLenWithCompressionMap(dns *Msg, compression map[string]struct{}) int {
|
|
l := headerSize
|
|
|
|
for _, r := range dns.Question {
|
|
l += r.len(l, compression)
|
|
}
|
|
for _, r := range dns.Answer {
|
|
if r != nil {
|
|
l += r.len(l, compression)
|
|
}
|
|
}
|
|
for _, r := range dns.Ns {
|
|
if r != nil {
|
|
l += r.len(l, compression)
|
|
}
|
|
}
|
|
for _, r := range dns.Extra {
|
|
if r != nil {
|
|
l += r.len(l, compression)
|
|
}
|
|
}
|
|
|
|
return l
|
|
}
|
|
|
|
func domainNameLen(s string, off int, compression map[string]struct{}, compress bool) int {
|
|
if s == "" || s == "." {
|
|
return 1
|
|
}
|
|
|
|
escaped := strings.Contains(s, "\\")
|
|
|
|
if compression != nil && (compress || off < maxCompressionOffset) {
|
|
// compressionLenSearch will insert the entry into the compression
|
|
// map if it doesn't contain it.
|
|
if l, ok := compressionLenSearch(compression, s, off); ok && compress {
|
|
if escaped {
|
|
return escapedNameLen(s[:l]) + 2
|
|
}
|
|
|
|
return l + 2
|
|
}
|
|
}
|
|
|
|
if escaped {
|
|
return escapedNameLen(s) + 1
|
|
}
|
|
|
|
return len(s) + 1
|
|
}
|
|
|
|
func escapedNameLen(s string) int {
|
|
nameLen := len(s)
|
|
for i := 0; i < len(s); i++ {
|
|
if s[i] != '\\' {
|
|
continue
|
|
}
|
|
|
|
if i+3 < len(s) && isDigit(s[i+1]) && isDigit(s[i+2]) && isDigit(s[i+3]) {
|
|
nameLen -= 3
|
|
i += 3
|
|
} else {
|
|
nameLen--
|
|
i++
|
|
}
|
|
}
|
|
|
|
return nameLen
|
|
}
|
|
|
|
func compressionLenSearch(c map[string]struct{}, s string, msgOff int) (int, bool) {
|
|
for off, end := 0, false; !end; off, end = NextLabel(s, off) {
|
|
if _, ok := c[s[off:]]; ok {
|
|
return off, true
|
|
}
|
|
|
|
if msgOff+off < maxCompressionOffset {
|
|
c[s[off:]] = struct{}{}
|
|
}
|
|
}
|
|
|
|
return 0, false
|
|
}
|
|
|
|
// Copy returns a new RR which is a deep-copy of r.
|
|
func Copy(r RR) RR { return r.copy() }
|
|
|
|
// Len returns the length (in octets) of the uncompressed RR in wire format.
|
|
func Len(r RR) int { return r.len(0, nil) }
|
|
|
|
// Copy returns a new *Msg which is a deep-copy of dns.
|
|
func (dns *Msg) Copy() *Msg { return dns.CopyTo(new(Msg)) }
|
|
|
|
// CopyTo copies the contents to the provided message using a deep-copy and returns the copy.
|
|
func (dns *Msg) CopyTo(r1 *Msg) *Msg {
|
|
r1.MsgHdr = dns.MsgHdr
|
|
r1.Compress = dns.Compress
|
|
|
|
if len(dns.Question) > 0 {
|
|
r1.Question = make([]Question, len(dns.Question))
|
|
copy(r1.Question, dns.Question) // TODO(miek): Question is an immutable value, ok to do a shallow-copy
|
|
}
|
|
|
|
rrArr := make([]RR, len(dns.Answer)+len(dns.Ns)+len(dns.Extra))
|
|
r1.Answer, rrArr = rrArr[:0:len(dns.Answer)], rrArr[len(dns.Answer):]
|
|
r1.Ns, rrArr = rrArr[:0:len(dns.Ns)], rrArr[len(dns.Ns):]
|
|
r1.Extra = rrArr[:0:len(dns.Extra)]
|
|
|
|
for _, r := range dns.Answer {
|
|
r1.Answer = append(r1.Answer, r.copy())
|
|
}
|
|
|
|
for _, r := range dns.Ns {
|
|
r1.Ns = append(r1.Ns, r.copy())
|
|
}
|
|
|
|
for _, r := range dns.Extra {
|
|
r1.Extra = append(r1.Extra, r.copy())
|
|
}
|
|
|
|
return r1
|
|
}
|
|
|
|
func (q *Question) pack(msg []byte, off int, compression compressionMap, compress bool) (int, error) {
|
|
off, err := packDomainName(q.Name, msg, off, compression, compress)
|
|
if err != nil {
|
|
return off, err
|
|
}
|
|
off, err = packUint16(q.Qtype, msg, off)
|
|
if err != nil {
|
|
return off, err
|
|
}
|
|
off, err = packUint16(q.Qclass, msg, off)
|
|
if err != nil {
|
|
return off, err
|
|
}
|
|
return off, nil
|
|
}
|
|
|
|
func unpackQuestion(msg []byte, off int) (Question, int, error) {
|
|
var (
|
|
q Question
|
|
err error
|
|
)
|
|
q.Name, off, err = UnpackDomainName(msg, off)
|
|
if err != nil {
|
|
return q, off, err
|
|
}
|
|
if off == len(msg) {
|
|
return q, off, nil
|
|
}
|
|
q.Qtype, off, err = unpackUint16(msg, off)
|
|
if err != nil {
|
|
return q, off, err
|
|
}
|
|
if off == len(msg) {
|
|
return q, off, nil
|
|
}
|
|
q.Qclass, off, err = unpackUint16(msg, off)
|
|
if off == len(msg) {
|
|
return q, off, nil
|
|
}
|
|
return q, off, err
|
|
}
|
|
|
|
func (dh *Header) pack(msg []byte, off int, compression compressionMap, compress bool) (int, error) {
|
|
off, err := packUint16(dh.Id, msg, off)
|
|
if err != nil {
|
|
return off, err
|
|
}
|
|
off, err = packUint16(dh.Bits, msg, off)
|
|
if err != nil {
|
|
return off, err
|
|
}
|
|
off, err = packUint16(dh.Qdcount, msg, off)
|
|
if err != nil {
|
|
return off, err
|
|
}
|
|
off, err = packUint16(dh.Ancount, msg, off)
|
|
if err != nil {
|
|
return off, err
|
|
}
|
|
off, err = packUint16(dh.Nscount, msg, off)
|
|
if err != nil {
|
|
return off, err
|
|
}
|
|
off, err = packUint16(dh.Arcount, msg, off)
|
|
if err != nil {
|
|
return off, err
|
|
}
|
|
return off, nil
|
|
}
|
|
|
|
func unpackMsgHdr(msg []byte, off int) (Header, int, error) {
|
|
var (
|
|
dh Header
|
|
err error
|
|
)
|
|
dh.Id, off, err = unpackUint16(msg, off)
|
|
if err != nil {
|
|
return dh, off, err
|
|
}
|
|
dh.Bits, off, err = unpackUint16(msg, off)
|
|
if err != nil {
|
|
return dh, off, err
|
|
}
|
|
dh.Qdcount, off, err = unpackUint16(msg, off)
|
|
if err != nil {
|
|
return dh, off, err
|
|
}
|
|
dh.Ancount, off, err = unpackUint16(msg, off)
|
|
if err != nil {
|
|
return dh, off, err
|
|
}
|
|
dh.Nscount, off, err = unpackUint16(msg, off)
|
|
if err != nil {
|
|
return dh, off, err
|
|
}
|
|
dh.Arcount, off, err = unpackUint16(msg, off)
|
|
if err != nil {
|
|
return dh, off, err
|
|
}
|
|
return dh, off, nil
|
|
}
|
|
|
|
// setHdr set the header in the dns using the binary data in dh.
|
|
func (dns *Msg) setHdr(dh Header) {
|
|
dns.Id = dh.Id
|
|
dns.Response = dh.Bits&_QR != 0
|
|
dns.Opcode = int(dh.Bits>>11) & 0xF
|
|
dns.Authoritative = dh.Bits&_AA != 0
|
|
dns.Truncated = dh.Bits&_TC != 0
|
|
dns.RecursionDesired = dh.Bits&_RD != 0
|
|
dns.RecursionAvailable = dh.Bits&_RA != 0
|
|
dns.Zero = dh.Bits&_Z != 0 // _Z covers the zero bit, which should be zero; not sure why we set it to the opposite.
|
|
dns.AuthenticatedData = dh.Bits&_AD != 0
|
|
dns.CheckingDisabled = dh.Bits&_CD != 0
|
|
dns.Rcode = int(dh.Bits & 0xF)
|
|
}
|