Diff:
a3b48f1e1bd52fb84ce30ab79cb2911bfd0dfe2f
63fcbadbaf50917680bf9173bf3c589936c93c30
Commit:
63fcbadbaf50917680bf9173bf3c589936c93c30
Tree:
8465b348333f5b40985dd3322eda466ee451b33f
Author:
pjp <pjp@delphinusdns.org>
Committer:
pjp <pjp@delphinusdns.org>
Date:
Sun Feb 24 14:53:02 2019 UTC
Message:
Add tsig variables in their own struct tsig. When we filter 0.0.0.0/0 nothing gets through; with tsig on 0.0.0.0/0 only tsig will get through; and without filter and tsig on 0.0.0.0/0 both regular and tsig'ed queries will get through. It was a little complicated getting this right, but here we are.
blob - 6224e9f470aebb15d50c12d78d12dced8b45b62b
blob + 5c04605229730524124f8e001c8b6f560e202889
--- additional.c
+++ additional.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: additional.c,v 1.21 2019/02/24 07:14:02 pjp Exp $
+ * $Id: additional.c,v 1.22 2019/02/24 14:53:02 pjp Exp $
*/
#include "ddd-include.h"
@@ -376,7 +376,7 @@ additional_tsig(struct question *question, char *reply
}
if (request == 0) {
- if (question->tsigerrorcode && question->tsigerrorcode != DNS_BADTIME) {
+ if (question->tsig.tsigerrorcode && question->tsig.tsigerrorcode != DNS_BADTIME) {
ppoffset = 0;
sval = (u_int16_t *)&pseudo_packet[ppoffset];
*sval = htons(0);
@@ -385,11 +385,11 @@ additional_tsig(struct question *question, char *reply
/* RFC 2845 section 3.4.3 */
ppoffset = 0;
sval = (u_int16_t *)&pseudo_packet[ppoffset];
- *sval = htons(question->tsigmaclen);
+ *sval = htons(question->tsig.tsigmaclen);
ppoffset += 2;
- memcpy(&pseudo_packet[ppoffset], question->tsigmac, question->tsigmaclen);
- ppoffset += question->tsigmaclen;
+ memcpy(&pseudo_packet[ppoffset], question->tsig.tsigmac, question->tsig.tsigmaclen);
+ ppoffset += question->tsig.tsigmaclen;
}
}
@@ -397,25 +397,25 @@ additional_tsig(struct question *question, char *reply
memcpy(&pseudo_packet[ppoffset], &reply[0], offset);
ppoffset += offset;
- if ((tsignamelen = find_tsig_key(question->tsigkey,
- question->tsigkeylen, (char *)&tsigkey, sizeof(tsigkey))) < 0) {
+ if ((tsignamelen = find_tsig_key(question->tsig.tsigkey,
+ question->tsig.tsigkeylen, (char *)&tsigkey, sizeof(tsigkey))) < 0) {
/* do nothing here? */
memset(tsigkey, 0, sizeof(tsigkey));
tsignamelen = 0;
}
- if ((offset + 2 + 8 + 2 + question->tsigmaclen +
- question->tsigkeylen +
- question->tsigalglen + 2 + 2 + 4) > replylen) {
+ if ((offset + 2 + 8 + 2 + question->tsig.tsigmaclen +
+ question->tsig.tsigkeylen +
+ question->tsig.tsigalglen + 2 + 2 + 4) > replylen) {
goto out;
}
/* keyname */
- memcpy(&reply[offset], question->tsigkey, question->tsigkeylen);
- offset += question->tsigkeylen;
+ memcpy(&reply[offset], question->tsig.tsigkey, question->tsig.tsigkeylen);
+ offset += question->tsig.tsigkeylen;
- memcpy(&pseudo_packet[ppoffset], question->tsigkey, question->tsigkeylen);
- ppoffset += question->tsigkeylen;
+ memcpy(&pseudo_packet[ppoffset], question->tsig.tsigkey, question->tsig.tsigkeylen);
+ ppoffset += question->tsig.tsigkeylen;
/* type TSIG */
sval = (u_int16_t *)&reply[offset];
@@ -442,31 +442,31 @@ additional_tsig(struct question *question, char *reply
/* rdlen */
sval = (u_int16_t *)&reply[offset];
- *sval = htons(2 + 8 + question->tsigalglen + question->tsigmaclen + 2 + 2 + 2);
+ *sval = htons(2 + 8 + question->tsig.tsigalglen + question->tsig.tsigmaclen + 2 + 2 + 2);
offset += 2;
- memcpy(&reply[offset], question->tsigalg, question->tsigalglen);
- offset += question->tsigalglen;
+ memcpy(&reply[offset], question->tsig.tsigalg, question->tsig.tsigalglen);
+ offset += question->tsig.tsigalglen;
- memcpy(&pseudo_packet[ppoffset], question->tsigalg, question->tsigalglen);
- ppoffset += question->tsigalglen;
+ memcpy(&pseudo_packet[ppoffset], question->tsig.tsigalg, question->tsig.tsigalglen);
+ ppoffset += question->tsig.tsigalglen;
now = time(NULL);
answer = (struct dns_tsigrr *)&reply[offset];
answer->timefudge = htobe64((u_int64_t)(now << 16) | (300 & 0xffff));
- answer->macsize = htons(question->tsigmaclen);
+ answer->macsize = htons(question->tsig.tsigmaclen);
offset += (8 + 2);
/* skip mac */
- offset += question->tsigmaclen;
+ offset += question->tsig.tsigmaclen;
sval = (u_int16_t *)&reply[offset];
*sval = odh->id;
offset += 2;
sval = (u_int16_t *)&reply[offset];
- *sval = htons(question->tsigerrorcode);
+ *sval = htons(question->tsig.tsigerrorcode);
offset += 2;
sval = (u_int16_t *)&reply[offset];
@@ -480,7 +480,7 @@ additional_tsig(struct question *question, char *reply
/* error */
sval = (u_int16_t *)&pseudo_packet[ppoffset];
- *sval = htons(question->tsigerrorcode);
+ *sval = htons(question->tsig.tsigerrorcode);
ppoffset += 2;
/* other len */
@@ -489,12 +489,12 @@ additional_tsig(struct question *question, char *reply
ppoffset += 2;
- if (question->tsigerrorcode == DNS_BADTIME) {
+ if (question->tsig.tsigerrorcode == DNS_BADTIME) {
HMAC(EVP_sha256(), tsigkey, tsignamelen,
(unsigned char *)pseudo_packet, ppoffset,
(unsigned char *)&answer->mac[0], (u_int *)&macsize);
- } else if (question->tsigerrorcode) {
- memset(&answer->mac[0], 0, question->tsigmaclen);
+ } else if (question->tsig.tsigerrorcode) {
+ memset(&answer->mac[0], 0, question->tsig.tsigmaclen);
} else {
HMAC(EVP_sha256(), tsigkey, tsignamelen,
(unsigned char *)pseudo_packet, ppoffset,
blob - 0e5f4d5f203a57c066071bb02e6bae81bc7a8993
blob + 6d755e5049cf31c7e97a1194b24638b661d1bad3
--- ddd-dns.h
+++ ddd-dns.h
@@ -27,7 +27,7 @@
*/
/*
- * $Id: ddd-dns.h,v 1.7 2019/02/24 07:14:02 pjp Exp $
+ * $Id: ddd-dns.h,v 1.8 2019/02/24 14:53:02 pjp Exp $
*/
#ifndef _DNS_H
@@ -236,14 +236,8 @@ struct dns_question_hdr {
#define DNS_TLSA_SIZE_SHA256 32 /* RFC 6698 */
#define DNS_TLSA_SIZE_SHA512 64 /* RFC 6698 */
-struct question {
- struct dns_question_hdr *hdr;
- char *converted_name;
- u_int16_t edns0len;
- u_int8_t ednsversion;
- int rd;
- int dnssecok;
- int badvers;
+struct tsig {
+ int have_tsig;
int tsigverified;
int tsigerrorcode;
char tsigalg[DNS_MAXNAME];
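Review bot: The new `have_tsig` member carries no comment, yet it is what the UDP and TCP loops now key their REFUSED/NOTAUTH decisions on, so its meaning belongs here rather than in the callers. Suggest `int have_tsig; /* 1 once a TSIG RR was parsed from the additional section, 0 otherwise */`. It would also help to note next to `tsigerrorcode` that build_question initialises it to 1, a value that is not one of the DNS_BAD* codes, so readers do not mistake it for a wire error code. The struct continues past the end of the hunk.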
@@ -256,6 +250,17 @@ struct question {
u_int16_t tsigorigid;
};
+struct question {
+ struct dns_question_hdr *hdr;
+ char *converted_name;
+ u_int16_t edns0len;
+ u_int8_t ednsversion;
+ int rd;
+ int dnssecok;
+ int badvers;
+ struct tsig tsig;
+};
+
struct parsequestion {
char name[DNS_MAXNAME];
u_int namelen;
@@ -267,17 +272,7 @@ struct parsequestion {
int rd;
int dnssecok;
int badvers;
- int tsigverified;
- int tsigerrorcode; /* see above ie. DNS_BADTIME */
- char tsigalg[DNS_MAXNAME];
- int tsigalglen;
- char tsigkey[DNS_MAXNAME];
- int tsigkeylen;
- char tsigmac[32];
- int tsigmaclen;
- u_int64_t tsig_timefudge;
- u_int16_t tsigorigid;
-
+ struct tsig tsig;
int rc; /* return code */
#define PARSE_RETURN_ACK 0
#define PARSE_RETURN_NAK 1
blob - ecfea5d4f1dfec1b836e8fe2f5f1c38a31fc4520
blob + 2211883c3d2647961f6f97c149cfe1b98785a62c
--- delphinusdnsd.c
+++ delphinusdnsd.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: delphinusdnsd.c,v 1.57 2019/02/24 11:11:19 pjp Exp $
+ * $Id: delphinusdnsd.c,v 1.58 2019/02/24 14:53:02 pjp Exp $
*/
#include "ddd-include.h"
@@ -93,7 +93,7 @@ extern char *rrlimit_setup(int);
extern char *dns_label(char *, int *);
extern void slave_shutdown(void);
extern int get_record_size(ddDB *, char *, int);
-extern struct question *build_question(char *, int, int, int);
+extern struct question *build_question(char *, int, int);
extern int free_question(struct question *);
extern struct rbtree * create_rr(ddDB *db, char *name, int len, int type, void *rdata);
extern struct rbtree * find_rrset(ddDB *db, char *name, int len);
@@ -1611,6 +1611,7 @@ axfrentry:
}
aregion = find_region((struct sockaddr_storage *)sin6, AF_INET6);
+ filter = 0;
filter = find_filter((struct sockaddr_storage *)sin6, AF_INET6);
if (whitelist) {
blacklist = find_whitelist((struct sockaddr_storage *)sin6, AF_INET6);
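Review bot: The added `filter = 0;` is overwritten by `find_filter()` on the very next line, so it has no effect; the same pair is added in the AF_INET hunk directly below (the one ending in `find_whitelist(... AF_INET)`). If the intent was to guarantee `filter` holds a defined value on paths that reach the NOTAUTH handling without going through this lookup, the reset belongs at the top of the per-packet loop, not immediately in front of the assignment. Otherwise both added lines should be dropped. The enclosing loop body starts and ends outside the hunk.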
@@ -1634,6 +1635,7 @@ axfrentry:
}
aregion = find_region((struct sockaddr_storage *)sin, AF_INET);
+ filter = 0;
filter = find_filter((struct sockaddr_storage *)sin, AF_INET);
if (whitelist) {
blacklist = find_whitelist((struct sockaddr_storage *)sin, AF_INET);
@@ -1679,10 +1681,7 @@ axfrentry:
}
/* pjp - branch to pledge parser here */
- if (require_tsig)
- imsg_type = IMSG_PARSEAUTH_MESSAGE;
- else
- imsg_type = IMSG_PARSE_MESSAGE;
+ imsg_type = IMSG_PARSE_MESSAGE;
if (imsg_compose(pibuf, imsg_type,
0, 0, -1, buf, len) < 0) {
@@ -1760,7 +1759,7 @@ axfrentry:
goto drop;
case PARSE_RETURN_NOTAUTH:
/* we didn't see a tsig header */
- if (pq.tsigerrorcode == 1) {
+ if (filter && pq.tsig.have_tsig == 0) {
build_reply(&sreply, so, buf, len, NULL, from, fromlen, NULL, NULL, aregion, istcp, 0, NULL, replybuf);
slen = reply_refused(&sreply, NULL);
dolog(LOG_INFO, "UDP connection refused on descriptor %u interface \"%s\" from %s (ttl=%d, region=%d) replying REFUSED, not a tsig\n", so, cfg->ident[i], address, received_ttl, aregion);
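Review bot: `PARSE_RETURN_NOTAUTH` is now also returned for every query that carries no TSIG at all (parseloop sets it whenever `pq.tsig.have_tsig == 0`), so the `filter &&` test here is the only thing standing between a plain query and a REFUSED reply, and the code after this `if` (outside the hunk) has to fall through to normal processing for the unfiltered case. That contract is not stated anywhere; a comment above the check such as `/* NOTAUTH also means "no TSIG present"; refuse it only when a filter applies */` would make the three configurations from the commit message readable from the code. The same applies to the TCP counterpart (`case PARSE_RETURN_NOTAUTH:` in tcploop).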
@@ -1790,8 +1789,8 @@ axfrentry:
/* goto drop beyond this point should goto out instead */
- if (require_tsig && question->tsigerrorcode != 0) {
- dolog(LOG_INFO, "on descriptor %u interface \"%s\" not authenticated dns packet (code = %d) from %s, replying notauth\n", so, cfg->ident[i], question->tsigerrorcode, address);
+ if (question->tsig.have_tsig && question->tsig.tsigerrorcode != 0) {
+ dolog(LOG_INFO, "on descriptor %u interface \"%s\" not authenticated dns packet (code = %d) from %s, replying notauth\n", so, cfg->ident[i], question->tsig.tsigerrorcode, address);
snprintf(replystring, DNS_MAXNAME, "NOTAUTH");
build_reply(&sreply, so, buf, len, question, from, fromlen, NULL, NULL, aregion, istcp, 0, NULL, replybuf);
reply_notauth(&sreply, NULL);
@@ -2007,7 +2006,7 @@ axfrentry:
udpout:
if (lflag) {
- dolog(LOG_INFO, "request on descriptor %u interface \"%s\" from %s (ttl=%u, region=%d) for \"%s\" type=%s class=%u, %s%s%sanswering \"%s\" (%d/%d)\n", so, cfg->ident[i], address, received_ttl, aregion, question->converted_name, get_dns_type(ntohs(question->hdr->qtype), 1), ntohs(question->hdr->qclass), (question->edns0len ? "edns0, " : ""), (question->dnssecok ? "dnssecok, " : ""), (question->tsigverified ? "tsig, " : "") , replystring, len, slen);
+ dolog(LOG_INFO, "request on descriptor %u interface \"%s\" from %s (ttl=%u, region=%d) for \"%s\" type=%s class=%u, %s%s%sanswering \"%s\" (%d/%d)\n", so, cfg->ident[i], address, received_ttl, aregion, question->converted_name, get_dns_type(ntohs(question->hdr->qtype), 1), ntohs(question->hdr->qclass), (question->edns0len ? "edns0, " : ""), (question->dnssecok ? "dnssecok, " : ""), (question->tsig.tsigverified ? "tsig, " : "") , replystring, len, slen);
}
@@ -2533,9 +2532,11 @@ tcploop(struct cfg *cfg, struct imsgbuf **ibuf)
}
/* pjp send to parseloop */
+#if 0
if (require_tsig)
imsg_type = IMSG_PARSEAUTH_MESSAGE;
else
+#endif
imsg_type = IMSG_PARSE_MESSAGE;
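Review bot: The `require_tsig` branch is parked under `#if 0` here, while the equivalent UDP-side branch (the `axfrentry` hunk that now reads only `imsg_type = IMSG_PARSE_MESSAGE;`) was deleted outright; the two paths should be treated the same way. Since the `IMSG_PARSEAUTH_MESSAGE` case no longer exists in parseloop there is nothing to re-enable, so deleting the four `#if 0` lines and keeping just `imsg_type = IMSG_PARSE_MESSAGE;` is the cleaner form. tcploop continues outside the hunk.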
@@ -2613,7 +2614,7 @@ tcploop(struct cfg *cfg, struct imsgbuf **ibuf)
imsg_free(&imsg);
goto drop;
case PARSE_RETURN_NOTAUTH:
- if (pq.tsigerrorcode == 1) {
+ if (filter && pq.tsig.have_tsig == 0) {
build_reply(&sreply, so, buf, len, NULL, from, fromlen, NULL, NULL, aregion, istcp, 0, NULL, replybuf);
slen = reply_refused(&sreply, NULL);
dolog(LOG_INFO, "TCP connection refused on descriptor %u interface \"%s\" from %s (ttl=TCP, region=%d) replying REFUSED, not a tsig\n", so, cfg->ident[i], address, aregion);
@@ -2641,8 +2642,8 @@ tcploop(struct cfg *cfg, struct imsgbuf **ibuf)
/* goto drop beyond this point should goto out instead */
fakequestion = NULL;
- if (require_tsig && question->tsigerrorcode != 0) {
- dolog(LOG_INFO, "on TCP descriptor %u interface \"%s\" not authenticated dns packet (code = %d) from %s, replying notauth\n", so, cfg->ident[i], question->tsigerrorcode, address);
+ if (question->tsig.have_tsig && question->tsig.tsigerrorcode != 0) {
+ dolog(LOG_INFO, "on TCP descriptor %u interface \"%s\" not authenticated dns packet (code = %d) from %s, replying notauth\n", so, cfg->ident[i], question->tsig.tsigerrorcode, address);
snprintf(replystring, DNS_MAXNAME, "NOTAUTH");
build_reply(&sreply, so, buf, len, question, from, fromlen, NULL, NULL, aregion, istcp, 0, NULL, replybuf);
reply_notauth(&sreply, NULL);
@@ -2879,7 +2880,7 @@ tcploop(struct cfg *cfg, struct imsgbuf **ibuf)
tcpout:
if (lflag)
- dolog(LOG_INFO, "request on descriptor %u interface \"%s\" from %s (ttl=TCP, region=%d) for \"%s\" type=%s class=%u, %s%s%s answering \"%s\" (%d/%d)\n", so, cfg->ident[i], address, aregion, question->converted_name, get_dns_type(ntohs(question->hdr->qtype), 1), ntohs(question->hdr->qclass), (question->edns0len) ? "edns0, " : "", (question->dnssecok) ? "dnssecok, " : "", (question->tsigverified ? "tsig, " : ""), replystring, len, slen);
+ dolog(LOG_INFO, "request on descriptor %u interface \"%s\" from %s (ttl=TCP, region=%d) for \"%s\" type=%s class=%u, %s%s%s answering \"%s\" (%d/%d)\n", so, cfg->ident[i], address, aregion, question->converted_name, get_dns_type(ntohs(question->hdr->qtype), 1), ntohs(question->hdr->qclass), (question->edns0len) ? "edns0, " : "", (question->dnssecok) ? "dnssecok, " : "", (question->tsig.tsigverified ? "tsig, " : ""), replystring, len, slen);
if (fakequestion != NULL) {
@@ -2980,9 +2981,6 @@ parseloop(struct cfg *cfg, struct imsgbuf **ibuf)
require_tsig = 0;
switch (imsg.hdr.type) {
- case IMSG_PARSEAUTH_MESSAGE:
- require_tsig = 1;
- /* FALLTHROUGH */
case IMSG_PARSE_MESSAGE:
memset(&pq, 0, sizeof(struct parsequestion));
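Review bot: `require_tsig = 0;` on the context line above the switch has lost its only writer to 1 (the removed `IMSG_PARSEAUTH_MESSAGE` case) and its only reader (the build_question argument removed in the next hunk), so within this function it is now dead. If `require_tsig` is instead a file-scope flag that other code still consults, parseloop unconditionally clearing it on every message is a latent bug rather than mere clutter; either way the line should be removed or its remaining purpose commented. parseloop's body continues outside the hunk.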
@@ -3026,7 +3024,7 @@ parseloop(struct cfg *cfg, struct imsgbuf **ibuf)
break;
}
- if ((question = build_question(packet, datalen, ntohs(dh->additional), require_tsig)) == NULL) {
+ if ((question = build_question(packet, datalen, ntohs(dh->additional))) == NULL) {
/* XXX reply nak here */
pq.rc = PARSE_RETURN_MALFORMED;
imsg_compose(mybuf, IMSG_PARSEREPLY_MESSAGE, 0, 0, -1, &pq, sizeof(struct parsequestion));
@@ -3045,18 +3043,19 @@ parseloop(struct cfg *cfg, struct imsgbuf **ibuf)
pq.dnssecok = question->dnssecok;
pq.badvers = question->badvers;
pq.rc = PARSE_RETURN_ACK;
- pq.tsigverified = question->tsigverified;
- pq.tsigerrorcode = question->tsigerrorcode;
- if (pq.tsigerrorcode)
+ pq.tsig.have_tsig = question->tsig.have_tsig;
+ pq.tsig.tsigverified = question->tsig.tsigverified;
+ pq.tsig.tsigerrorcode = question->tsig.tsigerrorcode;
+ if (pq.tsig.have_tsig == 0 || pq.tsig.tsigerrorcode)
pq.rc = PARSE_RETURN_NOTAUTH;
- memcpy(&pq.tsigmac, question->tsigmac, sizeof(pq.tsigmac));
- pq.tsigmaclen = question->tsigmaclen;
- memcpy(&pq.tsigkey, question->tsigkey, sizeof(pq.tsigkey));
- pq.tsigkeylen = question->tsigkeylen;
- memcpy(&pq.tsigalg, question->tsigalg, sizeof(pq.tsigalg));
- pq.tsigalglen = question->tsigalglen;
- pq.tsig_timefudge = question->tsig_timefudge;
- pq.tsigorigid = question->tsigorigid;
+ memcpy(&pq.tsig.tsigmac, question->tsig.tsigmac, sizeof(pq.tsig.tsigmac));
+ pq.tsig.tsigmaclen = question->tsig.tsigmaclen;
+ memcpy(&pq.tsig.tsigkey, question->tsig.tsigkey, sizeof(pq.tsig.tsigkey));
+ pq.tsig.tsigkeylen = question->tsig.tsigkeylen;
+ memcpy(&pq.tsig.tsigalg, question->tsig.tsigalg, sizeof(pq.tsig.tsigalg));
+ pq.tsig.tsigalglen = question->tsig.tsigalglen;
+ pq.tsig.tsig_timefudge = question->tsig.tsig_timefudge;
+ pq.tsig.tsigorigid = question->tsig.tsigorigid;
imsg_compose(mybuf, IMSG_PARSEREPLY_MESSAGE, 0, 0, -1, (char *)&pq, sizeof(struct parsequestion));
msgbuf_write(&mybuf->w);
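Review bot: The nine field-by-field copies into `pq.tsig` can be a single struct assignment, `pq.tsig = question->tsig;`, now that both sides are a `struct tsig`; the mirror block in convert_question below can likewise become `q->tsig = pq->tsig;`. Struct assignment cannot silently skip a member the next time `struct tsig` grows, which is exactly the hand maintenance that adding `have_tsig` required here. `pq` is already zeroed by the memset at the top of the case, so the bytes sent over imsg stay deterministic either way.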
@@ -3124,19 +3123,20 @@ convert_question(struct parsequestion *pq)
q->rd = pq->rd;
q->dnssecok = pq->dnssecok;
q->badvers = pq->badvers;
- q->tsigverified = pq->tsigverified;
- q->tsigerrorcode = pq->tsigerrorcode;
+ q->tsig.have_tsig = pq->tsig.have_tsig;
+ q->tsig.tsigverified = pq->tsig.tsigverified;
+ q->tsig.tsigerrorcode = pq->tsig.tsigerrorcode;
- memcpy(&q->tsigmac, pq->tsigmac, sizeof(q->tsigmac));
- memcpy(&q->tsigalg, pq->tsigalg, sizeof(q->tsigalg));
- memcpy(&q->tsigkey, pq->tsigkey, sizeof(q->tsigkey));
+ memcpy(&q->tsig.tsigmac, pq->tsig.tsigmac, sizeof(q->tsig.tsigmac));
+ memcpy(&q->tsig.tsigalg, pq->tsig.tsigalg, sizeof(q->tsig.tsigalg));
+ memcpy(&q->tsig.tsigkey, pq->tsig.tsigkey, sizeof(q->tsig.tsigkey));
- q->tsigmaclen = pq->tsigmaclen;
- q->tsigalglen = pq->tsigalglen;
- q->tsigkeylen = pq->tsigkeylen;
+ q->tsig.tsigmaclen = pq->tsig.tsigmaclen;
+ q->tsig.tsigalglen = pq->tsig.tsigalglen;
+ q->tsig.tsigkeylen = pq->tsig.tsigkeylen;
- q->tsig_timefudge = pq->tsig_timefudge;
- q->tsigorigid = pq->tsigorigid;
+ q->tsig.tsig_timefudge = pq->tsig.tsig_timefudge;
+ q->tsig.tsigorigid = pq->tsig.tsigorigid;
return (q);
}
blob - f1caf0468ba33011299d96438634d2af8f7a970f
blob + 0858dd6a045ff33677b9d54026ce8b97c11e756d
--- reply.c
+++ reply.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: reply.c,v 1.70 2019/02/24 08:01:23 pjp Exp $
+ * $Id: reply.c,v 1.71 2019/02/24 14:53:02 pjp Exp $
*/
#include "ddd-include.h"
@@ -263,7 +263,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -473,7 +473,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -698,7 +698,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -893,7 +893,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -1086,7 +1086,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -1297,7 +1297,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -1449,7 +1449,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -1621,7 +1621,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -1817,7 +1817,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -2016,7 +2016,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -2332,7 +2332,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -2521,7 +2521,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -2780,7 +2780,7 @@ out:
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -2952,7 +2952,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -3273,7 +3273,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -3461,7 +3461,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -3684,7 +3684,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -3878,7 +3878,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -4353,7 +4353,7 @@ out:
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -4422,7 +4422,11 @@ reply_refused(struct sreply *sreply, ddDB *db)
return (retlen);
}
- memcpy((char *)&odh->id, buf, sizeof(u_int16_t));
+ if (istcp)
+ memcpy((char *)&odh->id, &buf[2], sizeof(u_int16_t));
+ else
+ memcpy((char *)&odh->id, buf, sizeof(u_int16_t));
+
memset((char *)&odh->query, 0, sizeof(u_int16_t));
SET_DNS_REPLY(odh);
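Review bot: The new TCP branch reads the query id from `buf[2..3]`, but nothing in the hunk shows that `buf` is known to hold at least four bytes when `istcp` is set; the early `return (retlen)` just above suggests a length check exists, and it should be confirmed that it accounts for the two-byte TCP length prefix rather than only the UDP header size. A comment on the branch, `/* TCP: skip the 2-byte length prefix in front of the DNS header */`, would also explain the offset to the next reader. reply_refused's body starts and ends outside the hunk.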
@@ -4914,7 +4918,7 @@ out:
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
@@ -5055,7 +5059,7 @@ reply_any(struct sreply *sreply, ddDB *db)
outlen = additional_opt(q, reply, replysize, outlen);
}
- if (q->tsigverified == 1) {
+ if (q->tsig.tsigverified == 1) {
outlen = additional_tsig(q, reply, replysize, outlen, 0);
NTOHS(odh->additional);
blob - 45b405c99dbeaae215c03c0030dcc9cc7b97d86a
blob + 8e477db73ec92ddd198934c66107dea0f50925a7
--- util.c
+++ util.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: util.c,v 1.24 2019/02/24 10:27:15 pjp Exp $
+ * $Id: util.c,v 1.25 2019/02/24 14:53:03 pjp Exp $
*/
#include "ddd-include.h"
@@ -51,7 +51,7 @@ struct question *build_fake_question(char *, int, u_i
char *get_dns_type(int, int);
int memcasecmp(u_char *, u_char *, int);
-struct question *build_question(char *, int, int, int);
+struct question *build_question(char *, int, int);
int free_question(struct question *);
struct rrtab *rrlookup(char *);
char * expand_compression(u_char *, u_char *, u_char *, u_char *, int *, int);
@@ -625,7 +625,7 @@ memcasecmp(u_char *b1, u_char *b2, int len)
*/
struct question *
-build_question(char *buf, int len, int additional, int require_tsig)
+build_question(char *buf, int len, int additional)
{
char pseudo_packet[4096]; /* for tsig */
u_int rollback, i;
@@ -834,20 +834,19 @@ build_question(char *buf, int len, int additional, int
int pseudolen1, pseudolen2, ppoffset = 0;
int pseudolen3 , pseudolen4;
+ q->tsig.have_tsig = 0;
+ q->tsig.tsigerrorcode = 1;
+
/* if we don't have an additional section, break */
if (additional < 1) {
break;
}
- if (require_tsig == 0) {
- break;
- }
+ memset(q->tsig.tsigkey, 0, sizeof(q->tsig.tsigkey));
+ memset(q->tsig.tsigalg, 0, sizeof(q->tsig.tsigalg));
+ memset(q->tsig.tsigmac, 0, sizeof(q->tsig.tsigmac));
+ q->tsig.tsigkeylen = q->tsig.tsigalglen = q->tsig.tsigmaclen = 0;
- memset(q->tsigkey, 0, sizeof(q->tsigkey));
- memset(q->tsigalg, 0, sizeof(q->tsigalg));
- memset(q->tsigmac, 0, sizeof(q->tsigmac));
- q->tsigkeylen = q->tsigalglen = q->tsigmaclen = 0;
-
/* the key name is parsed here */
rollback = i;
elen = 0;
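Review bot: `q->tsig.tsigerrorcode = 1;` promotes the old `/* 1 for now */` placeholder to the initial state, and it can reach the wire: the `tsig == 0` path in the next hunk breaks with `have_tsig` set and the code still 1, parseloop then reports NOTAUTH, and if reply_notauth goes through additional_tsig the value is emitted as `htons(question->tsig.tsigerrorcode)` in the TSIG error field. 1 is not one of the DNS_BAD* codes, so either give it a named constant with a comment, e.g. `q->tsig.tsigerrorcode = 1; /* placeholder: no verification done; not a valid TSIG error value */`, or have the no-keys path pick a defined code. `tsigverified` is not reset alongside the two new initialisations; that is only safe if `q` is zero-allocated, which is not visible here. build_question's body continues outside the hunk.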
@@ -860,8 +859,8 @@ build_question(char *buf, int len, int additional, int
i = (pb - buf);
pseudolen1 = i;
- memcpy(q->tsigkey, expand, elen);
- q->tsigkeylen = elen;
+ memcpy(q->tsig.tsigkey, expand, elen);
+ q->tsig.tsigkeylen = elen;
if (i + 10 > len) { /* type + class + ttl + rdlen == 10 */
@@ -878,18 +877,16 @@ build_question(char *buf, int len, int additional, int
i += 2;
pseudolen2 = i;
+ q->tsig.have_tsig = 1;
+
/* we don't have any tsig keys configured, no auth done */
if (tsig == 0) {
i = rollback;
break;
}
- q->tsigerrorcode = DNS_BADKEY;
+ q->tsig.tsigerrorcode = DNS_BADKEY;
- if (require_tsig)
- require_tsig = 0;
-
-
/* class */
val16 = (u_int16_t *)&buf[i];
if (ntohs(*val16) != DNS_CLASS_ANY) {
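Review bot: Setting `q->tsig.have_tsig = 1` before the `tsig == 0` break means a server with no TSIG keys configured now answers NOTAUTH to any query that merely carries a TSIG RR (parseloop turns `have_tsig` plus a non-zero `tsigerrorcode` into NOTAUTH, and the main loops reply accordingly), whereas the comment on that branch still says "no auth done". If that is intended it should be stated, e.g. `/* no keys configured: keep have_tsig so the caller answers NOTAUTH rather than serving an unverified query */`; if not, the assignment belongs after the `tsig == 0` check. The commit message only describes the filter cases, so this looks worth confirming. build_question continues outside the hunk.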
@@ -926,8 +923,8 @@ build_question(char *buf, int len, int additional, int
i = (pb - buf);
pseudolen4 = i;
- memcpy(q->tsigalg, expand, elen);
- q->tsigalglen = elen;
+ memcpy(q->tsig.tsigalg, expand, elen);
+ q->tsig.tsigalglen = elen;
/* now check for MAC type, since it's given once again */
if (elen == 11) {
@@ -945,8 +942,9 @@ build_question(char *buf, int len, int additional, int
memcasecmp(&expand[1], "hmac-md5", 8) != 0) {
break;
}
- } else
+ } else {
break;
+ }
/*
* this is a delayed (moved down) check of the key, we don't
@@ -954,7 +952,7 @@ build_question(char *buf, int len, int additional, int
* type, that's why it's delayed...
*/
- if ((tsignamelen = find_tsig_key(q->tsigkey, q->tsigkeylen, (char *)&tsigkey, sizeof(tsigkey))) < 0) {
+ if ((tsignamelen = find_tsig_key(q->tsig.tsigkey, q->tsig.tsigkeylen, (char *)&tsigkey, sizeof(tsigkey))) < 0) {
/* we don't have the name configured, let it pass */
i = rollback;
break;
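Review bot: The comment `/* we don't have the name configured, let it pass */` below the changed call no longer describes the outcome: `tsigerrorcode` was set to DNS_BADKEY earlier in the function and `have_tsig` is already 1, so this break makes parseloop return NOTAUTH and the main loops answer NOTAUTH with BADKEY, which is the RFC 2845 behaviour but not a "pass". Suggest `/* unknown key name: leave DNS_BADKEY set, the caller replies NOTAUTH */`. build_question's body continues outside the hunk.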
@@ -970,19 +968,19 @@ build_question(char *buf, int len, int additional, int
fudge = ntohs(tsigrr->timefudge & 0xffff);
tsigtime = ntohl((tsigrr->timefudge >> 16));
- q->tsig_timefudge = tsigrr->timefudge;
+ q->tsig.tsig_timefudge = tsigrr->timefudge;
now = time(NULL);
/* outside our fudge window */
if (tsigtime < (now - fudge) || tsigtime > (now + fudge)) {
- q->tsigerrorcode = DNS_BADTIME;
+ q->tsig.tsigerrorcode = DNS_BADTIME;
break;
}
i += (8 + 2); /* timefudge + macsize */
if (ntohs(tsigrr->macsize) != 32) {
- q->tsigerrorcode = DNS_BADSIG;
+ q->tsig.tsigerrorcode = DNS_BADSIG;
break;
}
@@ -999,7 +997,7 @@ build_question(char *buf, int len, int additional, int
i += 2;
if (hdr->id != *val16)
hdr->id = *val16;
- q->tsigorigid = *val16;
+ q->tsig.tsigorigid = *val16;
/* error */
tsigerror = (u_int16_t *)&buf[i];
@@ -1040,24 +1038,19 @@ build_question(char *buf, int len, int additional, int
#if DEBUG
dolog(LOG_INFO, "HMAC did not verify\n");
#endif
- q->tsigerrorcode = DNS_BADSIG;
+ q->tsig.tsigerrorcode = DNS_BADSIG;
break;
}
/* copy the mac for error coding */
- memcpy(q->tsigmac, tsigrr->mac, sizeof(q->tsigmac));
- q->tsigmaclen = 32;
+ memcpy(q->tsig.tsigmac, tsigrr->mac, sizeof(q->tsig.tsigmac));
+ q->tsig.tsigmaclen = 32;
/* we're now authenticated */
- q->tsigerrorcode = 0;
- q->tsigverified = 1;
+ q->tsig.tsigerrorcode = 0;
+ q->tsig.tsigverified = 1;
} while (0);
-
- if (require_tsig) {
- if (q->tsigerrorcode == 0)
- q->tsigerrorcode = 1; /* 1 for now */
- }
/* fill our name into the dns header struct */