i = GET_U_1(cp);
cp++;
while (i) {
- if ((i & INDIR_MASK) == INDIR_MASK)
+ switch (i & TYPE_MASK) {
+
+ case TYPE_INDIR:
return (cp + 1);
- if ((i & INDIR_MASK) == EDNS0_MASK) {
+
+ case TYPE_EDNS0: {
int bitlen, bytelen;
- if ((i & ~INDIR_MASK) != EDNS0_ELT_BITLABEL)
+ if ((i & ~TYPE_MASK) != EDNS0_ELT_BITLABEL)
return(NULL); /* unknown ELT */
if (!ND_TTEST_1(cp))
return (NULL);
cp++;
bytelen = (bitlen + 7) / 8;
cp += bytelen;
- } else
+ }
+ break;
+
+ case TYPE_RESERVED:
+ return (NULL);
+
+ case TYPE_LABEL:
cp += i;
+ break;
+ }
if (!ND_TTEST_1(cp))
return (NULL);
i = GET_U_1(cp);
/* print the bit string as a hex string */
ND_PRINT("\\[x");
for (bitp = cp + 1, b = bitlen; bitp < lim && b > 7; b -= 8, bitp++) {
- ND_TCHECK_1(bitp);
ND_PRINT("%02x", GET_U_1(bitp));
}
if (b > 4) {
- ND_TCHECK_1(bitp);
tc = GET_U_1(bitp);
bitp++;
ND_PRINT("%02x", tc & (0xff << (8 - b)));
} else if (b > 0) {
- ND_TCHECK_1(bitp);
tc = GET_U_1(bitp);
bitp++;
ND_PRINT("%1x", ((tc >> 4) & 0x0f) & (0x0f << (4 - b)));
}
ND_PRINT("/%u]", bitlen);
return lim;
-trunc:
- ND_PRINT(".../%u]", bitlen);
- return NULL;
}
static int
if (!ND_TTEST_1(cp))
return(-1);
i = GET_U_1(cp);
- if ((i & INDIR_MASK) == EDNS0_MASK) {
+ switch (i & TYPE_MASK) {
+
+ case TYPE_EDNS0: {
u_int bitlen, elt;
- if ((elt = (i & ~INDIR_MASK)) != EDNS0_ELT_BITLABEL) {
+ if ((elt = (i & ~TYPE_MASK)) != EDNS0_ELT_BITLABEL) {
ND_PRINT("<ELT %d>", elt);
return(-1);
}
if ((bitlen = GET_U_1(cp + 1)) == 0)
bitlen = 256;
return(((bitlen + 7) / 8) + 1);
- } else
+ }
+
+ case TYPE_INDIR:
+ case TYPE_LABEL:
return(i);
+
+ default:
+ /*
+ * TYPE_RESERVED, but we use default to suppress compiler
+ * warnings about falling out of the switch statement.
+ */
+ ND_PRINT("<BAD LABEL TYPE>");
+ return(-1);
+ }
}
/* print a <domain-name> */
int compress = 0;
u_int elt;
u_int offset, max_offset;
+ u_int name_chars = 0;
if ((l = labellen(ndo, cp)) == (u_int)-1)
return(NULL);
max_offset = (u_int)(cp - bp);
i = GET_U_1(cp);
cp++;
- if ((i & INDIR_MASK) != INDIR_MASK) {
+ if ((i & TYPE_MASK) != TYPE_INDIR) {
compress = 0;
rp = cp + l;
}
- if (i != 0)
+ if (i != 0) {
while (i && cp < ndo->ndo_snapend) {
- if ((i & INDIR_MASK) == INDIR_MASK) {
+ switch (i & TYPE_MASK) {
+
+ case TYPE_INDIR:
if (!compress) {
rp = cp + 1;
compress = 1;
}
max_offset = offset;
cp = bp + offset;
- if ((l = labellen(ndo, cp)) == (u_int)-1)
- return(NULL);
if (!ND_TTEST_1(cp))
return(NULL);
i = GET_U_1(cp);
+ if ((l = labellen(ndo, cp)) == (u_int)-1)
+ return(NULL);
cp++;
continue;
- }
- if ((i & INDIR_MASK) == EDNS0_MASK) {
- elt = (i & ~INDIR_MASK);
+
+ case TYPE_EDNS0:
+ elt = (i & ~TYPE_MASK);
switch(elt) {
case EDNS0_ELT_BITLABEL:
if (blabel_print(ndo, cp) == NULL)
ND_PRINT("<ELT %u>", elt);
return(NULL);
}
- } else {
- if (nd_printn(ndo, cp, l, ndo->ndo_snapend))
- return(NULL);
+ break;
+
+ case TYPE_RESERVED:
+ ND_PRINT("<BAD LABEL TYPE>");
+ return(NULL);
+
+ case TYPE_LABEL:
+ if (name_chars + l <= MAXCDNAME) {
+ if (nd_printn(ndo, cp, l, ndo->ndo_snapend))
+ return(NULL);
+ } else if (name_chars < MAXCDNAME) {
+ if (nd_printn(ndo, cp,
+ MAXCDNAME - name_chars, ndo->ndo_snapend))
+ return(NULL);
+ }
+ name_chars += l;
+ break;
}
cp += l;
- ND_PRINT(".");
- if ((l = labellen(ndo, cp)) == (u_int)-1)
- return(NULL);
+ if (name_chars <= MAXCDNAME)
+ ND_PRINT(".");
+ name_chars++;
if (!ND_TTEST_1(cp))
return(NULL);
i = GET_U_1(cp);
+ if ((l = labellen(ndo, cp)) == (u_int)-1)
+ return(NULL);
cp++;
if (!compress)
rp += l + 1;
}
- else
+ if (name_chars > MAXCDNAME)
+ ND_PRINT("<DOMAIN NAME TOO LONG>");
+ } else
ND_PRINT(".");
return (rp);
}
return (cp + i);
}
+static void
+print_eopt_ecs(netdissect_options *ndo, const u_char *cp,
+ u_int data_len)
+{
+ u_int family, addr_bits, src_len, scope_len;
+
+ u_char padded[32];
+ char addr[INET6_ADDRSTRLEN];
+
+ /* ecs option must at least contain family, src len, and scope len */
+ if (data_len < 4) {
+ nd_print_invalid(ndo);
+ return;
+ }
+
+ family = GET_BE_U_2(cp);
+ cp += 2;
+ src_len = GET_U_1(cp);
+ cp += 1;
+ scope_len = GET_U_1(cp);
+ cp += 1;
+
+ if (family == 1)
+ addr_bits = 32;
+ else if (family == 2)
+ addr_bits = 128;
+ else {
+ nd_print_invalid(ndo);
+ return;
+ }
+
+ if (data_len - 4 > (addr_bits / 8)) {
+ nd_print_invalid(ndo);
+ return;
+ }
+ /* checks for invalid ecs scope or source length */
+ if (src_len > addr_bits || scope_len > addr_bits || ((src_len + 7) / 8) != (data_len - 4)) {
+ nd_print_invalid(ndo);
+ return;
+ }
+
+ /* pad the truncated address from ecs with zeros */
+ memset(padded, 0, sizeof(padded));
+ memcpy(padded, cp, data_len - 4);
+
+
+ if (family == 1)
+ ND_PRINT("%s/%d/%d", addrtostr(padded, addr, INET_ADDRSTRLEN),
+ src_len, scope_len);
+ else
+ ND_PRINT("%s/%d/%d", addrtostr6(padded, addr, INET6_ADDRSTRLEN),
+ src_len, scope_len);
+
+}
+
+extern const struct tok edns_opt2str[];
+extern const struct tok dau_alg2str[];
+extern const struct tok dhu_alg2str[];
+extern const struct tok n3u_alg2str[];
+
+
+/* print an <EDNS-option> */
+static const u_char *
+eopt_print(netdissect_options *ndo,
+ const u_char *cp)
+{
+ u_int opt, data_len, i;
+
+ if (!ND_TTEST_2(cp))
+ return (NULL);
+ opt = GET_BE_U_2(cp);
+ cp += 2;
+ ND_PRINT("%s", tok2str(edns_opt2str, "Opt%u", opt));
+ if (!ND_TTEST_2(cp))
+ return (NULL);
+ data_len = GET_BE_U_2(cp);
+ cp += 2;
+
+ ND_TCHECK_LEN(cp, data_len);
+
+ if (data_len > 0) {
+ ND_PRINT(" ");
+ switch (opt) {
+
+ case E_ECS:
+ print_eopt_ecs(ndo, cp, data_len);
+ break;
+ case E_COOKIE:
+ if (data_len < 8 || (data_len > 8 && data_len < 16) || data_len > 40)
+ nd_print_invalid(ndo);
+ else {
+ for (i = 0; i < data_len; ++i) {
+ /* split client and server cookie */
+ if (i == 8)
+ ND_PRINT(" ");
+ ND_PRINT("%02x", GET_U_1(cp + i));
+ }
+ }
+ break;
+ case E_KEEPALIVE:
+ if (data_len != 2)
+ nd_print_invalid(ndo);
+ else
+ /* keepalive is in increments of 100ms. Convert to seconds */
+ ND_PRINT("%0.1f sec", (GET_BE_U_2(cp) / 10.0));
+ break;
+ case E_EXPIRE:
+ if (data_len != 4)
+ nd_print_invalid(ndo);
+ else
+ ND_PRINT("%u sec", GET_BE_U_4(cp));
+ break;
+ case E_PADDING:
+ /* ignore contents and just print length */
+ ND_PRINT("(%u)", data_len);
+ break;
+ case E_KEYTAG:
+ if (data_len % 2 != 0)
+ nd_print_invalid(ndo);
+ else
+ for (i = 0; i < data_len; i += 2) {
+ if (i > 0)
+ ND_PRINT(" ");
+ ND_PRINT("%u", GET_BE_U_2(cp + i));
+ }
+ break;
+ case E_DAU:
+ for (i = 0; i < data_len; ++i) {
+ if (i > 0)
+ ND_PRINT(" ");
+ ND_PRINT("%s", tok2str(dau_alg2str, "Alg_%u", GET_U_1(cp + i)));
+ }
+ break;
+ case E_DHU:
+ for (i = 0; i < data_len; ++i) {
+ if (i > 0)
+ ND_PRINT(" ");
+ ND_PRINT("%s", tok2str(dhu_alg2str, "Alg_%u", GET_U_1(cp + i)));
+ }
+ break;
+ case E_N3U:
+ for (i = 0; i < data_len; ++i) {
+ if (i > 0)
+ ND_PRINT(" ");
+ ND_PRINT("%s", tok2str(n3u_alg2str, "Alg_%u", GET_U_1(cp + i)));
+ }
+ break;
+ case E_CHAIN:
+ fqdn_print(ndo, cp, cp + data_len);
+ break;
+ case E_NSID:
+ /* intentional fall-through. NSID is an undefined byte string */
+ default:
+ for (i = 0; i < data_len; ++i)
+ ND_PRINT("%02x", GET_U_1(cp + i));
+ break;
+ }
+ }
+ return (cp + data_len);
+
+ trunc:
+ return (NULL);
+
+}
+
+
+
extern const struct tok ns_type2str[];
/* https://www.iana.org/assignments/dns-parameters */
{ T_MX, "MX" }, /* RFC 1035 */
{ T_TXT, "TXT" }, /* RFC 1035 */
{ T_RP, "RP" }, /* RFC 1183 */
- { T_AFSDB, "AFSDB" }, /* RFC 1183 */
+ { T_AFSDB, "AFSDB" }, /* RFC 5864 */
{ T_X25, "X25" }, /* RFC 1183 */
{ T_ISDN, "ISDN" }, /* RFC 1183 */
{ T_RT, "RT" }, /* RFC 1183 */
{ T_NSAP, "NSAP" }, /* RFC 1706 */
- { T_NSAP_PTR, "NSAP_PTR" },
- { T_SIG, "SIG" }, /* RFC 2535 */
- { T_KEY, "KEY" }, /* RFC 2535 */
+ { T_NSAP_PTR, "NSAP_PTR" }, /* RFC 1706 */
+ { T_SIG, "SIG" }, /* RFC 3008 */
+ { T_KEY, "KEY" }, /* RFC 3110 */
{ T_PX, "PX" }, /* RFC 2163 */
{ T_GPOS, "GPOS" }, /* RFC 1712 */
- { T_AAAA, "AAAA" }, /* RFC 1886 */
+ { T_AAAA, "AAAA" }, /* RFC 3596 */
{ T_LOC, "LOC" }, /* RFC 1876 */
- { T_NXT, "NXT" }, /* RFC 2535 */
+ { T_NXT, "NXT" }, /* RFC 3755 */
{ T_EID, "EID" }, /* Nimrod */
{ T_NIMLOC, "NIMLOC" }, /* Nimrod */
{ T_SRV, "SRV" }, /* RFC 2782 */
{ T_ATMA, "ATMA" }, /* ATM Forum */
- { T_NAPTR, "NAPTR" }, /* RFC 2168, RFC 2915 */
+ { T_NAPTR, "NAPTR" }, /* RFC 3403 */
{ T_KX, "KX" }, /* RFC 2230 */
- { T_CERT, "CERT" }, /* RFC 2538 */
- { T_A6, "A6" }, /* RFC 2874 */
- { T_DNAME, "DNAME" }, /* RFC 2672 */
+ { T_CERT, "CERT" }, /* RFC 4398 */
+ { T_A6, "A6" }, /* RFC 6563 */
+ { T_DNAME, "DNAME" }, /* RFC 6672 */
{ T_SINK, "SINK" },
- { T_OPT, "OPT" }, /* RFC 2671 */
+ { T_OPT, "OPT" }, /* RFC 6891 */
{ T_APL, "APL" }, /* RFC 3123 */
{ T_DS, "DS" }, /* RFC 4034 */
{ T_SSHFP, "SSHFP" }, /* RFC 4255 */
{ T_RRSIG, "RRSIG" }, /* RFC 4034 */
{ T_NSEC, "NSEC" }, /* RFC 4034 */
{ T_DNSKEY, "DNSKEY" }, /* RFC 4034 */
- { T_SPF, "SPF" }, /* RFC-schlitt-spf-classic-02.txt */
+ { T_DHCID, "DHCID" }, /* RFC 4071 */
+ { T_NSEC3, "NSEC3" }, /* RFC 5155 */
+ { T_NSEC3PARAM, "NSEC3PARAM" }, /* RFC 5155 */
+ { T_TLSA, "TLSA" }, /* RFC 6698 */
+ { T_SMIMEA, "SMIMEA" }, /* RFC 8162 */
+ { T_HIP, "HIP" }, /* RFC 8005 */
+ { T_NINFO, "NINFO" },
+ { T_RKEY, "RKEY" },
+ { T_TALINK, "TALINK" },
+ { T_CDS, "CDS" }, /* RFC 7344 */
+ { T_CDNSKEY, "CDNSKEY" }, /* RFC 7344 */
+ { T_OPENPGPKEY, "OPENPGPKEY" }, /* RFC 7929 */
+ { T_CSYNC, "CSYNC" }, /* RFC 7477 */
+ { T_ZONEMD, "ZONEMD" }, /* RFC 8976 */
+ { T_SVCB, "SVCB" },
+ { T_HTTPS, "HTTPS" },
+ { T_SPF, "SPF" }, /* RFC 7208 */
{ T_UINFO, "UINFO" },
{ T_UID, "UID" },
{ T_GID, "GID" },
{ T_UNSPEC, "UNSPEC" },
- { T_UNSPECA, "UNSPECA" },
+ { T_NID, "NID" }, /* RFC 6742 */
+ { T_L32, "L32" }, /* RFC 6742 */
+ { T_L64, "L64" }, /* RFC 6742 */
+ { T_LP, "LP" }, /* RFC 6742 */
+ { T_EUI48, "EUI48" }, /* RFC 7043 */
+ { T_EUI64, "EUI64" }, /* RFC 7043 */
{ T_TKEY, "TKEY" }, /* RFC 2930 */
- { T_TSIG, "TSIG" }, /* RFC 2845 */
+ { T_TSIG, "TSIG" }, /* RFC 8945 */
{ T_IXFR, "IXFR" }, /* RFC 1995 */
- { T_AXFR, "AXFR" }, /* RFC 1035 */
+ { T_AXFR, "AXFR" }, /* RFC 5936 */
{ T_MAILB, "MAILB" }, /* RFC 1035 */
{ T_MAILA, "MAILA" }, /* RFC 1035 */
- { T_ANY, "ANY" },
+ { T_ANY, "ANY" }, /* RFC 8482 */
{ T_URI, "URI" }, /* RFC 7553 */
+ { T_CAA, "CAA" }, /* RFC 8659 */
+ { T_AVC, "AVC" },
+ { T_DOA, "DOA" },
+ { T_AMTRELAY, "AMTRELAY" }, /* RFC 8777 */
+ { T_TA, "TA" },
+ { T_DLV, "DLV" }, /* RFC 8749 */
{ 0, NULL }
};
{ 0, NULL }
};
+const struct tok edns_opt2str[] = {
+ { E_LLQ, "LLQ" },
+ { E_UL, "UL" },
+ { E_NSID, "NSID" },
+ { E_DAU, "DAU" },
+ { E_DHU, "DHU" },
+ { E_N3U, "N3U" },
+ { E_ECS, "ECS" },
+ { E_EXPIRE, "EXPIRE" },
+ { E_COOKIE, "COOKIE" },
+ { E_KEEPALIVE, "KEEPALIVE" },
+ { E_PADDING, "PADDING" },
+ { E_CHAIN, "CHAIN" },
+ { E_KEYTAG, "KEY-TAG" },
+ { E_CLIENTTAG, "CLIENT-TAG" },
+ { E_SERVERTAG, "SERVER-TAG" },
+ { 0, NULL }
+};
+
+const struct tok dau_alg2str[] = {
+ { A_DELETE, "DELETE" },
+ { A_RSAMD5, "RSAMD5" },
+ { A_DH, "DH" },
+ { A_DSA, "DS" },
+ { A_RSASHA1, "RSASHA1" },
+ { A_DSA_NSEC3_SHA1, "DSA-NSEC3-SHA1" },
+ { A_RSASHA1_NSEC3_SHA1, "RSASHA1-NSEC3-SHA1" },
+ { A_RSASHA256, "RSASHA256" },
+ { A_RSASHA512, "RSASHA512" },
+ { A_ECC_GOST, "ECC-GOST" },
+ { A_ECDSAP256SHA256, "ECDSAP256SHA256" },
+ { A_ECDSAP384SHA384, "ECDSAP384SHA384" },
+ { A_ED25519, "ED25519" },
+ { A_ED448, "ED448" },
+ { A_INDIRECT, "INDIRECT" },
+ { A_PRIVATEDNS, "PRIVATEDNS" },
+ { A_PRIVATEOID, "PRIVATEOID" },
+ { 0, NULL }
+};
+
+const struct tok dhu_alg2str[] = {
+ { DS_SHA1, "SHA-1" },
+ { DS_SHA256,"SHA-256" },
+ { DS_GOST, "GOST_R_34.11-94" },
+ { DS_SHA384,"SHA-384" },
+ { 0, NULL }
+};
+
+const struct tok n3u_alg2str[] = {
+ { NSEC_SHA1,"SHA-1" },
+ { 0, NULL }
+};
+
/* print a query */
static const u_char *
ns_qprint(netdissect_options *ndo,
case T_NS:
case T_CNAME:
case T_PTR:
-#ifdef T_DNAME
case T_DNAME:
-#endif
ND_PRINT(" ");
if (fqdn_print(ndo, cp, bp) == NULL)
return(NULL);
ND_PRINT(" %u(bad plen)", pbit);
break;
} else if (pbit < 128) {
- if (!ND_TTEST_LEN(cp + 1, sizeof(a) - pbyte))
- return(NULL);
memset(a, 0, sizeof(a));
- memcpy(a + pbyte, cp + 1, sizeof(a) - pbyte);
+ GET_CPY_BYTES(a + pbyte, cp + 1, sizeof(a) - pbyte);
ND_PRINT(" %u %s", pbit,
addrtostr6(&a, ntop_buf, sizeof(ntop_buf)));
}
ND_PRINT(" UDPsize=%u", class);
if (opt_flags & 0x8000)
ND_PRINT(" DO");
- break;
-
- case T_UNSPECA: /* One long string */
- if (!ND_TTEST_LEN(cp, len))
- return(NULL);
- if (nd_printn(ndo, cp, len, ndo->ndo_snapend))
- return(NULL);
+ if (cp < rp) {
+ ND_PRINT(" [");
+ while (cp < rp) {
+ cp = eopt_print(ndo, cp);
+ if (cp == NULL)
+ return(NULL);
+ if (cp < rp)
+ ND_PRINT(",");
+ }
+ ND_PRINT("]");
+ }
break;
case T_TSIG:
void
domain_print(netdissect_options *ndo,
- const u_char *bp, u_int length, int is_mdns)
+ const u_char *bp, u_int length, int over_tcp, int is_mdns)
{
const dns_header_t *np;
uint16_t flags, rcode, rdlen, type;
uint16_t b2;
ndo->ndo_protocol = "domain";
+
+ if (over_tcp) {
+ /*
+ * The message is prefixed with a two byte length field
+ * which gives the message length, excluding the two byte
+ * length field. (RFC 1035 - 4.2.2. TCP usage)
+ */
+ if (length < 2) {
+ ND_PRINT(" [DNS over TCP: length %u < 2]", length);
+ nd_print_invalid(ndo);
+ return;
+ } else {
+ length -= 2; /* excluding the two byte length field */
+ if (GET_BE_U_2(bp) != length) {
+ ND_PRINT(" [prefix length(%u) != length(%u)]",
+ GET_BE_U_2(bp), length);
+ nd_print_invalid(ndo);
+ return;
+ } else {
+ bp += 2;
+ /* in over TCP case, we need to prepend a space
+ * (not needed in over UDP case)
+ */
+ ND_PRINT(" ");
+ }
+ }
+ }
+
np = (const dns_header_t *)bp;
if(length < sizeof(*np)) {
if (cp + 1 > ndo->ndo_snapend)
goto print;
if (type == T_OPT) {
- rcode |= (*cp << 4);
+ rcode |= (GET_U_1(cp) << 4);
goto print;
}
cp += 4;
projects / tcpdump / blobdiff