| | |
| |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| |
|
| | """Help for building DNS wire format messages""" |
| |
|
| | import contextlib |
| | import io |
| | import random |
| | import struct |
| | import time |
| |
|
| | import dns.exception |
| | import dns.tsig |
| |
|
| | QUESTION = 0 |
| | ANSWER = 1 |
| | AUTHORITY = 2 |
| | ADDITIONAL = 3 |
| |
|
| |
|
| | @contextlib.contextmanager |
| | def prefixed_length(output, length_length): |
| | output.write(b"\00" * length_length) |
| | start = output.tell() |
| | yield |
| | end = output.tell() |
| | length = end - start |
| | if length > 0: |
| | try: |
| | output.seek(start - length_length) |
| | try: |
| | output.write(length.to_bytes(length_length, "big")) |
| | except OverflowError: |
| | raise dns.exception.FormError |
| | finally: |
| | output.seek(end) |
| |
|
| |
|
| | class Renderer: |
| | """Helper class for building DNS wire-format messages. |
| | |
| | Most applications can use the higher-level L{dns.message.Message} |
| | class and its to_wire() method to generate wire-format messages. |
| | This class is for those applications which need finer control |
| | over the generation of messages. |
| | |
| | Typical use:: |
| | |
| | r = dns.renderer.Renderer(id=1, flags=0x80, max_size=512) |
| | r.add_question(qname, qtype, qclass) |
| | r.add_rrset(dns.renderer.ANSWER, rrset_1) |
| | r.add_rrset(dns.renderer.ANSWER, rrset_2) |
| | r.add_rrset(dns.renderer.AUTHORITY, ns_rrset) |
| | r.add_rrset(dns.renderer.ADDITIONAL, ad_rrset_1) |
| | r.add_rrset(dns.renderer.ADDITIONAL, ad_rrset_2) |
| | r.add_edns(0, 0, 4096) |
| | r.write_header() |
| | r.add_tsig(keyname, secret, 300, 1, 0, '', request_mac) |
| | wire = r.get_wire() |
| | |
| | If padding is going to be used, then the OPT record MUST be |
| | written after everything else in the additional section except for |
| | the TSIG (if any). |
| | |
| | output, an io.BytesIO, where rendering is written |
| | |
| | id: the message id |
| | |
| | flags: the message flags |
| | |
| | max_size: the maximum size of the message |
| | |
| | origin: the origin to use when rendering relative names |
| | |
| | compress: the compression table |
| | |
| | section: an int, the section currently being rendered |
| | |
| | counts: list of the number of RRs in each section |
| | |
| | mac: the MAC of the rendered message (if TSIG was used) |
| | """ |
| |
|
| | def __init__(self, id=None, flags=0, max_size=65535, origin=None): |
| | """Initialize a new renderer.""" |
| |
|
| | self.output = io.BytesIO() |
| | if id is None: |
| | self.id = random.randint(0, 65535) |
| | else: |
| | self.id = id |
| | self.flags = flags |
| | self.max_size = max_size |
| | self.origin = origin |
| | self.compress = {} |
| | self.section = QUESTION |
| | self.counts = [0, 0, 0, 0] |
| | self.output.write(b"\x00" * 12) |
| | self.mac = "" |
| | self.reserved = 0 |
| | self.was_padded = False |
| |
|
| | def _rollback(self, where): |
| | """Truncate the output buffer at offset *where*, and remove any |
| | compression table entries that pointed beyond the truncation |
| | point. |
| | """ |
| |
|
| | self.output.seek(where) |
| | self.output.truncate() |
| | keys_to_delete = [] |
| | for k, v in self.compress.items(): |
| | if v >= where: |
| | keys_to_delete.append(k) |
| | for k in keys_to_delete: |
| | del self.compress[k] |
| |
|
| | def _set_section(self, section): |
| | """Set the renderer's current section. |
| | |
| | Sections must be rendered order: QUESTION, ANSWER, AUTHORITY, |
| | ADDITIONAL. Sections may be empty. |
| | |
| | Raises dns.exception.FormError if an attempt was made to set |
| | a section value less than the current section. |
| | """ |
| |
|
| | if self.section != section: |
| | if self.section > section: |
| | raise dns.exception.FormError |
| | self.section = section |
| |
|
| | @contextlib.contextmanager |
| | def _track_size(self): |
| | start = self.output.tell() |
| | yield start |
| | if self.output.tell() > self.max_size: |
| | self._rollback(start) |
| | raise dns.exception.TooBig |
| |
|
| | @contextlib.contextmanager |
| | def _temporarily_seek_to(self, where): |
| | current = self.output.tell() |
| | try: |
| | self.output.seek(where) |
| | yield |
| | finally: |
| | self.output.seek(current) |
| |
|
| | def add_question(self, qname, rdtype, rdclass=dns.rdataclass.IN): |
| | """Add a question to the message.""" |
| |
|
| | self._set_section(QUESTION) |
| | with self._track_size(): |
| | qname.to_wire(self.output, self.compress, self.origin) |
| | self.output.write(struct.pack("!HH", rdtype, rdclass)) |
| | self.counts[QUESTION] += 1 |
| |
|
| | def add_rrset(self, section, rrset, **kw): |
| | """Add the rrset to the specified section. |
| | |
| | Any keyword arguments are passed on to the rdataset's to_wire() |
| | routine. |
| | """ |
| |
|
| | self._set_section(section) |
| | with self._track_size(): |
| | n = rrset.to_wire(self.output, self.compress, self.origin, **kw) |
| | self.counts[section] += n |
| |
|
| | def add_rdataset(self, section, name, rdataset, **kw): |
| | """Add the rdataset to the specified section, using the specified |
| | name as the owner name. |
| | |
| | Any keyword arguments are passed on to the rdataset's to_wire() |
| | routine. |
| | """ |
| |
|
| | self._set_section(section) |
| | with self._track_size(): |
| | n = rdataset.to_wire(name, self.output, self.compress, self.origin, **kw) |
| | self.counts[section] += n |
| |
|
| | def add_opt(self, opt, pad=0, opt_size=0, tsig_size=0): |
| | """Add *opt* to the additional section, applying padding if desired. The |
| | padding will take the specified precomputed OPT size and TSIG size into |
| | account. |
| | |
| | Note that we don't have reliable way of knowing how big a GSS-TSIG digest |
| | might be, so we we might not get an even multiple of the pad in that case.""" |
| | if pad: |
| | ttl = opt.ttl |
| | assert opt_size >= 11 |
| | opt_rdata = opt[0] |
| | size_without_padding = self.output.tell() + opt_size + tsig_size |
| | remainder = size_without_padding % pad |
| | if remainder: |
| | pad = b"\x00" * (pad - remainder) |
| | else: |
| | pad = b"" |
| | options = list(opt_rdata.options) |
| | options.append(dns.edns.GenericOption(dns.edns.OptionType.PADDING, pad)) |
| | opt = dns.message.Message._make_opt(ttl, opt_rdata.rdclass, options) |
| | self.was_padded = True |
| | self.add_rrset(ADDITIONAL, opt) |
| |
|
| | def add_edns(self, edns, ednsflags, payload, options=None): |
| | """Add an EDNS OPT record to the message.""" |
| |
|
| | |
| | ednsflags &= 0xFF00FFFF |
| | ednsflags |= edns << 16 |
| | opt = dns.message.Message._make_opt(ednsflags, payload, options) |
| | self.add_opt(opt) |
| |
|
| | def add_tsig( |
| | self, |
| | keyname, |
| | secret, |
| | fudge, |
| | id, |
| | tsig_error, |
| | other_data, |
| | request_mac, |
| | algorithm=dns.tsig.default_algorithm, |
| | ): |
| | """Add a TSIG signature to the message.""" |
| |
|
| | s = self.output.getvalue() |
| |
|
| | if isinstance(secret, dns.tsig.Key): |
| | key = secret |
| | else: |
| | key = dns.tsig.Key(keyname, secret, algorithm) |
| | tsig = dns.message.Message._make_tsig( |
| | keyname, algorithm, 0, fudge, b"", id, tsig_error, other_data |
| | ) |
| | (tsig, _) = dns.tsig.sign(s, key, tsig[0], int(time.time()), request_mac) |
| | self._write_tsig(tsig, keyname) |
| |
|
| | def add_multi_tsig( |
| | self, |
| | ctx, |
| | keyname, |
| | secret, |
| | fudge, |
| | id, |
| | tsig_error, |
| | other_data, |
| | request_mac, |
| | algorithm=dns.tsig.default_algorithm, |
| | ): |
| | """Add a TSIG signature to the message. Unlike add_tsig(), this can be |
| | used for a series of consecutive DNS envelopes, e.g. for a zone |
| | transfer over TCP [RFC2845, 4.4]. |
| | |
| | For the first message in the sequence, give ctx=None. For each |
| | subsequent message, give the ctx that was returned from the |
| | add_multi_tsig() call for the previous message.""" |
| |
|
| | s = self.output.getvalue() |
| |
|
| | if isinstance(secret, dns.tsig.Key): |
| | key = secret |
| | else: |
| | key = dns.tsig.Key(keyname, secret, algorithm) |
| | tsig = dns.message.Message._make_tsig( |
| | keyname, algorithm, 0, fudge, b"", id, tsig_error, other_data |
| | ) |
| | (tsig, ctx) = dns.tsig.sign( |
| | s, key, tsig[0], int(time.time()), request_mac, ctx, True |
| | ) |
| | self._write_tsig(tsig, keyname) |
| | return ctx |
| |
|
| | def _write_tsig(self, tsig, keyname): |
| | if self.was_padded: |
| | compress = None |
| | else: |
| | compress = self.compress |
| | self._set_section(ADDITIONAL) |
| | with self._track_size(): |
| | keyname.to_wire(self.output, compress, self.origin) |
| | self.output.write( |
| | struct.pack("!HHI", dns.rdatatype.TSIG, dns.rdataclass.ANY, 0) |
| | ) |
| | with prefixed_length(self.output, 2): |
| | tsig.to_wire(self.output) |
| |
|
| | self.counts[ADDITIONAL] += 1 |
| | with self._temporarily_seek_to(10): |
| | self.output.write(struct.pack("!H", self.counts[ADDITIONAL])) |
| |
|
| | def write_header(self): |
| | """Write the DNS message header. |
| | |
| | Writing the DNS message header is done after all sections |
| | have been rendered, but before the optional TSIG signature |
| | is added. |
| | """ |
| |
|
| | with self._temporarily_seek_to(0): |
| | self.output.write( |
| | struct.pack( |
| | "!HHHHHH", |
| | self.id, |
| | self.flags, |
| | self.counts[0], |
| | self.counts[1], |
| | self.counts[2], |
| | self.counts[3], |
| | ) |
| | ) |
| |
|
| | def get_wire(self): |
| | """Return the wire format message.""" |
| |
|
| | return self.output.getvalue() |
| |
|
| | def reserve(self, size: int) -> None: |
| | """Reserve *size* bytes.""" |
| | if size < 0: |
| | raise ValueError("reserved amount must be non-negative") |
| | if size > self.max_size: |
| | raise ValueError("cannot reserve more than the maximum size") |
| | self.reserved += size |
| | self.max_size -= size |
| |
|
| | def release_reserved(self) -> None: |
| | """Release the reserved bytes.""" |
| | self.max_size += self.reserved |
| | self.reserved = 0 |
| |
|
