Refactor

Author: spevnev

src/dns.cc

@@ -19,7 +19,7 @@ template <std::integral T>
 T random_int() {
     T result;
     if (RAND_bytes(reinterpret_cast<unsigned char *>(&result), sizeof(result)) != 1) {
-        throw std::runtime_error{"Failed to generate random bytes"};
+        throw std::runtime_error("Failed to generate random bytes");
     }
     return result;
 }
@@ -79,40 +79,38 @@ class ResponseReader {
 
         // Read response header.
         auto id = read_u16();
-        if (id != request_id) throw std::runtime_error("Wrong response ID");
-
         auto flags = read_u16();
         bool is_response = (flags >> 15) & 1;
+        auto opcode = static_cast<OpCode>((flags >> 11) & 0b1111);
         response.is_authoritative = (flags >> 10) & 1;
         bool is_truncated = (flags >> 9) & 1;
-        auto opcode = static_cast<OpCode>((flags >> 11) & 0b1111);
         response.rcode = static_cast<RCode>(flags & 0b1111);
-
-        if (!is_response) throw std::runtime_error("Response is a query");
-        if (is_truncated) throw std::runtime_error("Response is truncated");
-        if (opcode != OpCode::Query) throw std::runtime_error("Response has wrong opcode");
-
         auto question_count = read_u16();
-        if (question_count != 1) throw std::runtime_error("Wrong question count");
         auto answer_count = read_u16();
         auto authority_count = read_u16();
         auto additional_count = read_u16();
 
+        // Validate response header.
+        if (id != request_id) throw std::runtime_error("Wrong response ID");
+        if (!is_response) throw std::runtime_error("Response is a query");
+        if (opcode != OpCode::Query) throw std::runtime_error("Response has wrong opcode");
+        if (is_truncated) throw std::runtime_error("Response is truncated");
+        if (question_count != 1) throw std::runtime_error("Wrong question count");
+
         // Validate question.
         if (read_domain() != request_domain) throw std::runtime_error("Wrong question domain");
         if (read_u16<RRType>() != request_rr_type) throw std::runtime_error("Wrong question type");
         if (read_u16<DNSClass>() != DNSClass::Internet) throw std::runtime_error("Unknown DNS class");
 
+        // Read the answer.
         response.answers.reserve(answer_count);
         for (uint16_t i = 0; i < answer_count; i++) response.answers.push_back(read_rr());
-
         response.authority.reserve(authority_count);
         for (uint16_t i = 0; i < authority_count; i++) response.authority.push_back(read_rr());
-
         response.additional.reserve(additional_count);
         for (uint16_t i = 0; i < additional_count; i++) response.additional.push_back(read_rr());
 
-        if (offset != buffer.size()) throw std::runtime_error("Response is too long");
+        if (offset != buffer.size()) throw std::runtime_error("Failed to parse the response");
         return response;
     }
 
@@ -193,7 +191,7 @@ class ResponseReader {
         std::string domain;
         read_domain_rec(allow_compression, domain);
         // Handle root domain.
-        if (domain.empty()) domain.push_back('.');
+        if (domain.empty()) return ".";
         if (domain.size() > MAX_DOMAIN_LENGTH) throw std::runtime_error("Domain is too long");
         return domain;
     }
@@ -280,9 +278,9 @@ class ResponseReader {
         ds.key_tag = read_u16();
         ds.signing_algorithm = read_u8<SigningAlgorithm>();
         ds.digest_algorithm = read_u8<DigestAlgorithm>();
-        read(get_ds_digest_size(ds.digest_algorithm), ds.digest);
+        read(dnssec::get_ds_digest_size(ds.digest_algorithm), ds.digest);
 
-        // Save data to verify the RRSIG later.
+        // Save data to authenticate the RRSIG later.
         ResponseReader data_reader{buffer, data_offset};
         data_reader.read(data_length, ds.data);
 
@@ -306,7 +304,7 @@ class ResponseReader {
         auto signature_length = data_length - (offset - data_offset);
         read(signature_length, rrsig.signature);
 
-        // Save data without signature to verify it later.
+        // Save data without signature to authenticate it later.
         ResponseReader data_reader{buffer, data_offset};
         data_reader.read(data_length - signature_length, rrsig.data);
 
@@ -345,7 +343,7 @@ class ResponseReader {
         auto domain_size = offset - data_offset;
         nsec.types = read_rr_type_bitmap(data_length - domain_size);
 
-        // Save data to verify the RRSIG later.
+        // Save data to authenticate the RRSIG later.
         ResponseReader data_reader{buffer, data_offset};
         data_reader.read(data_length, nsec.data);
 
@@ -369,10 +367,10 @@ class ResponseReader {
         auto key_size = data_length - 4;
         read(key_size, dnskey.key);
 
-        // Save data to verify the RRSIG later.
+        // Save data to authenticate the RRSIG later.
         ResponseReader data_reader{buffer, data_offset};
         data_reader.read(data_length, dnskey.data);
-        dnskey.key_tag = compute_key_tag(dnskey.data);
+        dnskey.key_tag = dnssec::compute_key_tag(dnskey.data);
 
         return dnskey;
     }
@@ -394,7 +392,7 @@ class ResponseReader {
         auto nsec3_data_length = offset - data_offset;
         nsec3.types = read_rr_type_bitmap(data_length - nsec3_data_length);
 
-        // Save data to verify the RRSIG later.
+        // Save data to authenticate the RRSIG later.
         ResponseReader data_reader{buffer, data_offset};
         data_reader.read(data_length, nsec3.data);
 

src/dns.hh

@@ -162,7 +162,7 @@ struct RRSIG {
     uint16_t key_tag;
     std::string signer_name;
     std::vector<uint8_t> signature;
-    // Data does not include the signature since it is only used to verify it.
+    // Data does not include the signature since it is only used to authenticate it.
     std::vector<uint8_t> data;
 };
 
@@ -270,7 +270,7 @@ public:
             case RRType::DS: {
                 const auto &ds = std::get<DS>(rr.data);
                 std::format_to(out, "{} {} {} {}", ds.key_tag, std::to_underlying(ds.signing_algorithm),
-                               std::to_underlying(ds.digest_algorithm), hex_string_encode(ds.digest));
+                               std::to_underlying(ds.digest_algorithm), hex_encode(ds.digest));
             } break;
             case RRType::RRSIG: {
                 const auto &rrsig = std::get<RRSIG>(rr.data);
@@ -293,8 +293,8 @@ public:
             case RRType::NSEC3: {
                 const auto &nsec3 = std::get<NSEC3>(rr.data);
                 std::format_to(out, "{} {} {} {} {} (", std::to_underlying(nsec3.algorithm), nsec3.flags,
-                               nsec3.iterations, nsec3.salt.empty() ? "-" : hex_string_encode(nsec3.salt),
-                               base32_encode(nsec3.next_domain_hash));
+                               nsec3.iterations, nsec3.salt.empty() ? "-" : hex_encode(nsec3.salt),
+                               base32hex_encode(nsec3.next_domain_hash));
                 print_types(out, nsec3.types);
                 std::format_to(out, ")");
             } break;

src/dnssec.cc

@@ -21,14 +21,6 @@
 #include "write.hh"
 
 namespace {
-struct RRWithData {
-    std::reference_wrapper<const RR> rr;
-    std::vector<std::string_view> labels;
-    std::vector<uint8_t> data;
-
-    RRWithData(const RR &rr, std::vector<std::string_view> &&labels) : rr(rr), labels(labels) {}
-};
-
 using EVP_PKEY_unique_ptr = std::unique_ptr<EVP_PKEY, decltype([](auto *pkey) { EVP_PKEY_free(pkey); })>;
 using BIGNUM_unique_ptr = std::unique_ptr<BIGNUM, decltype([](auto *bn) { BN_free(bn); })>;
 using OSSL_PARAM_BLD_unique_ptr
@@ -105,7 +97,7 @@ EVP_PKEY_unique_ptr load_ecdsa_key(const std::vector<uint8_t> &dnskey, const std
 }
 
 EVP_PKEY_unique_ptr load_eddsa_key(const std::vector<uint8_t> &dnskey, int type) {
-    auto *pkey = EVP_PKEY_new_raw_public_key(type, NULL, dnskey.data(), dnskey.size());
+    auto *pkey = EVP_PKEY_new_raw_public_key(type, nullptr, dnskey.data(), dnskey.size());
     if (pkey == nullptr) throw std::runtime_error("Failed to load EdDSA key");
     return EVP_PKEY_unique_ptr{pkey};
 }
@@ -215,6 +207,14 @@ std::vector<std::string_view> domain_to_labels(const std::string_view &domain) {
     return labels;
 }
 
+struct RRWithData {
+    std::reference_wrapper<const RR> rr;
+    std::vector<std::string_view> labels;
+    std::vector<uint8_t> data;
+
+    RRWithData(const RR &rr, std::vector<std::string_view> &&labels) : rr(rr), labels(labels) {}
+};
+
 std::vector<RRWithData> add_data_to_rrset(const std::vector<RR> &rrset) {
     std::vector<RRWithData> result;
     result.reserve(rrset.size());
@@ -359,10 +359,10 @@ int compare_domains(const std::vector<std::string_view> &a, const std::vector<st
     return 0;
 }
 
-bool is_domain_between(const std::string_view &domain, const std::string_view &before, const std::string_view &after) {
+bool is_domain_between(const std::string &domain, const std::string &before, const std::string &after) {
+    auto domain_labels = domain_to_labels(domain);
     auto before_labels = domain_to_labels(before);
     auto after_labels = domain_to_labels(after);
-    auto domain_labels = domain_to_labels(domain);
     return compare_domains(before_labels, domain_labels) < 0 && compare_domains(domain_labels, after_labels) < 0;
 }
 
@@ -394,7 +394,7 @@ std::string get_nsec3_domain(const NSEC3 &nsec3, const std::string_view &domain,
         }
     }
 
-    return base32_encode(digest) + "." + zone_domain;
+    return base32hex_encode(digest) + "." + zone_domain;
 }
 
 std::optional<NSEC3> find_covering_nsec3(const std::vector<RR> &nsec3_rrset, const std::string_view &domain,
@@ -406,7 +406,7 @@ std::optional<NSEC3> find_covering_nsec3(const std::vector<RR> &nsec3_rrset, con
         auto covered_domain = get_nsec3_domain(nsec3, domain, zone_domain);
         for (const auto &nsec3_rr : nsec3_rrset) {
             const auto &nsec3 = std::get<NSEC3>(nsec3_rr.data);
-            auto next_domain = base32_encode(nsec3.next_domain_hash) + "." + zone_domain;
+            auto next_domain = base32hex_encode(nsec3.next_domain_hash) + "." + zone_domain;
             if (is_domain_between(covered_domain, nsec3_rr.domain, next_domain)) return std::get<NSEC3>(nsec3_rr.data);
         }
     } catch (...) {
@@ -463,6 +463,7 @@ std::optional<EncloserProof> verify_closest_encloser_proof(const std::vector<RR>
 }
 }  // namespace
 
+namespace dnssec {
 int get_ds_digest_size(DigestAlgorithm algorithm) {
     auto digest_size = EVP_MD_get_size(get_ds_digest_algorithm(algorithm));
     if (digest_size <= 0) throw std::runtime_error("Failed to get digest size");
@@ -550,10 +551,10 @@ bool authenticate_rrset(const std::vector<RR> &rrset, const std::vector<RRSIG> &
 
 bool authenticate_delegation(const std::vector<RR> &dnskey_rrset, const std::vector<DS> &dss,
                              const std::vector<RRSIG> &rrsigs, const std::string &zone_domain) {
-    if (dnskey_rrset.empty() || dss.empty()) return {};
+    if (dnskey_rrset.empty() || dss.empty()) return false;
 
     EVP_MD_CTX_unique_ptr ctx{EVP_MD_CTX_new()};
-    if (ctx == nullptr) return {};
+    if (ctx == nullptr) return false;
 
     std::vector<uint8_t> canonical_domain;
     std::vector<uint8_t> digest;
@@ -565,7 +566,9 @@ bool authenticate_delegation(const std::vector<RR> &dnskey_rrset, const std::vec
             if (digest_size <= 0) continue;
 
             for (const auto &dnskey_rr : dnskey_rrset) {
+                if (dnskey_rr.type != RRType::DNSKEY) return false;
                 const auto &dnskey = std::get<DNSKEY>(dnskey_rr.data);
+
                 if (dnskey.key_tag != ds.key_tag) continue;
 
                 canonical_domain.clear();
@@ -602,9 +605,10 @@ bool authenticate_name_error(const std::string &domain, const std::vector<RR> &n
         return find_covering_nsec3(nsec3_rrset, wildcard_domain, zone_domain).has_value();
     }
 
-    for (const auto &rr : nsec_rrset) {
-        const auto &nsec = std::get<NSEC>(rr.data);
-        if (is_domain_between(domain, rr.domain, nsec.next_domain)) return true;
+    for (const auto &nsec_rr : nsec_rrset) {
+        if (nsec_rr.type != RRType::NSEC) return false;
+        const auto &nsec = std::get<NSEC>(nsec_rr.data);
+        if (is_domain_between(domain, nsec_rr.domain, nsec.next_domain)) return true;
     }
 
     return false;
@@ -625,9 +629,9 @@ bool authenticate_no_ds(const std::string &domain, const std::vector<RR> &nsec3_
         return encloser_proof.has_value() && encloser_proof->next_closer_opt_out;
     }
 
-    if (!nsec_rr.has_value()) return false;
-
+    if (!nsec_rr.has_value() || nsec_rr->type != RRType::NSEC) return false;
     const auto &nsec = std::get<NSEC>(nsec_rr->data);
+
     if (nsec.types.contains(RRType::DS) || nsec.types.contains(RRType::CNAME)) return false;
 
     return true;
@@ -642,9 +646,9 @@ bool authenticate_no_rrset(RRType rr_type, const std::string &domain, const std:
         return true;
     }
 
-    if (!nsec_rr.has_value()) return false;
-
+    if (!nsec_rr.has_value() || nsec_rr->type != RRType::NSEC) return false;
     const auto &nsec = std::get<NSEC>(nsec_rr->data);
-    if (nsec.types.contains(rr_type) || nsec.types.contains(RRType::CNAME)) return false;
-    return true;
+
+    return !nsec.types.contains(rr_type) && !nsec.types.contains(RRType::CNAME);
 }
+};  // namespace dnssec

src/dnssec.hh

@@ -5,6 +5,7 @@
 #include <vector>
 #include "dns.hh"
 
+namespace dnssec {
 int get_ds_digest_size(DigestAlgorithm algorithm);
 uint16_t compute_key_tag(const std::vector<uint8_t> &data);
 
@@ -18,3 +19,4 @@ bool authenticate_no_ds(const std::string &domain, const std::vector<RR> &nsec3_
                         const std::string &zone_domain);
 bool authenticate_no_rrset(RRType rr_type, const std::string &domain, const std::vector<RR> &nsec3_rrset,
                            const std::optional<RR> &nsec_rr, const std::string &zone_domain);
+};  // namespace dnssec

src/encode.cc

@@ -37,8 +37,7 @@ std::string base64_encode(const std::vector<uint8_t> &src) {
     return output;
 }
 
-// Base 32 Encoding with Extended Hex Alphabet.
-std::string base32_encode(const std::vector<uint8_t> &src) {
+std::string base32hex_encode(const std::vector<uint8_t> &src) {
     std::string output;
     output.reserve(((src.size() + 4) / 5) * 8);
 
@@ -98,7 +97,7 @@ std::string base32_encode(const std::vector<uint8_t> &src) {
     return output;
 }
 
-std::string hex_string_encode(const std::vector<uint8_t> &src) {
+std::string hex_encode(const std::vector<uint8_t> &src) {
     std::string output;
     output.reserve(src.size() * 2);
 

src/encode.hh

@@ -5,5 +5,5 @@
 #include <vector>
 
 std::string base64_encode(const std::vector<uint8_t> &src);
-std::string base32_encode(const std::vector<uint8_t> &src);
-std::string hex_string_encode(const std::vector<uint8_t> &src);
+std::string base32hex_encode(const std::vector<uint8_t> &src);
+std::string hex_encode(const std::vector<uint8_t> &src);

src/main.cc

@@ -70,8 +70,8 @@ int main(int argc, char **argv) {
             ("edns", "EDNS", cxxopts::value<FeatureState>()->default_value("on"))                    //
             ("dnssec", "DNSSEC", cxxopts::value<FeatureState>()->default_value("on"))                //
             ("cookies", "Cookies", cxxopts::value<FeatureState>()->default_value("on"))              //
-            ("use-root", "Load root nameservers", cxxopts::value<bool>()->default_value("true"))     //
-            ("use-resolv-conf", "Load /etc/resolv.conf", cxxopts::value<bool>()->default_value("true"));
+            ("use-root", "Use root nameservers", cxxopts::value<bool>()->default_value("true"))      //
+            ("use-config", "Use nameservers from /etc/resolv.conf", cxxopts::value<bool>()->default_value("true"));
         options.parse_positional({"domain"});
 
         auto result = options.parse(argc, argv);
@@ -84,7 +84,7 @@ int main(int argc, char **argv) {
             .timeout_ms = result["timeout"].as<uint64_t>() * 1000,
             .nameserver = result["server"].as_optional<std::string>(),
             .use_root_nameservers = result["use-root"].as<bool>(),
-            .use_resolve_config = result["use-resolv-conf"].as<bool>(),
+            .use_resolve_config = result["use-config"].as<bool>(),
             .port = result["port"].as<uint16_t>(),
             .verbose = result["verbose"].as<bool>(),
             .enable_rd = result["rdflag"].as<bool>(),