Adding upstream version 2.2.0.

Signed-off-by: Daniel Baumann <daniel@debian.org>

plugins/Makefile.am

@@ -3,4 +3,4 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 SUBDIRS = pcapdump rssm txtout rzkeychange royparse anonmask ipcrypt \
   anonaes128 cryptopan cryptopant eventlog
 
-EXTRA_DIST = template
+EXTRA_DIST = template shared

plugins/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -158,8 +158,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 DIST_SUBDIRS = $(SUBDIRS)
 am__DIST_COMMON = $(srcdir)/Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -201,6 +199,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -211,6 +211,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -320,7 +321,7 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 SUBDIRS = pcapdump rssm txtout rzkeychange royparse anonmask ipcrypt \
   anonaes128 cryptopan cryptopant eventlog
 
-EXTRA_DIST = template
+EXTRA_DIST = template shared
 all: all-recursive
 
 .SUFFIXES:
@@ -459,7 +460,6 @@ cscopelist-am: $(am__tagged_files)
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

plugins/anonaes128/Makefile.am

@@ -1,9 +1,10 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
+    -I$(top_srcdir)/plugins/shared \
     $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
 
 pkglib_LTLIBRARIES = anonaes128.la

plugins/anonaes128/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -205,8 +205,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -362,6 +360,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -400,6 +399,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -410,6 +411,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -516,11 +518,12 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov test1.out test2.out test3.out \
-	test3.pcap.20181127.155200.414188 test4.tmp
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist test1.out test2.out \
+	test3.out test3.pcap.20181127.155200.414188 test4.tmp
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
+    -I$(top_srcdir)/plugins/shared \
     $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
 
 pkglib_LTLIBRARIES = anonaes128.la
@@ -804,7 +807,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -880,7 +883,6 @@ test4.sh.log: test4.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

plugins/anonaes128/anonaes128.c

@@ -42,6 +42,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <netinet/in.h>
 
 #include "dnscap_common.h"
 
@@ -50,12 +51,13 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #define USE_OPENSSL 1
+#include "edns0_ecs.c"
 #endif
 
 static set_iaddr_t anonaes128_set_iaddr = 0;
 
 static logerr_t*     logerr;
-static int           only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v4 = 0, decrypt = 0;
+static int           only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v4 = 0, decrypt = 0, edns = 0;
 static unsigned char key[16];
 static unsigned char iv[16];
 #ifdef USE_OPENSSL
@@ -86,7 +88,9 @@ void anonaes128_usage()
         "\t-c            Only en/de-crypt clients (port != 53)\n"
         "\t-s            Only en/de-crypt servers (port == 53)\n"
         "\t-p <port>     Set port for -c/-s, default 53\n"
-        "\t-4            Encrypt IPv4 addresses, not default or recommended\n");
+        "\t-4            Encrypt IPv4 addresses, not default or recommended\n"
+        "\t-e            Also en/de-crypt EDNS(0) Client Subnet\n"
+        "\t-E            ONLY en/de-crypt EDNS(0) Client Subnet, not IP addresses\n");
 }
 
 void anonaes128_extension(int ext, void* arg)
@@ -104,7 +108,7 @@ void anonaes128_getopt(int* argc, char** argv[])
     unsigned long ul;
     char*         p;
 
-    while ((c = getopt(*argc, *argv, "?k:K:i:I:Dcsp:4")) != EOF) {
+    while ((c = getopt(*argc, *argv, "?k:K:i:I:Dcsp:4eE")) != EOF) {
         switch (c) {
         case 'k':
             if (strlen(optarg) != 16) {
@@ -174,6 +178,13 @@ void anonaes128_getopt(int* argc, char** argv[])
         case '4':
             encrypt_v4 = 1;
             break;
+        case 'e':
+            if (!edns)
+                edns = 1;
+            break;
+        case 'E':
+            edns = -1;
+            break;
         case '?':
             anonaes128_usage();
             if (!optopt || optopt == '?') {
@@ -242,12 +253,66 @@ int anonaes128_close(my_bpftimeval ts)
     return 0;
 }
 
+#ifdef USE_OPENSSL
+void ecs_callback(int family, u_char* buf, size_t len)
+{
+    unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH] = { 0 };
+    int           outlen                            = 0;
+
+    struct in6_addr in6 = IN6ADDR_ANY_INIT;
+
+    switch (family) {
+    case 1: // IPv4
+        if (len > sizeof(struct in_addr))
+            break;
+        if (encrypt_v4) {
+            memcpy(&in6, buf, len);
+            memcpy(((uint8_t*)&in6) + 4, &in6, 4);
+            memcpy(((uint8_t*)&in6) + 8, &in6, 4);
+            memcpy(((uint8_t*)&in6) + 12, &in6, 4);
+            if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (void*)&in6, 16)) {
+                logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+                exit(1);
+            }
+            if (outlen != 16) {
+                logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+                exit(1);
+            }
+            memcpy(buf, outbuf, len);
+        }
+        break;
+    case 2: // IPv6
+        if (len > sizeof(struct in6_addr))
+            break;
+        memcpy(&in6, buf, len);
+        if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (void*)&in6, 16)) {
+            logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+            exit(1);
+        }
+        if (outlen != 16) {
+            logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+            exit(1);
+        }
+        memcpy(buf, outbuf, len);
+        break;
+    default:
+        break;
+    }
+}
+#endif
+
 int anonaes128_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
     unsigned sport, unsigned dport, my_bpftimeval ts,
-    const u_char* pkt_copy, const unsigned olen,
-    const u_char* payload, const unsigned payloadlen)
+    u_char* pkt_copy, const unsigned olen,
+    u_char* payload, const unsigned payloadlen)
 {
 #ifdef USE_OPENSSL
+    if (edns && flags & DNSCAP_OUTPUT_ISDNS && payload && payloadlen > DNS_MSG_HDR_SZ) {
+        parse_for_edns0_ecs(payload, payloadlen, ecs_callback);
+        if (edns < 0)
+            return 0;
+    }
+
     unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH];
     int           outlen = 0;
 

plugins/anonaes128/test1.gold

@@ -2144,3 +2144,249 @@ anonaes128.so usage error: must have key (-k/-K) and IV (-i/-I)
 	ns3.google.com.,IN,A,157794,216.239.36.10 \
 	ns4.google.com.,IN,A,157794,216.239.38.10
 anonaes128.so usage error: -c and -s options are mutually exclusive
+[64] 2023-07-05 07:21:38.669836 [#0 edns.pcap-dist 4095] \
+	[123.118.213.76].58541 [29.178.88.193].53  \
+	dns QUERY,NOERROR,31428,rd \
+	1 h.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:38.669891 [#1 edns.pcap-dist 4095] \
+	[123.118.213.76].58541 [29.178.88.193].53  \
+	dns QUERY,NOERROR,5824,rd \
+	1 h.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:38.669977 [#2 edns.pcap-dist 4095] \
+	[29.178.88.193].53 [123.118.213.76].58541  \
+	dns QUERY,NOERROR,31428,qr|rd|ra \
+	1 h.root-servers.net.,IN,A \
+	1 h.root-servers.net.,IN,A,85098,198.97.190.53 0 0
+[92] 2023-07-05 07:21:38.670010 [#3 edns.pcap-dist 4095] \
+	[29.178.88.193].53 [123.118.213.76].58541  \
+	dns QUERY,NOERROR,5824,qr|rd|ra \
+	1 h.root-servers.net.,IN,AAAA \
+	1 h.root-servers.net.,IN,AAAA,85098,2001:500:1::53 0 0
+[88] 2023-07-05 07:21:38.670793 [#4 edns.pcap-dist 4095] \
+	[123.118.213.76].33737 [248.188.142.6].53  \
+	dns QUERY,NOERROR,56979,rd|ad \
+	1 ns1.dns.nic.aaa.,IN,NS 0 0 \
+	1 .,4096,4096,0,edns0[len=16,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=0],edns0opt[code=10,codelen=8]
+[464] 2023-07-05 07:21:38.698303 [#5 edns.pcap-dist 4095] \
+	[248.188.142.6].53 [123.118.213.76].33737  \
+	dns QUERY,NOERROR,56979,qr|rd \
+	1 ns1.dns.nic.aaa.,IN,NS 0 \
+	6 aaa.,IN,NS,172800,a.nic.aaa. \
+	aaa.,IN,NS,172800,b.nic.aaa. \
+	aaa.,IN,NS,172800,c.nic.aaa. \
+	aaa.,IN,NS,172800,ns1.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns2.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns3.dns.nic.aaa. \
+	13 a.nic.aaa.,IN,A,172800,37.209.192.9 \
+	b.nic.aaa.,IN,A,172800,37.209.194.9 \
+	c.nic.aaa.,IN,A,172800,37.209.196.9 \
+	ns1.dns.nic.aaa.,IN,A,172800,156.154.144.2 \
+	ns2.dns.nic.aaa.,IN,A,172800,156.154.145.2 \
+	ns3.dns.nic.aaa.,IN,A,172800,156.154.159.2 \
+	a.nic.aaa.,IN,AAAA,172800,2001:dcd:1::9 \
+	b.nic.aaa.,IN,AAAA,172800,2001:dcd:2::9 \
+	c.nic.aaa.,IN,AAAA,172800,2001:dcd:3::9 \
+	ns1.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1071::2 \
+	ns2.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1072::2 \
+	ns3.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1073::2 \
+	.,1232,1232,0,edns0[len=30,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=26]
+[64] 2023-07-05 07:21:42.739334 [#6 edns.pcap-dist 4095] \
+	[123.118.213.76].53174 [29.178.88.193].53  \
+	dns QUERY,NOERROR,48648,rd \
+	1 g.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:42.739396 [#7 edns.pcap-dist 4095] \
+	[123.118.213.76].53174 [29.178.88.193].53  \
+	dns QUERY,NOERROR,48141,rd \
+	1 g.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:42.739525 [#8 edns.pcap-dist 4095] \
+	[29.178.88.193].53 [123.118.213.76].53174  \
+	dns QUERY,NOERROR,48648,qr|rd|ra \
+	1 g.root-servers.net.,IN,A \
+	1 g.root-servers.net.,IN,A,85094,192.112.36.4 0 0
+[92] 2023-07-05 07:21:42.739558 [#9 edns.pcap-dist 4095] \
+	[29.178.88.193].53 [123.118.213.76].53174  \
+	dns QUERY,NOERROR,48141,qr|rd|ra \
+	1 g.root-servers.net.,IN,AAAA \
+	1 g.root-servers.net.,IN,AAAA,85094,2001:500:12::d0d 0 0
+[83] 2023-07-05 07:21:42.740590 [#10 edns.pcap-dist 4095] \
+	[123.118.213.76].50901 [67.192.17.119].53  \
+	dns QUERY,NOERROR,35713,rd|ad \
+	1 net.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=23,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[ECS,family=1,source=24,scope=0,addr=34.29.83.0],edns0opt[code=10,codelen=8]
+[895] 2023-07-05 07:21:42.836816 [#11 edns.pcap-dist 4095] \
+	[67.192.17.119].53 [123.118.213.76].50901  \
+	dns QUERY,NOERROR,35713,qr|rd \
+	1 net.,IN,A 0 \
+	13 net.,IN,NS,172800,j.gtld-servers.net. \
+	net.,IN,NS,172800,b.gtld-servers.net. \
+	net.,IN,NS,172800,a.gtld-servers.net. \
+	net.,IN,NS,172800,h.gtld-servers.net. \
+	net.,IN,NS,172800,d.gtld-servers.net. \
+	net.,IN,NS,172800,c.gtld-servers.net. \
+	net.,IN,NS,172800,i.gtld-servers.net. \
+	net.,IN,NS,172800,e.gtld-servers.net. \
+	net.,IN,NS,172800,m.gtld-servers.net. \
+	net.,IN,NS,172800,f.gtld-servers.net. \
+	net.,IN,NS,172800,k.gtld-servers.net. \
+	net.,IN,NS,172800,l.gtld-servers.net. \
+	net.,IN,NS,172800,g.gtld-servers.net. \
+	27 m.gtld-servers.net.,IN,A,172800,192.55.83.30 \
+	l.gtld-servers.net.,IN,A,172800,192.41.162.30 \
+	k.gtld-servers.net.,IN,A,172800,192.52.178.30 \
+	j.gtld-servers.net.,IN,A,172800,192.48.79.30 \
+	i.gtld-servers.net.,IN,A,172800,192.43.172.30 \
+	h.gtld-servers.net.,IN,A,172800,192.54.112.30 \
+	g.gtld-servers.net.,IN,A,172800,192.42.93.30 \
+	f.gtld-servers.net.,IN,A,172800,192.35.51.30 \
+	e.gtld-servers.net.,IN,A,172800,192.12.94.30 \
+	d.gtld-servers.net.,IN,A,172800,192.31.80.30 \
+	c.gtld-servers.net.,IN,A,172800,192.26.92.30 \
+	b.gtld-servers.net.,IN,A,172800,192.33.14.30 \
+	a.gtld-servers.net.,IN,A,172800,192.5.6.30 \
+	m.gtld-servers.net.,IN,AAAA,172800,2001:501:b1f9::30 \
+	l.gtld-servers.net.,IN,AAAA,172800,2001:500:d937::30 \
+	k.gtld-servers.net.,IN,AAAA,172800,2001:503:d2d::30 \
+	j.gtld-servers.net.,IN,AAAA,172800,2001:502:7094::30 \
+	i.gtld-servers.net.,IN,AAAA,172800,2001:503:39c1::30 \
+	h.gtld-servers.net.,IN,AAAA,172800,2001:502:8cc::30 \
+	g.gtld-servers.net.,IN,AAAA,172800,2001:503:eea3::30 \
+	f.gtld-servers.net.,IN,AAAA,172800,2001:503:d414::30 \
+	e.gtld-servers.net.,IN,AAAA,172800,2001:502:1ca1::30 \
+	d.gtld-servers.net.,IN,AAAA,172800,2001:500:856e::30 \
+	c.gtld-servers.net.,IN,AAAA,172800,2001:503:83eb::30 \
+	b.gtld-servers.net.,IN,AAAA,172800,2001:503:231d::2:30 \
+	a.gtld-servers.net.,IN,AAAA,172800,2001:503:a83e::2:30 \
+	.,1232,1232,0,edns0[len=39,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=24],edns0opt[ECS,family=1,source=24,scope=0,addr=34.29.83.0]
+[86] 2023-07-05 07:21:46.511502 [#12 edns.pcap-dist 4095] \
+	[123.118.213.76].35191 [99.195.235.60].53  \
+	dns QUERY,NOERROR,960,rd|ad \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=12,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=8]
+[131] 2023-07-05 07:21:46.518500 [#13 edns.pcap-dist 4095] \
+	[99.195.235.60].53 [123.118.213.76].35191  \
+	dns QUERY,SERVFAIL,960,qr|rd|ra \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,1232,1232,0,edns0[len=57,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=15,codelen=53]
+[64] 2023-07-05 07:21:38.669836 [#0 edns.pcap-dist 4095] \
+	[172.17.0.6].58541 [172.17.0.1].53  \
+	dns QUERY,NOERROR,31428,rd \
+	1 h.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:38.669891 [#1 edns.pcap-dist 4095] \
+	[172.17.0.6].58541 [172.17.0.1].53  \
+	dns QUERY,NOERROR,5824,rd \
+	1 h.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:38.669977 [#2 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].58541  \
+	dns QUERY,NOERROR,31428,qr|rd|ra \
+	1 h.root-servers.net.,IN,A \
+	1 h.root-servers.net.,IN,A,85098,198.97.190.53 0 0
+[92] 2023-07-05 07:21:38.670010 [#3 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].58541  \
+	dns QUERY,NOERROR,5824,qr|rd|ra \
+	1 h.root-servers.net.,IN,AAAA \
+	1 h.root-servers.net.,IN,AAAA,85098,2001:500:1::53 0 0
+[88] 2023-07-05 07:21:38.670793 [#4 edns.pcap-dist 4095] \
+	[172.17.0.6].33737 [198.97.190.53].53  \
+	dns QUERY,NOERROR,56979,rd|ad \
+	1 ns1.dns.nic.aaa.,IN,NS 0 0 \
+	1 .,4096,4096,0,edns0[len=16,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=0],edns0opt[code=10,codelen=8]
+[464] 2023-07-05 07:21:38.698303 [#5 edns.pcap-dist 4095] \
+	[198.97.190.53].53 [172.17.0.6].33737  \
+	dns QUERY,NOERROR,56979,qr|rd \
+	1 ns1.dns.nic.aaa.,IN,NS 0 \
+	6 aaa.,IN,NS,172800,a.nic.aaa. \
+	aaa.,IN,NS,172800,b.nic.aaa. \
+	aaa.,IN,NS,172800,c.nic.aaa. \
+	aaa.,IN,NS,172800,ns1.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns2.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns3.dns.nic.aaa. \
+	13 a.nic.aaa.,IN,A,172800,37.209.192.9 \
+	b.nic.aaa.,IN,A,172800,37.209.194.9 \
+	c.nic.aaa.,IN,A,172800,37.209.196.9 \
+	ns1.dns.nic.aaa.,IN,A,172800,156.154.144.2 \
+	ns2.dns.nic.aaa.,IN,A,172800,156.154.145.2 \
+	ns3.dns.nic.aaa.,IN,A,172800,156.154.159.2 \
+	a.nic.aaa.,IN,AAAA,172800,2001:dcd:1::9 \
+	b.nic.aaa.,IN,AAAA,172800,2001:dcd:2::9 \
+	c.nic.aaa.,IN,AAAA,172800,2001:dcd:3::9 \
+	ns1.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1071::2 \
+	ns2.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1072::2 \
+	ns3.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1073::2 \
+	.,1232,1232,0,edns0[len=30,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=26]
+[64] 2023-07-05 07:21:42.739334 [#6 edns.pcap-dist 4095] \
+	[172.17.0.6].53174 [172.17.0.1].53  \
+	dns QUERY,NOERROR,48648,rd \
+	1 g.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:42.739396 [#7 edns.pcap-dist 4095] \
+	[172.17.0.6].53174 [172.17.0.1].53  \
+	dns QUERY,NOERROR,48141,rd \
+	1 g.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:42.739525 [#8 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].53174  \
+	dns QUERY,NOERROR,48648,qr|rd|ra \
+	1 g.root-servers.net.,IN,A \
+	1 g.root-servers.net.,IN,A,85094,192.112.36.4 0 0
+[92] 2023-07-05 07:21:42.739558 [#9 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].53174  \
+	dns QUERY,NOERROR,48141,qr|rd|ra \
+	1 g.root-servers.net.,IN,AAAA \
+	1 g.root-servers.net.,IN,AAAA,85094,2001:500:12::d0d 0 0
+[83] 2023-07-05 07:21:42.740590 [#10 edns.pcap-dist 4095] \
+	[172.17.0.6].50901 [192.112.36.4].53  \
+	dns QUERY,NOERROR,35713,rd|ad \
+	1 net.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=23,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[ECS,family=1,source=24,scope=0,addr=34.29.83.0],edns0opt[code=10,codelen=8]
+[895] 2023-07-05 07:21:42.836816 [#11 edns.pcap-dist 4095] \
+	[192.112.36.4].53 [172.17.0.6].50901  \
+	dns QUERY,NOERROR,35713,qr|rd \
+	1 net.,IN,A 0 \
+	13 net.,IN,NS,172800,j.gtld-servers.net. \
+	net.,IN,NS,172800,b.gtld-servers.net. \
+	net.,IN,NS,172800,a.gtld-servers.net. \
+	net.,IN,NS,172800,h.gtld-servers.net. \
+	net.,IN,NS,172800,d.gtld-servers.net. \
+	net.,IN,NS,172800,c.gtld-servers.net. \
+	net.,IN,NS,172800,i.gtld-servers.net. \
+	net.,IN,NS,172800,e.gtld-servers.net. \
+	net.,IN,NS,172800,m.gtld-servers.net. \
+	net.,IN,NS,172800,f.gtld-servers.net. \
+	net.,IN,NS,172800,k.gtld-servers.net. \
+	net.,IN,NS,172800,l.gtld-servers.net. \
+	net.,IN,NS,172800,g.gtld-servers.net. \
+	27 m.gtld-servers.net.,IN,A,172800,192.55.83.30 \
+	l.gtld-servers.net.,IN,A,172800,192.41.162.30 \
+	k.gtld-servers.net.,IN,A,172800,192.52.178.30 \
+	j.gtld-servers.net.,IN,A,172800,192.48.79.30 \
+	i.gtld-servers.net.,IN,A,172800,192.43.172.30 \
+	h.gtld-servers.net.,IN,A,172800,192.54.112.30 \
+	g.gtld-servers.net.,IN,A,172800,192.42.93.30 \
+	f.gtld-servers.net.,IN,A,172800,192.35.51.30 \
+	e.gtld-servers.net.,IN,A,172800,192.12.94.30 \
+	d.gtld-servers.net.,IN,A,172800,192.31.80.30 \
+	c.gtld-servers.net.,IN,A,172800,192.26.92.30 \
+	b.gtld-servers.net.,IN,A,172800,192.33.14.30 \
+	a.gtld-servers.net.,IN,A,172800,192.5.6.30 \
+	m.gtld-servers.net.,IN,AAAA,172800,2001:501:b1f9::30 \
+	l.gtld-servers.net.,IN,AAAA,172800,2001:500:d937::30 \
+	k.gtld-servers.net.,IN,AAAA,172800,2001:503:d2d::30 \
+	j.gtld-servers.net.,IN,AAAA,172800,2001:502:7094::30 \
+	i.gtld-servers.net.,IN,AAAA,172800,2001:503:39c1::30 \
+	h.gtld-servers.net.,IN,AAAA,172800,2001:502:8cc::30 \
+	g.gtld-servers.net.,IN,AAAA,172800,2001:503:eea3::30 \
+	f.gtld-servers.net.,IN,AAAA,172800,2001:503:d414::30 \
+	e.gtld-servers.net.,IN,AAAA,172800,2001:502:1ca1::30 \
+	d.gtld-servers.net.,IN,AAAA,172800,2001:500:856e::30 \
+	c.gtld-servers.net.,IN,AAAA,172800,2001:503:83eb::30 \
+	b.gtld-servers.net.,IN,AAAA,172800,2001:503:231d::2:30 \
+	a.gtld-servers.net.,IN,AAAA,172800,2001:503:a83e::2:30 \
+	.,1232,1232,0,edns0[len=39,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=24],edns0opt[ECS,family=1,source=24,scope=0,addr=34.29.83.0]
+[86] 2023-07-05 07:21:46.511502 [#12 edns.pcap-dist 4095] \
+	[172.17.0.6].35191 [1.1.1.1].53  \
+	dns QUERY,NOERROR,960,rd|ad \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=12,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=8]
+[131] 2023-07-05 07:21:46.518500 [#13 edns.pcap-dist 4095] \
+	[1.1.1.1].53 [172.17.0.6].35191  \
+	dns QUERY,SERVFAIL,960,qr|rd|ra \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,1232,1232,0,edns0[len=57,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=15,codelen=53]

plugins/anonaes128/test1.sh

@@ -16,6 +16,11 @@ ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
 ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -s 2>>test1.out
 ! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -c -s 2>>test1.out
 
+ln -fs "$srcdir/../../src/test/edns.pcap" edns.pcap-dist
+
+../../src/dnscap -r edns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -e 2>>test1.out
+../../src/dnscap -r edns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -E 2>>test1.out
+
 osrel=`uname -s`
 if [ "$osrel" = "OpenBSD" ]; then
     mv test1.out test1.out.old

plugins/anonaes128/test2.sh

@@ -19,12 +19,4 @@ if [ "$osrel" = "OpenBSD" ]; then
     rm test2.out.old
 fi
 
-# TODO: Remove when #133 is fixed
-cat test2.out | \
-  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
-  sed 's%,CLASS512,OPT,%,512,512,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
-mv test2.new test2.out
-
 diff test2.out "$srcdir/test2.gold"

plugins/anonaes128/test3.sh

@@ -18,12 +18,4 @@ if [ "$osrel" = "OpenBSD" ]; then
     rm test3.out.old
 fi
 
-# TODO: Remove when #133 is fixed
-cat test3.out | \
-  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
-  sed 's%,CLASS512,OPT,%,512,512,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
-mv test3.new test3.out
-
 diff test3.out "$srcdir/test3.gold"

plugins/anonmask/Makefile.am

@@ -1,9 +1,10 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
+    -I$(top_srcdir)/plugins/shared \
     $(SECCOMPFLAGS)
 
 pkglib_LTLIBRARIES = anonmask.la

plugins/anonmask/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -205,8 +205,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -362,6 +360,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -400,6 +399,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -410,6 +411,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -516,10 +518,11 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov test1.out test2.out
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist test1.out test2.out
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
+    -I$(top_srcdir)/plugins/shared \
     $(SECCOMPFLAGS)
 
 pkglib_LTLIBRARIES = anonmask.la
@@ -803,7 +806,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -872,7 +875,6 @@ test3.sh.log: test3.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

plugins/anonmask/anonmask.c

@@ -43,10 +43,12 @@
 
 #include "dnscap_common.h"
 
+#include "edns0_ecs.c"
+
 static set_iaddr_t anonmask_set_iaddr = 0;
 
 static logerr_t*       logerr;
-static int             only_clients = 0, only_servers = 0, mask_port = 53, mask_v4 = 24, mask_v6 = 48;
+static int             only_clients = 0, only_servers = 0, mask_port = 53, mask_v4 = 24, mask_v6 = 48, edns = 0;
 static struct in_addr  in4  = { INADDR_ANY };
 static struct in6_addr in6  = IN6ADDR_ANY_INIT;
 static uint32_t*       in6p = (uint32_t*)&in6;
@@ -71,7 +73,9 @@ void anonmask_usage()
         "\t-s            Only mask servers (port == 53)\n"
         "\t-p <port>     Set port for -c/-s masking, default 53\n"
         "\t-4 <netmask>  The /mask for IPv4 addresses, default /24\n"
-        "\t-6 <netmask>  The /mask for IPv6 addresses, default /48\n");
+        "\t-6 <netmask>  The /mask for IPv6 addresses, default /48\n"
+        "\t-e            Also mask EDNS(0) Client Subnet\n"
+        "\t-E            ONLY mask EDNS(0) Client Subnet, not IP addresses\n");
 }
 
 void anonmask_extension(int ext, void* arg)
@@ -89,7 +93,7 @@ void anonmask_getopt(int* argc, char** argv[])
     unsigned long ul;
     char*         p;
 
-    while ((c = getopt(*argc, *argv, "?csp:4:6:")) != EOF) {
+    while ((c = getopt(*argc, *argv, "?csp:4:6:eE")) != EOF) {
         switch (c) {
         case 'c':
             only_clients = 1;
@@ -115,6 +119,13 @@ void anonmask_getopt(int* argc, char** argv[])
                 usage("IPv6 mask must be an integer 0..127");
             mask_v6 = (unsigned)ul;
             break;
+        case 'e':
+            if (!edns)
+                edns = 1;
+            break;
+        case 'E':
+            edns = -1;
+            break;
         case '?':
             anonmask_usage();
             if (!optopt || optopt == '?') {
@@ -173,11 +184,43 @@ int anonmask_close(my_bpftimeval ts)
     return 0;
 }
 
+void ecs_callback(int family, u_char* buf, size_t len)
+{
+    u_char* mask;
+
+    switch (family) {
+    case 1: // IPv4
+        if (len > sizeof(struct in_addr))
+            break;
+        mask = (u_char*)&in4;
+        while (len--) {
+            *buf++ &= *mask++;
+        }
+        break;
+    case 2: // IPv6
+        if (len > sizeof(struct in6_addr))
+            break;
+        mask = (u_char*)&in6;
+        while (len--) {
+            *buf++ &= *mask++;
+        }
+        break;
+    default:
+        break;
+    }
+}
+
 int anonmask_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
     unsigned sport, unsigned dport, my_bpftimeval ts,
-    const u_char* pkt_copy, const unsigned olen,
-    const u_char* payload, const unsigned payloadlen)
+    u_char* pkt_copy, unsigned olen,
+    u_char* payload, unsigned payloadlen)
 {
+    if (edns && flags & DNSCAP_OUTPUT_ISDNS && payload && payloadlen > DNS_MSG_HDR_SZ) {
+        parse_for_edns0_ecs(payload, payloadlen, ecs_callback);
+        if (edns < 0)
+            return 0;
+    }
+
     uint32_t* p6;
 
     for (;;) {

plugins/anonmask/test1.gold

@@ -2855,3 +2855,249 @@
 	ns3.google.com.,IN,A,157794,216.239.36.10 \
 	ns4.google.com.,IN,A,157794,216.239.38.10
 anonmask.so usage error: -c and -s options are mutually exclusive
+[64] 2023-07-05 07:21:38.669836 [#0 edns.pcap-dist 4095] \
+	[172.0.0.0].58541 [172.0.0.0].53  \
+	dns QUERY,NOERROR,31428,rd \
+	1 h.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:38.669891 [#1 edns.pcap-dist 4095] \
+	[172.0.0.0].58541 [172.0.0.0].53  \
+	dns QUERY,NOERROR,5824,rd \
+	1 h.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:38.669977 [#2 edns.pcap-dist 4095] \
+	[172.0.0.0].53 [172.0.0.0].58541  \
+	dns QUERY,NOERROR,31428,qr|rd|ra \
+	1 h.root-servers.net.,IN,A \
+	1 h.root-servers.net.,IN,A,85098,198.97.190.53 0 0
+[92] 2023-07-05 07:21:38.670010 [#3 edns.pcap-dist 4095] \
+	[172.0.0.0].53 [172.0.0.0].58541  \
+	dns QUERY,NOERROR,5824,qr|rd|ra \
+	1 h.root-servers.net.,IN,AAAA \
+	1 h.root-servers.net.,IN,AAAA,85098,2001:500:1::53 0 0
+[88] 2023-07-05 07:21:38.670793 [#4 edns.pcap-dist 4095] \
+	[172.0.0.0].33737 [198.0.0.0].53  \
+	dns QUERY,NOERROR,56979,rd|ad \
+	1 ns1.dns.nic.aaa.,IN,NS 0 0 \
+	1 .,4096,4096,0,edns0[len=16,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=0],edns0opt[code=10,codelen=8]
+[464] 2023-07-05 07:21:38.698303 [#5 edns.pcap-dist 4095] \
+	[198.0.0.0].53 [172.0.0.0].33737  \
+	dns QUERY,NOERROR,56979,qr|rd \
+	1 ns1.dns.nic.aaa.,IN,NS 0 \
+	6 aaa.,IN,NS,172800,a.nic.aaa. \
+	aaa.,IN,NS,172800,b.nic.aaa. \
+	aaa.,IN,NS,172800,c.nic.aaa. \
+	aaa.,IN,NS,172800,ns1.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns2.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns3.dns.nic.aaa. \
+	13 a.nic.aaa.,IN,A,172800,37.209.192.9 \
+	b.nic.aaa.,IN,A,172800,37.209.194.9 \
+	c.nic.aaa.,IN,A,172800,37.209.196.9 \
+	ns1.dns.nic.aaa.,IN,A,172800,156.154.144.2 \
+	ns2.dns.nic.aaa.,IN,A,172800,156.154.145.2 \
+	ns3.dns.nic.aaa.,IN,A,172800,156.154.159.2 \
+	a.nic.aaa.,IN,AAAA,172800,2001:dcd:1::9 \
+	b.nic.aaa.,IN,AAAA,172800,2001:dcd:2::9 \
+	c.nic.aaa.,IN,AAAA,172800,2001:dcd:3::9 \
+	ns1.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1071::2 \
+	ns2.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1072::2 \
+	ns3.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1073::2 \
+	.,1232,1232,0,edns0[len=30,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=26]
+[64] 2023-07-05 07:21:42.739334 [#6 edns.pcap-dist 4095] \
+	[172.0.0.0].53174 [172.0.0.0].53  \
+	dns QUERY,NOERROR,48648,rd \
+	1 g.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:42.739396 [#7 edns.pcap-dist 4095] \
+	[172.0.0.0].53174 [172.0.0.0].53  \
+	dns QUERY,NOERROR,48141,rd \
+	1 g.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:42.739525 [#8 edns.pcap-dist 4095] \
+	[172.0.0.0].53 [172.0.0.0].53174  \
+	dns QUERY,NOERROR,48648,qr|rd|ra \
+	1 g.root-servers.net.,IN,A \
+	1 g.root-servers.net.,IN,A,85094,192.112.36.4 0 0
+[92] 2023-07-05 07:21:42.739558 [#9 edns.pcap-dist 4095] \
+	[172.0.0.0].53 [172.0.0.0].53174  \
+	dns QUERY,NOERROR,48141,qr|rd|ra \
+	1 g.root-servers.net.,IN,AAAA \
+	1 g.root-servers.net.,IN,AAAA,85094,2001:500:12::d0d 0 0
+[83] 2023-07-05 07:21:42.740590 [#10 edns.pcap-dist 4095] \
+	[172.0.0.0].50901 [192.0.0.0].53  \
+	dns QUERY,NOERROR,35713,rd|ad \
+	1 net.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=23,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[ECS,family=1,source=24,scope=0,addr=172.0.0.0],edns0opt[code=10,codelen=8]
+[895] 2023-07-05 07:21:42.836816 [#11 edns.pcap-dist 4095] \
+	[192.0.0.0].53 [172.0.0.0].50901  \
+	dns QUERY,NOERROR,35713,qr|rd \
+	1 net.,IN,A 0 \
+	13 net.,IN,NS,172800,j.gtld-servers.net. \
+	net.,IN,NS,172800,b.gtld-servers.net. \
+	net.,IN,NS,172800,a.gtld-servers.net. \
+	net.,IN,NS,172800,h.gtld-servers.net. \
+	net.,IN,NS,172800,d.gtld-servers.net. \
+	net.,IN,NS,172800,c.gtld-servers.net. \
+	net.,IN,NS,172800,i.gtld-servers.net. \
+	net.,IN,NS,172800,e.gtld-servers.net. \
+	net.,IN,NS,172800,m.gtld-servers.net. \
+	net.,IN,NS,172800,f.gtld-servers.net. \
+	net.,IN,NS,172800,k.gtld-servers.net. \
+	net.,IN,NS,172800,l.gtld-servers.net. \
+	net.,IN,NS,172800,g.gtld-servers.net. \
+	27 m.gtld-servers.net.,IN,A,172800,192.55.83.30 \
+	l.gtld-servers.net.,IN,A,172800,192.41.162.30 \
+	k.gtld-servers.net.,IN,A,172800,192.52.178.30 \
+	j.gtld-servers.net.,IN,A,172800,192.48.79.30 \
+	i.gtld-servers.net.,IN,A,172800,192.43.172.30 \
+	h.gtld-servers.net.,IN,A,172800,192.54.112.30 \
+	g.gtld-servers.net.,IN,A,172800,192.42.93.30 \
+	f.gtld-servers.net.,IN,A,172800,192.35.51.30 \
+	e.gtld-servers.net.,IN,A,172800,192.12.94.30 \
+	d.gtld-servers.net.,IN,A,172800,192.31.80.30 \
+	c.gtld-servers.net.,IN,A,172800,192.26.92.30 \
+	b.gtld-servers.net.,IN,A,172800,192.33.14.30 \
+	a.gtld-servers.net.,IN,A,172800,192.5.6.30 \
+	m.gtld-servers.net.,IN,AAAA,172800,2001:501:b1f9::30 \
+	l.gtld-servers.net.,IN,AAAA,172800,2001:500:d937::30 \
+	k.gtld-servers.net.,IN,AAAA,172800,2001:503:d2d::30 \
+	j.gtld-servers.net.,IN,AAAA,172800,2001:502:7094::30 \
+	i.gtld-servers.net.,IN,AAAA,172800,2001:503:39c1::30 \
+	h.gtld-servers.net.,IN,AAAA,172800,2001:502:8cc::30 \
+	g.gtld-servers.net.,IN,AAAA,172800,2001:503:eea3::30 \
+	f.gtld-servers.net.,IN,AAAA,172800,2001:503:d414::30 \
+	e.gtld-servers.net.,IN,AAAA,172800,2001:502:1ca1::30 \
+	d.gtld-servers.net.,IN,AAAA,172800,2001:500:856e::30 \
+	c.gtld-servers.net.,IN,AAAA,172800,2001:503:83eb::30 \
+	b.gtld-servers.net.,IN,AAAA,172800,2001:503:231d::2:30 \
+	a.gtld-servers.net.,IN,AAAA,172800,2001:503:a83e::2:30 \
+	.,1232,1232,0,edns0[len=39,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=24],edns0opt[ECS,family=1,source=24,scope=0,addr=172.0.0.0]
+[86] 2023-07-05 07:21:46.511502 [#12 edns.pcap-dist 4095] \
+	[172.0.0.0].35191 [1.0.0.0].53  \
+	dns QUERY,NOERROR,960,rd|ad \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=12,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=8]
+[131] 2023-07-05 07:21:46.518500 [#13 edns.pcap-dist 4095] \
+	[1.0.0.0].53 [172.0.0.0].35191  \
+	dns QUERY,SERVFAIL,960,qr|rd|ra \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,1232,1232,0,edns0[len=57,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=15,codelen=53]
+[64] 2023-07-05 07:21:38.669836 [#0 edns.pcap-dist 4095] \
+	[172.17.0.6].58541 [172.17.0.1].53  \
+	dns QUERY,NOERROR,31428,rd \
+	1 h.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:38.669891 [#1 edns.pcap-dist 4095] \
+	[172.17.0.6].58541 [172.17.0.1].53  \
+	dns QUERY,NOERROR,5824,rd \
+	1 h.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:38.669977 [#2 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].58541  \
+	dns QUERY,NOERROR,31428,qr|rd|ra \
+	1 h.root-servers.net.,IN,A \
+	1 h.root-servers.net.,IN,A,85098,198.97.190.53 0 0
+[92] 2023-07-05 07:21:38.670010 [#3 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].58541  \
+	dns QUERY,NOERROR,5824,qr|rd|ra \
+	1 h.root-servers.net.,IN,AAAA \
+	1 h.root-servers.net.,IN,AAAA,85098,2001:500:1::53 0 0
+[88] 2023-07-05 07:21:38.670793 [#4 edns.pcap-dist 4095] \
+	[172.17.0.6].33737 [198.97.190.53].53  \
+	dns QUERY,NOERROR,56979,rd|ad \
+	1 ns1.dns.nic.aaa.,IN,NS 0 0 \
+	1 .,4096,4096,0,edns0[len=16,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=0],edns0opt[code=10,codelen=8]
+[464] 2023-07-05 07:21:38.698303 [#5 edns.pcap-dist 4095] \
+	[198.97.190.53].53 [172.17.0.6].33737  \
+	dns QUERY,NOERROR,56979,qr|rd \
+	1 ns1.dns.nic.aaa.,IN,NS 0 \
+	6 aaa.,IN,NS,172800,a.nic.aaa. \
+	aaa.,IN,NS,172800,b.nic.aaa. \
+	aaa.,IN,NS,172800,c.nic.aaa. \
+	aaa.,IN,NS,172800,ns1.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns2.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns3.dns.nic.aaa. \
+	13 a.nic.aaa.,IN,A,172800,37.209.192.9 \
+	b.nic.aaa.,IN,A,172800,37.209.194.9 \
+	c.nic.aaa.,IN,A,172800,37.209.196.9 \
+	ns1.dns.nic.aaa.,IN,A,172800,156.154.144.2 \
+	ns2.dns.nic.aaa.,IN,A,172800,156.154.145.2 \
+	ns3.dns.nic.aaa.,IN,A,172800,156.154.159.2 \
+	a.nic.aaa.,IN,AAAA,172800,2001:dcd:1::9 \
+	b.nic.aaa.,IN,AAAA,172800,2001:dcd:2::9 \
+	c.nic.aaa.,IN,AAAA,172800,2001:dcd:3::9 \
+	ns1.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1071::2 \
+	ns2.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1072::2 \
+	ns3.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1073::2 \
+	.,1232,1232,0,edns0[len=30,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=26]
+[64] 2023-07-05 07:21:42.739334 [#6 edns.pcap-dist 4095] \
+	[172.17.0.6].53174 [172.17.0.1].53  \
+	dns QUERY,NOERROR,48648,rd \
+	1 g.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:42.739396 [#7 edns.pcap-dist 4095] \
+	[172.17.0.6].53174 [172.17.0.1].53  \
+	dns QUERY,NOERROR,48141,rd \
+	1 g.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:42.739525 [#8 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].53174  \
+	dns QUERY,NOERROR,48648,qr|rd|ra \
+	1 g.root-servers.net.,IN,A \
+	1 g.root-servers.net.,IN,A,85094,192.112.36.4 0 0
+[92] 2023-07-05 07:21:42.739558 [#9 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].53174  \
+	dns QUERY,NOERROR,48141,qr|rd|ra \
+	1 g.root-servers.net.,IN,AAAA \
+	1 g.root-servers.net.,IN,AAAA,85094,2001:500:12::d0d 0 0
+[83] 2023-07-05 07:21:42.740590 [#10 edns.pcap-dist 4095] \
+	[172.17.0.6].50901 [192.112.36.4].53  \
+	dns QUERY,NOERROR,35713,rd|ad \
+	1 net.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=23,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[ECS,family=1,source=24,scope=0,addr=172.0.0.0],edns0opt[code=10,codelen=8]
+[895] 2023-07-05 07:21:42.836816 [#11 edns.pcap-dist 4095] \
+	[192.112.36.4].53 [172.17.0.6].50901  \
+	dns QUERY,NOERROR,35713,qr|rd \
+	1 net.,IN,A 0 \
+	13 net.,IN,NS,172800,j.gtld-servers.net. \
+	net.,IN,NS,172800,b.gtld-servers.net. \
+	net.,IN,NS,172800,a.gtld-servers.net. \
+	net.,IN,NS,172800,h.gtld-servers.net. \
+	net.,IN,NS,172800,d.gtld-servers.net. \
+	net.,IN,NS,172800,c.gtld-servers.net. \
+	net.,IN,NS,172800,i.gtld-servers.net. \
+	net.,IN,NS,172800,e.gtld-servers.net. \
+	net.,IN,NS,172800,m.gtld-servers.net. \
+	net.,IN,NS,172800,f.gtld-servers.net. \
+	net.,IN,NS,172800,k.gtld-servers.net. \
+	net.,IN,NS,172800,l.gtld-servers.net. \
+	net.,IN,NS,172800,g.gtld-servers.net. \
+	27 m.gtld-servers.net.,IN,A,172800,192.55.83.30 \
+	l.gtld-servers.net.,IN,A,172800,192.41.162.30 \
+	k.gtld-servers.net.,IN,A,172800,192.52.178.30 \
+	j.gtld-servers.net.,IN,A,172800,192.48.79.30 \
+	i.gtld-servers.net.,IN,A,172800,192.43.172.30 \
+	h.gtld-servers.net.,IN,A,172800,192.54.112.30 \
+	g.gtld-servers.net.,IN,A,172800,192.42.93.30 \
+	f.gtld-servers.net.,IN,A,172800,192.35.51.30 \
+	e.gtld-servers.net.,IN,A,172800,192.12.94.30 \
+	d.gtld-servers.net.,IN,A,172800,192.31.80.30 \
+	c.gtld-servers.net.,IN,A,172800,192.26.92.30 \
+	b.gtld-servers.net.,IN,A,172800,192.33.14.30 \
+	a.gtld-servers.net.,IN,A,172800,192.5.6.30 \
+	m.gtld-servers.net.,IN,AAAA,172800,2001:501:b1f9::30 \
+	l.gtld-servers.net.,IN,AAAA,172800,2001:500:d937::30 \
+	k.gtld-servers.net.,IN,AAAA,172800,2001:503:d2d::30 \
+	j.gtld-servers.net.,IN,AAAA,172800,2001:502:7094::30 \
+	i.gtld-servers.net.,IN,AAAA,172800,2001:503:39c1::30 \
+	h.gtld-servers.net.,IN,AAAA,172800,2001:502:8cc::30 \
+	g.gtld-servers.net.,IN,AAAA,172800,2001:503:eea3::30 \
+	f.gtld-servers.net.,IN,AAAA,172800,2001:503:d414::30 \
+	e.gtld-servers.net.,IN,AAAA,172800,2001:502:1ca1::30 \
+	d.gtld-servers.net.,IN,AAAA,172800,2001:500:856e::30 \
+	c.gtld-servers.net.,IN,AAAA,172800,2001:503:83eb::30 \
+	b.gtld-servers.net.,IN,AAAA,172800,2001:503:231d::2:30 \
+	a.gtld-servers.net.,IN,AAAA,172800,2001:503:a83e::2:30 \
+	.,1232,1232,0,edns0[len=39,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=24],edns0opt[ECS,family=1,source=24,scope=0,addr=172.0.0.0]
+[86] 2023-07-05 07:21:46.511502 [#12 edns.pcap-dist 4095] \
+	[172.17.0.6].35191 [1.1.1.1].53  \
+	dns QUERY,NOERROR,960,rd|ad \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=12,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=8]
+[131] 2023-07-05 07:21:46.518500 [#13 edns.pcap-dist 4095] \
+	[1.1.1.1].53 [172.17.0.6].35191  \
+	dns QUERY,SERVFAIL,960,qr|rd|ra \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,1232,1232,0,edns0[len=57,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=15,codelen=53]

plugins/anonmask/test1.sh

@@ -14,6 +14,11 @@ ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
 ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s 2>>test1.out
 ! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -c -s 2>>test1.out
 
+ln -fs "$srcdir/../../src/test/edns.pcap" edns.pcap-dist
+
+../../src/dnscap -r edns.pcap-dist -g -P "$plugin" -4 8 -e 2>>test1.out
+../../src/dnscap -r edns.pcap-dist -g -P "$plugin" -4 8 -E 2>>test1.out
+
 osrel=`uname -s`
 if [ "$osrel" = "OpenBSD" ]; then
     mv test1.out test1.out.old

plugins/anonmask/test2.sh

@@ -23,12 +23,4 @@ if [ "$osrel" = "OpenBSD" ]; then
     rm test2.out.old
 fi
 
-# TODO: Remove when #133 is fixed
-cat test2.out | \
-  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
-  sed 's%,CLASS512,OPT,%,512,512,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
-mv test2.new test2.out
-
 diff test2.out "$srcdir/test2.gold"

plugins/cryptopan/Makefile.am

@@ -1,9 +1,10 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
+    -I$(top_srcdir)/plugins/shared \
     $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
 
 pkglib_LTLIBRARIES = cryptopan.la

plugins/cryptopan/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -205,8 +205,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -362,6 +360,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -400,6 +399,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -410,6 +411,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -516,12 +518,13 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov test1.out test2.out test3.out \
-	test3.pcap.20161020.152301.075993 \
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist test1.out test2.out \
+	test3.out test3.pcap.20161020.152301.075993 \
 	test3.pcap.20181127.155200.414188 test4.tmp
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
+    -I$(top_srcdir)/plugins/shared \
     $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
 
 pkglib_LTLIBRARIES = cryptopan.la
@@ -805,7 +808,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -881,7 +884,6 @@ test4.sh.log: test4.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

plugins/cryptopan/cryptopan.c

@@ -47,6 +47,10 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <netinet/in.h>
+#ifndef s6_addr32
+#define s6_addr32 __u6_addr.__u6_addr32
+#endif
 
 #include "dnscap_common.h"
 
@@ -55,12 +59,13 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #define USE_OPENSSL 1
+#include "edns0_ecs.c"
 #endif
 
 static set_iaddr_t cryptopan_set_iaddr = 0;
 
 static logerr_t*     logerr;
-static int           only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v6 = 0, decrypt = 0;
+static int           only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v6 = 0, decrypt = 0, edns = 0;
 static unsigned char key[16];
 static unsigned char iv[16];
 static unsigned char pad[16];
@@ -94,7 +99,9 @@ void cryptopan_usage()
         "\t-c            Only en/de-crypt clients (port != 53)\n"
         "\t-s            Only en/de-crypt servers (port == 53)\n"
         "\t-p <port>     Set port for -c/-s, default 53\n"
-        "\t-6            En/de-crypt IPv6 addresses, not default or recommended\n");
+        "\t-6            En/de-crypt IPv6 addresses, not default or recommended\n"
+        "\t-e            Also en/de-crypt EDNS(0) Client Subnet\n"
+        "\t-E            ONLY en/de-crypt EDNS(0) Client Subnet, not IP addresses\n");
 }
 
 void cryptopan_extension(int ext, void* arg)
@@ -112,7 +119,7 @@ void cryptopan_getopt(int* argc, char** argv[])
     unsigned long ul;
     char*         p;
 
-    while ((c = getopt(*argc, *argv, "?k:K:i:I:a:A:Dcsp:6")) != EOF) {
+    while ((c = getopt(*argc, *argv, "?k:K:i:I:a:A:Dcsp:6eE")) != EOF) {
         switch (c) {
         case 'k':
             if (strlen(optarg) != 16) {
@@ -207,6 +214,13 @@ void cryptopan_getopt(int* argc, char** argv[])
         case '6':
             encrypt_v6 = 1;
             break;
+        case 'e':
+            if (!edns)
+                edns = 1;
+            break;
+        case 'E':
+            edns = -1;
+            break;
         case '?':
             cryptopan_usage();
             if (!optopt || optopt == '?') {
@@ -396,12 +410,56 @@ static inline void _decrypt(uint32_t* in)
 }
 #endif
 
+#ifdef USE_OPENSSL
+void ecs_callback(int family, u_char* buf, size_t len)
+{
+    struct in6_addr in6 = IN6ADDR_ANY_INIT;
+
+    switch (family) {
+    case 1: // IPv4
+        if (len > sizeof(struct in_addr))
+            break;
+        memcpy(&in6, buf, len);
+        decrypt ? _decrypt((uint32_t*)&in6) : _encrypt((uint32_t*)&in6);
+        memcpy(buf, &in6, len);
+        break;
+    case 2: // IPv6
+        if (len > sizeof(struct in6_addr))
+            break;
+        if (encrypt_v6) {
+            memcpy(&in6, buf, len);
+            if (decrypt) {
+                _decrypt(&in6.s6_addr32[0]);
+                _decrypt(&in6.s6_addr32[1]);
+                _decrypt(&in6.s6_addr32[2]);
+                _decrypt(&in6.s6_addr32[3]);
+            } else {
+                _encrypt(&in6.s6_addr32[0]);
+                _encrypt(&in6.s6_addr32[1]);
+                _encrypt(&in6.s6_addr32[2]);
+                _encrypt(&in6.s6_addr32[3]);
+            }
+            memcpy(buf, &in6, len);
+        }
+        break;
+    default:
+        break;
+    }
+}
+#endif
+
 int cryptopan_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
     unsigned sport, unsigned dport, my_bpftimeval ts,
-    const u_char* pkt_copy, const unsigned olen,
-    const u_char* payload, const unsigned payloadlen)
+    u_char* pkt_copy, const unsigned olen,
+    u_char* payload, const unsigned payloadlen)
 {
 #ifdef USE_OPENSSL
+    if (edns && flags & DNSCAP_OUTPUT_ISDNS && payload && payloadlen > DNS_MSG_HDR_SZ) {
+        parse_for_edns0_ecs(payload, payloadlen, ecs_callback);
+        if (edns < 0)
+            return 0;
+    }
+
     for (;;) {
         if (only_clients && sport == dns_port) {
             if (sport != dport) {
@@ -421,15 +479,15 @@ int cryptopan_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, u
         case AF_INET6:
             if (encrypt_v6) {
                 if (decrypt) {
-                    _decrypt((uint32_t*)&from->u.a6);
-                    _decrypt(((uint32_t*)&from->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
-                    _decrypt(((uint32_t*)&from->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
-                    _decrypt(((uint32_t*)&from->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                    _decrypt(&from->u.a6.s6_addr32[0]);
+                    _decrypt(&from->u.a6.s6_addr32[1]);
+                    _decrypt(&from->u.a6.s6_addr32[2]);
+                    _decrypt(&from->u.a6.s6_addr32[3]);
                 } else {
-                    _encrypt((uint32_t*)&from->u.a6);
-                    _encrypt(((uint32_t*)&from->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
-                    _encrypt(((uint32_t*)&from->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
-                    _encrypt(((uint32_t*)&from->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                    _encrypt(&from->u.a6.s6_addr32[0]);
+                    _encrypt(&from->u.a6.s6_addr32[1]);
+                    _encrypt(&from->u.a6.s6_addr32[2]);
+                    _encrypt(&from->u.a6.s6_addr32[3]);
                 }
                 break;
             }
@@ -459,15 +517,15 @@ int cryptopan_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, u
         case AF_INET6:
             if (encrypt_v6) {
                 if (decrypt) {
-                    _decrypt((uint32_t*)&to->u.a6);
-                    _decrypt(((uint32_t*)&to->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
-                    _decrypt(((uint32_t*)&to->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
-                    _decrypt(((uint32_t*)&to->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                    _decrypt(&to->u.a6.s6_addr32[0]);
+                    _decrypt(&to->u.a6.s6_addr32[1]);
+                    _decrypt(&to->u.a6.s6_addr32[2]);
+                    _decrypt(&to->u.a6.s6_addr32[3]);
                 } else {
-                    _encrypt((uint32_t*)&to->u.a6);
-                    _encrypt(((uint32_t*)&to->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
-                    _encrypt(((uint32_t*)&to->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
-                    _encrypt(((uint32_t*)&to->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                    _encrypt(&to->u.a6.s6_addr32[0]);
+                    _encrypt(&to->u.a6.s6_addr32[1]);
+                    _encrypt(&to->u.a6.s6_addr32[2]);
+                    _encrypt(&to->u.a6.s6_addr32[3]);
                 }
                 break;
             }

plugins/cryptopan/test1.gold

@@ -2145,3 +2145,249 @@ cryptopan.so usage error: must have key (-k/-K), IV (-i/-I) and padding (-a/-A)
 	ns3.google.com.,IN,A,157794,216.239.36.10 \
 	ns4.google.com.,IN,A,157794,216.239.38.10
 cryptopan.so usage error: -c and -s options are mutually exclusive
+[64] 2023-07-05 07:21:38.669836 [#0 edns.pcap-dist 4095] \
+	[137.205.188.240].58541 [137.205.188.246].53  \
+	dns QUERY,NOERROR,31428,rd \
+	1 h.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:38.669891 [#1 edns.pcap-dist 4095] \
+	[137.205.188.240].58541 [137.205.188.246].53  \
+	dns QUERY,NOERROR,5824,rd \
+	1 h.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:38.669977 [#2 edns.pcap-dist 4095] \
+	[137.205.188.246].53 [137.205.188.240].58541  \
+	dns QUERY,NOERROR,31428,qr|rd|ra \
+	1 h.root-servers.net.,IN,A \
+	1 h.root-servers.net.,IN,A,85098,198.97.190.53 0 0
+[92] 2023-07-05 07:21:38.670010 [#3 edns.pcap-dist 4095] \
+	[137.205.188.246].53 [137.205.188.240].58541  \
+	dns QUERY,NOERROR,5824,qr|rd|ra \
+	1 h.root-servers.net.,IN,AAAA \
+	1 h.root-servers.net.,IN,AAAA,85098,2001:500:1::53 0 0
+[88] 2023-07-05 07:21:38.670793 [#4 edns.pcap-dist 4095] \
+	[137.205.188.240].33737 [242.191.199.152].53  \
+	dns QUERY,NOERROR,56979,rd|ad \
+	1 ns1.dns.nic.aaa.,IN,NS 0 0 \
+	1 .,4096,4096,0,edns0[len=16,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=0],edns0opt[code=10,codelen=8]
+[464] 2023-07-05 07:21:38.698303 [#5 edns.pcap-dist 4095] \
+	[242.191.199.152].53 [137.205.188.240].33737  \
+	dns QUERY,NOERROR,56979,qr|rd \
+	1 ns1.dns.nic.aaa.,IN,NS 0 \
+	6 aaa.,IN,NS,172800,a.nic.aaa. \
+	aaa.,IN,NS,172800,b.nic.aaa. \
+	aaa.,IN,NS,172800,c.nic.aaa. \
+	aaa.,IN,NS,172800,ns1.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns2.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns3.dns.nic.aaa. \
+	13 a.nic.aaa.,IN,A,172800,37.209.192.9 \
+	b.nic.aaa.,IN,A,172800,37.209.194.9 \
+	c.nic.aaa.,IN,A,172800,37.209.196.9 \
+	ns1.dns.nic.aaa.,IN,A,172800,156.154.144.2 \
+	ns2.dns.nic.aaa.,IN,A,172800,156.154.145.2 \
+	ns3.dns.nic.aaa.,IN,A,172800,156.154.159.2 \
+	a.nic.aaa.,IN,AAAA,172800,2001:dcd:1::9 \
+	b.nic.aaa.,IN,AAAA,172800,2001:dcd:2::9 \
+	c.nic.aaa.,IN,AAAA,172800,2001:dcd:3::9 \
+	ns1.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1071::2 \
+	ns2.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1072::2 \
+	ns3.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1073::2 \
+	.,1232,1232,0,edns0[len=30,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=26]
+[64] 2023-07-05 07:21:42.739334 [#6 edns.pcap-dist 4095] \
+	[137.205.188.240].53174 [137.205.188.246].53  \
+	dns QUERY,NOERROR,48648,rd \
+	1 g.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:42.739396 [#7 edns.pcap-dist 4095] \
+	[137.205.188.240].53174 [137.205.188.246].53  \
+	dns QUERY,NOERROR,48141,rd \
+	1 g.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:42.739525 [#8 edns.pcap-dist 4095] \
+	[137.205.188.246].53 [137.205.188.240].53174  \
+	dns QUERY,NOERROR,48648,qr|rd|ra \
+	1 g.root-servers.net.,IN,A \
+	1 g.root-servers.net.,IN,A,85094,192.112.36.4 0 0
+[92] 2023-07-05 07:21:42.739558 [#9 edns.pcap-dist 4095] \
+	[137.205.188.246].53 [137.205.188.240].53174  \
+	dns QUERY,NOERROR,48141,qr|rd|ra \
+	1 g.root-servers.net.,IN,AAAA \
+	1 g.root-servers.net.,IN,AAAA,85094,2001:500:12::d0d 0 0
+[83] 2023-07-05 07:21:42.740590 [#10 edns.pcap-dist 4095] \
+	[137.205.188.240].50901 [245.202.0.100].53  \
+	dns QUERY,NOERROR,35713,rd|ad \
+	1 net.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=23,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[ECS,family=1,source=24,scope=0,addr=137.205.188.0],edns0opt[code=10,codelen=8]
+[895] 2023-07-05 07:21:42.836816 [#11 edns.pcap-dist 4095] \
+	[245.202.0.100].53 [137.205.188.240].50901  \
+	dns QUERY,NOERROR,35713,qr|rd \
+	1 net.,IN,A 0 \
+	13 net.,IN,NS,172800,j.gtld-servers.net. \
+	net.,IN,NS,172800,b.gtld-servers.net. \
+	net.,IN,NS,172800,a.gtld-servers.net. \
+	net.,IN,NS,172800,h.gtld-servers.net. \
+	net.,IN,NS,172800,d.gtld-servers.net. \
+	net.,IN,NS,172800,c.gtld-servers.net. \
+	net.,IN,NS,172800,i.gtld-servers.net. \
+	net.,IN,NS,172800,e.gtld-servers.net. \
+	net.,IN,NS,172800,m.gtld-servers.net. \
+	net.,IN,NS,172800,f.gtld-servers.net. \
+	net.,IN,NS,172800,k.gtld-servers.net. \
+	net.,IN,NS,172800,l.gtld-servers.net. \
+	net.,IN,NS,172800,g.gtld-servers.net. \
+	27 m.gtld-servers.net.,IN,A,172800,192.55.83.30 \
+	l.gtld-servers.net.,IN,A,172800,192.41.162.30 \
+	k.gtld-servers.net.,IN,A,172800,192.52.178.30 \
+	j.gtld-servers.net.,IN,A,172800,192.48.79.30 \
+	i.gtld-servers.net.,IN,A,172800,192.43.172.30 \
+	h.gtld-servers.net.,IN,A,172800,192.54.112.30 \
+	g.gtld-servers.net.,IN,A,172800,192.42.93.30 \
+	f.gtld-servers.net.,IN,A,172800,192.35.51.30 \
+	e.gtld-servers.net.,IN,A,172800,192.12.94.30 \
+	d.gtld-servers.net.,IN,A,172800,192.31.80.30 \
+	c.gtld-servers.net.,IN,A,172800,192.26.92.30 \
+	b.gtld-servers.net.,IN,A,172800,192.33.14.30 \
+	a.gtld-servers.net.,IN,A,172800,192.5.6.30 \
+	m.gtld-servers.net.,IN,AAAA,172800,2001:501:b1f9::30 \
+	l.gtld-servers.net.,IN,AAAA,172800,2001:500:d937::30 \
+	k.gtld-servers.net.,IN,AAAA,172800,2001:503:d2d::30 \
+	j.gtld-servers.net.,IN,AAAA,172800,2001:502:7094::30 \
+	i.gtld-servers.net.,IN,AAAA,172800,2001:503:39c1::30 \
+	h.gtld-servers.net.,IN,AAAA,172800,2001:502:8cc::30 \
+	g.gtld-servers.net.,IN,AAAA,172800,2001:503:eea3::30 \
+	f.gtld-servers.net.,IN,AAAA,172800,2001:503:d414::30 \
+	e.gtld-servers.net.,IN,AAAA,172800,2001:502:1ca1::30 \
+	d.gtld-servers.net.,IN,AAAA,172800,2001:500:856e::30 \
+	c.gtld-servers.net.,IN,AAAA,172800,2001:503:83eb::30 \
+	b.gtld-servers.net.,IN,AAAA,172800,2001:503:231d::2:30 \
+	a.gtld-servers.net.,IN,AAAA,172800,2001:503:a83e::2:30 \
+	.,1232,1232,0,edns0[len=39,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=24],edns0opt[ECS,family=1,source=24,scope=0,addr=137.205.188.0]
+[86] 2023-07-05 07:21:46.511502 [#12 edns.pcap-dist 4095] \
+	[137.205.188.240].35191 [39.174.37.237].53  \
+	dns QUERY,NOERROR,960,rd|ad \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=12,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=8]
+[131] 2023-07-05 07:21:46.518500 [#13 edns.pcap-dist 4095] \
+	[39.174.37.237].53 [137.205.188.240].35191  \
+	dns QUERY,SERVFAIL,960,qr|rd|ra \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,1232,1232,0,edns0[len=57,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=15,codelen=53]
+[64] 2023-07-05 07:21:38.669836 [#0 edns.pcap-dist 4095] \
+	[172.17.0.6].58541 [172.17.0.1].53  \
+	dns QUERY,NOERROR,31428,rd \
+	1 h.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:38.669891 [#1 edns.pcap-dist 4095] \
+	[172.17.0.6].58541 [172.17.0.1].53  \
+	dns QUERY,NOERROR,5824,rd \
+	1 h.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:38.669977 [#2 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].58541  \
+	dns QUERY,NOERROR,31428,qr|rd|ra \
+	1 h.root-servers.net.,IN,A \
+	1 h.root-servers.net.,IN,A,85098,198.97.190.53 0 0
+[92] 2023-07-05 07:21:38.670010 [#3 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].58541  \
+	dns QUERY,NOERROR,5824,qr|rd|ra \
+	1 h.root-servers.net.,IN,AAAA \
+	1 h.root-servers.net.,IN,AAAA,85098,2001:500:1::53 0 0
+[88] 2023-07-05 07:21:38.670793 [#4 edns.pcap-dist 4095] \
+	[172.17.0.6].33737 [198.97.190.53].53  \
+	dns QUERY,NOERROR,56979,rd|ad \
+	1 ns1.dns.nic.aaa.,IN,NS 0 0 \
+	1 .,4096,4096,0,edns0[len=16,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=0],edns0opt[code=10,codelen=8]
+[464] 2023-07-05 07:21:38.698303 [#5 edns.pcap-dist 4095] \
+	[198.97.190.53].53 [172.17.0.6].33737  \
+	dns QUERY,NOERROR,56979,qr|rd \
+	1 ns1.dns.nic.aaa.,IN,NS 0 \
+	6 aaa.,IN,NS,172800,a.nic.aaa. \
+	aaa.,IN,NS,172800,b.nic.aaa. \
+	aaa.,IN,NS,172800,c.nic.aaa. \
+	aaa.,IN,NS,172800,ns1.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns2.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns3.dns.nic.aaa. \
+	13 a.nic.aaa.,IN,A,172800,37.209.192.9 \
+	b.nic.aaa.,IN,A,172800,37.209.194.9 \
+	c.nic.aaa.,IN,A,172800,37.209.196.9 \
+	ns1.dns.nic.aaa.,IN,A,172800,156.154.144.2 \
+	ns2.dns.nic.aaa.,IN,A,172800,156.154.145.2 \
+	ns3.dns.nic.aaa.,IN,A,172800,156.154.159.2 \
+	a.nic.aaa.,IN,AAAA,172800,2001:dcd:1::9 \
+	b.nic.aaa.,IN,AAAA,172800,2001:dcd:2::9 \
+	c.nic.aaa.,IN,AAAA,172800,2001:dcd:3::9 \
+	ns1.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1071::2 \
+	ns2.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1072::2 \
+	ns3.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1073::2 \
+	.,1232,1232,0,edns0[len=30,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=26]
+[64] 2023-07-05 07:21:42.739334 [#6 edns.pcap-dist 4095] \
+	[172.17.0.6].53174 [172.17.0.1].53  \
+	dns QUERY,NOERROR,48648,rd \
+	1 g.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:42.739396 [#7 edns.pcap-dist 4095] \
+	[172.17.0.6].53174 [172.17.0.1].53  \
+	dns QUERY,NOERROR,48141,rd \
+	1 g.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:42.739525 [#8 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].53174  \
+	dns QUERY,NOERROR,48648,qr|rd|ra \
+	1 g.root-servers.net.,IN,A \
+	1 g.root-servers.net.,IN,A,85094,192.112.36.4 0 0
+[92] 2023-07-05 07:21:42.739558 [#9 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].53174  \
+	dns QUERY,NOERROR,48141,qr|rd|ra \
+	1 g.root-servers.net.,IN,AAAA \
+	1 g.root-servers.net.,IN,AAAA,85094,2001:500:12::d0d 0 0
+[83] 2023-07-05 07:21:42.740590 [#10 edns.pcap-dist 4095] \
+	[172.17.0.6].50901 [192.112.36.4].53  \
+	dns QUERY,NOERROR,35713,rd|ad \
+	1 net.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=23,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[ECS,family=1,source=24,scope=0,addr=137.205.188.0],edns0opt[code=10,codelen=8]
+[895] 2023-07-05 07:21:42.836816 [#11 edns.pcap-dist 4095] \
+	[192.112.36.4].53 [172.17.0.6].50901  \
+	dns QUERY,NOERROR,35713,qr|rd \
+	1 net.,IN,A 0 \
+	13 net.,IN,NS,172800,j.gtld-servers.net. \
+	net.,IN,NS,172800,b.gtld-servers.net. \
+	net.,IN,NS,172800,a.gtld-servers.net. \
+	net.,IN,NS,172800,h.gtld-servers.net. \
+	net.,IN,NS,172800,d.gtld-servers.net. \
+	net.,IN,NS,172800,c.gtld-servers.net. \
+	net.,IN,NS,172800,i.gtld-servers.net. \
+	net.,IN,NS,172800,e.gtld-servers.net. \
+	net.,IN,NS,172800,m.gtld-servers.net. \
+	net.,IN,NS,172800,f.gtld-servers.net. \
+	net.,IN,NS,172800,k.gtld-servers.net. \
+	net.,IN,NS,172800,l.gtld-servers.net. \
+	net.,IN,NS,172800,g.gtld-servers.net. \
+	27 m.gtld-servers.net.,IN,A,172800,192.55.83.30 \
+	l.gtld-servers.net.,IN,A,172800,192.41.162.30 \
+	k.gtld-servers.net.,IN,A,172800,192.52.178.30 \
+	j.gtld-servers.net.,IN,A,172800,192.48.79.30 \
+	i.gtld-servers.net.,IN,A,172800,192.43.172.30 \
+	h.gtld-servers.net.,IN,A,172800,192.54.112.30 \
+	g.gtld-servers.net.,IN,A,172800,192.42.93.30 \
+	f.gtld-servers.net.,IN,A,172800,192.35.51.30 \
+	e.gtld-servers.net.,IN,A,172800,192.12.94.30 \
+	d.gtld-servers.net.,IN,A,172800,192.31.80.30 \
+	c.gtld-servers.net.,IN,A,172800,192.26.92.30 \
+	b.gtld-servers.net.,IN,A,172800,192.33.14.30 \
+	a.gtld-servers.net.,IN,A,172800,192.5.6.30 \
+	m.gtld-servers.net.,IN,AAAA,172800,2001:501:b1f9::30 \
+	l.gtld-servers.net.,IN,AAAA,172800,2001:500:d937::30 \
+	k.gtld-servers.net.,IN,AAAA,172800,2001:503:d2d::30 \
+	j.gtld-servers.net.,IN,AAAA,172800,2001:502:7094::30 \
+	i.gtld-servers.net.,IN,AAAA,172800,2001:503:39c1::30 \
+	h.gtld-servers.net.,IN,AAAA,172800,2001:502:8cc::30 \
+	g.gtld-servers.net.,IN,AAAA,172800,2001:503:eea3::30 \
+	f.gtld-servers.net.,IN,AAAA,172800,2001:503:d414::30 \
+	e.gtld-servers.net.,IN,AAAA,172800,2001:502:1ca1::30 \
+	d.gtld-servers.net.,IN,AAAA,172800,2001:500:856e::30 \
+	c.gtld-servers.net.,IN,AAAA,172800,2001:503:83eb::30 \
+	b.gtld-servers.net.,IN,AAAA,172800,2001:503:231d::2:30 \
+	a.gtld-servers.net.,IN,AAAA,172800,2001:503:a83e::2:30 \
+	.,1232,1232,0,edns0[len=39,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=24],edns0opt[ECS,family=1,source=24,scope=0,addr=137.205.188.0]
+[86] 2023-07-05 07:21:46.511502 [#12 edns.pcap-dist 4095] \
+	[172.17.0.6].35191 [1.1.1.1].53  \
+	dns QUERY,NOERROR,960,rd|ad \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=12,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=8]
+[131] 2023-07-05 07:21:46.518500 [#13 edns.pcap-dist 4095] \
+	[1.1.1.1].53 [172.17.0.6].35191  \
+	dns QUERY,SERVFAIL,960,qr|rd|ra \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,1232,1232,0,edns0[len=57,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=15,codelen=53]

plugins/cryptopan/test1.sh

@@ -17,6 +17,11 @@ ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
 ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -s 2>>test1.out
 ! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -c -s 2>>test1.out
 
+ln -fs "$srcdir/../../src/test/edns.pcap" edns.pcap-dist
+
+../../src/dnscap -r edns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -e 2>>test1.out
+../../src/dnscap -r edns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -E 2>>test1.out
+
 osrel=`uname -s`
 if [ "$osrel" = "OpenBSD" ]; then
     mv test1.out test1.out.old

plugins/cryptopan/test2.sh

@@ -19,12 +19,4 @@ if [ "$osrel" = "OpenBSD" ]; then
     rm test2.out.old
 fi
 
-# TODO: Remove when #133 is fixed
-cat test2.out | \
-  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
-  sed 's%,CLASS512,OPT,%,512,512,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
-mv test2.new test2.out
-
 diff test2.out "$srcdir/test2.gold"

plugins/cryptopan/test3.sh

@@ -21,12 +21,4 @@ if [ "$osrel" = "OpenBSD" ]; then
     rm test3.out.old
 fi
 
-# TODO: Remove when #133 is fixed
-cat test3.out | \
-  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
-  sed 's%,CLASS512,OPT,%,512,512,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
-mv test3.new test3.out
-
 diff test3.out "$srcdir/test3.gold"

plugins/cryptopant/Makefile.am

@@ -1,9 +1,10 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
+    -I$(top_srcdir)/plugins/shared \
     $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
 
 pkglib_LTLIBRARIES = cryptopant.la

plugins/cryptopant/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -205,8 +205,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -362,6 +360,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -400,6 +399,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -410,6 +411,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -516,12 +518,13 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov test1.out test2.out test3.out \
-	test3.pcap.20161020.152301.075993 \
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist test1.out test2.out \
+	test3.out test3.pcap.20161020.152301.075993 \
 	test3.pcap.20181127.155200.414188
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
+    -I$(top_srcdir)/plugins/shared \
     $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
 
 pkglib_LTLIBRARIES = cryptopant.la
@@ -805,7 +808,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -881,7 +884,6 @@ test4.sh.log: test4.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

plugins/cryptopant/cryptopant.c

@@ -39,18 +39,20 @@
 #include <unistd.h>
 #include <string.h>
 #include <sys/socket.h>
+#include <netinet/in.h>
 
 #include "dnscap_common.h"
 
 #if defined(HAVE_LIBCRYPTOPANT) && defined(HAVE_CRYPTOPANT_H)
 #include <cryptopANT.h>
 #define USE_CRYPTOPANT 1
+#include "edns0_ecs.c"
 #endif
 
 static set_iaddr_t cryptopant_set_iaddr = 0;
 
 static logerr_t* logerr;
-static int       only_clients = 0, only_servers = 0, dns_port = 53, pass4 = 0, pass6 = 0, decrypt = 0;
+static int       only_clients = 0, only_servers = 0, dns_port = 53, pass4 = 0, pass6 = 0, decrypt = 0, edns = 0;
 
 enum plugin_type cryptopant_type()
 {
@@ -74,7 +76,9 @@ void cryptopant_usage()
         "\t-D            Decrypt IP addresses\n"
         "\t-c            Only encrypt clients (port != 53)\n"
         "\t-s            Only encrypt servers (port == 53)\n"
-        "\t-p <port>     Set port for -c/-s, default 53\n");
+        "\t-p <port>     Set port for -c/-s, default 53\n"
+        "\t-e            Also en/de-crypt EDNS(0) Client Subnet\n"
+        "\t-E            ONLY en/de-crypt EDNS(0) Client Subnet, not IP addresses\n");
 }
 
 void cryptopant_extension(int ext, void* arg)
@@ -92,7 +96,7 @@ void cryptopant_getopt(int* argc, char** argv[])
     unsigned long ul;
     char *        p, *keyfile = 0;
 
-    while ((c = getopt(*argc, *argv, "?k:4:6:Dcsp:")) != EOF) {
+    while ((c = getopt(*argc, *argv, "?k:4:6:Dcsp:eE")) != EOF) {
         switch (c) {
         case 'k':
             if (keyfile) {
@@ -127,6 +131,13 @@ void cryptopant_getopt(int* argc, char** argv[])
                 usage("port must be an integer 1..65535");
             dns_port = (unsigned)ul;
             break;
+        case 'e':
+            if (!edns)
+                edns = 1;
+            break;
+        case 'E':
+            edns = -1;
+            break;
         case '?':
             cryptopant_usage();
             if (!optopt || optopt == '?') {
@@ -179,12 +190,48 @@ int cryptopant_close(my_bpftimeval ts)
     return 0;
 }
 
+#ifdef USE_CRYPTOPANT
+void ecs_callback(int family, u_char* buf, size_t len)
+{
+    switch (family) {
+    case 1: // IPv4
+    {
+        if (len > sizeof(struct in_addr))
+            break;
+        struct in_addr in = { INADDR_ANY };
+        memcpy(&in, buf, len);
+        in.s_addr = decrypt ? unscramble_ip4(in.s_addr, pass4) : scramble_ip4(in.s_addr, pass4);
+        memcpy(buf, &in, len);
+        break;
+    }
+    case 2: // IPv6
+    {
+        if (len > sizeof(struct in6_addr))
+            break;
+        struct in6_addr in = IN6ADDR_ANY_INIT;
+        memcpy(&in, buf, len);
+        decrypt ? unscramble_ip6(&in, pass6) : scramble_ip6(&in, pass6);
+        memcpy(buf, &in, len);
+        break;
+    }
+    default:
+        break;
+    }
+}
+#endif
+
 int cryptopant_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
     unsigned sport, unsigned dport, my_bpftimeval ts,
-    const u_char* pkt_copy, const unsigned olen,
-    const u_char* payload, const unsigned payloadlen)
+    u_char* pkt_copy, const unsigned olen,
+    u_char* payload, const unsigned payloadlen)
 {
 #ifdef USE_CRYPTOPANT
+    if (edns && flags & DNSCAP_OUTPUT_ISDNS && payload && payloadlen > DNS_MSG_HDR_SZ) {
+        parse_for_edns0_ecs(payload, payloadlen, ecs_callback);
+        if (edns < 0)
+            return 0;
+    }
+
     for (;;) {
         if (only_clients && sport == dns_port) {
             if (sport != dport) {

plugins/cryptopant/test1.gold

@@ -2856,3 +2856,249 @@ cryptopant.so usage error: must have a -k keyfile
 	ns3.google.com.,IN,A,157794,216.239.36.10 \
 	ns4.google.com.,IN,A,157794,216.239.38.10
 cryptopant.so usage error: -c and -s options are mutually exclusive
+[64] 2023-07-05 07:21:38.669836 [#0 edns.pcap-dist 4095] \
+	[172.24.244.221].58541 [172.24.244.218].53  \
+	dns QUERY,NOERROR,31428,rd \
+	1 h.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:38.669891 [#1 edns.pcap-dist 4095] \
+	[172.24.244.221].58541 [172.24.244.218].53  \
+	dns QUERY,NOERROR,5824,rd \
+	1 h.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:38.669977 [#2 edns.pcap-dist 4095] \
+	[172.24.244.218].53 [172.24.244.221].58541  \
+	dns QUERY,NOERROR,31428,qr|rd|ra \
+	1 h.root-servers.net.,IN,A \
+	1 h.root-servers.net.,IN,A,85098,198.97.190.53 0 0
+[92] 2023-07-05 07:21:38.670010 [#3 edns.pcap-dist 4095] \
+	[172.24.244.218].53 [172.24.244.221].58541  \
+	dns QUERY,NOERROR,5824,qr|rd|ra \
+	1 h.root-servers.net.,IN,AAAA \
+	1 h.root-servers.net.,IN,AAAA,85098,2001:500:1::53 0 0
+[88] 2023-07-05 07:21:38.670793 [#4 edns.pcap-dist 4095] \
+	[172.24.244.221].33737 [198.221.87.229].53  \
+	dns QUERY,NOERROR,56979,rd|ad \
+	1 ns1.dns.nic.aaa.,IN,NS 0 0 \
+	1 .,4096,4096,0,edns0[len=16,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=0],edns0opt[code=10,codelen=8]
+[464] 2023-07-05 07:21:38.698303 [#5 edns.pcap-dist 4095] \
+	[198.221.87.229].53 [172.24.244.221].33737  \
+	dns QUERY,NOERROR,56979,qr|rd \
+	1 ns1.dns.nic.aaa.,IN,NS 0 \
+	6 aaa.,IN,NS,172800,a.nic.aaa. \
+	aaa.,IN,NS,172800,b.nic.aaa. \
+	aaa.,IN,NS,172800,c.nic.aaa. \
+	aaa.,IN,NS,172800,ns1.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns2.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns3.dns.nic.aaa. \
+	13 a.nic.aaa.,IN,A,172800,37.209.192.9 \
+	b.nic.aaa.,IN,A,172800,37.209.194.9 \
+	c.nic.aaa.,IN,A,172800,37.209.196.9 \
+	ns1.dns.nic.aaa.,IN,A,172800,156.154.144.2 \
+	ns2.dns.nic.aaa.,IN,A,172800,156.154.145.2 \
+	ns3.dns.nic.aaa.,IN,A,172800,156.154.159.2 \
+	a.nic.aaa.,IN,AAAA,172800,2001:dcd:1::9 \
+	b.nic.aaa.,IN,AAAA,172800,2001:dcd:2::9 \
+	c.nic.aaa.,IN,AAAA,172800,2001:dcd:3::9 \
+	ns1.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1071::2 \
+	ns2.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1072::2 \
+	ns3.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1073::2 \
+	.,1232,1232,0,edns0[len=30,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=26]
+[64] 2023-07-05 07:21:42.739334 [#6 edns.pcap-dist 4095] \
+	[172.24.244.221].53174 [172.24.244.218].53  \
+	dns QUERY,NOERROR,48648,rd \
+	1 g.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:42.739396 [#7 edns.pcap-dist 4095] \
+	[172.24.244.221].53174 [172.24.244.218].53  \
+	dns QUERY,NOERROR,48141,rd \
+	1 g.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:42.739525 [#8 edns.pcap-dist 4095] \
+	[172.24.244.218].53 [172.24.244.221].53174  \
+	dns QUERY,NOERROR,48648,qr|rd|ra \
+	1 g.root-servers.net.,IN,A \
+	1 g.root-servers.net.,IN,A,85094,192.112.36.4 0 0
+[92] 2023-07-05 07:21:42.739558 [#9 edns.pcap-dist 4095] \
+	[172.24.244.218].53 [172.24.244.221].53174  \
+	dns QUERY,NOERROR,48141,qr|rd|ra \
+	1 g.root-servers.net.,IN,AAAA \
+	1 g.root-servers.net.,IN,AAAA,85094,2001:500:12::d0d 0 0
+[83] 2023-07-05 07:21:42.740590 [#10 edns.pcap-dist 4095] \
+	[172.24.244.221].50901 [192.37.47.233].53  \
+	dns QUERY,NOERROR,35713,rd|ad \
+	1 net.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=23,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[ECS,family=1,source=24,scope=0,addr=172.24.244.0],edns0opt[code=10,codelen=8]
+[895] 2023-07-05 07:21:42.836816 [#11 edns.pcap-dist 4095] \
+	[192.37.47.233].53 [172.24.244.221].50901  \
+	dns QUERY,NOERROR,35713,qr|rd \
+	1 net.,IN,A 0 \
+	13 net.,IN,NS,172800,j.gtld-servers.net. \
+	net.,IN,NS,172800,b.gtld-servers.net. \
+	net.,IN,NS,172800,a.gtld-servers.net. \
+	net.,IN,NS,172800,h.gtld-servers.net. \
+	net.,IN,NS,172800,d.gtld-servers.net. \
+	net.,IN,NS,172800,c.gtld-servers.net. \
+	net.,IN,NS,172800,i.gtld-servers.net. \
+	net.,IN,NS,172800,e.gtld-servers.net. \
+	net.,IN,NS,172800,m.gtld-servers.net. \
+	net.,IN,NS,172800,f.gtld-servers.net. \
+	net.,IN,NS,172800,k.gtld-servers.net. \
+	net.,IN,NS,172800,l.gtld-servers.net. \
+	net.,IN,NS,172800,g.gtld-servers.net. \
+	27 m.gtld-servers.net.,IN,A,172800,192.55.83.30 \
+	l.gtld-servers.net.,IN,A,172800,192.41.162.30 \
+	k.gtld-servers.net.,IN,A,172800,192.52.178.30 \
+	j.gtld-servers.net.,IN,A,172800,192.48.79.30 \
+	i.gtld-servers.net.,IN,A,172800,192.43.172.30 \
+	h.gtld-servers.net.,IN,A,172800,192.54.112.30 \
+	g.gtld-servers.net.,IN,A,172800,192.42.93.30 \
+	f.gtld-servers.net.,IN,A,172800,192.35.51.30 \
+	e.gtld-servers.net.,IN,A,172800,192.12.94.30 \
+	d.gtld-servers.net.,IN,A,172800,192.31.80.30 \
+	c.gtld-servers.net.,IN,A,172800,192.26.92.30 \
+	b.gtld-servers.net.,IN,A,172800,192.33.14.30 \
+	a.gtld-servers.net.,IN,A,172800,192.5.6.30 \
+	m.gtld-servers.net.,IN,AAAA,172800,2001:501:b1f9::30 \
+	l.gtld-servers.net.,IN,AAAA,172800,2001:500:d937::30 \
+	k.gtld-servers.net.,IN,AAAA,172800,2001:503:d2d::30 \
+	j.gtld-servers.net.,IN,AAAA,172800,2001:502:7094::30 \
+	i.gtld-servers.net.,IN,AAAA,172800,2001:503:39c1::30 \
+	h.gtld-servers.net.,IN,AAAA,172800,2001:502:8cc::30 \
+	g.gtld-servers.net.,IN,AAAA,172800,2001:503:eea3::30 \
+	f.gtld-servers.net.,IN,AAAA,172800,2001:503:d414::30 \
+	e.gtld-servers.net.,IN,AAAA,172800,2001:502:1ca1::30 \
+	d.gtld-servers.net.,IN,AAAA,172800,2001:500:856e::30 \
+	c.gtld-servers.net.,IN,AAAA,172800,2001:503:83eb::30 \
+	b.gtld-servers.net.,IN,AAAA,172800,2001:503:231d::2:30 \
+	a.gtld-servers.net.,IN,AAAA,172800,2001:503:a83e::2:30 \
+	.,1232,1232,0,edns0[len=39,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=24],edns0opt[ECS,family=1,source=24,scope=0,addr=172.24.244.0]
+[86] 2023-07-05 07:21:46.511502 [#12 edns.pcap-dist 4095] \
+	[172.24.244.221].35191 [1.183.102.77].53  \
+	dns QUERY,NOERROR,960,rd|ad \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=12,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=8]
+[131] 2023-07-05 07:21:46.518500 [#13 edns.pcap-dist 4095] \
+	[1.183.102.77].53 [172.24.244.221].35191  \
+	dns QUERY,SERVFAIL,960,qr|rd|ra \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,1232,1232,0,edns0[len=57,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=15,codelen=53]
+[64] 2023-07-05 07:21:38.669836 [#0 edns.pcap-dist 4095] \
+	[172.17.0.6].58541 [172.17.0.1].53  \
+	dns QUERY,NOERROR,31428,rd \
+	1 h.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:38.669891 [#1 edns.pcap-dist 4095] \
+	[172.17.0.6].58541 [172.17.0.1].53  \
+	dns QUERY,NOERROR,5824,rd \
+	1 h.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:38.669977 [#2 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].58541  \
+	dns QUERY,NOERROR,31428,qr|rd|ra \
+	1 h.root-servers.net.,IN,A \
+	1 h.root-servers.net.,IN,A,85098,198.97.190.53 0 0
+[92] 2023-07-05 07:21:38.670010 [#3 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].58541  \
+	dns QUERY,NOERROR,5824,qr|rd|ra \
+	1 h.root-servers.net.,IN,AAAA \
+	1 h.root-servers.net.,IN,AAAA,85098,2001:500:1::53 0 0
+[88] 2023-07-05 07:21:38.670793 [#4 edns.pcap-dist 4095] \
+	[172.17.0.6].33737 [198.97.190.53].53  \
+	dns QUERY,NOERROR,56979,rd|ad \
+	1 ns1.dns.nic.aaa.,IN,NS 0 0 \
+	1 .,4096,4096,0,edns0[len=16,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=0],edns0opt[code=10,codelen=8]
+[464] 2023-07-05 07:21:38.698303 [#5 edns.pcap-dist 4095] \
+	[198.97.190.53].53 [172.17.0.6].33737  \
+	dns QUERY,NOERROR,56979,qr|rd \
+	1 ns1.dns.nic.aaa.,IN,NS 0 \
+	6 aaa.,IN,NS,172800,a.nic.aaa. \
+	aaa.,IN,NS,172800,b.nic.aaa. \
+	aaa.,IN,NS,172800,c.nic.aaa. \
+	aaa.,IN,NS,172800,ns1.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns2.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns3.dns.nic.aaa. \
+	13 a.nic.aaa.,IN,A,172800,37.209.192.9 \
+	b.nic.aaa.,IN,A,172800,37.209.194.9 \
+	c.nic.aaa.,IN,A,172800,37.209.196.9 \
+	ns1.dns.nic.aaa.,IN,A,172800,156.154.144.2 \
+	ns2.dns.nic.aaa.,IN,A,172800,156.154.145.2 \
+	ns3.dns.nic.aaa.,IN,A,172800,156.154.159.2 \
+	a.nic.aaa.,IN,AAAA,172800,2001:dcd:1::9 \
+	b.nic.aaa.,IN,AAAA,172800,2001:dcd:2::9 \
+	c.nic.aaa.,IN,AAAA,172800,2001:dcd:3::9 \
+	ns1.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1071::2 \
+	ns2.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1072::2 \
+	ns3.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1073::2 \
+	.,1232,1232,0,edns0[len=30,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=26]
+[64] 2023-07-05 07:21:42.739334 [#6 edns.pcap-dist 4095] \
+	[172.17.0.6].53174 [172.17.0.1].53  \
+	dns QUERY,NOERROR,48648,rd \
+	1 g.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:42.739396 [#7 edns.pcap-dist 4095] \
+	[172.17.0.6].53174 [172.17.0.1].53  \
+	dns QUERY,NOERROR,48141,rd \
+	1 g.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:42.739525 [#8 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].53174  \
+	dns QUERY,NOERROR,48648,qr|rd|ra \
+	1 g.root-servers.net.,IN,A \
+	1 g.root-servers.net.,IN,A,85094,192.112.36.4 0 0
+[92] 2023-07-05 07:21:42.739558 [#9 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].53174  \
+	dns QUERY,NOERROR,48141,qr|rd|ra \
+	1 g.root-servers.net.,IN,AAAA \
+	1 g.root-servers.net.,IN,AAAA,85094,2001:500:12::d0d 0 0
+[83] 2023-07-05 07:21:42.740590 [#10 edns.pcap-dist 4095] \
+	[172.17.0.6].50901 [192.112.36.4].53  \
+	dns QUERY,NOERROR,35713,rd|ad \
+	1 net.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=23,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[ECS,family=1,source=24,scope=0,addr=172.24.244.0],edns0opt[code=10,codelen=8]
+[895] 2023-07-05 07:21:42.836816 [#11 edns.pcap-dist 4095] \
+	[192.112.36.4].53 [172.17.0.6].50901  \
+	dns QUERY,NOERROR,35713,qr|rd \
+	1 net.,IN,A 0 \
+	13 net.,IN,NS,172800,j.gtld-servers.net. \
+	net.,IN,NS,172800,b.gtld-servers.net. \
+	net.,IN,NS,172800,a.gtld-servers.net. \
+	net.,IN,NS,172800,h.gtld-servers.net. \
+	net.,IN,NS,172800,d.gtld-servers.net. \
+	net.,IN,NS,172800,c.gtld-servers.net. \
+	net.,IN,NS,172800,i.gtld-servers.net. \
+	net.,IN,NS,172800,e.gtld-servers.net. \
+	net.,IN,NS,172800,m.gtld-servers.net. \
+	net.,IN,NS,172800,f.gtld-servers.net. \
+	net.,IN,NS,172800,k.gtld-servers.net. \
+	net.,IN,NS,172800,l.gtld-servers.net. \
+	net.,IN,NS,172800,g.gtld-servers.net. \
+	27 m.gtld-servers.net.,IN,A,172800,192.55.83.30 \
+	l.gtld-servers.net.,IN,A,172800,192.41.162.30 \
+	k.gtld-servers.net.,IN,A,172800,192.52.178.30 \
+	j.gtld-servers.net.,IN,A,172800,192.48.79.30 \
+	i.gtld-servers.net.,IN,A,172800,192.43.172.30 \
+	h.gtld-servers.net.,IN,A,172800,192.54.112.30 \
+	g.gtld-servers.net.,IN,A,172800,192.42.93.30 \
+	f.gtld-servers.net.,IN,A,172800,192.35.51.30 \
+	e.gtld-servers.net.,IN,A,172800,192.12.94.30 \
+	d.gtld-servers.net.,IN,A,172800,192.31.80.30 \
+	c.gtld-servers.net.,IN,A,172800,192.26.92.30 \
+	b.gtld-servers.net.,IN,A,172800,192.33.14.30 \
+	a.gtld-servers.net.,IN,A,172800,192.5.6.30 \
+	m.gtld-servers.net.,IN,AAAA,172800,2001:501:b1f9::30 \
+	l.gtld-servers.net.,IN,AAAA,172800,2001:500:d937::30 \
+	k.gtld-servers.net.,IN,AAAA,172800,2001:503:d2d::30 \
+	j.gtld-servers.net.,IN,AAAA,172800,2001:502:7094::30 \
+	i.gtld-servers.net.,IN,AAAA,172800,2001:503:39c1::30 \
+	h.gtld-servers.net.,IN,AAAA,172800,2001:502:8cc::30 \
+	g.gtld-servers.net.,IN,AAAA,172800,2001:503:eea3::30 \
+	f.gtld-servers.net.,IN,AAAA,172800,2001:503:d414::30 \
+	e.gtld-servers.net.,IN,AAAA,172800,2001:502:1ca1::30 \
+	d.gtld-servers.net.,IN,AAAA,172800,2001:500:856e::30 \
+	c.gtld-servers.net.,IN,AAAA,172800,2001:503:83eb::30 \
+	b.gtld-servers.net.,IN,AAAA,172800,2001:503:231d::2:30 \
+	a.gtld-servers.net.,IN,AAAA,172800,2001:503:a83e::2:30 \
+	.,1232,1232,0,edns0[len=39,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=24],edns0opt[ECS,family=1,source=24,scope=0,addr=172.24.244.0]
+[86] 2023-07-05 07:21:46.511502 [#12 edns.pcap-dist 4095] \
+	[172.17.0.6].35191 [1.1.1.1].53  \
+	dns QUERY,NOERROR,960,rd|ad \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=12,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=8]
+[131] 2023-07-05 07:21:46.518500 [#13 edns.pcap-dist 4095] \
+	[1.1.1.1].53 [172.17.0.6].35191  \
+	dns QUERY,SERVFAIL,960,qr|rd|ra \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,1232,1232,0,edns0[len=57,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=15,codelen=53]

plugins/cryptopant/test1.sh

@@ -21,6 +21,11 @@ fi
 ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -s 2>>test1.out
 ! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -c -s 2>>test1.out
 
+ln -fs "$srcdir/../../src/test/edns.pcap" edns.pcap-dist
+
+../../src/dnscap -r edns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -4 8 -e 2>>test1.out
+../../src/dnscap -r edns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -4 8 -E 2>>test1.out
+
 osrel=`uname -s`
 if [ "$osrel" = "OpenBSD" ]; then
     mv test1.out test1.out.old

plugins/cryptopant/test2.sh

@@ -26,12 +26,4 @@ if [ "$osrel" = "OpenBSD" ]; then
     rm test2.out.old
 fi
 
-# TODO: Remove when #133 is fixed
-cat test2.out | \
-  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
-  sed 's%,CLASS512,OPT,%,512,512,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
-mv test2.new test2.out
-
 diff test2.out "$srcdir/test2.gold"

plugins/cryptopant/test3.sh

@@ -27,12 +27,4 @@ if [ "$osrel" = "OpenBSD" ]; then
     rm test3.out.old
 fi
 
-# TODO: Remove when #133 is fixed
-cat test3.out | \
-  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
-  sed 's%,CLASS512,OPT,%,512,512,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
-mv test3.new test3.out
-
 diff test3.out "$srcdir/test3.gold"

plugins/eventlog/Makefile.am

@@ -1,5 +1,5 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
@@ -13,7 +13,7 @@ eventlog_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
 
 TESTS = test1.sh
 EXTRA_DIST = $(TESTS)
-CLEANFILES += test1.out *.pcap-dist
+CLEANFILES += test1.out
 
 if ENABLE_GCOV
 gcov-local:

plugins/eventlog/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -205,8 +205,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -362,6 +360,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -400,6 +399,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -410,6 +411,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -516,7 +518,7 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov test1.out *.pcap-dist
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist test1.out
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
@@ -804,7 +806,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -859,7 +861,6 @@ test1.sh.log: test1.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

plugins/ipcrypt/Makefile.am

@@ -1,9 +1,10 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
+    -I$(top_srcdir)/plugins/shared \
     $(SECCOMPFLAGS)
 
 pkglib_LTLIBRARIES = ipcrypt.la

plugins/ipcrypt/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -205,8 +205,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -362,6 +360,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -400,6 +399,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -410,6 +411,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -516,12 +518,13 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov test1.out test2.out test3.out \
-	test3.pcap.20161020.152301.075993 \
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist test1.out test2.out \
+	test3.out test3.pcap.20161020.152301.075993 \
 	test3.pcap.20181127.155200.414188 test4.tmp
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
+    -I$(top_srcdir)/plugins/shared \
     $(SECCOMPFLAGS)
 
 pkglib_LTLIBRARIES = ipcrypt.la
@@ -805,7 +808,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -881,7 +884,6 @@ test4.sh.log: test4.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

plugins/ipcrypt/ipcrypt.c

@@ -42,13 +42,16 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <netinet/in.h>
 
 #include "dnscap_common.h"
 
+#include "edns0_ecs.c"
+
 static set_iaddr_t ipcrypt_set_iaddr = 0;
 
 static logerr_t* logerr;
-static int       only_clients = 0, only_servers = 0, dns_port = 53, iterations = 1, encrypt_v6 = 0, decrypt = 0;
+static int       only_clients = 0, only_servers = 0, dns_port = 53, iterations = 1, encrypt_v6 = 0, decrypt = 0, edns = 0;
 static uint8_t   key[16];
 
 /*
@@ -157,7 +160,9 @@ void ipcrypt_usage()
         "\t-s            Only en/de-crypt servers (port == 53)\n"
         "\t-p <port>     Set port for -c/-s, default 53\n"
         "\t-i <num>      Number of en/de-cryption iterations, default 1\n"
-        "\t-6            En/de-crypt IPv6 addresses, not default or recommended\n");
+        "\t-6            En/de-crypt IPv6 addresses, not default or recommended\n"
+        "\t-e            Also en/de-crypt EDNS(0) Client Subnet\n"
+        "\t-E            ONLY en/de-crypt EDNS(0) Client Subnet, not IP addresses\n");
 }
 
 void ipcrypt_extension(int ext, void* arg)
@@ -175,7 +180,7 @@ void ipcrypt_getopt(int* argc, char** argv[])
     unsigned long ul;
     char*         p;
 
-    while ((c = getopt(*argc, *argv, "?k:f:Dcsp:i:6")) != EOF) {
+    while ((c = getopt(*argc, *argv, "?k:f:Dcsp:i:6eE")) != EOF) {
         switch (c) {
         case 'k':
             if (strlen(optarg) != 16) {
@@ -226,6 +231,13 @@ void ipcrypt_getopt(int* argc, char** argv[])
         case '6':
             encrypt_v6 = 1;
             break;
+        case 'e':
+            if (!edns)
+                edns = 1;
+            break;
+        case 'E':
+            edns = -1;
+            break;
         case '?':
             ipcrypt_usage();
             if (!optopt || optopt == '?') {
@@ -266,11 +278,55 @@ int ipcrypt_close(my_bpftimeval ts)
     return 0;
 }
 
+void ecs_callback(int family, u_char* buf, size_t len)
+{
+    switch (family) {
+    case 1: // IPv4
+    {
+        if (len > sizeof(struct in_addr))
+            break;
+        struct in_addr in = { INADDR_ANY };
+        memcpy(&in, buf, len);
+        decrypt ? _decrypt((uint8_t*)&in) : _encrypt((uint8_t*)&in);
+        memcpy(buf, &in, len);
+        break;
+    }
+    case 2: // IPv6
+        if (len > sizeof(struct in6_addr))
+            break;
+        if (encrypt_v6) {
+            struct in6_addr in = IN6ADDR_ANY_INIT;
+            memcpy(&in, buf, len);
+            if (decrypt) {
+                _decrypt((uint8_t*)&in);
+                _decrypt(((uint8_t*)&in) + 4);
+                _decrypt(((uint8_t*)&in) + 8);
+                _decrypt(((uint8_t*)&in) + 12);
+            } else {
+                _encrypt((uint8_t*)&in);
+                _encrypt(((uint8_t*)&in) + 4);
+                _encrypt(((uint8_t*)&in) + 8);
+                _encrypt(((uint8_t*)&in) + 12);
+            }
+            memcpy(buf, &in, len);
+        }
+        break;
+    default:
+        break;
+    }
+}
+
 int ipcrypt_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
     unsigned sport, unsigned dport, my_bpftimeval ts,
-    const u_char* pkt_copy, const unsigned olen,
-    const u_char* payload, const unsigned payloadlen)
+    u_char* pkt_copy, const unsigned olen,
+    u_char* payload, const unsigned payloadlen)
 {
+    if (edns && flags & DNSCAP_OUTPUT_ISDNS && payload && payloadlen > DNS_MSG_HDR_SZ) {
+        parse_for_edns0_ecs(payload, payloadlen, ecs_callback);
+        if (edns < 0)
+            return 0;
+    }
+
     for (;;) {
         if (only_clients && sport == dns_port) {
             if (sport != dport) {

plugins/ipcrypt/test1.gold

@@ -2142,3 +2142,249 @@ ipcrypt.so usage error: must have -k <key> or -f <file>
 	ns3.google.com.,IN,A,157794,216.239.36.10 \
 	ns4.google.com.,IN,A,157794,216.239.38.10
 ipcrypt.so usage error: -c and -s options are mutually exclusive
+[64] 2023-07-05 07:21:38.669836 [#0 edns.pcap-dist 4095] \
+	[122.143.39.9].58541 [132.72.37.15].53  \
+	dns QUERY,NOERROR,31428,rd \
+	1 h.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:38.669891 [#1 edns.pcap-dist 4095] \
+	[122.143.39.9].58541 [132.72.37.15].53  \
+	dns QUERY,NOERROR,5824,rd \
+	1 h.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:38.669977 [#2 edns.pcap-dist 4095] \
+	[132.72.37.15].53 [122.143.39.9].58541  \
+	dns QUERY,NOERROR,31428,qr|rd|ra \
+	1 h.root-servers.net.,IN,A \
+	1 h.root-servers.net.,IN,A,85098,198.97.190.53 0 0
+[92] 2023-07-05 07:21:38.670010 [#3 edns.pcap-dist 4095] \
+	[132.72.37.15].53 [122.143.39.9].58541  \
+	dns QUERY,NOERROR,5824,qr|rd|ra \
+	1 h.root-servers.net.,IN,AAAA \
+	1 h.root-servers.net.,IN,AAAA,85098,2001:500:1::53 0 0
+[88] 2023-07-05 07:21:38.670793 [#4 edns.pcap-dist 4095] \
+	[122.143.39.9].33737 [225.150.52.100].53  \
+	dns QUERY,NOERROR,56979,rd|ad \
+	1 ns1.dns.nic.aaa.,IN,NS 0 0 \
+	1 .,4096,4096,0,edns0[len=16,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=0],edns0opt[code=10,codelen=8]
+[464] 2023-07-05 07:21:38.698303 [#5 edns.pcap-dist 4095] \
+	[225.150.52.100].53 [122.143.39.9].33737  \
+	dns QUERY,NOERROR,56979,qr|rd \
+	1 ns1.dns.nic.aaa.,IN,NS 0 \
+	6 aaa.,IN,NS,172800,a.nic.aaa. \
+	aaa.,IN,NS,172800,b.nic.aaa. \
+	aaa.,IN,NS,172800,c.nic.aaa. \
+	aaa.,IN,NS,172800,ns1.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns2.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns3.dns.nic.aaa. \
+	13 a.nic.aaa.,IN,A,172800,37.209.192.9 \
+	b.nic.aaa.,IN,A,172800,37.209.194.9 \
+	c.nic.aaa.,IN,A,172800,37.209.196.9 \
+	ns1.dns.nic.aaa.,IN,A,172800,156.154.144.2 \
+	ns2.dns.nic.aaa.,IN,A,172800,156.154.145.2 \
+	ns3.dns.nic.aaa.,IN,A,172800,156.154.159.2 \
+	a.nic.aaa.,IN,AAAA,172800,2001:dcd:1::9 \
+	b.nic.aaa.,IN,AAAA,172800,2001:dcd:2::9 \
+	c.nic.aaa.,IN,AAAA,172800,2001:dcd:3::9 \
+	ns1.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1071::2 \
+	ns2.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1072::2 \
+	ns3.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1073::2 \
+	.,1232,1232,0,edns0[len=30,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=26]
+[64] 2023-07-05 07:21:42.739334 [#6 edns.pcap-dist 4095] \
+	[122.143.39.9].53174 [132.72.37.15].53  \
+	dns QUERY,NOERROR,48648,rd \
+	1 g.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:42.739396 [#7 edns.pcap-dist 4095] \
+	[122.143.39.9].53174 [132.72.37.15].53  \
+	dns QUERY,NOERROR,48141,rd \
+	1 g.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:42.739525 [#8 edns.pcap-dist 4095] \
+	[132.72.37.15].53 [122.143.39.9].53174  \
+	dns QUERY,NOERROR,48648,qr|rd|ra \
+	1 g.root-servers.net.,IN,A \
+	1 g.root-servers.net.,IN,A,85094,192.112.36.4 0 0
+[92] 2023-07-05 07:21:42.739558 [#9 edns.pcap-dist 4095] \
+	[132.72.37.15].53 [122.143.39.9].53174  \
+	dns QUERY,NOERROR,48141,qr|rd|ra \
+	1 g.root-servers.net.,IN,AAAA \
+	1 g.root-servers.net.,IN,AAAA,85094,2001:500:12::d0d 0 0
+[83] 2023-07-05 07:21:42.740590 [#10 edns.pcap-dist 4095] \
+	[122.143.39.9].50901 [255.236.91.80].53  \
+	dns QUERY,NOERROR,35713,rd|ad \
+	1 net.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=23,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[ECS,family=1,source=24,scope=0,addr=250.154.229.0],edns0opt[code=10,codelen=8]
+[895] 2023-07-05 07:21:42.836816 [#11 edns.pcap-dist 4095] \
+	[255.236.91.80].53 [122.143.39.9].50901  \
+	dns QUERY,NOERROR,35713,qr|rd \
+	1 net.,IN,A 0 \
+	13 net.,IN,NS,172800,j.gtld-servers.net. \
+	net.,IN,NS,172800,b.gtld-servers.net. \
+	net.,IN,NS,172800,a.gtld-servers.net. \
+	net.,IN,NS,172800,h.gtld-servers.net. \
+	net.,IN,NS,172800,d.gtld-servers.net. \
+	net.,IN,NS,172800,c.gtld-servers.net. \
+	net.,IN,NS,172800,i.gtld-servers.net. \
+	net.,IN,NS,172800,e.gtld-servers.net. \
+	net.,IN,NS,172800,m.gtld-servers.net. \
+	net.,IN,NS,172800,f.gtld-servers.net. \
+	net.,IN,NS,172800,k.gtld-servers.net. \
+	net.,IN,NS,172800,l.gtld-servers.net. \
+	net.,IN,NS,172800,g.gtld-servers.net. \
+	27 m.gtld-servers.net.,IN,A,172800,192.55.83.30 \
+	l.gtld-servers.net.,IN,A,172800,192.41.162.30 \
+	k.gtld-servers.net.,IN,A,172800,192.52.178.30 \
+	j.gtld-servers.net.,IN,A,172800,192.48.79.30 \
+	i.gtld-servers.net.,IN,A,172800,192.43.172.30 \
+	h.gtld-servers.net.,IN,A,172800,192.54.112.30 \
+	g.gtld-servers.net.,IN,A,172800,192.42.93.30 \
+	f.gtld-servers.net.,IN,A,172800,192.35.51.30 \
+	e.gtld-servers.net.,IN,A,172800,192.12.94.30 \
+	d.gtld-servers.net.,IN,A,172800,192.31.80.30 \
+	c.gtld-servers.net.,IN,A,172800,192.26.92.30 \
+	b.gtld-servers.net.,IN,A,172800,192.33.14.30 \
+	a.gtld-servers.net.,IN,A,172800,192.5.6.30 \
+	m.gtld-servers.net.,IN,AAAA,172800,2001:501:b1f9::30 \
+	l.gtld-servers.net.,IN,AAAA,172800,2001:500:d937::30 \
+	k.gtld-servers.net.,IN,AAAA,172800,2001:503:d2d::30 \
+	j.gtld-servers.net.,IN,AAAA,172800,2001:502:7094::30 \
+	i.gtld-servers.net.,IN,AAAA,172800,2001:503:39c1::30 \
+	h.gtld-servers.net.,IN,AAAA,172800,2001:502:8cc::30 \
+	g.gtld-servers.net.,IN,AAAA,172800,2001:503:eea3::30 \
+	f.gtld-servers.net.,IN,AAAA,172800,2001:503:d414::30 \
+	e.gtld-servers.net.,IN,AAAA,172800,2001:502:1ca1::30 \
+	d.gtld-servers.net.,IN,AAAA,172800,2001:500:856e::30 \
+	c.gtld-servers.net.,IN,AAAA,172800,2001:503:83eb::30 \
+	b.gtld-servers.net.,IN,AAAA,172800,2001:503:231d::2:30 \
+	a.gtld-servers.net.,IN,AAAA,172800,2001:503:a83e::2:30 \
+	.,1232,1232,0,edns0[len=39,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=24],edns0opt[ECS,family=1,source=24,scope=0,addr=250.154.229.0]
+[86] 2023-07-05 07:21:46.511502 [#12 edns.pcap-dist 4095] \
+	[122.143.39.9].35191 [214.180.194.165].53  \
+	dns QUERY,NOERROR,960,rd|ad \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=12,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=8]
+[131] 2023-07-05 07:21:46.518500 [#13 edns.pcap-dist 4095] \
+	[214.180.194.165].53 [122.143.39.9].35191  \
+	dns QUERY,SERVFAIL,960,qr|rd|ra \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,1232,1232,0,edns0[len=57,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=15,codelen=53]
+[64] 2023-07-05 07:21:38.669836 [#0 edns.pcap-dist 4095] \
+	[172.17.0.6].58541 [172.17.0.1].53  \
+	dns QUERY,NOERROR,31428,rd \
+	1 h.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:38.669891 [#1 edns.pcap-dist 4095] \
+	[172.17.0.6].58541 [172.17.0.1].53  \
+	dns QUERY,NOERROR,5824,rd \
+	1 h.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:38.669977 [#2 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].58541  \
+	dns QUERY,NOERROR,31428,qr|rd|ra \
+	1 h.root-servers.net.,IN,A \
+	1 h.root-servers.net.,IN,A,85098,198.97.190.53 0 0
+[92] 2023-07-05 07:21:38.670010 [#3 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].58541  \
+	dns QUERY,NOERROR,5824,qr|rd|ra \
+	1 h.root-servers.net.,IN,AAAA \
+	1 h.root-servers.net.,IN,AAAA,85098,2001:500:1::53 0 0
+[88] 2023-07-05 07:21:38.670793 [#4 edns.pcap-dist 4095] \
+	[172.17.0.6].33737 [198.97.190.53].53  \
+	dns QUERY,NOERROR,56979,rd|ad \
+	1 ns1.dns.nic.aaa.,IN,NS 0 0 \
+	1 .,4096,4096,0,edns0[len=16,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=0],edns0opt[code=10,codelen=8]
+[464] 2023-07-05 07:21:38.698303 [#5 edns.pcap-dist 4095] \
+	[198.97.190.53].53 [172.17.0.6].33737  \
+	dns QUERY,NOERROR,56979,qr|rd \
+	1 ns1.dns.nic.aaa.,IN,NS 0 \
+	6 aaa.,IN,NS,172800,a.nic.aaa. \
+	aaa.,IN,NS,172800,b.nic.aaa. \
+	aaa.,IN,NS,172800,c.nic.aaa. \
+	aaa.,IN,NS,172800,ns1.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns2.dns.nic.aaa. \
+	aaa.,IN,NS,172800,ns3.dns.nic.aaa. \
+	13 a.nic.aaa.,IN,A,172800,37.209.192.9 \
+	b.nic.aaa.,IN,A,172800,37.209.194.9 \
+	c.nic.aaa.,IN,A,172800,37.209.196.9 \
+	ns1.dns.nic.aaa.,IN,A,172800,156.154.144.2 \
+	ns2.dns.nic.aaa.,IN,A,172800,156.154.145.2 \
+	ns3.dns.nic.aaa.,IN,A,172800,156.154.159.2 \
+	a.nic.aaa.,IN,AAAA,172800,2001:dcd:1::9 \
+	b.nic.aaa.,IN,AAAA,172800,2001:dcd:2::9 \
+	c.nic.aaa.,IN,AAAA,172800,2001:dcd:3::9 \
+	ns1.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1071::2 \
+	ns2.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1072::2 \
+	ns3.dns.nic.aaa.,IN,AAAA,172800,2610:a1:1073::2 \
+	.,1232,1232,0,edns0[len=30,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=3,codelen=26]
+[64] 2023-07-05 07:21:42.739334 [#6 edns.pcap-dist 4095] \
+	[172.17.0.6].53174 [172.17.0.1].53  \
+	dns QUERY,NOERROR,48648,rd \
+	1 g.root-servers.net.,IN,A 0 0 0
+[64] 2023-07-05 07:21:42.739396 [#7 edns.pcap-dist 4095] \
+	[172.17.0.6].53174 [172.17.0.1].53  \
+	dns QUERY,NOERROR,48141,rd \
+	1 g.root-servers.net.,IN,AAAA 0 0 0
+[80] 2023-07-05 07:21:42.739525 [#8 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].53174  \
+	dns QUERY,NOERROR,48648,qr|rd|ra \
+	1 g.root-servers.net.,IN,A \
+	1 g.root-servers.net.,IN,A,85094,192.112.36.4 0 0
+[92] 2023-07-05 07:21:42.739558 [#9 edns.pcap-dist 4095] \
+	[172.17.0.1].53 [172.17.0.6].53174  \
+	dns QUERY,NOERROR,48141,qr|rd|ra \
+	1 g.root-servers.net.,IN,AAAA \
+	1 g.root-servers.net.,IN,AAAA,85094,2001:500:12::d0d 0 0
+[83] 2023-07-05 07:21:42.740590 [#10 edns.pcap-dist 4095] \
+	[172.17.0.6].50901 [192.112.36.4].53  \
+	dns QUERY,NOERROR,35713,rd|ad \
+	1 net.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=23,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[ECS,family=1,source=24,scope=0,addr=250.154.229.0],edns0opt[code=10,codelen=8]
+[895] 2023-07-05 07:21:42.836816 [#11 edns.pcap-dist 4095] \
+	[192.112.36.4].53 [172.17.0.6].50901  \
+	dns QUERY,NOERROR,35713,qr|rd \
+	1 net.,IN,A 0 \
+	13 net.,IN,NS,172800,j.gtld-servers.net. \
+	net.,IN,NS,172800,b.gtld-servers.net. \
+	net.,IN,NS,172800,a.gtld-servers.net. \
+	net.,IN,NS,172800,h.gtld-servers.net. \
+	net.,IN,NS,172800,d.gtld-servers.net. \
+	net.,IN,NS,172800,c.gtld-servers.net. \
+	net.,IN,NS,172800,i.gtld-servers.net. \
+	net.,IN,NS,172800,e.gtld-servers.net. \
+	net.,IN,NS,172800,m.gtld-servers.net. \
+	net.,IN,NS,172800,f.gtld-servers.net. \
+	net.,IN,NS,172800,k.gtld-servers.net. \
+	net.,IN,NS,172800,l.gtld-servers.net. \
+	net.,IN,NS,172800,g.gtld-servers.net. \
+	27 m.gtld-servers.net.,IN,A,172800,192.55.83.30 \
+	l.gtld-servers.net.,IN,A,172800,192.41.162.30 \
+	k.gtld-servers.net.,IN,A,172800,192.52.178.30 \
+	j.gtld-servers.net.,IN,A,172800,192.48.79.30 \
+	i.gtld-servers.net.,IN,A,172800,192.43.172.30 \
+	h.gtld-servers.net.,IN,A,172800,192.54.112.30 \
+	g.gtld-servers.net.,IN,A,172800,192.42.93.30 \
+	f.gtld-servers.net.,IN,A,172800,192.35.51.30 \
+	e.gtld-servers.net.,IN,A,172800,192.12.94.30 \
+	d.gtld-servers.net.,IN,A,172800,192.31.80.30 \
+	c.gtld-servers.net.,IN,A,172800,192.26.92.30 \
+	b.gtld-servers.net.,IN,A,172800,192.33.14.30 \
+	a.gtld-servers.net.,IN,A,172800,192.5.6.30 \
+	m.gtld-servers.net.,IN,AAAA,172800,2001:501:b1f9::30 \
+	l.gtld-servers.net.,IN,AAAA,172800,2001:500:d937::30 \
+	k.gtld-servers.net.,IN,AAAA,172800,2001:503:d2d::30 \
+	j.gtld-servers.net.,IN,AAAA,172800,2001:502:7094::30 \
+	i.gtld-servers.net.,IN,AAAA,172800,2001:503:39c1::30 \
+	h.gtld-servers.net.,IN,AAAA,172800,2001:502:8cc::30 \
+	g.gtld-servers.net.,IN,AAAA,172800,2001:503:eea3::30 \
+	f.gtld-servers.net.,IN,AAAA,172800,2001:503:d414::30 \
+	e.gtld-servers.net.,IN,AAAA,172800,2001:502:1ca1::30 \
+	d.gtld-servers.net.,IN,AAAA,172800,2001:500:856e::30 \
+	c.gtld-servers.net.,IN,AAAA,172800,2001:503:83eb::30 \
+	b.gtld-servers.net.,IN,AAAA,172800,2001:503:231d::2:30 \
+	a.gtld-servers.net.,IN,AAAA,172800,2001:503:a83e::2:30 \
+	.,1232,1232,0,edns0[len=39,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=24],edns0opt[ECS,family=1,source=24,scope=0,addr=250.154.229.0]
+[86] 2023-07-05 07:21:46.511502 [#12 edns.pcap-dist 4095] \
+	[172.17.0.6].35191 [1.1.1.1].53  \
+	dns QUERY,NOERROR,960,rd|ad \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=12,UDP=4096,ver=0,rcode=0,DO=0,z=0],edns0opt[code=10,codelen=8]
+[131] 2023-07-05 07:21:46.518500 [#13 edns.pcap-dist 4095] \
+	[1.1.1.1].53 [172.17.0.6].35191  \
+	dns QUERY,SERVFAIL,960,qr|rd|ra \
+	1 dnssec-failed.org.,IN,A 0 0 \
+	1 .,1232,1232,0,edns0[len=57,UDP=1232,ver=0,rcode=0,DO=0,z=0],edns0opt[code=15,codelen=53]

plugins/ipcrypt/test1.sh

@@ -14,6 +14,11 @@ ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
 ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -s 2>>test1.out
 ! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -c -s 2>>test1.out
 
+ln -fs "$srcdir/../../src/test/edns.pcap" edns.pcap-dist
+
+../../src/dnscap -r edns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -e 2>>test1.out
+../../src/dnscap -r edns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -E 2>>test1.out
+
 osrel=`uname -s`
 if [ "$osrel" = "OpenBSD" ]; then
     mv test1.out test1.out.old

plugins/ipcrypt/test2.sh

@@ -19,12 +19,4 @@ if [ "$osrel" = "OpenBSD" ]; then
     rm test2.out.old
 fi
 
-# TODO: Remove when #133 is fixed
-cat test2.out | \
-  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
-  sed 's%,CLASS512,OPT,%,512,512,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
-mv test2.new test2.out
-
 diff test2.out "$srcdir/test2.gold"

plugins/ipcrypt/test3.sh

@@ -21,12 +21,4 @@ if [ "$osrel" = "OpenBSD" ]; then
     rm test3.out.old
 fi
 
-# TODO: Remove when #133 is fixed
-cat test3.out | \
-  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
-  sed 's%,CLASS512,OPT,%,512,512,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
-  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
-mv test3.new test3.out
-
 diff test3.out "$srcdir/test3.gold"

plugins/pcapdump/Makefile.am

@@ -1,5 +1,5 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
@@ -12,7 +12,7 @@ pcapdump_la_LDFLAGS = -module -avoid-version
 
 TESTS = test1.sh
 EXTRA_DIST = $(TESTS)
-CLEANFILES += test1.out* *.pcap-dist
+CLEANFILES += test1.out
 
 if ENABLE_GCOV
 gcov-local:

plugins/pcapdump/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -205,8 +205,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -362,6 +360,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -400,6 +399,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -410,6 +411,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -516,7 +518,7 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov test1.out* *.pcap-dist
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist test1.out
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
@@ -803,7 +805,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -858,7 +860,6 @@ test1.sh.log: test1.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

plugins/royparse/Makefile.am

@@ -1,5 +1,5 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
@@ -13,7 +13,7 @@ royparse_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
 
 TESTS = test1.sh
 EXTRA_DIST = $(TESTS)
-CLEANFILES += test1.out* *.pcap-dist
+CLEANFILES += test1.out
 
 if ENABLE_GCOV
 gcov-local:

plugins/royparse/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -205,8 +205,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -362,6 +360,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -400,6 +399,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -410,6 +411,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -516,7 +518,7 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov test1.out* *.pcap-dist
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist test1.out
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
@@ -804,7 +806,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -859,7 +861,6 @@ test1.sh.log: test1.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

plugins/rssm/Makefile.am

@@ -1,6 +1,5 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = $(srcdir)/hashtbl.c \
-    hashtbl.c *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
@@ -10,8 +9,6 @@ AM_CFLAGS = -I$(srcdir) \
 
 pkglib_LTLIBRARIES = rssm.la
 rssm_la_SOURCES = rssm.c
-nodist_rssm_la_SOURCES = hashtbl.c
-BUILT_SOURCES = hashtbl.c
 rssm_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
 TESTS = test1.sh test2.sh test3.sh test4.sh test5.sh
 EXTRA_DIST = $(TESTS) test1.gold test2.gold dnscap-rssm-rssac002.1.in \
@@ -29,12 +26,6 @@ gcov-local:
 	done
 endif
 
-hashtbl.c: $(top_srcdir)/src/hashtbl.c
-	cp $(top_srcdir)/src/hashtbl.c ./
-
-$(srcdir)/hashtbl.c: $(top_srcdir)/src/hashtbl.c
-	cp $(top_srcdir)/src/hashtbl.c $(srcdir)/
-
 dnscap-rssm-rssac002.1: dnscap-rssm-rssac002.1.in Makefile
 	sed -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' \
         -e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \

plugins/rssm/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -140,8 +140,7 @@ am__installdirs = "$(DESTDIR)$(pkglibdir)" "$(DESTDIR)$(bindir)" \
 LTLIBRARIES = $(pkglib_LTLIBRARIES)
 rssm_la_LIBADD =
 am_rssm_la_OBJECTS = rssm.lo
-nodist_rssm_la_OBJECTS = hashtbl.lo
-rssm_la_OBJECTS = $(am_rssm_la_OBJECTS) $(nodist_rssm_la_OBJECTS)
+rssm_la_OBJECTS = $(am_rssm_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
@@ -165,7 +164,7 @@ am__v_at_1 =
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)/src
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__maybe_remake_depfiles = depfiles
-am__depfiles_remade = ./$(DEPDIR)/hashtbl.Plo ./$(DEPDIR)/rssm.Plo
+am__depfiles_remade = ./$(DEPDIR)/rssm.Plo
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -185,7 +184,7 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(rssm_la_SOURCES) $(nodist_rssm_la_SOURCES)
+SOURCES = $(rssm_la_SOURCES)
 DIST_SOURCES = $(rssm_la_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
@@ -213,8 +212,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -370,6 +367,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -393,7 +391,7 @@ TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
 TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
 	$(TEST_LOG_FLAGS)
 am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp \
-	$(top_srcdir)/test-driver
+	$(top_srcdir)/test-driver README.md
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -408,6 +406,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -418,6 +418,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -524,7 +525,7 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = $(srcdir)/hashtbl.c hashtbl.c *.gcda *.gcno *.gcov \
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist \
 	test1.20161020.152301.075993 test2.out $(man1_MANS) \
 	test3.20181127.155200.414188 test4.*20161020.152301.075993 \
 	test5.20180110.112241.543825
@@ -536,8 +537,6 @@ AM_CFLAGS = -I$(srcdir) \
 
 pkglib_LTLIBRARIES = rssm.la
 rssm_la_SOURCES = rssm.c
-nodist_rssm_la_SOURCES = hashtbl.c
-BUILT_SOURCES = hashtbl.c
 rssm_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
 TESTS = test1.sh test2.sh test3.sh test4.sh test5.sh
 EXTRA_DIST = $(TESTS) test1.gold test2.gold dnscap-rssm-rssac002.1.in \
@@ -545,8 +544,7 @@ EXTRA_DIST = $(TESTS) test1.gold test2.gold dnscap-rssm-rssac002.1.in \
 
 dist_bin_SCRIPTS = dnscap-rssm-rssac002
 man1_MANS = dnscap-rssm-rssac002.1
-all: $(BUILT_SOURCES)
-	$(MAKE) $(AM_MAKEFLAGS) all-am
+all: all-am
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .log .o .obj .test .test$(EXEEXT) .trs
@@ -659,7 +657,6 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtbl.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rssm.Plo@am__quote@ # am--include-marker
 
 $(am__depfiles_remade):
@@ -899,7 +896,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -982,7 +979,6 @@ test5.sh.log: test5.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 
@@ -1018,15 +1014,13 @@ distdir-am: $(DISTFILES)
 	done
 check-am: all-am
 	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
-check: $(BUILT_SOURCES)
-	$(MAKE) $(AM_MAKEFLAGS) check-am
+check: check-am
 all-am: Makefile $(LTLIBRARIES) $(SCRIPTS) $(MANS)
 installdirs:
 	for dir in "$(DESTDIR)$(pkglibdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man1dir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
-install: $(BUILT_SOURCES)
-	$(MAKE) $(AM_MAKEFLAGS) install-am
+install: install-am
 install-exec: install-exec-am
 install-data: install-data-am
 uninstall: uninstall-am
@@ -1060,7 +1054,6 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
 	-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
 @ENABLE_GCOV_FALSE@gcov-local:
 clean: clean-am
@@ -1069,8 +1062,7 @@ clean-am: clean-generic clean-libtool clean-pkglibLTLIBRARIES \
 	mostlyclean-am
 
 distclean: distclean-am
-		-rm -f ./$(DEPDIR)/hashtbl.Plo
-	-rm -f ./$(DEPDIR)/rssm.Plo
+		-rm -f ./$(DEPDIR)/rssm.Plo
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -1120,8 +1112,7 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-		-rm -f ./$(DEPDIR)/hashtbl.Plo
-	-rm -f ./$(DEPDIR)/rssm.Plo
+		-rm -f ./$(DEPDIR)/rssm.Plo
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
@@ -1143,7 +1134,7 @@ uninstall-am: uninstall-dist_binSCRIPTS uninstall-man \
 
 uninstall-man: uninstall-man1
 
-.MAKE: all check check-am install install-am install-strip
+.MAKE: check-am install-am install-strip
 
 .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \
 	check-am clean clean-generic clean-libtool \
@@ -1171,12 +1162,6 @@ uninstall-man: uninstall-man1
 @ENABLE_GCOV_TRUE@	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
 @ENABLE_GCOV_TRUE@	done
 
-hashtbl.c: $(top_srcdir)/src/hashtbl.c
-	cp $(top_srcdir)/src/hashtbl.c ./
-
-$(srcdir)/hashtbl.c: $(top_srcdir)/src/hashtbl.c
-	cp $(top_srcdir)/src/hashtbl.c $(srcdir)/
-
 dnscap-rssm-rssac002.1: dnscap-rssm-rssac002.1.in Makefile
 	sed -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' \
         -e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \

plugins/rssm/README.md

@@ -0,0 +1,42 @@
+# Root Server Scaling Measurement (RSSM) plugin
+
+This plugin collects data as described by the [RSSAC002v3 specification](https://www.icann.org/en/system/files/files/rssac-002-measurements-root-06jun16-en.pdf)
+which has been created by [ICANN Root Server System Advisory Committee](https://www.icann.org/groups/rssac) (RSSAC).
+
+## Additions
+
+As the RSSAC002v3 specification states that measurements should be saved per
+24 hours interval, this plugin produces additional metrics that can be used
+to compile the 24 hours measurements allowing for variable time between
+output generation.
+
+Metric `dnscap-rssm-sources` has a hash entry called `sources` which lists
+IP addresses and the number of times they appeared.
+
+Metric `dnscap-rssm-aggregated-sources` has a hash entry called `aggregated-sources`
+which lists the aggregated IPv6 addresses by a /64 net and the number of times
+it has appeared.
+
+## Merge Tool
+
+The Perl script `dnscap-rssm-rssac002` is included and installed with `dnscap`
+and can be used to multiple combine RSSM plugin RSSAC002v3 YAML output files
+into one file.
+
+The script will merge and remove metric specific to this plugin and replace
+others to fill in correct values for the new time period. The earliest
+`start-period` found will be used for all metrics.
+
+**NOTE** no parsing of `start-period` is performed, it is up to the operator
+to only give input files related to the same 24 hour period.
+
+Options:
+- `--no-recompile`: Disabled the combining of metrics and the removal of
+  metrics specific to this plugin
+- `--keep-dnscap-rssm`: Do the combining but keep the metrics specific to
+  this plugin
+- `--sort`: Output will always start with `version:`, `service:`,
+  `start-period:` and `metric:`, rest of the values are not ordered by label.
+  This option enabled sorting of them, which is not required by the
+  specification but may help in debugging and testing cases.
+- `--skip-unsupported`: Skip unsupported RSSAC002 version metrics

plugins/rssm/rssm.c

@@ -60,7 +60,7 @@
 
 #include "dnscap_common.h"
 
-#include "hashtbl.h"
+#include "hashtbl.c"
 
 static logerr_t*     logerr;
 static my_bpftimeval open_ts;

plugins/rzkeychange/Makefile.am

@@ -1,5 +1,5 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
@@ -13,7 +13,6 @@ rzkeychange_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
 
 TESTS = test1.sh
 EXTRA_DIST = $(TESTS)
-CLEANFILES += *.pcap-dist
 
 if ENABLE_GCOV
 gcov-local:

plugins/rzkeychange/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -206,8 +206,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -363,6 +361,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -401,6 +400,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -411,6 +412,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -805,7 +807,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -860,7 +862,6 @@ test1.sh.log: test1.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 

plugins/rzkeychange/rzkeychange.c

@@ -287,7 +287,7 @@ void rzkeychange_submit_counts(void)
 {
     char      qname[256];
     ldns_pkt* pkt;
-    double    elapsed = (double)clos_ts.tv_sec - (double)open_ts.tv_sec + 0.000001 * clos_ts.tv_usec - 0.000001 * open_ts.tv_usec; //NOSONAR
+    double    elapsed = (double)clos_ts.tv_sec - (double)open_ts.tv_sec + 0.000001 * clos_ts.tv_usec - 0.000001 * open_ts.tv_usec; // NOSONAR
     int       k;
 
     k = snprintf(qname, sizeof(qname), "%lu-%u-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 ".%s.%s.%s",

plugins/shared/edns0_ecs.c

@@ -0,0 +1,222 @@
+/*
+ * Copyright (c) 2018-2023, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#define DNS_MSG_HDR_SZ 12
+#define RFC1035_MAXLABELSZ 63
+#define nptohs(p) ((((uint8_t*)(p))[0] << 8) | ((uint8_t*)(p))[1])
+
+static int rfc1035NameSkip(const u_char* buf, size_t sz, off_t* off)
+{
+    unsigned char c;
+    size_t        len;
+    /*
+     * loop_detect[] tracks which position in the DNS message it has
+     * jumped to so it can't jump to the same twice, aka loop
+     */
+    static unsigned char loop_detect[0x3FFF] = { 0 };
+    do {
+        if ((*off) >= sz)
+            break;
+        c = *(buf + (*off));
+        if (c > 191) {
+            /* blasted compression */
+            int            rc;
+            unsigned short s;
+            off_t          ptr, loop_ptr;
+            s = nptohs(buf + (*off));
+            (*off) += sizeof(s);
+            /* Sanity check */
+            if ((*off) >= sz)
+                return 1; /* message too short */
+            ptr = s & 0x3FFF;
+            /* Make sure the pointer is inside this message */
+            if (ptr >= sz)
+                return 2; /* bad compression ptr */
+            if (ptr < DNS_MSG_HDR_SZ)
+                return 2; /* bad compression ptr */
+            if (loop_detect[ptr])
+                return 4; /* compression loop */
+            loop_detect[(loop_ptr = ptr)] = 1;
+
+            rc = rfc1035NameSkip(buf, sz, &ptr);
+
+            loop_detect[loop_ptr] = 0;
+            return rc;
+        } else if (c > RFC1035_MAXLABELSZ) {
+            /*
+             * "(The 10 and 01 combinations are reserved for future use.)"
+             */
+            return 3; /* reserved label/compression flags */
+        } else {
+            (*off)++;
+            len = (size_t)c;
+            if (len == 0)
+                break;
+            if ((*off) + len > sz)
+                return 4; /* message is too short */
+            (*off) += len;
+        }
+    } while (c > 0);
+    return 0;
+}
+
+static off_t skip_question(const u_char* buf, int len, off_t offset)
+{
+    if (rfc1035NameSkip(buf, len, &offset))
+        return 0;
+    if (offset + 4 > len)
+        return 0;
+    offset += 4;
+    return offset;
+}
+
+static off_t skip_rr(const u_char* buf, int len, off_t offset)
+{
+    if (rfc1035NameSkip(buf, len, &offset))
+        return 0;
+    if (offset + 10 > len)
+        return 0;
+    unsigned short us = nptohs(buf + offset + 8);
+    offset += 10;
+    if (offset + us > len)
+        return 0;
+    offset += us;
+    return offset;
+}
+
+#define EDNS0_TYPE_ECS 8
+
+typedef void (*edns0_ecs_cb)(int family, u_char* buf, size_t len);
+
+static void process_edns0_options(u_char* buf, int len, edns0_ecs_cb cb)
+{
+    unsigned short edns0_type;
+    unsigned short edns0_len;
+    off_t          offset = 0;
+
+    while (len >= 4) {
+        edns0_type = nptohs(buf + offset);
+        edns0_len  = nptohs(buf + offset + 2);
+        if (len < 4 + edns0_len)
+            break;
+        if (edns0_type == EDNS0_TYPE_ECS) {
+            if (edns0_len < 5)
+                break;
+            if (cb)
+                cb(nptohs(buf + offset + 4), buf + offset + 8, edns0_len - 4);
+        }
+        offset += 4 + edns0_len;
+        len -= 4 + edns0_len;
+    }
+}
+
+#define T_OPT 41
+
+static off_t grok_additional_for_opt_rr(u_char* buf, int len, off_t offset, edns0_ecs_cb cb)
+{
+    unsigned short us;
+    /*
+     * OPT RR for EDNS0 MUST be 0 (root domain), so if the first byte of
+     * the name is anything it can't be a valid EDNS0 record.
+     */
+    if (*(buf + offset)) {
+        if (rfc1035NameSkip(buf, len, &offset))
+            return 0;
+        if (offset + 10 > len)
+            return 0;
+    } else {
+        offset++;
+        if (offset + 10 > len)
+            return 0;
+        if (nptohs(buf + offset) == T_OPT) {
+            u_char version = *(buf + offset + 5);
+            us             = nptohs(buf + offset + 8); // rd len
+            offset += 10;
+            if (offset + us > len)
+                return 0;
+            if (!version && us > 0)
+                process_edns0_options(buf + offset, us, cb);
+            offset += us;
+            return offset;
+        }
+    }
+    /* get rdlength */
+    us = nptohs(buf + offset + 8);
+    offset += 10;
+    if (offset + us > len)
+        return 0;
+    offset += us;
+    return offset;
+}
+
+static void parse_for_edns0_ecs(u_char* payload, size_t payloadlen, edns0_ecs_cb cb)
+{
+    off_t offset;
+    int   qdcount, ancount, nscount, arcount;
+
+    qdcount = nptohs(payload + 4);
+    ancount = nptohs(payload + 6);
+    nscount = nptohs(payload + 8);
+    arcount = nptohs(payload + 10);
+
+    offset = DNS_MSG_HDR_SZ;
+
+    while (qdcount > 0 && offset < payloadlen) {
+        if (!(offset = skip_question(payload, payloadlen, offset))) {
+            return;
+        }
+        qdcount--;
+    }
+
+    while (ancount > 0 && offset < payloadlen) {
+        if (!(offset = skip_rr(payload, payloadlen, offset))) {
+            return;
+        }
+        ancount--;
+    }
+
+    while (nscount > 0 && offset < payloadlen) {
+        if (!(offset = skip_rr(payload, payloadlen, offset))) {
+            return;
+        }
+        nscount--;
+    }
+
+    while (arcount > 0 && offset < payloadlen) {
+        if (!(offset = grok_additional_for_opt_rr(payload, payloadlen, offset, cb))) {
+            return;
+        }
+        arcount--;
+    }
+}

plugins/template/Makefile.am

@@ -1,5 +1,5 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
@@ -12,7 +12,6 @@ template_la_LDFLAGS = -module -avoid-version
 
 TESTS = test1.sh
 EXTRA_DIST = $(TESTS)
-CLEANFILES += *.pcap-dist
 
 if ENABLE_GCOV
 gcov-local:

plugins/txtout/Makefile.am

@@ -1,5 +1,5 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
@@ -12,7 +12,7 @@ txtout_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
 
 TESTS = test1.sh
 EXTRA_DIST = $(TESTS)
-CLEANFILES += test1.out *.pcap-dist
+CLEANFILES += test1.out
 
 if ENABLE_GCOV
 gcov-local:

plugins/txtout/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -205,8 +205,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -362,6 +360,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -400,6 +399,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -410,6 +411,7 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
@@ -516,7 +518,7 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov test1.out *.pcap-dist
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist test1.out
 AM_CFLAGS = -I$(srcdir) \
     -I$(top_srcdir)/src \
     -I$(top_srcdir)/isc \
@@ -803,7 +805,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -858,7 +860,6 @@ test1.sh.log: test1.sh
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am