From 7cc09e3e2def6558bc4b8ede90816d0808ed7c3f Mon Sep 17 00:00:00 2001
From: Matthew Zipkin <pinheadmz@gmail.com>
Date: Wed, 1 Dec 2021 10:21:27 -0500
Subject: [PATCH] dns: make name_dirty test more like hsd rule.verifyName()

---
 src/dns.c        | 37 +++++++++++++++++++++----------------
 src/ns.c         |  2 +-
 test/hnsd-test.c | 23 +++++++++++++++++++++++
 3 files changed, 45 insertions(+), 17 deletions(-)

diff --git a/src/dns.c b/src/dns.c
index c9fe6394..f30158f8 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -2431,29 +2431,34 @@ hsk_dns_name_alloc(
 
 bool
 hsk_dns_name_dirty(const char *name) {
-  char *s = (char *)name;
+  int len = strlen(name);
+  if (len > HSK_DNS_MAX_LABEL)
+    return false;
 
-  while (*s) {
-    uint8_t c = (uint8_t)*s;
+  for (int i = 0; i < len; i++) {
+    uint8_t c = name[i];
+
+    if (c >= 0x41 && c <= 0x5a)
+      c ^= 0x20;
 
     switch (c) {
-      case 0x28 /*(*/:
-      case 0x29 /*)*/:
-      case 0x3b /*;*/:
-      case 0x20 /* */:
-      case 0x40 /*@*/:
-      case 0x22 /*"*/:
-      case 0x5c /*\\*/:
-        return true;
+      case 0x5f: /* _ */
+      case 0x2d: /* - */
+        if (i == 0 || i == len - 1) {
+          return false;
+        } else {
+          continue;
+        }
     }
 
-    if (c < 0x20 || c > 0x7e)
-      return true;
-
-    s += 1;
+    if (c < 0x30 ||
+       (c > 0x39 && c < 0x61) ||
+        c > 0x7a) {
+      return false;
+    }
   }
 
-  return false;
+  return true;
 }
 
 void
diff --git a/src/ns.c b/src/ns.c
index 71cbe955..6b2f9ef5 100644
--- a/src/ns.c
+++ b/src/ns.c
@@ -302,7 +302,7 @@ hsk_ns_onrecv(
 
   // Send REFUSED if name is dirty
   // (contains escaped byte codes or special characters)
-  if (hsk_dns_name_dirty(req->tld)) {
+  if (!hsk_dns_name_dirty(req->tld)) {
     msg = hsk_resource_to_refused();
 
     if (!msg) {
diff --git a/test/hnsd-test.c b/test/hnsd-test.c
index 5049ec70..5fd1dc64 100644
--- a/test/hnsd-test.c
+++ b/test/hnsd-test.c
@@ -207,6 +207,28 @@ test_prev_name() {
   ) == 0);
 }
 
+void
+test_verify_name() {
+  printf("test_verify_name\n");
+
+  assert(hsk_dns_name_dirty("hello"));
+  assert(hsk_dns_name_dirty("HELLO"));
+  assert(hsk_dns_name_dirty("heLLo"));
+  assert(hsk_dns_name_dirty("HeLl0"));
+  assert(hsk_dns_name_dirty("hel-lo"));
+  assert(hsk_dns_name_dirty("1"));
+  assert(hsk_dns_name_dirty("000_000"));
+  assert(hsk_dns_name_dirty("this-domain-name-has-sixty-three-octets-taking-max-label-length"));
+  assert(!hsk_dns_name_dirty("hel!lo"));
+  assert(!hsk_dns_name_dirty("-hello"));
+  assert(!hsk_dns_name_dirty("hello_"));
+  assert(!hsk_dns_name_dirty("1@1"));
+  assert(!hsk_dns_name_dirty("x\\000y"));
+  assert(!hsk_dns_name_dirty("H&ELLO"));
+  assert(!hsk_dns_name_dirty("3 3"));
+  assert(!hsk_dns_name_dirty("this-domain-name-has-sixtyfour-octets-exceeding-max-label-length"));
+}
+
 /*
  * TEST RUNNER
  */
@@ -220,6 +242,7 @@ main() {
   test_decode_resource();
   test_next_name();
   test_prev_name();
+  test_verify_name();
 
   printf("ok\n");