src - OpenBSD base system

diff options


context:
space:
mode:

author	Stuart Henderson <sthen@cvs.openbsd.org>	2023-09-05 11:07:50 +0000
committer	Stuart Henderson <sthen@cvs.openbsd.org>	2023-09-05 11:07:50 +0000
commit	65023e51352b4beeaa4af0238ec090b306289d66 (patch)
tree	d3f6a24b3382284c9bf89a5f93f5ff76d6666e02 /usr.sbin/unbound/util
parent	c1b43d4e7957a063ae5ffed673d4ba1ecf2dbb6d (diff)

import unbound 1.18.0, ok florian

Diffstat (limited to 'usr.sbin/unbound/util')

-rw-r--r--

usr.sbin/unbound/util/data/msgencode.h

-rw-r--r--

usr.sbin/unbound/util/edns.c

-rw-r--r--

usr.sbin/unbound/util/edns.h

-rw-r--r--

usr.sbin/unbound/util/regional.c

-rw-r--r--

usr.sbin/unbound/util/rfc_1982.c

-rw-r--r--

usr.sbin/unbound/util/rfc_1982.h

-rw-r--r--

usr.sbin/unbound/util/siphash.c

187

-rw-r--r--

usr.sbin/unbound/util/siphash.h

-rw-r--r--

usr.sbin/unbound/util/timeval_func.c

113

-rw-r--r--

usr.sbin/unbound/util/timeval_func.h

10 files changed, 692 insertions, 3 deletions

diff --git a/usr.sbin/unbound/util/data/msgencode.h b/usr.sbin/unbound/util/data/msgencode.h
index 30dc515cbe5..6aff06099ee 100644
--- a/usr.sbin/unbound/util/data/msgencode.h
+++ b/usr.sbin/unbound/util/data/msgencode.h

@@ -109,6 +109,27 @@ void qinfo_query_encode(struct sldns_buffer* pkt, struct query_info* qinfo);

uint16_t calc_edns_field_size(struct edns_data* edns);

/**

+ * Calculate the size of a specific EDNS option in packet.

+ * @param edns: edns data or NULL.

+ * @param code: the opt code to get the size of.

+ * @return octets the option will take up.

+ */

+uint16_t calc_edns_option_size(struct edns_data* edns, uint16_t code);

+/**

+ * Calculate the size of the EDE option(s) in packet. Also calculate seperately

+ * the size of the EXTRA-TEXT field(s) in case we can trim them to fit.

+ * In this case include any LDNS_EDE_OTHER options in their entirety since they

+ * are useless without extra text.

+ * @param edns: edns data or NULL.

+ * @param txt_size: the size of the EXTRA-TEXT field(s); this includes

+ * LDNS_EDE_OTHER in their entirety since they are useless without

+ * extra text.

+ * @return octets the option will take up.

+ */

+uint16_t calc_ede_option_size(struct edns_data* edns, uint16_t* txt_size);

+/**

* Attach EDNS record to buffer. Buffer has complete packet. There must

* be enough room left for the EDNS record.

* @param pkt: packet added to.

@@ -116,11 +137,11 @@ uint16_t calc_edns_field_size(struct edns_data* edns);

void attach_edns_record(struct sldns_buffer* pkt, struct edns_data* edns);

-/**

+/**

* Encode an error. With QR and RA set.

* @param pkt: where to store the packet.

- * @param r: RCODE value to encode.

+ * @param r: RCODE value to encode (may contain extra flags).

* @param qinfo: if not NULL, the query is included.

* @param qid: query ID to set in packet. network order.

* @param qflags: original query flags (to copy RD and CD bits). host order.

@@ -130,4 +151,21 @@ void attach_edns_record(struct sldns_buffer* pkt, struct edns_data* edns);

void error_encode(struct sldns_buffer* pkt, int r, struct query_info* qinfo,

uint16_t qid, uint16_t qflags, struct edns_data* edns);

+/**

+ * Encode an extended error. With QR and RA set.

+ *

+ * @param pkt: where to store the packet.

+ * @param rcode: Extended RCODE value to encode.

+ * @param qinfo: if not NULL, the query is included.

+ * @param qid: query ID to set in packet. network order.

+ * @param qflags: original query flags (to copy RD and CD bits). host order.

+ * @param xflags: extra flags to set (such as for example BIT_AA and/or BIT_TC)

+ * @param edns: if not NULL, this is the query edns info,

+ * and an edns reply is attached. Only attached if EDNS record fits reply.

+ * Without edns extended errors (i.e. > 15) will not be conveyed.

+ */

+void extended_error_encode(struct sldns_buffer* pkt, uint16_t rcode,

+ struct query_info* qinfo, uint16_t qid, uint16_t qflags,

+ uint16_t xflags, struct edns_data* edns);

#endif /* UTIL_DATA_MSGENCODE_H */

diff --git a/usr.sbin/unbound/util/edns.c b/usr.sbin/unbound/util/edns.c
index f55dcb97e75..2b4047f0b60 100644
--- a/usr.sbin/unbound/util/edns.c
+++ b/usr.sbin/unbound/util/edns.c

@@ -45,8 +45,11 @@

#include "util/netevent.h"

#include "util/net_help.h"

#include "util/regional.h"

+#include "util/rfc_1982.h"

+#include "util/siphash.h"

#include "util/data/msgparse.h"

#include "util/data/msgreply.h"

+#include "sldns/sbuffer.h"

struct edns_strings* edns_strings_create(void)

{

@@ -128,3 +131,59 @@ edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,

return (struct edns_string_addr*)addr_tree_lookup(tree, addr, addrlen);

}

+uint8_t*

+edns_cookie_server_hash(const uint8_t* in, const uint8_t* secret, int v4,

+ uint8_t* hash)

+ v4?siphash(in, 20, secret, hash, 8):siphash(in, 32, secret, hash, 8);

+ return hash;

+void

+edns_cookie_server_write(uint8_t* buf, const uint8_t* secret, int v4,

+ uint32_t timestamp)

+ uint8_t hash[8];

+ buf[ 8] = 1; /* Version */

+ buf[ 9] = 0; /* Reserved */

+ buf[10] = 0; /* Reserved */

+ buf[11] = 0; /* Reserved */

+ sldns_write_uint32(buf + 12, timestamp);

+ (void)edns_cookie_server_hash(buf, secret, v4, hash);

+ memcpy(buf + 16, hash, 8);

+enum edns_cookie_val_status

+edns_cookie_server_validate(const uint8_t* cookie, size_t cookie_len,

+ const uint8_t* secret, size_t secret_len, int v4,

+ const uint8_t* hash_input, uint32_t now)

+ uint8_t hash[8];

+ uint32_t timestamp;

+ uint32_t subt_1982 = 0; /* Initialize for the compiler; unused value */

+ int comp_1982;

+ if(cookie_len != 24)

+ /* RFC9018 cookies are 24 bytes long */

+ return COOKIE_STATUS_CLIENT_ONLY;

+ if(secret_len != 16 || /* RFC9018 cookies have 16 byte secrets */

+ cookie[8] != 1) /* RFC9018 cookies are cookie version 1 */

+ return COOKIE_STATUS_INVALID;

+ timestamp = sldns_read_uint32(cookie + 12);

+ if((comp_1982 = compare_1982(now, timestamp)) > 0

+ && (subt_1982 = subtract_1982(timestamp, now)) > 3600)

+ /* Cookie is older than 1 hour (see RFC9018 Section 4.3.) */

+ return COOKIE_STATUS_EXPIRED;

+ if(comp_1982 <= 0 && subtract_1982(now, timestamp) > 300)

+ /* Cookie time is more than 5 minutes in the future.

+ * (see RFC9018 Section 4.3.) */

+ return COOKIE_STATUS_FUTURE;

+ if(memcmp(edns_cookie_server_hash(hash_input, secret, v4, hash),

+ cookie + 16, 8) != 0)

+ /* Hashes do not match */

+ return COOKIE_STATUS_INVALID;

+ if(comp_1982 > 0 && subt_1982 > 1800)

+ /* Valid cookie but older than 30 minutes, so create a new one

+ * anyway */

+ return COOKIE_STATUS_VALID_RENEW;

+ return COOKIE_STATUS_VALID;

diff --git a/usr.sbin/unbound/util/edns.h b/usr.sbin/unbound/util/edns.h
index d9ded0b84dc..5da0ecb290a 100644
--- a/usr.sbin/unbound/util/edns.h
+++ b/usr.sbin/unbound/util/edns.h

@@ -75,6 +75,15 @@ struct edns_string_addr {

size_t string_len;

};

+enum edns_cookie_val_status {

+ COOKIE_STATUS_CLIENT_ONLY = -3,

+ COOKIE_STATUS_FUTURE = -2,

+ COOKIE_STATUS_EXPIRED = -1,

+ COOKIE_STATUS_INVALID = 0,

+ COOKIE_STATUS_VALID = 1,

+ COOKIE_STATUS_VALID_RENEW = 2,

+};

/**

* Create structure to hold EDNS strings

* @return: newly created edns_strings, NULL on alloc failure.

@@ -106,4 +115,54 @@ struct edns_string_addr*

edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,

socklen_t addrlen);

+/**

+ * Compute the interoperable DNS cookie (RFC9018) hash.

+ * @param in: buffer input for the hash generation. It needs to be:

+ * Client Cookie | Version | Reserved | Timestamp | Client-IP

+ * @param secret: the server secret; implicit length of 16 octets.

+ * @param v4: if the client IP is v4 or v6.

+ * @param hash: buffer to write the hash to.

+ * return a pointer to the hash.

+ */

+uint8_t* edns_cookie_server_hash(const uint8_t* in, const uint8_t* secret,

+ int v4, uint8_t* hash);

+/**

+ * Write an interoperable DNS server cookie (RFC9018).

+ * @param buf: buffer to write to. It should have a size of at least 32 octets

+ * as it doubles as the output buffer and the hash input buffer.

+ * The first 8 octets are expected to be the Client Cookie and will be

+ * left untouched.

+ * The next 8 octets will be written with Version | Reserved | Timestamp.

+ * The next 4 or 16 octets are expected to be the IPv4 or the IPv6 address

+ * based on the v4 flag.

+ * Thus the first 20 or 32 octets, based on the v4 flag, will be used as

+ * the hash input.

+ * The server hash (8 octets) will be written after the first 16 octets;

+ * overwriting the address information.

+ * The caller expects a complete, 24 octet long cookie in the buffer.

+ * @param secret: the server secret; implicit length of 16 octets.

+ * @param v4: if the client IP is v4 or v6.

+ * @param timestamp: the timestamp to use.

+ */

+void edns_cookie_server_write(uint8_t* buf, const uint8_t* secret, int v4,

+ uint32_t timestamp);

+/**

+ * Validate an interoperable DNS cookie (RFC9018).

+ * @param cookie: pointer to the cookie data.

+ * @param cookie_len: the length of the cookie data.

+ * @param secret: pointer to the server secret.

+ * @param secret_len: the length of the secret.

+ * @param v4: if the client IP is v4 or v6.

+ * @param hash_input: pointer to the hash input for validation. It needs to be:

+ * Client Cookie | Version | Reserved | Timestamp | Client-IP

+ * @param now: the current time.

+ * return edns_cookie_val_status with the cookie validation status i.e.,

+ * <=0 for invalid, else valid.

+ */

+enum edns_cookie_val_status edns_cookie_server_validate(const uint8_t* cookie,

+ size_t cookie_len, const uint8_t* secret, size_t secret_len, int v4,

+ const uint8_t* hash_input, uint32_t now);

#endif

diff --git a/usr.sbin/unbound/util/regional.c b/usr.sbin/unbound/util/regional.c
index 93e911c5ec1..44aee68b202 100644
--- a/usr.sbin/unbound/util/regional.c
+++ b/usr.sbin/unbound/util/regional.c

@@ -186,7 +186,7 @@ regional_alloc_init(struct regional* r, const void *init, size_t size)

{

void *s = regional_alloc(r, size);

if(!s) return NULL;

- memcpy(s, init, size);

+ memmove(s, init, size);

return s;

}

diff --git a/usr.sbin/unbound/util/rfc_1982.c b/usr.sbin/unbound/util/rfc_1982.c
new file mode 100644
index 00000000000..c28deded606
--- /dev/null
+++ b/usr.sbin/unbound/util/rfc_1982.c

@@ -0,0 +1,74 @@

+/*

+ * util/rfc_1982.c - RFC 1982 Serial Number Arithmetic

+ *

+ * This software is open source.

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ *

+ * Redistributions of source code must retain the above copyright notice,

+ * this list of conditions and the following disclaimer.

+ *

+ * Redistributions in binary form must reproduce the above copyright notice,

+ * this list of conditions and the following disclaimer in the documentation

+ * and/or other materials provided with the distribution.

+ *

+ * Neither the name of the NLNET LABS nor the names of its contributors may

+ * be used to endorse or promote products derived from this software without

+ * specific prior written permission.

+ *

+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED

+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+ */

+/**

+ * \file

+ *

+ * This file contains functions for RFC 1982 serial number arithmetic.

+ */

+#include "config.h"

+int

+compare_1982(uint32_t a, uint32_t b)

+ /* for 32 bit values */

+ const uint32_t cutoff = ((uint32_t) 1 << (32 - 1));

+ if (a == b) {

+ return 0;

+ } else if ((a < b && b - a < cutoff) || (a > b && a - b > cutoff)) {

+ return -1;

+ } else {

+ return 1;

+ }

+uint32_t

+subtract_1982(uint32_t a, uint32_t b)

+ /* for 32 bit values */

+ const uint32_t cutoff = ((uint32_t) 1 << (32 - 1));

+ if(a == b)

+ return 0;

+ if(a < b && b - a < cutoff) {

+ return b-a;

+ }

+ if(a > b && a - b > cutoff) {

+ return ((uint32_t)0xffffffff) - (a-b-1);

+ }

+ /* wrong case, b smaller than a */

+ return 0;

diff --git a/usr.sbin/unbound/util/rfc_1982.h b/usr.sbin/unbound/util/rfc_1982.h
new file mode 100644
index 00000000000..bae383d0e01
--- /dev/null
+++ b/usr.sbin/unbound/util/rfc_1982.h

@@ -0,0 +1,63 @@

+/*

+ * util/rfc_1982.h - RFC 1982 Serial Number Arithmetic