
Source code changes of the file "edns.c" between
nsd-4.3.6.tar.gz and nsd-4.3.7.tar.gz

About: NSD is an authoritative only, high performance, simple name server daemon.

edns.c  (nsd-4.3.6):edns.c  (nsd-4.3.7)
skipping to change at line 13 skipping to change at line 13
* *
* Copyright (c) 2001-2006, NLnet Labs. All rights reserved. * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
* *
* See LICENSE for the license. * See LICENSE for the license.
* *
*/ */
#include "config.h" #include "config.h"
#include <string.h> #include <string.h>
#ifdef HAVE_SSL
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#endif
#include "dns.h" #include "dns.h"
#include "edns.h" #include "edns.h"
#include "nsd.h" #include "nsd.h"
#include "query.h" #include "query.h"
void void
edns_init_data(edns_data_type *data, uint16_t max_length) edns_init_data(edns_data_type *data, uint16_t max_length)
{ {
memset(data, 0, sizeof(edns_data_type)); memset(data, 0, sizeof(edns_data_type));
skipping to change at line 35 skipping to change at line 39
data->ok[2] = TYPE_OPT & 0x00ff; /* type_lo */ data->ok[2] = TYPE_OPT & 0x00ff; /* type_lo */
/* udp payload size */ /* udp payload size */
data->ok[3] = (max_length & 0xff00) >> 8; /* size_hi */ data->ok[3] = (max_length & 0xff00) >> 8; /* size_hi */
data->ok[4] = max_length & 0x00ff; /* size_lo */ data->ok[4] = max_length & 0x00ff; /* size_lo */
data->error[1] = (TYPE_OPT & 0xff00) >> 8; /* type_hi */ data->error[1] = (TYPE_OPT & 0xff00) >> 8; /* type_hi */
data->error[2] = TYPE_OPT & 0x00ff; /* type_lo */ data->error[2] = TYPE_OPT & 0x00ff; /* type_lo */
data->error[3] = (max_length & 0xff00) >> 8; /* size_hi */ data->error[3] = (max_length & 0xff00) >> 8; /* size_hi */
data->error[4] = max_length & 0x00ff; /* size_lo */ data->error[4] = max_length & 0x00ff; /* size_lo */
data->error[5] = 1; /* XXX Extended RCODE=BAD VERS */ data->error[5] = 1; /* XXX Extended RCODE=BAD VERS */
/* COOKIE OPT HDR */
data->cookie[0] = (COOKIE_CODE & 0xff00) >> 8;
data->cookie[1] = (COOKIE_CODE & 0x00ff);
data->cookie[2] = (24 & 0xff00) >> 8;
data->cookie[3] = (24 & 0x00ff);
} }
void void
edns_init_nsid(edns_data_type *data, uint16_t nsid_len) edns_init_nsid(edns_data_type *data, uint16_t nsid_len)
{ {
/* add nsid length bytes */
data->rdata_nsid[0] = ((OPT_HDR + nsid_len) & 0xff00) >> 8; /* length_hi
*/
data->rdata_nsid[1] = ((OPT_HDR + nsid_len) & 0x00ff); /* length_lo
*/
/* NSID OPT HDR */ /* NSID OPT HDR */
data->nsid[0] = (NSID_CODE & 0xff00) >> 8; data->nsid[0] = (NSID_CODE & 0xff00) >> 8;
data->nsid[1] = (NSID_CODE & 0x00ff); data->nsid[1] = (NSID_CODE & 0x00ff);
data->nsid[2] = (nsid_len & 0xff00) >> 8; data->nsid[2] = (nsid_len & 0xff00) >> 8;
data->nsid[3] = (nsid_len & 0x00ff); data->nsid[3] = (nsid_len & 0x00ff);
} }
void void
edns_init_record(edns_record_type *edns) edns_init_record(edns_record_type *edns)
{ {
edns->status = EDNS_NOT_PRESENT; edns->status = EDNS_NOT_PRESENT;
edns->position = 0; edns->position = 0;
edns->maxlen = 0; edns->maxlen = 0;
edns->opt_reserved_space = 0; edns->opt_reserved_space = 0;
edns->dnssec_ok = 0; edns->dnssec_ok = 0;
edns->nsid = 0; edns->nsid = 0;
edns->cookie_status = COOKIE_NOT_PRESENT;
edns->cookie_len = 0;
edns->ede = -1; /* -1 means no Extended DNS Error */ edns->ede = -1; /* -1 means no Extended DNS Error */
edns->ede_text = NULL; edns->ede_text = NULL;
edns->ede_text_len = 0; edns->ede_text_len = 0;
} }
/** handle a single edns option in the query */ /** handle a single edns option in the query */
static int static int
edns_handle_option(uint16_t optcode, uint16_t optlen, buffer_type* packet, edns_handle_option(uint16_t optcode, uint16_t optlen, buffer_type* packet,
edns_record_type* edns, struct query* query, nsd_type* nsd) edns_record_type* edns, struct query* query, nsd_type* nsd)
{ {
skipping to change at line 86 skipping to change at line 94
edns->nsid = 1; edns->nsid = 1;
/* we have to check optlen, and move the buffer along */ /* we have to check optlen, and move the buffer along */
buffer_skip(packet, optlen); buffer_skip(packet, optlen);
/* in the reply we need space for optcode+optlen+nsid_byt es */ /* in the reply we need space for optcode+optlen+nsid_byt es */
edns->opt_reserved_space += OPT_HDR + nsd->nsid_len; edns->opt_reserved_space += OPT_HDR + nsd->nsid_len;
} else { } else {
/* ignore option */ /* ignore option */
buffer_skip(packet, optlen); buffer_skip(packet, optlen);
} }
break; break;
case COOKIE_CODE:
/* Cookies enabled? */
if(nsd->do_answer_cookie) {
if (optlen == 8)
edns->cookie_status = COOKIE_INVALID;
else if (optlen < 16 || optlen > 40)
return 0; /* FORMERR */
else
edns->cookie_status = COOKIE_UNVERIFIED;
edns->cookie_len = optlen;
memcpy(edns->cookie, buffer_current(packet), optlen);
buffer_skip(packet, optlen);
edns->opt_reserved_space += OPT_HDR + 24;
} else {
buffer_skip(packet, optlen);
}
break;
default: default:
buffer_skip(packet, optlen); buffer_skip(packet, optlen);
break; break;
} }
return 1; return 1;
} }
int int
edns_parse_record(edns_record_type *edns, buffer_type *packet, edns_parse_record(edns_record_type *edns, buffer_type *packet,
query_type* query, nsd_type* nsd) query_type* query, nsd_type* nsd)
skipping to change at line 164 skipping to change at line 190
return 1; return 1;
} }
size_t size_t
edns_reserved_space(edns_record_type *edns) edns_reserved_space(edns_record_type *edns)
{ {
/* MIEK; when a pkt is too large?? */ /* MIEK; when a pkt is too large?? */
return edns->status == EDNS_NOT_PRESENT ? 0 return edns->status == EDNS_NOT_PRESENT ? 0
: (OPT_LEN + OPT_RDATA + edns->opt_reserved_space); : (OPT_LEN + OPT_RDATA + edns->opt_reserved_space);
} }
int siphash(const uint8_t *in, const size_t inlen,
const uint8_t *k, uint8_t *out, const size_t outlen);
/** RFC 1982 comparison, uses unsigned integers, and tries to avoid
* compiler optimization (eg. by avoiding a-b<0 comparisons),
* this routine matches compare_serial(), for SOA serial number checks */
static int
compare_1982(uint32_t a, uint32_t b)
{
/* for 32 bit values */
const uint32_t cutoff = ((uint32_t) 1 << (32 - 1));
if (a == b) {
return 0;
} else if ((a < b && b - a < cutoff) || (a > b && a - b > cutoff)) {
return -1;
} else {
return 1;
}
}
/** if we know that b is larger than a, return the difference between them,
* that is the distance between them. in RFC1982 arith */
static uint32_t
subtract_1982(uint32_t a, uint32_t b)
{
/* for 32 bit values */
const uint32_t cutoff = ((uint32_t) 1 << (32 - 1));
if(a == b)
return 0;
if(a < b && b - a < cutoff) {
return b-a;
}
if(a > b && a - b > cutoff) {
return ((uint32_t)0xffffffff) - (a-b-1);
}
/* wrong case, b smaller than a */
return 0;
}
void cookie_verify(query_type *q, struct nsd* nsd, uint32_t *now_p) {
uint8_t hash[8], hash2verify[8];
uint32_t cookie_time, now_uint32;
size_t verify_size;
int i;
/* We support only draft-sury-toorop-dnsop-server-cookies sizes */
if(q->edns.cookie_len != 24)
return;
if(q->edns.cookie[8] != 1)
return;
q->edns.cookie_status = COOKIE_INVALID;
cookie_time = (q->edns.cookie[12] << 24)
| (q->edns.cookie[13] << 16)
| (q->edns.cookie[14] << 8)
| q->edns.cookie[15];
now_uint32 = *now_p ? *now_p : (*now_p = (uint32_t)time(NULL));
if(compare_1982(now_uint32, cookie_time) > 0) {
/* ignore cookies > 1 hour in past */
if (subtract_1982(cookie_time, now_uint32) > 3600)
return;
} else if (subtract_1982(now_uint32, cookie_time) > 300) {
/* ignore cookies > 5 minutes in future */
return;
}
memcpy(hash2verify, q->edns.cookie + 16, 8);
#ifdef INET6
if(q->addr.ss_family == AF_INET6) {
memcpy(q->edns.cookie + 16, &((struct sockaddr_in6 *)&q->addr)->s
in6_addr, 16);
verify_size = 32;
} else {
memcpy(q->edns.cookie + 16, &((struct sockaddr_in *)&q->addr)->si
n_addr, 4);
verify_size = 20;
}
#else
memcpy( q->edns.cookie + 16, &q->addr.sin_addr, 4);
verify_size = 20;
#endif
q->edns.cookie_status = COOKIE_INVALID;
siphash(q->edns.cookie, verify_size,
nsd->cookie_secrets[0].cookie_secret, hash, 8);
if(CRYPTO_memcmp(hash2verify, hash, 8) == 0 ) {
if (subtract_1982(cookie_time, now_uint32) < 1800) {
q->edns.cookie_status = COOKIE_VALID_REUSE;
memcpy(q->edns.cookie + 16, hash, 8);
} else
q->edns.cookie_status = COOKIE_VALID;
return;
}
for(i = 1;
i < (int)nsd->cookie_count && i < NSD_COOKIE_HISTORY_SIZE;
i++) {
siphash(q->edns.cookie, verify_size,
nsd->cookie_secrets[i].cookie_secret, hash, 8);
if(CRYPTO_memcmp(hash2verify, hash, 8) == 0 ) {
q->edns.cookie_status = COOKIE_VALID;
return;
}
}
}
void cookie_create(query_type *q, struct nsd* nsd, uint32_t *now_p)
{
uint8_t hash[8];
uint32_t now_uint32;
if (q->edns.cookie_status == COOKIE_VALID_REUSE)
return;
now_uint32 = *now_p ? *now_p : (*now_p = (uint32_t)time(NULL));
q->edns.cookie[ 8] = 1;
q->edns.cookie[ 9] = 0;
q->edns.cookie[10] = 0;
q->edns.cookie[11] = 0;
q->edns.cookie[12] = (now_uint32 & 0xFF000000) >> 24;
q->edns.cookie[13] = (now_uint32 & 0x00FF0000) >> 16;
q->edns.cookie[14] = (now_uint32 & 0x0000FF00) >> 8;
q->edns.cookie[15] = now_uint32 & 0x000000FF;
#ifdef INET6
if (q->addr.ss_family == AF_INET6) {
memcpy( q->edns.cookie + 16
, &((struct sockaddr_in6 *)&q->addr)->sin6_addr, 16);
siphash(q->edns.cookie, 32, nsd->cookie_secrets[0].cookie_secret,
hash, 8);
} else {
memcpy( q->edns.cookie + 16
, &((struct sockaddr_in *)&q->addr)->sin_addr, 4);
siphash(q->edns.cookie, 20, nsd->cookie_secrets[0].cookie_secret,
hash, 8);
}
#else
memcpy( q->edns.cookie + 16, &q->addr.sin_addr, 4);
siphash(q->edns.cookie, 20, nsd->cookie_secrets[0].cookie_secret, hash, 8
);
#endif
memcpy(q->edns.cookie + 16, hash, 8);
}
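Review bot: The timestamp decode in cookie_verify (`cookie_time = (q->edns.cookie[12] << 24) | ...`) shifts a uint8_t that has been promoted to int, so any cookie whose byte 12 is 0x80 or above makes `<< 24` overflow a signed int, which is undefined behaviour on an attacker-supplied byte; widen before shifting, `cookie_time = ((uint32_t)q->edns.cookie[12] << 24) | ((uint32_t)q->edns.cookie[13] << 16)` and the same cast on bytes 14 and 15. The same pattern is already used safely in cookie_create, where the shifts operate on the uint32_t now_uint32. Two smaller points in the same function: `q->edns.cookie_status = COOKIE_INVALID;` is assigned both before the time-window check and again just before the siphash call, so one of the two can go, and the 3600/300/1800 second windows would read better as named constants with a one-line comment citing the draft they come from. In the COOKIE_CODE branch of edns_handle_option the memcpy of optlen bytes from buffer_current(packet) relies on the caller having verified that optlen bytes remain and that edns->cookie holds the 40-byte maximum admitted by the length check; the start of edns_handle_option and the whole of edns_parse_record are outside the hunk, so I could not confirm either.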
 End of changes. 6 change blocks. 
6 lines changed or deleted 30 lines changed or added
