1 /* 2 * util/edns.h - handle base EDNS options. 3 * 4 * Copyright (c) 2018, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains functions for base EDNS options. 40 */ 41 42 #ifndef UTIL_EDNS_H 43 #define UTIL_EDNS_H 44 45 #include "util/storage/dnstree.h" 46 #include "util/locks.h" 47 48 struct edns_data; 49 struct config_file; 50 struct comm_point; 51 struct regional; 52 53 /** 54 * Structure containing all EDNS strings. 55 */ 56 struct edns_strings { 57 /** Tree of EDNS client strings to use in upstream queries, per address 58 * prefix. Contains nodes of type edns_string_addr. */ 59 rbtree_type client_strings; 60 /** EDNS opcode to use for client strings */ 61 uint16_t client_string_opcode; 62 /** region to allocate tree nodes in */ 63 struct regional* region; 64 }; 65 66 /** 67 * EDNS string. Node of rbtree, containing string and prefix. 68 */ 69 struct edns_string_addr { 70 /** node in address tree, used for tree lookups. Need to be the first 71 * member of this struct. */ 72 struct addr_tree_node node; 73 /** string, ascii format */ 74 uint8_t* string; 75 /** length of string */ 76 size_t string_len; 77 }; 78 79 #define UNBOUND_COOKIE_HISTORY_SIZE 2 80 #define UNBOUND_COOKIE_SECRET_SIZE 16 81 82 typedef struct cookie_secret cookie_secret_type; 83 struct cookie_secret { 84 /** cookie secret */ 85 uint8_t cookie_secret[UNBOUND_COOKIE_SECRET_SIZE]; 86 }; 87 88 /** 89 * The cookie secrets from the cookie-secret-file. 90 */ 91 struct cookie_secrets { 92 /** lock on the structure, in case there are modifications 93 * from remote control, this avoids race conditions. */ 94 lock_basic_type lock; 95 96 /** how many cookies are there in the cookies array */ 97 size_t cookie_count; 98 99 /* keep track of the last `UNBOUND_COOKIE_HISTORY_SIZE` 100 * cookies as per rfc requirement .*/ 101 cookie_secret_type cookie_secrets[UNBOUND_COOKIE_HISTORY_SIZE]; 102 }; 103 104 enum edns_cookie_val_status { 105 COOKIE_STATUS_CLIENT_ONLY = -3, 106 COOKIE_STATUS_FUTURE = -2, 107 COOKIE_STATUS_EXPIRED = -1, 108 COOKIE_STATUS_INVALID = 0, 109 COOKIE_STATUS_VALID = 1, 110 COOKIE_STATUS_VALID_RENEW = 2, 111 }; 112 113 /** 114 * Create structure to hold EDNS strings 115 * @return: newly created edns_strings, NULL on alloc failure. 116 */ 117 struct edns_strings* edns_strings_create(void); 118 119 /** Delete EDNS strings structure 120 * @param edns_strings: struct to delete 121 */ 122 void edns_strings_delete(struct edns_strings* edns_strings); 123 124 /** 125 * Add configured EDNS strings 126 * @param edns_strings: edns strings to apply config to 127 * @param config: struct containing EDNS strings configuration 128 * @return 0 on error 129 */ 130 int edns_strings_apply_cfg(struct edns_strings* edns_strings, 131 struct config_file* config); 132 133 /** 134 * Find string for address. 135 * @param tree: tree containing EDNS strings per address prefix. 136 * @param addr: address to use for tree lookup 137 * @param addrlen: length of address 138 * @return: matching tree node, NULL otherwise 139 */ 140 struct edns_string_addr* 141 edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr, 142 socklen_t addrlen); 143 144 /** 145 * Compute the interoperable DNS cookie (RFC9018) hash. 146 * @param in: buffer input for the hash generation. It needs to be: 147 * Client Cookie | Version | Reserved | Timestamp | Client-IP 148 * @param secret: the server secret; implicit length of 16 octets. 149 * @param v4: if the client IP is v4 or v6. 150 * @param hash: buffer to write the hash to. 151 * return a pointer to the hash. 152 */ 153 uint8_t* edns_cookie_server_hash(const uint8_t* in, const uint8_t* secret, 154 int v4, uint8_t* hash); 155 156 /** 157 * Write an interoperable DNS server cookie (RFC9018). 158 * @param buf: buffer to write to. It should have a size of at least 32 octets 159 * as it doubles as the output buffer and the hash input buffer. 160 * The first 8 octets are expected to be the Client Cookie and will be 161 * left untouched. 162 * The next 8 octets will be written with Version | Reserved | Timestamp. 163 * The next 4 or 16 octets are expected to be the IPv4 or the IPv6 address 164 * based on the v4 flag. 165 * Thus the first 20 or 32 octets, based on the v4 flag, will be used as 166 * the hash input. 167 * The server hash (8 octets) will be written after the first 16 octets; 168 * overwriting the address information. 169 * The caller expects a complete, 24 octet long cookie in the buffer. 170 * @param secret: the server secret; implicit length of 16 octets. 171 * @param v4: if the client IP is v4 or v6. 172 * @param timestamp: the timestamp to use. 173 */ 174 void edns_cookie_server_write(uint8_t* buf, const uint8_t* secret, int v4, 175 uint32_t timestamp); 176 177 /** 178 * Validate an interoperable DNS cookie (RFC9018). 179 * @param cookie: pointer to the cookie data. 180 * @param cookie_len: the length of the cookie data. 181 * @param secret: pointer to the server secret. 182 * @param secret_len: the length of the secret. 183 * @param v4: if the client IP is v4 or v6. 184 * @param hash_input: pointer to the hash input for validation. It needs to be: 185 * Client Cookie | Version | Reserved | Timestamp | Client-IP 186 * @param now: the current time. 187 * return edns_cookie_val_status with the cookie validation status i.e., 188 * <=0 for invalid, else valid. 189 */ 190 enum edns_cookie_val_status edns_cookie_server_validate(const uint8_t* cookie, 191 size_t cookie_len, const uint8_t* secret, size_t secret_len, int v4, 192 const uint8_t* hash_input, uint32_t now); 193 194 /** 195 * Create the cookie secrets structure. 196 * @return the structure or NULL on failure. 197 */ 198 struct cookie_secrets* cookie_secrets_create(void); 199 200 /** 201 * Delete the cookie secrets. 202 * @param cookie_secrets: the cookie secrets. 203 */ 204 void cookie_secrets_delete(struct cookie_secrets* cookie_secrets); 205 206 /** 207 * Apply configuration to cookie secrets, read them from file. 208 * @param cookie_secrets: the cookie secrets structure. 209 * @param cookie_secret_file: the file name, it is read. 210 * @return false on failure. 211 */ 212 int cookie_secrets_apply_cfg(struct cookie_secrets* cookie_secrets, 213 char* cookie_secret_file); 214 215 /** 216 * Validate the cookie secrets, try all of them. 217 * @param cookie: pointer to the cookie data. 218 * @param cookie_len: the length of the cookie data. 219 * @param cookie_secrets: struct of cookie secrets. 220 * @param v4: if the client IP is v4 or v6. 221 * @param hash_input: pointer to the hash input for validation. It needs to be: 222 * Client Cookie | Version | Reserved | Timestamp | Client-IP 223 * @param now: the current time. 224 * return edns_cookie_val_status with the cookie validation status i.e., 225 * <=0 for invalid, else valid. 226 */ 227 enum edns_cookie_val_status cookie_secrets_server_validate( 228 const uint8_t* cookie, size_t cookie_len, 229 struct cookie_secrets* cookie_secrets, int v4, 230 const uint8_t* hash_input, uint32_t now); 231 232 /** 233 * Add a cookie secret. If there are no secrets yet, the secret will become 234 * the active secret. Otherwise it will become the staging secret. 235 * Active secrets are used to both verify and create new DNS Cookies. 236 * Staging secrets are only used to verify DNS Cookies. Caller has to lock. 237 */ 238 void add_cookie_secret(struct cookie_secrets* cookie_secrets, uint8_t* secret, 239 size_t secret_len); 240 241 /** 242 * Makes the staging cookie secret active and the active secret staging. 243 * Caller has to lock. 244 */ 245 void activate_cookie_secret(struct cookie_secrets* cookie_secrets); 246 247 /** 248 * Drop a cookie secret. Drops the staging secret. An active secret will not 249 * be dropped. Caller has to lock. 250 */ 251 void drop_cookie_secret(struct cookie_secrets* cookie_secrets); 252 253 #endif 254