xref: /freebsd/contrib/unbound/util/edns.h (revision 7937bfbc0ca53fe7cdd0d54414f9296e273a518e)
1 /*
2  * util/edns.h - handle base EDNS options.
3  *
4  * Copyright (c) 2018, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains functions for base EDNS options.
40  */
41 
42 #ifndef UTIL_EDNS_H
43 #define UTIL_EDNS_H
44 
45 #include "util/storage/dnstree.h"
46 #include "util/locks.h"
47 
48 struct edns_data;
49 struct config_file;
50 struct comm_point;
51 struct regional;
52 
53 /**
54  * Structure containing all EDNS strings.
55  */
56 struct edns_strings {
57 	/** Tree of EDNS client strings to use in upstream queries, per address
58 	 * prefix. Contains nodes of type edns_string_addr. */
59 	rbtree_type client_strings;
60 	/** EDNS opcode to use for client strings */
61 	uint16_t client_string_opcode;
62 	/** region to allocate tree nodes in */
63 	struct regional* region;
64 };
65 
66 /**
67  * EDNS string. Node of rbtree, containing string and prefix.
68  */
69 struct edns_string_addr {
70 	/** node in address tree, used for tree lookups. Need to be the first
71 	 * member of this struct. */
72 	struct addr_tree_node node;
73 	/** string, ascii format */
74 	uint8_t* string;
75 	/** length of string */
76 	size_t string_len;
77 };
78 
79 #define UNBOUND_COOKIE_HISTORY_SIZE 2
80 #define UNBOUND_COOKIE_SECRET_SIZE 16
81 
82 typedef struct cookie_secret cookie_secret_type;
83 struct cookie_secret {
84 	/** cookie secret */
85 	uint8_t cookie_secret[UNBOUND_COOKIE_SECRET_SIZE];
86 };
87 
88 /**
89  * The cookie secrets from the cookie-secret-file.
90  */
91 struct cookie_secrets {
92 	/** lock on the structure, in case there are modifications
93 	 * from remote control, this avoids race conditions. */
94 	lock_basic_type lock;
95 
96 	/** how many cookies are there in the cookies array */
97 	size_t cookie_count;
98 
99 	/* keep track of the last `UNBOUND_COOKIE_HISTORY_SIZE`
100 	 * cookies as per rfc requirement .*/
101 	cookie_secret_type cookie_secrets[UNBOUND_COOKIE_HISTORY_SIZE];
102 };
103 
104 enum edns_cookie_val_status {
105 	COOKIE_STATUS_CLIENT_ONLY = -3,
106 	COOKIE_STATUS_FUTURE = -2,
107 	COOKIE_STATUS_EXPIRED = -1,
108 	COOKIE_STATUS_INVALID = 0,
109 	COOKIE_STATUS_VALID = 1,
110 	COOKIE_STATUS_VALID_RENEW = 2,
111 };
112 
113 /**
114  * Create structure to hold EDNS strings
115  * @return: newly created edns_strings, NULL on alloc failure.
116  */
117 struct edns_strings* edns_strings_create(void);
118 
119 /** Delete EDNS strings structure
120  * @param edns_strings: struct to delete
121  */
122 void edns_strings_delete(struct edns_strings* edns_strings);
123 
124 /**
125  * Add configured EDNS strings
126  * @param edns_strings: edns strings to apply config to
127  * @param config: struct containing EDNS strings configuration
128  * @return 0 on error
129  */
130 int edns_strings_apply_cfg(struct edns_strings* edns_strings,
131 	struct config_file* config);
132 
133 /**
134  * Find string for address.
135  * @param tree: tree containing EDNS strings per address prefix.
136  * @param addr: address to use for tree lookup
137  * @param addrlen: length of address
138  * @return: matching tree node, NULL otherwise
139  */
140 struct edns_string_addr*
141 edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,
142 	socklen_t addrlen);
143 
144 /**
145  * Compute the interoperable DNS cookie (RFC9018) hash.
146  * @param in: buffer input for the hash generation. It needs to be:
147  *	Client Cookie | Version | Reserved | Timestamp | Client-IP
148  * @param secret: the server secret; implicit length of 16 octets.
149  * @param v4: if the client IP is v4 or v6.
150  * @param hash: buffer to write the hash to.
151  * return a pointer to the hash.
152  */
153 uint8_t* edns_cookie_server_hash(const uint8_t* in, const uint8_t* secret,
154 	int v4, uint8_t* hash);
155 
156 /**
157  * Write an interoperable DNS server cookie (RFC9018).
158  * @param buf: buffer to write to. It should have a size of at least 32 octets
159  *	as it doubles as the output buffer and the hash input buffer.
160  *	The first 8 octets are expected to be the Client Cookie and will be
161  *		left untouched.
162  *	The next 8 octets will be written with Version | Reserved | Timestamp.
163  *	The next 4 or 16 octets are expected to be the IPv4 or the IPv6 address
164  *		based on the v4 flag.
165  *	Thus the first 20 or 32 octets, based on the v4 flag, will be used as
166  *		the hash input.
167  *	The server hash (8 octets) will be written after the first 16 octets;
168  *		overwriting the address information.
169  *	The caller expects a complete, 24 octet long cookie in the buffer.
170  * @param secret: the server secret; implicit length of 16 octets.
171  * @param v4: if the client IP is v4 or v6.
172  * @param timestamp: the timestamp to use.
173  */
174 void edns_cookie_server_write(uint8_t* buf, const uint8_t* secret, int v4,
175 	uint32_t timestamp);
176 
177 /**
178  * Validate an interoperable DNS cookie (RFC9018).
179  * @param cookie: pointer to the cookie data.
180  * @param cookie_len: the length of the cookie data.
181  * @param secret: pointer to the server secret.
182  * @param secret_len: the length of the secret.
183  * @param v4: if the client IP is v4 or v6.
184  * @param hash_input: pointer to the hash input for validation. It needs to be:
185  *	Client Cookie | Version | Reserved | Timestamp | Client-IP
186  * @param now: the current time.
187  * return edns_cookie_val_status with the cookie validation status i.e.,
188  *	<=0 for invalid, else valid.
189  */
190 enum edns_cookie_val_status edns_cookie_server_validate(const uint8_t* cookie,
191 	size_t cookie_len, const uint8_t* secret, size_t secret_len, int v4,
192 	const uint8_t* hash_input, uint32_t now);
193 
194 /**
195  * Create the cookie secrets structure.
196  * @return the structure or NULL on failure.
197  */
198 struct cookie_secrets* cookie_secrets_create(void);
199 
200 /**
201  * Delete the cookie secrets.
202  * @param cookie_secrets: the cookie secrets.
203  */
204 void cookie_secrets_delete(struct cookie_secrets* cookie_secrets);
205 
206 /**
207  * Apply configuration to cookie secrets, read them from file.
208  * @param cookie_secrets: the cookie secrets structure.
209  * @param cookie_secret_file: the file name, it is read.
210  * @return false on failure.
211  */
212 int cookie_secrets_apply_cfg(struct cookie_secrets* cookie_secrets,
213 	char* cookie_secret_file);
214 
215 /**
216  * Validate the cookie secrets, try all of them.
217  * @param cookie: pointer to the cookie data.
218  * @param cookie_len: the length of the cookie data.
219  * @param cookie_secrets: struct of cookie secrets.
220  * @param v4: if the client IP is v4 or v6.
221  * @param hash_input: pointer to the hash input for validation. It needs to be:
222  *	Client Cookie | Version | Reserved | Timestamp | Client-IP
223  * @param now: the current time.
224  * return edns_cookie_val_status with the cookie validation status i.e.,
225  *	<=0 for invalid, else valid.
226  */
227 enum edns_cookie_val_status cookie_secrets_server_validate(
228 	const uint8_t* cookie, size_t cookie_len,
229 	struct cookie_secrets* cookie_secrets, int v4,
230 	const uint8_t* hash_input, uint32_t now);
231 
232 /**
233  * Add a cookie secret. If there are no secrets yet, the secret will become
234  * the active secret. Otherwise it will become the staging secret.
235  * Active secrets are used to both verify and create new DNS Cookies.
236  * Staging secrets are only used to verify DNS Cookies. Caller has to lock.
237  */
238 void add_cookie_secret(struct cookie_secrets* cookie_secrets, uint8_t* secret,
239 	size_t secret_len);
240 
241 /**
242  * Makes the staging cookie secret active and the active secret staging.
243  * Caller has to lock.
244  */
245 void activate_cookie_secret(struct cookie_secrets* cookie_secrets);
246 
247 /**
248  * Drop a cookie secret. Drops the staging secret. An active secret will not
249  * be dropped. Caller has to lock.
250  */
251 void drop_cookie_secret(struct cookie_secrets* cookie_secrets);
252 
253 #endif
254