edns.h revision 1.1.1.4.4.1 1 /*
2 * util/edns.h - handle base EDNS options.
3 *
4 * Copyright (c) 2018, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /**
37 * \file
38 *
39 * This file contains functions for base EDNS options.
40 */
41
42 #ifndef UTIL_EDNS_H
43 #define UTIL_EDNS_H
44
45 #include "util/storage/dnstree.h"
46 #include "util/locks.h"
47
48 struct edns_data;
49 struct config_file;
50 struct comm_point;
51 struct regional;
52
53 /**
54 * Structure containing all EDNS strings.
55 */
56 struct edns_strings {
57 /** Tree of EDNS client strings to use in upstream queries, per address
58 * prefix. Contains nodes of type edns_string_addr. */
59 rbtree_type client_strings;
60 /** EDNS opcode to use for client strings */
61 uint16_t client_string_opcode;
62 /** region to allocate tree nodes in */
63 struct regional* region;
64 };
65
66 /**
67 * EDNS string. Node of rbtree, containing string and prefix.
68 */
69 struct edns_string_addr {
70 /** node in address tree, used for tree lookups. Need to be the first
71 * member of this struct. */
72 struct addr_tree_node node;
73 /** string, ascii format */
74 uint8_t* string;
75 /** length of string */
76 size_t string_len;
77 };
78
79 #define UNBOUND_COOKIE_HISTORY_SIZE 2
80 #define UNBOUND_COOKIE_SECRET_SIZE 16
81
82 typedef struct cookie_secret cookie_secret_type;
83 struct cookie_secret {
84 /** cookie secret */
85 uint8_t cookie_secret[UNBOUND_COOKIE_SECRET_SIZE];
86 };
87
88 /**
89 * The cookie secrets from the cookie-secret-file.
90 */
91 struct cookie_secrets {
92 /** lock on the structure, in case there are modifications
93 * from remote control, this avoids race conditions. */
94 lock_basic_type lock;
95
96 /** how many cookies are there in the cookies array */
97 size_t cookie_count;
98
99 /* keep track of the last `UNBOUND_COOKIE_HISTORY_SIZE`
100 * cookies as per rfc requirement .*/
101 cookie_secret_type cookie_secrets[UNBOUND_COOKIE_HISTORY_SIZE];
102 };
103
104 enum edns_cookie_val_status {
105 COOKIE_STATUS_CLIENT_ONLY = -3,
106 COOKIE_STATUS_FUTURE = -2,
107 COOKIE_STATUS_EXPIRED = -1,
108 COOKIE_STATUS_INVALID = 0,
109 COOKIE_STATUS_VALID = 1,
110 COOKIE_STATUS_VALID_RENEW = 2,
111 };
112
113 /**
114 * Create structure to hold EDNS strings
115 * @return: newly created edns_strings, NULL on alloc failure.
116 */
117 struct edns_strings* edns_strings_create(void);
118
119 /** Delete EDNS strings structure
120 * @param edns_strings: struct to delete
121 */
122 void edns_strings_delete(struct edns_strings* edns_strings);
123
124 /**
125 * Add configured EDNS strings
126 * @param edns_strings: edns strings to apply config to
127 * @param config: struct containing EDNS strings configuration
128 * @return 0 on error
129 */
130 int edns_strings_apply_cfg(struct edns_strings* edns_strings,
131 struct config_file* config);
132
133 /**
134 * Find string for address.
135 * @param tree: tree containing EDNS strings per address prefix.
136 * @param addr: address to use for tree lookup
137 * @param addrlen: length of address
138 * @return: matching tree node, NULL otherwise
139 */
140 struct edns_string_addr*
141 edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,
142 socklen_t addrlen);
143
144 /**
145 * Get memory usage of edns strings.
146 * @param edns_strings: the edns strings
147 * @return memory usage
148 */
149 size_t edns_strings_get_mem(struct edns_strings* edns_strings);
150
151 /**
152 * Swap internal tree with preallocated entries.
153 * @param edns_strings: the edns strings structure.
154 * @param data: the data structure used to take elements from. This contains
155 * the old elements on return.
156 */
157 void edns_strings_swap_tree(struct edns_strings* edns_strings,
158 struct edns_strings* data);
159
160 /**
161 * Compute the interoperable DNS cookie (RFC9018) hash.
162 * @param in: buffer input for the hash generation. It needs to be:
163 * Client Cookie | Version | Reserved | Timestamp | Client-IP
164 * @param secret: the server secret; implicit length of 16 octets.
165 * @param v4: if the client IP is v4 or v6.
166 * @param hash: buffer to write the hash to.
167 * return a pointer to the hash.
168 */
169 uint8_t* edns_cookie_server_hash(const uint8_t* in, const uint8_t* secret,
170 int v4, uint8_t* hash);
171
172 /**
173 * Write an interoperable DNS server cookie (RFC9018).
174 * @param buf: buffer to write to. It should have a size of at least 32 octets
175 * as it doubles as the output buffer and the hash input buffer.
176 * The first 8 octets are expected to be the Client Cookie and will be
177 * left untouched.
178 * The next 8 octets will be written with Version | Reserved | Timestamp.
179 * The next 4 or 16 octets are expected to be the IPv4 or the IPv6 address
180 * based on the v4 flag.
181 * Thus the first 20 or 32 octets, based on the v4 flag, will be used as
182 * the hash input.
183 * The server hash (8 octets) will be written after the first 16 octets;
184 * overwriting the address information.
185 * The caller expects a complete, 24 octet long cookie in the buffer.
186 * @param secret: the server secret; implicit length of 16 octets.
187 * @param v4: if the client IP is v4 or v6.
188 * @param timestamp: the timestamp to use.
189 */
190 void edns_cookie_server_write(uint8_t* buf, const uint8_t* secret, int v4,
191 uint32_t timestamp);
192
193 /**
194 * Validate an interoperable DNS cookie (RFC9018).
195 * @param cookie: pointer to the cookie data.
196 * @param cookie_len: the length of the cookie data.
197 * @param secret: pointer to the server secret.
198 * @param secret_len: the length of the secret.
199 * @param v4: if the client IP is v4 or v6.
200 * @param hash_input: pointer to the hash input for validation. It needs to be:
201 * Client Cookie | Version | Reserved | Timestamp | Client-IP
202 * @param now: the current time.
203 * return edns_cookie_val_status with the cookie validation status i.e.,
204 * <=0 for invalid, else valid.
205 */
206 enum edns_cookie_val_status edns_cookie_server_validate(const uint8_t* cookie,
207 size_t cookie_len, const uint8_t* secret, size_t secret_len, int v4,
208 const uint8_t* hash_input, uint32_t now);
209
210 /**
211 * Create the cookie secrets structure.
212 * @return the structure or NULL on failure.
213 */
214 struct cookie_secrets* cookie_secrets_create(void);
215
216 /**
217 * Delete the cookie secrets.
218 * @param cookie_secrets: the cookie secrets.
219 */
220 void cookie_secrets_delete(struct cookie_secrets* cookie_secrets);
221
222 /**
223 * Apply configuration to cookie secrets, read them from file.
224 * @param cookie_secrets: the cookie secrets structure.
225 * @param cookie_secret_file: the file name, it is read.
226 * @return false on failure.
227 */
228 int cookie_secrets_apply_cfg(struct cookie_secrets* cookie_secrets,
229 char* cookie_secret_file);
230
231 /**
232 * Validate the cookie secrets, try all of them.
233 * @param cookie: pointer to the cookie data.
234 * @param cookie_len: the length of the cookie data.
235 * @param cookie_secrets: struct of cookie secrets.
236 * @param v4: if the client IP is v4 or v6.
237 * @param hash_input: pointer to the hash input for validation. It needs to be:
238 * Client Cookie | Version | Reserved | Timestamp | Client-IP
239 * @param now: the current time.
240 * return edns_cookie_val_status with the cookie validation status i.e.,
241 * <=0 for invalid, else valid.
242 */
243 enum edns_cookie_val_status cookie_secrets_server_validate(
244 const uint8_t* cookie, size_t cookie_len,
245 struct cookie_secrets* cookie_secrets, int v4,
246 const uint8_t* hash_input, uint32_t now);
247
248 /**
249 * Add a cookie secret. If there are no secrets yet, the secret will become
250 * the active secret. Otherwise it will become the staging secret.
251 * Active secrets are used to both verify and create new DNS Cookies.
252 * Staging secrets are only used to verify DNS Cookies. Caller has to lock.
253 */
254 void add_cookie_secret(struct cookie_secrets* cookie_secrets, uint8_t* secret,
255 size_t secret_len);
256
257 /**
258 * Makes the staging cookie secret active and the active secret staging.
259 * Caller has to lock.
260 */
261 void activate_cookie_secret(struct cookie_secrets* cookie_secrets);
262
263 /**
264 * Drop a cookie secret. Drops the staging secret. An active secret will not
265 * be dropped. Caller has to lock.
266 */
267 void drop_cookie_secret(struct cookie_secrets* cookie_secrets);
268
269 #endif
270