edns.h revision 1.1.1.4.4.1
1 /* 2 * util/edns.h - handle base EDNS options. 3 * 4 * Copyright (c) 2018, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains functions for base EDNS options. 40 */ 41 42 #ifndef UTIL_EDNS_H 43 #define UTIL_EDNS_H 44 45 #include "util/storage/dnstree.h" 46 #include "util/locks.h" 47 48 struct edns_data; 49 struct config_file; 50 struct comm_point; 51 struct regional; 52 53 /** 54 * Structure containing all EDNS strings. 55 */ 56 struct edns_strings { 57 /** Tree of EDNS client strings to use in upstream queries, per address 58 * prefix. Contains nodes of type edns_string_addr. */ 59 rbtree_type client_strings; 60 /** EDNS opcode to use for client strings */ 61 uint16_t client_string_opcode; 62 /** region to allocate tree nodes in */ 63 struct regional* region; 64 }; 65 66 /** 67 * EDNS string. Node of rbtree, containing string and prefix. 68 */ 69 struct edns_string_addr { 70 /** node in address tree, used for tree lookups. Need to be the first 71 * member of this struct. */ 72 struct addr_tree_node node; 73 /** string, ascii format */ 74 uint8_t* string; 75 /** length of string */ 76 size_t string_len; 77 }; 78 79 #define UNBOUND_COOKIE_HISTORY_SIZE 2 80 #define UNBOUND_COOKIE_SECRET_SIZE 16 81 82 typedef struct cookie_secret cookie_secret_type; 83 struct cookie_secret { 84 /** cookie secret */ 85 uint8_t cookie_secret[UNBOUND_COOKIE_SECRET_SIZE]; 86 }; 87 88 /** 89 * The cookie secrets from the cookie-secret-file. 90 */ 91 struct cookie_secrets { 92 /** lock on the structure, in case there are modifications 93 * from remote control, this avoids race conditions. */ 94 lock_basic_type lock; 95 96 /** how many cookies are there in the cookies array */ 97 size_t cookie_count; 98 99 /* keep track of the last `UNBOUND_COOKIE_HISTORY_SIZE` 100 * cookies as per rfc requirement .*/ 101 cookie_secret_type cookie_secrets[UNBOUND_COOKIE_HISTORY_SIZE]; 102 }; 103 104 enum edns_cookie_val_status { 105 COOKIE_STATUS_CLIENT_ONLY = -3, 106 COOKIE_STATUS_FUTURE = -2, 107 COOKIE_STATUS_EXPIRED = -1, 108 COOKIE_STATUS_INVALID = 0, 109 COOKIE_STATUS_VALID = 1, 110 COOKIE_STATUS_VALID_RENEW = 2, 111 }; 112 113 /** 114 * Create structure to hold EDNS strings 115 * @return: newly created edns_strings, NULL on alloc failure. 116 */ 117 struct edns_strings* edns_strings_create(void); 118 119 /** Delete EDNS strings structure 120 * @param edns_strings: struct to delete 121 */ 122 void edns_strings_delete(struct edns_strings* edns_strings); 123 124 /** 125 * Add configured EDNS strings 126 * @param edns_strings: edns strings to apply config to 127 * @param config: struct containing EDNS strings configuration 128 * @return 0 on error 129 */ 130 int edns_strings_apply_cfg(struct edns_strings* edns_strings, 131 struct config_file* config); 132 133 /** 134 * Find string for address. 135 * @param tree: tree containing EDNS strings per address prefix. 136 * @param addr: address to use for tree lookup 137 * @param addrlen: length of address 138 * @return: matching tree node, NULL otherwise 139 */ 140 struct edns_string_addr* 141 edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr, 142 socklen_t addrlen); 143 144 /** 145 * Get memory usage of edns strings. 146 * @param edns_strings: the edns strings 147 * @return memory usage 148 */ 149 size_t edns_strings_get_mem(struct edns_strings* edns_strings); 150 151 /** 152 * Swap internal tree with preallocated entries. 153 * @param edns_strings: the edns strings structure. 154 * @param data: the data structure used to take elements from. This contains 155 * the old elements on return. 156 */ 157 void edns_strings_swap_tree(struct edns_strings* edns_strings, 158 struct edns_strings* data); 159 160 /** 161 * Compute the interoperable DNS cookie (RFC9018) hash. 162 * @param in: buffer input for the hash generation. It needs to be: 163 * Client Cookie | Version | Reserved | Timestamp | Client-IP 164 * @param secret: the server secret; implicit length of 16 octets. 165 * @param v4: if the client IP is v4 or v6. 166 * @param hash: buffer to write the hash to. 167 * return a pointer to the hash. 168 */ 169 uint8_t* edns_cookie_server_hash(const uint8_t* in, const uint8_t* secret, 170 int v4, uint8_t* hash); 171 172 /** 173 * Write an interoperable DNS server cookie (RFC9018). 174 * @param buf: buffer to write to. It should have a size of at least 32 octets 175 * as it doubles as the output buffer and the hash input buffer. 176 * The first 8 octets are expected to be the Client Cookie and will be 177 * left untouched. 178 * The next 8 octets will be written with Version | Reserved | Timestamp. 179 * The next 4 or 16 octets are expected to be the IPv4 or the IPv6 address 180 * based on the v4 flag. 181 * Thus the first 20 or 32 octets, based on the v4 flag, will be used as 182 * the hash input. 183 * The server hash (8 octets) will be written after the first 16 octets; 184 * overwriting the address information. 185 * The caller expects a complete, 24 octet long cookie in the buffer. 186 * @param secret: the server secret; implicit length of 16 octets. 187 * @param v4: if the client IP is v4 or v6. 188 * @param timestamp: the timestamp to use. 189 */ 190 void edns_cookie_server_write(uint8_t* buf, const uint8_t* secret, int v4, 191 uint32_t timestamp); 192 193 /** 194 * Validate an interoperable DNS cookie (RFC9018). 195 * @param cookie: pointer to the cookie data. 196 * @param cookie_len: the length of the cookie data. 197 * @param secret: pointer to the server secret. 198 * @param secret_len: the length of the secret. 199 * @param v4: if the client IP is v4 or v6. 200 * @param hash_input: pointer to the hash input for validation. It needs to be: 201 * Client Cookie | Version | Reserved | Timestamp | Client-IP 202 * @param now: the current time. 203 * return edns_cookie_val_status with the cookie validation status i.e., 204 * <=0 for invalid, else valid. 205 */ 206 enum edns_cookie_val_status edns_cookie_server_validate(const uint8_t* cookie, 207 size_t cookie_len, const uint8_t* secret, size_t secret_len, int v4, 208 const uint8_t* hash_input, uint32_t now); 209 210 /** 211 * Create the cookie secrets structure. 212 * @return the structure or NULL on failure. 213 */ 214 struct cookie_secrets* cookie_secrets_create(void); 215 216 /** 217 * Delete the cookie secrets. 218 * @param cookie_secrets: the cookie secrets. 219 */ 220 void cookie_secrets_delete(struct cookie_secrets* cookie_secrets); 221 222 /** 223 * Apply configuration to cookie secrets, read them from file. 224 * @param cookie_secrets: the cookie secrets structure. 225 * @param cookie_secret_file: the file name, it is read. 226 * @return false on failure. 227 */ 228 int cookie_secrets_apply_cfg(struct cookie_secrets* cookie_secrets, 229 char* cookie_secret_file); 230 231 /** 232 * Validate the cookie secrets, try all of them. 233 * @param cookie: pointer to the cookie data. 234 * @param cookie_len: the length of the cookie data. 235 * @param cookie_secrets: struct of cookie secrets. 236 * @param v4: if the client IP is v4 or v6. 237 * @param hash_input: pointer to the hash input for validation. It needs to be: 238 * Client Cookie | Version | Reserved | Timestamp | Client-IP 239 * @param now: the current time. 240 * return edns_cookie_val_status with the cookie validation status i.e., 241 * <=0 for invalid, else valid. 242 */ 243 enum edns_cookie_val_status cookie_secrets_server_validate( 244 const uint8_t* cookie, size_t cookie_len, 245 struct cookie_secrets* cookie_secrets, int v4, 246 const uint8_t* hash_input, uint32_t now); 247 248 /** 249 * Add a cookie secret. If there are no secrets yet, the secret will become 250 * the active secret. Otherwise it will become the staging secret. 251 * Active secrets are used to both verify and create new DNS Cookies. 252 * Staging secrets are only used to verify DNS Cookies. Caller has to lock. 253 */ 254 void add_cookie_secret(struct cookie_secrets* cookie_secrets, uint8_t* secret, 255 size_t secret_len); 256 257 /** 258 * Makes the staging cookie secret active and the active secret staging. 259 * Caller has to lock. 260 */ 261 void activate_cookie_secret(struct cookie_secrets* cookie_secrets); 262 263 /** 264 * Drop a cookie secret. Drops the staging secret. An active secret will not 265 * be dropped. Caller has to lock. 266 */ 267 void drop_cookie_secret(struct cookie_secrets* cookie_secrets); 268 269 #endif 270
Indexes created Sat Feb 28 05:31:39 UTC 2026