162ac0c33Sjakob /*
262ac0c33Sjakob * edns.c -- EDNS definitions (RFC 2671).
362ac0c33Sjakob *
4d3fecca9Ssthen * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
562ac0c33Sjakob *
662ac0c33Sjakob * See LICENSE for the license.
762ac0c33Sjakob *
862ac0c33Sjakob */
962ac0c33Sjakob
1062ac0c33Sjakob
11aee1b7aaSsthen #include "config.h"
1262ac0c33Sjakob
1362ac0c33Sjakob #include <string.h>
14063644e9Sflorian #ifdef HAVE_SSL
15063644e9Sflorian #include <openssl/opensslv.h>
16063644e9Sflorian #include <openssl/evp.h>
17063644e9Sflorian #endif
1862ac0c33Sjakob
1962ac0c33Sjakob #include "dns.h"
2062ac0c33Sjakob #include "edns.h"
21c1e73312Sflorian #include "nsd.h"
22c1e73312Sflorian #include "query.h"
2362ac0c33Sjakob
24bc6311d7Sflorian #if !defined(HAVE_SSL) || !defined(HAVE_CRYPTO_MEMCMP)
25bc6311d7Sflorian /* we need fixed time compare, pull it in from tsig.c */
26bc6311d7Sflorian #define CRYPTO_memcmp memcmp_fixedtime
27bc6311d7Sflorian int memcmp_fixedtime(const void *s1, const void *s2, size_t n);
28bc6311d7Sflorian #endif
29bc6311d7Sflorian
/**
 * Fill in the pre-built EDNS byte templates held in an edns_data_type.
 *
 * The whole structure is zeroed first, so every byte not written below
 * stays 0.  That includes index 0 of the ok/error templates, which lines
 * up with the owner byte that edns_parse_record() expects to be 0.
 *
 * @param data        template storage to initialise (overwritten).
 * @param max_length  UDP payload size advertised in the OPT record.
 */
void
edns_init_data(edns_data_type *data, uint16_t max_length)
{
	/* payload length written into the COOKIE option header */
	const uint16_t cookie_optlen = 24;

	memset(data, 0, sizeof *data);

	/* successful reply: record type OPT, then advertised UDP size */
	data->ok[1] = (TYPE_OPT & 0xff00) >> 8;		/* type_hi */
	data->ok[2] = TYPE_OPT & 0x00ff;		/* type_lo */
	data->ok[3] = (max_length & 0xff00) >> 8;	/* size_hi */
	data->ok[4] = max_length & 0x00ff;		/* size_lo */

	/* error reply: same header plus the extended RCODE byte */
	data->error[1] = (TYPE_OPT & 0xff00) >> 8;	/* type_hi */
	data->error[2] = TYPE_OPT & 0x00ff;		/* type_lo */
	data->error[3] = (max_length & 0xff00) >> 8;	/* size_hi */
	data->error[4] = max_length & 0x00ff;		/* size_lo */
	data->error[5] = 1;	/* XXX Extended RCODE=BAD VERS */

	/* COOKIE option header: option code followed by option length */
	data->cookie[0] = (COOKIE_CODE & 0xff00) >> 8;
	data->cookie[1] = (COOKIE_CODE & 0x00ff);
	data->cookie[2] = (cookie_optlen & 0xff00) >> 8;
	data->cookie[3] = (cookie_optlen & 0x00ff);
}
5362ac0c33Sjakob
/**
 * Write the 4-byte NSID option header (option code, option length) into
 * the template storage.  Only the header is written here; the NSID bytes
 * themselves are not touched by this function.
 *
 * @param data      template storage whose nsid[0..3] are overwritten.
 * @param nsid_len  length of the NSID payload, stored big-endian.
 */
void
edns_init_nsid(edns_data_type *data, uint16_t nsid_len)
{
	/* option code, high byte first */
	data->nsid[0] = (NSID_CODE & 0xff00) >> 8;
	data->nsid[1] = (NSID_CODE & 0x00ff);
	/* option length, high byte first */
	data->nsid[2] = (nsid_len & 0xff00) >> 8;
	data->nsid[3] = (nsid_len & 0x00ff);
}
6362ac0c33Sjakob
/**
 * Reset a per-query EDNS record to the "no OPT record seen" state.
 *
 * Cookie state starts as COOKIE_NOT_PRESENT with length 0, and no
 * Extended DNS Error is set.
 *
 * @param edns  record to reset; every field listed below is overwritten.
 */
void
edns_init_record(edns_record_type *edns)
{
	/* OPT record parse state */
	edns->status = EDNS_NOT_PRESENT;
	edns->position = 0;
	edns->maxlen = 0;
	edns->dnssec_ok = 0;

	/* options and the reply space they will need */
	edns->opt_reserved_space = 0;
	edns->nsid = 0;
	edns->cookie_status = COOKIE_NOT_PRESENT;
	edns->cookie_len = 0;

	/* Extended DNS Error: -1 means none */
	edns->ede = -1;
	edns->ede_text = NULL;
	edns->ede_text_len = 0;
}
7962ac0c33Sjakob
/**
 * Handle a single EDNS option from the query's OPT rdata.
 *
 * The packet position is at the start of the option payload on entry and
 * is advanced by optlen on every path that returns 1.  The only visible
 * caller, edns_parse_record(), has already checked that optlen bytes are
 * available in the packet.
 *
 * @param optcode  option code read from the packet.
 * @param optlen   option payload length read from the packet.
 * @param packet   query packet buffer.
 * @param edns     per-query EDNS state to update.
 * @param query    unused for now.
 * @param nsd      server configuration (NSID length, cookie switch).
 * @return 1 if the option was consumed, 0 if the query must be answered
 *         with FORMERR (cookie option with an unacceptable length).
 */
static int
edns_handle_option(uint16_t optcode, uint16_t optlen, buffer_type* packet,
	edns_record_type* edns, struct query* query, nsd_type* nsd)
{
	(void) query; /* in case edns options need the query structure */

	if(optcode == NSID_CODE) {
		/* only honoured when an NSID is configured */
		if(nsd->nsid_len > 0) {
			edns->nsid = 1;
			/* the reply needs optcode+optlen+nsid_bytes.
			 * NOTE(review): this accumulates once per
			 * occurrence if a query repeats the option;
			 * confirm the reply path tolerates that. */
			edns->opt_reserved_space += OPT_HDR + nsd->nsid_len;
		}
		/* the request payload is never read, just stepped over */
		buffer_skip(packet, optlen);
		return 1;
	}

	if(optcode == COOKIE_CODE) {
		if(!nsd->do_answer_cookie) {
			/* cookies disabled: ignore the option */
			buffer_skip(packet, optlen);
			return 1;
		}

		if(optlen == 8) {
			/* 8 bytes only: recorded as COOKIE_INVALID;
			 * cookie_verify() bails out on any length
			 * other than 24 and leaves it that way */
			edns->cookie_status = COOKIE_INVALID;
		} else if(optlen >= 16 && optlen <= 40) {
			edns->cookie_status = COOKIE_UNVERIFIED;
		} else {
			return 0; /* FORMERR */
		}

		/* optlen is 8 or 16..40 here, so the copy is bounded by
		 * 40 bytes; assumes edns->cookie holds at least 40 bytes
		 * (declared elsewhere) -- TODO confirm */
		edns->cookie_len = optlen;
		memcpy(edns->cookie, buffer_current(packet), optlen);
		buffer_skip(packet, optlen);
		/* reply carries a 24-byte cookie plus the option header */
		edns->opt_reserved_space += OPT_HDR + 24;
		return 1;
	}

	/* unknown option: skip its payload */
	buffer_skip(packet, optlen);
	return 1;
}
125c1e73312Sflorian
/**
 * Parse the OPT pseudo-record at the current packet position.
 *
 * The starting position is stored in edns->position.  If the record is
 * not an OPT record, the packet position is rewound to that point; on the
 * other failure paths the position is left wherever parsing stopped.
 *
 * @param edns    per-query EDNS state to fill in.
 * @param packet  query packet, positioned at the candidate OPT record.
 * @param query   passed through to the option handler.
 * @param nsd     server configuration, passed to the option handler.
 * @return 1 when an OPT record was recognised (edns->status is EDNS_OK,
 *         or EDNS_ERROR for an unsupported version); 0 when there is no
 *         OPT record here or its contents are malformed.
 */
int
edns_parse_record(edns_record_type *edns, buffer_type *packet,
	query_type* query, nsd_type* nsd)
{
	/* fixed part of the OPT record, in wire order */
	uint8_t owner;
	uint16_t rrtype;
	uint16_t rrclass;	/* carries the sender's UDP payload size */
	uint8_t version;
	uint16_t flags;
	uint16_t rdlen;

	edns->position = buffer_position(packet);

	/* the fixed-size part must be fully present before any read */
	if (!buffer_available(packet, (OPT_LEN + OPT_RDATA)))
		return 0;

	owner = buffer_read_u8(packet);
	rrtype = buffer_read_u16(packet);
	if (!(owner == 0 && rrtype == TYPE_OPT)) {
		/* Not EDNS: put the packet back where it was. */
		buffer_set_position(packet, edns->position);
		return 0;
	}

	rrclass = buffer_read_u16(packet);
	(void)buffer_read_u8(packet); /* opt_extended_rcode */
	version = buffer_read_u8(packet);
	flags = buffer_read_u16(packet);
	rdlen = buffer_read_u16(packet);

	if (version != 0) {
		/* The only error is VERSION not implemented */
		edns->status = EDNS_ERROR;
		return 1;
	}

	if (rdlen > 0) {
		/* all of the rdata must be in the packet before the
		 * options are walked; the per-option reads below rely
		 * on this single check */
		if(!buffer_available(packet, rdlen) || rdlen > 65530)
			return 0;

		/* each option is a 4-byte header plus optlen bytes */
		while(rdlen >= 4) {
			const uint16_t code = buffer_read_u16(packet);
			const uint16_t len = buffer_read_u16(packet);

			rdlen -= 4;
			if(len > rdlen)
				return 0; /* opt too long, formerr */
			rdlen -= len;
			if(!edns_handle_option(code, len, packet,
				edns, query, nsd))
				return 0;
		}
		/* 1..3 trailing bytes cannot form an option header */
		if(rdlen != 0)
			return 0;
	}

	edns->maxlen = rrclass;
	edns->dnssec_ok = flags & DNSSEC_OK_MASK;
	edns->status = EDNS_OK;
	return 1;
}
18962ac0c33Sjakob
/**
 * Number of bytes to keep free in the reply for the OPT record.
 *
 * @param edns  per-query EDNS state.
 * @return 0 when the query carried no OPT record, otherwise the fixed
 *         OPT size plus the space accumulated for options.
 */
size_t
edns_reserved_space(edns_record_type *edns)
{
	/* MIEK; when a pkt is too large?? */
	if (edns->status == EDNS_NOT_PRESENT)
		return 0;
	return OPT_LEN + OPT_RDATA + edns->opt_reserved_space;
}
197063644e9Sflorian
198063644e9Sflorian int siphash(const uint8_t *in, const size_t inlen,
199063644e9Sflorian const uint8_t *k, uint8_t *out, const size_t outlen);
200063644e9Sflorian
/**
 * RFC 1982 serial-number comparison on 32-bit values.
 *
 * Works purely on unsigned integers and avoids "a - b < 0" style tests,
 * which the original author notes is meant to sidestep compiler
 * optimization; it is intended to match compare_serial() as used for
 * SOA serial checks.
 *
 * @return 0 if a equals b, -1 if a precedes b, 1 otherwise (this
 *         includes the case where the two differ by exactly 2^31).
 */
static int
compare_1982(uint32_t a, uint32_t b)
{
	/* half of the 32-bit number space */
	const uint32_t half_range = (uint32_t)1 << 31;

	if (a == b)
		return 0;
	if (a < b)
		return (b - a < half_range) ? -1 : 1;
	/* a > b: a only precedes b if the distance wraps around */
	return (a - b > half_range) ? -1 : 1;
}
218063644e9Sflorian
/**
 * Distance from a to b in RFC 1982 serial arithmetic, for callers that
 * already know b is ahead of a.
 *
 * @return the number of steps from a forward to b; 0 when the two are
 *         equal or when b is not ahead of a.
 */
static uint32_t
subtract_1982(uint32_t a, uint32_t b)
{
	/* half of the 32-bit number space */
	const uint32_t half_range = (uint32_t)1 << 31;

	if(a < b) {
		const uint32_t forward = b - a;
		return forward < half_range ? forward : 0;
	}
	if(a > b) {
		const uint32_t backward = a - b;
		/* b is ahead only if it wrapped past zero */
		if(backward > half_range)
			return ((uint32_t)0xffffffff) - (backward - 1);
	}
	/* equal, or wrong case: b smaller than a */
	return 0;
}
238063644e9Sflorian
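/**
 * Verify the server cookie carried in the query and record the outcome
 * in q->edns.cookie_status.
 *
 * Only 24-byte cookies whose version byte (offset 8) is 1 are examined;
 * for anything else the function returns without touching the status.
 * Otherwise the status becomes COOKIE_INVALID unless the hash matches:
 *  - COOKIE_VALID_REUSE: matches the current secret and is less than
 *    1800 seconds old; the cookie bytes are restored so cookie_create()
 *    can send it back unchanged.
 *  - COOKIE_VALID: matches the current secret but is older, or matches
 *    one of the earlier secrets.
 * Cookies more than 3600 seconds old or more than 300 seconds in the
 * future are rejected before any hashing is done.
 *
 * Side effect: bytes 16.. of q->edns.cookie are overwritten with the
 * client address to build the hash input, and are only restored on the
 * COOKIE_VALID_REUSE path.
 *
 * @param q      query holding the received cookie and the client address.
 * @param nsd    server state holding the cookie secrets.
 * @param now_p  cached current time; filled in from time() when it is 0.
 */
void cookie_verify(query_type *q, struct nsd* nsd, uint32_t *now_p) {
	uint8_t hash[8], hash2verify[8];
	uint32_t cookie_time, now_uint32;
	size_t verify_size;
	int i;

	/* We support only draft-sury-toorop-dnsop-server-cookies sizes */
	if(q->edns.cookie_len != 24)
		return;

	/* version byte of the server cookie must be 1 */
	if(q->edns.cookie[8] != 1)
		return;

	q->edns.cookie_status = COOKIE_INVALID;

	/* Big-endian timestamp at offset 12.  Each byte is widened to
	 * uint32_t before shifting: shifting the int-promoted byte left
	 * by 24 would overflow a signed int whenever the top bit is set.
	 * (assumes cookie[] is an array of unsigned bytes -- TODO confirm) */
	cookie_time = ((uint32_t)q->edns.cookie[12] << 24)
	            | ((uint32_t)q->edns.cookie[13] << 16)
	            | ((uint32_t)q->edns.cookie[14] <<  8)
	            |  (uint32_t)q->edns.cookie[15];

	now_uint32 = *now_p ? *now_p : (*now_p = (uint32_t)time(NULL));

	if(compare_1982(now_uint32, cookie_time) > 0) {
		/* ignore cookies > 1 hour in past */
		if (subtract_1982(cookie_time, now_uint32) > 3600)
			return;
	} else if (subtract_1982(now_uint32, cookie_time) > 300) {
		/* ignore cookies > 5 minutes in future */
		return;
	}

	/* keep the received hash; its slot is reused for the client
	 * address so the hash input is one contiguous run of bytes */
	memcpy(hash2verify, q->edns.cookie + 16, 8);

#ifdef INET6
	if(q->client_addr.ss_family == AF_INET6) {
		memcpy(q->edns.cookie + 16, &((struct sockaddr_in6 *)&q->client_addr)->sin6_addr, 16);
		verify_size = 32;
	} else {
		memcpy(q->edns.cookie + 16, &((struct sockaddr_in *)&q->client_addr)->sin_addr, 4);
		verify_size = 20;
	}
#else
	memcpy( q->edns.cookie + 16, &q->client_addr.sin_addr, 4);
	verify_size = 20;
#endif

	q->edns.cookie_status = COOKIE_INVALID;
	siphash(q->edns.cookie, verify_size,
		nsd->cookie_secrets[0].cookie_secret, hash, 8);
	/* fixed-time compare, so timing does not reveal how many
	 * leading hash bytes matched */
	if(CRYPTO_memcmp(hash2verify, hash, 8) == 0 ) {
		if (subtract_1982(cookie_time, now_uint32) < 1800) {
			q->edns.cookie_status = COOKIE_VALID_REUSE;
			/* put the hash back so the cookie is intact */
			memcpy(q->edns.cookie + 16, hash, 8);
		} else
			q->edns.cookie_status = COOKIE_VALID;
		return;
	}
	/* try the earlier secrets; a match is only ever COOKIE_VALID,
	 * never COOKIE_VALID_REUSE, so cookie_create() will not skip
	 * issuing a new cookie under secret 0 */
	for(i = 1;
	    i < (int)nsd->cookie_count && i < NSD_COOKIE_HISTORY_SIZE;
	    i++) {
		siphash(q->edns.cookie, verify_size,
		        nsd->cookie_secrets[i].cookie_secret, hash, 8);
		if(CRYPTO_memcmp(hash2verify, hash, 8) == 0 ) {
			q->edns.cookie_status = COOKIE_VALID;
			return;
		}
	}
}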
307063644e9Sflorian
/**
 * Build the server cookie for the reply in place in q->edns.cookie.
 *
 * Nothing is done when cookie_verify() marked the received cookie as
 * COOKIE_VALID_REUSE.  Otherwise bytes 8..23 are rewritten: version 1,
 * three zero bytes, a big-endian timestamp, and an 8-byte siphash.  The
 * hash covers cookie bytes 0..15 followed by the client address (4 or
 * 16 bytes) and is keyed with cookie secret 0.  Bytes 0..7 are not
 * written here.
 *
 * @param q      query whose cookie buffer is rewritten.
 * @param nsd    server state holding the cookie secrets.
 * @param now_p  cached current time; filled in from time() when it is 0.
 */
void cookie_create(query_type *q, struct nsd* nsd, uint32_t *now_p)
{
	uint8_t digest[8];
	uint32_t stamp;
	size_t input_len;

	if (q->edns.cookie_status == COOKIE_VALID_REUSE)
		return;

	/* take the timestamp once and cache it for the caller */
	if (*now_p == 0)
		*now_p = (uint32_t)time(NULL);
	stamp = *now_p;

	/* version, then three reserved bytes */
	q->edns.cookie[ 8] = 1;
	q->edns.cookie[ 9] = 0;
	q->edns.cookie[10] = 0;
	q->edns.cookie[11] = 0;
	/* timestamp, most significant byte first */
	q->edns.cookie[12] = (stamp >> 24) & 0xFF;
	q->edns.cookie[13] = (stamp >> 16) & 0xFF;
	q->edns.cookie[14] = (stamp >>  8) & 0xFF;
	q->edns.cookie[15] = stamp & 0xFF;

	/* the client address is placed where the hash will go, so the
	 * hash input is contiguous */
#ifdef INET6
	if (q->client_addr.ss_family == AF_INET6) {
		memcpy(q->edns.cookie + 16,
			&((struct sockaddr_in6 *)&q->client_addr)->sin6_addr, 16);
		input_len = 32;
	} else {
		memcpy(q->edns.cookie + 16,
			&((struct sockaddr_in *)&q->client_addr)->sin_addr, 4);
		input_len = 20;
	}
#else
	memcpy(q->edns.cookie + 16, &q->client_addr.sin_addr, 4);
	input_len = 20;
#endif
	siphash(q->edns.cookie, input_len,
		nsd->cookie_secrets[0].cookie_secret, digest, 8);

	/* the hash replaces the address bytes in the finished cookie */
	memcpy(q->edns.cookie + 16, digest, 8);
}
341063644e9Sflorian