2018-07-31 03:48:58 -04:00
|
|
|
/*
|
|
|
|
|
* util/edns.h - handle base EDNS options.
|
|
|
|
|
*
|
|
|
|
|
* Copyright (c) 2018, NLnet Labs. All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* This software is open source.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
*
|
|
|
|
|
* Redistributions of source code must retain the above copyright notice,
|
|
|
|
|
* this list of conditions and the following disclaimer.
|
|
|
|
|
*
|
|
|
|
|
* Redistributions in binary form must reproduce the above copyright notice,
|
|
|
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
|
|
|
* and/or other materials provided with the distribution.
|
|
|
|
|
*
|
|
|
|
|
* Neither the name of the NLNET LABS nor the names of its contributors may
|
|
|
|
|
* be used to endorse or promote products derived from this software without
|
|
|
|
|
* specific prior written permission.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
|
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
|
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
|
|
|
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
|
|
|
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
|
|
|
|
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
|
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
|
|
|
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
|
|
|
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
|
|
|
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \file
|
|
|
|
|
*
|
|
|
|
|
* This file contains functions for base EDNS options.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef UTIL_EDNS_H
|
|
|
|
|
#define UTIL_EDNS_H
|
|
|
|
|
|
2020-07-23 11:17:44 -04:00
|
|
|
#include "util/storage/dnstree.h"
|
Cookie secret file (#1090)
* - cookie-secret-file, define struct.
* - cookie-secret-file, add config option, create, read and delete struct.
* - cookie-secret-file, check cookie secrets for cookie validation.
* - cookie-secret-file, unbound-control add_cookie_secret, drop_cookie_secret,
activate_cookie_secret and print_cookie_secrets.
* - cookie-secret-file, test and fix locks, renew writes a fresh cookie,
staging cookies get a fresh cookie and spelling in error message.
* - cookie-secret-file, remove unused variable from cookie file unit test.
* Remove unshare and faketime dependencies for cookie_file test; documentation nits.
---------
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
2024-08-02 07:32:08 -04:00
|
|
|
#include "util/locks.h"
|
2020-07-23 11:17:44 -04:00
|
|
|
|
2018-07-31 03:48:58 -04:00
|
|
|
struct edns_data;
|
|
|
|
|
struct config_file;
|
|
|
|
|
struct comm_point;
|
|
|
|
|
struct regional;
|
|
|
|
|
|
2020-07-23 11:17:44 -04:00
|
|
|
/**
|
2020-09-30 17:17:53 -04:00
|
|
|
* Structure containing all EDNS strings.
|
2020-07-23 11:17:44 -04:00
|
|
|
*/
|
2020-09-30 17:17:53 -04:00
|
|
|
struct edns_strings {
|
|
|
|
|
/** Tree of EDNS client strings to use in upstream queries, per address
|
|
|
|
|
* prefix. Contains nodes of type edns_string_addr. */
|
|
|
|
|
rbtree_type client_strings;
|
|
|
|
|
/** EDNS opcode to use for client strings */
|
|
|
|
|
uint16_t client_string_opcode;
|
2020-07-23 11:17:44 -04:00
|
|
|
/** region to allocate tree nodes in */
|
|
|
|
|
struct regional* region;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
2020-09-30 17:17:53 -04:00
|
|
|
* EDNS string. Node of rbtree, containing string and prefix.
|
2020-07-23 11:17:44 -04:00
|
|
|
*/
|
2020-09-30 17:17:53 -04:00
|
|
|
struct edns_string_addr {
|
2020-07-23 11:17:44 -04:00
|
|
|
/** node in address tree, used for tree lookups. Need to be the first
|
|
|
|
|
* member of this struct. */
|
|
|
|
|
struct addr_tree_node node;
|
2020-09-30 17:17:53 -04:00
|
|
|
/** string, ascii format */
|
|
|
|
|
uint8_t* string;
|
|
|
|
|
/** length of string */
|
|
|
|
|
size_t string_len;
|
2020-07-23 11:17:44 -04:00
|
|
|
};
|
|
|
|
|
|
Cookie secret file (#1090)
* - cookie-secret-file, define struct.
* - cookie-secret-file, add config option, create, read and delete struct.
* - cookie-secret-file, check cookie secrets for cookie validation.
* - cookie-secret-file, unbound-control add_cookie_secret, drop_cookie_secret,
activate_cookie_secret and print_cookie_secrets.
* - cookie-secret-file, test and fix locks, renew writes a fresh cookie,
staging cookies get a fresh cookie and spelling in error message.
* - cookie-secret-file, remove unused variable from cookie file unit test.
* Remove unshare and faketime dependencies for cookie_file test; documentation nits.
---------
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
2024-08-02 07:32:08 -04:00
|
|
|
#define UNBOUND_COOKIE_HISTORY_SIZE 2
|
|
|
|
|
#define UNBOUND_COOKIE_SECRET_SIZE 16
|
|
|
|
|
|
|
|
|
|
typedef struct cookie_secret cookie_secret_type;
|
|
|
|
|
struct cookie_secret {
|
|
|
|
|
/** cookie secret */
|
|
|
|
|
uint8_t cookie_secret[UNBOUND_COOKIE_SECRET_SIZE];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* The cookie secrets from the cookie-secret-file.
|
|
|
|
|
*/
|
|
|
|
|
struct cookie_secrets {
|
|
|
|
|
/** lock on the structure, in case there are modifications
|
|
|
|
|
* from remote control, this avoids race conditions. */
|
|
|
|
|
lock_basic_type lock;
|
|
|
|
|
|
|
|
|
|
/** how many cookies are there in the cookies array */
|
|
|
|
|
size_t cookie_count;
|
|
|
|
|
|
|
|
|
|
/* keep track of the last `UNBOUND_COOKIE_HISTORY_SIZE`
|
|
|
|
|
* cookies as per rfc requirement .*/
|
|
|
|
|
cookie_secret_type cookie_secrets[UNBOUND_COOKIE_HISTORY_SIZE];
|
|
|
|
|
};
|
|
|
|
|
|
2023-08-08 09:19:56 -04:00
|
|
|
enum edns_cookie_val_status {
|
|
|
|
|
COOKIE_STATUS_CLIENT_ONLY = -3,
|
|
|
|
|
COOKIE_STATUS_FUTURE = -2,
|
|
|
|
|
COOKIE_STATUS_EXPIRED = -1,
|
|
|
|
|
COOKIE_STATUS_INVALID = 0,
|
|
|
|
|
COOKIE_STATUS_VALID = 1,
|
|
|
|
|
COOKIE_STATUS_VALID_RENEW = 2,
|
|
|
|
|
};
|
|
|
|
|
|
2020-07-23 11:17:44 -04:00
|
|
|
/**
|
2020-09-30 17:17:53 -04:00
|
|
|
* Create structure to hold EDNS strings
|
|
|
|
|
* @return: newly created edns_strings, NULL on alloc failure.
|
2020-07-23 11:17:44 -04:00
|
|
|
*/
|
2020-09-30 17:17:53 -04:00
|
|
|
struct edns_strings* edns_strings_create(void);
|
2020-07-23 11:17:44 -04:00
|
|
|
|
2020-09-30 17:17:53 -04:00
|
|
|
/** Delete EDNS strings structure
|
|
|
|
|
* @param edns_strings: struct to delete
|
2020-07-23 11:17:44 -04:00
|
|
|
*/
|
2020-09-30 17:17:53 -04:00
|
|
|
void edns_strings_delete(struct edns_strings* edns_strings);
|
2020-07-23 11:17:44 -04:00
|
|
|
|
|
|
|
|
/**
|
2020-09-30 17:17:53 -04:00
|
|
|
* Add configured EDNS strings
|
|
|
|
|
* @param edns_strings: edns strings to apply config to
|
|
|
|
|
* @param config: struct containing EDNS strings configuration
|
2020-07-23 11:17:44 -04:00
|
|
|
* @return 0 on error
|
|
|
|
|
*/
|
2020-09-30 17:17:53 -04:00
|
|
|
int edns_strings_apply_cfg(struct edns_strings* edns_strings,
|
2020-07-23 11:17:44 -04:00
|
|
|
struct config_file* config);
|
|
|
|
|
|
|
|
|
|
/**
|
2020-09-30 17:17:53 -04:00
|
|
|
* Find string for address.
|
|
|
|
|
* @param tree: tree containing EDNS strings per address prefix.
|
2020-07-23 11:17:44 -04:00
|
|
|
* @param addr: address to use for tree lookup
|
|
|
|
|
* @param addrlen: length of address
|
|
|
|
|
* @return: matching tree node, NULL otherwise
|
|
|
|
|
*/
|
2020-09-30 17:17:53 -04:00
|
|
|
struct edns_string_addr*
|
|
|
|
|
edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,
|
2020-07-23 11:17:44 -04:00
|
|
|
socklen_t addrlen);
|
|
|
|
|
|
Fast Reload Option (#1042)
* - fast-reload, add unbound-control fast_reload
* - fast-reload, make a thread to service the unbound-control command.
* - fast-reload, communication sockets for information transfer.
* - fast-reload, fix compile for unbound-dnstap-socket.
* - fast-reload, set nonblocking communication to keep the server thread
responding to DNS requests.
* - fast-reload, poll routine to test for readiness, timeout fails connection.
* - fast-reload, detect loop in sock_poll_timeout routine.
* - fast-reload, send done and exited notification.
* - fast-reload, defines for constants in ipc.
* - fast-reload, ipc socket recv and send resists partial reads and writes and
can continue byte by byte. Also it can continue after an interrupt.
* - fast-reload, send exit command to thread when done.
* - fast-reload, output strings for client on string list.
* - fast-reload, add newline to terminal output.
* - fast-reload, send client string to remote client.
* - fast-reload, better debug output.
* - fast-reload, print queue structure, for output to the remote client.
* - fast-reload, move print items to print queue from fast_reload_thread struct.
* - fast-reload, keep list of pending print queue items in daemon struct.
* - fast-reload, comment explains in_list for printq to print remainder.
* - fast-reload, unit test testdata/fast_reload_thread.tdir that tests the
thread output.
* - fast-reload, fix test link for fast_reload_printq_list_delete function.
* - fast-reload, reread config file from disk.
* - fast-reload, unshare forwards, making the structure locked, with an rwlock.
* - fast-reload, for nonthreaded, the unbound-control commands forward,
forward_add and forward_delete should be distributed to other processes,
but when threaded, they should not be distributed to other threads because
the structure is not thread specific any more.
* - fast-reload, unshared stub hints, making the structure locked, with an rwlock.
* - fast-reload, helpful comments for hints lookup function return value.
* - fast-reload, fix bug in fast reload printout, the strlist appendlist routine,
and printout time statistics after the reload is done.
* - fast-reload, keep track of reloadtime and deletestime and print them.
* - fast-reload, keep track of constructtime and print it.
* - fast-reload, construct new items.
* - fast-reload, better comment.
* - fast-reload, reload the config and swap trees for forwards and stub hints.
* - fast-reload, in forwards_swap_tree set protection of trees with locks.
* - fast-reload, in hints_swap_tree also swap the node count of the trees.
* - fast-reload, reload ipc to stop and start threads.
* - fast-reload, unused forward declarations removed.
* - fast-reload, unit test that fast reload works with forwards and stubs.
* - fast-reload, fix clang analyzer warnings.
* - fast-reload, small documentation entry in unbound-control -h output.
* - fast-reload, printout memory use by fast reload, in bytes.
* - fast-reload, compile without threads.
* - fast-reload, document fast_reload in man page.
* - fast-reload, print ok when done successfully.
* - fast-reload, option for fast-reload commandline, +v verbosity option,
with timing and memory use output.
* - fast-reload, option for fast-reload commandline, +p does not pause threads.
* - fast-reload, option for fast-reload commandline, +d drops mesh queries.
* - fast-reload, fix to poll every thread with nopause to make certain that
resources are not held by the threads and can be deleted.
* - fast-reload, fix to use atomic store for config variables with nopause.
* - fast-reload, reload views.
* - fast-reload, when tag defines are different, it drops the queries.
* - fast-reload, fix tag define check.
* - fast-reload, document that tag change causes drop of queries.
* - fast-reload, fix space in documentation man page.
* - fast-reload, copy respip client information to query state, put views tree
in module env for lookup.
* - fast-reload, nicer respip view comparison.
* - fast-reload, respip global set is in module env.
* - fast-reload, document that respip_client_info acl info is copied.
* - fast-reload, reload the respip_set.
* - fast-reload, document no pause and pick up of use_response_ip boolean.
* - fast-reload, fix test compile.
* - fast-reload, reload local zones.
* Update locking management for iter_fwd and iter_hints methods. (#1054)
fast reload, move most of the locking management to iter_fwd and
iter_hints methods. The caller still has the ability to handle its
own locking, if desired, for atomic operations on sets of different
structs.
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
* - fast-reload, reload access-control.
* - fast-reload, reload access control interface, such as interface-action.
* - fast-reload, reload tcp-connection-limit.
* - fast-reload, improve comments on acl_list and tcl_list swap tree.
* - fast-reload, fixup references to old tcp connection limits in open tcp
connections.
* - fast-reload, fixup to clean tcp connection also for different linked order.
* - fast-reload, if no tcp connection limits existed, no need to remove
references for that.
* - fast-reload, document more options that work and do not work.
* - fast-reload, reload auth_zone and rpz data.
* - fast-reload, fix auth_zones_get_mem.
* - fast-reload, fix compilation of testbound for the new comm_timer_get_mem
reference in remote control.
* - fast-reload, change use_rpz with reload.
* - fast-reload, list changes in auth zones and stop zonemd callbacks for
deleted auth zones.
* - fast-reload, note xtree is not swapped, and why it is not swapped.
* - fast-reload, for added auth zones, pick up zone transfer and zonemd tasks.
* - fast-reload, unlock xfr when done with transfer pick up.
* - fast-reload, unlock z when picking up the xfr for it during transfer task
pick up.
* - fast-reload, pick up task changes for added, deleted and modified auth zones.
* - fast-reload, remove xfr of auth zone deletion without tasks.
* - fast-reload, pick up zone transfer config.
* - fast-reload, the main worker thread picks up the transfer tasks and also
performs setup of the xfer struct.
* - fast-reload, keep writelock on newzone when auth zone changes.
* - fast-reload, change cachedb_enabled setting.
* - fast-reload, pick up edns-strings config.
* - fast-reload, note that settings are not updated.
* - fast-reload, pick up dnstap config.
* - fast-reload, dnstap options that need to be loaded without +p.
* - fast-reload, fix auth zone reload
* - fast-reload, remove debug for auth zone test.
* - fast-reload, fix auth zone reload with zone transfer.
* - fast-reload, fix auth zone reload lock order.
* - fast-reload, remove debug from fast reload test.
* - fast-reload, remove unused function.
* - fast-reload, fix the worker trust anchor probe timer lock acquisition in
the probe answer callback routine for trust anchor probes.
* - fast-reload, reload trust anchors.
* - fast-reload, fix trust anchor reload lock on autr global data and test
for trust anchor reload.
* - fast-reload, adjust cache sizes.
* - fast-reload, reload cache sizes when changed.
* - fast-reload, reload validator env changes.
* - fast-reload, reload mesh changes.
* - fast-reload, check for incompatible changes.
* - fast-reload, improve error text for incompatible change.
* - fast-reload, fix check config option compatibility.
* - fast-reload, improve error text for nopause change.
* - fast-reload, fix spelling of incompatible options.
* - fast-reload, reload target-fetch-policy, outbound-msg-retry, max-sent-count
and max-query-restarts.
* - fast-reload, check nopause config change for target-fetch-policy.
* - fast-reload, reload do-not-query-address, private-address and capt-exempt.
* - fast-reload, check nopause config change for do-not-query-address,
private-address and capt-exempt.
* - fast-reload, check fast reload not possible due to interface and
outgoing-interface changes.
* - fast-reload, reload nat64 settings.
* - fast-reload, reload settings stored in the infra structure.
* - fast-reload, fix modstack lookup and remove outgoing-range check.
* - fast-reload, more explanation for config parse failure.
* - fast-reload, reload worker outside network changes.
* - fast-reload, detect incompatible changes in network settings.
* fast-reload, commit test files.
* - fast-reload, fix warnings for call types in windows compile.
* - fast-reload, fix warnings and comm_point_internal for tcp wouldblock calls.
* - fast-reload, extend lock checks for repeat thread ids.
* - fast-reload, additional test cases, cache change and tag changes.
* - fast-reload, fix documentation for auth_zone_verify_zonemd_with_key.
* - fast-reload, fix copy_cfg type casts and memory leak on config parse failure.
* - fast-reload, fix use of WSAPoll.
* Review comments for the fast reload feature (#1259)
* - fast-reload review, respip set can be null from a view.
* - fast-reload review, typos.
* - fast-reload review, keep clang static analyzer happy.
* - fast-reload review, don't forget to copy tag_actions.
* - fast-reload review, less indentation.
* - fast-reload review, don't leak respip_actions when reloading.
* - fast-reload review, protect NULL pointer dereference in get_mem
functions.
* - fast-reload review, add fast_reload_most_options.tdir to test most
options with high verbosity when fast reloading.
* - fast-reload review, don't skip new line on long error printouts.
* - fast-reload review, typo.
* - fast-reload review, use new_z for consistency.
* - fast-reload review, nit for unlock ordering to make eye comparison
with the lock counterpart easier.
* - fast-reload review, in case of error the sockets are already closed.
* - fast-reload review, identation.
* - fast-reload review, add static keywords.
* - fast-reload review, update unbound-control usage text.
* - fast-reload review, updates to the man page.
* - fast-reload, the fast-reload command is experimental.
* - fast-reload, fix compile of doqclient for fast reload functions.
* Changelog comment for #1042
- Merge #1042: Fast Reload. The unbound-control fast_reload is added.
It reads changed config in a thread, then only briefly pauses the
service threads, that keep running. DNS service is only interrupted
briefly, less than a second.
---------
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
2025-03-31 09:25:24 -04:00
|
|
|
/**
|
|
|
|
|
* Get memory usage of edns strings.
|
|
|
|
|
* @param edns_strings: the edns strings
|
|
|
|
|
* @return memory usage
|
|
|
|
|
*/
|
|
|
|
|
size_t edns_strings_get_mem(struct edns_strings* edns_strings);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Swap internal tree with preallocated entries.
|
|
|
|
|
* @param edns_strings: the edns strings structure.
|
|
|
|
|
* @param data: the data structure used to take elements from. This contains
|
|
|
|
|
* the old elements on return.
|
|
|
|
|
*/
|
|
|
|
|
void edns_strings_swap_tree(struct edns_strings* edns_strings,
|
|
|
|
|
struct edns_strings* data);
|
|
|
|
|
|
2023-08-04 08:26:08 -04:00
|
|
|
/**
|
2023-08-05 14:00:37 -04:00
|
|
|
* Compute the interoperable DNS cookie (RFC9018) hash.
|
2023-08-04 08:26:08 -04:00
|
|
|
* @param in: buffer input for the hash generation. It needs to be:
|
|
|
|
|
* Client Cookie | Version | Reserved | Timestamp | Client-IP
|
|
|
|
|
* @param secret: the server secret; implicit length of 16 octets.
|
|
|
|
|
* @param v4: if the client IP is v4 or v6.
|
|
|
|
|
* @param hash: buffer to write the hash to.
|
|
|
|
|
* return a pointer to the hash.
|
|
|
|
|
*/
|
|
|
|
|
uint8_t* edns_cookie_server_hash(const uint8_t* in, const uint8_t* secret,
|
|
|
|
|
int v4, uint8_t* hash);
|
|
|
|
|
|
|
|
|
|
/**
|
2023-08-05 14:00:37 -04:00
|
|
|
* Write an interoperable DNS server cookie (RFC9018).
|
2023-08-04 08:26:08 -04:00
|
|
|
* @param buf: buffer to write to. It should have a size of at least 32 octets
|
|
|
|
|
* as it doubles as the output buffer and the hash input buffer.
|
|
|
|
|
* The first 8 octets are expected to be the Client Cookie and will be
|
|
|
|
|
* left untouched.
|
|
|
|
|
* The next 8 octets will be written with Version | Reserved | Timestamp.
|
|
|
|
|
* The next 4 or 16 octets are expected to be the IPv4 or the IPv6 address
|
|
|
|
|
* based on the v4 flag.
|
|
|
|
|
* Thus the first 20 or 32 octets, based on the v4 flag, will be used as
|
|
|
|
|
* the hash input.
|
|
|
|
|
* The server hash (8 octets) will be written after the first 16 octets;
|
|
|
|
|
* overwriting the address information.
|
|
|
|
|
* The caller expects a complete, 24 octet long cookie in the buffer.
|
|
|
|
|
* @param secret: the server secret; implicit length of 16 octets.
|
|
|
|
|
* @param v4: if the client IP is v4 or v6.
|
|
|
|
|
* @param timestamp: the timestamp to use.
|
|
|
|
|
*/
|
|
|
|
|
void edns_cookie_server_write(uint8_t* buf, const uint8_t* secret, int v4,
|
|
|
|
|
uint32_t timestamp);
|
|
|
|
|
|
|
|
|
|
/**
|
2023-08-05 14:00:37 -04:00
|
|
|
* Validate an interoperable DNS cookie (RFC9018).
|
2023-08-04 08:26:08 -04:00
|
|
|
* @param cookie: pointer to the cookie data.
|
|
|
|
|
* @param cookie_len: the length of the cookie data.
|
|
|
|
|
* @param secret: pointer to the server secret.
|
|
|
|
|
* @param secret_len: the length of the secret.
|
|
|
|
|
* @param v4: if the client IP is v4 or v6.
|
|
|
|
|
* @param hash_input: pointer to the hash input for validation. It needs to be:
|
|
|
|
|
* Client Cookie | Version | Reserved | Timestamp | Client-IP
|
|
|
|
|
* @param now: the current time.
|
2023-08-08 09:19:56 -04:00
|
|
|
* return edns_cookie_val_status with the cookie validation status i.e.,
|
|
|
|
|
* <=0 for invalid, else valid.
|
2023-08-04 08:26:08 -04:00
|
|
|
*/
|
2023-08-08 09:19:56 -04:00
|
|
|
enum edns_cookie_val_status edns_cookie_server_validate(const uint8_t* cookie,
|
|
|
|
|
size_t cookie_len, const uint8_t* secret, size_t secret_len, int v4,
|
2023-08-04 08:26:08 -04:00
|
|
|
const uint8_t* hash_input, uint32_t now);
|
|
|
|
|
|
Cookie secret file (#1090)
* - cookie-secret-file, define struct.
* - cookie-secret-file, add config option, create, read and delete struct.
* - cookie-secret-file, check cookie secrets for cookie validation.
* - cookie-secret-file, unbound-control add_cookie_secret, drop_cookie_secret,
activate_cookie_secret and print_cookie_secrets.
* - cookie-secret-file, test and fix locks, renew writes a fresh cookie,
staging cookies get a fresh cookie and spelling in error message.
* - cookie-secret-file, remove unused variable from cookie file unit test.
* Remove unshare and faketime dependencies for cookie_file test; documentation nits.
---------
Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
2024-08-02 07:32:08 -04:00
|
|
|
/**
|
|
|
|
|
* Create the cookie secrets structure.
|
|
|
|
|
* @return the structure or NULL on failure.
|
|
|
|
|
*/
|
|
|
|
|
struct cookie_secrets* cookie_secrets_create(void);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Delete the cookie secrets.
|
|
|
|
|
* @param cookie_secrets: the cookie secrets.
|
|
|
|
|
*/
|
|
|
|
|
void cookie_secrets_delete(struct cookie_secrets* cookie_secrets);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Apply configuration to cookie secrets, read them from file.
|
|
|
|
|
* @param cookie_secrets: the cookie secrets structure.
|
|
|
|
|
* @param cookie_secret_file: the file name, it is read.
|
|
|
|
|
* @return false on failure.
|
|
|
|
|
*/
|
|
|
|
|
int cookie_secrets_apply_cfg(struct cookie_secrets* cookie_secrets,
|
|
|
|
|
char* cookie_secret_file);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Validate the cookie secrets, try all of them.
|
|
|
|
|
* @param cookie: pointer to the cookie data.
|
|
|
|
|
* @param cookie_len: the length of the cookie data.
|
|
|
|
|
* @param cookie_secrets: struct of cookie secrets.
|
|
|
|
|
* @param v4: if the client IP is v4 or v6.
|
|
|
|
|
* @param hash_input: pointer to the hash input for validation. It needs to be:
|
|
|
|
|
* Client Cookie | Version | Reserved | Timestamp | Client-IP
|
|
|
|
|
* @param now: the current time.
|
|
|
|
|
* return edns_cookie_val_status with the cookie validation status i.e.,
|
|
|
|
|
* <=0 for invalid, else valid.
|
|
|
|
|
*/
|
|
|
|
|
enum edns_cookie_val_status cookie_secrets_server_validate(
|
|
|
|
|
const uint8_t* cookie, size_t cookie_len,
|
|
|
|
|
struct cookie_secrets* cookie_secrets, int v4,
|
|
|
|
|
const uint8_t* hash_input, uint32_t now);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Add a cookie secret. If there are no secrets yet, the secret will become
|
|
|
|
|
* the active secret. Otherwise it will become the staging secret.
|
|
|
|
|
* Active secrets are used to both verify and create new DNS Cookies.
|
|
|
|
|
* Staging secrets are only used to verify DNS Cookies. Caller has to lock.
|
|
|
|
|
*/
|
|
|
|
|
void add_cookie_secret(struct cookie_secrets* cookie_secrets, uint8_t* secret,
|
|
|
|
|
size_t secret_len);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Makes the staging cookie secret active and the active secret staging.
|
|
|
|
|
* Caller has to lock.
|
|
|
|
|
*/
|
|
|
|
|
void activate_cookie_secret(struct cookie_secrets* cookie_secrets);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Drop a cookie secret. Drops the staging secret. An active secret will not
|
|
|
|
|
* be dropped. Caller has to lock.
|
|
|
|
|
*/
|
|
|
|
|
void drop_cookie_secret(struct cookie_secrets* cookie_secrets);
|
|
|
|
|
|
2018-07-31 03:48:58 -04:00
|
|
|
#endif
|
