From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 23 Dec 2016 10:52:43 +0000 (+0100)
Subject: dnsdist: Merge the client and server nonces to prevent replay attacks
X-Git-Tag: rec-4.1.0-alpha1~323^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F4815%2Fhead;p=thirdparty%2Fpdns.git

dnsdist: Merge the client and server nonces to prevent replay attacks

Instead of using the local nonce to send messages (and so the remote
one for received ones), split and merge the local and remote nonces
to create two new nonces, one for client to server and one for server
to client.
---

diff --git a/pdns/dnsdist-console.cc b/pdns/dnsdist-console.cc
index 45052f08db..ad9c4bb3c6 100644
--- a/pdns/dnsdist-console.cc
+++ b/pdns/dnsdist-console.cc
@@ -56,14 +56,16 @@ void doClient(ComboAddress server, const std::string& command)
   }
   SConnect(fd, server);
   setTCPNoDelay(fd);
-  SodiumNonce theirs, ours;
+  SodiumNonce theirs, ours, readingNonce, writingNonce;
   ours.init();
 
   writen2(fd, (const char*)ours.value, sizeof(ours.value));
   readn2(fd, (char*)theirs.value, sizeof(theirs.value));
+  readingNonce.merge(ours, theirs);
+  writingNonce.merge(theirs, ours);
 
   if(!command.empty()) {
-    string msg=sodEncryptSym(command, g_key, ours);
+    string msg=sodEncryptSym(command, g_key, writingNonce);
     putMsgLen32(fd, (uint32_t) msg.length());
     if(!msg.empty())
       writen2(fd, msg);
@@ -73,7 +75,7 @@ void doClient(ComboAddress server, const std::string& command)
         boost::scoped_array<char> resp(new char[len]);
         readn2(fd, resp.get(), len);
         msg.assign(resp.get(), len);
-        msg=sodDecryptSym(msg, g_key, theirs);
+        msg=sodDecryptSym(msg, g_key, readingNonce);
         cout<<msg;
         cout.flush();
       }
@@ -116,7 +118,7 @@ void doClient(ComboAddress server, const std::string& command)
     if(line.empty())
       continue;
 
-    string msg=sodEncryptSym(line, g_key, ours);
+    string msg=sodEncryptSym(line, g_key, writingNonce);
     putMsgLen32(fd, (uint32_t) msg.length());
     writen2(fd, msg);
     uint32_t len;
@@ -129,7 +131,7 @@ void doClient(ComboAddress server, const std::string& command)
       boost::scoped_array<char> resp(new char[len]);
       readn2(fd, resp.get(), len);
       msg.assign(resp.get(), len);
-      msg=sodDecryptSym(msg, g_key, theirs);
+      msg=sodDecryptSym(msg, g_key, readingNonce);
       cout<<msg;
       cout.flush();
     }
@@ -417,11 +419,12 @@ void controlClientThread(int fd, ComboAddress client)
 try
 {
   setTCPNoDelay(fd);
-  SodiumNonce theirs;
-  readn2(fd, (char*)theirs.value, sizeof(theirs.value));
-  SodiumNonce ours;
+  SodiumNonce theirs, ours, readingNonce, writingNonce;
   ours.init();
+  readn2(fd, (char*)theirs.value, sizeof(theirs.value));
   writen2(fd, (char*)ours.value, sizeof(ours.value));
+  readingNonce.merge(ours, theirs);
+  writingNonce.merge(theirs, ours);
 
   for(;;) {
     uint32_t len;
@@ -439,7 +442,7 @@ try
     readn2(fd, msg.get(), len);
     
     string line(msg.get(), len);
-    line = sodDecryptSym(line, g_key, theirs);
+    line = sodDecryptSym(line, g_key, readingNonce);
     //    cerr<<"Have decrypted line: "<<line<<endl;
     string response;
     try {
@@ -512,7 +515,7 @@ try
     catch(const LuaContext::SyntaxErrorException& e) {
       response = "Error: " + string(e.what()) + ": ";
     }
-    response = sodEncryptSym(response, g_key, ours);
+    response = sodEncryptSym(response, g_key, writingNonce);
     putMsgLen32(fd, response.length());
     writen2(fd, response.c_str(), response.length());
   }
diff --git a/pdns/sodcrypto.hh b/pdns/sodcrypto.hh
index fce2164cea..86d52b2f0c 100644
--- a/pdns/sodcrypto.hh
+++ b/pdns/sodcrypto.hh
@@ -29,9 +29,10 @@
 #ifndef HAVE_LIBSODIUM
 struct SodiumNonce
 {
-	void init(){};
-	void increment(){};
-	unsigned char value[1];
+  void init(){};
+  void merge(const SodiumNonce& lower, const SodiumNonce& higher) {};
+  void increment(){};
+  unsigned char value[1];
 };
 #else
 #include <sodium.h>
@@ -42,7 +43,14 @@ struct SodiumNonce
   {
     randombytes_buf(value, sizeof value);
   }
-  
+
+  void merge(const SodiumNonce& lower, const SodiumNonce& higher)
+  {
+    static const size_t halfSize = (sizeof value) / 2;
+    memcpy(value, lower.value, halfSize);
+    memcpy(value + halfSize, higher.value + halfSize, halfSize);
+  }
+
   void increment()
   {
     uint32_t* p = (uint32_t*)value;
diff --git a/regression-tests.dnsdist/dnsdisttests.py b/regression-tests.dnsdist/dnsdisttests.py
index d04c247803..9a649c583d 100644
--- a/regression-tests.dnsdist/dnsdisttests.py
+++ b/regression-tests.dnsdist/dnsdisttests.py
@@ -371,11 +371,15 @@ class DNSDistTest(unittest.TestCase):
         sock.send(ourNonce)
         theirNonce = sock.recv(len(ourNonce))
 
-        msg = cls._encryptConsole(command, ourNonce)
+        halfNonceSize = len(ourNonce) / 2
+        readingNonce = ourNonce[0:halfNonceSize] + theirNonce[halfNonceSize:]
+        writingNonce = theirNonce[0:halfNonceSize] + ourNonce[halfNonceSize:]
+
+        msg = cls._encryptConsole(command, writingNonce)
         sock.send(struct.pack("!I", len(msg)))
         sock.send(msg)
         data = sock.recv(4)
         (responseLen,) = struct.unpack("!I", data)
         data = sock.recv(responseLen)
-        response = cls._decryptConsole(data, theirNonce)
+        response = cls._decryptConsole(data, readingNonce)
         return response