Implement -T cookiealwaysvalid

When -T cookiealwaysvalid is passed to named, DNS cookie checks for
the incoming queries always pass, given they are structurally correct.

(cherry picked from commit 807ef8545d2e06c77826f3b2ac3f1cb7a7413dad)

diff --git a/bin/named/main.c b/bin/named/main.c
index 18a310334e6c48676f5e8fefba8a619b25a82ab7..03d4dec5d73c2bdcca1429ff851ad7b0a0da977e 100644 (file)
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -125,6 +125,7 @@ static int maxudp = 0;
 /*
  * -T options:
  */
+static bool cookiealwaysvalid = false;
 static bool dropedns = false;
 static bool ednsformerr = false;
 static bool ednsnotimp = false;
@@ -723,7 +724,9 @@ parse_T_opt(char *option) {
         * force the server to behave (or misbehave) in
         * specified ways for testing purposes.
         */
-       if (!strcmp(option, "dropedns")) {
+       if (!strcmp(option, "cookiealwaysvalid")) {
+               cookiealwaysvalid = true;
+       } else if (!strcmp(option, "dropedns")) {
                dropedns = true;
        } else if (!strcmp(option, "ednsformerr")) {
                ednsformerr = true;
@@ -1344,6 +1347,9 @@ setup(void) {
        /*
         * Modify server context according to command line options
         */
+       if (cookiealwaysvalid) {
+               ns_server_setoption(sctx, NS_SERVER_COOKIEALWAYSVALID, true);
+       }
        if (disable4) {
                ns_server_setoption(sctx, NS_SERVER_DISABLE4, true);
        }

diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index a7380757e6befe4c9115601d9b2cc0e0a82721bb..1d45901a8900049f6fb07bc5a68c1e96d593e3d7 100755 (executable)
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -265,7 +265,8 @@ sub construct_ns_command {
 
                foreach my $t_option(
                        "dropedns", "ednsformerr", "ednsnotimp", "ednsrefused",
-                       "noaa", "noedns", "nosoa", "maxudp512", "maxudp1460",
+                       "cookiealwaysvalid", "noaa", "noedns", "nosoa",
+                       "maxudp512", "maxudp1460",
                    ) {
                        if (-e "$testdir/$server/named.$t_option") {
                                $command .= "-T $t_option "

diff --git a/lib/ns/client.c b/lib/ns/client.c
index d8cd84bc5f23f1803409f3c9a99d3d51921ace04..0ad54f35d9614c8dce815d0cfbd56e7d904407b0 100644 (file)
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -1321,6 +1321,7 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
        uint32_t when;
        uint32_t nonce;
        isc_buffer_t db;
+       bool alwaysvalid;
 
        /*
         * If we have already seen a cookie option skip this cookie option.
@@ -1364,14 +1365,25 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
        when = isc_buffer_getuint32(buf);
        isc_buffer_forward(buf, 8);
 
+       /*
+        * For '-T cookiealwaysvalid' still process everything to not skew any
+        * performance tests involving cookies, but make sure that the cookie
+        * check passes in the end, given the cookie was structurally correct.
+        */
+       alwaysvalid = ns_server_getoption(client->manager->sctx,
+                                         NS_SERVER_COOKIEALWAYSVALID);
+
        /*
         * Allow for a 5 minute clock skew between servers sharing a secret.
         * Only accept COOKIE if we have talked to the client in the last hour.
         */
        isc_stdtime_get(&now);
-       if (isc_serial_gt(when, (now + 300)) || /* In the future. */
-           isc_serial_lt(when, (now - 3600)))
-       { /* In the past. */
+       if (alwaysvalid) {
+               now = when;
+       }
+       if (isc_serial_gt(when, (now + 300)) /* In the future. */ ||
+           isc_serial_lt(when, (now - 3600)) /* In the past. */)
+       {
                ns_stats_increment(client->sctx->nsstats,
                                   ns_statscounter_cookiebadtime);
                return;
@@ -1380,7 +1392,7 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
        isc_buffer_init(&db, dbuf, sizeof(dbuf));
        compute_cookie(client, when, nonce, client->sctx->secret, &db);
 
-       if (isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
+       if (isc_safe_memequal(old, dbuf, COOKIE_SIZE) || alwaysvalid) {
                ns_stats_increment(client->sctx->nsstats,
                                   ns_statscounter_cookiematch);
                client->attributes |= NS_CLIENTATTR_HAVECOOKIE;

diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
index 6e4309b000cee8428ed941c2e13cb589d74d826f..9e16860888089e56a49d8a9631352c1825e5b4a0 100644 (file)
--- a/lib/ns/include/ns/server.h
+++ b/lib/ns/include/ns/server.h
@@ -32,23 +32,24 @@
 #include <ns/events.h>
 #include <ns/types.h>
 
-#define NS_SERVER_LOGQUERIES    0x00000001U /*%< log queries */
-#define NS_SERVER_NOAA          0x00000002U /*%< -T noaa */
-#define NS_SERVER_NOSOA                 0x00000004U /*%< -T nosoa */
-#define NS_SERVER_NONEAREST     0x00000008U /*%< -T nonearest */
-#define NS_SERVER_NOEDNS        0x00000020U /*%< -T noedns */
-#define NS_SERVER_DROPEDNS      0x00000040U /*%< -T dropedns */
-#define NS_SERVER_NOTCP                 0x00000080U /*%< -T notcp */
-#define NS_SERVER_DISABLE4      0x00000100U /*%< -6 */
-#define NS_SERVER_DISABLE6      0x00000200U /*%< -4 */
-#define NS_SERVER_FIXEDLOCAL    0x00000400U /*%< -T fixedlocal */
-#define NS_SERVER_SIGVALINSECS  0x00000800U /*%< -T sigvalinsecs */
-#define NS_SERVER_EDNSFORMERR   0x00001000U /*%< -T ednsformerr (STD13) */
-#define NS_SERVER_EDNSNOTIMP    0x00002000U /*%< -T ednsnotimp */
-#define NS_SERVER_EDNSREFUSED   0x00004000U /*%< -T ednsrefused */
-#define NS_SERVER_TRANSFERINSECS 0x00008000U /*%< -T transferinsecs */
-#define NS_SERVER_TRANSFERSLOWLY 0x00010000U /*%< -T transferslowly */
-#define NS_SERVER_TRANSFERSTUCK         0x00020000U /*%< -T transferstuck */
+#define NS_SERVER_LOGQUERIES       0x00000001U /*%< log queries */
+#define NS_SERVER_NOAA             0x00000002U /*%< -T noaa */
+#define NS_SERVER_NOSOA                    0x00000004U /*%< -T nosoa */
+#define NS_SERVER_NONEAREST        0x00000008U /*%< -T nonearest */
+#define NS_SERVER_NOEDNS           0x00000020U /*%< -T noedns */
+#define NS_SERVER_DROPEDNS         0x00000040U /*%< -T dropedns */
+#define NS_SERVER_NOTCP                    0x00000080U /*%< -T notcp */
+#define NS_SERVER_DISABLE4         0x00000100U /*%< -6 */
+#define NS_SERVER_DISABLE6         0x00000200U /*%< -4 */
+#define NS_SERVER_FIXEDLOCAL       0x00000400U /*%< -T fixedlocal */
+#define NS_SERVER_SIGVALINSECS     0x00000800U /*%< -T sigvalinsecs */
+#define NS_SERVER_EDNSFORMERR      0x00001000U /*%< -T ednsformerr (STD13) */
+#define NS_SERVER_EDNSNOTIMP       0x00002000U /*%< -T ednsnotimp */
+#define NS_SERVER_EDNSREFUSED      0x00004000U /*%< -T ednsrefused */
+#define NS_SERVER_TRANSFERINSECS    0x00008000U /*%< -T transferinsecs */
+#define NS_SERVER_TRANSFERSLOWLY    0x00010000U /*%< -T transferslowly */
+#define NS_SERVER_TRANSFERSTUCK            0x00020000U /*%< -T transferstuck */
+#define NS_SERVER_COOKIEALWAYSVALID 0x00080000U /*%< -T cookiealwaysvalid */
 
 /*%
  * Type for callback function to get hostname.