From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Sun, 16 Mar 2008 14:58:19 +0000 (+0000)
Subject: move to a real CSRNG, plus hooks for 'dns-0x20'.
X-Git-Tag: rec-3.1.7.1~81
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51e2144e4478ceefa398e6bcaea7fa3e216ec0c9;p=thirdparty%2Fpdns.git

move to a real CSRNG, plus hooks for 'dns-0x20'.


git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1160 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/Makefile-recursor b/pdns/Makefile-recursor
index f3486c712c..c6b4b555df 100644
--- a/pdns/Makefile-recursor
+++ b/pdns/Makefile-recursor
@@ -13,7 +13,9 @@ CC?=gcc
 PDNS_RECURSOR_OBJECTS=syncres.o  misc.o unix_utility.o qtype.o logger.o  \
 arguments.o lwres.o pdns_recursor.o recursor_cache.o dnsparser.o \
 dnswriter.o dnsrecords.o rcpgenerator.o base64.o zoneparser-tng.o \
-rec_channel.o rec_channel_rec.o malloc.o selectmplexer.o sillyrecords.o
+rec_channel.o rec_channel_rec.o malloc.o selectmplexer.o sillyrecords.o \
+dns_random.o aescrypt.o aeskey.o aes_modes.o aestab.o
+
 
 REC_CONTROL_OBJECTS=rec_channel.o rec_control.o arguments.o 
 
@@ -68,7 +70,7 @@ clean:
 	-rm -f dep *.o *~ pdns_recursor rec_control optional/*.o
 	
 dep:
-	$(CXX) $(CXXFLAGS) -MM -MG *.cc *.hh > $@
+	$(CXX) $(CXXFLAGS) -MM -MG *.cc *.c *.hh > $@
 
 -include dep
 
diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 6da07781b2..fecfb9d693 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -38,7 +38,8 @@ backends/gsql/gsqlbackend.cc \
 backends/gsql/gsqlbackend.hh backends/gsql/ssql.hh \
 base64.cc sillyrecords.cc \
 base64.hh zoneparser-tng.cc dnsrecords.cc dnswriter.cc \
-rcpgenerator.cc	 dnsparser.cc
+rcpgenerator.cc	dnsparser.cc \
+aes/dns_random.cc aes/aescrypt.c aes/aeskey.c aes/aestab.c aes/aes_modes.c
 
 #
 pdns_server_LDFLAGS= @moduleobjects@ @modulelibs@ @DYNLINKFLAGS@ @LIBDL@ @THREADFLAGS@
@@ -110,11 +111,6 @@ dnsdemog_SOURCES=dnsdemog.cc misc.cc unix_utility.cc qtype.cc \
 	base64.cc base64.hh dnswriter.cc dnswriter.hh rcpgenerator.cc rcpgenerator.hh \
 	utility.hh dnsparser.hh sillyrecords.cc
 
-
-
-
-# INCLUDES=-I/usr/include/mysql
-
 rec_control_SOURCES=rec_channel.cc rec_channel.hh rec_control.cc arguments.cc arguments.hh
 
 pdns_recursor_SOURCES=syncres.cc resolver.hh misc.cc unix_utility.cc qtype.cc \
@@ -122,7 +118,8 @@ logger.cc statbag.cc arguments.cc  lwres.cc pdns_recursor.cc lwres.hh \
 mtasker.hh syncres.hh recursor_cache.cc recursor_cache.hh dnsparser.cc \
 dnswriter.cc dnswriter.hh dnsrecords.cc dnsrecords.hh rcpgenerator.cc rcpgenerator.hh \
 base64.cc base64.hh zoneparser-tng.cc zoneparser-tng.hh rec_channel.cc rec_channel.hh \
-rec_channel_rec.cc selectmplexer.cc epollmplexer.cc sillyrecords.cc htimer.cc htimer.hh
+rec_channel_rec.cc selectmplexer.cc epollmplexer.cc sillyrecords.cc htimer.cc htimer.hh \
+aes/dns_random.cc aes/aescrypt.c aes/aeskey.c aes/aestab.c aes/aes_modes.c
 
 if NEDMALLOC
 pdns_recursor_SOURCES += ext/nedmalloc/malloc.c
diff --git a/pdns/dist-recursor b/pdns/dist-recursor
index 64952965c8..b089c93d13 100755
--- a/pdns/dist-recursor
+++ b/pdns/dist-recursor
@@ -5,7 +5,7 @@ rcpgenerator.hh lock.hh dnswriter.hh  dnsrecords.hh dnsparser.hh utility.hh \
 recursor_cache.hh rec_channel.hh qtype.hh misc.hh dns.hh syncres.hh \
 sstuff.hh mtasker.hh mtasker.cc lwres.hh logger.hh ahuexception.hh \
 mplexer.hh win32_mtasker.hh win32_utility.cc ntservice.hh singleton.hh \
-recursorservice.hh"
+recursorservice.hh dns_random.hh"
 
 CFILES="syncres.cc  misc.cc unix_utility.cc qtype.cc \
 logger.cc arguments.cc  lwres.cc pdns_recursor.cc  \
@@ -31,6 +31,7 @@ cp config-recursor.h $DIRNAME/config.h
 mkdir $DIRNAME/rrd
 cp tools/rrd/{create,update,makegraphs,index.html} $DIRNAME/rrd
 cp ext/dlmalloc/malloc.{c,h} $DIRNAME
+cp aes/*.{c,cc,h} $DIRNAME
 cp pdns-recursor.init.d $DIRNAME
 cp docs/pdns_recursor.1 docs/rec_control.1 $DIRNAME
 cp configure-recursor $DIRNAME/configure
diff --git a/pdns/lwres.cc b/pdns/lwres.cc
index 50f8f6a890..da59506b1a 100644
--- a/pdns/lwres.cc
+++ b/pdns/lwres.cc
@@ -1,6 +1,6 @@
 /*
     PowerDNS Versatile Database Driven Nameserver
-    Copyright (C) 2002 - 2007 PowerDNS.COM BV
+    Copyright (C) 2002 - 2008 PowerDNS.COM BV
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License version 2 as 
@@ -36,7 +36,21 @@
 #include "dnswriter.hh"
 #include "dnsparser.hh"
 #include "logger.hh"
+#include "dns_random.hh"
 #include <boost/scoped_array.hpp>
+#include <boost/algorithm/string.hpp>
+
+string dns0x20(const std::string& in)
+{
+  string ret(in);
+  string::size_type len=ret.size();
+  for(string::size_type pos = 0 ; pos < len; ++pos) {
+    if(isalpha(in[pos]) && dns_random(2))
+      ret[pos]^=0x20;
+  }
+  //  cerr<<"'"<<in<<"' -> '"<<ret<<"'\n";
+  return ret;
+}
 
 //! returns -2 for OS limits error, -1 for permanent error that has to do with remote, 0 for timeout, 1 for success
 /** Never throws! */
@@ -46,10 +60,11 @@ int asyncresolve(const ComboAddress& ip, const string& domain, int type, bool do
   int bufsize=1500;
   scoped_array<unsigned char> buf(new unsigned char[bufsize]);
   vector<uint8_t> vpacket;
+  //  string mapped0x20=dns0x20(domain);
   DNSPacketWriter pw(vpacket, domain, type);
 
   pw.getHeader()->rd=0;
-  pw.getHeader()->id=Utility::random();
+  pw.getHeader()->id=dns_random(0xffff);
 
   if(doEDNS0 && !doTCP) {
     pw.addOpt(1200, 0, 0); // 1200 bytes answer size
@@ -140,11 +155,17 @@ int asyncresolve(const ComboAddress& ip, const string& domain, int type, bool do
       }
       goto out;
     }
-    
+
     for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) {          
       DNSResourceRecord rr;
       rr.qtype=i->first.d_type;
       rr.qname=i->first.d_label;
+      /* 
+      if(i->first.d_label == mapped0x20)
+	rr.qname=domain;
+      else
+	rr.qname=i->first.d_label;
+      */
       rr.ttl=i->first.d_ttl;
       rr.content=i->first.d_content->getZoneRepresentation();  // this should be the serialised form
       rr.d_place=(DNSResourceRecord::Place) i->first.d_place;
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 464e682e3d..91f820344c 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -25,6 +25,7 @@
 #endif // WIN32
 
 #include "utility.hh" 
+#include "dns_random.hh"
 #include <iostream>
 #include <errno.h>
 #include <map>
@@ -1590,6 +1591,8 @@ void parseAuthAndForwards()
   }
 }
 
+void seedRandom(const string& source);
+
 int serviceMain(int argc, char*argv[])
 {
   L.setName("pdns_recursor");
@@ -1604,7 +1607,7 @@ int serviceMain(int argc, char*argv[])
       L<<Logger::Error<<"Unknown logging facility "<<::arg().asNum("logging-facility") <<endl;
   }
 
-  L<<Logger::Warning<<"PowerDNS recursor "<<VERSION<<" (C) 2001-2007 PowerDNS.COM BV ("<<__DATE__", "__TIME__;
+  L<<Logger::Warning<<"PowerDNS recursor "<<VERSION<<" (C) 2001-2008 PowerDNS.COM BV ("<<__DATE__", "__TIME__;
 #ifdef __GNUC__
   L<<", gcc "__VERSION__;
 #endif // add other compilers here
@@ -1618,6 +1621,8 @@ int serviceMain(int argc, char*argv[])
     "according to the terms of the GPL version 2."<<endl;
   
   L<<Logger::Warning<<"Operating in "<<(sizeof(unsigned long)*8) <<" bits mode"<<endl;
+  
+  seedRandom(::arg()["entropy-source"]);
 
   if(!::arg()["allow-from-file"].empty()) {
     string line;
@@ -1823,6 +1828,36 @@ void doWindowsServiceArguments(RecursorService& recursor)
 }
 #endif
 
+void seedRandom(const string& source)
+{
+  L<<Logger::Warning<<"Reading random entropy from '"<<source<<"'"<<endl;
+
+  int fd=open(source.c_str(), O_RDONLY);
+  if(fd < 0) {
+    L<<Logger::Error<<"Unable to open source of random '"<<source<<"': "<<stringerror()<<endl;
+    exit(EXIT_FAILURE);
+  }
+  char seed[128];
+  int ret;
+  int pos=0;
+  while(pos!=sizeof(seed)) {
+    ret = read(fd, seed+pos, sizeof(seed)-pos);
+    if(ret < 0) { 
+      L<<Logger::Error<<"Unable to read random seed from "<<source<<": "<<stringerror()<<endl;
+      close(fd);
+      exit(EXIT_FAILURE);
+    }
+    if(!ret) {
+      L<<Logger::Error<<"Unable to read random seed from "<<source<<": end of file"<<endl;
+      close(fd);
+      exit(EXIT_FAILURE);
+    }
+    pos+=ret;
+  }
+  close(fd);
+  dns_random_init(seed);
+}
+
 int main(int argc, char **argv) 
 {
   //  HTimer mtimer("main");
@@ -1842,7 +1877,6 @@ int main(int argc, char **argv)
 #endif // WIN32
 
   try {
-    Utility::srandom(time(0));
     ::arg().set("stack-size","stack size per mthread")="200000";
     ::arg().set("soa-minimum-ttl","Don't change")="0";
     ::arg().set("soa-serial-offset","Don't change")="0";
@@ -1883,6 +1917,7 @@ int main(int argc, char **argv)
     ::arg().set("version-string", "string reported on version.pdns or version.bind")="PowerDNS Recursor "VERSION" $Id$";
     ::arg().set("allow-from", "If set, only allow these comma separated netmasks to recurse")="127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10";
     ::arg().set("allow-from-file", "If set, load allowed netmasks from this file")="";
+    ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom";
     ::arg().set("dont-query", "If set, do not query these netmasks for DNS data")="127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10";
     ::arg().set("max-tcp-per-client", "If set, maximum number of TCP sessions per client (IP address)")="0";
     ::arg().set("fork", "If set, fork the daemon for possible double performance")="no";
@@ -1927,6 +1962,7 @@ int main(int argc, char **argv)
       exit(0);
     }
 
+
 #ifndef WIN32
     serviceMain(argc, argv);
 #else
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 7010beae0e..97a552ed64 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -34,6 +34,7 @@
 #include "lwres.hh"
 #include "recursor_cache.hh"
 #include "dnsparser.hh"
+#include "dns_random.hh"
 
 extern MemRecursorCache RC;
 
@@ -276,7 +277,7 @@ vector<ComboAddress> SyncRes::getAs(const string &qname, int depth, set<GetBestN
   }
   
   if(ret.size() > 1) {
-    random_shuffle(ret.begin(), ret.end());
+    random_shuffle(ret.begin(), ret.end(), dns_random);
 
     // move 'best' address for this nameserver name up front
     nsspeeds_t::iterator best = s_nsSpeeds.find(qname);  
@@ -542,7 +543,7 @@ inline vector<string> SyncRes::shuffleInSpeedOrder(set<string, CIStringCompare>
     rnameservers.push_back(*i);
     speeds[*i]=s_nsSpeeds[*i].get(&d_now);
   }
-  random_shuffle(rnameservers.begin(),rnameservers.end());
+  random_shuffle(rnameservers.begin(),rnameservers.end(), dns_random);
   speedOrder so(speeds);
   stable_sort(rnameservers.begin(),rnameservers.end(), so);