From: Aram Sargsyan Date: Tue, 11 Mar 2025 14:03:56 +0000 (+0000) Subject: Implement -T cookiealwaysvalid X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9114bf86a786832e5312431b7e932a2447d09438;p=thirdparty%2Fbind9.git Implement -T cookiealwaysvalid When -T cookiealwaysvalid is passed to named, DNS cookie checks for the incoming queries always pass, given they are structurally correct. (cherry picked from commit 807ef8545d2e06c77826f3b2ac3f1cb7a7413dad)
---
diff --git a/bin/named/client.c b/bin/named/client.c
index 761d72a9b2a..f6986cf3425 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -2185,6 +2185,9 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
 * Only accept COOKIE if we have talked to the client in the last hour.
 */
 isc_stdtime_get(&now);
+ if (ns_g_cookiealwaysvalid) {
+ now = when;
+ }
 if (isc_serial_gt(when, (now + 300)) || /* In the future. */
 isc_serial_lt(when, (now - 3600))) { /* In the past. */
 isc_stats_increment(ns_g_server->nsstats,
@@ -2195,7 +2198,8 @@ process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
 isc_buffer_init(&db, dbuf, sizeof(dbuf));
 compute_cookie(client, when, nonce, ns_g_server->secret, &db);
- if (isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
+ if (isc_safe_memequal(old, dbuf, COOKIE_SIZE) || ns_g_cookiealwaysvalid)
+ {
 isc_stats_increment(ns_g_server->nsstats,
 dns_nsstatscounter_cookiematch);
 client->attributes |= NS_CLIENTATTR_HAVECOOKIE;
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 0d96a799756..518d7506bff 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
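Review bot: In the first client.c hunk, `now = when;` switches off the cookie age check by overwriting the clock value, which hides the intent and leaves `now` wrong for any later use in process_cookie (the function continues outside the hunk, so I cannot tell whether it is read again). Guarding the check itself is clearer: `if (!ns_g_cookiealwaysvalid && (isc_serial_gt(when, (now + 300)) || isc_serial_lt(when, (now - 3600)))) {`. If the assignment stays, it needs a comment such as `/* -T cookiealwaysvalid (testing only): skip the cookie age check. */`.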
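Review bot: In the second client.c hunk, the `|| ns_g_cookiealwaysvalid` branch sets `NS_CLIENTATTR_HAVECOOKIE` and increments `dns_nsstatscounter_cookiematch` for a cookie that was never checked against the server secret. With the switch on, any well-formed cookie marks the client as validated, and the counter no longer reflects real matches. Any later code that treats HAVECOOKIE as evidence of the client's source address (not visible here) is bypassed, so this must stay confined to test servers. Suggest a comment above the test: `/* Testing only: -T cookiealwaysvalid accepts any structurally valid cookie without verifying it. */`. The body of process_cookie starts and ends outside the hunk.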
@@ -163,6 +163,7 @@ EXTERN isc_time_t ns_g_boottime;
 EXTERN isc_time_t ns_g_configtime;
 EXTERN bool ns_g_memstatistics INIT(false);
 EXTERN bool ns_g_clienttest INIT(false);
+EXTERN bool ns_g_cookiealwaysvalid INIT(false);
 EXTERN bool ns_g_dropedns INIT(false);
 EXTERN bool ns_g_ednsformerr INIT(false);
 EXTERN bool ns_g_ednsnotimp INIT(false);
diff --git a/bin/named/main.c b/bin/named/main.c
index d9127cdb560..98ed3abe8e6 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -596,6 +596,8 @@ parse_T_opt(char *option) {
 */
 if (!strcmp(option, "clienttest")) {
 ns_g_clienttest = true;
+ } else if (!strcmp(option, "cookiealwaysvalid")) {
+ ns_g_cookiealwaysvalid = true;
 } else if (!strncmp(option, "delay=", 6)) {
 ns_g_delay = atoi(option + 6);
 } else if (!strcmp(option, "dropedns")) {
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index 7738fa310ff..a9cd098d8c3 100755
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -270,7 +270,8 @@ sub construct_ns_command {
 foreach my $t_option(
 "dropedns", "ednsformerr", "ednsnotimp", "ednsrefused",
- "noaa", "noedns", "nosoa", "maxudp512", "maxudp1460",
+ "cookiealwaysvalid", "noaa", "noedns", "nosoa",
+ "maxudp512", "maxudp1460",
 ) {
 if (-e "$testdir/$server/named.$t_option") {
 $command .= "-T $t_option "
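Review bot: The new `cookiealwaysvalid` branch in parse_T_opt (main.c hunk) turns off DNS cookie verification without leaving any trace an operator could see. Because the flag removes a source-address spoofing check, a warning logged at startup whenever `ns_g_cookiealwaysvalid` is set would make accidental use on a production server visible. parse_T_opt extends outside the hunk and may run before logging is initialised, so the message probably belongs later in the startup path rather than in this branch. At minimum the branch should carry a comment such as `/* Testing only: disables server cookie verification. */`.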