#include <isc/random.h>
#include <isc/safe.h>
#include <isc/serial.h>
+#include <isc/siphash.h>
#include <isc/stats.h>
#include <isc/stdio.h>
#include <isc/string.h>
const unsigned char *secret, isc_buffer_t *buf)
{
switch (ns_g_server->cookiealg) {
+ case ns_cookiealg_siphash24: {
+ unsigned char digest[ISC_SIPHASH24_TAG_LENGTH] = { 0 };
+ unsigned char input[16 + 16] = { 0 };
+ size_t inputlen = 0;
+ isc_netaddr_t netaddr;
+ unsigned char *cp;
+
+ cp = isc_buffer_used(buf);
+ isc_buffer_putmem(buf, client->cookie, 8);
+ isc_buffer_putuint8(buf, NS_COOKIE_VERSION_1);
+ isc_buffer_putuint24(buf, 0); /* Reserved */
+ isc_buffer_putuint32(buf, when);
+
+ memmove(input, cp, 16);
+
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+ switch (netaddr.family) {
+ case AF_INET:
+ cp = (unsigned char *)&netaddr.type.in;
+ memmove(input + 16, cp, 4);
+ inputlen = 20;
+ break;
+ case AF_INET6:
+ cp = (unsigned char *)&netaddr.type.in6;
+ memmove(input + 16, cp, 16);
+ inputlen = 32;
+ break;
+ default:
+ INSIST(0);
+ ISC_UNREACHABLE();
+ }
+
+ isc_siphash24(secret, input, inputlen, digest);
+ isc_buffer_putmem(buf, digest, 8);
+ break;
+ }
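Review bot: The new siphash24 case does not say what it is hashing, and the lengths that tie the wire layout together are bare literals (`memmove(input, cp, 16)`, `isc_buffer_putmem(buf, digest, 8)`), so a reader has to replay the four put calls to see that the hash input is the 16-byte cookie prefix plus the client address. A comment above `cp = isc_buffer_used(buf);` such as `/* Server cookie v1: version(1) | reserved(3) | timestamp(4) | SipHash-2-4(secret, client-cookie | version | reserved | timestamp | client-addr)[0..7] */` would let the layout be checked against the IETF cookie-algorithms draft (later RFC 9018) without tracing the buffer writes. `isc_buffer_putmem(buf, digest, sizeof(digest));` keeps the emitted length coupled to ISC_SIPHASH24_TAG_LENGTH, which `digest` is already sized by. Note also that `cp` is taken from `isc_buffer_used()` before the put calls and read back afterwards, which presumably relies on `buf` never reallocating; the existing AES case makes the same assumption, so it is probably a fixed-size buffer, but a one-line comment would make that explicit. compute_cookie's signature begins before the hunk.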
#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
case ns_cookiealg_aes: {
unsigned char digest[ISC_AES_BLOCK_LENGTH];
unsigned char *cp;
unsigned int i;
- memset(input, 0, sizeof(input));
cp = isc_buffer_used(buf);
isc_buffer_putmem(buf, client->cookie, 8);
isc_buffer_putuint32(buf, nonce);
isc_buffer_putuint32(buf, when);
memmove(input, cp, 16);
isc_aes128_crypt(secret, input, digest);
- for (i = 0; i < 8; i++)
+ for (i = 0; i < 8; i++) {
input[i] = digest[i] ^ digest[i + 8];
+ }
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
switch (netaddr.family) {
case AF_INET:
cp = (unsigned char *)&netaddr.type.in6;
memmove(input + 8, cp, 16);
isc_aes128_crypt(secret, input, digest);
- for (i = 0; i < 8; i++)
+ for (i = 0; i < 8; i++) {
input[i + 8] = digest[i] ^ digest[i + 8];
+ }
isc_aes128_crypt(ns_g_server->secret, input + 8,
digest);
break;
+ default:
+ INSIST(0);
+ ISC_UNREACHABLE();
}
- for (i = 0; i < 8; i++)
+ for (i = 0; i < 8; i++) {
digest[i] ^= digest[i + 8];
+ }
isc_buffer_putmem(buf, digest, 8);
break;
}
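Review bot: With `memset(input, 0, sizeof(input));` removed, nothing visible in this hunk zeroes `input` before `memmove(input, cp, 16)`, and the declarations of `input` and `netaddr` fall in the part of the declaration list the hunk does not show. If that declaration was changed to an initialized form such as `unsigned char input[4 + 4 + 16] = { 0 };` the removal is safe; if not, any byte of `input` that a path does not overwrite before `isc_aes128_crypt()` is now indeterminate and would make the emitted cookie non-reproducible. The AF_INET arm of the inner switch is also cut out of the hunk, so its padding bytes cannot be checked here; please confirm both in the full file. The added `default: INSIST(0); ISC_UNREACHABLE();` arm matches the siphash24 case above and is a good consistency fix.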
typedef enum {
ns_cookiealg_aes,
ns_cookiealg_sha1,
- ns_cookiealg_sha256
+ ns_cookiealg_sha256,
+ ns_cookiealg_siphash24
} ns_cookiealg_t;
+#define NS_COOKIE_VERSION_1 1
+
#endif /* NAMED_TYPES_H */
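Review bot: `#define NS_COOKIE_VERSION_1 1` is added without a comment saying what it versions, and on its own it reads like an arbitrary constant. Since client.c writes it as the first byte after the client cookie, followed by three reserved bytes, the timestamp and the hash, a comment such as `/* Server cookie format version: version(1) | reserved(3) | timestamp(4) | hash(8) */` placed above the define would tie it to that layout. Appending `ns_cookiealg_siphash24` as the last enumerator keeps the existing values stable, which is the right choice here.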
check-wildcard <replaceable>boolean</replaceable>;
cleaning-interval <replaceable>integer</replaceable>;
clients-per-query <replaceable>integer</replaceable>;
- cookie-algorithm ( aes | sha1 | sha256 );
+ cookie-algorithm ( aes | sha1 | sha256 | siphash24 );
cookie-secret <replaceable>string</replaceable>;
coresize ( default | unlimited | <replaceable>sizeval</replaceable> );
datasize ( default | unlimited | <replaceable>sizeval</replaceable> );
#include <isc/refcount.h>
#include <isc/resource.h>
#include <isc/sha2.h>
+#include <isc/siphash.h>
#include <isc/socket.h>
#include <isc/stat.h>
#include <isc/stats.h>
obj = NULL;
result = ns_config_get(maps, "cookie-algorithm", &obj);
INSIST(result == ISC_R_SUCCESS);
- if (strcasecmp(cfg_obj_asstring(obj), "aes") == 0) {
+ if (strcasecmp(cfg_obj_asstring(obj), "siphash24") == 0) {
+ server->cookiealg = ns_cookiealg_siphash24;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "aes") == 0) {
#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
server->cookiealg = ns_cookiealg_aes;
#else
usedlength = isc_buffer_usedlength(&b);
switch (server->cookiealg) {
+ case ns_cookiealg_siphash24:
+ if (usedlength != ISC_SIPHASH24_KEY_LENGTH) {
+ CHECKM(ISC_R_RANGE,
+ "SipHash-2-4 cookie-secret must be 128 bits");
+ }
+ break;
case ns_cookiealg_aes:
if (usedlength != ISC_AES128_KEYLENGTH) {
CHECKM(ISC_R_RANGE,
- "AES cookie-secret must be "
- "128 bits");
+ "AES cookie-secret must be 128 bits");
}
break;
case ns_cookiealg_sha1:
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ cookie-algorithm aes;
+ cookie-secret "ebc7701beabb4a40c57d140eeb6733faaa"; // 136 bits
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ cookie-algorithm siphash24;
+ cookie-secret "ebc7701beabb4a40c57d140eeb6733faaabbccdd"; // 160 bits
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ cookie-algorithm aes;
+ cookie-secret "ebc7701beabb4a40c57d140eeb6733fa"; // 128 bits
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ cookie-algorithm siphash24;
+ cookie-secret "ebc7701beabb4a40c57d140eeb6733fa"; // 128 bits
+};
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
- cookie-algorithm sha1;
- cookie-secret "569d36a6cc27d6bf55502183302ba352745255a2";
+ cookie-algorithm siphash24;
+ cookie-secret "569d36a6cc27d6bf55502183302ba352";
require-server-cookie yes;
};
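Review bot: Switching ns4, ns5 and ns6 (this hunk and the two that follow for 10.53.0.5 and 10.53.0.6) from `cookie-algorithm sha1` to `siphash24` appears to remove the system test's only exercise of the sha1 server-cookie path, unless another server in the test still uses it. If sha1 and aes remain supported options, consider leaving one of the shared-secret servers on the legacy algorithm, or adding a separate server that does, so the non-default code paths keep coverage. The shortened secrets are consistent with the 128-bit check added in server.c.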
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
- cookie-algorithm sha1;
- cookie-secret "569d36a6cc27d6bf55502183302ba352745255a2";
- cookie-secret "6b300e27a0db46d4b046e4189790fa7db3c1ffb3";
+ cookie-algorithm siphash24;
+ cookie-secret "569d36a6cc27d6bf55502183302ba352";
+ cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
require-server-cookie yes;
};
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
recursion yes;
- cookie-algorithm sha1;
- cookie-secret "6b300e27a0db46d4b046e4189790fa7db3c1ffb3";
+ cookie-algorithm siphash24;
+ cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
require-server-cookie yes;
};
#
# Test shared cookie-secret support.
#
-# NS4 has cookie-secret "569d36a6cc27d6bf55502183302ba352745255a2";
+# NS4 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
#
-# NS5 has cookie-secret "569d36a6cc27d6bf55502183302ba352745255a2";
-# NS5 has cookie-secret "6b300e27a0db46d4b046e4189790fa7db3c1ffb3"; (alternate)
+# NS5 has cookie-secret "569d36a6cc27d6bf55502183302ba352";
+# NS5 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d"; (alternate)
#
-# NS6 has cookie-secret "6b300e27a0db46d4b046e4189790fa7db3c1ffb3";
+# NS6 has cookie-secret "6b300e27a0db46d4b046e4189790fa7d";
#
# Server cookies from NS4 are accepted by NS5 and not NS6
# Server cookies from NS5 are accepted by NS4 and not NS6
/* Define if building universal (internal helper macro) */
#undef AC_APPLE_UNIVERSAL_BUILD
-/* Use AES for Client Cookie generation */
-#undef AES_CC
-
/* Define to enable the "filter-aaaa-on-v4" and "filter-aaaa-on-v6" options.
*/
#undef ALLOW_FILTER_AAAA
/* Define if zlib was found */
#undef HAVE_ZLIB
-/* Use HMAC-SHA1 for Client Cookie generation */
-#undef HMAC_SHA1_CC
-
-/* Use HMAC-SHA256 for Client Cookie generation */
-#undef HMAC_SHA256_CC
-
/* return type of gai_strerror */
#undef IRS_GAISTRERROR_RETURN_T
/* HMAC_*() return ints */
@HMAC_RETURN_INT@
-/* Use AES for Client Cookie generation */
-@AES_CC@
-
-/* Use HMAC-SHA1 for Client Cookie generation */
-@HMAC_SHA1_CC@
-
-/* Use HMAC-SHA256 for Client Cookie generation */
-@HMAC_SHA256_CC@
-
/* Define to 1 if you have the `readline' function. */
@HAVE_READLINE@
--with-gost Crypto GOST [yes|no|raw|asn1].
--with-eddsa Crypto EDDSA [yes|all|no].
--with-aes Crypto AES
- --with-cc-alg=ALG choose the algorithm for Client Cookie
- [aes|sha1|sha256]
+ --with-cc-alg=ALG deprecated
--with-lmdb=PATH build with LMDB library [yes|no|path]
--with-libxml2=PATH build with libxml2 library [yes|no|path]
--with-libjson=PATH build with libjson0 library [yes|no|path]
if test "${with_aes+set}" = set; then :
withval=$with_aes; with_aes="$withval"
else
- with_aes="checkcc"
+ with_aes="yes"
fi
fi
-#
-# Client Cookie algorithm choice
-#
-
-# Check whether --with-cc-alg was given.
-if test "${with_cc_alg+set}" = set; then :
- withval=$with_cc_alg; with_cc_alg="$withval"
-else
- with_cc_alg="auto"
-fi
-
-
-case $with_cc_alg in
- *1)
- with_cc_alg="sha1"
- ;;
- *2*)
- with_cc_alg="sha256"
- ;;
- auto)
- if test "no" != "$with_aes"
- then
- with_aes="yes"
- fi
- ;;
- *)
- with_cc_alg="aes"
- if test "no" != "$with_aes"
- then
- with_aes="yes"
- fi
- ;;
-esac
-if test "checkcc" = "with_aes"
-then
- with_aes="no"
-fi
-
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL library" >&5
$as_echo_n "checking for OpenSSL library... " >&6; }
OPENSSL_WARNING=
# Choose Client Cookie algorithm
#
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the Algorithm for Client Cookie" >&5
-$as_echo_n "checking for the Algorithm for Client Cookie... " >&6; }
-if test "auto" = "$with_cc_alg"
-then
- if test "yes" = "$with_aes"
- then
- with_cc_alg="aes"
- else
- with_cc_alg="sha256"
- fi
+# Check whether --with-cc-alg was given.
+if test "${with_cc_alg+set}" = set; then :
+ withval=$with_cc_alg; :
+else
+ with_cc_alg="siphash24"
fi
-case $with_cc_alg in
- sha1)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha1" >&5
-$as_echo "sha1" >&6; }
- if test "X$CRYPTO" = "X-DOPENSSL"
- then
- if test "checkcc" = "$want_openssl_hash"
- then
- want_openssl_hash="yes"
- fi
- fi
-
-$as_echo "#define HMAC_SHA1_CC 1" >>confdefs.h
-
- ;;
- sha256)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha256" >&5
-$as_echo "sha256" >&6; }
- if test "X$CRYPTO" = "X-DOPENSSL"
- then
- if test "checkcc" = "$want_openssl_hash"
- then
- want_openssl_hash="yes"
- fi
- fi
-$as_echo "#define HMAC_SHA256_CC 1" >>confdefs.h
- ;;
- aes)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: aes" >&5
-$as_echo "aes" >&6; }
- if test "yes" != "$with_aes"
- then
- as_fn_error $? "\"Client Cookie wants to use unavailable AES\"" "$LINENO" 5;
- fi
-
-$as_echo "#define AES_CC 1" >>confdefs.h
-
- ;;
+case $with_cc_alg in #(
+ siphash24) :
+ : ;; #(
+ *) :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: The Client Cookie is always SipHash 2-4 based" >&5
+$as_echo "$as_me: WARNING: The Client Cookie is always SipHash 2-4 based" >&2;} ;;
esac
+
if test "checkcc" = "$want_openssl_hash"
then
want_openssl_hash="no"
AC_ARG_WITH(eddsa, AS_HELP_STRING([--with-eddsa], [Crypto EDDSA [yes|all|no].]),
with_eddsa="$withval", with_eddsa="auto")
AC_ARG_WITH(aes, AS_HELP_STRING([--with-aes], [Crypto AES]),
- with_aes="$withval", with_aes="checkcc")
+ with_aes="$withval", with_aes="yes")
#
# was --enable-openssl-hash specified?
[use OpenSSL for hash functions [default=no]]),
want_openssl_hash="$enableval", want_openssl_hash="checkcc")
-#
-# Client Cookie algorithm choice
-#
-AC_ARG_WITH(cc-alg,
- AS_HELP_STRING([--with-cc-alg=ALG],
- [choose the algorithm for Client Cookie
- [aes|sha1|sha256]]),
- with_cc_alg="$withval", with_cc_alg="auto")
-
-case $with_cc_alg in
- *1)
- with_cc_alg="sha1"
- ;;
- *2*)
- with_cc_alg="sha256"
- ;;
- auto)
- if test "no" != "$with_aes"
- then
- with_aes="yes"
- fi
- ;;
- *)
- with_cc_alg="aes"
- if test "no" != "$with_aes"
- then
- with_aes="yes"
- fi
- ;;
-esac
-if test "checkcc" = "with_aes"
-then
- with_aes="no"
-fi
-
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
#
# Choose Client Cookie algorithm
#
+AC_ARG_WITH([cc-alg],
+ [AS_HELP_STRING([--with-cc-alg=ALG], [deprecated])],
+ [:], [with_cc_alg="siphash24"])
+
+AS_CASE([$with_cc_alg],
+ [siphash24],[:],
+ [AC_MSG_WARN([The Client Cookie is always SipHash 2-4 based])])
-AC_MSG_CHECKING(for the Algorithm for Client Cookie)
-if test "auto" = "$with_cc_alg"
-then
- if test "yes" = "$with_aes"
- then
- with_cc_alg="aes"
- else
- with_cc_alg="sha256"
- fi
-fi
-case $with_cc_alg in
- sha1)
- AC_MSG_RESULT(sha1)
- if test "X$CRYPTO" = "X-DOPENSSL"
- then
- if test "checkcc" = "$want_openssl_hash"
- then
- want_openssl_hash="yes"
- fi
- fi
- AC_DEFINE(HMAC_SHA1_CC, 1,
- [Use HMAC-SHA1 for Client Cookie generation])
- ;;
- sha256)
- AC_MSG_RESULT(sha256)
- if test "X$CRYPTO" = "X-DOPENSSL"
- then
- if test "checkcc" = "$want_openssl_hash"
- then
- want_openssl_hash="yes"
- fi
- fi
- AC_DEFINE(HMAC_SHA256_CC, 1,
- [Use HMAC-SHA256 for Client Cookie generation])
- ;;
- aes)
- AC_MSG_RESULT(aes)
- if test "yes" != "$with_aes"
- then
- AC_MSG_ERROR("Client Cookie wants to use unavailable AES");
- fi
- AC_DEFINE(AES_CC, 1,
- [Use AES for Client Cookie generation])
- ;;
-esac
if test "checkcc" = "$want_openssl_hash"
then
want_openssl_hash="no"
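Review bot: The help string `[AS_HELP_STRING([--with-cc-alg=ALG], [deprecated])]` tells a packager the option is deprecated but not what replaced it or what value is still accepted, so anyone passing `--with-cc-alg=aes` will only learn from the warning at configure time. `[deprecated; the Client Cookie is always SipHash-2-4]` in the AS_HELP_STRING says the same thing the AS_CASE warning does and should be mirrored in the generated `configure` when it is regenerated. The AS_CASE warns for any value other than `siphash24`, including an empty `--with-cc-alg`, which seems intended but is worth stating in the help text too.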
check-wildcard <boolean>;
cleaning-interval <integer>;
clients-per-query <integer>;
- cookie-algorithm ( aes | sha1 | sha256 );
+ cookie-algorithm ( aes | sha1 | sha256 | siphash24 );
cookie-secret <string>; // may occur multiple times
coresize ( default | unlimited | <sizeval> );
datasize ( default | unlimited | <sizeval> );
#include <isc/result.h>
#include <isc/sha1.h>
#include <isc/sha2.h>
+#include <isc/siphash.h>
#include <isc/sockaddr.h>
#include <isc/string.h>
#include <isc/symtab.h>
if (strcasecmp(ccalg, "aes") == 0 &&
usedlength != ISC_AES128_KEYLENGTH) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "AES cookie-secret must be "
- "128 bits");
+ "AES cookie-secret must be 128 bits");
+ if (result == ISC_R_SUCCESS)
+ result = ISC_R_RANGE;
+ }
+ if (strcasecmp(ccalg, "siphash24") == 0 &&
+ usedlength != ISC_SIPHASH24_KEY_LENGTH) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "SipHash-2-4 cookie-secret must be 128 bits");
if (result == ISC_R_SUCCESS)
result = ISC_R_RANGE;
}
#include <isc/print.h>
#include <isc/string.h>
#include <isc/random.h>
+#include <isc/siphash.h>
#include <isc/socket.h>
#include <isc/stats.h>
#include <isc/task.h>
#include <isc/timer.h>
#include <isc/util.h>
-#ifdef AES_CC
-#include <isc/aes.h>
-#else
-#include <isc/hmacsha.h>
-#endif
-
#include <dns/acl.h>
#include <dns/adb.h>
#include <dns/badcache.h>
isc_mem_t * mctx;
dns_dispatchmgr_t * dispatchmgr;
dns_dispatch_t * dispatch;
- bool exclusivesocket;
+ bool exclusivesocket;
dns_adbaddrinfo_t * addrinfo;
isc_socket_t * tcpsocket;
isc_time_t start;
dns_tsigkey_t *tsigkey;
isc_socketevent_t sendevent;
isc_dscp_t dscp;
- int ednsversion;
+ int ednsversion;
unsigned int options;
unsigned int attributes;
unsigned int sends;
ISC_LIST_INITANDAPPEND(fctx->edns512, tried, link);
}
-static void
-compute_cc(resquery_t *query, unsigned char *cookie, size_t len) {
-#ifdef AES_CC
- unsigned char digest[ISC_AES_BLOCK_LENGTH];
- unsigned char input[16];
+static inline size_t
+addr2buf(void *buf, const size_t bufsize, const isc_sockaddr_t *sockaddr) {
isc_netaddr_t netaddr;
- unsigned int i;
-
- INSIST(len >= 8U);
-
- isc_netaddr_fromsockaddr(&netaddr, &query->addrinfo->sockaddr);
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
switch (netaddr.family) {
case AF_INET:
- memmove(input, (unsigned char *)&netaddr.type.in, 4);
- memset(input + 4, 0, 12);
- break;
+ INSIST(bufsize >= 4);
+ memmove(buf, &netaddr.type.in, 4);
+ return (4);
case AF_INET6:
- memmove(input, (unsigned char *)&netaddr.type.in6, 16);
- break;
+ INSIST(bufsize >= 16);
+ memmove(buf, &netaddr.type.in6, 16);
+ return (16);
+ default:
+ INSIST(0);
+ ISC_UNREACHABLE();
}
- isc_aes128_crypt(query->fctx->res->view->secret, input, digest);
- for (i = 0; i < 8; i++)
- digest[i] ^= digest[i + 8];
- memmove(cookie, digest, 8);
-#endif
-#ifdef HMAC_SHA1_CC
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
- isc_netaddr_t netaddr;
- isc_hmacsha1_t hmacsha1;
+ return (0);
+}
- INSIST(len >= 8U);
+static inline size_t
+add_serveraddr(uint8_t *buf, const size_t bufsize, const resquery_t *query)
+{
+ return (addr2buf(buf, bufsize, &query->addrinfo->sockaddr));
+}
- isc_hmacsha1_init(&hmacsha1, query->fctx->res->view->secret,
- ISC_SHA1_DIGESTLENGTH);
- isc_netaddr_fromsockaddr(&netaddr, &query->addrinfo->sockaddr);
- switch (netaddr.family) {
- case AF_INET:
- isc_hmacsha1_update(&hmacsha1,
- (unsigned char *)&netaddr.type.in, 4);
- break;
- case AF_INET6:
- isc_hmacsha1_update(&hmacsha1,
- (unsigned char *)&netaddr.type.in6, 16);
- break;
- }
- isc_hmacsha1_sign(&hmacsha1, digest, sizeof(digest));
- memmove(cookie, digest, 8);
- isc_hmacsha1_invalidate(&hmacsha1);
-#endif
-#ifdef HMAC_SHA256_CC
- unsigned char digest[ISC_SHA256_DIGESTLENGTH];
- isc_netaddr_t netaddr;
- isc_hmacsha256_t hmacsha256;
+#define CLIENT_COOKIE_SIZE 8U
- INSIST(len >= 8U);
+static void
+compute_cc(const resquery_t *query, uint8_t *cookie, const size_t len) {
+ INSIST(len >= CLIENT_COOKIE_SIZE);
+ INSIST(sizeof(query->fctx->res->view->secret)
+ >= ISC_SIPHASH24_KEY_LENGTH);
- isc_hmacsha256_init(&hmacsha256, query->fctx->res->view->secret,
- ISC_SHA256_DIGESTLENGTH);
- isc_netaddr_fromsockaddr(&netaddr, &query->addrinfo->sockaddr);
- switch (netaddr.family) {
- case AF_INET:
- isc_hmacsha256_update(&hmacsha256,
- (unsigned char *)&netaddr.type.in, 4);
- break;
- case AF_INET6:
- isc_hmacsha256_update(&hmacsha256,
- (unsigned char *)&netaddr.type.in6, 16);
- break;
- }
- isc_hmacsha256_sign(&hmacsha256, digest, sizeof(digest));
- memmove(cookie, digest, 8);
- isc_hmacsha256_invalidate(&hmacsha256);
-#endif
+ uint8_t buf[16] = { 0 };
+ size_t buflen = add_serveraddr(buf, sizeof(buf), query);
+
+ uint8_t digest[ISC_SIPHASH24_TAG_LENGTH] = { 0 };
+ isc_siphash24(query->fctx->res->view->secret, buf, buflen, digest);
+ memmove(cookie, digest, CLIENT_COOKIE_SIZE);
}
static isc_result_t
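Review bot: `INSIST(sizeof(query->fctx->res->view->secret) >= ISC_SIPHASH24_KEY_LENGTH);` in compute_cc is a compile-time-constant condition that is re-evaluated at run time on every query; a static assertion (C11 `_Static_assert`, if the project's build baseline allows it, or an ISC equivalent) would catch a too-short `view->secret` at build time and cost nothing at run time. compute_cc also has no comment describing the new cookie derivation; `/* Client cookie: first CLIENT_COOKIE_SIZE bytes of SipHash-2-4, keyed with the view secret, over the server address, so each (view, server) pair gets a stable cookie. */` above the definition states what the code does. A small consistency point: addr2buf takes `void *buf` while add_serveraddr and compute_cc use `uint8_t *`; picking one type for the buffer parameter across the three helpers would read more cleanly.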
*/
dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
- if (query->exclusivesocket)
+ if (query->exclusivesocket) {
sock = dns_dispatch_getentrysocket(query->dispentry);
- else
+ } else {
sock = dns_dispatch_getsocket(query->dispatch);
+ }
+
/*
* Send the query!
*/
REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
valarg = event->ev_arg;
fctx = valarg->fctx;
+ REQUIRE(VALID_FCTX(fctx));
res = fctx->res;
addrinfo = valarg->addrinfo;
- REQUIRE(VALID_FCTX(fctx));
REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
vevent = (dns_validatorevent_t *)event;
&cfg_rep_list, &cfg_type_portrange
};
-static const char *cookiealg_enums[] = { "aes", "sha1", "sha256", NULL };
+static const char *cookiealg_enums[] = { "aes", "sha1", "sha256", "siphash24", NULL };
static cfg_type_t cfg_type_cookiealg = {
"cookiealg", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
&cfg_rep_string, &cookiealg_enums
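Review bot: The new `cookiealg_enums` initializer runs past 80 columns, which the surrounding code in this file keeps to. Wrapping it as `static const char *cookiealg_enums[] = {` / `	"aes", "sha1", "sha256", "siphash24", NULL` / `};` keeps the line length consistent and makes future additions a one-line change.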
./bin/tests/system/common/root.hint ZONE 2000,2001,2004,2007,2016,2018,2019
./bin/tests/system/conf.sh.in SH 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019
./bin/tests/system/conf.sh.win32 SH 2016,2017,2018,2019
+./bin/tests/system/cookie/bad-cookie-badaes.conf X 2019
./bin/tests/system/cookie/bad-cookie-badhex.conf CONF-C 2014,2015,2016,2018,2019
./bin/tests/system/cookie/bad-cookie-badsha1.conf CONF-C 2017,2018,2019
./bin/tests/system/cookie/bad-cookie-badsha256.conf CONF-C 2017,2018,2019
+./bin/tests/system/cookie/bad-cookie-badsiphash24.conf X 2019
./bin/tests/system/cookie/bad-cookie-toolong.conf CONF-C 2014,2015,2016,2018,2019
./bin/tests/system/cookie/clean.sh SH 2014,2015,2016,2018,2019
+./bin/tests/system/cookie/good-cookie-aes.conf X 2019
./bin/tests/system/cookie/good-cookie-sha1.conf CONF-C 2017,2018,2019
./bin/tests/system/cookie/good-cookie-sha256.conf CONF-C 2017,2018,2019
+./bin/tests/system/cookie/good-cookie-siphash24.conf X 2019
./bin/tests/system/cookie/ns1/example.db ZONE 2014,2015,2016,2018,2019
./bin/tests/system/cookie/ns1/named.conf.in CONF-C 2018,2019
./bin/tests/system/cookie/ns1/root.hint ZONE 2014,2015,2016,2018,2019
./lib/isc/include/isc/counter.h C 2014,2016,2018,2019
./lib/isc/include/isc/crc64.h C 2013,2016,2018,2019
./lib/isc/include/isc/deprecated.h C 2017,2018,2019
-./lib/isc/include/isc/entropy.h C 2000,2001,2004,2005,2006,2007,2009,2016,2018,2019
./lib/isc/include/isc/endian.h C 2019
+./lib/isc/include/isc/entropy.h C 2000,2001,2004,2005,2006,2007,2009,2016,2018,2019
./lib/isc/include/isc/errno.h C 2016,2018,2019
./lib/isc/include/isc/error.h C 1998,1999,2000,2001,2004,2005,2006,2007,2009,2016,2017,2018,2019
./lib/isc/include/isc/event.h C 1998,1999,2000,2001,2002,2004,2005,2006,2007,2014,2016,2017,2018,2019
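Review bot: The four new cookie test configs (`bad-cookie-badaes.conf`, `bad-cookie-badsiphash24.conf`, `good-cookie-aes.conf`, `good-cookie-siphash24.conf`) are registered with type `X`, while their siblings `bad-cookie-badsha1.conf` and `good-cookie-sha1.conf` on the adjacent lines use `CONF-C`. The new files carry the same MPL header as those siblings, so `CONF-C` looks like the intended type; if `X` means the copyright checker should skip the file, this silently exempts them. Please confirm the meaning of `X` in this project's checker and align the four entries if so.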
my %configdefh;
-my @substdefh = ("AES_CC",
- "ALLOW_FILTER_AAAA",
+my @substdefh = ("ALLOW_FILTER_AAAA",
"CONFIGARGS",
"DNS_RDATASET_FIXED",
"ENABLE_RPZ_NSDNAME",
"HAVE_PKCS11_GOST",
"HAVE_READLINE",
"HAVE_ZLIB",
- "HMAC_SHA1_CC",
- "HMAC_SHA256_CC",
"ISC_LIST_CHECKINIT",
"PREFER_GOSTASN1",
"TUNE_LARGE",
$configcond{"AES"} = 1;
}
-# with-cc-alg
-if ($cookie_algorithm eq "aes") {
- if ($use_aes ne "yes") {
- $cookie_algorithm = "sha256";
- } else {
- $configdefh{"AES_CC"} = 1;
- }
-}
-if ($cookie_algorithm eq "sha1") {
- $configdefh{"HMAC_SHA1_CC"} = 1;
-} elsif ($cookie_algorithm eq "sha256") {
- $configdefh{"HMAC_SHA256_CC"} = 1;
-} elsif ($cookie_algorithm ne "aes") {
- die "Unrecognized cookie algorithm: $cookie_algorithm\n";
-}
# enable-openssl-hash
if ($enable_openssl_hash eq "yes") {