mail archive of the barebox mailing list
 help / color / mirror / Atom feed
* [PATCH v2] net: dns: Generate and verify transaction ID
@ 2022-05-12 14:37 Jules Maselbas
  2022-05-16  8:27 ` Sascha Hauer
  0 siblings, 1 reply; 2+ messages in thread
From: Jules Maselbas @ 2022-05-12 14:37 UTC (permalink / raw)
  To: barebox; +Cc: Jules Maselbas

The transaction ID wasn't verified on received DNS responses, plus the
ID needs to be difficult to predict in order to avoid MitM (man in the
middle) being able to easily forge responses.

The ID is generated from the time of the request, probably not strongly
unpredictable, this what musl does and it is considered to be enough.

Signed-off-by: Jules Maselbas <jmaselbas@kalray.eu>
---
v2: fix the dns_req_id type to uint16_t, added pr_debug when incorrect id
    is received, drop uses of the random32.

 net/dns.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/net/dns.c b/net/dns.c
index 78588b96f..8b5e8d59e 100644
--- a/net/dns.c
+++ b/net/dns.c
@@ -58,6 +58,7 @@ struct header {
 
 static struct net_connection *dns_con;
 static uint64_t dns_timer_start;
+static uint16_t dns_req_id;
 static int dns_state;
 static IPaddr_t dns_ip;
 
@@ -70,9 +71,12 @@ static int dns_send(const char *name)
 	unsigned char *p, *s, *fullname, *dotptr;
 	const unsigned char *domain;
 
+	/* generate "difficult" to predict transaction id */
+	dns_req_id = dns_timer_start + (dns_timer_start >> 16);
+
 	/* Prepare DNS packet header */
 	header           = (struct header *)packet;
-	header->tid      = 1;
+	header->tid      = htons(dns_req_id);
 	header->flags    = htons(0x100);	/* standard query */
 	header->nqueries = htons(1);		/* Just one query */
 	header->nanswers = 0;
@@ -127,6 +131,12 @@ static void dns_recv(struct header *header, unsigned len)
 
 	pr_debug("%s\n", __func__);
 
+	/* Only accept responses with the expected request id */
+	if (ntohs(header->tid) != dns_req_id) {
+		pr_debug("DNS response with incorrect id\n");
+		return;
+	}
+
 	/* We sent 1 query. We want to see more that 1 answer. */
 	if (ntohs(header->nqueries) != 1)
 		return;
-- 
2.17.1


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] net: dns: Generate and verify transaction ID
  2022-05-12 14:37 [PATCH v2] net: dns: Generate and verify transaction ID Jules Maselbas
@ 2022-05-16  8:27 ` Sascha Hauer
  0 siblings, 0 replies; 2+ messages in thread
From: Sascha Hauer @ 2022-05-16  8:27 UTC (permalink / raw)
  To: Jules Maselbas; +Cc: barebox

On Thu, May 12, 2022 at 04:37:26PM +0200, Jules Maselbas wrote:
> The transaction ID wasn't verified on received DNS responses, plus the
> ID needs to be difficult to predict in order to avoid MitM (man in the
> middle) being able to easily forge responses.
> 
> The ID is generated from the time of the request, probably not strongly
> unpredictable, this what musl does and it is considered to be enough.
> 
> Signed-off-by: Jules Maselbas <jmaselbas@kalray.eu>
> ---
> v2: fix the dns_req_id type to uint16_t, added pr_debug when incorrect id
>     is received, drop uses of the random32.
> 
>  net/dns.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)

Applied, thanks

Sascha

> 
> diff --git a/net/dns.c b/net/dns.c
> index 78588b96f..8b5e8d59e 100644
> --- a/net/dns.c
> +++ b/net/dns.c
> @@ -58,6 +58,7 @@ struct header {
>  
>  static struct net_connection *dns_con;
>  static uint64_t dns_timer_start;
> +static uint16_t dns_req_id;
>  static int dns_state;
>  static IPaddr_t dns_ip;
>  
> @@ -70,9 +71,12 @@ static int dns_send(const char *name)
>  	unsigned char *p, *s, *fullname, *dotptr;
>  	const unsigned char *domain;
>  
> +	/* generate "difficult" to predict transaction id */
> +	dns_req_id = dns_timer_start + (dns_timer_start >> 16);
> +
>  	/* Prepare DNS packet header */
>  	header           = (struct header *)packet;
> -	header->tid      = 1;
> +	header->tid      = htons(dns_req_id);
>  	header->flags    = htons(0x100);	/* standard query */
>  	header->nqueries = htons(1);		/* Just one query */
>  	header->nanswers = 0;
> @@ -127,6 +131,12 @@ static void dns_recv(struct header *header, unsigned len)
>  
>  	pr_debug("%s\n", __func__);
>  
> +	/* Only accept responses with the expected request id */
> +	if (ntohs(header->tid) != dns_req_id) {
> +		pr_debug("DNS response with incorrect id\n");
> +		return;
> +	}
> +
>  	/* We sent 1 query. We want to see more that 1 answer. */
>  	if (ntohs(header->nqueries) != 1)
>  		return;
> -- 
> 2.17.1
> 
> 
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-05-16  8:28 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-12 14:37 [PATCH v2] net: dns: Generate and verify transaction ID Jules Maselbas
2022-05-16  8:27 ` Sascha Hauer

mail archive of the barebox mailing list

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://lore.barebox.org/barebox/0 barebox/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 barebox barebox/ https://lore.barebox.org/barebox \
		barebox@lists.infradead.org barebox@lists.infradead.org
	public-inbox-index barebox

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git