From: Sascha Hauer <sha@pengutronix.de>
To: Jules Maselbas <jmaselbas@kalray.eu>
Cc: barebox@lists.infradead.org
Subject: Re: [PATCH v2] net: dns: Generate and verify transaction ID
Date: Mon, 16 May 2022 10:27:18 +0200 [thread overview]
Message-ID: <20220516082718.GJ25578@pengutronix.de> (raw)
In-Reply-To: <20220512143726.21614-1-jmaselbas@kalray.eu>
On Thu, May 12, 2022 at 04:37:26PM +0200, Jules Maselbas wrote:
> The transaction ID wasn't verified on received DNS responses, plus the
> ID needs to be difficult to predict in order to avoid MitM (man in the
> middle) being able to easily forge responses.
>
> The ID is generated from the time of the request, probably not strongly
> unpredictable, this what musl does and it is considered to be enough.
>
> Signed-off-by: Jules Maselbas <jmaselbas@kalray.eu>
> ---
> v2: fix the dns_req_id type to uint16_t, added pr_debug when incorrect id
> is received, drop uses of the random32.
>
> net/dns.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
Applied, thanks
Sascha
>
> diff --git a/net/dns.c b/net/dns.c
> index 78588b96f..8b5e8d59e 100644
> --- a/net/dns.c
> +++ b/net/dns.c
> @@ -58,6 +58,7 @@ struct header {
>
> static struct net_connection *dns_con;
> static uint64_t dns_timer_start;
> +static uint16_t dns_req_id;
> static int dns_state;
> static IPaddr_t dns_ip;
>
> @@ -70,9 +71,12 @@ static int dns_send(const char *name)
> unsigned char *p, *s, *fullname, *dotptr;
> const unsigned char *domain;
>
> + /* generate "difficult" to predict transaction id */
> + dns_req_id = dns_timer_start + (dns_timer_start >> 16);
> +
> /* Prepare DNS packet header */
> header = (struct header *)packet;
> - header->tid = 1;
> + header->tid = htons(dns_req_id);
> header->flags = htons(0x100); /* standard query */
> header->nqueries = htons(1); /* Just one query */
> header->nanswers = 0;
> @@ -127,6 +131,12 @@ static void dns_recv(struct header *header, unsigned len)
>
> pr_debug("%s\n", __func__);
>
> + /* Only accept responses with the expected request id */
> + if (ntohs(header->tid) != dns_req_id) {
> + pr_debug("DNS response with incorrect id\n");
> + return;
> + }
> +
> /* We sent 1 query. We want to see more that 1 answer. */
> if (ntohs(header->nqueries) != 1)
> return;
> --
> 2.17.1
>
>
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
prev parent reply other threads:[~2022-05-16 8:28 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-12 14:37 Jules Maselbas
2022-05-16 8:27 ` Sascha Hauer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220516082718.GJ25578@pengutronix.de \
--to=sha@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=jmaselbas@kalray.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox