summaryrefslogtreecommitdiffstats
path: root/modules/experimental_dot_auth
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 00:55:53 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 00:55:53 +0000
commit3d0386f27ca66379acf50199e1d1298386eeeeb8 (patch)
treef87bd4a126b3a843858eb447e8fd5893c3ee3882 /modules/experimental_dot_auth
parentInitial commit. (diff)
downloadknot-resolver-3d0386f27ca66379acf50199e1d1298386eeeeb8.tar.xz
knot-resolver-3d0386f27ca66379acf50199e1d1298386eeeeb8.zip
Adding upstream version 3.2.1.upstream/3.2.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--modules/experimental_dot_auth/README.rst84
-rw-r--r--modules/experimental_dot_auth/basexx.lua320
-rw-r--r--modules/experimental_dot_auth/experimental_dot_auth.lua122
-rw-r--r--modules/experimental_dot_auth/experimental_dot_auth.mk2
4 files changed, 528 insertions, 0 deletions
diff --git a/modules/experimental_dot_auth/README.rst b/modules/experimental_dot_auth/README.rst
new file mode 100644
index 0000000..79c963b
--- /dev/null
+++ b/modules/experimental_dot_auth/README.rst
@@ -0,0 +1,84 @@
+.. _mod-experimental_dot_auth:
+
+Experimental DNS-over-TLS Auto-discovery
+----------------------------------------
+
+This experimental module provides automatic discovery of authoritative servers' supporting DNS-over-TLS.
+The module uses magic NS names to detect SPKI_ fingerprint which is very similar to `dnscurve`_ mechanism.
+
+.. warning:: This protocol and module is experimental and can be changed or removed at any time. Use at own risk, security properties were not analyzed!
+
+How it works
+^^^^^^^^^^^^
+
+The module will look for NS target names formatted as:
+``dot-{base32(sha256(SPKI))}....``
+
+For instance, Knot Resolver will detect NS names formatted like this
+
+.. code-block:: none
+
+ example.com NS dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.example.com
+
+and automatically discover that example.com NS supports DoT with the base64-encoded SPKI digest of ``m+12GgMFIiheEhKvUcOynjbn3WYQUp5tVGDh7Snwj/Q=``
+and will associate it with the IPs of ``dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.example.com``.
+
+In that example, the base32 encoded (no padding) version of the sha256 PIN is ``tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a``, which when
+converted to base64 translates to ``m+12GgMFIiheEhKvUcOynjbn3WYQUp5tVGDh7Snwj/Q=``.
+
+Generating NS target names
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To generate the NS target name, use the following command to generate the base32 encoded string of the SPKI fingerprint:
+
+.. code-block:: bash
+
+ openssl x509 -in /path/to/cert.pem -pubkey -noout | \
+ openssl pkey -pubin -outform der | \
+ openssl dgst -sha256 -binary | \
+ base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'
+ tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a
+
+Then add a target to your NS with: ``dot-${b32}.a.example.com``
+
+Finally, map ``dot-${b32}.a.example.com`` to the right set of IPs.
+
+.. code-block:: bash
+
+ ...
+ ...
+ ;; QUESTION SECTION:
+ ;example.com. IN NS
+
+ ;; AUTHORITY SECTION:
+ example.com. 3600 IN NS dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.a.example.com.
+ example.com. 3600 IN NS dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.b.example.com.
+
+ ;; ADDITIONAL SECTION:
+ dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.a.example.com. 3600 IN A 192.0.2.1
+ dot-tpwxmgqdaurcqxqsckxvdq5sty3opxlgcbjj43kumdq62kpqr72a.b.example.com. 3600 IN AAAA 2001:DB8::1
+ ...
+ ...
+
+Example configuration
+^^^^^^^^^^^^^^^^^^^^^
+
+To enable the module, add this snippet to your config:
+
+.. code-block:: lua
+
+ -- Start an experiment, use with caution
+ modules.load('experimental_dot_auth')
+
+This module requires standard ``basexx`` Lua library which is typically provided by ``lua-basexx`` package.
+
+Caveats
+^^^^^^^
+
+The module relies on seeing the reply of the NS query and as such will not work
+if Knot Resolver uses data from its cache. You may need to delete the cache before starting ``kresd`` to work around this.
+
+The module also assumes that the NS query answer will return both the NS targets in the Authority section as well as the glue records in the Additional section.
+
+.. _dnscurve: https://dnscurve.org/
+.. _SPKI: https://en.wikipedia.org/wiki/Simple_public-key_infrastructure
diff --git a/modules/experimental_dot_auth/basexx.lua b/modules/experimental_dot_auth/basexx.lua
new file mode 100644
index 0000000..86ac996
--- /dev/null
+++ b/modules/experimental_dot_auth/basexx.lua
@@ -0,0 +1,320 @@
+-- The MIT License (MIT)
+--
+-- Copyright (c) 2013 aiq
+--
+-- Permission is hereby granted, free of charge, to any person obtaining a copy of
+-- this software and associated documentation files (the "Software"), to deal in
+-- the Software without restriction, including without limitation the rights to
+-- use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+-- the Software, and to permit persons to whom the Software is furnished to do so,
+-- subject to the following conditions:
+--
+-- The above copyright notice and this permission notice shall be included in all
+-- copies or substantial portions of the Software.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+-- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+-- FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+-- COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+-- IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+-- CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+--
+--
+--
+--------------------------------------------------------------------------------
+-- util functions
+--------------------------------------------------------------------------------
+
+local function divide_string( str, max )
+ local result = {}
+
+ local start = 1
+ for i = 1, #str do
+ if i % max == 0 then
+ table.insert( result, str:sub( start, i ) )
+ start = i + 1
+ elseif i == #str then
+ table.insert( result, str:sub( start, i ) )
+ end
+ end
+
+ return result
+end
+
+local function number_to_bit( num, length )
+ local bits = {}
+
+ while num > 0 do
+ local rest = math.floor( math.fmod( num, 2 ) )
+ table.insert( bits, rest )
+ num = ( num - rest ) / 2
+ end
+
+ while #bits < length do
+ table.insert( bits, "0" )
+ end
+
+ return string.reverse( table.concat( bits ) )
+end
+
+local function ignore_set( str, set )
+ if set then
+ str = str:gsub( "["..set.."]", "" )
+ end
+ return str
+end
+
+local function pure_from_bit( str )
+ return ( str:gsub( '........', function ( cc )
+ return string.char( tonumber( cc, 2 ) )
+ end ) )
+end
+
+local function unexpected_char_error( str, pos )
+ local c = string.sub( str, pos, pos )
+ return string.format( "unexpected character at position %d: '%s'", pos, c )
+end
+
+--------------------------------------------------------------------------------
+
+local basexx = {}
+
+--------------------------------------------------------------------------------
+-- base2(bitfield) decode and encode function
+--------------------------------------------------------------------------------
+
+local bitMap = { o = "0", i = "1", l = "1" }
+
+function basexx.from_bit( str, ignore )
+ str = ignore_set( str, ignore )
+ str = string.lower( str )
+ str = str:gsub( '[ilo]', function( c ) return bitMap[ c ] end )
+ local pos = string.find( str, "[^01]" )
+ if pos then return nil, unexpected_char_error( str, pos ) end
+
+ return pure_from_bit( str )
+end
+
+function basexx.to_bit( str )
+ return ( str:gsub( '.', function ( c )
+ local byte = string.byte( c )
+ local bits = {}
+ for _ = 1,8 do
+ table.insert( bits, byte % 2 )
+ byte = math.floor( byte / 2 )
+ end
+ return table.concat( bits ):reverse()
+ end ) )
+end
+
+--------------------------------------------------------------------------------
+-- base16(hex) decode and encode function
+--------------------------------------------------------------------------------
+
+function basexx.from_hex( str, ignore )
+ str = ignore_set( str, ignore )
+ local pos = string.find( str, "[^%x]" )
+ if pos then return nil, unexpected_char_error( str, pos ) end
+
+ return ( str:gsub( '..', function ( cc )
+ return string.char( tonumber( cc, 16 ) )
+ end ) )
+end
+
+function basexx.to_hex( str )
+ return ( str:gsub( '.', function ( c )
+ return string.format('%02X', string.byte( c ) )
+ end ) )
+end
+
+--------------------------------------------------------------------------------
+-- generic function to decode and encode base32/base64
+--------------------------------------------------------------------------------
+
+local function from_basexx( str, alphabet, bits )
+ local result = {}
+ for i = 1, #str do
+ local c = string.sub( str, i, i )
+ if c ~= '=' then
+ local index = string.find( alphabet, c, 1, true )
+ if not index then
+ return nil, unexpected_char_error( str, i )
+ end
+ table.insert( result, number_to_bit( index - 1, bits ) )
+ end
+ end
+
+ local value = table.concat( result )
+ local pad = #value % 8
+ return pure_from_bit( string.sub( value, 1, #value - pad ) )
+end
+
+local function to_basexx( str, alphabet, bits, pad )
+ local bitString = basexx.to_bit( str )
+
+ local chunks = divide_string( bitString, bits )
+ local result = {}
+ for _,value in ipairs( chunks ) do
+ if ( #value < bits ) then
+ value = value .. string.rep( '0', bits - #value )
+ end
+ local pos = tonumber( value, 2 ) + 1
+ table.insert( result, alphabet:sub( pos, pos ) )
+ end
+
+ table.insert( result, pad )
+ return table.concat( result )
+end
+
+--------------------------------------------------------------------------------
+-- rfc 3548: http://www.rfc-editor.org/rfc/rfc3548.txt
+--------------------------------------------------------------------------------
+
+local base32Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
+local base32PadMap = { "", "======", "====", "===", "=" }
+
+function basexx.from_base32( str, ignore )
+ str = ignore_set( str, ignore )
+ return from_basexx( string.upper( str ), base32Alphabet, 5 )
+end
+
+function basexx.to_base32( str )
+ return to_basexx( str, base32Alphabet, 5, base32PadMap[ #str % 5 + 1 ] )
+end
+
+--------------------------------------------------------------------------------
+-- crockford: http://www.crockford.com/wrmg/base32.html
+--------------------------------------------------------------------------------
+
+local crockfordAlphabet = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
+local crockfordMap = { O = "0", I = "1", L = "1" }
+
+function basexx.from_crockford( str, ignore )
+ str = ignore_set( str, ignore )
+ str = string.upper( str )
+ str = str:gsub( '[ILOU]', function( c ) return crockfordMap[ c ] end )
+ return from_basexx( str, crockfordAlphabet, 5 )
+end
+
+function basexx.to_crockford( str )
+ return to_basexx( str, crockfordAlphabet, 5, "" )
+end
+
+--------------------------------------------------------------------------------
+-- base64 decode and encode function
+--------------------------------------------------------------------------------
+
+local base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"..
+ "abcdefghijklmnopqrstuvwxyz"..
+ "0123456789+/"
+local base64PadMap = { "", "==", "=" }
+
+function basexx.from_base64( str, ignore )
+ str = ignore_set( str, ignore )
+ return from_basexx( str, base64Alphabet, 6 )
+end
+
+function basexx.to_base64( str )
+ return to_basexx( str, base64Alphabet, 6, base64PadMap[ #str % 3 + 1 ] )
+end
+
+--------------------------------------------------------------------------------
+-- URL safe base64 decode and encode function
+--------------------------------------------------------------------------------
+
+local url64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"..
+ "abcdefghijklmnopqrstuvwxyz"..
+ "0123456789-_"
+
+function basexx.from_url64( str, ignore )
+ str = ignore_set( str, ignore )
+ return from_basexx( str, url64Alphabet, 6 )
+end
+
+function basexx.to_url64( str )
+ return to_basexx( str, url64Alphabet, 6, "" )
+end
+
+--------------------------------------------------------------------------------
+--
+--------------------------------------------------------------------------------
+
+local function length_error( len, d )
+ return string.format( "invalid length: %d - must be a multiple of %d", len, d )
+end
+
+local z85Decoder = { 0x00, 0x44, 0x00, 0x54, 0x53, 0x52, 0x48, 0x00,
+ 0x4B, 0x4C, 0x46, 0x41, 0x00, 0x3F, 0x3E, 0x45,
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x40, 0x00, 0x49, 0x42, 0x4A, 0x47,
+ 0x51, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A,
+ 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32,
+ 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A,
+ 0x3B, 0x3C, 0x3D, 0x4D, 0x00, 0x4E, 0x43, 0x00,
+ 0x00, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+ 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20,
+ 0x21, 0x22, 0x23, 0x4F, 0x00, 0x50, 0x00, 0x00 }
+
+function basexx.from_z85( str, ignore )
+ str = ignore_set( str, ignore )
+ if ( #str % 5 ) ~= 0 then
+ return nil, length_error( #str, 5 )
+ end
+
+ local result = {}
+
+ local value = 0
+ for i = 1, #str do
+ local index = string.byte( str, i ) - 31
+ if index < 1 or index >= #z85Decoder then
+ return nil, unexpected_char_error( str, i )
+ end
+ value = ( value * 85 ) + z85Decoder[ index ]
+ if ( i % 5 ) == 0 then
+ local divisor = 256 * 256 * 256
+ while divisor ~= 0 do
+ local b = math.floor( value / divisor ) % 256
+ table.insert( result, string.char( b ) )
+ divisor = math.floor( divisor / 256 )
+ end
+ value = 0
+ end
+ end
+
+ return table.concat( result )
+end
+
+local z85Encoder = "0123456789"..
+ "abcdefghijklmnopqrstuvwxyz"..
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZ"..
+ ".-:+=^!/*?&<>()[]{}@%$#"
+
+function basexx.to_z85( str )
+ if ( #str % 4 ) ~= 0 then
+ return nil, length_error( #str, 4 )
+ end
+
+ local result = {}
+
+ local value = 0
+ for i = 1, #str do
+ local b = string.byte( str, i )
+ value = ( value * 256 ) + b
+ if ( i % 4 ) == 0 then
+ local divisor = 85 * 85 * 85 * 85
+ while divisor ~= 0 do
+ local index = ( math.floor( value / divisor ) % 85 ) + 1
+ table.insert( result, z85Encoder:sub( index, index ) )
+ divisor = math.floor( divisor / 85 )
+ end
+ value = 0
+ end
+ end
+
+ return table.concat( result )
+end
+
+--------------------------------------------------------------------------------
+
+return basexx
diff --git a/modules/experimental_dot_auth/experimental_dot_auth.lua b/modules/experimental_dot_auth/experimental_dot_auth.lua
new file mode 100644
index 0000000..f5ab6be
--- /dev/null
+++ b/modules/experimental_dot_auth/experimental_dot_auth.lua
@@ -0,0 +1,122 @@
+-- Module interface
+
+local ffi = require('ffi')
+local basexx = require('basexx')
+local C = ffi.C
+
+-- Export module interface
+local M = {}
+M.layer = {}
+local base32 = {}
+local str = {}
+local AF_INET = 2
+local AF_INET6 = 10
+local INET_ADDRSTRLEN = 16
+local INET6_ADDRSTRLEN = 46
+
+ffi.cdef[[
+/*
+ * Data structures
+ */
+typedef int socklen_t;
+ struct sockaddr_storage{
+ unsigned short int ss_family;
+ unsigned long int __ss_align;
+ char __ss_padding[128 - (2 *sizeof(unsigned long int))];
+ };
+ struct in_addr{
+ unsigned char s_addr[4];
+ };
+ struct in6_addr{
+ unsigned char s6_addr[16];
+ };
+ struct sockaddr_in{
+ short sin_family;
+ unsigned short sin_port;
+ struct in_addr sin_addr;
+ char sin_zero[8];
+ } __attribute__ ((__packed__));
+ struct sockaddr_in6{
+ unsigned short sin6_family;
+ unsigned short sin6_port;
+ unsigned int sin6_flowinfo;
+ struct in6_addr sin6_addr;
+ unsigned int sin6_scope_id;
+ };
+ typedef unsigned short sa_family_t;
+ struct sockaddr_un {
+ sa_family_t sun_family;
+ char sun_path[108];
+ };
+ const char *inet_ntop(
+ int af,
+ const void *cp,
+ char *buf,
+ socklen_t len);
+]]
+
+function base32.pad(b32)
+ local m = #b32 % 8
+ if m ~= 0 then
+ b32 = b32 .. string.rep("=", 8 - m)
+ end
+ return b32
+end
+
+function str.starts(String,Start)
+ return string.sub(String,1,string.len(Start))==Start
+end
+
+-- Handle DoT signalling NS domains.
+function M.layer.consume(state, _, pkt)
+ if state == kres.FAIL then return state end
+ -- Only successful answers
+ pkt = kres.pkt_t(pkt)
+ -- log("%s", pkt:tostring())
+ local authority = pkt:section(kres.section.AUTHORITY)
+ local additional = pkt:section(kres.section.ADDITIONAL)
+ for _, rr in ipairs(authority) do
+ --log("%d %s", rr.type, kres.dname2str(rr.rdata))
+ if rr.type == kres.type.NS then
+ local name = kres.dname2str(rr.rdata):upper()
+ -- log("NS %d", name:len())
+ if name:len() > 56 and str.starts(name, "DOT-") then
+ local k = basexx.to_base64(
+ basexx.from_base32(
+ base32.pad(string.sub(name, 5, string.find(name, '[.]') - 1))
+ )
+ )
+ for _, rr_add in ipairs(additional) do
+ if rr_add.type == kres.type.A or rr_add.type == kres.type.AAAA then
+ local name_add = kres.dname2str(rr_add.owner):upper()
+ if name == name_add then
+ local addrbuf
+ if rr_add.type == kres.type.A then
+ local ns_addr = ffi.new("struct sockaddr_in")
+ ns_addr.sin_family = AF_INET
+
+ ns_addr.sin_addr.s_addr = rr_add.rdata
+ addrbuf = ffi.new("char[?]", INET_ADDRSTRLEN)
+ C.inet_ntop(AF_INET, ns_addr.sin_addr, addrbuf, INET_ADDRSTRLEN)
+ else
+ local ns_addr = ffi.new("struct sockaddr_in6")
+ ns_addr.sin6_family = AF_INET6
+
+ ns_addr.sin6_addr.s6_addr = rr_add.rdata
+ addrbuf = ffi.new("char[?]", INET6_ADDRSTRLEN)
+ C.inet_ntop(AF_INET6, ns_addr.sin6_addr, addrbuf, INET6_ADDRSTRLEN)
+ end
+ net.tls_client(ffi.string(addrbuf).."@853", {k})
+ log("Adding %s IP %s %s", name_add, ffi.string(addrbuf).."@853", k)
+ end
+ end
+ end
+ end
+ end
+ end
+
+ return state
+
+end
+
+return M
diff --git a/modules/experimental_dot_auth/experimental_dot_auth.mk b/modules/experimental_dot_auth/experimental_dot_auth.mk
new file mode 100644
index 0000000..6f93fcd
--- /dev/null
+++ b/modules/experimental_dot_auth/experimental_dot_auth.mk
@@ -0,0 +1,2 @@
+experimental_dot_auth_SOURCES := experimental_dot_auth.lua basexx.lua
+$(call make_lua_module,experimental_dot_auth)