summaryrefslogtreecommitdiffstats
path: root/src/lib/dhcp/option4_dnr.cc
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/dhcp/option4_dnr.cc')
-rw-r--r--src/lib/dhcp/option4_dnr.cc489
1 files changed, 489 insertions, 0 deletions
diff --git a/src/lib/dhcp/option4_dnr.cc b/src/lib/dhcp/option4_dnr.cc
new file mode 100644
index 0000000..f1b50cb
--- /dev/null
+++ b/src/lib/dhcp/option4_dnr.cc
@@ -0,0 +1,489 @@
+// Copyright (C) 2023 Internet Systems Consortium, Inc. ("ISC")
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#include <config.h>
+
+#include <dhcp/option4_dnr.h>
+#include <dns/labelsequence.h>
+#include <util/strutil.h>
+
+using namespace isc::asiolink;
+using namespace isc::util;
+
+namespace isc {
+namespace dhcp {
+
+Option4Dnr::Option4Dnr(OptionBufferConstIter begin, OptionBufferConstIter end)
+ : Option(V4, DHO_V4_DNR) {
+ unpack(begin, end);
+}
+
+OptionPtr
+Option4Dnr::clone() const {
+ return (cloneInternal<Option4Dnr>());
+}
+
+void
+Option4Dnr::pack(OutputBuffer& buf, bool check) const {
+ packHeader(buf, check);
+ for (const DnrInstance& dnr_instance : dnr_instances_) {
+ buf.writeUint16(dnr_instance.getDnrInstanceDataLength());
+ buf.writeUint16(dnr_instance.getServicePriority());
+ buf.writeUint8(dnr_instance.getAdnLength());
+ dnr_instance.packAdn(buf);
+ if (dnr_instance.isAdnOnlyMode()) {
+ continue;
+ }
+
+ buf.writeUint8(dnr_instance.getAddrLength());
+ dnr_instance.packAddresses(buf);
+ dnr_instance.packSvcParams(buf);
+ }
+}
+
+void
+Option4Dnr::unpack(OptionBufferConstIter begin, OptionBufferConstIter end) {
+ setData(begin, end);
+ while (begin != end) {
+ DnrInstance dnr_instance(V4);
+ if (std::distance(begin, end) < dnr_instance.getMinimalLength()) {
+ isc_throw(OutOfRange, dnr_instance.getLogPrefix()
+ << "DNR instance data truncated to size "
+ << std::distance(begin, end));
+ }
+
+ // Unpack DnrInstanceDataLength.
+ dnr_instance.unpackDnrInstanceDataLength(begin, end);
+
+ const OptionBufferConstIter dnr_instance_end = begin +
+ dnr_instance.getDnrInstanceDataLength();
+
+ // Unpack Service priority.
+ dnr_instance.unpackServicePriority(begin);
+
+ // Unpack ADN len + ADN.
+ dnr_instance.unpackAdn(begin, dnr_instance_end);
+
+ if (begin == dnr_instance_end) {
+ // ADN only mode, other fields are not included.
+ addDnrInstance(dnr_instance);
+ continue;
+ }
+
+ dnr_instance.setAdnOnlyMode(false);
+
+ // Unpack Addr Len + IPv4 Address(es).
+ dnr_instance.unpackAddresses(begin, dnr_instance_end);
+
+ // SvcParams (variable length) field is last.
+ dnr_instance.unpackSvcParams(begin, dnr_instance_end);
+
+ addDnrInstance(dnr_instance);
+ }
+}
+
+std::string
+Option4Dnr::toText(int indent) const {
+ std::ostringstream stream;
+ std::string in(indent, ' '); // base indentation
+ stream << in << "type=" << type_ << "(V4_DNR), "
+ << "len=" << (len() - getHeaderLen());
+ int i = 0;
+ for (const DnrInstance& dnr_instance : dnr_instances_) {
+ stream << ", DNR Instance " << ++i
+ << "(Instance len=" << dnr_instance.getDnrInstanceDataLength() << ", "
+ << dnr_instance.getDnrInstanceAsText() << ")";
+ }
+
+ return (stream.str());
+}
+
+uint16_t
+Option4Dnr::len() const {
+ uint16_t len = OPTION4_HDR_LEN;
+ for (const DnrInstance& dnr_instance : dnr_instances_) {
+ len += dnr_instance.getDnrInstanceDataLength() +
+ dnr_instance.getDnrInstanceDataLengthSize();
+ }
+
+ return (len);
+}
+
+void
+Option4Dnr::addDnrInstance(DnrInstance& dnr_instance) {
+ dnr_instances_.push_back(dnr_instance);
+}
+
+const std::unordered_set<std::string> DnrInstance::FORBIDDEN_SVC_PARAMS = {"ipv4hint", "ipv6hint"};
+
+DnrInstance::DnrInstance(Option::Universe universe)
+ : universe_(universe), dnr_instance_data_length_(0), service_priority_(0),
+ adn_length_(0), addr_length_(0), svc_params_length_(0),
+ adn_only_mode_(true), dnr_instance_data_length_size_(0),
+ adn_length_size_(0), addr_length_size_(0), minimal_length_(0) {
+ initMembers();
+}
+
+DnrInstance::DnrInstance(Option::Universe universe,
+ const uint16_t service_priority,
+ const std::string& adn,
+ const DnrInstance::AddressContainer& ip_addresses,
+ const std::string& svc_params)
+ : universe_(universe), dnr_instance_data_length_(0),
+ service_priority_(service_priority), adn_length_(0),
+ addr_length_(0), ip_addresses_(ip_addresses), svc_params_length_(0),
+ adn_only_mode_(true), svc_params_(svc_params),
+ dnr_instance_data_length_size_(0), adn_length_size_(0),
+ addr_length_size_(0), minimal_length_(0) {
+ initMembers();
+ setAdn(adn);
+ checkFields();
+}
+
+DnrInstance::DnrInstance(Option::Universe universe,
+ const uint16_t service_priority,
+ const std::string& adn)
+ : universe_(universe), dnr_instance_data_length_(0),
+ service_priority_(service_priority), adn_length_(0),
+ addr_length_(0), svc_params_length_(0), adn_only_mode_(true),
+ dnr_instance_data_length_size_(0), adn_length_size_(0),
+ addr_length_size_(0), minimal_length_(0) {
+ initMembers();
+ setAdn(adn);
+}
+
+void
+DnrInstance::packAdn(OutputBuffer& buf) const {
+ if (!adn_) {
+ // This should not happen since Encrypted DNS options are designed
+ // to always include an authentication domain name.
+ isc_throw(InvalidOptionDnrDomainName, getLogPrefix()
+ << "Mandatory Authentication Domain Name fully "
+ "qualified domain-name is missing");
+ }
+
+ isc::dns::LabelSequence label_sequence(*adn_);
+ if (label_sequence.getDataLength() > 0) {
+ size_t data_length = 0;
+ const uint8_t* data = label_sequence.getData(&data_length);
+ buf.writeData(data, data_length);
+ }
+}
+
+void
+DnrInstance::packAddresses(OutputBuffer& buf) const {
+ AddressContainer::const_iterator address = ip_addresses_.begin();
+ while (address != ip_addresses_.end()) {
+ buf.writeUint32(address->toUint32());
+ ++address;
+ }
+}
+
+void
+DnrInstance::packSvcParams(OutputBuffer& buf) const {
+ if (svc_params_length_ > 0) {
+ buf.writeData(&(*svc_params_.begin()), svc_params_length_);
+ }
+}
+
+std::string
+DnrInstance::getAdnAsText() const {
+ return (adn_) ? (adn_->toText()) : ("");
+}
+
+void
+DnrInstance::setAdn(const std::string& adn) {
+ std::string trimmed_adn = str::trim(adn);
+ if (trimmed_adn.empty()) {
+ isc_throw(InvalidOptionDnrDomainName, getLogPrefix()
+ << "Mandatory Authentication Domain Name fully "
+ "qualified domain-name must not be empty");
+ }
+
+ try {
+ adn_.reset(new isc::dns::Name(trimmed_adn, true));
+ } catch (const Exception& ex) {
+ isc_throw(InvalidOptionDnrDomainName, getLogPrefix()
+ << "Failed to parse "
+ "fully qualified domain-name from string - "
+ << ex.what());
+ }
+
+ size_t adn_len = 0;
+ isc::dns::LabelSequence label_sequence(*adn_);
+ label_sequence.getData(&adn_len);
+ if (adn_len > std::numeric_limits<uint16_t>::max()) {
+ isc_throw(InvalidOptionDnrDomainName, getLogPrefix() << "Given ADN FQDN length " << adn_len
+ << " is bigger than uint_16 MAX");
+ }
+
+ adn_length_ = adn_len;
+ if (universe_ == Option::V4) {
+ dnr_instance_data_length_ = dnrInstanceLen();
+ }
+}
+
+void
+DnrInstance::unpackAdn(OptionBufferConstIter& begin, OptionBufferConstIter end) {
+ OpaqueDataTuple::LengthFieldType lft = OptionDataTypeUtil::getTupleLenFieldType(universe_);
+ OpaqueDataTuple adn_tuple(lft);
+ try {
+ adn_tuple.unpack(begin, end);
+ } catch (const Exception& ex) {
+ isc_throw(BadValue, getLogPrefix() << "failed to unpack ADN data"
+ << " - " << ex.what());
+ }
+
+ adn_length_ = adn_tuple.getLength();
+
+ // Encrypted DNS options are designed to always include an authentication domain name,
+ // so when there is no FQDN included, we shall throw an exception.
+ if (adn_length_ == 0) {
+ isc_throw(InvalidOptionDnrDomainName, getLogPrefix()
+ << "Mandatory Authentication Domain Name fully "
+ "qualified domain-name is missing");
+ }
+
+ InputBuffer name_buf(adn_tuple.getData().data(), adn_length_);
+ try {
+ adn_.reset(new isc::dns::Name(name_buf, true));
+ } catch (const Exception& ex) {
+ isc_throw(InvalidOptionDnrDomainName, getLogPrefix()
+ << "Failed to parse "
+ "fully qualified domain-name from wire format "
+ "- " << ex.what());
+ }
+
+ begin += adn_length_ + getAdnLengthSize();
+}
+
+void
+DnrInstance::checkSvcParams(bool from_wire_data) {
+ std::string svc_params = str::trim(svc_params_);
+ if (svc_params.empty()) {
+ isc_throw(InvalidOptionDnrSvcParams, getLogPrefix()
+ << "Provided Svc Params field is empty");
+ }
+
+ if (!from_wire_data) {
+ // If Service Params field was not parsed from on-wire data,
+ // but actually was provided with ctor, let's calculate svc_params_length_.
+ auto svc_params_len = svc_params.length();
+ if (svc_params_len > std::numeric_limits<uint16_t>::max()) {
+ isc_throw(InvalidOptionDnrSvcParams, getLogPrefix()
+ << "Given Svc Params length " << svc_params_len
+ << " is bigger than uint_16 MAX");
+ }
+
+ svc_params_length_ = svc_params_len;
+ // If Service Params field was not parsed from on-wire data,
+ // but actually was provided with ctor, let's replace it with trimmed value.
+ svc_params_ = svc_params;
+ }
+
+ // SvcParams are a whitespace-separated list, with each SvcParam
+ // consisting of a SvcParamKey=SvcParamValue pair or a standalone SvcParamKey.
+ // SvcParams in presentation format MAY appear in any order, but keys MUST NOT be repeated.
+
+ // Let's put all elements of a whitespace-separated list into a vector.
+ std::vector<std::string> tokens = str::tokens(svc_params, " ");
+
+ // Set of keys used to check if a key is not repeated.
+ std::unordered_set<std::string> keys;
+ // String sanitizer is used to check keys syntax.
+ str::StringSanitizerPtr sanitizer;
+ // SvcParamKeys are lower-case alphanumeric strings. Key names
+ // contain 1-63 characters from the ranges "a"-"z", "0"-"9", and "-".
+ std::string regex = "[^a-z0-9-]";
+ sanitizer.reset(new str::StringSanitizer(regex, ""));
+
+ // Now let's check each SvcParamKey=SvcParamValue pair.
+ for (const std::string& token : tokens) {
+ std::vector<std::string> key_val = str::tokens(token, "=");
+ if (key_val.size() > 2) {
+ isc_throw(InvalidOptionDnrSvcParams,
+ getLogPrefix() << "Wrong Svc Params syntax - more than one "
+ "equals sign found in SvcParamKey=SvcParamValue pair");
+ }
+
+ // SvcParam Key related checks come below.
+ std::string key = key_val[0];
+ if (key.length() > 63) {
+ isc_throw(InvalidOptionDnrSvcParams,
+ getLogPrefix() << "Wrong Svc Params syntax - key had more than 63 "
+ "characters - " << key);
+ }
+
+ if (FORBIDDEN_SVC_PARAMS.find(key) != FORBIDDEN_SVC_PARAMS.end()) {
+ isc_throw(InvalidOptionDnrSvcParams, getLogPrefix() << "Wrong Svc Params syntax - key "
+ << key << " must not be used");
+ }
+
+ auto insert_res = keys.insert(key);
+ if (!insert_res.second) {
+ isc_throw(InvalidOptionDnrSvcParams, getLogPrefix() << "Wrong Svc Params syntax - key "
+ << key << " was duplicated");
+ }
+
+ std::string sanitized_key = sanitizer->scrub(key);
+ if (sanitized_key.size() < key.size()) {
+ isc_throw(InvalidOptionDnrSvcParams,
+ getLogPrefix()
+ << "Wrong Svc Params syntax - invalid character used in key - " << key);
+ }
+ }
+}
+
+void
+DnrInstance::checkFields() {
+ if (svc_params_.empty() && ip_addresses_.empty()) {
+ // ADN only mode, nothing more to do.
+ return;
+ }
+
+ if (!svc_params_.empty() && ip_addresses_.empty()) {
+ // As per draft-ietf-add-dnr 3.1.8:
+ // If additional data is supplied (i.e. not ADN only mode),
+ // the option includes at least one valid IP address.
+ isc_throw(OutOfRange, getLogPrefix() << "No IP address given. Since this is not ADN only "
+ "mode, at least one valid IP address must "
+ "be included");
+ }
+
+ if (!svc_params_.empty()) {
+ checkSvcParams(false);
+ }
+
+ adn_only_mode_ = false;
+ const uint8_t addr_field_len = (universe_ == Option::V4) ? V4ADDRESS_LEN : V6ADDRESS_LEN;
+ const uint16_t max_addr_len = (universe_ == Option::V4) ? std::numeric_limits<uint8_t>::max() :
+ std::numeric_limits<uint16_t>::max();
+ auto addr_len = ip_addresses_.size() * addr_field_len;
+ if (addr_len > max_addr_len) {
+ isc_throw(OutOfRange, getLogPrefix() << "Given IP addresses length " << addr_len
+ << " is bigger than MAX " << max_addr_len);
+ }
+
+ addr_length_ = addr_len;
+ if (universe_ == Option::V4) {
+ dnr_instance_data_length_ = dnrInstanceLen();
+ }
+}
+
+std::string
+DnrInstance::getDnrInstanceAsText() const {
+ std::ostringstream stream;
+ stream << "service_priority=" << service_priority_ << ", adn_length=" << adn_length_ << ", "
+ << "adn='" << getAdnAsText() << "'";
+ if (!adn_only_mode_) {
+ stream << ", addr_length=" << addr_length_ << ", address(es):";
+ for (const auto& address : ip_addresses_) {
+ stream << " " << address.toText();
+ }
+
+ if (svc_params_length_ > 0) {
+ stream << ", svc_params='" + svc_params_ + "'";
+ }
+ }
+
+ return (stream.str());
+}
+
+uint16_t
+DnrInstance::dnrInstanceLen() const {
+ uint16_t len = SERVICE_PRIORITY_SIZE + adn_length_ + getAdnLengthSize();
+ if (!adn_only_mode_) {
+ len += addr_length_ + getAddrLengthSize() + svc_params_length_;
+ }
+
+ return (len);
+}
+
+void
+DnrInstance::addIpAddress(const IOAddress& ip_address) {
+ ip_addresses_.push_back(ip_address);
+}
+
+void
+DnrInstance::unpackDnrInstanceDataLength(OptionBufferConstIter& begin, OptionBufferConstIter end) {
+ dnr_instance_data_length_ = readUint16(&*begin, getDnrInstanceDataLengthSize());
+ begin += getDnrInstanceDataLengthSize();
+ if (std::distance(begin, end) < dnr_instance_data_length_) {
+ isc_throw(OutOfRange, getLogPrefix()
+ << "DNR instance data truncated to size "
+ << std::distance(begin, end) << " but it was supposed to be "
+ << dnr_instance_data_length_);
+ }
+}
+
+void
+DnrInstance::unpackServicePriority(OptionBufferConstIter& begin) {
+ service_priority_ = readUint16(&*begin, SERVICE_PRIORITY_SIZE);
+ begin += SERVICE_PRIORITY_SIZE;
+}
+
+void
+DnrInstance::unpackAddresses(OptionBufferConstIter& begin, const OptionBufferConstIter end) {
+ OpaqueDataTuple addr_tuple(OpaqueDataTuple::LENGTH_1_BYTE);
+ try {
+ addr_tuple.unpack(begin, end);
+ } catch (const Exception& ex) {
+ isc_throw(BadValue, getLogPrefix() << "failed to unpack IP Addresses data"
+ << " - " << ex.what());
+ }
+
+ addr_length_ = addr_tuple.getLength();
+ // It MUST be a multiple of 4.
+ if ((addr_length_ % V4ADDRESS_LEN) != 0) {
+ isc_throw(OutOfRange, getLogPrefix()
+ << "Addr Len=" << addr_length_ << " is not divisible by 4");
+ }
+
+ // As per draft-ietf-add-dnr 3.1.8:
+ // If additional data is supplied (i.e. not ADN only mode),
+ // the option includes at least one valid IP address.
+ if (addr_length_ == 0) {
+ isc_throw(OutOfRange, getLogPrefix()
+ << "Addr Len=" << addr_length_
+ << " but it must contain at least one valid IP address");
+ }
+
+ begin += getAddrLengthSize();
+ OptionBufferConstIter addr_begin = begin;
+ OptionBufferConstIter addr_end = addr_begin + addr_length_;
+
+ while (addr_begin != addr_end) {
+ const uint8_t* ptr = &(*addr_begin);
+ addIpAddress(IOAddress(readUint32(ptr, std::distance(addr_begin, addr_end))));
+ addr_begin += V4ADDRESS_LEN;
+ begin += V4ADDRESS_LEN;
+ }
+}
+
+void
+DnrInstance::unpackSvcParams(OptionBufferConstIter& begin, OptionBufferConstIter end) {
+ svc_params_length_ = std::distance(begin, end);
+ if (svc_params_length_ > 0) {
+ svc_params_.assign(begin, end);
+ checkSvcParams();
+ begin += svc_params_length_;
+ }
+}
+
+void
+DnrInstance::initMembers() {
+ dnr_instance_data_length_size_ = (universe_ == Option::V6) ? 0 : 2;
+ adn_length_size_ = (universe_ == Option::V6) ? 2 : 1;
+ addr_length_size_ = (universe_ == Option::V6) ? 2 : 1;
+ minimal_length_ = dnr_instance_data_length_size_ + SERVICE_PRIORITY_SIZE + adn_length_size_;
+ log_prefix_ =
+ (universe_ == Option::V4) ?
+ ("DHCPv4 Encrypted DNS Option (" + std::to_string(DHO_V4_DNR) + ") malformed: ") :
+ ("DHCPv6 Encrypted DNS Option (" + std::to_string(D6O_V6_DNR) + ") malformed: ");
+}
+
+} // namespace dhcp
+} // namespace isc