diff options
Diffstat (limited to 'modules/cookies/cookiectl.c')
| -rw-r--r-- | modules/cookies/cookiectl.c | 689 |
1 files changed, 689 insertions, 0 deletions
diff --git a/modules/cookies/cookiectl.c b/modules/cookies/cookiectl.c new file mode 100644 index 0000000..f1ab80a --- /dev/null +++ b/modules/cookies/cookiectl.c @@ -0,0 +1,689 @@ +/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz> + * SPDX-License-Identifier: GPL-3.0-or-later + */ + +#include <ccan/json/json.h> +#include <ctype.h> +#include <libknot/rrtype/opt-cookie.h> +#include <libknot/db/db_lmdb.h> +#include <stdlib.h> +#include <string.h> + +#include "lib/cookies/alg_containers.h" +#include "modules/cookies/cookiectl.h" + +#define NAME_CLIENT_ENABLED "client_enabled" +#define NAME_CLIENT_SECRET "client_secret" +#define NAME_CLIENT_COOKIE_ALG "client_cookie_alg" +#define NAME_AVAILABLE_CLIENT_COOKIE_ALGS "available_client_cookie_algs" + +#define NAME_SERVER_ENABLED "server_enabled" +#define NAME_SERVER_SECRET "server_secret" +#define NAME_SERVER_COOKIE_ALG "server_cookie_alg" +#define NAME_AVAILABLE_SERVER_COOKIE_ALGS "available_server_cookie_algs" + +/** + * @brief Initialises cookie control context. + * @param ctx cookie control context + */ +static void kr_cookie_ctx_init(struct kr_cookie_ctx *ctx) +{ + if (!ctx) { + return; + } + + memset(ctx, 0, sizeof(*ctx)); + + ctx->clnt.current.alg_id = ctx->clnt.recent.alg_id = -1; + ctx->srvr.current.alg_id = ctx->srvr.recent.alg_id = -1; +} + +/** + * @brief Check whether node holds proper 'enabled' value. + * @param node JSON node holding the value + * @return true if value OK + */ +static bool enabled_ok(const JsonNode *node) +{ + if (kr_fails_assert(node)) + return false; + + return node->tag == JSON_BOOL; +} + +/** + * @brief Check whether node holds proper 'secret' value. + * @param node JSON node holding the value + * @return true if value OK + */ +static bool secret_ok(const JsonNode *node) +{ + if (kr_fails_assert(node)) + return false; + + if (node->tag != JSON_STRING) { + return false; + } + + const char *hexstr = node->string_; + + size_t len = strlen(hexstr); + if ((len % 2) != 0) { + return false; + } + /* A check for minimal required length could also be performed. */ + + for (size_t i = 0; i < len; ++i) { + if (!isxdigit(tolower(hexstr[i]))) { + return false; + } + } + + return true; +} + +/** + * @brief Find hash function with given name. + * @param node JSON node holding the value + * @param table lookup table with algorithm names + * @return pointer to table entry or NULL on error if does not exist + */ +static const knot_lookup_t *hash_func_lookup(const JsonNode *node, + const knot_lookup_t table[]) +{ + if (!node || node->tag != JSON_STRING) { + return NULL; + } + + return knot_lookup_by_name(table, node->string_); +} + +/** + * @brief Creates a cookie secret structure. + * @param size size of the actual secret + * @param zero set to true if value should be cleared + * @return pointer to new structure, NULL on failure or if @size is zero + */ +static struct kr_cookie_secret *new_cookie_secret(size_t size, bool zero) +{ + if (size == 0) { + return NULL; + } + + struct kr_cookie_secret *sq = malloc(sizeof(*sq) + size); + if (!sq) { + return NULL; + } + + sq->size = size; + if (zero) { + memset(sq->data, 0, size); + } + return sq; +} + +/** + * @brief Clone a cookie secret. + * @param sec secret to be cloned + * @return pointer to new structure, NULL on failure or if @size is zero + */ +static struct kr_cookie_secret *clone_cookie_secret(const struct kr_cookie_secret *sec) +{ + if (!sec || sec->size == 0) { + return NULL; + } + + struct kr_cookie_secret *sq = malloc(sizeof(*sq) + sec->size); + if (!sq) { + return NULL; + } + + sq->size = sec->size; + memcpy(sq->data, sec->data, sq->size); + return sq; +} + +static int hexchar2val(int d) +{ + if (('0' <= d) && (d <= '9')) { + return d - '0'; + } else if (('a' <= d) && (d <= 'f')) { + return d - 'a' + 0x0a; + } else { + return -1; + } +} + +static int hexval2char(int i) +{ + if ((0 <= i) && (i <= 9)) { + return i + '0'; + } else if ((0x0a <= i) && (i <= 0x0f)) { + return i - 0x0a + 'A'; + } else { + return -1; + } +} + +/** + * @brief Converts string containing two-digit hexadecimal number into int. + * @param hexstr hexadecimal string + * @return -1 on error, value from 0 to 255 else. + */ +static int hexbyte2int(const char *hexstr) +{ + if (!hexstr) { + return -1; + } + + int dhi = tolower(hexstr[0]); + if (!isxdigit(dhi)) { + /* Exit also on empty string. */ + return -1; + } + int dlo = tolower(hexstr[1]); + if (!isxdigit(dlo)) { + return -1; + } + + dhi = hexchar2val(dhi); + if (kr_fails_assert(dhi != -1)) + return -1; + dlo = hexchar2val(dlo); + if (kr_fails_assert(dlo != -1)) + return -1; + + return (dhi << 4) | dlo; +} + +/** + * @brief Writes two hexadecimal digits (two byes) into given memory location. + * @param tgt target location + * @param i number from 0 to 255 + * @return 0 on success, -1 on failure + */ +static int int2hexbyte(char *tgt, int i) +{ + if (!tgt || i < 0x00 || i > 0xff) { + return -1; + } + + int ilo = hexval2char(i & 0x0f); + if (kr_fails_assert(ilo != -1)) + return -1; + int ihi = hexval2char((i >> 4) & 0x0f); + if (kr_fails_assert(ihi != -1)) + return -1; + + tgt[0] = ihi; + tgt[1] = ilo; + + return 0; +} + +/** + * @brief Reads a string containing hexadecimal values. + * @note String must consist of hexadecimal digits only and must have even + * non-zero length. + */ +static struct kr_cookie_secret *new_sq_from_hexstr(const char *hexstr) +{ + if (!hexstr) { + return NULL; + } + + size_t len = strlen(hexstr); + if ((len % 2) != 0) { + return NULL; + } + + struct kr_cookie_secret *sq = new_cookie_secret(len / 2, false); + if (!sq) { + return NULL; + } + + uint8_t *data = sq->data; + for (size_t i = 0; i < len; i += 2) { + int num = hexbyte2int(hexstr + i); + if (num == -1) { + free(sq); + return NULL; + } + if (kr_fails_assert(0x00 <= num && num <= 0xff)) { + free(sq); + return NULL; + } + *data = num; + ++data; + } + + return sq; +} + +/** + * @brief Creates new secret. + * @param node JSON node holding the secret value + * @return pointer to newly allocated secret, NULL on error + */ +static struct kr_cookie_secret *create_secret(const JsonNode *node) +{ + if (!node) { + return NULL; + } + + if (node->tag != JSON_STRING) { + return NULL; + } + + return new_sq_from_hexstr(node->string_); +} + +/** + * @brief Check whether configuration node contains valid values. + */ +static bool configuration_node_ok(const JsonNode *node) +{ + if (kr_fails_assert(node)) + return false; + + if (!node->key) { + /* All top most nodes must have names. */ + return false; + } + + if (strcmp(node->key, NAME_CLIENT_ENABLED) == 0) { + return enabled_ok(node); + } else if (strcmp(node->key, NAME_CLIENT_SECRET) == 0) { + return secret_ok(node); + } else if (strcmp(node->key, NAME_CLIENT_COOKIE_ALG) == 0) { + return hash_func_lookup(node, kr_cc_alg_names) != NULL; + } else if (strcmp(node->key, NAME_SERVER_ENABLED) == 0) { + return enabled_ok(node); + } else if (strcmp(node->key, NAME_SERVER_SECRET) == 0) { + return secret_ok(node); + } else if (strcmp(node->key, NAME_SERVER_COOKIE_ALG) == 0) { + return hash_func_lookup(node, kr_sc_alg_names) != NULL; + } + + return false; +} + +/** + * @brief Creates a new string from secret quantity. + * @param sq secret quantity + * @return newly allocated string or NULL on error + */ +static char *new_hexstr_from_sq(const struct kr_cookie_secret *sq) +{ + if (!sq) { + return NULL; + } + + char *new_str = malloc((sq->size * 2) + 1); + if (!new_str) { + return NULL; + } + + char *tgt = new_str; + for (size_t i = 0; i < sq->size; ++i) { + if (0 != int2hexbyte(tgt, sq->data[i])) { + free(new_str); + return NULL; + } + tgt += 2; + } + + *tgt = '\0'; + return new_str; +} + +static bool read_secret(JsonNode *root, const char *node_name, + const struct kr_cookie_secret *secret) +{ + if (kr_fails_assert(root && node_name && secret)) + return false; + + char *secret_str = new_hexstr_from_sq(secret); + if (!secret_str) { + return false; + } + + JsonNode *str_node = json_mkstring(secret_str); + if (!str_node) { + free(secret_str); + return false; + } + + json_append_member(root, node_name, str_node); + + free(secret_str); + return true; +} + +static bool read_available_hashes(JsonNode *root, const char *root_name, + const knot_lookup_t table[]) +{ + if (kr_fails_assert(root && root_name && table)) + return false; + + JsonNode *array = json_mkarray(); + if (!array) { + return false; + } + + const knot_lookup_t *aux_ptr = table; + while (aux_ptr && (aux_ptr->id >= 0) && aux_ptr->name) { + JsonNode *element = json_mkstring(aux_ptr->name); + if (!element) { + goto fail; + } + json_append_element(array, element); + ++aux_ptr; + } + + json_append_member(root, root_name, array); + + return true; + +fail: + if (array) { + json_delete(array); + } + return false; +} + +/** + * @brief Check whether new settings are different from the old ones. + */ +static bool is_modified(const struct kr_cookie_comp *running, + struct kr_cookie_secret *secr, + const knot_lookup_t *alg_lookup) +{ + if (kr_fails_assert(running)) + return false; + + if (alg_lookup && alg_lookup->id >= 0) { + if (running->alg_id != alg_lookup->id) { + return true; + } + } + + if (secr) { + if (kr_fails_assert(secr->size > 0)) + return false; + if (running->secr->size != secr->size || + 0 != memcmp(running->secr->data, secr->data, + running->secr->size)) { + return true; + } + } + + return false; +} + +/** + * @brief Returns newly allocated secret via pointer argument. + */ +static bool obtain_secret(JsonNode *root_node, struct kr_cookie_secret **secret, + const char *name) +{ + if (kr_fails_assert(secret && name)) + return false; + + const JsonNode *node; + if ((node = json_find_member(root_node, name)) != NULL) { + *secret = create_secret(node); + if (!*secret) { + return false; + } + } + + return true; +} + +/** + * @brief Updates the current configuration and moves current to recent. + */ +static void update_running(struct kr_cookie_settings *running, + struct kr_cookie_secret **secret, + const knot_lookup_t *alg_lookup) +{ + if (kr_fails_assert(running && secret) || kr_fails_assert(*secret || alg_lookup)) + return; + + running->recent.alg_id = -1; + free(running->recent.secr); + running->recent.secr = NULL; + + running->recent.alg_id = running->current.alg_id; + if (alg_lookup) { + if (kr_fails_assert(alg_lookup->id >= 0)) + return; + running->current.alg_id = alg_lookup->id; + } + + if (*secret) { + running->recent.secr = running->current.secr; + running->current.secr = *secret; + *secret = NULL; + } else { + running->recent.secr = clone_cookie_secret(running->current.secr); + } +} + +/** + * @brief Applies modification onto client/server running configuration. + * @note The @a secret is going to be consumed. + * @param secret pointer to new secret + * @param alg_lookup new algorithm + * @param enabled JSON node holding boolean value + */ +static void apply_changes(struct kr_cookie_settings *running, + struct kr_cookie_secret **secret, + const knot_lookup_t *alg_lookup, + const JsonNode *enabled) +{ + if (kr_fails_assert(running && secret)) + return; + + if (is_modified(&running->current, *secret, alg_lookup)) { + update_running(running, secret, alg_lookup); + } + + if (enabled) { + kr_assert(enabled->tag == JSON_BOOL); + running->enabled = enabled->bool_; + } +} + +/** + * @brief Applies configuration. + * + * @note The function must be called after the input values have been checked + * for validity. Only first found values are applied. + * + * @param ctx cookie configuration context + * @param root_node JSON root node + * @return true if changes were applied + */ +static bool config_apply_json(struct kr_cookie_ctx *ctx, JsonNode *root_node) +{ + if (kr_fails_assert(ctx && root_node)) + return; + + /* + * These must be allocated before actual change. Allocation failure + * should not leave configuration in inconsistent state. + */ + struct kr_cookie_secret *new_clnt_secret = NULL; + struct kr_cookie_secret *new_srvr_secret = NULL; + if (!obtain_secret(root_node, &new_clnt_secret, NAME_CLIENT_SECRET)) { + return false; + } + if (!obtain_secret(root_node, &new_srvr_secret, NAME_SERVER_SECRET)) { + free(new_clnt_secret); + return false; + } + + /* Algorithm pointers. */ + const knot_lookup_t *clnt_lookup = hash_func_lookup(json_find_member(root_node, NAME_CLIENT_COOKIE_ALG), kr_cc_alg_names); + const knot_lookup_t *srvr_lookup = hash_func_lookup(json_find_member(root_node, NAME_SERVER_COOKIE_ALG), kr_sc_alg_names); + + const JsonNode *clnt_enabled_node = json_find_member(root_node, NAME_CLIENT_ENABLED); + const JsonNode *srvr_enabled_node = json_find_member(root_node, NAME_SERVER_ENABLED); + + apply_changes(&ctx->clnt, &new_clnt_secret, clnt_lookup, clnt_enabled_node); + apply_changes(&ctx->srvr, &new_srvr_secret, srvr_lookup, srvr_enabled_node); + + /* + * Allocated secrets should be already consumed. There is no need to + * free them. + */ + + return true; +} + +bool config_apply(struct kr_cookie_ctx *ctx, const char *args) +{ + if (!ctx) { + return false; + } + + if (!args || !strlen(args)) { + return true; + } + + if (!args || !strlen(args)) { + return true; + } + + bool success = false; + + /* Check whether all supplied data are valid. */ + JsonNode *root_node = json_decode(args); + if (!root_node) { + return false; + } + JsonNode *node; + json_foreach (node, root_node) { + success = configuration_node_ok(node); + if (!success) { + break; + } + } + + /* Apply configuration if values seem to be OK. */ + if (success) { + success = config_apply_json(ctx, root_node); + } + + json_delete(root_node); + + return success; +} + +char *config_read(struct kr_cookie_ctx *ctx) +{ + if (!ctx) { + return NULL; + } + + const knot_lookup_t *lookup; + char *result; + JsonNode *root_node = json_mkobject(); + if (!root_node) { + return NULL; + } + + json_append_member(root_node, NAME_CLIENT_ENABLED, + json_mkbool(ctx->clnt.enabled)); + + read_secret(root_node, NAME_CLIENT_SECRET, ctx->clnt.current.secr); + + lookup = knot_lookup_by_id(kr_cc_alg_names, ctx->clnt.current.alg_id); + if (lookup) { + json_append_member(root_node, NAME_CLIENT_COOKIE_ALG, + json_mkstring(lookup->name)); + } + + read_available_hashes(root_node, NAME_AVAILABLE_CLIENT_COOKIE_ALGS, + kr_cc_alg_names); + + json_append_member(root_node, NAME_SERVER_ENABLED, + json_mkbool(ctx->srvr.enabled)); + + read_secret(root_node, NAME_SERVER_SECRET, ctx->srvr.current.secr); + + lookup = knot_lookup_by_id(kr_sc_alg_names, ctx->srvr.current.alg_id); + if (lookup) { + json_append_member(root_node, NAME_SERVER_COOKIE_ALG, + json_mkstring(lookup->name)); + } + + read_available_hashes(root_node, NAME_AVAILABLE_SERVER_COOKIE_ALGS, + kr_sc_alg_names); + + result = json_encode(root_node); + json_delete(root_node); + return result; +} + +int config_init(struct kr_cookie_ctx *ctx) +{ + if (!ctx) { + return kr_error(EINVAL); + } + + kr_cookie_ctx_init(ctx); + + struct kr_cookie_secret *cs = new_cookie_secret(KNOT_OPT_COOKIE_CLNT, + true); + struct kr_cookie_secret *ss = new_cookie_secret(KNOT_OPT_COOKIE_CLNT, + true); + if (!cs || !ss) { + free(cs); + free(ss); + return kr_error(ENOMEM); + } + + const knot_lookup_t *clookup = knot_lookup_by_name(kr_cc_alg_names, + "FNV-64"); + const knot_lookup_t *slookup = knot_lookup_by_name(kr_sc_alg_names, + "FNV-64"); + if (!clookup || !slookup) { + free(cs); + free(ss); + return kr_error(ENOENT); + } + + ctx->clnt.current.secr = cs; + ctx->clnt.current.alg_id = clookup->id; + + ctx->srvr.current.secr = ss; + ctx->srvr.current.alg_id = slookup->id; + + return kr_ok(); +} + +void config_deinit(struct kr_cookie_ctx *ctx) +{ + if (!ctx) { + return; + } + + ctx->clnt.enabled = false; + + free(ctx->clnt.recent.secr); + ctx->clnt.recent.secr = NULL; + + free(ctx->clnt.current.secr); + ctx->clnt.current.secr = NULL; + + ctx->srvr.enabled = false; + + free(ctx->srvr.recent.secr); + ctx->srvr.recent.secr = NULL; + + free(ctx->srvr.current.secr); + ctx->srvr.current.secr = NULL; +} |