Commit c3469d94 authored by Karel Slaný's avatar Karel Slaný Committed by Ondřej Surý

Removed code for guessing source address using NS reputation mechanism.

parent b1935113
...@@ -53,48 +53,6 @@ static const struct sockaddr *passed_server_sockaddr(const struct kr_request *re ...@@ -53,48 +53,6 @@ static const struct sockaddr *passed_server_sockaddr(const struct kr_request *re
return NULL; return NULL;
} }
/**
* Tries to guess the name server address from the reputation mechanism.
* @param nsrep name server reputation context
* @param cc client cookie data
* @param cc_len client cookie size
* @param csecr client secret
* @param cc_alg client cookie algorithm
* @return pointer to address if a matching found, NULL if none matches
*/
static const struct sockaddr *guess_server_addr(const struct kr_nsrep *nsrep,
const uint8_t *cc, uint16_t cc_len,
const struct kr_cookie_secret *csecr,
const struct knot_cc_alg *cc_alg)
{
assert(nsrep && cc && cc_len && csecr && cc_alg);
const struct sockaddr *sockaddr = NULL;
struct knot_cc_input input = {
.clnt_sockaddr = NULL, /* Not supported yet. */
.srvr_sockaddr = NULL,
.secret_data = csecr->data,
.secret_len = csecr->size
};
/* Abusing name server reputation mechanism to obtain IP addresses. */
for (int i = 0; i < KR_NSREP_MAXADDR; ++i) {
if (nsrep->addr[i].ip.sa_family == AF_UNSPEC) {
break;
}
input.srvr_sockaddr = (struct sockaddr *)&nsrep->addr[i];
int ret = knot_cc_check(cc, cc_len, &input, cc_alg);
if (ret == KNOT_EOK) {
sockaddr = (struct sockaddr *)&nsrep->addr[i];
break;
}
}
return sockaddr;
}
/** /**
* Obtain pointer to server socket address that matches obtained cookie. * Obtain pointer to server socket address that matches obtained cookie.
* @param sockaddr pointer to socket address to be set * @param sockaddr pointer to socket address to be set
...@@ -112,66 +70,40 @@ static int srvr_sockaddr_cc_check(const struct sockaddr **sockaddr, ...@@ -112,66 +70,40 @@ static int srvr_sockaddr_cc_check(const struct sockaddr **sockaddr,
{ {
assert(sockaddr && is_current && req && cc && cc_len && clnt_sett); assert(sockaddr && is_current && req && cc && cc_len && clnt_sett);
struct kr_query *qry = req->current_query;
const struct sockaddr *tmp_sockaddr = passed_server_sockaddr(req); const struct sockaddr *tmp_sockaddr = passed_server_sockaddr(req);
if (!tmp_sockaddr) {
/* Server did not provide information about source address. */
return kr_error(EINVAL);
}
const struct knot_cc_alg *cc_alg = NULL; const struct knot_cc_alg *cc_alg = NULL;
/* The address must correspond with the client cookie. */ assert(clnt_sett->current.secr);
if (tmp_sockaddr) {
assert(clnt_sett->current.secr);
struct knot_cc_input input = {
.clnt_sockaddr = NULL, /* Not supported yet. */
.srvr_sockaddr = tmp_sockaddr,
.secret_data = clnt_sett->current.secr->data,
.secret_len = clnt_sett->current.secr->size
};
cc_alg = kr_cc_alg_get(clnt_sett->current.alg_id);
if (!cc_alg) {
kr_error(EINVAL);
}
int ret = knot_cc_check(cc, cc_len, &input, cc_alg);
bool have_current = (ret == KNOT_EOK);
cc_alg = kr_cc_alg_get(clnt_sett->recent.alg_id);
if ((ret != KNOT_EOK) && clnt_sett->recent.secr && cc_alg) {
input.secret_data = clnt_sett->recent.secr->data;
input.secret_len = clnt_sett->recent.secr->size;
ret = knot_cc_check(cc, cc_len, &input, cc_alg);
}
if (ret == KNOT_EOK) {
*sockaddr = tmp_sockaddr;
*is_current = have_current;
}
return (ret == KNOT_EOK) ? kr_ok() : kr_error(EINVAL);
}
DEBUG_MSG(NULL, "%s\n",
"guessing response address from ns reputation");
/* Abusing name server reputation mechanism to guess IP addresses. */ /* The address must correspond with the client cookie. */
struct knot_cc_input input = {
.clnt_sockaddr = NULL, /* Not supported yet. */
.srvr_sockaddr = tmp_sockaddr,
.secret_data = clnt_sett->current.secr->data,
.secret_len = clnt_sett->current.secr->size
};
cc_alg = kr_cc_alg_get(clnt_sett->current.alg_id); cc_alg = kr_cc_alg_get(clnt_sett->current.alg_id);
if (!cc_alg) { if (!cc_alg) {
kr_error(EINVAL); kr_error(EINVAL);
} }
const struct kr_nsrep *ns = &qry->ns; int ret = knot_cc_check(cc, cc_len, &input, cc_alg);
tmp_sockaddr = guess_server_addr(ns, cc, cc_len, bool have_current = (ret == KNOT_EOK);
clnt_sett->current.secr, cc_alg);
bool have_current = (tmp_sockaddr != NULL);
cc_alg = kr_cc_alg_get(clnt_sett->recent.alg_id); cc_alg = kr_cc_alg_get(clnt_sett->recent.alg_id);
if (!tmp_sockaddr && clnt_sett->recent.secr && cc_alg) { if ((ret != KNOT_EOK) && clnt_sett->recent.secr && cc_alg) {
/* Try recent client secret to check obtained cookie. */ input.secret_data = clnt_sett->recent.secr->data;
tmp_sockaddr = guess_server_addr(ns, cc, cc_len, input.secret_len = clnt_sett->recent.secr->size;
clnt_sett->recent.secr, ret = knot_cc_check(cc, cc_len, &input, cc_alg);
cc_alg);
} }
if (tmp_sockaddr) { if (ret == KNOT_EOK) {
*sockaddr = tmp_sockaddr; *sockaddr = tmp_sockaddr;
*is_current = have_current; *is_current = have_current;
} }
return (ret == KNOT_EOK) ? kr_ok() : kr_error(EINVAL);
return tmp_sockaddr ? kr_ok() : kr_error(EINVAL);
} }
/** /**
......
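Review bot: In the body of `srvr_sockaddr_cc_check` that this commit keeps, the branch `if (!cc_alg) { kr_error(EINVAL); }` discards the error value, so an unknown `clnt_sett->current.alg_id` does not stop the function and `knot_cc_check()` is still called with a NULL `cc_alg`. With the reputation-based fallback gone, this appears to be the only place where a received cookie is matched against the server address, so it should fail closed: `if (!cc_alg) { return kr_error(EINVAL); }`. Whether `knot_cc_check()` itself rejects a NULL algorithm is not visible on this page, so the caller should not depend on it. Separately, `assert(clnt_sett->current.secr);` is the only guard before `clnt_sett->current.secr->data` is read and it is compiled out under `NDEBUG`; an explicit `if (!clnt_sett->current.secr) { return kr_error(EINVAL); }` would keep release builds safe. The function's signature and opening lines lie outside the hunk.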