Re: [PATCH v2] net: dns: Generate and verify transaction ID

Mon, 16 May 2022 01:29:21 -0700 

On Thu, May 12, 2022 at 04:37:26PM +0200, Jules Maselbas wrote:
> The transaction ID wasn't verified on received DNS responses, plus the
> ID needs to be difficult to predict in order to avoid MitM (man in the
> middle) being able to easily forge responses.
> 
> The ID is generated from the time of the request, probably not strongly
> unpredictable, this what musl does and it is considered to be enough.
> 
> Signed-off-by: Jules Maselbas <[email protected]>
> ---
> v2: fix the dns_req_id type to uint16_t, added pr_debug when incorrect id
>     is received, drop uses of the random32.
> 
>  net/dns.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)

Applied, thanks

Sascha

> 
> diff --git a/net/dns.c b/net/dns.c
> index 78588b96f..8b5e8d59e 100644
> --- a/net/dns.c
> +++ b/net/dns.c
> @@ -58,6 +58,7 @@ struct header {
>  
>  static struct net_connection *dns_con;
>  static uint64_t dns_timer_start;
> +static uint16_t dns_req_id;
>  static int dns_state;
>  static IPaddr_t dns_ip;
>  
> @@ -70,9 +71,12 @@ static int dns_send(const char *name)
>       unsigned char *p, *s, *fullname, *dotptr;
>       const unsigned char *domain;
>  
> +     /* generate "difficult" to predict transaction id */
> +     dns_req_id = dns_timer_start + (dns_timer_start >> 16);
> +
>       /* Prepare DNS packet header */
>       header           = (struct header *)packet;
> -     header->tid      = 1;
> +     header->tid      = htons(dns_req_id);
>       header->flags    = htons(0x100);        /* standard query */
>       header->nqueries = htons(1);            /* Just one query */
>       header->nanswers = 0;
> @@ -127,6 +131,12 @@ static void dns_recv(struct header *header, unsigned len)
>  
>       pr_debug("%s\n", __func__);
>  
> +     /* Only accept responses with the expected request id */
> +     if (ntohs(header->tid) != dns_req_id) {
> +             pr_debug("DNS response with incorrect id\n");
> +             return;
> +     }
> +
>       /* We sent 1 query. We want to see more that 1 answer. */
>       if (ntohs(header->nqueries) != 1)
>               return;
> -- 
> 2.17.1
> 
> 
> _______________________________________________
> barebox mailing list
> [email protected]
> http://lists.infradead.org/mailman/listinfo/barebox
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/barebox

Reply via email to