On Thu, May 12, 2022 at 04:37:26PM +0200, Jules Maselbas wrote:
> The transaction ID wasn't verified on received DNS responses, plus the
> ID needs to be difficult to predict in order to avoid MitM (man in the
> middle) being able to easily forge responses.
>
> The ID is generated from the time of the request, probably not strongly
> unpredictable, this is what musl does and it is considered to be enough.
>
> Signed-off-by: Jules Maselbas <jmaselbas@xxxxxxxxx>
> ---
> v2: fix the dns_req_id type to uint16_t, added pr_debug when incorrect id
> is received, drop uses of the random32.
>
> net/dns.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)

Applied, thanks

Sascha

> > diff --git a/net/dns.c b/net/dns.c > index 78588b96f..8b5e8d59e 100644 > --- a/net/dns.c > +++ b/net/dns.c > @@ -58,6 +58,7 @@ struct header { > > static struct net_connection *dns_con; > static uint64_t dns_timer_start; > +static uint16_t dns_req_id; > static int dns_state; > static IPaddr_t dns_ip; > > @@ -70,9 +71,12 @@ static int dns_send(const char *name) > unsigned char *p, *s, *fullname, *dotptr; > const unsigned char *domain; > > + /* generate "difficult" to predict transaction id */ > + dns_req_id = dns_timer_start + (dns_timer_start >> 16); > + > /* Prepare DNS packet header */ > header = (struct header *)packet; > - header->tid = 1; > + header->tid = htons(dns_req_id); > header->flags = htons(0x100); /* standard query */ > header->nqueries = htons(1); /* Just one query */ > header->nanswers = 0; 
> @@ -127,6 +131,12 @@ static void dns_recv(struct header *header, unsigned len) > > pr_debug("%s\n", __func__); > > + /* Only accept responses with the expected request id */ > + if (ntohs(header->tid) != dns_req_id) { > + pr_debug("DNS response with incorrect id\n"); > + return; > + } > + > /* We sent 1 query. We want to see more that 1 answer. */ > if (ntohs(header->nqueries) != 1) > return; > -- > 2.17.1 > > > _______________________________________________ > barebox mailing list > barebox@xxxxxxxxxxxxxxxxxxx > http://lists.infradead.org/mailman/listinfo/barebox > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox
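Review bot: in the dns_send hunk, `dns_req_id = dns_timer_start + (dns_timer_start >> 16);` silently narrows a uint64_t into the uint16_t dns_req_id, so only the low 16 bits of the sum survive; an explicit `(uint16_t)` cast and a comment saying so would make that intent visible. The assignment of dns_timer_start is not in this hunk, so please confirm it is already set for the current request when dns_send runs; if it is only updated afterwards, the first query would go out with id 0 and a retried query would reuse the previous value. The commit message is candid that a timer-derived id is not strongly unpredictable, and the code comment above the assignment should state the same rather than leave the quoted "difficult" to be read as a guarantee; the v2 note says random32 was dropped, so if a better entropy source becomes available in barebox, switching this line to it is the natural follow-up.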