Automatic migration of cookie secrets

from the old to the new default location
NLnetLabs · Aug 28, 2024 · efe4cf6 · efe4cf6
1 parent 65a5d64
commit efe4cf6
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 17 deletions.
diff --git a/remote.c b/remote.c
@@ -2402,15 +2402,17 @@ do_del_tsig(RES* ssl, xfrd_state_type* xfrd, char* arg) {
 /* returns `0` on failure */
 static int
 cookie_secret_file_dump(RES* ssl, nsd_type* const nsd) {
-	char const* secret_file = nsd->options->cookie_secret_file;
+	char const* secret_file = nsd->options->cookie_secret_file
+	                        ? nsd->options->cookie_secret_file
+				: COOKIESECRETSFILE;
 	char secret_hex[NSD_COOKIE_SECRET_SIZE * 2 + 1];
 	FILE* f;
 	size_t i;
 	assert( secret_file != NULL );
 
 	/* open write only and truncate */
 	if((f = fopen(secret_file, "w")) == NULL ) {
-		(void)ssl_printf(ssl, "unable to open cookie secret file %s: %s",
+		(void)ssl_printf(ssl, "unable to open cookie secret file %s: %s\n",
 		                 secret_file, strerror(errno));
 		return 0;
 	}
@@ -2456,8 +2458,10 @@ do_activate_cookie_secret(RES* ssl, xfrd_state_type* xrfd, char* arg) {
 	      , sizeof(cookie_secrets_type));
 	activate_cookie_secret(nsd);
 	if(!cookie_secret_file_dump(ssl, nsd)) {
-		(void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n",
-				nsd->options->cookie_secret_file);
+		(void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n"
+		                , nsd->options->cookie_secret_file
+		                ? nsd->options->cookie_secret_file
+		                : COOKIESECRETSFILE);
 		memcpy( nsd->cookie_secrets, backup_cookie_secrets
 		      , sizeof(cookie_secrets_type));
 		nsd->cookie_count = backup_cookie_count;
@@ -2498,8 +2502,10 @@ do_drop_cookie_secret(RES* ssl, xfrd_state_type* xrfd, char* arg) {
 	      , sizeof(cookie_secrets_type));
 	drop_cookie_secret(nsd);
 	if(!cookie_secret_file_dump(ssl, nsd)) {
-		(void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n",
-				nsd->options->cookie_secret_file);
+		(void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n"
+		                , nsd->options->cookie_secret_file
+		                ? nsd->options->cookie_secret_file
+		                : COOKIESECRETSFILE);
 		memcpy( nsd->cookie_secrets, backup_cookie_secrets
 		      , sizeof(cookie_secrets_type));
 		nsd->cookie_count = backup_cookie_count;
@@ -2560,8 +2566,10 @@ do_add_cookie_secret(RES* ssl, xfrd_state_type* xrfd, char* arg) {
 	explicit_bzero(secret, NSD_COOKIE_SECRET_SIZE);
 	if(!cookie_secret_file_dump(ssl, nsd)) {
 		explicit_bzero(arg, strlen(arg));
-		(void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n",
-				nsd->options->cookie_secret_file);
+		(void)ssl_printf(ssl, "error: writing to cookie secret file: \"%s\"\n"
+		                , nsd->options->cookie_secret_file
+		                ? nsd->options->cookie_secret_file
+		                : COOKIESECRETSFILE);
 		memcpy( nsd->cookie_secrets, backup_cookie_secrets
 		      , sizeof(cookie_secrets_type));
 		nsd->cookie_count = backup_cookie_count;

diff --git a/tpkg/dns-cookies.tdir/dns-cookies.defaults.conf b/tpkg/dns-cookies.tdir/dns-cookies.defaults.conf
@@ -0,0 +1,7 @@
+server:
+    username: ""
+    answer-cookie: yes
+    ip-address: lo
+
+remote-control:
+    control-enable: yes
diff --git a/tpkg/dns-cookies.tdir/dns-cookies.test b/tpkg/dns-cookies.tdir/dns-cookies.test
@@ -29,4 +29,6 @@ unshare -rUn bash dns-cookies.test.A4 || exit 1
 echo "Starting test C1"
 unshare -rUn bash dns-cookies.test.C1 || exit 1
 
+echo "Starting test C2"
+unshare -mrUn bash dns-cookies.test.C2 || exit 1
 
diff --git a/tpkg/dns-cookies.tdir/dns-cookies.test.C2 b/tpkg/dns-cookies.tdir/dns-cookies.test.C2
@@ -0,0 +1,89 @@
+# #-- dns-cookies.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+. ../common.sh
+
+mkdir -p var/db/nsd
+mkdir -p var/run
+mkdir -p var/log
+mkdir -p etc/nsd
+
+mount --bind var /var
+mount --bind etc /etc
+
+cp -p dns-cookies.nsd_control.key /etc/nsd/nsd_control.key
+cp -p dns-cookies.nsd_control.pem /etc/nsd/nsd_control.pem
+cp -p dns-cookies.nsd_server.key /etc/nsd/nsd_server.key
+cp -p dns-cookies.nsd_server.pem /etc/nsd/nsd_server.pem
+
+cat << EOF > /etc/nsd/nsd_cookiesecrets.txt
+dd3bdf9344b678b185a6f5cb60fca715
+445536bcd2513298075a5d379663c962
+EOF
+
+# set environment interfaces
+ip address add 198.51.100.100 dev lo
+ip link set dev lo up
+
+# set NSD environment variables
+PRE="../.."
+TPKG_NSD_PID=`grep '^#define PIDFILE ' ../../config.h | sed -e 's/^[^"]*"//g' -e 's/"[^"]*$//g'`
+TPKG_NSD="$PRE/nsd"
+TPKG_NSD_CONTROL="$PRE/nsd-control"
+
+
+# start nsd with faketime
+TZ=UTC faketime -f '2024-08-28 14:49:05' $TPKG_NSD -c dns-cookies.defaults.conf &
+sleep .1
+
+echo "faketime nsd instance C2 running"
+
+dig @198.51.100.100 +cookie=2464c4abcf10c957 > dig.output.c2.1
+
+$TPKG_NSD_CONTROL -c dns-cookies.defaults.conf activate_cookie_secret
+
+sleep .1
+
+dig @198.51.100.100 +cookie=2464c4abcf10c957 > dig.output.c2.2
+
+kill `cat /var/run/nsd.pid`
+sleep .1
+
+TZ=UTC faketime -f '2024-08-28 14:49:05' $TPKG_NSD -c dns-cookies.defaults.conf &
+sleep .1
+
+dig @198.51.100.100 +cookie=2464c4abcf10c957 > dig.output.c2.3
+
+kill `cat /var/run/nsd.pid`
+sleep .1
+rm -fr etc
+rm -fr var
+ERRORS=0
+
+if grep -q "2464c4abcf10c9570100000066cf38e136666f01c0260ed1" dig.output.c2.1
+then
+	echo "C.2.1 Old location cookie matched"
+else
+	echo "C.2.1 Old location cookie failed to match"
+	cat dig.output.c2.1
+	ERRORS=1
+fi
+if grep -q "2464c4abcf10c9570100000066cf38e1a75842528f29e33d" dig.output.c2.2
+then
+	echo "C.2.2 Automatic cookie secret file migration worked"
+else
+	echo "C.2.2 Automatic cookie secret file migration did not worked"
+	cat dig.output.c2.2
+	ERRORS=1
+fi
+if grep -q "2464c4abcf10c9570100000066cf38e1a75842528f29e33d" dig.output.c2.3
+then
+	echo "C.2.3 Restart read cookies from new default secret file location"
+else
+	echo "C.2.3 Restart did not read cookies from new default secret file location"
+	cat dig.output.c2.3
+	ERRORS=1
+fi
+exit $ERRORS
diff --git a/util.c b/util.c
@@ -1161,7 +1161,19 @@ int cookie_secret_file_read(nsd_type* nsd, const char* cookie_secret_file) {
 
 	f = fopen(file, "r");
 	/* a non-existing cookie file is not an error */
-	if( f == NULL ) { return errno != EPERM; }
+	if(f != NULL)
+		; /* pass */
+
+	else if(errno != ENOENT) {
+		log_msg( LOG_ERR
+		       , "error reading cookie secret file \"%s\": \"%s\""
+		       , file, strerror(errno));
+		return 0;
+	}
+	else if(cookie_secret_file != NULL
+	     ||!(f = fopen((file = CONFIGDIR"/nsd_cookiesecrets.txt"), "r")))
+		return 1;
+
 	/* cookie secret file exists and is readable */
 	for( count = 0; count < NSD_COOKIE_HISTORY_SIZE; count++ ) {
 		size_t secret_len = 0;
@@ -1173,6 +1185,9 @@ int cookie_secret_file_read(nsd_type* nsd, const char* cookie_secret_file) {
 		secret_len = secret[secret_len - 1] == '\n' ? secret_len - 1 : secret_len;
 		if( secret_len != NSD_COOKIE_SECRET_SIZE * 2 ) {
 			fclose(f);
+			log_msg( LOG_ERR
+			       , "error parsing cookie secret file \"%s\""
+			       , file);
 			return 0;
 		}
 		/* needed for `hex_pton`; stripping potential `\n` */
@@ -1181,6 +1196,9 @@ int cookie_secret_file_read(nsd_type* nsd, const char* cookie_secret_file) {
 		                       NSD_COOKIE_SECRET_SIZE);
 		if( decoded_len != NSD_COOKIE_SECRET_SIZE ) {
 			fclose(f);
+			log_msg( LOG_ERR
+			       , "error parsing cookie secret file \"%s\""
+			       , file);
 			return 0;
 		}
 	}
@@ -1189,6 +1207,7 @@ int cookie_secret_file_read(nsd_type* nsd, const char* cookie_secret_file) {
 		nsd->cookie_count = count;
 		memcpy(nsd->cookie_secrets, cookie_secrets, sizeof(cookie_secrets));
 		nsd->cookie_secrets_source = COOKIE_SECRETS_FROM_FILE;
+
 	}
 	return 1;
 }
@@ -1230,14 +1249,8 @@ void reconfig_cookies(struct nsd* nsd, struct nsd_options* options)
 		}
 		nsd->cookie_count = 1;
 		nsd->cookie_secrets_source = COOKIE_SECRETS_GENERATED;
-		if((!options->cookie_secret_file || options->cookie_secret_file[0])
-		&&  !cookie_secret_file_read(nsd, options->cookie_secret_file)) {
-			log_msg( LOG_ERR, "cookie secret file \"%s\" corrupt "
-			                  "or not readable"
-			       , options->cookie_secret_file
-		               ? options->cookie_secret_file
-			       : COOKIESECRETSFILE);
-		}
+		if((!options->cookie_secret_file || options->cookie_secret_file[0]))
+			(void)cookie_secret_file_read(nsd, options->cookie_secret_file);
 	}
 }