Pad queries when EDNS0 is enabled.
Behavior is compliant with
https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-04
EDNS0 is only enabled when the netcontext requests it, i.e. in DNS-over-TLS
mode.
Bug: 69623036
Bug: 64133961
Test: Wireshark verified. Integration tests echo padding and pass.
Change-Id: I5ef600e02a572d281441e890cc981614f150629b
diff --git a/libc/dns/include/resolv_params.h b/libc/dns/include/resolv_params.h
index 1b9d433..3c07d8a 100644
--- a/libc/dns/include/resolv_params.h
+++ b/libc/dns/include/resolv_params.h
@@ -34,6 +34,10 @@
* servers.
*/
+/* If EDNS0_PADDING is defined, queries will be padded to a multiple of this length
+when EDNS0 is active. */
+#define EDNS0_PADDING 128
+
/* per-netid configuration parameters passed from netd to the resolver */
struct __res_params {
uint16_t sample_validity; // sample lifetime in s
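Review bot: The comment above `#define EDNS0_PADDING 128` is phrased as a conditional ("If EDNS0_PADDING is defined …"), yet this header defines it unconditionally, so a reader cannot tell whether it is meant as a tunable block size or as a build switch that may be removed. Stating the intent directly avoids that ambiguity, e.g. `/* Block size (in bytes) that EDNS0 queries are padded up to; the padding option is only emitted when EDNS0 is active. Remove this define to disable padding. */`. The block size 128 matches what draft-ietf-dprive-padding-policy recommends for queries, and naming the source in the comment would let future maintainers check the value against the spec.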
diff --git a/libc/dns/resolv/res_mkquery.c b/libc/dns/resolv/res_mkquery.c
index c73d588..1b4c4af 100644
--- a/libc/dns/resolv/res_mkquery.c
+++ b/libc/dns/resolv/res_mkquery.c
@@ -269,8 +269,28 @@
}
ns_put16(flags, cp);
cp += INT16SZ;
+#ifdef EDNS0_PADDING
+ {
+ u_int16_t minlen = (cp - buf) + 3 * INT16SZ;
+ u_int16_t extra = minlen % EDNS0_PADDING;
+ u_int16_t padlen = (EDNS0_PADDING - extra) % EDNS0_PADDING;
+ if (minlen > buflen) {
+ return (-1);
+ }
+ padlen = MIN(padlen, buflen - minlen);
+ ns_put16(padlen + 2 * INT16SZ, cp); /* RDLEN */
+ cp += INT16SZ;
+ ns_put16(NS_OPT_PADDING, cp); /* OPTION-CODE */
+ cp += INT16SZ;
+ ns_put16(padlen, cp); /* OPTION-LENGTH */
+ cp += INT16SZ;
+ memset(cp, 0, padlen);
+ cp += padlen;
+ }
+#else
ns_put16(0, cp); /* RDLEN */
cp += INT16SZ;
+#endif
hp->arcount = htons(ntohs(hp->arcount) + 1);
return (cp - buf);
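Review bot: `minlen` and `padlen` at the top of the `#ifdef EDNS0_PADDING` block are `u_int16_t`, so `(cp - buf) + 3 * INT16SZ` is narrowed before the `minlen > buflen` bound check runs, and `MIN(padlen, buflen - minlen)` then mixes that unsigned type with signed `buflen` arithmetic; declaring both with the same type as `buflen` (which appears to be `int` — its declaration is outside the hunk) keeps the bound check valid for any buffer size and avoids sign-compare warnings, e.g. `int minlen = (int)(cp - buf) + 3 * INT16SZ;` and `int padlen = (EDNS0_PADDING - minlen % EDNS0_PADDING) % EDNS0_PADDING;`. Nothing in the block itself ties the padding to an encrypted transport; that depends on callers only enabling EDNS0 in DNS-over-TLS mode, as the commit message says, and a comment should record that dependency so a later caller does not silently add padding to cleartext queries where it buys nothing. The block also lacks a statement of what it builds, e.g. `/* Emit one Padding option (RFC 7830) sized so the whole message is a multiple of EDNS0_PADDING bytes; when buf is too small, pad only up to buflen. */`. The enclosing function starts before the hunk.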
diff --git a/libc/include/arpa/nameser.h b/libc/include/arpa/nameser.h
index ffb5250..e0b5c45 100644
--- a/libc/include/arpa/nameser.h
+++ b/libc/include/arpa/nameser.h
@@ -474,6 +474,7 @@
*/
#define NS_OPT_DNSSEC_OK 0x8000U
#define NS_OPT_NSID 3
+#define NS_OPT_PADDING 12
/*
* Inline versions of get/put short/long. Pointer is advanced.
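Review bot: `#define NS_OPT_PADDING 12` is added with no reference, while the neighbouring option codes are equally bare and the value is the IANA-registered EDNS(0) option code for Padding from RFC 7830. A trailing comment, `#define NS_OPT_PADDING 12 /* RFC 7830 EDNS(0) Padding */`, lets a reader verify the constant against the registry without consulting the commit history.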