Bug 1689474 - Update ODoH to draft-04 and make CNAME work r=necko-reviewers,valentin

Differential Revision: https://phabricator.services.mozilla.com/D103816
2024-11-24 21:31:04 +00:00 · 2021-02-04 08:05:45 +00:00 · 2021-02-04 08:05:45 +00:00 · a3582caf5e
commit a3582caf5e
parent b6cdc22e2b
6 changed files with 43 additions and 22 deletions
--- a/netwerk/dns/DNS.h
+++ b/netwerk/dns/DNS.h
@ -151,7 +151,7 @@ union NetAddr {
  bool ToStringBuffer(char* buf, uint32_t bufSize) const;
 };

-#define ODOH_VERSION 0xff03
+#define ODOH_VERSION 0xff04
 static const char kODoHQuery[] = "odoh query";
 static const char hODoHConfigID[] = "odoh key id";
 static const char kODoHSecret[] = "odoh secret";
--- a/netwerk/dns/DNSPacket.cpp
+++ b/netwerk/dns/DNSPacket.cpp
@ -1139,6 +1139,8 @@ bool ODoHDNSPacket::ParseODoHConfigs(const nsCString& aRawODoHConfig,
            static_cast<HpkeKdfId>(config.mContents.mKdfId),
            static_cast<HpkeAeadId>(config.mContents.mAeadId)) == SECSuccess) {
      result.AppendElement(std::move(config));
+    } else {
+      LOG(("ODoHDNSPacket::ParseODoHConfigs got an invalid config"));
    }
  }

@ -1164,7 +1166,8 @@ nsresult ODoHDNSPacket::EncodeRequest(nsCString& aBody, const nsACString& aHost,
  const ObliviousDoHConfig& config = (*gODoHService->ODoHConfigs())[0];

  ObliviousDoHMessage message;
-  if (!EncryptDNSQuery(queryBody, 2, config, message)) {
+  // The spec didn't recommand padding length for encryption, let's use 0 here.
+  if (!EncryptDNSQuery(queryBody, 0, config, message)) {
    return NS_ERROR_FAILURE;
  }

@ -1285,29 +1288,40 @@ nsresult ODoHDNSPacket::Decode(
    TypeRecordResultType& aTypeResult,
    nsClassHashtable<nsCStringHashKey, DOHresp>& aAdditionalRecords,
    uint32_t& aTTL) {
-  if (!DecryptDNSResponse()) {
-    return NS_ERROR_FAILURE;
-  }
+  // This function could be called multiple times when we are checking CNAME
+  // records, but we only need to decrypt the response once.
+  if (!mDecryptedResponseRange) {
+    if (!DecryptDNSResponse()) {
+      return NS_ERROR_FAILURE;
+    }

-  uint32_t index = 0;
-  uint16_t responseLength = get16bit(mResponse, index);
-  index += 2;
+    uint32_t index = 0;
+    uint16_t responseLength = get16bit(mResponse, index);
+    index += 2;

-  if (mBodySize < (index + responseLength)) {
-    return NS_ERROR_ILLEGAL_VALUE;
-  }
-  unsigned char* plainResponse = &mResponse[index];
-  index += responseLength;
+    if (mBodySize < (index + responseLength)) {
+      return NS_ERROR_ILLEGAL_VALUE;
+    }

-  uint16_t paddingLen = get16bit(mResponse, index);
+    DecryptedResponseRange range;
+    range.mStart = index;
+    range.mLength = responseLength;

-  if (static_cast<unsigned int>(4 + responseLength + paddingLen) != mBodySize) {
-    return NS_ERROR_ILLEGAL_VALUE;
+    index += responseLength;
+    uint16_t paddingLen = get16bit(mResponse, index);
+
+    if (static_cast<unsigned int>(4 + responseLength + paddingLen) !=
+        mBodySize) {
+      return NS_ERROR_ILLEGAL_VALUE;
+    }
+
+    mDecryptedResponseRange.emplace(range);
  }

  return DecodeInternal(aHost, aType, aCname, aAllowRFC1918, aReason, aResp,
-                        aTypeResult, aAdditionalRecords, aTTL, plainResponse,
-                        responseLength);
+                        aTypeResult, aAdditionalRecords, aTTL,
+                        &mResponse[mDecryptedResponseRange->mStart],
+                        mDecryptedResponseRange->mLength);
 }

 static bool CreateObliviousDoHMessage(const unsigned char* aData,
@ -1395,7 +1409,7 @@ static SECStatus HKDFExpand(PK11SymKey* aPrk, const SECItem* aInfo,
 bool ODoHDNSPacket::DecryptDNSResponse() {
  ObliviousDoHMessage message;
  if (!CreateObliviousDoHMessage(mResponse, mBodySize, message)) {
-    LOG(("ODoHDNSPacket::DecryptDNSResponse invalid responce"));
+    LOG(("ODoHDNSPacket::DecryptDNSResponse invalid response"));
    return false;
  }

--- a/netwerk/dns/DNSPacket.h
+++ b/netwerk/dns/DNSPacket.h
@ -5,6 +5,7 @@
 #ifndef mozilla_net_DNSPacket_h__
 #define mozilla_net_DNSPacket_h__

+#include "mozilla/Maybe.h"
 #include "mozilla/Result.h"
 #include "nsHostResolver.h"
 #include "pk11pub.h"
@ -80,7 +81,7 @@ class DNSPacket {

 class ODoHDNSPacket final : public DNSPacket {
 public:
-  ODoHDNSPacket() {}
+  ODoHDNSPacket() = default;
  virtual ~ODoHDNSPacket();

  static bool ParseODoHConfigs(const nsCString& aRawODoHConfig,
@ -104,6 +105,12 @@ class ODoHDNSPacket final : public DNSPacket {

  HpkeContext* mContext = nullptr;
  UniqueSECItem mPlainQuery;
+  // This struct indicates the range of decrypted responses stored in mResponse.
+  struct DecryptedResponseRange {
+    uint16_t mStart = 0;
+    uint16_t mLength = 0;
+  };
+  Maybe<DecryptedResponseRange> mDecryptedResponseRange;
 };

 }  // namespace net
--- a/testing/xpcshell/odoh-wasm/Cargo.toml
+++ b/testing/xpcshell/odoh-wasm/Cargo.toml
@ -14,7 +14,7 @@ default = ["console_error_panic_hook"]

 [dependencies]
 wasm-bindgen = "0.2.63"
-odoh-rs = "=0.1.6"
+odoh-rs = "=0.1.8"
 hpke = "0.4.3"
 js-sys = "0.3"
 hex = "0.4"
--- a/testing/xpcshell/odoh-wasm/pkg/odoh_wasm_bg.wasm
+++ b/testing/xpcshell/odoh-wasm/pkg/odoh_wasm_bg.wasm
--- a/testing/xpcshell/odoh-wasm/src/lib.rs
+++ b/testing/xpcshell/odoh-wasm/src/lib.rs
@ -70,7 +70,7 @@ pub fn get_odoh_config() -> js_sys::Uint8Array {
    let public_key_bytes = key_pair.public_key.public_key;
    let length_bytes = (public_key_bytes.len() as u16).to_be_bytes();
    let odoh_config_length = 12 + public_key_bytes.len();
-    let version = 0xff03;
+    let version = 0xff04;
    let odoh_contents_length = 8 + public_key_bytes.len();
    let kem_id = 0x0020; // DHKEM(X25519, HKDF-SHA256)
    let kdf_id = 0x0001; // KDF(SHA-256)