Merge pull request #302 from jelu/release/2.2.0

Release/2.2.0

CHANGES

@@ -1,3 +1,27 @@
+2023-08-23 Jerry Lundström
+
+ Release 2.2.0
+
+ This release adds anonymization of EDNS Client Subnet to all
+ anonymizer plugins and improves TCP state handling by adding a hash
+ table for lookup rather than walking a list.
+
+ Plugins that anonymize can now take two new options:
+ - `-e`: also anonymize EDNS Client Subnet
+ - `-E`: only anonymize EDNS Client Subnet
+
+ Other changes:
+ - Cleanup and improvements to building and testing
+ - Mention PowerTools repository for building on CentOS etc
+ - Remove old workarounds in tests before #133
+
+ d4e0b2c TCP state hash table
+ 1ea8d3f Doc
+ 12ea061 EDNS Client Subnet anonymization
+ c9ed7be pcap-dist
+ b76f745 Cleanup
+ 7682d41 hashtbl
+
 2023-06-27 Jerry Lundström
 
  Release 2.1.3

README.md

@@ -39,7 +39,7 @@ To install the dependencies under Debian/Ubuntu:
 apt-get install -y libpcap-dev libldns-dev zlib1g-dev libyaml-perl libssl-dev
 ```
 
-To install the dependencies under CentOS (with EPEL enabled):
+To install the dependencies under CentOS (with EPEL/PowerTools enabled):
 ```
 yum install -y libpcap-devel ldns-devel openssl-devel zlib-devel perl-YAML
 ```

configure.ac

@@ -33,7 +33,7 @@
 # POSSIBILITY OF SUCH DAMAGE.
 
 AC_PREREQ(2.61)
-AC_INIT([dnscap], [2.1.3], [[email protected]], [dnscap], [https://github.com/DNS-OARC/dnscap/issues])
+AC_INIT([dnscap], [2.2.0], [[email protected]], [dnscap], [https://github.com/DNS-OARC/dnscap/issues])
 AM_INIT_AUTOMAKE([-Wall -Werror foreign subdir-objects])
 AC_CONFIG_SRCDIR([src/dnscap.c])
 AC_CONFIG_HEADER([src/config.h])

debian/changelog

@@ -1,3 +1,29 @@
+dnscap (2.2.0-1~unstable+1) unstable; urgency=low
+
+ * Release 2.2.0
+
+ This release adds anonymization of EDNS Client Subnet to all
+ anonymizer plugins and improves TCP state handling by adding a hash
+ table for lookup rather than walking a list.
+
+ Plugins that anonymize can now take two new options:
+ - `-e`: also anonymize EDNS Client Subnet
+ - `-E`: only anonymize EDNS Client Subnet
+
+ Other changes:
+ - Cleanup and improvements to building and testing
+ - Mention PowerTools repository for building on CentOS etc
+ - Remove old workarounds in tests before #133
+
+ d4e0b2c TCP state hash table
+ 1ea8d3f Doc
+ 12ea061 EDNS Client Subnet anonymization
+ c9ed7be pcap-dist
+ b76f745 Cleanup
+ 7682d41 hashtbl
+
+ -- Jerry Lundström <[email protected]> Wed, 23 Aug 2023 13:59:21 +0200
+
 dnscap (2.1.3-1~unstable+1) unstable; urgency=low
 
  * Release 2.1.3

debian/copyright

@@ -23,6 +23,10 @@ Files: m4/*
 Copyright: 2011 Free Software Foundation, Inc.
 License: FSF
 
+Files: src/ext/lookup3.c
+Copyright: 2006 Bob Jenkins
+License: Public Domain
+
 License: ISC
  Permission to use, copy, modify, and/or distribute this software for any
  purpose with or without fee is hereby granted, provided that the above
@@ -89,3 +93,6 @@ License: FSF
  This file is free software; the Free Software Foundation gives
  unlimited permission to copy and/or distribute it, with or without
  modifications, as long as this notice is preserved.
+
+License: Public Domain
+ Public Domain.

plugins/Makefile.am

@@ -3,4 +3,4 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 SUBDIRS = pcapdump rssm txtout rzkeychange royparse anonmask ipcrypt \
  anonaes128 cryptopan cryptopant eventlog
 
-EXTRA_DIST = template
+EXTRA_DIST = template shared

plugins/anonaes128/Makefile.am

@@ -1,9 +1,10 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-CLEANFILES = *.gcda *.gcno *.gcov
+CLEANFILES = *.gcda *.gcno *.gcov *.pcap-dist
 
 AM_CFLAGS = -I$(srcdir) \
  -I$(top_srcdir)/src \
  -I$(top_srcdir)/isc \
+ -I$(top_srcdir)/plugins/shared \
  $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
 
 pkglib_LTLIBRARIES = anonaes128.la

plugins/anonaes128/anonaes128.c

@@ -42,6 +42,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <netinet/in.h>
 
 #include "dnscap_common.h"
 
@@ -50,12 +51,13 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #define USE_OPENSSL 1
+#include "edns0_ecs.c"
 #endif
 
 static set_iaddr_t anonaes128_set_iaddr = 0;
 
 static logerr_t* logerr;
-static int only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v4 = 0, decrypt = 0;
+static int only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v4 = 0, decrypt = 0, edns = 0;
 static unsigned char key[16];
 static unsigned char iv[16];
 #ifdef USE_OPENSSL
@@ -86,7 +88,9 @@ void anonaes128_usage()
  "\t-c Only en/de-crypt clients (port != 53)\n"
  "\t-s Only en/de-crypt servers (port == 53)\n"
  "\t-p <port> Set port for -c/-s, default 53\n"
- "\t-4 Encrypt IPv4 addresses, not default or recommended\n");
+ "\t-4 Encrypt IPv4 addresses, not default or recommended\n"
+ "\t-e Also en/de-crypt EDNS(0) Client Subnet\n"
+ "\t-E ONLY en/de-crypt EDNS(0) Client Subnet, not IP addresses\n");
 }
 
 void anonaes128_extension(int ext, void* arg)
@@ -104,7 +108,7 @@ void anonaes128_getopt(int* argc, char** argv[])
  unsigned long ul;
  char* p;
 
- while ((c = getopt(*argc, *argv, "?k:K:i:I:Dcsp:4")) != EOF) {
+ while ((c = getopt(*argc, *argv, "?k:K:i:I:Dcsp:4eE")) != EOF) {
  switch (c) {
  case 'k':
  if (strlen(optarg) != 16) {
@@ -174,6 +178,13 @@ void anonaes128_getopt(int* argc, char** argv[])
  case '4':
  encrypt_v4 = 1;
  break;
+ case 'e':
+ if (!edns)
+ edns = 1;
+ break;
+ case 'E':
+ edns = -1;
+ break;
  case '?':
  anonaes128_usage();
  if (!optopt || optopt == '?') {
@@ -242,12 +253,66 @@ int anonaes128_close(my_bpftimeval ts)
  return 0;
 }
 
+#ifdef USE_OPENSSL
+void ecs_callback(int family, u_char* buf, size_t len)
+{
+ unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH] = { 0 };
+ int outlen = 0;
+
+ struct in6_addr in6 = IN6ADDR_ANY_INIT;
+
+ switch (family) {
+ case 1: // IPv4
+ if (len > sizeof(struct in_addr))
+ break;
+ if (encrypt_v4) {
+ memcpy(&in6, buf, len);
+ memcpy(((uint8_t*)&in6) + 4, &in6, 4);
+ memcpy(((uint8_t*)&in6) + 8, &in6, 4);
+ memcpy(((uint8_t*)&in6) + 12, &in6, 4);
+ if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (void*)&in6, 16)) {
+ logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+ exit(1);
+ }
+ if (outlen != 16) {
+ logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+ exit(1);
+ }
+ memcpy(buf, outbuf, len);
+ }
+ break;
+ case 2: // IPv6
+ if (len > sizeof(struct in6_addr))
+ break;
+ memcpy(&in6, buf, len);
+ if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (void*)&in6, 16)) {
+ logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+ exit(1);
+ }
+ if (outlen != 16) {
+ logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+ exit(1);
+ }
+ memcpy(buf, outbuf, len);
+ break;
+ default:
+ break;
+ }
+}
+#endif
+
 int anonaes128_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
  unsigned sport, unsigned dport, my_bpftimeval ts,
- const u_char* pkt_copy, const unsigned olen,
- const u_char* payload, const unsigned payloadlen)
+ u_char* pkt_copy, const unsigned olen,
+ u_char* payload, const unsigned payloadlen)
 {
 #ifdef USE_OPENSSL
+ if (edns && flags & DNSCAP_OUTPUT_ISDNS && payload && payloadlen > DNS_MSG_HDR_SZ) {
+ parse_for_edns0_ecs(payload, payloadlen, ecs_callback);
+ if (edns < 0)
+ return 0;
+ }
+
  unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH];
  int outlen = 0;