From b3128652f469e7ca8b95436711c4ef911882e89b Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Sun, 1 Nov 2015 13:51:46 +0900
Subject: [PATCH] add tls_query_padding_blocksize property for getdns_context

This is a parameter to the getdns_context that tells the context how much to pad queries that go out over TLS. It is not yet functional in this commit, but the idea is to pad each outbound query over TLS to a multiple of the requested blocksize. Because we only have a set amount of pre-allocated space for dynamic options (MAXIMUM_UPSTREAM_OPTION_SPACE), we limit the maximum padding blocksize. This is a simplistic padding policy. Suggestions for improved padding policies are welcome!
---
 src/context.c | 29 +++++++++++++++++++
 src/context.h | 1 +
 src/getdns/getdns_extra.h.in | 7 +++++
 src/libgetdns.symbols | 2 ++
 ...tdns_context_set_context_update_callback.h | 25 ++++++++++++++++
 5 files changed, 64 insertions(+)

diff --git a/src/context.c b/src/context.c
index 549c604b..9dd7661e 100644
--- a/src/context.c
+++ b/src/context.c
@@ -882,6 +882,7 @@ getdns_context_create_with_extended_memory_functions(
 result->edns_version = 0;
 result->edns_do_bit = 0;
 result->edns_client_subnet_private = 0;
+ result->tls_query_padding_blocksize = 1; /* default is to not try to pad */
 result-> tls_ctx = NULL;
 result->extension = &result->mini_event.loop;
@@ -1918,6 +1919,26 @@ getdns_context_set_edns_client_subnet_private(struct getdns_context *context, ui
 return GETDNS_RETURN_GOOD;
 } /* getdns_context_set_edns_client_subnet_private */
+/*
+ * getdns_context_set_tls_query_padding_blocksize
+ *
+ */
+getdns_return_t
+getdns_context_set_tls_query_padding_blocksize(struct getdns_context *context, uint16_t value)
+{
+ RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
+ /* only allow values between 0 and MAXIMUM_UPSTREAM_OPTION_SPACE - 4
+ (4 is for the overhead of the option itself) */
+ if (value > MAXIMUM_UPSTREAM_OPTION_SPACE - 4) {
+ return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
+ }
+
+ context->tls_query_padding_blocksize = value;
+
+ dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE);
+
+ return GETDNS_RETURN_GOOD;
+} /* getdns_context_set_tls_query_padding_blocksize */
 /*
 * getdns_context_set_extended_memory_functions
 *
@@ -2995,4 +3016,12 @@ getdns_context_get_edns_client_subnet_private(getdns_context *context, uint8_t*
 return GETDNS_RETURN_GOOD;
 }
+getdns_return_t
+getdns_context_get_tls_query_padding_blocksize(getdns_context *context, uint16_t* value) {
+ RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER);
+ RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER);
+ *value = context->tls_query_padding_blocksize;
+ return GETDNS_RETURN_GOOD;
+}
+
 /* context.c */
diff --git a/src/context.h b/src/context.h
index 5b6620e5..1e489d2d 100644
--- a/src/context.h
+++ b/src/context.h
@@ -158,6 +158,7 @@ struct getdns_context {
 uint8_t edns_do_bit;
 int edns_maximum_udp_payload_size; /* -1 is unset */
 uint8_t edns_client_subnet_private;
+ uint16_t tls_query_padding_blocksize;
 SSL_CTX* tls_ctx;
 getdns_update_callback update_callback;
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 141dcc58..919d6b05 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
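Review bot: The range check in getdns_context_set_tls_query_padding_blocksize admits value == 0, yet the commit describes padding to a multiple of the blocksize and the constructor's default of 1 is commented as "do not pad", so a zero blocksize has no defined meaning and would become a modulo or division by zero once the padding code that uses it lands. Either reject it, `if (value == 0 || value > MAXIMUM_UPSTREAM_OPTION_SPACE - 4) {`, or state in the header comment that 0 is treated like 1. That header comment is currently empty; fill it with the accepted range, that out-of-range values return GETDNS_RETURN_CONTEXT_UPDATE_FAIL, and that GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE is dispatched on success. The getter added in the following hunk has no comment at all and puts `{` on the signature line, unlike the setter and its sibling functions in this file. Whether MAXIMUM_UPSTREAM_OPTION_SPACE - 4 compares cleanly against a uint16_t cannot be seen from this hunk, since the macro's definition and type are outside it.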
@@ -199,6 +199,11 @@ getdns_context_set_edns_client_subnet_private(getdns_context *context, uint8_t v
 getdns_return_t
 getdns_context_get_edns_client_subnet_private(getdns_context *context, uint8_t* value);
+getdns_return_t
+getdns_context_set_tls_query_padding_blocksize(getdns_context *context, uint16_t value);
+getdns_return_t
+getdns_context_get_tls_query_padding_blocksize(getdns_context *context, uint16_t* value);
+
 /**
 * Pretty print the getdns_dict in a given buffer snprintf style.
@@ -373,6 +378,8 @@ typedef enum getdns_tls_authentication_t {
 #define GETDNS_CONTEXT_CODE_TLS_AUTHENTICATION_TEXT "Change related to getdns_context_set_tls_authentication"
 #define GETDNS_CONTEXT_CODE_EDNS_CLIENT_SUBNET_PRIVATE 619
 #define GETDNS_CONTEXT_CODE_EDNS_CLIENT_SUBNET_PRIVATE_TEXT "Change related to getdns_context_set_edns_client_subnet_private"
+#define GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE 620
+#define GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE_TEXT "Change related to getdns_context_set_tls_query_padding_blocksize"
 getdns_return_t
 getdns_context_set_tls_authentication(
diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index 9991f010..39226295 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@@ -26,6 +26,7 @@ getdns_context_get_num_pending_requests
 getdns_context_get_resolution_type
 getdns_context_get_suffix
 getdns_context_get_timeout
+getdns_context_get_tls_query_padding_blocksize
 getdns_context_get_update_callback
 getdns_context_get_upstream_recursive_servers
 getdns_context_process_async
@@ -54,6 +55,7 @@ getdns_context_set_return_dnssec_status
 getdns_context_set_suffix
 getdns_context_set_timeout
 getdns_context_set_tls_authentication
+getdns_context_set_tls_query_padding_blocksize
 getdns_context_set_update_callback
 getdns_context_set_upstream_recursive_servers
 getdns_context_set_use_threads
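Review bot: The two new public prototypes in getdns_extra.h.in carry no documentation, so nothing in the installed header tells an application what the blocksize means, which values are accepted, or that a freshly created context (default 1) sends TLS queries unpadded. A short block comment above the setter should say that the value is the blocksize in bytes to which outbound TLS queries are padded, that values above MAXIMUM_UPSTREAM_OPTION_SPACE - 4 are rejected with GETDNS_RETURN_CONTEXT_UPDATE_FAIL, and that 1 means no padding. It should also carry the caveat the commit message already states, that padding is not yet applied on the wire in this version, so callers do not assume a size-hiding property the library does not yet deliver.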
diff --git a/src/test/check_getdns_context_set_context_update_callback.h b/src/test/check_getdns_context_set_context_update_callback.h
index 6cfef0df..2b5e6674 100644
--- a/src/test/check_getdns_context_set_context_update_callback.h
+++ b/src/test/check_getdns_context_set_context_update_callback.h
@@ -389,6 +389,30 @@
 }
 END_TEST
+ START_TEST (getdns_context_set_context_update_callback_21)
+ {
+ /*
+ * Create a context by calling getdns_context_create()
+ * Define a callback routine for context changes and call getdns_context_set_context_update_callback() so that it gets called when there are context changes
+ * Call getdns_context_set_edns_client_subnet_private() setting to 1
+ * expect: GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE
+ */
+ struct getdns_context *context = NULL;
+ CONTEXT_CREATE(TRUE);
+
+ ASSERT_RC(getdns_context_set_context_update_callback(context, update_callbackfn),
+ GETDNS_RETURN_GOOD, "Return code from getdns_context_set_context_update_callback()");
+
+ expected_changed_item = GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE;
+
+ ASSERT_RC(getdns_context_set_tls_query_padding_blocksize(context, 1400),
+ GETDNS_RETURN_GOOD, "Return code from getdns_context_set_tls_query_padding_blocksize()");
+
+ CONTEXT_DESTROY;
+
+ }
+ END_TEST
+
 Suite *
@@ -416,6 +440,7 @@
 tcase_add_test(tc_pos, getdns_context_set_context_update_callback_18);
 tcase_add_test(tc_pos, getdns_context_set_context_update_callback_19);
 tcase_add_test(tc_pos, getdns_context_set_context_update_callback_20);
+ tcase_add_test(tc_pos, getdns_context_set_context_update_callback_21);
 suite_add_tcase(s, tc_pos);
 return s;
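Review bot: The comment block of getdns_context_set_context_update_callback_21 says `* Call getdns_context_set_edns_client_subnet_private() setting to 1`, copied from the neighbouring case, while the body calls getdns_context_set_tls_query_padding_blocksize(context, 1400); change that line to `* Call getdns_context_set_tls_query_padding_blocksize() setting to 1400`. The test also never reads the value back, so a setter that dispatches the update code but stores nothing would still pass; after the second ASSERT_RC add `uint16_t got = 0;`, a getdns_context_get_tls_query_padding_blocksize(context, &got) call checked with ASSERT_RC, and `ck_assert_int_eq(got, 1400);`. Whether 1400 is within MAXIMUM_UPSTREAM_OPTION_SPACE - 4 cannot be confirmed from this hunk; if it is not, the call returns GETDNS_RETURN_CONTEXT_UPDATE_FAIL and the test fails. A companion case passing an out-of-range value and expecting that failure code would cover the rejection branch, which no test in this commit exercises.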