/*
 * iterator/iter_priv.c - iterative resolver private address and domain store
 *
 * Copyright (c) 2008, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file contains functions to assist the iterator module.
 * Keep track of the private addresses and lookup fast.
 */

#include "config.h"
#include "iterator/iter_priv.h"
#include "util/regional.h"
#include "util/log.h"
#include "util/config_file.h"
#include "util/data/dname.h"
#include "util/data/msgparse.h"
#include "util/net_help.h"
#include "util/storage/dnstree.h"
#include "sldns/str2wire.h"
#include "sldns/sbuffer.h"

/**
 * Allocate an empty private-address / private-domain store.
 * The structure is zero-filled by calloc, gets its own region, and both
 * lookup trees are initialised empty.
 * @return the new store, or NULL when either allocation fails.
 */
struct iter_priv* priv_create(void)
{
	struct iter_priv* store = (struct iter_priv*)calloc(1, sizeof(*store));
	if(store == NULL)
		return NULL;
	store->region = regional_create();
	if(store->region == NULL) {
		/* priv_delete is reused for cleanup, so regional_destroy is
		 * handed a NULL region here -- presumably NULL-safe; confirm
		 * in util/regional.c */
		priv_delete(store);
		return NULL;
	}
	addr_tree_init(&store->a);
	name_tree_init(&store->n);
	return store;
}

/**
 * Release a store made by priv_create: destroys its region, then frees
 * the structure itself.
 * @param priv: store to delete; NULL is accepted and ignored.
 */
void priv_delete(struct iter_priv* priv)
{
	if(priv == NULL)
		return;
	regional_destroy(priv->region);
	free(priv);
}

/**
 * Load the private-address entries of the configuration into the address
 * tree of the store.
 * @param priv: store to fill; nodes are allocated from priv->region.
 * @param cfg: configuration, its private_address string list is read.
 * @return 0 on a parse error or allocation failure (entries inserted
 *	before the failure stay in the tree), 1 on success.
 */
static int read_addrs(struct iter_priv* priv, struct config_file* cfg)
{
	struct config_strlist* item;
	struct addr_tree_node* node;
	struct sockaddr_storage addr;
	socklen_t addrlen;
	int net;

	for(item = cfg->private_address; item != NULL; item = item->next) {
		log_assert(item->str);
		/* a malformed netblock rejects the whole configuration */
		if(!netblockstrtoaddr(item->str, UNBOUND_DNS_PORT, &addr,
			&addrlen, &net)) {
			log_err("cannot parse private-address: %s", item->str);
			return 0;
		}
		node = (struct addr_tree_node*)regional_alloc(priv->region,
			sizeof(*node));
		if(node == NULL) {
			log_err("out of memory");
			return 0;
		}
		/* a failed insert is reported as a duplicate and is not fatal */
		if(!addr_tree_insert(&priv->a, node, &addr, addrlen, net)) {
			verbose(VERB_QUERY, "ignoring duplicate "
				"private-address: %s", item->str);
		}
	}
	return 1;
}

/**
 * Load the private-domain entries of the configuration into the name
 * tree of the store, always with class IN.
 * @param priv: store to fill; names and nodes are allocated from
 *	priv->region.
 * @param cfg: configuration, its private_domain string list is read.
 * @return 0 on a parse error or allocation failure, 1 on success.
 */
static int read_names(struct iter_priv* priv, struct config_file* cfg)
{
	struct config_strlist* item;
	struct name_tree_node* node;
	uint8_t* wire;
	uint8_t* wire_copy;
	size_t wire_len;
	int labels;

	for(item = cfg->private_domain; item != NULL; item = item->next) {
		log_assert(item->str);
		wire = sldns_str2wire_dname(item->str, &wire_len);
		if(wire == NULL) {
			log_err("cannot parse private-domain: %s", item->str);
			return 0;
		}
		labels = dname_count_size_labels(wire, &wire_len);
		/* move the name into the region so it is released together
		 * with the tree; the temporary from the parser is freed
		 * before the copy is checked */
		wire_copy = (uint8_t*)regional_alloc_init(priv->region, wire,
			wire_len);
		free(wire);
		if(wire_copy == NULL) {
			log_err("out of memory");
			return 0;
		}
		node = (struct name_tree_node*)regional_alloc(priv->region,
			sizeof(*node));
		if(node == NULL) {
			log_err("out of memory");
			return 0;
		}
		if(!name_tree_insert(&priv->n, node, wire_copy, wire_len,
			labels, LDNS_RR_CLASS_IN)) {
			verbose(VERB_QUERY, "ignoring duplicate "
				"private-domain: %s", item->str);
		}
	}
	return 1;
}

/**
 * Replace the contents of the store with the private-address and
 * private-domain settings from the configuration.
 * The old contents are discarded before the new ones are read, so a
 * failure leaves the store partially filled and without parent pointers;
 * callers should treat a 0 return as "do not use this store".
 * @param priv: store to (re)fill.
 * @param cfg: configuration to read.
 * @return 1 on success, 0 on failure.
 */
int priv_apply_cfg(struct iter_priv* priv, struct config_file* cfg)
{
	/* drop whatever was loaded before */
	regional_free_all(priv->region);
	addr_tree_init(&priv->a);
	name_tree_init(&priv->n);

	/* addresses first, then names; stop at the first failure */
	if(!read_addrs(priv, cfg) || !read_names(priv, cfg))
		return 0;

	/* make the trees ready for lookups */
	addr_tree_init_parents(&priv->a);
	name_tree_init_parents(&priv->n);
	return 1;
}

/**
 * Test an address against the private-address tree.
 * @param priv: store that holds the address tree.
 * @param addr: address to test.
 * @param addrlen: length of addr.
 * @return nonzero when addr_tree_lookup finds an entry for the address,
 *	0 when it is unlisted.
 */
static int
priv_lookup_addr(struct iter_priv* priv, struct sockaddr_storage* addr,
	socklen_t addrlen)
{
	struct addr_tree_node* hit = addr_tree_lookup(&priv->a, addr, addrlen);
	return hit != NULL;
}

/**
 * Test a name from a packet against the private-domain tree.
 * @param priv: store that holds the name tree.
 * @param pkt: the packet (needed to follow compression pointers).
 * @param name: name to test, as it appears in the packet.
 * @param name_len: uncompressed length of the name.
 * @param dclass: class to test.
 * @return nonzero when the name is listed; 0 when it is unlisted or when
 *	name_len does not fit the local buffer.
 */
static int
priv_lookup_name(struct iter_priv* priv, sldns_buffer* pkt,
	uint8_t* name, size_t name_len, uint16_t dclass)
{
	uint8_t decomp[256];
	size_t len;
	int labs;

	/* an over-long name counts as unlisted, so it gets no exemption */
	if(name_len >= sizeof(decomp))
		return 0;
	dname_pkt_copy(pkt, decomp, name);
	labs = dname_count_size_labels(decomp, &len);
	/* NOTE(review): if log_assert compiles out in release builds this
	 * length agreement is not enforced there -- confirm in util/log.h */
	log_assert(name_len == len);
	if(name_tree_lookup(&priv->n, decomp, len, labs, dclass) != NULL)
		return 1;
	return 0;
}

/**
 * Memory in use by the store.
 * @param priv: store, may be NULL.
 * @return size of the structure plus what its region reports, or 0 for
 *	a NULL store.
 */
size_t priv_get_mem(struct iter_priv* priv)
{
	return priv ? sizeof(*priv) + regional_get_mem(priv->region) : 0;
}

/**
 * Unlink one RR from a msgparse rrset and fix up the rrset bookkeeping
 * (first/last pointers, rr_count, size).
 * @param str: log message; when NULL nothing is logged.
 * @param pkt: packet, used to decompress the owner name for logging.
 * @param rrset: rrset that contains the RR.
 * @param prev: the RR linked before *rr, or NULL when *rr is the first.
 * @param rr: the RR to unlink. The struct stays intact and keeps its next
 *	pointer, so a caller that iterates the list can step past it.
 * @param addr: address being removed, for logging.
 * @param addrlen: length of addr.
 * @return true if no RRs remain in the rrset.
 */
static int
remove_rr(const char* str, sldns_buffer* pkt, struct rrset_parse* rrset,
	struct rr_parse* prev, struct rr_parse** rr,
	struct sockaddr_storage* addr, socklen_t addrlen)
{
	struct rr_parse* victim = *rr;

	/* logging only; the owner name must fit the local buffer */
	if(verbosity >= VERB_QUERY && rrset->dname_len <= LDNS_MAX_DOMAINLEN
		&& str) {
		uint8_t buf[LDNS_MAX_DOMAINLEN+1];
		dname_pkt_copy(pkt, buf, rrset->dname);
		log_name_addr(VERB_QUERY, str, buf, addr, addrlen);
	}

	if(prev)
		prev->next = victim->next;
	else
		rrset->rr_first = victim->next;
	if(rrset->rr_last == victim)
		rrset->rr_last = prev;
	rrset->rr_count--;
	rrset->size -= victim->size;
	return rrset->rr_count == 0;
}

/**
 * Sanitize an rrset against the private-address list: A and AAAA records
 * whose address is listed are unlinked from the rrset.
 *
 * Scope of the filter, as implemented here:
 * - With no private-address configured (empty address tree) nothing is
 *   checked.
 * - An owner name listed under private-domain skips the address check
 *   entirely, so every zone listed there may return private addresses.
 * - Only rrsets of type A and AAAA are inspected; other types pass.
 * - An RR whose rdata length is not INET_SIZE / INET6_SIZE is left in
 *   place, not removed.
 * - AAAA data is looked up as an AF_INET6 address.
 *   NOTE(review): an IPv4-mapped IPv6 answer is therefore matched only if
 *   the address tree holds an IPv6 block that covers it, unless
 *   addr_tree_lookup maps it itself -- confirm, and check the configured
 *   private-address list.
 *
 * @param priv: store with the private addresses and domains.
 * @param pkt: the packet the rrset was parsed from.
 * @param rrset: parsed rrset; RRs may be unlinked from it.
 * @return 1 if every RR was removed (the rrset is entirely bad), else 0.
 */
int priv_rrset_bad(struct iter_priv* priv, sldns_buffer* pkt,
	struct rrset_parse* rrset)
{
	struct rr_parse* cur;
	struct rr_parse* kept = NULL; /* last RR that stayed linked */
	socklen_t salen;

	if(priv->a.count == 0)
		return 0; /* there are no blocked addresses */

	/* a private name is allowed to carry any address */
	if(priv_lookup_name(priv, pkt, rrset->dname, rrset->dname_len,
		ntohs(rrset->rrset_class)))
		return 0;

	/* public name: check every address in the set.
	 * ttl_data appears to be laid out as 4 bytes TTL, 2 bytes rdata
	 * length, then the rdata -- hence the +4 and +4+2 offsets. */
	if(rrset->type == LDNS_RR_TYPE_A) {
		struct sockaddr_storage addr;
		struct sockaddr_in sa;

		salen = (socklen_t)sizeof(sa);
		memset(&sa, 0, salen);
		sa.sin_family = AF_INET;
		sa.sin_port = (in_port_t)htons(UNBOUND_DNS_PORT);
		for(cur = rrset->rr_first; cur; cur = cur->next) {
			if(sldns_read_uint16(cur->ttl_data+4) == INET_SIZE) {
				memmove(&sa.sin_addr, cur->ttl_data+4+2,
					INET_SIZE);
				memmove(&addr, &sa, salen);
				if(priv_lookup_addr(priv, &addr, salen)) {
					if(remove_rr("sanitize: removing public name with private address", pkt, rrset, kept, &cur, &addr, salen))
						return 1;
					/* cur is unlinked but its next pointer
					 * is intact; kept does not advance */
					continue;
				}
			}
			kept = cur;
		}
	} else if(rrset->type == LDNS_RR_TYPE_AAAA) {
		struct sockaddr_storage addr;
		struct sockaddr_in6 sa;

		salen = (socklen_t)sizeof(sa);
		memset(&sa, 0, salen);
		sa.sin6_family = AF_INET6;
		sa.sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT);
		for(cur = rrset->rr_first; cur; cur = cur->next) {
			if(sldns_read_uint16(cur->ttl_data+4) == INET6_SIZE) {
				memmove(&sa.sin6_addr, cur->ttl_data+4+2,
					INET6_SIZE);
				memmove(&addr, &sa, salen);
				if(priv_lookup_addr(priv, &addr, salen)) {
					if(remove_rr("sanitize: removing public name with private address", pkt, rrset, kept, &cur, &addr, salen))
						return 1;
					/* cur is unlinked but its next pointer
					 * is intact; kept does not advance */
					continue;
				}
			}
			kept = cur;
		}
	}
	return 0;
}