xref: /freebsd/contrib/unbound/dns64/dns64.c (revision 46d2f61818f594174cafe31ee338c6e083fa1876)
1 /*
2  * dns64/dns64.c - DNS64 module
3  *
4  * Copyright (c) 2009, Viagénie. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of Viagénie nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
27  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains a module that performs DNS64 query processing.
40  */
41 
42 #include "config.h"
43 #include "dns64/dns64.h"
44 #include "services/cache/dns.h"
45 #include "services/cache/rrset.h"
46 #include "util/config_file.h"
47 #include "util/data/msgreply.h"
48 #include "util/fptr_wlist.h"
49 #include "util/net_help.h"
50 #include "util/regional.h"
51 #include "util/storage/dnstree.h"
52 #include "util/data/dname.h"
53 #include "sldns/str2wire.h"
54 
55 /******************************************************************************
56  *                                                                            *
57  *                             STATIC CONSTANTS                               *
58  *                                                                            *
59  ******************************************************************************/
60 
61 /**
62  * This is the default DNS64 prefix that is used when the dns64 module is listed
63  * in module-config but when the dns64-prefix variable is not present.
64  */
65 static const char DEFAULT_DNS64_PREFIX[] = "64:ff9b::/96";
66 
67 /**
68  * Maximum length of a domain name in a PTR query in the .in-addr.arpa tree.
69  */
70 #define MAX_PTR_QNAME_IPV4 30
71 
72 /**
73  * State of DNS64 processing for a query.
74  */
75 enum dns64_state {
76     DNS64_INTERNAL_QUERY,    /**< Internally-generated query, no DNS64
77                                   processing. */
78     DNS64_NEW_QUERY,         /**< Query for which we're the first module in
79                                   line. */
80     DNS64_SUBQUERY_FINISHED  /**< Query for which we generated a sub-query, and
81                                   for which this sub-query is finished. */
82 };
83 
84 /**
85  * Per-query module-specific state.  For the DNS64 module.
86  */
87 struct dns64_qstate {
88 	/** State of the DNS64 module. */
89 	enum dns64_state state;
90 	/** If the dns64 module started with no_cache bool set in the qstate,
91 	 * a message to tell it to not modify the cache contents, then this
92 	 * is true.  The dns64 module is then free to modify that flag for
93 	 * its own purposes.
94 	 * Otherwise, it is false, the dns64 module was not told to no_cache */
95 	int started_no_cache_store;
96 };
97 
98 /******************************************************************************
99  *                                                                            *
100  *                                 STRUCTURES                                 *
101  *                                                                            *
102  ******************************************************************************/
103 
104 /**
105  * This structure contains module configuration information. One instance of
106  * this structure exists per instance of the module. Normally there is only one
107  * instance of the module.
108  */
109 struct dns64_env {
110     /**
111      * DNS64 prefix address. We're using a full sockaddr instead of just an
112      * in6_addr because we can reuse Unbound's generic string parsing functions.
113      * It will always contain a sockaddr_in6, and only the sin6_addr member will
114      * ever be used.
115      */
116     struct sockaddr_storage prefix_addr;
117 
118     /**
119      * This is always sizeof(sockaddr_in6).
120      */
121     socklen_t prefix_addrlen;
122 
123     /**
124      * This is the CIDR length of the prefix. It needs to be between 0 and 96.
125      */
126     int prefix_net;
127 
128     /**
129      * Tree of names for which AAAA is ignored. always synthesize from A.
130      */
131     rbtree_type ignore_aaaa;
132 };
133 
134 
135 /******************************************************************************
136  *                                                                            *
137  *                             UTILITY FUNCTIONS                              *
138  *                                                                            *
139  ******************************************************************************/
140 
141 /**
142  * Generic macro for swapping two variables.
143  *
144  * \param t Type of the variables. (e.g. int)
145  * \param a First variable.
146  * \param b Second variable.
147  *
148  * \warning Do not attempt something foolish such as swap(int,a++,b++)!
149  */
150 #define swap(t,a,b) do {t x = a; a = b; b = x;} while(0)
151 
152 /**
153  * Reverses a string.
154  *
155  * \param begin Points to the first character of the string.
156  * \param end   Points one past the last character of the string.
157  */
158 static void
reverse(char * begin,char * end)159 reverse(char* begin, char* end)
160 {
161     while ( begin < --end ) {
162         swap(char, *begin, *end);
163         ++begin;
164     }
165 }
166 
167 /**
168  * Convert an unsigned integer to a string. The point of this function is that
169  * of being faster than sprintf().
170  *
171  * \param n The number to be converted.
172  * \param s The result will be written here. Must be large enough, be careful!
173  *
174  * \return The number of characters written.
175  */
176 static int
uitoa(unsigned n,char * s)177 uitoa(unsigned n, char* s)
178 {
179     char* ss = s;
180     do {
181         *ss++ = '0' + n % 10;
182     } while (n /= 10);
183     reverse(s, ss);
184     return ss - s;
185 }
186 
187 /**
188  * Extract an IPv4 address embedded in the IPv6 address \a ipv6 at offset \a
189  * offset (in bits). Note that bits are not necessarily aligned on bytes so we
190  * need to be careful.
191  *
192  * \param ipv6   IPv6 address represented as a 128-bit array in big-endian
193  *               order.
194  * \param ipv6_len length of the ipv6 byte array.
195  * \param offset Index of the MSB of the IPv4 address embedded in the IPv6
196  *               address.
197  */
198 static uint32_t
extract_ipv4(const uint8_t ipv6[],size_t ipv6_len,const int offset)199 extract_ipv4(const uint8_t ipv6[], size_t ipv6_len, const int offset)
200 {
201     uint32_t ipv4 = 0;
202     int i, pos;
203     log_assert(ipv6_len == 16); (void)ipv6_len;
204     log_assert(offset == 32 || offset == 40 || offset == 48 || offset == 56 ||
205         offset == 64 || offset == 96);
206     for(i = 0, pos = offset / 8; i < 4; i++, pos++) {
207         if (pos == 8)
208             pos++;
209         ipv4 = ipv4 << 8;
210         ipv4 |= ipv6[pos];
211     }
212     return ipv4;
213 }
214 
215 /**
216  * Builds the PTR query name corresponding to an IPv4 address. For example,
217  * given the number 3,464,175,361, this will build the string
218  * "\03206\03123\0231\011\07in-addr\04arpa".
219  *
220  * \param ipv4 IPv4 address represented as an unsigned 32-bit number.
221  * \param ptr  The result will be written here. Must be large enough, be
222  *             careful!
223  * \param nm_len length of the ptr buffer.
224  *
225  * \return The number of characters written.
226  */
227 static size_t
ipv4_to_ptr(uint32_t ipv4,char ptr[],size_t nm_len)228 ipv4_to_ptr(uint32_t ipv4, char ptr[], size_t nm_len)
229 {
230     static const char IPV4_PTR_SUFFIX[] = "\07in-addr\04arpa";
231     int i;
232     char* c = ptr;
233     log_assert(nm_len == MAX_PTR_QNAME_IPV4); (void)nm_len;
234 
235     for (i = 0; i < 4; ++i) {
236         *c = uitoa((unsigned int)(ipv4 % 256), c + 1);
237         c += *c + 1;
238 	log_assert(c < ptr+nm_len);
239         ipv4 /= 256;
240     }
241 
242     log_assert(c + sizeof(IPV4_PTR_SUFFIX) <= ptr+nm_len);
243     memmove(c, IPV4_PTR_SUFFIX, sizeof(IPV4_PTR_SUFFIX));
244 
245     return c + sizeof(IPV4_PTR_SUFFIX) - ptr;
246 }
247 
248 /**
249  * Converts an IPv6-related domain name string from a PTR query into an IPv6
250  * address represented as a 128-bit array.
251  *
252  * \param ptr  The domain name. (e.g. "\011[...]\010\012\016\012\03ip6\04arpa")
253  * \param ipv6 The result will be written here, in network byte order.
254  * \param ipv6_len length of the ipv6 byte array.
255  *
256  * \return 1 on success, 0 on failure.
257  */
258 static int
ptr_to_ipv6(const char * ptr,uint8_t ipv6[],size_t ipv6_len)259 ptr_to_ipv6(const char* ptr, uint8_t ipv6[], size_t ipv6_len)
260 {
261     int i;
262     log_assert(ipv6_len == 16); (void)ipv6_len;
263 
264     for (i = 0; i < 64; i++) {
265         int x;
266 
267         if (ptr[i++] != 1)
268             return 0;
269 
270         if (ptr[i] >= '0' && ptr[i] <= '9') {
271             x = ptr[i] - '0';
272         } else if (ptr[i] >= 'a' && ptr[i] <= 'f') {
273             x = ptr[i] - 'a' + 10;
274         } else if (ptr[i] >= 'A' && ptr[i] <= 'F') {
275             x = ptr[i] - 'A' + 10;
276         } else {
277             return 0;
278         }
279 
280         ipv6[15-i/4] |= x << (2 * ((i-1) % 4));
281     }
282 
283     return 1;
284 }
285 
286 /**
287  * Synthesize an IPv6 address based on an IPv4 address and the DNS64 prefix.
288  *
289  * \param prefix_addr DNS64 prefix address.
290  * \param prefix_addr_len length of the prefix_addr buffer.
291  * \param prefix_net  CIDR length of the DNS64 prefix. Must be between 0 and 96.
292  * \param a           IPv4 address.
293  * \param a_len       length of the a buffer.
294  * \param aaaa        IPv6 address. The result will be written here.
295  * \param aaaa_len    length of the aaaa buffer.
296  */
297 static void
synthesize_aaaa(const uint8_t prefix_addr[],size_t prefix_addr_len,int prefix_net,const uint8_t a[],size_t a_len,uint8_t aaaa[],size_t aaaa_len)298 synthesize_aaaa(const uint8_t prefix_addr[], size_t prefix_addr_len,
299 	int prefix_net, const uint8_t a[], size_t a_len, uint8_t aaaa[],
300 	size_t aaaa_len)
301 {
302     size_t i;
303     int pos;
304     log_assert(prefix_addr_len == 16 && a_len == 4 && aaaa_len == 16);
305     log_assert(prefix_net == 32 || prefix_net == 40 || prefix_net == 48 ||
306         prefix_net == 56 || prefix_net == 64 || prefix_net == 96);
307     (void)prefix_addr_len; (void)a_len; (void)aaaa_len;
308     memcpy(aaaa, prefix_addr, 16);
309     for(i = 0, pos = prefix_net / 8; i < a_len; i++, pos++) {
310         if(pos == 8)
311             aaaa[pos++] = 0;
312         aaaa[pos] = a[i];
313     }
314 }
315 
316 
317 /******************************************************************************
318  *                                                                            *
319  *                           DNS64 MODULE FUNCTIONS                           *
320  *                                                                            *
321  ******************************************************************************/
322 
323 /**
324  * insert ignore_aaaa element into the tree
325  * @param dns64_env: module env.
326  * @param str: string with domain name.
327  * @return false on failure.
328  */
329 static int
dns64_insert_ignore_aaaa(struct dns64_env * dns64_env,char * str)330 dns64_insert_ignore_aaaa(struct dns64_env* dns64_env, char* str)
331 {
332 	/* parse and insert element */
333 	struct name_tree_node* node;
334 	node = (struct name_tree_node*)calloc(1, sizeof(*node));
335 	if(!node) {
336 		log_err("out of memory");
337 		return 0;
338 	}
339 	node->name = sldns_str2wire_dname(str, &node->len);
340 	if(!node->name) {
341 		free(node);
342 		log_err("cannot parse dns64-ignore-aaaa: %s", str);
343 		return 0;
344 	}
345 	node->labs = dname_count_labels(node->name);
346 	node->dclass = LDNS_RR_CLASS_IN;
347 	if(!name_tree_insert(&dns64_env->ignore_aaaa, node,
348 		node->name, node->len, node->labs, node->dclass)) {
349 		/* ignore duplicate element */
350 		free(node->name);
351 		free(node);
352 		return 1;
353 	}
354 	return 1;
355 }
356 
357 /**
358  * This function applies the configuration found in the parsed configuration
359  * file \a cfg to this instance of the dns64 module. Currently only the DNS64
360  * prefix (a.k.a. Pref64) is configurable.
361  *
362  * \param dns64_env Module-specific global parameters.
363  * \param cfg       Parsed configuration file.
364  */
365 static int
dns64_apply_cfg(struct dns64_env * dns64_env,struct config_file * cfg)366 dns64_apply_cfg(struct dns64_env* dns64_env, struct config_file* cfg)
367 {
368     struct config_strlist* s;
369     verbose(VERB_ALGO, "dns64-prefix: %s", cfg->dns64_prefix);
370     if (!netblockstrtoaddr(cfg->dns64_prefix ? cfg->dns64_prefix :
371                 DEFAULT_DNS64_PREFIX, 0, &dns64_env->prefix_addr,
372                 &dns64_env->prefix_addrlen, &dns64_env->prefix_net)) {
373         log_err("cannot parse dns64-prefix netblock: %s", cfg->dns64_prefix);
374         return 0;
375     }
376     if (!addr_is_ip6(&dns64_env->prefix_addr, dns64_env->prefix_addrlen)) {
377         log_err("dns64_prefix is not IPv6: %s", cfg->dns64_prefix);
378         return 0;
379     }
380     if (dns64_env->prefix_net != 32 && dns64_env->prefix_net != 40 &&
381             dns64_env->prefix_net != 48 && dns64_env->prefix_net != 56 &&
382             dns64_env->prefix_net != 64 && dns64_env->prefix_net != 96 ) {
383         log_err("dns64-prefix length it not 32, 40, 48, 56, 64 or 96: %s",
384                 cfg->dns64_prefix);
385         return 0;
386     }
387     for(s = cfg->dns64_ignore_aaaa; s; s = s->next) {
388 	    if(!dns64_insert_ignore_aaaa(dns64_env, s->str))
389 		    return 0;
390     }
391     name_tree_init_parents(&dns64_env->ignore_aaaa);
392     return 1;
393 }
394 
395 /**
396  * Initializes this instance of the dns64 module.
397  *
398  * \param env Global state of all module instances.
399  * \param id  This instance's ID number.
400  */
401 int
dns64_init(struct module_env * env,int id)402 dns64_init(struct module_env* env, int id)
403 {
404     struct dns64_env* dns64_env =
405         (struct dns64_env*)calloc(1, sizeof(struct dns64_env));
406     if (!dns64_env) {
407         log_err("malloc failure");
408         return 0;
409     }
410     env->modinfo[id] = (void*)dns64_env;
411     name_tree_init(&dns64_env->ignore_aaaa);
412     if (!dns64_apply_cfg(dns64_env, env->cfg)) {
413         log_err("dns64: could not apply configuration settings.");
414         return 0;
415     }
416     return 1;
417 }
418 
419 /** free ignore AAAA elements */
420 static void
free_ignore_aaaa_node(rbnode_type * node,void * ATTR_UNUSED (arg))421 free_ignore_aaaa_node(rbnode_type* node, void* ATTR_UNUSED(arg))
422 {
423 	struct name_tree_node* n = (struct name_tree_node*)node;
424 	if(!n) return;
425 	free(n->name);
426 	free(n);
427 }
428 
429 /**
430  * Deinitializes this instance of the dns64 module.
431  *
432  * \param env Global state of all module instances.
433  * \param id  This instance's ID number.
434  */
435 void
dns64_deinit(struct module_env * env,int id)436 dns64_deinit(struct module_env* env, int id)
437 {
438     struct dns64_env* dns64_env;
439     if (!env)
440         return;
441     dns64_env = (struct dns64_env*)env->modinfo[id];
442     if(dns64_env) {
443 	    traverse_postorder(&dns64_env->ignore_aaaa, free_ignore_aaaa_node,
444 	    	NULL);
445     }
446     free(env->modinfo[id]);
447     env->modinfo[id] = NULL;
448 }
449 
450 /**
451  * Handle PTR queries for IPv6 addresses. If the address belongs to the DNS64
452  * prefix, we must do a PTR query for the corresponding IPv4 address instead.
453  *
454  * \param qstate Query state structure.
455  * \param id     This module instance's ID number.
456  *
457  * \return The new state of the query.
458  */
459 static enum module_ext_state
handle_ipv6_ptr(struct module_qstate * qstate,int id)460 handle_ipv6_ptr(struct module_qstate* qstate, int id)
461 {
462     struct dns64_env* dns64_env = (struct dns64_env*)qstate->env->modinfo[id];
463     struct module_qstate* subq = NULL;
464     struct query_info qinfo;
465     struct sockaddr_in6 sin6;
466 
467     /* Convert the PTR query string to an IPv6 address. */
468     memset(&sin6, 0, sizeof(sin6));
469     sin6.sin6_family = AF_INET6;
470     if (!ptr_to_ipv6((char*)qstate->qinfo.qname, sin6.sin6_addr.s6_addr,
471 	sizeof(sin6.sin6_addr.s6_addr)))
472         return module_wait_module;  /* Let other module handle this. */
473 
474     /*
475      * If this IPv6 address is not part of our DNS64 prefix, then we don't need
476      * to do anything. Let another module handle the query.
477      */
478     if (addr_in_common((struct sockaddr_storage*)&sin6, 128,
479                 &dns64_env->prefix_addr, dns64_env->prefix_net,
480                 (socklen_t)sizeof(sin6)) != dns64_env->prefix_net)
481         return module_wait_module;
482 
483     verbose(VERB_ALGO, "dns64: rewrite PTR record");
484 
485     /*
486      * Create a new PTR query info for the domain name corresponding to the IPv4
487      * address corresponding to the IPv6 address corresponding to the original
488      * PTR query domain name.
489      */
490     qinfo = qstate->qinfo;
491     if (!(qinfo.qname = regional_alloc(qstate->region, MAX_PTR_QNAME_IPV4)))
492         return module_error;
493     qinfo.qname_len = ipv4_to_ptr(extract_ipv4(sin6.sin6_addr.s6_addr,
494 		sizeof(sin6.sin6_addr.s6_addr), dns64_env->prefix_net),
495 		(char*)qinfo.qname, MAX_PTR_QNAME_IPV4);
496 
497     /* Create the new sub-query. */
498     fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
499     if(!(*qstate->env->attach_sub)(qstate, &qinfo, qstate->query_flags, 0, 0,
500                 &subq))
501         return module_error;
502     if (subq) {
503         subq->curmod = id;
504         subq->ext_state[id] = module_state_initial;
505 	subq->minfo[id] = NULL;
506     }
507 
508     return module_wait_subquery;
509 }
510 
511 static enum module_ext_state
generate_type_A_query(struct module_qstate * qstate,int id)512 generate_type_A_query(struct module_qstate* qstate, int id)
513 {
514 	struct module_qstate* subq = NULL;
515 	struct query_info qinfo;
516 
517 	verbose(VERB_ALGO, "dns64: query A record");
518 
519 	/* Create a new query info. */
520 	qinfo = qstate->qinfo;
521 	qinfo.qtype = LDNS_RR_TYPE_A;
522 
523 	/* Start the sub-query. */
524 	fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
525 	if(!(*qstate->env->attach_sub)(qstate, &qinfo, qstate->query_flags, 0,
526 				       0, &subq))
527 	{
528 		verbose(VERB_ALGO, "dns64: sub-query creation failed");
529 		return module_error;
530 	}
531 	if (subq) {
532 		subq->curmod = id;
533 		subq->ext_state[id] = module_state_initial;
534 		subq->minfo[id] = NULL;
535 	}
536 
537 	return module_wait_subquery;
538 }
539 
540 /**
541  * See if query name is in the always synth config.
542  * The ignore-aaaa list has names for which the AAAA for the domain is
543  * ignored and the A is always used to create the answer.
544  * @param qstate: query state.
545  * @param id: module id.
546  * @return true if the name is covered by ignore-aaaa.
547  */
548 static int
dns64_always_synth_for_qname(struct module_qstate * qstate,int id)549 dns64_always_synth_for_qname(struct module_qstate* qstate, int id)
550 {
551 	struct dns64_env* dns64_env = (struct dns64_env*)qstate->env->modinfo[id];
552 	int labs = dname_count_labels(qstate->qinfo.qname);
553 	struct name_tree_node* node = name_tree_lookup(&dns64_env->ignore_aaaa,
554 		qstate->qinfo.qname, qstate->qinfo.qname_len, labs,
555 		qstate->qinfo.qclass);
556 	return (node != NULL);
557 }
558 
559 /**
560  * Handles the "pass" event for a query. This event is received when a new query
561  * is received by this module. The query may have been generated internally by
562  * another module, in which case we don't want to do any special processing
563  * (this is an interesting discussion topic),  or it may be brand new, e.g.
564  * received over a socket, in which case we do want to apply DNS64 processing.
565  *
566  * \param qstate A structure representing the state of the query that has just
567  *               received the "pass" event.
568  * \param id     This module's instance ID.
569  *
570  * \return The new state of the query.
571  */
572 static enum module_ext_state
handle_event_pass(struct module_qstate * qstate,int id)573 handle_event_pass(struct module_qstate* qstate, int id)
574 {
575 	struct dns64_qstate* iq = (struct dns64_qstate*)qstate->minfo[id];
576 	int synth_all_cfg = qstate->env->cfg->dns64_synthall;
577 	int synth_qname = 0;
578 
579 	if(iq && iq->state == DNS64_NEW_QUERY
580 		&& qstate->qinfo.qtype == LDNS_RR_TYPE_PTR
581 		&& qstate->qinfo.qname_len == 74
582 		&& !strcmp((char*)&qstate->qinfo.qname[64], "\03ip6\04arpa")) {
583 		/* Handle PTR queries for IPv6 addresses. */
584 		return handle_ipv6_ptr(qstate, id);
585 	}
586 
587 	if(iq && iq->state == DNS64_NEW_QUERY &&
588 		qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA &&
589 		(synth_all_cfg ||
590 		(synth_qname=(dns64_always_synth_for_qname(qstate, id)
591 			&& !(qstate->query_flags & BIT_CD))))) {
592 		if(synth_qname)
593 			verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
594 		return generate_type_A_query(qstate, id);
595 	}
596 
597 	/* We are finished when our sub-query is finished. */
598 	if(iq && iq->state == DNS64_SUBQUERY_FINISHED)
599 		return module_finished;
600 
601 	/* Otherwise, pass request to next module. */
602 	verbose(VERB_ALGO, "dns64: pass to next module");
603 	return module_wait_module;
604 }
605 
606 /**
607  * Handles the "done" event for a query. We need to analyze the response and
608  * maybe issue a new sub-query for the A record.
609  *
610  * \param qstate A structure representing the state of the query that has just
611  *               received the "pass" event.
612  * \param id     This module's instance ID.
613  *
614  * \return The new state of the query.
615  */
616 static enum module_ext_state
handle_event_moddone(struct module_qstate * qstate,int id)617 handle_event_moddone(struct module_qstate* qstate, int id)
618 {
619 	struct dns64_qstate* iq = (struct dns64_qstate*)qstate->minfo[id];
620     /*
621      * In many cases we have nothing special to do. From most to least common:
622      *
623      *   - An internal query.
624      *   - A query for a record type other than AAAA.
625      *   - CD FLAG was set on querier
626      *   - An AAAA query for which an error was returned.(qstate.return_rcode)
627      *     -> treated as servfail thus synthesize (sec 5.1.3 6147), thus
628      *        synthesize in (sec 5.1.2 of RFC6147).
629      *   - A successful AAAA query with an answer.
630      */
631 
632 	/* When an AAAA query completes check if we want to perform DNS64
633 	 * synthesis. We skip queries with DNSSEC enabled (!CD) and
634 	 * ones generated by us to retrive the A/PTR record to use for
635 	 * synth. */
636 	int could_synth =
637 		qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA &&
638 		(!iq || iq->state != DNS64_INTERNAL_QUERY) &&
639 		!(qstate->query_flags & BIT_CD);
640 	int has_data = /* whether query returned non-empty rrset */
641 		qstate->return_msg &&
642 		qstate->return_msg->rep &&
643 		reply_find_answer_rrset(&qstate->qinfo, qstate->return_msg->rep);
644 	int synth_qname = 0;
645 
646 	if(could_synth &&
647 		(!has_data ||
648 		(synth_qname=dns64_always_synth_for_qname(qstate, id)))) {
649 		if(synth_qname)
650 			verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
651 		return generate_type_A_query(qstate, id);
652 	}
653 
654 	/* Store the response in cache. */
655 	if( (!iq || !iq->started_no_cache_store) &&
656 		qstate->return_msg &&
657 		qstate->return_msg->rep &&
658 		!dns_cache_store(
659 			qstate->env, &qstate->qinfo, qstate->return_msg->rep,
660 			0, qstate->prefetch_leeway, 0, NULL,
661 			qstate->query_flags, qstate->qstarttime))
662 		log_err("out of memory");
663 
664 	/* do nothing */
665 	return module_finished;
666 }
667 
668 /**
669  * This is the module's main() function. It gets called each time a query
670  * receives an event which we may need to handle. We respond by updating the
671  * state of the query.
672  *
673  * \param qstate   Structure containing the state of the query.
674  * \param event    Event that has just been received.
675  * \param id       This module's instance ID.
676  * \param outbound State of a DNS query on an authoritative server. We never do
677  *                 our own queries ourselves (other modules do it for us), so
678  *                 this is unused.
679  */
680 void
dns64_operate(struct module_qstate * qstate,enum module_ev event,int id,struct outbound_entry * outbound)681 dns64_operate(struct module_qstate* qstate, enum module_ev event, int id,
682 		struct outbound_entry* outbound)
683 {
684 	struct dns64_qstate* iq;
685 	(void)outbound;
686 	verbose(VERB_QUERY, "dns64[module %d] operate: extstate:%s event:%s",
687 			id, strextstate(qstate->ext_state[id]),
688 			strmodulevent(event));
689 	log_query_info(VERB_QUERY, "dns64 operate: query", &qstate->qinfo);
690 
691 	switch(event) {
692 		case module_event_new:
693 			/* Tag this query as being new and fall through. */
694 			if (!(iq = (struct dns64_qstate*)regional_alloc(
695 				qstate->region, sizeof(*iq)))) {
696 				log_err("out of memory");
697 				qstate->ext_state[id] = module_error;
698 				return;
699 			}
700 			qstate->minfo[id] = iq;
701 			iq->state = DNS64_NEW_QUERY;
702 			iq->started_no_cache_store = qstate->no_cache_store;
703 			qstate->no_cache_store = 1;
704 			ATTR_FALLTHROUGH
705   			/* fallthrough */
706 		case module_event_pass:
707 			qstate->ext_state[id] = handle_event_pass(qstate, id);
708 			break;
709 		case module_event_moddone:
710 			qstate->ext_state[id] = handle_event_moddone(qstate, id);
711 			break;
712 		default:
713 			qstate->ext_state[id] = module_finished;
714 			break;
715 	}
716 	if(qstate->ext_state[id] == module_finished) {
717 		iq = (struct dns64_qstate*)qstate->minfo[id];
718 		if(iq && iq->state != DNS64_INTERNAL_QUERY)
719 			qstate->no_cache_store = iq->started_no_cache_store;
720 	}
721 }
722 
723 static void
dns64_synth_aaaa_data(const struct ub_packed_rrset_key * fk,const struct packed_rrset_data * fd,struct ub_packed_rrset_key * dk,struct packed_rrset_data ** dd_out,struct regional * region,struct dns64_env * dns64_env)724 dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
725 		      const struct packed_rrset_data* fd,
726 		      struct ub_packed_rrset_key *dk,
727 		      struct packed_rrset_data **dd_out, struct regional *region,
728 		      struct dns64_env* dns64_env )
729 {
730 	struct packed_rrset_data *dd;
731 	size_t i;
732 	/*
733 	 * Create synthesized AAAA RR set data. We need to allocated extra memory
734 	 * for the RRs themselves. Each RR has a length, TTL, pointer to wireformat
735 	 * data, 2 bytes of data length, and 16 bytes of IPv6 address.
736 	 */
737 	if(fd->count > RR_COUNT_MAX) {
738 		*dd_out = NULL;
739 		return; /* integer overflow protection in alloc */
740 	}
741 	if (!(dd = *dd_out = regional_alloc_zero(region,
742 		  sizeof(struct packed_rrset_data)
743 		  + fd->count * (sizeof(size_t) + sizeof(time_t) +
744 			     sizeof(uint8_t*) + 2 + 16)))) {
745 		log_err("out of memory");
746 		return;
747 	}
748 
749 	/* Copy attributes from A RR set. */
750 	dd->ttl = fd->ttl;
751 	dd->count = fd->count;
752 	dd->rrsig_count = 0;
753 	dd->trust = fd->trust;
754 	dd->security = fd->security;
755 
756 	/*
757 	 * Synthesize AAAA records. Adjust pointers in structure.
758 	 */
759 	dd->rr_len =
760 	    (size_t*)((uint8_t*)dd + sizeof(struct packed_rrset_data));
761 	dd->rr_data = (uint8_t**)&dd->rr_len[dd->count];
762 	dd->rr_ttl = (time_t*)&dd->rr_data[dd->count];
763 	for(i = 0; i < fd->count; ++i) {
764 		if (fd->rr_len[i] != 6 || fd->rr_data[i][0] != 0
765 		    || fd->rr_data[i][1] != 4) {
766 			*dd_out = NULL;
767 			return;
768 		}
769 		dd->rr_len[i] = 18;
770 		dd->rr_data[i] =
771 		    (uint8_t*)&dd->rr_ttl[dd->count] + 18*i;
772 		dd->rr_data[i][0] = 0;
773 		dd->rr_data[i][1] = 16;
774 		synthesize_aaaa(
775 				((struct sockaddr_in6*)&dns64_env->prefix_addr)->sin6_addr.s6_addr,
776 				sizeof(((struct sockaddr_in6*)&dns64_env->prefix_addr)->sin6_addr.s6_addr),
777 				dns64_env->prefix_net, &fd->rr_data[i][2],
778 				fd->rr_len[i]-2, &dd->rr_data[i][2],
779 				dd->rr_len[i]-2);
780 		dd->rr_ttl[i] = fd->rr_ttl[i];
781 	}
782 
783 	/*
784 	 * Create synthesized AAAA RR set key. This is mostly just bookkeeping,
785 	 * nothing interesting here.
786 	 */
787 	if(!dk) {
788 		log_err("no key");
789 		*dd_out = NULL;
790 		return;
791 	}
792 
793 	dk->rk.dname = (uint8_t*)regional_alloc_init(region,
794 		     fk->rk.dname, fk->rk.dname_len);
795 
796 	if(!dk->rk.dname) {
797 		log_err("out of memory");
798 		*dd_out = NULL;
799 		return;
800 	}
801 
802 	dk->rk.type = htons(LDNS_RR_TYPE_AAAA);
803 	memset(&dk->entry, 0, sizeof(dk->entry));
804 	dk->entry.key = dk;
805 	dk->entry.hash = rrset_key_hash(&dk->rk);
806 	dk->entry.data = dd;
807 
808 }
809 
810 /**
811  * Synthesize an AAAA RR set from an A sub-query's answer and add it to the
812  * original empty response.
813  *
814  * \param id     This module's instance ID.
815  * \param super  Original AAAA query.
816  * \param qstate A query.
817  */
818 static void
dns64_adjust_a(int id,struct module_qstate * super,struct module_qstate * qstate)819 dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate)
820 {
821 	struct dns64_env* dns64_env = (struct dns64_env*)super->env->modinfo[id];
822 	struct reply_info *rep, *cp;
823 	size_t i, s;
824 	struct packed_rrset_data* fd, *dd;
825 	struct ub_packed_rrset_key* fk, *dk;
826 
827 	verbose(VERB_ALGO, "converting A answers to AAAA answers");
828 
829 	log_assert(super->region);
830 	log_assert(qstate->return_msg);
831 	log_assert(qstate->return_msg->rep);
832 
833 	/* If dns64-synthall is enabled, return_msg is not initialized */
834 	if(!super->return_msg) {
835 		super->return_msg = (struct dns_msg*)regional_alloc(
836 		    super->region, sizeof(struct dns_msg));
837 		if(!super->return_msg)
838 			return;
839 		memset(super->return_msg, 0, sizeof(*super->return_msg));
840 		super->return_msg->qinfo = super->qinfo;
841 	}
842 
843 	rep = qstate->return_msg->rep;
844 
845 	/*
846 	 * Build the actual reply.
847 	 */
848 	cp = construct_reply_info_base(super->region, rep->flags, rep->qdcount,
849 		rep->ttl, rep->prefetch_ttl, rep->serve_expired_ttl,
850 		rep->serve_expired_norec_ttl,
851 		rep->an_numrrsets, rep->ns_numrrsets, rep->ar_numrrsets,
852 		rep->rrset_count, rep->security, LDNS_EDE_NONE);
853 	if(!cp)
854 		return;
855 
856 	/* allocate ub_key structures special or not */
857 	if(!reply_info_alloc_rrset_keys(cp, NULL, super->region)) {
858 		return;
859 	}
860 
861 	/* copy everything and replace A by AAAA */
862 	for(i=0; i<cp->rrset_count; i++) {
863 		fk = rep->rrsets[i];
864 		dk = cp->rrsets[i];
865 		fd = (struct packed_rrset_data*)fk->entry.data;
866 		dk->rk = fk->rk;
867 		dk->id = fk->id;
868 
869 		if(i<rep->an_numrrsets && fk->rk.type == htons(LDNS_RR_TYPE_A)) {
870 			/* also sets dk->entry.hash */
871 			dns64_synth_aaaa_data(fk, fd, dk, &dd, super->region, dns64_env);
872 			if(!dd)
873 				return;
874 			/* Delete negative AAAA record from cache stored by
875 			 * the iterator module */
876 			rrset_cache_remove(super->env->rrset_cache, dk->rk.dname,
877 					   dk->rk.dname_len, LDNS_RR_TYPE_AAAA,
878 					   LDNS_RR_CLASS_IN, 0);
879 			/* Delete negative AAAA in msg cache for CNAMEs,
880 			 * stored by the iterator module */
881 			if(i != 0) /* if not the first RR */
882 			    msg_cache_remove(super->env, dk->rk.dname,
883 				dk->rk.dname_len, LDNS_RR_TYPE_AAAA,
884 				LDNS_RR_CLASS_IN, 0);
885 		} else {
886 			dk->entry.hash = fk->entry.hash;
887 			dk->rk.dname = (uint8_t*)regional_alloc_init(super->region,
888 				fk->rk.dname, fk->rk.dname_len);
889 
890 			if(!dk->rk.dname)
891 				return;
892 
893 			s = packed_rrset_sizeof(fd);
894 			dd = (struct packed_rrset_data*)regional_alloc_init(
895 				super->region, fd, s);
896 
897 			if(!dd)
898 				return;
899 		}
900 
901 		packed_rrset_ptr_fixup(dd);
902 		dk->entry.data = (void*)dd;
903 	}
904 
905 	/* Commit changes. */
906 	super->return_msg->rep = cp;
907 }
908 
909 /**
910  * Generate a response for the original IPv6 PTR query based on an IPv4 PTR
911  * sub-query's response.
912  *
913  * \param qstate IPv4 PTR sub-query.
914  * \param super  Original IPv6 PTR query.
915  */
916 static void
dns64_adjust_ptr(struct module_qstate * qstate,struct module_qstate * super)917 dns64_adjust_ptr(struct module_qstate* qstate, struct module_qstate* super)
918 {
919     struct ub_packed_rrset_key* answer;
920 
921     verbose(VERB_ALGO, "adjusting PTR reply");
922 
923     /* Copy the sub-query's reply to the parent. */
924     if (!(super->return_msg = (struct dns_msg*)regional_alloc(super->region,
925                     sizeof(struct dns_msg))))
926         return;
927     super->return_msg->qinfo = super->qinfo;
928     if (!(super->return_msg->rep = reply_info_copy(qstate->return_msg->rep,
929                     NULL, super->region)))
930         return;
931 
932     /*
933      * Adjust the domain name of the answer RR set so that it matches the
934      * initial query's domain name.
935      */
936     answer = reply_find_answer_rrset(&qstate->qinfo, super->return_msg->rep);
937     if(answer) {
938 	    answer->rk.dname = super->qinfo.qname;
939 	    answer->rk.dname_len = super->qinfo.qname_len;
940     }
941 }
942 
943 /**
944  * This function is called when a sub-query finishes to inform the parent query.
945  *
946  * We issue two kinds of sub-queries: PTR and A.
947  *
948  * \param qstate State of the sub-query.
949  * \param id     This module's instance ID.
950  * \param super  State of the super-query.
951  */
952 void
dns64_inform_super(struct module_qstate * qstate,int id,struct module_qstate * super)953 dns64_inform_super(struct module_qstate* qstate, int id,
954 		struct module_qstate* super)
955 {
956 	struct dns64_qstate* super_dq = (struct dns64_qstate*)super->minfo[id];
957 	log_query_info(VERB_ALGO, "dns64: inform_super, sub is",
958 		       &qstate->qinfo);
959 	log_query_info(VERB_ALGO, "super is", &super->qinfo);
960 
961 	/*
962 	 * Signal that the sub-query is finished, no matter whether we are
963 	 * successful or not. This lets the state machine terminate.
964 	 */
965 	if(!super_dq) {
966 		super_dq = (struct dns64_qstate*)regional_alloc(super->region,
967 			sizeof(*super_dq));
968 		if(!super_dq) {
969 			log_err("out of memory");
970 			super->return_rcode = LDNS_RCODE_SERVFAIL;
971 			super->return_msg = NULL;
972 			return;
973 		}
974 		super->minfo[id] = super_dq;
975 		memset(super_dq, 0, sizeof(*super_dq));
976 		super_dq->started_no_cache_store = super->no_cache_store;
977 	}
978 	super_dq->state = DNS64_SUBQUERY_FINISHED;
979 
980 	/* If there is no successful answer, we're done.
981 	 * Guarantee that we have at least a NOERROR reply further on. */
982 	if(qstate->return_rcode != LDNS_RCODE_NOERROR
983 		|| !qstate->return_msg
984 		|| !qstate->return_msg->rep) {
985 		return;
986 	}
987 
988 	/* When no A record is found for synthesis fall back to AAAA again. */
989 	if(qstate->qinfo.qtype == LDNS_RR_TYPE_A &&
990 		!reply_find_answer_rrset(&qstate->qinfo,
991 			qstate->return_msg->rep)) {
992 		super_dq->state = DNS64_INTERNAL_QUERY;
993 		return;
994 	}
995 
996 	/* Use return code from A query in response to client. */
997 	if (super->return_rcode != LDNS_RCODE_NOERROR)
998 		super->return_rcode = qstate->return_rcode;
999 
1000 	/* Generate a response suitable for the original query. */
1001 	if (qstate->qinfo.qtype == LDNS_RR_TYPE_A) {
1002 		dns64_adjust_a(id, super, qstate);
1003 	} else {
1004 		log_assert(qstate->qinfo.qtype == LDNS_RR_TYPE_PTR);
1005 		dns64_adjust_ptr(qstate, super);
1006 	}
1007 
1008 	/* Store the generated response in cache. */
1009 	if ( (!super_dq || !super_dq->started_no_cache_store) &&
1010 		!dns_cache_store(super->env, &super->qinfo, super->return_msg->rep,
1011 		0, super->prefetch_leeway, 0, NULL, super->query_flags, qstate->qstarttime))
1012 		log_err("out of memory");
1013 }
1014 
1015 /**
1016  * Clear module-specific data from query state. Since we do not allocate memory,
1017  * it's just a matter of setting a pointer to NULL.
1018  *
1019  * \param qstate Query state.
1020  * \param id     This module's instance ID.
1021  */
1022 void
dns64_clear(struct module_qstate * qstate,int id)1023 dns64_clear(struct module_qstate* qstate, int id)
1024 {
1025     qstate->minfo[id] = NULL;
1026 }
1027 
1028 /**
1029  * Returns the amount of global memory that this module uses, not including
1030  * per-query data.
1031  *
1032  * \param env Module environment.
1033  * \param id  This module's instance ID.
1034  */
1035 size_t
dns64_get_mem(struct module_env * env,int id)1036 dns64_get_mem(struct module_env* env, int id)
1037 {
1038     struct dns64_env* dns64_env = (struct dns64_env*)env->modinfo[id];
1039     if (!dns64_env)
1040         return 0;
1041     return sizeof(*dns64_env);
1042 }
1043 
1044 /**
1045  * The dns64 function block.
1046  */
1047 static struct module_func_block dns64_block = {
1048 	"dns64",
1049 	NULL, NULL, &dns64_init, &dns64_deinit, &dns64_operate,
1050 	&dns64_inform_super, &dns64_clear, &dns64_get_mem
1051 };
1052 
1053 /**
1054  * Function for returning the above function block.
1055  */
1056 struct module_func_block *
dns64_get_funcblock(void)1057 dns64_get_funcblock(void)
1058 {
1059 	return &dns64_block;
1060 }
1061