xref: /freebsd/contrib/unbound/ipsecmod/ipsecmod.c (revision 2e3f49888ec8851bafb22011533217487764fdb0)
1 /*
2  * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module
3  *
4  * Copyright (c) 2017, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains a module that facilitates opportunistic IPsec. It does so
40  * by also querying for the IPSECKEY for A/AAAA queries and calling a
41  * configurable hook (eg. signaling an IKE daemon) before replying.
42  */
43 
44 #include "config.h"
45 #ifdef USE_IPSECMOD
46 #include "ipsecmod/ipsecmod.h"
47 #include "ipsecmod/ipsecmod-whitelist.h"
48 #include "util/fptr_wlist.h"
49 #include "util/regional.h"
50 #include "util/net_help.h"
51 #include "util/config_file.h"
52 #include "services/cache/dns.h"
53 #include "sldns/wire2str.h"
54 
55 /** Apply configuration to ipsecmod module 'global' state. */
56 static int
57 ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg)
58 {
59 	if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) {
60 		log_err("ipsecmod: missing ipsecmod-hook.");
61 		return 0;
62 	}
63 	if(cfg->ipsecmod_whitelist &&
64 		!ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg))
65 		return 0;
66 	return 1;
67 }
68 
69 int
70 ipsecmod_init(struct module_env* env, int id)
71 {
72 	struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1,
73 		sizeof(struct ipsecmod_env));
74 	if(!ipsecmod_env) {
75 		log_err("malloc failure");
76 		return 0;
77 	}
78 	env->modinfo[id] = (void*)ipsecmod_env;
79 	ipsecmod_env->whitelist = NULL;
80 	if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) {
81 		log_err("ipsecmod: could not apply configuration settings.");
82 		return 0;
83 	}
84 	return 1;
85 }
86 
87 void
88 ipsecmod_deinit(struct module_env* env, int id)
89 {
90 	struct ipsecmod_env* ipsecmod_env;
91 	if(!env || !env->modinfo[id])
92 		return;
93 	ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id];
94 	/* Free contents. */
95 	ipsecmod_whitelist_delete(ipsecmod_env->whitelist);
96 	free(ipsecmod_env);
97 	env->modinfo[id] = NULL;
98 }
99 
100 /** New query for ipsecmod. */
101 static int
102 ipsecmod_new(struct module_qstate* qstate, int id)
103 {
104 	struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
105 		qstate->region, sizeof(struct ipsecmod_qstate));
106 	qstate->minfo[id] = iq;
107 	if(!iq)
108 		return 0;
109 	/* Initialise it. */
110 	memset(iq, 0, sizeof(*iq));
111 	iq->enabled = qstate->env->cfg->ipsecmod_enabled;
112 	iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
113 		(struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
114 		qstate->qinfo.qname_len, qstate->qinfo.qclass);
115 	return 1;
116 }
117 
118 /**
119  * Exit module with an error status.
120  * @param qstate: query state
121  * @param id: module id.
122  */
123 static void
124 ipsecmod_error(struct module_qstate* qstate, int id)
125 {
126 	qstate->ext_state[id] = module_error;
127 	qstate->return_rcode = LDNS_RCODE_SERVFAIL;
128 }
129 
130 /**
131  * Generate a request for the IPSECKEY.
132  *
133  * @param qstate: query state that is the parent.
134  * @param id: module id.
135  * @param name: what name to query for.
136  * @param namelen: length of name.
137  * @param qtype: query type.
138  * @param qclass: query class.
139  * @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
140  * @return false on alloc failure.
141  */
142 static int
143 generate_request(struct module_qstate* qstate, int id, uint8_t* name,
144 	size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
145 {
146 	struct module_qstate* newq;
147 	struct query_info ask;
148 	ask.qname = name;
149 	ask.qname_len = namelen;
150 	ask.qtype = qtype;
151 	ask.qclass = qclass;
152 	ask.local_alias = NULL;
153 	log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask);
154 
155 	/* Explicitly check for cycle before trying to attach. Will result in
156 	 * cleaner error message. The attach_sub code also checks for cycle but the
157 	 * message will be out of memory in both cases then. */
158 	fptr_ok(fptr_whitelist_modenv_detect_cycle(qstate->env->detect_cycle));
159 	if((*qstate->env->detect_cycle)(qstate, &ask,
160 		(uint16_t)(BIT_RD|flags), 0, 0)) {
161 		verbose(VERB_ALGO, "Could not generate request: cycle detected");
162 		return 0;
163 	}
164 
165 	fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
166 	if(!(*qstate->env->attach_sub)(qstate, &ask,
167 		(uint16_t)(BIT_RD|flags), 0, 0, &newq)){
168 		log_err("Could not generate request: out of memory");
169 		return 0;
170 	}
171 	qstate->ext_state[id] = module_wait_subquery;
172 	return 1;
173 }
174 
175 /**
176  * Check if the string passed is a valid domain name with safe characters to
177  * pass to a shell.
178  * This will only allow:
179  *  - digits
180  *  - alphas
181  *  - hyphen (not at the start)
182  *  - dot (not at the start, or the only character)
183  *  - underscore
184  * @param s: pointer to the string.
185  * @param slen: string's length.
186  * @return true if s only contains safe characters; false otherwise.
187  */
188 static int
189 domainname_has_safe_characters(char* s, size_t slen) {
190 	size_t i;
191 	for(i = 0; i < slen; i++) {
192 		if(s[i] == '\0') return 1;
193 		if((s[i] == '-' && i != 0)
194 			|| (s[i] == '.' && (i != 0 || s[1] == '\0'))
195 			|| (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
196 			|| (s[i] >= 'A' && s[i] <= 'Z')
197 			|| (s[i] >= 'a' && s[i] <= 'z')) {
198 			continue;
199 		}
200 		return 0;
201 	}
202 	return 1;
203 }
204 
205 /**
206  * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
207  * a shell.
208  * This is only relevant for checking the gateway when the gateway type is 3
209  * (domainname).
210  * @param s: pointer to the string.
211  * @param slen: string's length.
212  * @return true if s contains only safe characters; false otherwise.
213  */
214 static int
215 ipseckey_has_safe_characters(char* s, size_t slen) {
216 	int precedence, gateway_type, algorithm;
217 	char* gateway;
218 	gateway = (char*)calloc(slen, sizeof(char));
219 	if(!gateway) {
220 		log_err("ipsecmod: out of memory when calling the hook");
221 		return 0;
222 	}
223 	if(sscanf(s, "%d %d %d %s ",
224 			&precedence, &gateway_type, &algorithm, gateway) != 4) {
225 		free(gateway);
226 		return 0;
227 	}
228 	if(gateway_type != 3) {
229 		free(gateway);
230 		return 1;
231 	}
232 	if(domainname_has_safe_characters(gateway, slen)) {
233 		free(gateway);
234 		return 1;
235 	}
236 	free(gateway);
237 	return 0;
238 }
239 
240 /**
241  *  Prepare the data and call the hook.
242  *
243  *  @param qstate: query state.
244  *  @param iq: ipsecmod qstate.
245  *  @param ie: ipsecmod environment.
246  *  @return true on success, false otherwise.
247  */
248 static int
249 call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
250 	struct ipsecmod_env* ATTR_UNUSED(ie))
251 {
252 	size_t slen, tempdata_len, tempstring_len, i;
253 	char str[65535], *s, *tempstring;
254 	int w = 0, w_temp, qtype;
255 	struct ub_packed_rrset_key* rrset_key;
256 	struct packed_rrset_data* rrset_data;
257 	uint8_t *tempdata;
258 
259 	/* Check if a shell is available */
260 	if(system(NULL) == 0) {
261 		log_err("ipsecmod: no shell available for ipsecmod-hook");
262 		return 0;
263 	}
264 
265 	/* Zero the buffer. */
266 	s = str;
267 	slen = sizeof(str);
268 	memset(s, 0, slen);
269 
270 	/* Copy the hook into the buffer. */
271 	w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
272 	/* Put space into the buffer. */
273 	w += sldns_str_print(&s, &slen, " ");
274 	/* Copy the qname into the buffer. */
275 	tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
276 		qstate->qinfo.qname_len);
277 	if(!tempstring) {
278 		log_err("ipsecmod: out of memory when calling the hook");
279 		return 0;
280 	}
281 	if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
282 		log_err("ipsecmod: qname has unsafe characters");
283 		free(tempstring);
284 		return 0;
285 	}
286 	w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
287 	free(tempstring);
288 	/* Put space into the buffer. */
289 	w += sldns_str_print(&s, &slen, " ");
290 	/* Copy the IPSECKEY TTL into the buffer. */
291 	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
292 	w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
293 	/* Put space into the buffer. */
294 	w += sldns_str_print(&s, &slen, " ");
295 	rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
296 		qstate->return_msg->rep);
297 	/* Double check that the records are indeed A/AAAA.
298 	 * This should never happen as this function is only executed for A/AAAA
299 	 * queries but make sure we don't pass anything other than A/AAAA to the
300 	 * shell. */
301 	qtype = ntohs(rrset_key->rk.type);
302 	if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
303 		log_err("ipsecmod: Answer is not of A or AAAA type");
304 		return 0;
305 	}
306 	rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
307 	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
308 	 * with a double quote. */
309 	w += sldns_str_print(&s, &slen, "\"");
310 	for(i=0; i<rrset_data->count; i++) {
311 		if(i > 0) {
312 			/* Put space into the buffer. */
313 			w += sldns_str_print(&s, &slen, " ");
314 		}
315 		/* Ignore the first two bytes, they are the rr_data len. */
316 		w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
317 			rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
318 		if(w_temp < 0) {
319 			/* Error in printout. */
320 			log_err("ipsecmod: Error in printing IP address");
321 			return 0;
322 		} else if((size_t)w_temp >= slen) {
323 			s = NULL; /* We do not want str to point outside of buffer. */
324 			slen = 0;
325 			log_err("ipsecmod: shell command too long");
326 			return 0;
327 		} else {
328 			s += w_temp;
329 			slen -= w_temp;
330 			w += w_temp;
331 		}
332 	}
333 	w += sldns_str_print(&s, &slen, "\"");
334 	/* Put space into the buffer. */
335 	w += sldns_str_print(&s, &slen, " ");
336 	/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
337 	 * with a double quote. */
338 	w += sldns_str_print(&s, &slen, "\"");
339 	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
340 	for(i=0; i<rrset_data->count; i++) {
341 		if(i > 0) {
342 			/* Put space into the buffer. */
343 			w += sldns_str_print(&s, &slen, " ");
344 		}
345 		/* Ignore the first two bytes, they are the rr_data len. */
346 		tempdata = rrset_data->rr_data[i] + 2;
347 		tempdata_len = rrset_data->rr_len[i] - 2;
348 		/* Save the buffer pointers. */
349 		tempstring = s; tempstring_len = slen;
350 		w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
351 			&slen, NULL, 0, NULL);
352 		/* There was an error when parsing the IPSECKEY; reset the buffer
353 		 * pointers to their previous values. */
354 		if(w_temp == -1) {
355 			s = tempstring; slen = tempstring_len;
356 		} else if(w_temp > 0) {
357 			if(!ipseckey_has_safe_characters(
358 					tempstring, tempstring_len - slen)) {
359 				log_err("ipsecmod: ipseckey has unsafe characters");
360 				return 0;
361 			}
362 			w += w_temp;
363 		}
364 	}
365 	w += sldns_str_print(&s, &slen, "\"");
366 	if(w >= (int)sizeof(str)) {
367 		log_err("ipsecmod: shell command too long");
368 		return 0;
369 	}
370 	verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
371 	/* ipsecmod-hook should return 0 on success. */
372 	if(system(str) != 0)
373 		return 0;
374 	return 1;
375 }
376 
377 /**
378  * Handle an ipsecmod module event with a query
379  * @param qstate: query state (from the mesh), passed between modules.
380  * 	contains qstate->env module environment with global caches and so on.
381  * @param iq: query state specific for this module.  per-query.
382  * @param ie: environment specific for this module.  global.
383  * @param id: module id.
384  */
385 static void
386 ipsecmod_handle_query(struct module_qstate* qstate,
387 	struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id)
388 {
389 	struct ub_packed_rrset_key* rrset_key;
390 	struct packed_rrset_data* rrset_data;
391 	size_t i;
392 	/* Pass to next module if we are not enabled and whitelisted. */
393 	if(!(iq->enabled && iq->is_whitelisted)) {
394 		qstate->ext_state[id] = module_wait_module;
395 		return;
396 	}
397 	/* New query, check if the query is for an A/AAAA record and disable
398 	 * caching for other modules. */
399 	if(!iq->ipseckey_done) {
400 		if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
401 			qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
402 			char type[16];
403 			sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
404 				sizeof(type));
405 			verbose(VERB_ALGO, "ipsecmod: query for %s; engaging",
406 				type);
407 			qstate->no_cache_store = 1;
408 		}
409 		/* Pass request to next module. */
410 		qstate->ext_state[id] = module_wait_module;
411 		return;
412 	}
413 	/* IPSECKEY subquery is finished. */
414 	/* We have an IPSECKEY answer. */
415 	if(iq->ipseckey_rrset) {
416 		rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
417 		if(rrset_data) {
418 			/* If bogus return SERVFAIL. */
419 			if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
420 				rrset_data->security == sec_status_bogus) {
421 				log_err("ipsecmod: bogus IPSECKEY");
422 				errinf(qstate, "ipsecmod: bogus IPSECKEY");
423 				ipsecmod_error(qstate, id);
424 				return;
425 			}
426 			/* We have a valid IPSECKEY reply, call hook. */
427 			if(!call_hook(qstate, iq, ie) &&
428 				qstate->env->cfg->ipsecmod_strict) {
429 				log_err("ipsecmod: ipsecmod-hook failed");
430 				errinf(qstate, "ipsecmod: ipsecmod-hook failed");
431 				ipsecmod_error(qstate, id);
432 				return;
433 			}
434 			/* Make sure the A/AAAA's TTL is equal/less than the
435 			 * ipsecmod_max_ttl. */
436 			rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
437 				qstate->return_msg->rep);
438 			rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
439 			if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
440 				/* Update TTL for rrset to fixed value. */
441 				rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl;
442 				for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++)
443 					rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl;
444 				/* Also update reply_info's TTL */
445 				if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
446 					qstate->return_msg->rep->ttl =
447 						qstate->env->cfg->ipsecmod_max_ttl;
448 					qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(
449 						qstate->return_msg->rep->ttl);
450 					qstate->return_msg->rep->serve_expired_ttl = qstate->return_msg->rep->ttl +
451 						qstate->env->cfg->serve_expired_ttl;
452 				}
453 			}
454 		}
455 	}
456 	/* Store A/AAAA in cache. */
457 	if(!dns_cache_store(qstate->env, &qstate->qinfo,
458 		qstate->return_msg->rep, 0, qstate->prefetch_leeway,
459 		0, qstate->region, qstate->query_flags, qstate->qstarttime)) {
460 		log_err("ipsecmod: out of memory caching record");
461 	}
462 	qstate->ext_state[id] = module_finished;
463 }
464 
465 /**
466  * Handle an ipsecmod module event with a response from the iterator.
467  * @param qstate: query state (from the mesh), passed between modules.
468  * 	contains qstate->env module environment with global caches and so on.
469  * @param iq: query state specific for this module.  per-query.
470  * @param ie: environment specific for this module.  global.
471  * @param id: module id.
472  */
473 static void
474 ipsecmod_handle_response(struct module_qstate* qstate,
475 	struct ipsecmod_qstate* ATTR_UNUSED(iq),
476 	struct ipsecmod_env* ATTR_UNUSED(ie), int id)
477 {
478 	/* Pass to previous module if we are not enabled and whitelisted. */
479 	if(!(iq->enabled && iq->is_whitelisted)) {
480 		qstate->ext_state[id] = module_finished;
481 		return;
482 	}
483 	/* check if the response is for an A/AAAA query. */
484 	if((qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
485 		qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) &&
486 		/* check that we had an answer for the A/AAAA query. */
487 		qstate->return_msg &&
488 		reply_find_answer_rrset(&qstate->return_msg->qinfo,
489 		qstate->return_msg->rep) &&
490 		/* check that another module didn't SERVFAIL. */
491 		qstate->return_rcode == LDNS_RCODE_NOERROR) {
492 		char type[16];
493 		sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
494 			sizeof(type));
495 		verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY "
496 			"subquery", type);
497 		/* generate an IPSECKEY query. */
498 		if(!generate_request(qstate, id, qstate->qinfo.qname,
499 			qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
500 			qstate->qinfo.qclass, 0)) {
501 			log_err("ipsecmod: could not generate subquery.");
502 			errinf(qstate, "ipsecmod: could not generate subquery.");
503 			ipsecmod_error(qstate, id);
504 		}
505 		return;
506 	}
507 	/* we are done with the query. */
508 	qstate->ext_state[id] = module_finished;
509 }
510 
511 void
512 ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
513 	struct outbound_entry* outbound)
514 {
515 	struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id];
516 	struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id];
517 	verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s",
518 		id, strextstate(qstate->ext_state[id]), strmodulevent(event));
519 	if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query",
520 		&qstate->qinfo);
521 
522 	/* create ipsecmod_qstate. */
523 	if((event == module_event_new || event == module_event_pass) &&
524 		iq == NULL) {
525 		if(!ipsecmod_new(qstate, id)) {
526 			errinf(qstate, "ipsecmod: could not ipsecmod_new");
527 			ipsecmod_error(qstate, id);
528 			return;
529 		}
530 		iq = (struct ipsecmod_qstate*)qstate->minfo[id];
531 	}
532 	if(iq && (event == module_event_pass || event == module_event_new)) {
533 		ipsecmod_handle_query(qstate, iq, ie, id);
534 		return;
535 	}
536 	if(iq && (event == module_event_moddone)) {
537 		ipsecmod_handle_response(qstate, iq, ie, id);
538 		return;
539 	}
540 	if(iq && outbound) {
541 		/* cachedb does not need to process responses at this time
542 		 * ignore it.
543 		cachedb_process_response(qstate, iq, ie, id, outbound, event);
544 		*/
545 		return;
546 	}
547 	if(event == module_event_error) {
548 		verbose(VERB_ALGO, "got called with event error, giving up");
549 		errinf(qstate, "ipsecmod: got called with event error");
550 		ipsecmod_error(qstate, id);
551 		return;
552 	}
553 	if(!iq && (event == module_event_moddone)) {
554 		/* during priming, module done but we never started. */
555 		qstate->ext_state[id] = module_finished;
556 		return;
557 	}
558 
559 	log_err("ipsecmod: bad event %s", strmodulevent(event));
560 	errinf(qstate, "ipsecmod: operate got bad event");
561 	ipsecmod_error(qstate, id);
562 	return;
563 }
564 
565 void
566 ipsecmod_inform_super(struct module_qstate* qstate, int id,
567 	struct module_qstate* super)
568 {
569 	struct ipsecmod_qstate* siq;
570 	log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is",
571 		&qstate->qinfo);
572 	log_query_info(VERB_ALGO, "super is", &super->qinfo);
573 	siq = (struct ipsecmod_qstate*)super->minfo[id];
574 	if(!siq) {
575 		verbose(VERB_ALGO, "super has no ipsecmod state");
576 		return;
577 	}
578 
579 	if(qstate->return_msg) {
580 		struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset(
581 			&qstate->return_msg->qinfo, qstate->return_msg->rep);
582 		if(rrset_key) {
583 			/* We have an answer. */
584 			/* Copy to super's region. */
585 			rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0);
586 			siq->ipseckey_rrset = rrset_key;
587 			if(!rrset_key) {
588 				log_err("ipsecmod: out of memory.");
589 			}
590 		}
591 	}
592 	/* Notify super to proceed. */
593 	siq->ipseckey_done = 1;
594 }
595 
596 void
597 ipsecmod_clear(struct module_qstate* qstate, int id)
598 {
599 	if(!qstate)
600 		return;
601 	qstate->minfo[id] = NULL;
602 }
603 
604 size_t
605 ipsecmod_get_mem(struct module_env* env, int id)
606 {
607 	struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id];
608 	if(!ie)
609 		return 0;
610 	return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist);
611 }
612 
613 /**
614  * The ipsecmod function block
615  */
616 static struct module_func_block ipsecmod_block = {
617 	"ipsecmod",
618 	&ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate,
619 	&ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem
620 };
621 
622 struct module_func_block*
623 ipsecmod_get_funcblock(void)
624 {
625 	return &ipsecmod_block;
626 }
627 #endif /* USE_IPSECMOD */
628