1 /* 2 * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module 3 * 4 * Copyright (c) 2017, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains a module that facilitates opportunistic IPsec. It does so 40 * by also quering for the IPSECKEY for A/AAAA queries and calling a 41 * configurable hook (eg. signaling an IKE daemon) before replying. 42 */ 43 44 #include "config.h" 45 #ifdef USE_IPSECMOD 46 #include "ipsecmod/ipsecmod.h" 47 #include "ipsecmod/ipsecmod-whitelist.h" 48 #include "util/fptr_wlist.h" 49 #include "util/regional.h" 50 #include "util/net_help.h" 51 #include "util/config_file.h" 52 #include "services/cache/dns.h" 53 #include "sldns/wire2str.h" 54 55 /** Apply configuration to ipsecmod module 'global' state. */ 56 static int 57 ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg) 58 { 59 if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) { 60 log_err("ipsecmod: missing ipsecmod-hook."); 61 return 0; 62 } 63 if(cfg->ipsecmod_whitelist && 64 !ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg)) 65 return 0; 66 return 1; 67 } 68 69 int 70 ipsecmod_init(struct module_env* env, int id) 71 { 72 struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1, 73 sizeof(struct ipsecmod_env)); 74 if(!ipsecmod_env) { 75 log_err("malloc failure"); 76 return 0; 77 } 78 env->modinfo[id] = (void*)ipsecmod_env; 79 ipsecmod_env->whitelist = NULL; 80 if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) { 81 log_err("ipsecmod: could not apply configuration settings."); 82 return 0; 83 } 84 return 1; 85 } 86 87 void 88 ipsecmod_deinit(struct module_env* env, int id) 89 { 90 struct ipsecmod_env* ipsecmod_env; 91 if(!env || !env->modinfo[id]) 92 return; 93 ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id]; 94 /* Free contents. */ 95 ipsecmod_whitelist_delete(ipsecmod_env->whitelist); 96 free(ipsecmod_env); 97 env->modinfo[id] = NULL; 98 } 99 100 /** New query for ipsecmod. */ 101 static int 102 ipsecmod_new(struct module_qstate* qstate, int id) 103 { 104 struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc( 105 qstate->region, sizeof(struct ipsecmod_qstate)); 106 memset(iq, 0, sizeof(*iq)); 107 qstate->minfo[id] = iq; 108 if(!iq) 109 return 0; 110 /* Initialise it. */ 111 iq->enabled = qstate->env->cfg->ipsecmod_enabled; 112 iq->is_whitelisted = ipsecmod_domain_is_whitelisted( 113 (struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname, 114 qstate->qinfo.qname_len, qstate->qinfo.qclass); 115 return 1; 116 } 117 118 /** 119 * Exit module with an error status. 120 * @param qstate: query state 121 * @param id: module id. 122 */ 123 static void 124 ipsecmod_error(struct module_qstate* qstate, int id) 125 { 126 qstate->ext_state[id] = module_error; 127 qstate->return_rcode = LDNS_RCODE_SERVFAIL; 128 } 129 130 /** 131 * Generate a request for the IPSECKEY. 132 * 133 * @param qstate: query state that is the parent. 134 * @param id: module id. 135 * @param name: what name to query for. 136 * @param namelen: length of name. 137 * @param qtype: query type. 138 * @param qclass: query class. 139 * @param flags: additional flags, such as the CD bit (BIT_CD), or 0. 140 * @return false on alloc failure. 141 */ 142 static int 143 generate_request(struct module_qstate* qstate, int id, uint8_t* name, 144 size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags) 145 { 146 struct module_qstate* newq; 147 struct query_info ask; 148 ask.qname = name; 149 ask.qname_len = namelen; 150 ask.qtype = qtype; 151 ask.qclass = qclass; 152 ask.local_alias = NULL; 153 log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask); 154 fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub)); 155 if(!(*qstate->env->attach_sub)(qstate, &ask, 156 (uint16_t)(BIT_RD|flags), 0, 0, &newq)){ 157 log_err("Could not generate request: out of memory"); 158 return 0; 159 } 160 qstate->ext_state[id] = module_wait_subquery; 161 return 1; 162 } 163 164 /** 165 * Prepare the data and call the hook. 166 * 167 * @param qstate: query state. 168 * @param iq: ipsecmod qstate. 169 * @param ie: ipsecmod environment. 170 * @return true on success, false otherwise. 171 */ 172 static int 173 call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, 174 struct ipsecmod_env* ATTR_UNUSED(ie)) 175 { 176 size_t slen, tempdata_len, tempstring_len, i; 177 char str[65535], *s, *tempstring; 178 int w; 179 struct ub_packed_rrset_key* rrset_key; 180 struct packed_rrset_data* rrset_data; 181 uint8_t *tempdata; 182 183 /* Check if a shell is available */ 184 if(system(NULL) == 0) { 185 log_err("ipsecmod: no shell available for ipsecmod-hook"); 186 return 0; 187 } 188 189 /* Zero the buffer. */ 190 s = str; 191 slen = sizeof(str); 192 memset(s, 0, slen); 193 194 /* Copy the hook into the buffer. */ 195 sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); 196 /* Put space into the buffer. */ 197 sldns_str_print(&s, &slen, " "); 198 /* Copy the qname into the buffer. */ 199 tempstring = sldns_wire2str_dname(qstate->qinfo.qname, 200 qstate->qinfo.qname_len); 201 if(!tempstring) { 202 log_err("ipsecmod: out of memory when calling the hook"); 203 return 0; 204 } 205 sldns_str_print(&s, &slen, "\"%s\"", tempstring); 206 free(tempstring); 207 /* Put space into the buffer. */ 208 sldns_str_print(&s, &slen, " "); 209 /* Copy the IPSECKEY TTL into the buffer. */ 210 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 211 sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl); 212 /* Put space into the buffer. */ 213 sldns_str_print(&s, &slen, " "); 214 /* Copy the A/AAAA record(s) into the buffer. Start and end this section 215 * with a double quote. */ 216 rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, 217 qstate->return_msg->rep); 218 rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; 219 sldns_str_print(&s, &slen, "\""); 220 for(i=0; i<rrset_data->count; i++) { 221 if(i > 0) { 222 /* Put space into the buffer. */ 223 sldns_str_print(&s, &slen, " "); 224 } 225 /* Ignore the first two bytes, they are the rr_data len. */ 226 w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, 227 rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype); 228 if(w < 0) { 229 /* Error in printout. */ 230 return -1; 231 } else if((size_t)w >= slen) { 232 s = NULL; /* We do not want str to point outside of buffer. */ 233 slen = 0; 234 return -1; 235 } else { 236 s += w; 237 slen -= w; 238 } 239 } 240 sldns_str_print(&s, &slen, "\""); 241 /* Put space into the buffer. */ 242 sldns_str_print(&s, &slen, " "); 243 /* Copy the IPSECKEY record(s) into the buffer. Start and end this section 244 * with a double quote. */ 245 sldns_str_print(&s, &slen, "\""); 246 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 247 for(i=0; i<rrset_data->count; i++) { 248 if(i > 0) { 249 /* Put space into the buffer. */ 250 sldns_str_print(&s, &slen, " "); 251 } 252 /* Ignore the first two bytes, they are the rr_data len. */ 253 tempdata = rrset_data->rr_data[i] + 2; 254 tempdata_len = rrset_data->rr_len[i] - 2; 255 /* Save the buffer pointers. */ 256 tempstring = s; tempstring_len = slen; 257 w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen, 258 NULL, 0); 259 /* There was an error when parsing the IPSECKEY; reset the buffer 260 * pointers to their previous values. */ 261 if(w == -1){ 262 s = tempstring; slen = tempstring_len; 263 } 264 } 265 sldns_str_print(&s, &slen, "\""); 266 verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str); 267 /* ipsecmod-hook should return 0 on success. */ 268 if(system(str) != 0) 269 return 0; 270 return 1; 271 } 272 273 /** 274 * Handle an ipsecmod module event with a query 275 * @param qstate: query state (from the mesh), passed between modules. 276 * contains qstate->env module environment with global caches and so on. 277 * @param iq: query state specific for this module. per-query. 278 * @param ie: environment specific for this module. global. 279 * @param id: module id. 280 */ 281 static void 282 ipsecmod_handle_query(struct module_qstate* qstate, 283 struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id) 284 { 285 struct ub_packed_rrset_key* rrset_key; 286 struct packed_rrset_data* rrset_data; 287 size_t i; 288 /* Pass to next module if we are not enabled and whitelisted. */ 289 if(!(iq->enabled && iq->is_whitelisted)) { 290 qstate->ext_state[id] = module_wait_module; 291 return; 292 } 293 /* New query, check if the query is for an A/AAAA record and disable 294 * caching for other modules. */ 295 if(!iq->ipseckey_done) { 296 if(qstate->qinfo.qtype == LDNS_RR_TYPE_A || 297 qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) { 298 char type[16]; 299 sldns_wire2str_type_buf(qstate->qinfo.qtype, type, 300 sizeof(type)); 301 verbose(VERB_ALGO, "ipsecmod: query for %s; engaging", 302 type); 303 qstate->no_cache_store = 1; 304 } 305 /* Pass request to next module. */ 306 qstate->ext_state[id] = module_wait_module; 307 return; 308 } 309 /* IPSECKEY subquery is finished. */ 310 /* We have an IPSECKEY answer. */ 311 if(iq->ipseckey_rrset) { 312 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 313 if(rrset_data) { 314 /* If bogus return SERVFAIL. */ 315 if(!qstate->env->cfg->ipsecmod_ignore_bogus && 316 rrset_data->security == sec_status_bogus) { 317 log_err("ipsecmod: bogus IPSECKEY"); 318 ipsecmod_error(qstate, id); 319 return; 320 } 321 /* We have a valid IPSECKEY reply, call hook. */ 322 if(!call_hook(qstate, iq, ie) && 323 qstate->env->cfg->ipsecmod_strict) { 324 log_err("ipsecmod: ipsecmod-hook failed"); 325 ipsecmod_error(qstate, id); 326 return; 327 } 328 /* Make sure the A/AAAA's TTL is equal/less than the 329 * ipsecmod_max_ttl. */ 330 rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, 331 qstate->return_msg->rep); 332 rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; 333 if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) { 334 /* Update TTL for rrset to fixed value. */ 335 rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl; 336 for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++) 337 rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl; 338 /* Also update reply_info's TTL */ 339 if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) { 340 qstate->return_msg->rep->ttl = 341 qstate->env->cfg->ipsecmod_max_ttl; 342 qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC( 343 qstate->return_msg->rep->ttl); 344 qstate->return_msg->rep->serve_expired_ttl = qstate->return_msg->rep->ttl + 345 qstate->env->cfg->serve_expired_ttl; 346 } 347 } 348 } 349 } 350 /* Store A/AAAA in cache. */ 351 if(!dns_cache_store(qstate->env, &qstate->qinfo, 352 qstate->return_msg->rep, 0, qstate->prefetch_leeway, 353 0, qstate->region, qstate->query_flags)) { 354 log_err("ipsecmod: out of memory caching record"); 355 } 356 qstate->ext_state[id] = module_finished; 357 } 358 359 /** 360 * Handle an ipsecmod module event with a response from the iterator. 361 * @param qstate: query state (from the mesh), passed between modules. 362 * contains qstate->env module environment with global caches and so on. 363 * @param iq: query state specific for this module. per-query. 364 * @param ie: environment specific for this module. global. 365 * @param id: module id. 366 */ 367 static void 368 ipsecmod_handle_response(struct module_qstate* qstate, 369 struct ipsecmod_qstate* ATTR_UNUSED(iq), 370 struct ipsecmod_env* ATTR_UNUSED(ie), int id) 371 { 372 /* Pass to previous module if we are not enabled and whitelisted. */ 373 if(!(iq->enabled && iq->is_whitelisted)) { 374 qstate->ext_state[id] = module_finished; 375 return; 376 } 377 /* check if the response is for an A/AAAA query. */ 378 if((qstate->qinfo.qtype == LDNS_RR_TYPE_A || 379 qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) && 380 /* check that we had an answer for the A/AAAA query. */ 381 qstate->return_msg && 382 reply_find_answer_rrset(&qstate->return_msg->qinfo, 383 qstate->return_msg->rep) && 384 /* check that another module didn't SERVFAIL. */ 385 qstate->return_rcode == LDNS_RCODE_NOERROR) { 386 char type[16]; 387 sldns_wire2str_type_buf(qstate->qinfo.qtype, type, 388 sizeof(type)); 389 verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY " 390 "subquery", type); 391 /* generate an IPSECKEY query. */ 392 if(!generate_request(qstate, id, qstate->qinfo.qname, 393 qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY, 394 qstate->qinfo.qclass, 0)) { 395 log_err("ipsecmod: could not generate subquery."); 396 ipsecmod_error(qstate, id); 397 } 398 return; 399 } 400 /* we are done with the query. */ 401 qstate->ext_state[id] = module_finished; 402 } 403 404 void 405 ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id, 406 struct outbound_entry* outbound) 407 { 408 struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id]; 409 struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id]; 410 verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s", 411 id, strextstate(qstate->ext_state[id]), strmodulevent(event)); 412 if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query", 413 &qstate->qinfo); 414 415 /* create ipsecmod_qstate. */ 416 if((event == module_event_new || event == module_event_pass) && 417 iq == NULL) { 418 if(!ipsecmod_new(qstate, id)) { 419 ipsecmod_error(qstate, id); 420 return; 421 } 422 iq = (struct ipsecmod_qstate*)qstate->minfo[id]; 423 } 424 if(iq && (event == module_event_pass || event == module_event_new)) { 425 ipsecmod_handle_query(qstate, iq, ie, id); 426 return; 427 } 428 if(iq && (event == module_event_moddone)) { 429 ipsecmod_handle_response(qstate, iq, ie, id); 430 return; 431 } 432 if(iq && outbound) { 433 /* cachedb does not need to process responses at this time 434 * ignore it. 435 cachedb_process_response(qstate, iq, ie, id, outbound, event); 436 */ 437 return; 438 } 439 if(event == module_event_error) { 440 verbose(VERB_ALGO, "got called with event error, giving up"); 441 ipsecmod_error(qstate, id); 442 return; 443 } 444 if(!iq && (event == module_event_moddone)) { 445 /* during priming, module done but we never started. */ 446 qstate->ext_state[id] = module_finished; 447 return; 448 } 449 450 log_err("ipsecmod: bad event %s", strmodulevent(event)); 451 ipsecmod_error(qstate, id); 452 return; 453 } 454 455 void 456 ipsecmod_inform_super(struct module_qstate* qstate, int id, 457 struct module_qstate* super) 458 { 459 struct ipsecmod_qstate* siq; 460 log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is", 461 &qstate->qinfo); 462 log_query_info(VERB_ALGO, "super is", &super->qinfo); 463 siq = (struct ipsecmod_qstate*)super->minfo[id]; 464 if(!siq) { 465 verbose(VERB_ALGO, "super has no ipsecmod state"); 466 return; 467 } 468 469 if(qstate->return_msg) { 470 struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset( 471 &qstate->return_msg->qinfo, qstate->return_msg->rep); 472 if(rrset_key) { 473 /* We have an answer. */ 474 /* Copy to super's region. */ 475 rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0); 476 siq->ipseckey_rrset = rrset_key; 477 if(!rrset_key) { 478 log_err("ipsecmod: out of memory."); 479 } 480 } 481 } 482 /* Notify super to proceed. */ 483 siq->ipseckey_done = 1; 484 } 485 486 void 487 ipsecmod_clear(struct module_qstate* qstate, int id) 488 { 489 if(!qstate) 490 return; 491 qstate->minfo[id] = NULL; 492 } 493 494 size_t 495 ipsecmod_get_mem(struct module_env* env, int id) 496 { 497 struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id]; 498 if(!ie) 499 return 0; 500 return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist); 501 } 502 503 /** 504 * The ipsecmod function block 505 */ 506 static struct module_func_block ipsecmod_block = { 507 "ipsecmod", 508 &ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate, 509 &ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem 510 }; 511 512 struct module_func_block* 513 ipsecmod_get_funcblock(void) 514 { 515 return &ipsecmod_block; 516 } 517 #endif /* USE_IPSECMOD */ 518