1 /* $NetBSD: client.c,v 1.18 2023/01/25 21:43:32 christos Exp $ */ 2 3 /* 4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 5 * 6 * SPDX-License-Identifier: MPL-2.0 7 * 8 * This Source Code Form is subject to the terms of the Mozilla Public 9 * License, v. 2.0. If a copy of the MPL was not distributed with this 10 * file, you can obtain one at https://mozilla.org/MPL/2.0/. 11 * 12 * See the COPYRIGHT file distributed with this work for additional 13 * information regarding copyright ownership. 14 */ 15 16 #include <inttypes.h> 17 #include <limits.h> 18 #include <stdbool.h> 19 20 #include <isc/aes.h> 21 #include <isc/atomic.h> 22 #include <isc/formatcheck.h> 23 #include <isc/fuzz.h> 24 #include <isc/hmac.h> 25 #include <isc/mutex.h> 26 #include <isc/nonce.h> 27 #include <isc/once.h> 28 #include <isc/platform.h> 29 #include <isc/print.h> 30 #include <isc/random.h> 31 #include <isc/safe.h> 32 #include <isc/serial.h> 33 #include <isc/siphash.h> 34 #include <isc/stats.h> 35 #include <isc/stdio.h> 36 #include <isc/string.h> 37 #include <isc/task.h> 38 #include <isc/timer.h> 39 #include <isc/util.h> 40 41 #include <dns/adb.h> 42 #include <dns/badcache.h> 43 #include <dns/cache.h> 44 #include <dns/db.h> 45 #include <dns/dispatch.h> 46 #include <dns/dnstap.h> 47 #include <dns/edns.h> 48 #include <dns/events.h> 49 #include <dns/message.h> 50 #include <dns/peer.h> 51 #include <dns/rcode.h> 52 #include <dns/rdata.h> 53 #include <dns/rdataclass.h> 54 #include <dns/rdatalist.h> 55 #include <dns/rdataset.h> 56 #include <dns/resolver.h> 57 #include <dns/stats.h> 58 #include <dns/tsig.h> 59 #include <dns/view.h> 60 #include <dns/zone.h> 61 62 #include <ns/client.h> 63 #include <ns/interfacemgr.h> 64 #include <ns/log.h> 65 #include <ns/notify.h> 66 #include <ns/server.h> 67 #include <ns/stats.h> 68 #include <ns/update.h> 69 70 #ifndef _POSIX_HOST_NAME_MAX 71 #define _POSIX_HOST_NAME_MAX 255 72 #endif 73 74 /*** 75 *** Client 76 ***/ 77 78 /*! \file 79 * Client Routines 80 * 81 * Important note! 82 * 83 * All client state changes, other than that from idle to listening, occur 84 * as a result of events. This guarantees serialization and avoids the 85 * need for locking. 86 * 87 * If a routine is ever created that allows someone other than the client's 88 * task to change the client, then the client will have to be locked. 89 */ 90 91 #ifdef NS_CLIENT_TRACE 92 #define CTRACE(m) \ 93 ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, \ 94 ISC_LOG_DEBUG(3), "%s", (m)) 95 #define MTRACE(m) \ 96 isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, \ 97 ISC_LOG_DEBUG(3), "clientmgr @%p: %s", manager, (m)) 98 #else /* ifdef NS_CLIENT_TRACE */ 99 #define CTRACE(m) ((void)/*LINTED*/(m)) 100 #define MTRACE(m) ((void)/*LINTED*/(m)) 101 #endif /* ifdef NS_CLIENT_TRACE */ 102 103 #define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0) 104 105 #define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */ 106 #define ECS_SIZE 20U /* 2 + 1 + 1 + [0..16] */ 107 108 #define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0) 109 #define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0) 110 #define WANTPAD(x) (((x)->attributes & NS_CLIENTATTR_WANTPAD) != 0) 111 #define USEKEEPALIVE(x) (((x)->attributes & NS_CLIENTATTR_USEKEEPALIVE) != 0) 112 113 #define MANAGER_MAGIC ISC_MAGIC('N', 'S', 'C', 'm') 114 #define VALID_MANAGER(m) ISC_MAGIC_VALID(m, MANAGER_MAGIC) 115 116 /* 117 * Enable ns_client_dropport() by default. 118 */ 119 #ifndef NS_CLIENT_DROPPORT 120 #define NS_CLIENT_DROPPORT 1 121 #endif /* ifndef NS_CLIENT_DROPPORT */ 122 123 #define CLIENT_NMCTXS_PERCPU 8 124 /*%< 125 * Number of 'mctx pools' for clients. (Should this be configurable?) 126 * When enabling threads, we use a pool of memory contexts shared by 127 * client objects, since concurrent access to a shared context would cause 128 * heavy contentions. The above constant is expected to be enough for 129 * completely avoiding contentions among threads for an authoritative-only 130 * server. 131 */ 132 133 #define CLIENT_NTASKS_PERCPU 32 134 /*%< 135 * Number of tasks to be used by clients - those are used only when recursing 136 */ 137 138 #if defined(_WIN32) && !defined(_WIN64) || !defined(_LP64) 139 LIBNS_EXTERNAL_DATA atomic_uint_fast32_t ns_client_requests = 0; 140 #else /* if defined(_WIN32) && !defined(_WIN64) */ 141 LIBNS_EXTERNAL_DATA atomic_uint_fast64_t ns_client_requests = 0; 142 #endif /* if defined(_WIN32) && !defined(_WIN64) */ 143 144 static void 145 clientmgr_attach(ns_clientmgr_t *source, ns_clientmgr_t **targetp); 146 static void 147 clientmgr_detach(ns_clientmgr_t **mp); 148 static void 149 clientmgr_destroy(ns_clientmgr_t *manager); 150 static void 151 ns_client_endrequest(ns_client_t *client); 152 static void 153 ns_client_dumpmessage(ns_client_t *client, const char *reason); 154 static void 155 compute_cookie(ns_client_t *client, uint32_t when, uint32_t nonce, 156 const unsigned char *secret, isc_buffer_t *buf); 157 static void 158 get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp); 159 static void 160 get_clienttask(ns_clientmgr_t *manager, isc_task_t **taskp); 161 162 void 163 ns_client_recursing(ns_client_t *client) { 164 REQUIRE(NS_CLIENT_VALID(client)); 165 REQUIRE(client->state == NS_CLIENTSTATE_WORKING); 166 167 LOCK(&client->manager->reclock); 168 client->state = NS_CLIENTSTATE_RECURSING; 169 ISC_LIST_APPEND(client->manager->recursing, client, rlink); 170 UNLOCK(&client->manager->reclock); 171 } 172 173 void 174 ns_client_killoldestquery(ns_client_t *client) { 175 ns_client_t *oldest; 176 REQUIRE(NS_CLIENT_VALID(client)); 177 178 LOCK(&client->manager->reclock); 179 oldest = ISC_LIST_HEAD(client->manager->recursing); 180 if (oldest != NULL) { 181 ISC_LIST_UNLINK(client->manager->recursing, oldest, rlink); 182 ns_query_cancel(oldest); 183 ns_stats_increment(client->sctx->nsstats, 184 ns_statscounter_reclimitdropped); 185 } 186 UNLOCK(&client->manager->reclock); 187 } 188 189 void 190 ns_client_settimeout(ns_client_t *client, unsigned int seconds) { 191 UNUSED(client); 192 UNUSED(seconds); 193 /* XXXWPK TODO use netmgr to set timeout */ 194 } 195 196 static void 197 ns_client_endrequest(ns_client_t *client) { 198 INSIST(client->nupdates == 0); 199 INSIST(client->state == NS_CLIENTSTATE_WORKING || 200 client->state == NS_CLIENTSTATE_RECURSING); 201 202 CTRACE("endrequest"); 203 204 if (client->state == NS_CLIENTSTATE_RECURSING) { 205 LOCK(&client->manager->reclock); 206 if (ISC_LINK_LINKED(client, rlink)) { 207 ISC_LIST_UNLINK(client->manager->recursing, client, 208 rlink); 209 } 210 UNLOCK(&client->manager->reclock); 211 } 212 213 if (client->cleanup != NULL) { 214 (client->cleanup)(client); 215 client->cleanup = NULL; 216 } 217 218 if (client->view != NULL) { 219 #ifdef ENABLE_AFL 220 if (client->sctx->fuzztype == isc_fuzz_resolver) { 221 dns_cache_clean(client->view->cache, INT_MAX); 222 dns_adb_flush(client->view->adb); 223 } 224 #endif /* ifdef ENABLE_AFL */ 225 dns_view_detach(&client->view); 226 } 227 if (client->opt != NULL) { 228 INSIST(dns_rdataset_isassociated(client->opt)); 229 dns_rdataset_disassociate(client->opt); 230 dns_message_puttemprdataset(client->message, &client->opt); 231 } 232 233 client->signer = NULL; 234 client->udpsize = 512; 235 client->extflags = 0; 236 client->ednsversion = -1; 237 dns_ecs_init(&client->ecs); 238 dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE); 239 240 /* 241 * Clean up from recursion - normally this would be done in 242 * fetch_callback(), but if we're shutting down and canceling then 243 * it might not have happened. 244 */ 245 if (client->recursionquota != NULL) { 246 isc_quota_detach(&client->recursionquota); 247 ns_stats_decrement(client->sctx->nsstats, 248 ns_statscounter_recursclients); 249 } 250 251 /* 252 * Clear all client attributes that are specific to the request 253 */ 254 client->attributes = 0; 255 #ifdef ENABLE_AFL 256 if (client->sctx->fuzznotify != NULL && 257 (client->sctx->fuzztype == isc_fuzz_client || 258 client->sctx->fuzztype == isc_fuzz_tcpclient || 259 client->sctx->fuzztype == isc_fuzz_resolver)) 260 { 261 client->sctx->fuzznotify(); 262 } 263 #endif /* ENABLE_AFL */ 264 } 265 266 void 267 ns_client_drop(ns_client_t *client, isc_result_t result) { 268 REQUIRE(NS_CLIENT_VALID(client)); 269 REQUIRE(client->state == NS_CLIENTSTATE_WORKING || 270 client->state == NS_CLIENTSTATE_RECURSING); 271 272 CTRACE("drop"); 273 if (result != ISC_R_SUCCESS) { 274 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 275 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), 276 "request failed: %s", isc_result_totext(result)); 277 } 278 } 279 280 static void 281 client_senddone(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) { 282 ns_client_t *client = cbarg; 283 284 REQUIRE(client->sendhandle == handle); 285 286 CTRACE("senddone"); 287 288 /* 289 * Set sendhandle to NULL, but don't detach it immediately, in 290 * case we need to retry the send. If we do resend, then 291 * sendhandle will be reattached. Whether or not we resend, 292 * we will then detach the handle from *this* send by detaching 293 * 'handle' directly below. 294 */ 295 client->sendhandle = NULL; 296 297 if (result != ISC_R_SUCCESS) { 298 if (!TCP_CLIENT(client) && result == ISC_R_MAXSIZE) { 299 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 300 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), 301 "send exceeded maximum size: truncating"); 302 client->query.attributes &= ~NS_QUERYATTR_ANSWERED; 303 client->rcode_override = dns_rcode_noerror; 304 ns_client_error(client, ISC_R_MAXSIZE); 305 } else { 306 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 307 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), 308 "send failed: %s", 309 isc_result_totext(result)); 310 } 311 } 312 313 isc_nmhandle_detach(&handle); 314 } 315 316 static void 317 client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer, 318 unsigned char **datap) { 319 unsigned char *data; 320 uint32_t bufsize; 321 322 REQUIRE(datap != NULL); 323 324 if (TCP_CLIENT(client)) { 325 INSIST(client->tcpbuf == NULL); 326 client->tcpbuf = isc_mem_get(client->mctx, 327 NS_CLIENT_TCP_BUFFER_SIZE); 328 data = client->tcpbuf; 329 isc_buffer_init(buffer, data, NS_CLIENT_TCP_BUFFER_SIZE); 330 } else { 331 data = client->sendbuf; 332 if ((client->attributes & NS_CLIENTATTR_HAVECOOKIE) == 0) { 333 if (client->view != NULL) { 334 bufsize = client->view->nocookieudp; 335 } else { 336 bufsize = 512; 337 } 338 } else { 339 bufsize = client->udpsize; 340 } 341 if (bufsize > client->udpsize) { 342 bufsize = client->udpsize; 343 } 344 if (bufsize > NS_CLIENT_SEND_BUFFER_SIZE) { 345 bufsize = NS_CLIENT_SEND_BUFFER_SIZE; 346 } 347 isc_buffer_init(buffer, data, bufsize); 348 } 349 *datap = data; 350 } 351 352 static void 353 client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) { 354 isc_region_t r; 355 356 REQUIRE(client->sendhandle == NULL); 357 358 isc_buffer_usedregion(buffer, &r); 359 isc_nmhandle_attach(client->handle, &client->sendhandle); 360 isc_nm_send(client->handle, &r, client_senddone, client); 361 } 362 363 void 364 ns_client_sendraw(ns_client_t *client, dns_message_t *message) { 365 isc_result_t result; 366 unsigned char *data; 367 isc_buffer_t buffer; 368 isc_region_t r; 369 isc_region_t *mr; 370 371 REQUIRE(NS_CLIENT_VALID(client)); 372 373 CTRACE("sendraw"); 374 375 mr = dns_message_getrawmessage(message); 376 if (mr == NULL) { 377 result = ISC_R_UNEXPECTEDEND; 378 goto done; 379 } 380 381 client_allocsendbuf(client, &buffer, &data); 382 383 if (mr->length > isc_buffer_length(&buffer)) { 384 result = ISC_R_NOSPACE; 385 goto done; 386 } 387 388 /* 389 * Copy message to buffer and fixup id. 390 */ 391 isc_buffer_availableregion(&buffer, &r); 392 result = isc_buffer_copyregion(&buffer, mr); 393 if (result != ISC_R_SUCCESS) { 394 goto done; 395 } 396 r.base[0] = (client->message->id >> 8) & 0xff; 397 r.base[1] = client->message->id & 0xff; 398 399 #ifdef HAVE_DNSTAP 400 if (client->view != NULL) { 401 bool tcp = TCP_CLIENT(client); 402 dns_dtmsgtype_t dtmsgtype; 403 if (client->message->opcode == dns_opcode_update) { 404 dtmsgtype = DNS_DTTYPE_UR; 405 } else if ((client->message->flags & DNS_MESSAGEFLAG_RD) != 0) { 406 dtmsgtype = DNS_DTTYPE_CR; 407 } else { 408 dtmsgtype = DNS_DTTYPE_AR; 409 } 410 dns_dt_send(client->view, dtmsgtype, &client->peeraddr, 411 &client->destsockaddr, tcp, NULL, 412 &client->requesttime, NULL, &buffer); 413 } 414 #endif 415 416 client_sendpkg(client, &buffer); 417 418 return; 419 done: 420 if (client->tcpbuf != NULL) { 421 isc_mem_put(client->mctx, client->tcpbuf, 422 NS_CLIENT_TCP_BUFFER_SIZE); 423 client->tcpbuf = NULL; 424 } 425 426 ns_client_drop(client, result); 427 } 428 429 void 430 ns_client_send(ns_client_t *client) { 431 isc_result_t result; 432 unsigned char *data; 433 isc_buffer_t buffer = { .magic = 0 }; 434 isc_region_t r; 435 dns_compress_t cctx; 436 bool cleanup_cctx = false; 437 unsigned int render_opts; 438 unsigned int preferred_glue; 439 bool opt_included = false; 440 size_t respsize; 441 dns_aclenv_t *env; 442 #ifdef HAVE_DNSTAP 443 unsigned char zone[DNS_NAME_MAXWIRE]; 444 dns_dtmsgtype_t dtmsgtype; 445 isc_region_t zr; 446 #endif /* HAVE_DNSTAP */ 447 448 REQUIRE(NS_CLIENT_VALID(client)); 449 450 if ((client->query.attributes & NS_QUERYATTR_ANSWERED) != 0) { 451 return; 452 } 453 454 /* 455 * XXXWPK TODO 456 * Delay the response according to the -T delay option 457 */ 458 459 env = ns_interfacemgr_getaclenv(client->manager->interface->mgr); 460 461 CTRACE("send"); 462 463 if (client->message->opcode == dns_opcode_query && 464 (client->attributes & NS_CLIENTATTR_RA) != 0) 465 { 466 client->message->flags |= DNS_MESSAGEFLAG_RA; 467 } 468 469 if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0) { 470 render_opts = 0; 471 } else { 472 render_opts = DNS_MESSAGERENDER_OMITDNSSEC; 473 } 474 475 preferred_glue = 0; 476 if (client->view != NULL) { 477 if (client->view->preferred_glue == dns_rdatatype_a) { 478 preferred_glue = DNS_MESSAGERENDER_PREFER_A; 479 } else if (client->view->preferred_glue == dns_rdatatype_aaaa) { 480 preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA; 481 } 482 } 483 if (preferred_glue == 0) { 484 if (isc_sockaddr_pf(&client->peeraddr) == AF_INET) { 485 preferred_glue = DNS_MESSAGERENDER_PREFER_A; 486 } else { 487 preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA; 488 } 489 } 490 491 /* 492 * Create an OPT for our reply. 493 */ 494 if ((client->attributes & NS_CLIENTATTR_WANTOPT) != 0) { 495 result = ns_client_addopt(client, client->message, 496 &client->opt); 497 if (result != ISC_R_SUCCESS) { 498 goto cleanup; 499 } 500 } 501 502 client_allocsendbuf(client, &buffer, &data); 503 504 result = dns_compress_init(&cctx, -1, client->mctx); 505 if (result != ISC_R_SUCCESS) { 506 goto cleanup; 507 } 508 if (client->peeraddr_valid && client->view != NULL) { 509 isc_netaddr_t netaddr; 510 dns_name_t *name = NULL; 511 512 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); 513 if (client->message->tsigkey != NULL) { 514 name = &client->message->tsigkey->name; 515 } 516 517 if (client->view->nocasecompress == NULL || 518 !dns_acl_allowed(&netaddr, name, 519 client->view->nocasecompress, env)) 520 { 521 dns_compress_setsensitive(&cctx, true); 522 } 523 524 if (!client->view->msgcompression) { 525 dns_compress_disable(&cctx); 526 } 527 } 528 cleanup_cctx = true; 529 530 result = dns_message_renderbegin(client->message, &cctx, &buffer); 531 if (result != ISC_R_SUCCESS) { 532 goto cleanup; 533 } 534 535 if (client->opt != NULL) { 536 result = dns_message_setopt(client->message, client->opt); 537 opt_included = true; 538 client->opt = NULL; 539 if (result != ISC_R_SUCCESS) { 540 goto cleanup; 541 } 542 } 543 result = dns_message_rendersection(client->message, 544 DNS_SECTION_QUESTION, 0); 545 if (result == ISC_R_NOSPACE) { 546 client->message->flags |= DNS_MESSAGEFLAG_TC; 547 goto renderend; 548 } 549 if (result != ISC_R_SUCCESS) { 550 goto cleanup; 551 } 552 /* 553 * Stop after the question if TC was set for rate limiting. 554 */ 555 if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0) { 556 goto renderend; 557 } 558 result = dns_message_rendersection(client->message, DNS_SECTION_ANSWER, 559 DNS_MESSAGERENDER_PARTIAL | 560 render_opts); 561 if (result == ISC_R_NOSPACE) { 562 client->message->flags |= DNS_MESSAGEFLAG_TC; 563 goto renderend; 564 } 565 if (result != ISC_R_SUCCESS) { 566 goto cleanup; 567 } 568 result = dns_message_rendersection( 569 client->message, DNS_SECTION_AUTHORITY, 570 DNS_MESSAGERENDER_PARTIAL | render_opts); 571 if (result == ISC_R_NOSPACE) { 572 client->message->flags |= DNS_MESSAGEFLAG_TC; 573 goto renderend; 574 } 575 if (result != ISC_R_SUCCESS) { 576 goto cleanup; 577 } 578 result = dns_message_rendersection(client->message, 579 DNS_SECTION_ADDITIONAL, 580 preferred_glue | render_opts); 581 if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE) { 582 goto cleanup; 583 } 584 renderend: 585 result = dns_message_renderend(client->message); 586 if (result != ISC_R_SUCCESS) { 587 goto cleanup; 588 } 589 590 #ifdef HAVE_DNSTAP 591 memset(&zr, 0, sizeof(zr)); 592 if (((client->message->flags & DNS_MESSAGEFLAG_AA) != 0) && 593 (client->query.authzone != NULL)) 594 { 595 isc_result_t eresult; 596 isc_buffer_t b; 597 dns_name_t *zo = dns_zone_getorigin(client->query.authzone); 598 599 isc_buffer_init(&b, zone, sizeof(zone)); 600 dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE); 601 eresult = dns_name_towire(zo, &cctx, &b); 602 if (eresult == ISC_R_SUCCESS) { 603 isc_buffer_usedregion(&b, &zr); 604 } 605 } 606 607 if (client->message->opcode == dns_opcode_update) { 608 dtmsgtype = DNS_DTTYPE_UR; 609 } else if ((client->message->flags & DNS_MESSAGEFLAG_RD) != 0) { 610 dtmsgtype = DNS_DTTYPE_CR; 611 } else { 612 dtmsgtype = DNS_DTTYPE_AR; 613 } 614 #endif /* HAVE_DNSTAP */ 615 616 if (cleanup_cctx) { 617 dns_compress_invalidate(&cctx); 618 } 619 620 if (client->sendcb != NULL) { 621 client->sendcb(&buffer); 622 } else if (TCP_CLIENT(client)) { 623 isc_buffer_usedregion(&buffer, &r); 624 #ifdef HAVE_DNSTAP 625 if (client->view != NULL) { 626 dns_dt_send(client->view, dtmsgtype, &client->peeraddr, 627 &client->destsockaddr, true, &zr, 628 &client->requesttime, NULL, &buffer); 629 } 630 #endif /* HAVE_DNSTAP */ 631 632 respsize = isc_buffer_usedlength(&buffer); 633 634 client_sendpkg(client, &buffer); 635 636 switch (isc_sockaddr_pf(&client->peeraddr)) { 637 case AF_INET: 638 isc_stats_increment(client->sctx->tcpoutstats4, 639 ISC_MIN((int)respsize / 16, 256)); 640 break; 641 case AF_INET6: 642 isc_stats_increment(client->sctx->tcpoutstats6, 643 ISC_MIN((int)respsize / 16, 256)); 644 break; 645 default: 646 UNREACHABLE(); 647 } 648 } else { 649 #ifdef HAVE_DNSTAP 650 /* 651 * Log dnstap data first, because client_sendpkg() may 652 * leave client->view set to NULL. 653 */ 654 if (client->view != NULL) { 655 dns_dt_send(client->view, dtmsgtype, &client->peeraddr, 656 &client->destsockaddr, false, &zr, 657 &client->requesttime, NULL, &buffer); 658 } 659 #endif /* HAVE_DNSTAP */ 660 661 respsize = isc_buffer_usedlength(&buffer); 662 663 client_sendpkg(client, &buffer); 664 665 switch (isc_sockaddr_pf(&client->peeraddr)) { 666 case AF_INET: 667 isc_stats_increment(client->sctx->udpoutstats4, 668 ISC_MIN((int)respsize / 16, 256)); 669 break; 670 case AF_INET6: 671 isc_stats_increment(client->sctx->udpoutstats6, 672 ISC_MIN((int)respsize / 16, 256)); 673 break; 674 default: 675 UNREACHABLE(); 676 } 677 } 678 679 /* update statistics (XXXJT: is it okay to access message->xxxkey?) */ 680 ns_stats_increment(client->sctx->nsstats, ns_statscounter_response); 681 682 dns_rcodestats_increment(client->sctx->rcodestats, 683 client->message->rcode); 684 if (opt_included) { 685 ns_stats_increment(client->sctx->nsstats, 686 ns_statscounter_edns0out); 687 } 688 if (client->message->tsigkey != NULL) { 689 ns_stats_increment(client->sctx->nsstats, 690 ns_statscounter_tsigout); 691 } 692 if (client->message->sig0key != NULL) { 693 ns_stats_increment(client->sctx->nsstats, 694 ns_statscounter_sig0out); 695 } 696 if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0) { 697 ns_stats_increment(client->sctx->nsstats, 698 ns_statscounter_truncatedresp); 699 } 700 701 client->query.attributes |= NS_QUERYATTR_ANSWERED; 702 703 return; 704 705 cleanup: 706 if (client->tcpbuf != NULL) { 707 isc_mem_put(client->mctx, client->tcpbuf, 708 NS_CLIENT_TCP_BUFFER_SIZE); 709 client->tcpbuf = NULL; 710 } 711 712 if (cleanup_cctx) { 713 dns_compress_invalidate(&cctx); 714 } 715 } 716 717 #if NS_CLIENT_DROPPORT 718 #define DROPPORT_NO 0 719 #define DROPPORT_REQUEST 1 720 #define DROPPORT_RESPONSE 2 721 /*% 722 * ns_client_dropport determines if certain requests / responses 723 * should be dropped based on the port number. 724 * 725 * Returns: 726 * \li 0: Don't drop. 727 * \li 1: Drop request. 728 * \li 2: Drop (error) response. 729 */ 730 static int 731 ns_client_dropport(in_port_t port) { 732 switch (port) { 733 case 7: /* echo */ 734 case 13: /* daytime */ 735 case 19: /* chargen */ 736 case 37: /* time */ 737 return (DROPPORT_REQUEST); 738 case 464: /* kpasswd */ 739 return (DROPPORT_RESPONSE); 740 } 741 return (DROPPORT_NO); 742 } 743 #endif /* if NS_CLIENT_DROPPORT */ 744 745 void 746 ns_client_error(ns_client_t *client, isc_result_t result) { 747 dns_message_t *message = NULL; 748 dns_rcode_t rcode; 749 bool trunc = false; 750 751 REQUIRE(NS_CLIENT_VALID(client)); 752 753 CTRACE("error"); 754 755 message = client->message; 756 757 if (client->rcode_override == -1) { 758 rcode = dns_result_torcode(result); 759 } else { 760 rcode = (dns_rcode_t)(client->rcode_override & 0xfff); 761 } 762 763 if (result == ISC_R_MAXSIZE) { 764 trunc = true; 765 } 766 767 #if NS_CLIENT_DROPPORT 768 /* 769 * Don't send FORMERR to ports on the drop port list. 770 */ 771 if (rcode == dns_rcode_formerr && 772 ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) != 773 DROPPORT_NO) 774 { 775 char buf[64]; 776 isc_buffer_t b; 777 778 isc_buffer_init(&b, buf, sizeof(buf) - 1); 779 if (dns_rcode_totext(rcode, &b) != ISC_R_SUCCESS) { 780 isc_buffer_putstr(&b, "UNKNOWN RCODE"); 781 } 782 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 783 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10), 784 "dropped error (%.*s) response: suspicious port", 785 (int)isc_buffer_usedlength(&b), buf); 786 ns_client_drop(client, ISC_R_SUCCESS); 787 return; 788 } 789 #endif /* if NS_CLIENT_DROPPORT */ 790 791 /* 792 * Try to rate limit error responses. 793 */ 794 if (client->view != NULL && client->view->rrl != NULL) { 795 bool wouldlog; 796 char log_buf[DNS_RRL_LOG_BUF_LEN]; 797 dns_rrl_result_t rrl_result; 798 int loglevel; 799 800 if ((client->sctx->options & NS_SERVER_LOGQUERIES) != 0) { 801 loglevel = DNS_RRL_LOG_DROP; 802 } else { 803 loglevel = ISC_LOG_DEBUG(1); 804 } 805 wouldlog = isc_log_wouldlog(ns_lctx, loglevel); 806 rrl_result = dns_rrl(client->view, NULL, &client->peeraddr, 807 TCP_CLIENT(client), dns_rdataclass_in, 808 dns_rdatatype_none, NULL, result, 809 client->now, wouldlog, log_buf, 810 sizeof(log_buf)); 811 if (rrl_result != DNS_RRL_RESULT_OK) { 812 /* 813 * Log dropped errors in the query category 814 * so that they are not lost in silence. 815 * Starts of rate-limited bursts are logged in 816 * NS_LOGCATEGORY_RRL. 817 */ 818 if (wouldlog) { 819 ns_client_log(client, 820 NS_LOGCATEGORY_QUERY_ERRORS, 821 NS_LOGMODULE_CLIENT, loglevel, 822 "%s", log_buf); 823 } 824 /* 825 * Some error responses cannot be 'slipped', 826 * so don't try to slip any error responses. 827 */ 828 if (!client->view->rrl->log_only) { 829 ns_stats_increment(client->sctx->nsstats, 830 ns_statscounter_ratedropped); 831 ns_stats_increment(client->sctx->nsstats, 832 ns_statscounter_dropped); 833 ns_client_drop(client, DNS_R_DROP); 834 return; 835 } 836 } 837 } 838 839 /* 840 * Message may be an in-progress reply that we had trouble 841 * with, in which case QR will be set. We need to clear QR before 842 * calling dns_message_reply() to avoid triggering an assertion. 843 */ 844 message->flags &= ~DNS_MESSAGEFLAG_QR; 845 /* 846 * AA and AD shouldn't be set. 847 */ 848 message->flags &= ~(DNS_MESSAGEFLAG_AA | DNS_MESSAGEFLAG_AD); 849 result = dns_message_reply(message, true); 850 if (result != ISC_R_SUCCESS) { 851 /* 852 * It could be that we've got a query with a good header, 853 * but a bad question section, so we try again with 854 * want_question_section set to false. 855 */ 856 result = dns_message_reply(message, false); 857 if (result != ISC_R_SUCCESS) { 858 ns_client_drop(client, result); 859 return; 860 } 861 } 862 863 message->rcode = rcode; 864 if (trunc) { 865 message->flags |= DNS_MESSAGEFLAG_TC; 866 } 867 868 if (rcode == dns_rcode_formerr) { 869 /* 870 * FORMERR loop avoidance: If we sent a FORMERR message 871 * with the same ID to the same client less than two 872 * seconds ago, assume that we are in an infinite error 873 * packet dialog with a server for some protocol whose 874 * error responses look enough like DNS queries to 875 * elicit a FORMERR response. Drop a packet to break 876 * the loop. 877 */ 878 if (isc_sockaddr_equal(&client->peeraddr, 879 &client->formerrcache.addr) && 880 message->id == client->formerrcache.id && 881 (isc_time_seconds(&client->requesttime) - 882 client->formerrcache.time) < 2) 883 { 884 /* Drop packet. */ 885 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 886 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), 887 "possible error packet loop, " 888 "FORMERR dropped"); 889 ns_client_drop(client, result); 890 return; 891 } 892 client->formerrcache.addr = client->peeraddr; 893 client->formerrcache.time = 894 isc_time_seconds(&client->requesttime); 895 client->formerrcache.id = message->id; 896 } else if (rcode == dns_rcode_servfail && client->query.qname != NULL && 897 client->view != NULL && client->view->fail_ttl != 0 && 898 ((client->attributes & NS_CLIENTATTR_NOSETFC) == 0)) 899 { 900 /* 901 * SERVFAIL caching: store qname/qtype of failed queries 902 */ 903 isc_time_t expire; 904 isc_interval_t i; 905 uint32_t flags = 0; 906 907 if ((message->flags & DNS_MESSAGEFLAG_CD) != 0) { 908 flags = NS_FAILCACHE_CD; 909 } 910 911 isc_interval_set(&i, client->view->fail_ttl, 0); 912 result = isc_time_nowplusinterval(&expire, &i); 913 if (result == ISC_R_SUCCESS) { 914 dns_badcache_add( 915 client->view->failcache, client->query.qname, 916 client->query.qtype, true, flags, &expire); 917 } 918 } 919 920 ns_client_send(client); 921 } 922 923 isc_result_t 924 ns_client_addopt(ns_client_t *client, dns_message_t *message, 925 dns_rdataset_t **opt) { 926 unsigned char ecs[ECS_SIZE]; 927 char nsid[_POSIX_HOST_NAME_MAX + 1], *nsidp = NULL; 928 unsigned char cookie[COOKIE_SIZE]; 929 isc_result_t result; 930 dns_view_t *view; 931 dns_resolver_t *resolver; 932 uint16_t udpsize; 933 dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS]; 934 int count = 0; 935 unsigned int flags; 936 unsigned char expire[4]; 937 unsigned char advtimo[2]; 938 dns_aclenv_t *env; 939 940 REQUIRE(NS_CLIENT_VALID(client)); 941 REQUIRE(opt != NULL && *opt == NULL); 942 REQUIRE(message != NULL); 943 944 env = ns_interfacemgr_getaclenv(client->manager->interface->mgr); 945 view = client->view; 946 resolver = (view != NULL) ? view->resolver : NULL; 947 if (resolver != NULL) { 948 udpsize = dns_resolver_getudpsize(resolver); 949 } else { 950 udpsize = client->sctx->udpsize; 951 } 952 953 flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE; 954 955 /* Set EDNS options if applicable */ 956 if (WANTNSID(client)) { 957 if (client->sctx->server_id != NULL) { 958 nsidp = client->sctx->server_id; 959 } else if (client->sctx->gethostname != NULL) { 960 result = client->sctx->gethostname(nsid, sizeof(nsid)); 961 if (result != ISC_R_SUCCESS) { 962 goto no_nsid; 963 } 964 nsidp = nsid; 965 } else { 966 goto no_nsid; 967 } 968 969 INSIST(count < DNS_EDNSOPTIONS); 970 ednsopts[count].code = DNS_OPT_NSID; 971 ednsopts[count].length = (uint16_t)strlen(nsidp); 972 ednsopts[count].value = (unsigned char *)nsidp; 973 count++; 974 } 975 no_nsid: 976 if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) { 977 isc_buffer_t buf; 978 isc_stdtime_t now; 979 uint32_t nonce; 980 981 isc_buffer_init(&buf, cookie, sizeof(cookie)); 982 isc_stdtime_get(&now); 983 984 isc_random_buf(&nonce, sizeof(nonce)); 985 986 compute_cookie(client, now, nonce, client->sctx->secret, &buf); 987 988 INSIST(count < DNS_EDNSOPTIONS); 989 ednsopts[count].code = DNS_OPT_COOKIE; 990 ednsopts[count].length = COOKIE_SIZE; 991 ednsopts[count].value = cookie; 992 count++; 993 } 994 if ((client->attributes & NS_CLIENTATTR_HAVEEXPIRE) != 0) { 995 isc_buffer_t buf; 996 997 INSIST(count < DNS_EDNSOPTIONS); 998 999 isc_buffer_init(&buf, expire, sizeof(expire)); 1000 isc_buffer_putuint32(&buf, client->expire); 1001 ednsopts[count].code = DNS_OPT_EXPIRE; 1002 ednsopts[count].length = 4; 1003 ednsopts[count].value = expire; 1004 count++; 1005 } 1006 if (((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) && 1007 (client->ecs.addr.family == AF_INET || 1008 client->ecs.addr.family == AF_INET6 || 1009 client->ecs.addr.family == AF_UNSPEC)) 1010 { 1011 isc_buffer_t buf; 1012 uint8_t addr[16]; 1013 uint32_t plen, addrl; 1014 uint16_t family = 0; 1015 1016 /* Add CLIENT-SUBNET option. */ 1017 1018 plen = client->ecs.source; 1019 1020 /* Round up prefix len to a multiple of 8 */ 1021 addrl = (plen + 7) / 8; 1022 1023 switch (client->ecs.addr.family) { 1024 case AF_UNSPEC: 1025 INSIST(plen == 0); 1026 family = 0; 1027 break; 1028 case AF_INET: 1029 INSIST(plen <= 32); 1030 family = 1; 1031 memmove(addr, &client->ecs.addr.type, addrl); 1032 break; 1033 case AF_INET6: 1034 INSIST(plen <= 128); 1035 family = 2; 1036 memmove(addr, &client->ecs.addr.type, addrl); 1037 break; 1038 default: 1039 UNREACHABLE(); 1040 } 1041 1042 isc_buffer_init(&buf, ecs, sizeof(ecs)); 1043 /* family */ 1044 isc_buffer_putuint16(&buf, family); 1045 /* source prefix-length */ 1046 isc_buffer_putuint8(&buf, client->ecs.source); 1047 /* scope prefix-length */ 1048 isc_buffer_putuint8(&buf, client->ecs.scope); 1049 1050 /* address */ 1051 if (addrl > 0) { 1052 /* Mask off last address byte */ 1053 if ((plen % 8) != 0) { 1054 addr[addrl - 1] &= ~0U << (8 - (plen % 8)); 1055 } 1056 isc_buffer_putmem(&buf, addr, (unsigned)addrl); 1057 } 1058 1059 ednsopts[count].code = DNS_OPT_CLIENT_SUBNET; 1060 ednsopts[count].length = addrl + 4; 1061 ednsopts[count].value = ecs; 1062 count++; 1063 } 1064 if (TCP_CLIENT(client) && USEKEEPALIVE(client)) { 1065 isc_buffer_t buf; 1066 uint32_t adv; 1067 1068 INSIST(count < DNS_EDNSOPTIONS); 1069 1070 isc_nm_gettimeouts(isc_nmhandle_netmgr(client->handle), NULL, 1071 NULL, NULL, &adv); 1072 adv /= 100; /* units of 100 milliseconds */ 1073 isc_buffer_init(&buf, advtimo, sizeof(advtimo)); 1074 isc_buffer_putuint16(&buf, (uint16_t)adv); 1075 ednsopts[count].code = DNS_OPT_TCP_KEEPALIVE; 1076 ednsopts[count].length = 2; 1077 ednsopts[count].value = advtimo; 1078 count++; 1079 } 1080 1081 /* Padding must be added last */ 1082 if ((view != NULL) && (view->padding > 0) && WANTPAD(client) && 1083 (TCP_CLIENT(client) || 1084 ((client->attributes & NS_CLIENTATTR_HAVECOOKIE) != 0))) 1085 { 1086 isc_netaddr_t netaddr; 1087 int match; 1088 1089 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); 1090 result = dns_acl_match(&netaddr, NULL, view->pad_acl, env, 1091 &match, NULL); 1092 if (result == ISC_R_SUCCESS && match > 0) { 1093 INSIST(count < DNS_EDNSOPTIONS); 1094 1095 ednsopts[count].code = DNS_OPT_PAD; 1096 ednsopts[count].length = 0; 1097 ednsopts[count].value = NULL; 1098 count++; 1099 1100 dns_message_setpadding(message, view->padding); 1101 } 1102 } 1103 1104 result = dns_message_buildopt(message, opt, 0, udpsize, flags, ednsopts, 1105 count); 1106 return (result); 1107 } 1108 1109 static void 1110 compute_cookie(ns_client_t *client, uint32_t when, uint32_t nonce, 1111 const unsigned char *secret, isc_buffer_t *buf) { 1112 unsigned char digest[ISC_MAX_MD_SIZE] ISC_NONSTRING = { 0 }; 1113 STATIC_ASSERT(ISC_MAX_MD_SIZE >= ISC_SIPHASH24_TAG_LENGTH, "You need " 1114 "to " 1115 "increase " 1116 "the digest " 1117 "buffer."); 1118 STATIC_ASSERT(ISC_MAX_MD_SIZE >= ISC_AES_BLOCK_LENGTH, "You need to " 1119 "increase the " 1120 "digest " 1121 "buffer."); 1122 1123 switch (client->sctx->cookiealg) { 1124 case ns_cookiealg_siphash24: { 1125 unsigned char input[16 + 16] ISC_NONSTRING = { 0 }; 1126 size_t inputlen = 0; 1127 isc_netaddr_t netaddr; 1128 unsigned char *cp; 1129 1130 cp = isc_buffer_used(buf); 1131 isc_buffer_putmem(buf, client->cookie, 8); 1132 isc_buffer_putuint8(buf, NS_COOKIE_VERSION_1); 1133 isc_buffer_putuint24(buf, 0); /* Reserved */ 1134 isc_buffer_putuint32(buf, when); 1135 1136 memmove(input, cp, 16); 1137 1138 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); 1139 switch (netaddr.family) { 1140 case AF_INET: 1141 cp = (unsigned char *)&netaddr.type.in; 1142 memmove(input + 16, cp, 4); 1143 inputlen = 20; 1144 break; 1145 case AF_INET6: 1146 cp = (unsigned char *)&netaddr.type.in6; 1147 memmove(input + 16, cp, 16); 1148 inputlen = 32; 1149 break; 1150 default: 1151 UNREACHABLE(); 1152 } 1153 1154 isc_siphash24(secret, input, inputlen, digest); 1155 isc_buffer_putmem(buf, digest, 8); 1156 break; 1157 } 1158 case ns_cookiealg_aes: { 1159 unsigned char input[4 + 4 + 16] ISC_NONSTRING = { 0 }; 1160 isc_netaddr_t netaddr; 1161 unsigned char *cp; 1162 unsigned int i; 1163 1164 cp = isc_buffer_used(buf); 1165 isc_buffer_putmem(buf, client->cookie, 8); 1166 isc_buffer_putuint32(buf, nonce); 1167 isc_buffer_putuint32(buf, when); 1168 memmove(input, cp, 16); 1169 isc_aes128_crypt(secret, input, digest); 1170 for (i = 0; i < 8; i++) { 1171 input[i] = digest[i] ^ digest[i + 8]; 1172 } 1173 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); 1174 switch (netaddr.family) { 1175 case AF_INET: 1176 cp = (unsigned char *)&netaddr.type.in; 1177 memmove(input + 8, cp, 4); 1178 memset(input + 12, 0, 4); 1179 isc_aes128_crypt(secret, input, digest); 1180 break; 1181 case AF_INET6: 1182 cp = (unsigned char *)&netaddr.type.in6; 1183 memmove(input + 8, cp, 16); 1184 isc_aes128_crypt(secret, input, digest); 1185 for (i = 0; i < 8; i++) { 1186 input[i + 8] = digest[i] ^ digest[i + 8]; 1187 } 1188 isc_aes128_crypt(client->sctx->secret, input + 8, 1189 digest); 1190 break; 1191 default: 1192 UNREACHABLE(); 1193 } 1194 for (i = 0; i < 8; i++) { 1195 digest[i] ^= digest[i + 8]; 1196 } 1197 isc_buffer_putmem(buf, digest, 8); 1198 break; 1199 } 1200 1201 default: 1202 UNREACHABLE(); 1203 } 1204 } 1205 1206 static void 1207 process_cookie(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { 1208 ns_altsecret_t *altsecret; 1209 unsigned char dbuf[COOKIE_SIZE]; 1210 unsigned char *old; 1211 isc_stdtime_t now; 1212 uint32_t when; 1213 uint32_t nonce; 1214 isc_buffer_t db; 1215 1216 /* 1217 * If we have already seen a cookie option skip this cookie option. 1218 */ 1219 if ((!client->sctx->answercookie) || 1220 (client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) 1221 { 1222 isc_buffer_forward(buf, (unsigned int)optlen); 1223 return; 1224 } 1225 1226 client->attributes |= NS_CLIENTATTR_WANTCOOKIE; 1227 1228 ns_stats_increment(client->sctx->nsstats, ns_statscounter_cookiein); 1229 1230 if (optlen != COOKIE_SIZE) { 1231 /* 1232 * Not our token. 1233 */ 1234 INSIST(optlen >= 8U); 1235 memmove(client->cookie, isc_buffer_current(buf), 8); 1236 isc_buffer_forward(buf, (unsigned int)optlen); 1237 1238 if (optlen == 8U) { 1239 ns_stats_increment(client->sctx->nsstats, 1240 ns_statscounter_cookienew); 1241 } else { 1242 ns_stats_increment(client->sctx->nsstats, 1243 ns_statscounter_cookiebadsize); 1244 } 1245 return; 1246 } 1247 1248 /* 1249 * Process all of the incoming buffer. 1250 */ 1251 old = isc_buffer_current(buf); 1252 memmove(client->cookie, old, 8); 1253 isc_buffer_forward(buf, 8); 1254 nonce = isc_buffer_getuint32(buf); 1255 when = isc_buffer_getuint32(buf); 1256 isc_buffer_forward(buf, 8); 1257 1258 /* 1259 * Allow for a 5 minute clock skew between servers sharing a secret. 1260 * Only accept COOKIE if we have talked to the client in the last hour. 1261 */ 1262 isc_stdtime_get(&now); 1263 if (isc_serial_gt(when, (now + 300)) || /* In the future. */ 1264 isc_serial_lt(when, (now - 3600))) 1265 { /* In the past. */ 1266 ns_stats_increment(client->sctx->nsstats, 1267 ns_statscounter_cookiebadtime); 1268 return; 1269 } 1270 1271 isc_buffer_init(&db, dbuf, sizeof(dbuf)); 1272 compute_cookie(client, when, nonce, client->sctx->secret, &db); 1273 1274 if (isc_safe_memequal(old, dbuf, COOKIE_SIZE)) { 1275 ns_stats_increment(client->sctx->nsstats, 1276 ns_statscounter_cookiematch); 1277 client->attributes |= NS_CLIENTATTR_HAVECOOKIE; 1278 return; 1279 } 1280 1281 for (altsecret = ISC_LIST_HEAD(client->sctx->altsecrets); 1282 altsecret != NULL; altsecret = ISC_LIST_NEXT(altsecret, link)) 1283 { 1284 isc_buffer_init(&db, dbuf, sizeof(dbuf)); 1285 compute_cookie(client, when, nonce, altsecret->secret, &db); 1286 if (isc_safe_memequal(old, dbuf, COOKIE_SIZE)) { 1287 ns_stats_increment(client->sctx->nsstats, 1288 ns_statscounter_cookiematch); 1289 client->attributes |= NS_CLIENTATTR_HAVECOOKIE; 1290 return; 1291 } 1292 } 1293 1294 ns_stats_increment(client->sctx->nsstats, 1295 ns_statscounter_cookienomatch); 1296 } 1297 1298 static isc_result_t 1299 process_ecs(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { 1300 uint16_t family; 1301 uint8_t addrlen, addrbytes, scope, *paddr; 1302 isc_netaddr_t caddr; 1303 1304 /* 1305 * If we have already seen a ECS option skip this ECS option. 1306 */ 1307 if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) { 1308 isc_buffer_forward(buf, (unsigned int)optlen); 1309 return (ISC_R_SUCCESS); 1310 } 1311 1312 /* 1313 * XXXMUKS: Is there any need to repeat these checks here 1314 * (except query's scope length) when they are done in the OPT 1315 * RDATA fromwire code? 1316 */ 1317 1318 if (optlen < 4U) { 1319 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 1320 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), 1321 "EDNS client-subnet option too short"); 1322 return (DNS_R_FORMERR); 1323 } 1324 1325 family = isc_buffer_getuint16(buf); 1326 addrlen = isc_buffer_getuint8(buf); 1327 scope = isc_buffer_getuint8(buf); 1328 optlen -= 4; 1329 1330 if (scope != 0U) { 1331 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 1332 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), 1333 "EDNS client-subnet option: invalid scope"); 1334 return (DNS_R_OPTERR); 1335 } 1336 1337 memset(&caddr, 0, sizeof(caddr)); 1338 switch (family) { 1339 case 0: 1340 /* 1341 * XXXMUKS: In queries, if FAMILY is set to 0, SOURCE 1342 * PREFIX-LENGTH must be 0 and ADDRESS should not be 1343 * present as the address and prefix lengths don't make 1344 * sense because the family is unknown. 1345 */ 1346 if (addrlen != 0U) { 1347 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 1348 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), 1349 "EDNS client-subnet option: invalid " 1350 "address length (%u) for FAMILY=0", 1351 addrlen); 1352 return (DNS_R_OPTERR); 1353 } 1354 caddr.family = AF_UNSPEC; 1355 break; 1356 case 1: 1357 if (addrlen > 32U) { 1358 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 1359 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), 1360 "EDNS client-subnet option: invalid " 1361 "address length (%u) for IPv4", 1362 addrlen); 1363 return (DNS_R_OPTERR); 1364 } 1365 caddr.family = AF_INET; 1366 break; 1367 case 2: 1368 if (addrlen > 128U) { 1369 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 1370 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), 1371 "EDNS client-subnet option: invalid " 1372 "address length (%u) for IPv6", 1373 addrlen); 1374 return (DNS_R_OPTERR); 1375 } 1376 caddr.family = AF_INET6; 1377 break; 1378 default: 1379 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 1380 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), 1381 "EDNS client-subnet option: invalid family"); 1382 return (DNS_R_OPTERR); 1383 } 1384 1385 addrbytes = (addrlen + 7) / 8; 1386 if (isc_buffer_remaininglength(buf) < addrbytes) { 1387 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 1388 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2), 1389 "EDNS client-subnet option: address too short"); 1390 return (DNS_R_OPTERR); 1391 } 1392 1393 paddr = (uint8_t *)&caddr.type; 1394 if (addrbytes != 0U) { 1395 memmove(paddr, isc_buffer_current(buf), addrbytes); 1396 isc_buffer_forward(buf, addrbytes); 1397 optlen -= addrbytes; 1398 1399 if ((addrlen % 8) != 0) { 1400 uint8_t bits = ~0U << (8 - (addrlen % 8)); 1401 bits &= paddr[addrbytes - 1]; 1402 if (bits != paddr[addrbytes - 1]) { 1403 return (DNS_R_OPTERR); 1404 } 1405 } 1406 } 1407 1408 memmove(&client->ecs.addr, &caddr, sizeof(caddr)); 1409 client->ecs.source = addrlen; 1410 client->ecs.scope = 0; 1411 client->attributes |= NS_CLIENTATTR_HAVEECS; 1412 1413 isc_buffer_forward(buf, (unsigned int)optlen); 1414 return (ISC_R_SUCCESS); 1415 } 1416 1417 static isc_result_t 1418 process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { 1419 if (optlen == 0 || (optlen % 2) != 0) { 1420 isc_buffer_forward(buf, (unsigned int)optlen); 1421 return (DNS_R_OPTERR); 1422 } 1423 1424 /* Silently drop additional keytag options. */ 1425 if (client->keytag != NULL) { 1426 isc_buffer_forward(buf, (unsigned int)optlen); 1427 return (ISC_R_SUCCESS); 1428 } 1429 1430 client->keytag = isc_mem_get(client->mctx, optlen); 1431 { 1432 client->keytag_len = (uint16_t)optlen; 1433 memmove(client->keytag, isc_buffer_current(buf), optlen); 1434 } 1435 isc_buffer_forward(buf, (unsigned int)optlen); 1436 return (ISC_R_SUCCESS); 1437 } 1438 1439 static isc_result_t 1440 process_opt(ns_client_t *client, dns_rdataset_t *opt) { 1441 dns_rdata_t rdata; 1442 isc_buffer_t optbuf; 1443 isc_result_t result; 1444 uint16_t optcode; 1445 uint16_t optlen; 1446 1447 /* 1448 * Set the client's UDP buffer size. 1449 */ 1450 client->udpsize = opt->rdclass; 1451 1452 /* 1453 * If the requested UDP buffer size is less than 512, 1454 * ignore it and use 512. 1455 */ 1456 if (client->udpsize < 512) { 1457 client->udpsize = 512; 1458 } 1459 1460 /* 1461 * Get the flags out of the OPT record. 1462 */ 1463 client->extflags = (uint16_t)(opt->ttl & 0xFFFF); 1464 1465 /* 1466 * Do we understand this version of EDNS? 1467 * 1468 * XXXRTH need library support for this! 1469 */ 1470 client->ednsversion = (opt->ttl & 0x00FF0000) >> 16; 1471 if (client->ednsversion > DNS_EDNS_VERSION) { 1472 ns_stats_increment(client->sctx->nsstats, 1473 ns_statscounter_badednsver); 1474 result = ns_client_addopt(client, client->message, 1475 &client->opt); 1476 if (result == ISC_R_SUCCESS) { 1477 result = DNS_R_BADVERS; 1478 } 1479 ns_client_error(client, result); 1480 return (result); 1481 } 1482 1483 /* Check for NSID request */ 1484 result = dns_rdataset_first(opt); 1485 if (result == ISC_R_SUCCESS) { 1486 dns_rdata_init(&rdata); 1487 dns_rdataset_current(opt, &rdata); 1488 isc_buffer_init(&optbuf, rdata.data, rdata.length); 1489 isc_buffer_add(&optbuf, rdata.length); 1490 while (isc_buffer_remaininglength(&optbuf) >= 4) { 1491 optcode = isc_buffer_getuint16(&optbuf); 1492 optlen = isc_buffer_getuint16(&optbuf); 1493 switch (optcode) { 1494 case DNS_OPT_NSID: 1495 if (!WANTNSID(client)) { 1496 ns_stats_increment( 1497 client->sctx->nsstats, 1498 ns_statscounter_nsidopt); 1499 } 1500 client->attributes |= NS_CLIENTATTR_WANTNSID; 1501 isc_buffer_forward(&optbuf, optlen); 1502 break; 1503 case DNS_OPT_COOKIE: 1504 process_cookie(client, &optbuf, optlen); 1505 break; 1506 case DNS_OPT_EXPIRE: 1507 if (!WANTEXPIRE(client)) { 1508 ns_stats_increment( 1509 client->sctx->nsstats, 1510 ns_statscounter_expireopt); 1511 } 1512 client->attributes |= NS_CLIENTATTR_WANTEXPIRE; 1513 isc_buffer_forward(&optbuf, optlen); 1514 break; 1515 case DNS_OPT_CLIENT_SUBNET: 1516 result = process_ecs(client, &optbuf, optlen); 1517 if (result != ISC_R_SUCCESS) { 1518 ns_client_error(client, result); 1519 return (result); 1520 } 1521 ns_stats_increment(client->sctx->nsstats, 1522 ns_statscounter_ecsopt); 1523 break; 1524 case DNS_OPT_TCP_KEEPALIVE: 1525 if (!USEKEEPALIVE(client)) { 1526 ns_stats_increment( 1527 client->sctx->nsstats, 1528 ns_statscounter_keepaliveopt); 1529 } 1530 client->attributes |= 1531 NS_CLIENTATTR_USEKEEPALIVE; 1532 isc_nmhandle_keepalive(client->handle, true); 1533 isc_buffer_forward(&optbuf, optlen); 1534 break; 1535 case DNS_OPT_PAD: 1536 client->attributes |= NS_CLIENTATTR_WANTPAD; 1537 ns_stats_increment(client->sctx->nsstats, 1538 ns_statscounter_padopt); 1539 isc_buffer_forward(&optbuf, optlen); 1540 break; 1541 case DNS_OPT_KEY_TAG: 1542 result = process_keytag(client, &optbuf, 1543 optlen); 1544 if (result != ISC_R_SUCCESS) { 1545 ns_client_error(client, result); 1546 return (result); 1547 } 1548 ns_stats_increment(client->sctx->nsstats, 1549 ns_statscounter_keytagopt); 1550 break; 1551 default: 1552 ns_stats_increment(client->sctx->nsstats, 1553 ns_statscounter_otheropt); 1554 isc_buffer_forward(&optbuf, optlen); 1555 break; 1556 } 1557 } 1558 } 1559 1560 ns_stats_increment(client->sctx->nsstats, ns_statscounter_edns0in); 1561 client->attributes |= NS_CLIENTATTR_WANTOPT; 1562 1563 return (result); 1564 } 1565 1566 void 1567 ns__client_reset_cb(void *client0) { 1568 ns_client_t *client = client0; 1569 1570 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, 1571 ISC_LOG_DEBUG(3), "reset client"); 1572 1573 /* 1574 * We never started processing this client, possible if we're 1575 * shutting down, just exit. 1576 */ 1577 if (client->state == NS_CLIENTSTATE_READY) { 1578 return; 1579 } 1580 1581 ns_client_endrequest(client); 1582 if (client->tcpbuf != NULL) { 1583 isc_mem_put(client->mctx, client->tcpbuf, 1584 NS_CLIENT_TCP_BUFFER_SIZE); 1585 } 1586 1587 if (client->keytag != NULL) { 1588 isc_mem_put(client->mctx, client->keytag, client->keytag_len); 1589 client->keytag_len = 0; 1590 } 1591 1592 client->state = NS_CLIENTSTATE_READY; 1593 INSIST(client->recursionquota == NULL); 1594 } 1595 1596 void 1597 ns__client_put_cb(void *client0) { 1598 ns_client_t *client = client0; 1599 1600 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, 1601 ISC_LOG_DEBUG(3), "freeing client"); 1602 1603 /* 1604 * Call this first because it requires a valid client. 1605 */ 1606 ns_query_free(client); 1607 1608 client->magic = 0; 1609 client->shuttingdown = true; 1610 1611 if (client->manager != NULL) { 1612 clientmgr_detach(&client->manager); 1613 } 1614 1615 isc_mem_put(client->mctx, client->sendbuf, NS_CLIENT_SEND_BUFFER_SIZE); 1616 if (client->opt != NULL) { 1617 INSIST(dns_rdataset_isassociated(client->opt)); 1618 dns_rdataset_disassociate(client->opt); 1619 dns_message_puttemprdataset(client->message, &client->opt); 1620 } 1621 1622 dns_message_detach(&client->message); 1623 1624 /* 1625 * Detaching the task must be done after unlinking from 1626 * the manager's lists because the manager accesses 1627 * client->task. 1628 */ 1629 if (client->task != NULL) { 1630 isc_task_detach(&client->task); 1631 } 1632 1633 /* 1634 * Destroy the fetchlock mutex that was created in 1635 * ns_query_init(). 1636 */ 1637 isc_mutex_destroy(&client->query.fetchlock); 1638 1639 if (client->sctx != NULL) { 1640 ns_server_detach(&client->sctx); 1641 } 1642 1643 if (client->mctx != NULL) { 1644 isc_mem_detach(&client->mctx); 1645 } 1646 } 1647 1648 /* 1649 * Handle an incoming request event from the socket (UDP case) 1650 * or tcpmsg (TCP case). 1651 */ 1652 void 1653 ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult, 1654 isc_region_t *region, void *arg) { 1655 ns_client_t *client = NULL; 1656 isc_result_t result; 1657 isc_result_t sigresult = ISC_R_SUCCESS; 1658 isc_buffer_t *buffer = NULL; 1659 isc_buffer_t tbuffer; 1660 dns_rdataset_t *opt = NULL; 1661 const dns_name_t *signame = NULL; 1662 bool ra; /* Recursion available. */ 1663 isc_netaddr_t netaddr; 1664 int match; 1665 dns_messageid_t id; 1666 unsigned int flags; 1667 bool notimp; 1668 size_t reqsize; 1669 dns_aclenv_t *env = NULL; 1670 #ifdef HAVE_DNSTAP 1671 dns_dtmsgtype_t dtmsgtype; 1672 #endif /* ifdef HAVE_DNSTAP */ 1673 1674 if (eresult != ISC_R_SUCCESS) { 1675 return; 1676 } 1677 1678 client = isc_nmhandle_getdata(handle); 1679 if (client == NULL) { 1680 ns_interface_t *ifp = (ns_interface_t *)arg; 1681 1682 INSIST(VALID_MANAGER(ifp->clientmgr)); 1683 1684 client = isc_nmhandle_getextra(handle); 1685 1686 result = ns__client_setup(client, ifp->clientmgr, true); 1687 if (result != ISC_R_SUCCESS) { 1688 return; 1689 } 1690 1691 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 1692 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), 1693 "allocate new client"); 1694 } else { 1695 result = ns__client_setup(client, NULL, false); 1696 if (result != ISC_R_SUCCESS) { 1697 return; 1698 } 1699 } 1700 1701 client->state = NS_CLIENTSTATE_READY; 1702 1703 isc_task_pause(client->task); 1704 if (client->handle == NULL) { 1705 isc_nmhandle_setdata(handle, client, ns__client_reset_cb, 1706 ns__client_put_cb); 1707 client->handle = handle; 1708 } 1709 1710 if (isc_nmhandle_is_stream(handle)) { 1711 client->attributes |= NS_CLIENTATTR_TCP; 1712 } 1713 1714 INSIST(client->recursionquota == NULL); 1715 1716 INSIST(client->state == NS_CLIENTSTATE_READY); 1717 1718 (void)atomic_fetch_add_relaxed(&ns_client_requests, 1); 1719 1720 isc_buffer_init(&tbuffer, region->base, region->length); 1721 isc_buffer_add(&tbuffer, region->length); 1722 buffer = &tbuffer; 1723 1724 client->peeraddr = isc_nmhandle_peeraddr(handle); 1725 client->peeraddr_valid = true; 1726 1727 reqsize = isc_buffer_usedlength(buffer); 1728 1729 client->state = NS_CLIENTSTATE_WORKING; 1730 1731 TIME_NOW(&client->requesttime); 1732 client->tnow = client->requesttime; 1733 client->now = isc_time_seconds(&client->tnow); 1734 1735 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); 1736 1737 #if NS_CLIENT_DROPPORT 1738 if (ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) == 1739 DROPPORT_REQUEST) 1740 { 1741 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 1742 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10), 1743 "dropped request: suspicious port"); 1744 isc_task_unpause(client->task); 1745 return; 1746 } 1747 #endif /* if NS_CLIENT_DROPPORT */ 1748 1749 env = ns_interfacemgr_getaclenv(client->manager->interface->mgr); 1750 if (client->sctx->blackholeacl != NULL && 1751 (dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl, env, 1752 &match, NULL) == ISC_R_SUCCESS) && 1753 match > 0) 1754 { 1755 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 1756 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10), 1757 "dropped request: blackholed peer"); 1758 isc_task_unpause(client->task); 1759 return; 1760 } 1761 1762 ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, 1763 ISC_LOG_DEBUG(3), "%s request", 1764 TCP_CLIENT(client) ? "TCP" : "UDP"); 1765 1766 result = dns_message_peekheader(buffer, &id, &flags); 1767 if (result != ISC_R_SUCCESS) { 1768 /* 1769 * There isn't enough header to determine whether 1770 * this was a request or a response. Drop it. 1771 */ 1772 isc_task_unpause(client->task); 1773 return; 1774 } 1775 1776 /* 1777 * The client object handles requests, not responses. 1778 * If this is a UDP response, forward it to the dispatcher. 1779 * If it's a TCP response, discard it here. 1780 */ 1781 if ((flags & DNS_MESSAGEFLAG_QR) != 0) { 1782 CTRACE("unexpected response"); 1783 isc_task_unpause(client->task); 1784 return; 1785 } 1786 1787 /* 1788 * Update some statistics counters. Don't count responses. 1789 */ 1790 if (isc_sockaddr_pf(&client->peeraddr) == PF_INET) { 1791 ns_stats_increment(client->sctx->nsstats, 1792 ns_statscounter_requestv4); 1793 } else { 1794 ns_stats_increment(client->sctx->nsstats, 1795 ns_statscounter_requestv6); 1796 } 1797 if (TCP_CLIENT(client)) { 1798 ns_stats_increment(client->sctx->nsstats, 1799 ns_statscounter_requesttcp); 1800 switch (isc_sockaddr_pf(&client->peeraddr)) { 1801 case AF_INET: 1802 isc_stats_increment(client->sctx->tcpinstats4, 1803 ISC_MIN((int)reqsize / 16, 18)); 1804 break; 1805 case AF_INET6: 1806 isc_stats_increment(client->sctx->tcpinstats6, 1807 ISC_MIN((int)reqsize / 16, 18)); 1808 break; 1809 default: 1810 UNREACHABLE(); 1811 } 1812 } else { 1813 switch (isc_sockaddr_pf(&client->peeraddr)) { 1814 case AF_INET: 1815 isc_stats_increment(client->sctx->udpinstats4, 1816 ISC_MIN((int)reqsize / 16, 18)); 1817 break; 1818 case AF_INET6: 1819 isc_stats_increment(client->sctx->udpinstats6, 1820 ISC_MIN((int)reqsize / 16, 18)); 1821 break; 1822 default: 1823 UNREACHABLE(); 1824 } 1825 } 1826 1827 /* 1828 * It's a request. Parse it. 1829 */ 1830 result = dns_message_parse(client->message, buffer, 0); 1831 if (result != ISC_R_SUCCESS) { 1832 /* 1833 * Parsing the request failed. Send a response 1834 * (typically FORMERR or SERVFAIL). 1835 */ 1836 if (result == DNS_R_OPTERR) { 1837 (void)ns_client_addopt(client, client->message, 1838 &client->opt); 1839 } 1840 1841 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 1842 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), 1843 "message parsing failed: %s", 1844 isc_result_totext(result)); 1845 if (result == ISC_R_NOSPACE || result == DNS_R_BADTSIG) { 1846 result = DNS_R_FORMERR; 1847 } 1848 ns_client_error(client, result); 1849 isc_task_unpause(client->task); 1850 return; 1851 } 1852 1853 /* 1854 * Disable pipelined TCP query processing if necessary. 1855 */ 1856 if (TCP_CLIENT(client) && 1857 (client->message->opcode != dns_opcode_query || 1858 (client->sctx->keepresporder != NULL && 1859 dns_acl_allowed(&netaddr, NULL, client->sctx->keepresporder, 1860 env)))) 1861 { 1862 isc_nm_tcpdns_sequential(handle); 1863 } 1864 1865 dns_opcodestats_increment(client->sctx->opcodestats, 1866 client->message->opcode); 1867 switch (client->message->opcode) { 1868 case dns_opcode_query: 1869 case dns_opcode_update: 1870 case dns_opcode_notify: 1871 notimp = false; 1872 break; 1873 case dns_opcode_iquery: 1874 default: 1875 notimp = true; 1876 break; 1877 } 1878 1879 client->message->rcode = dns_rcode_noerror; 1880 1881 /* 1882 * Deal with EDNS. 1883 */ 1884 if ((client->sctx->options & NS_SERVER_NOEDNS) != 0) { 1885 opt = NULL; 1886 } else { 1887 opt = dns_message_getopt(client->message); 1888 } 1889 1890 client->ecs.source = 0; 1891 client->ecs.scope = 0; 1892 1893 if (opt != NULL) { 1894 /* 1895 * Are returning FORMERR to all EDNS queries? 1896 * Simulate a STD13 compliant server. 1897 */ 1898 if ((client->sctx->options & NS_SERVER_EDNSFORMERR) != 0) { 1899 ns_client_error(client, DNS_R_FORMERR); 1900 isc_task_unpause(client->task); 1901 return; 1902 } 1903 1904 /* 1905 * Are returning NOTIMP to all EDNS queries? 1906 */ 1907 if ((client->sctx->options & NS_SERVER_EDNSNOTIMP) != 0) { 1908 ns_client_error(client, DNS_R_NOTIMP); 1909 isc_task_unpause(client->task); 1910 return; 1911 } 1912 1913 /* 1914 * Are returning REFUSED to all EDNS queries? 1915 */ 1916 if ((client->sctx->options & NS_SERVER_EDNSREFUSED) != 0) { 1917 ns_client_error(client, DNS_R_REFUSED); 1918 isc_task_unpause(client->task); 1919 return; 1920 } 1921 1922 /* 1923 * Are we dropping all EDNS queries? 1924 */ 1925 if ((client->sctx->options & NS_SERVER_DROPEDNS) != 0) { 1926 ns_client_drop(client, ISC_R_SUCCESS); 1927 isc_task_unpause(client->task); 1928 return; 1929 } 1930 1931 result = process_opt(client, opt); 1932 if (result != ISC_R_SUCCESS) { 1933 isc_task_unpause(client->task); 1934 return; 1935 } 1936 } 1937 1938 if (client->message->rdclass == 0) { 1939 if ((client->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0 && 1940 client->message->opcode == dns_opcode_query && 1941 client->message->counts[DNS_SECTION_QUESTION] == 0U) 1942 { 1943 result = dns_message_reply(client->message, true); 1944 if (result != ISC_R_SUCCESS) { 1945 ns_client_error(client, result); 1946 isc_task_unpause(client->task); 1947 return; 1948 } 1949 1950 if (notimp) { 1951 client->message->rcode = dns_rcode_notimp; 1952 } 1953 1954 ns_client_send(client); 1955 isc_task_unpause(client->task); 1956 return; 1957 } 1958 1959 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 1960 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), 1961 "message class could not be determined"); 1962 ns_client_dumpmessage(client, "message class could not be " 1963 "determined"); 1964 ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_FORMERR); 1965 isc_task_unpause(client->task); 1966 return; 1967 } 1968 1969 if ((client->manager->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0) 1970 { 1971 client->destsockaddr = client->manager->interface->addr; 1972 } else { 1973 client->destsockaddr = isc_nmhandle_localaddr(handle); 1974 } 1975 isc_netaddr_fromsockaddr(&client->destaddr, &client->destsockaddr); 1976 1977 result = client->sctx->matchingview(&netaddr, &client->destaddr, 1978 client->message, env, &sigresult, 1979 &client->view); 1980 if (result != ISC_R_SUCCESS) { 1981 char classname[DNS_RDATACLASS_FORMATSIZE]; 1982 1983 /* 1984 * Do a dummy TSIG verification attempt so that the 1985 * response will have a TSIG if the query did, as 1986 * required by RFC2845. 1987 */ 1988 isc_buffer_t b; 1989 isc_region_t *r; 1990 1991 dns_message_resetsig(client->message); 1992 1993 r = dns_message_getrawmessage(client->message); 1994 isc_buffer_init(&b, r->base, r->length); 1995 isc_buffer_add(&b, r->length); 1996 (void)dns_tsig_verify(&b, client->message, NULL, NULL); 1997 1998 dns_rdataclass_format(client->message->rdclass, classname, 1999 sizeof(classname)); 2000 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 2001 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), 2002 "no matching view in class '%s'", classname); 2003 ns_client_dumpmessage(client, "no matching view in class"); 2004 ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_REFUSED); 2005 isc_task_unpause(client->task); 2006 return; 2007 } 2008 2009 ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, 2010 ISC_LOG_DEBUG(5), "using view '%s'", client->view->name); 2011 2012 /* 2013 * Check for a signature. We log bad signatures regardless of 2014 * whether they ultimately cause the request to be rejected or 2015 * not. We do not log the lack of a signature unless we are 2016 * debugging. 2017 */ 2018 client->signer = NULL; 2019 dns_name_init(&client->signername, NULL); 2020 result = dns_message_signer(client->message, &client->signername); 2021 if (result != ISC_R_NOTFOUND) { 2022 signame = NULL; 2023 if (dns_message_gettsig(client->message, &signame) != NULL) { 2024 ns_stats_increment(client->sctx->nsstats, 2025 ns_statscounter_tsigin); 2026 } else { 2027 ns_stats_increment(client->sctx->nsstats, 2028 ns_statscounter_sig0in); 2029 } 2030 } 2031 if (result == ISC_R_SUCCESS) { 2032 char namebuf[DNS_NAME_FORMATSIZE]; 2033 dns_name_format(&client->signername, namebuf, sizeof(namebuf)); 2034 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 2035 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), 2036 "request has valid signature: %s", namebuf); 2037 client->signer = &client->signername; 2038 } else if (result == ISC_R_NOTFOUND) { 2039 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 2040 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), 2041 "request is not signed"); 2042 } else if (result == DNS_R_NOIDENTITY) { 2043 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 2044 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), 2045 "request is signed by a nonauthoritative key"); 2046 } else { 2047 char tsigrcode[64]; 2048 isc_buffer_t b; 2049 dns_rcode_t status; 2050 isc_result_t tresult; 2051 2052 /* There is a signature, but it is bad. */ 2053 ns_stats_increment(client->sctx->nsstats, 2054 ns_statscounter_invalidsig); 2055 signame = NULL; 2056 if (dns_message_gettsig(client->message, &signame) != NULL) { 2057 char namebuf[DNS_NAME_FORMATSIZE]; 2058 char cnamebuf[DNS_NAME_FORMATSIZE]; 2059 dns_name_format(signame, namebuf, sizeof(namebuf)); 2060 status = client->message->tsigstatus; 2061 isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1); 2062 tresult = dns_tsigrcode_totext(status, &b); 2063 INSIST(tresult == ISC_R_SUCCESS); 2064 tsigrcode[isc_buffer_usedlength(&b)] = '\0'; 2065 if (client->message->tsigkey->generated) { 2066 dns_name_format( 2067 client->message->tsigkey->creator, 2068 cnamebuf, sizeof(cnamebuf)); 2069 ns_client_log( 2070 client, DNS_LOGCATEGORY_SECURITY, 2071 NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, 2072 "request has invalid signature: " 2073 "TSIG %s (%s): %s (%s)", 2074 namebuf, cnamebuf, 2075 isc_result_totext(result), tsigrcode); 2076 } else { 2077 ns_client_log( 2078 client, DNS_LOGCATEGORY_SECURITY, 2079 NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, 2080 "request has invalid signature: " 2081 "TSIG %s: %s (%s)", 2082 namebuf, isc_result_totext(result), 2083 tsigrcode); 2084 } 2085 } else { 2086 status = client->message->sig0status; 2087 isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1); 2088 tresult = dns_tsigrcode_totext(status, &b); 2089 INSIST(tresult == ISC_R_SUCCESS); 2090 tsigrcode[isc_buffer_usedlength(&b)] = '\0'; 2091 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 2092 NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, 2093 "request has invalid signature: %s (%s)", 2094 isc_result_totext(result), tsigrcode); 2095 } 2096 2097 /* 2098 * Accept update messages signed by unknown keys so that 2099 * update forwarding works transparently through slaves 2100 * that don't have all the same keys as the master. 2101 */ 2102 if (!(client->message->tsigstatus == dns_tsigerror_badkey && 2103 client->message->opcode == dns_opcode_update)) 2104 { 2105 ns_client_error(client, sigresult); 2106 isc_task_unpause(client->task); 2107 return; 2108 } 2109 } 2110 2111 /* 2112 * Decide whether recursive service is available to this client. 2113 * We do this here rather than in the query code so that we can 2114 * set the RA bit correctly on all kinds of responses, not just 2115 * responses to ordinary queries. Note if you can't query the 2116 * cache there is no point in setting RA. 2117 */ 2118 ra = false; 2119 if (client->view->resolver != NULL && client->view->recursion && 2120 ns_client_checkaclsilent(client, NULL, client->view->recursionacl, 2121 true) == ISC_R_SUCCESS && 2122 ns_client_checkaclsilent(client, NULL, client->view->cacheacl, 2123 true) == ISC_R_SUCCESS && 2124 ns_client_checkaclsilent(client, &client->destaddr, 2125 client->view->recursiononacl, 2126 true) == ISC_R_SUCCESS && 2127 ns_client_checkaclsilent(client, &client->destaddr, 2128 client->view->cacheonacl, 2129 true) == ISC_R_SUCCESS) 2130 { 2131 ra = true; 2132 } 2133 2134 if (ra) { 2135 client->attributes |= NS_CLIENTATTR_RA; 2136 } 2137 2138 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, 2139 ISC_LOG_DEBUG(3), 2140 ra ? "recursion available" : "recursion not available"); 2141 2142 /* 2143 * Adjust maximum UDP response size for this client. 2144 */ 2145 if (client->udpsize > 512) { 2146 dns_peer_t *peer = NULL; 2147 uint16_t udpsize = client->view->maxudp; 2148 (void)dns_peerlist_peerbyaddr(client->view->peers, &netaddr, 2149 &peer); 2150 if (peer != NULL) { 2151 dns_peer_getmaxudp(peer, &udpsize); 2152 } 2153 if (client->udpsize > udpsize) { 2154 client->udpsize = udpsize; 2155 } 2156 } 2157 2158 /* 2159 * Dispatch the request. 2160 */ 2161 switch (client->message->opcode) { 2162 case dns_opcode_query: 2163 CTRACE("query"); 2164 #ifdef HAVE_DNSTAP 2165 if (ra && (client->message->flags & DNS_MESSAGEFLAG_RD) != 0) { 2166 dtmsgtype = DNS_DTTYPE_CQ; 2167 } else { 2168 dtmsgtype = DNS_DTTYPE_AQ; 2169 } 2170 2171 dns_dt_send(client->view, dtmsgtype, &client->peeraddr, 2172 &client->destsockaddr, TCP_CLIENT(client), NULL, 2173 &client->requesttime, NULL, buffer); 2174 #endif /* HAVE_DNSTAP */ 2175 2176 ns_query_start(client, handle); 2177 break; 2178 case dns_opcode_update: 2179 CTRACE("update"); 2180 #ifdef HAVE_DNSTAP 2181 dns_dt_send(client->view, DNS_DTTYPE_UQ, &client->peeraddr, 2182 &client->destsockaddr, TCP_CLIENT(client), NULL, 2183 &client->requesttime, NULL, buffer); 2184 #endif /* HAVE_DNSTAP */ 2185 ns_client_settimeout(client, 60); 2186 ns_update_start(client, handle, sigresult); 2187 break; 2188 case dns_opcode_notify: 2189 CTRACE("notify"); 2190 ns_client_settimeout(client, 60); 2191 ns_notify_start(client, handle); 2192 break; 2193 case dns_opcode_iquery: 2194 CTRACE("iquery"); 2195 ns_client_error(client, DNS_R_NOTIMP); 2196 break; 2197 default: 2198 CTRACE("unknown opcode"); 2199 ns_client_error(client, DNS_R_NOTIMP); 2200 } 2201 2202 isc_task_unpause(client->task); 2203 } 2204 2205 isc_result_t 2206 ns__client_tcpconn(isc_nmhandle_t *handle, isc_result_t result, void *arg) { 2207 ns_interface_t *ifp = (ns_interface_t *)arg; 2208 dns_aclenv_t *env = ns_interfacemgr_getaclenv(ifp->mgr); 2209 ns_server_t *sctx = ns_interfacemgr_getserver(ifp->mgr); 2210 unsigned int tcpquota; 2211 isc_sockaddr_t peeraddr; 2212 isc_netaddr_t netaddr; 2213 int match; 2214 2215 if (result != ISC_R_SUCCESS) { 2216 return (result); 2217 } 2218 2219 if (handle != NULL) { 2220 peeraddr = isc_nmhandle_peeraddr(handle); 2221 isc_netaddr_fromsockaddr(&netaddr, &peeraddr); 2222 2223 if (sctx->blackholeacl != NULL && 2224 (dns_acl_match(&netaddr, NULL, sctx->blackholeacl, env, 2225 &match, NULL) == ISC_R_SUCCESS) && 2226 match > 0) 2227 { 2228 return (ISC_R_CONNREFUSED); 2229 } 2230 } 2231 2232 tcpquota = isc_quota_getused(&sctx->tcpquota); 2233 ns_stats_update_if_greater(sctx->nsstats, ns_statscounter_tcphighwater, 2234 tcpquota); 2235 2236 return (ISC_R_SUCCESS); 2237 } 2238 2239 static void 2240 get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) { 2241 isc_mem_t *clientmctx; 2242 MTRACE("clientmctx"); 2243 2244 int tid = isc_nm_tid(); 2245 if (tid < 0) { 2246 tid = isc_random_uniform(manager->ncpus); 2247 } 2248 int rand = isc_random_uniform(CLIENT_NMCTXS_PERCPU); 2249 int nextmctx = (rand * manager->ncpus) + tid; 2250 clientmctx = manager->mctxpool[nextmctx]; 2251 2252 isc_mem_attach(clientmctx, mctxp); 2253 } 2254 2255 static void 2256 get_clienttask(ns_clientmgr_t *manager, isc_task_t **taskp) { 2257 MTRACE("clienttask"); 2258 2259 int tid = isc_nm_tid(); 2260 if (tid < 0) { 2261 tid = isc_random_uniform(manager->ncpus); 2262 } 2263 2264 int rand = isc_random_uniform(CLIENT_NTASKS_PERCPU); 2265 int nexttask = (rand * manager->ncpus) + tid; 2266 isc_task_attach(manager->taskpool[nexttask], taskp); 2267 } 2268 2269 isc_result_t 2270 ns__client_setup(ns_client_t *client, ns_clientmgr_t *mgr, bool new) { 2271 isc_result_t result; 2272 2273 /* 2274 * Caller must be holding the manager lock. 2275 * 2276 * Note: creating a client does not add the client to the 2277 * manager's client list or set the client's manager pointer. 2278 * The caller is responsible for that. 2279 */ 2280 2281 REQUIRE(NS_CLIENT_VALID(client) || (new &&client != NULL)); 2282 REQUIRE(VALID_MANAGER(mgr) || !new); 2283 2284 if (new) { 2285 *client = (ns_client_t){ .magic = 0 }; 2286 2287 get_clientmctx(mgr, &client->mctx); 2288 clientmgr_attach(mgr, &client->manager); 2289 ns_server_attach(mgr->sctx, &client->sctx); 2290 get_clienttask(mgr, &client->task); 2291 2292 dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE, 2293 &client->message); 2294 2295 client->sendbuf = isc_mem_get(client->mctx, 2296 NS_CLIENT_SEND_BUFFER_SIZE); 2297 /* 2298 * Set magic earlier than usual because ns_query_init() 2299 * and the functions it calls will require it. 2300 */ 2301 client->magic = NS_CLIENT_MAGIC; 2302 result = ns_query_init(client); 2303 if (result != ISC_R_SUCCESS) { 2304 goto cleanup; 2305 } 2306 } else { 2307 ns_clientmgr_t *oldmgr = client->manager; 2308 ns_server_t *sctx = client->sctx; 2309 isc_task_t *task = client->task; 2310 unsigned char *sendbuf = client->sendbuf; 2311 dns_message_t *message = client->message; 2312 isc_mem_t *oldmctx = client->mctx; 2313 ns_query_t query = client->query; 2314 2315 /* 2316 * Retain these values from the existing client, but 2317 * zero every thing else. 2318 */ 2319 *client = (ns_client_t){ .magic = 0, 2320 .mctx = oldmctx, 2321 .manager = oldmgr, 2322 .sctx = sctx, 2323 .task = task, 2324 .sendbuf = sendbuf, 2325 .message = message, 2326 .query = query }; 2327 } 2328 2329 client->query.attributes &= ~NS_QUERYATTR_ANSWERED; 2330 client->state = NS_CLIENTSTATE_INACTIVE; 2331 client->udpsize = 512; 2332 client->ednsversion = -1; 2333 dns_name_init(&client->signername, NULL); 2334 dns_ecs_init(&client->ecs); 2335 isc_sockaddr_any(&client->formerrcache.addr); 2336 client->formerrcache.time = 0; 2337 client->formerrcache.id = 0; 2338 ISC_LINK_INIT(client, rlink); 2339 client->rcode_override = -1; /* not set */ 2340 2341 client->magic = NS_CLIENT_MAGIC; 2342 2343 CTRACE("client_setup"); 2344 2345 return (ISC_R_SUCCESS); 2346 2347 cleanup: 2348 if (client->sendbuf != NULL) { 2349 isc_mem_put(client->mctx, client->sendbuf, 2350 NS_CLIENT_SEND_BUFFER_SIZE); 2351 } 2352 2353 if (client->message != NULL) { 2354 dns_message_detach(&client->message); 2355 } 2356 2357 if (client->task != NULL) { 2358 isc_task_detach(&client->task); 2359 } 2360 2361 if (client->manager != NULL) { 2362 clientmgr_detach(&client->manager); 2363 } 2364 if (client->mctx != NULL) { 2365 isc_mem_detach(&client->mctx); 2366 } 2367 if (client->sctx != NULL) { 2368 ns_server_detach(&client->sctx); 2369 } 2370 2371 return (result); 2372 } 2373 2374 bool 2375 ns_client_shuttingdown(ns_client_t *client) { 2376 return (client->shuttingdown); 2377 } 2378 2379 /*** 2380 *** Client Manager 2381 ***/ 2382 2383 static void 2384 clientmgr_attach(ns_clientmgr_t *source, ns_clientmgr_t **targetp) { 2385 int32_t oldrefs; 2386 2387 REQUIRE(VALID_MANAGER(source)); 2388 REQUIRE(targetp != NULL && *targetp == NULL); 2389 2390 oldrefs = isc_refcount_increment0(&source->references); 2391 isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, 2392 ISC_LOG_DEBUG(3), "clientmgr @%p attach: %d", source, 2393 oldrefs + 1); 2394 2395 *targetp = source; 2396 } 2397 2398 static void 2399 clientmgr_detach(ns_clientmgr_t **mp) { 2400 int32_t oldrefs; 2401 ns_clientmgr_t *mgr = *mp; 2402 *mp = NULL; 2403 2404 oldrefs = isc_refcount_decrement(&mgr->references); 2405 isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_CLIENT, 2406 ISC_LOG_DEBUG(3), "clientmgr @%p detach: %d", mgr, 2407 oldrefs - 1); 2408 if (oldrefs == 1) { 2409 clientmgr_destroy(mgr); 2410 } 2411 } 2412 2413 static void 2414 clientmgr_destroy(ns_clientmgr_t *manager) { 2415 int i; 2416 2417 MTRACE("clientmgr_destroy"); 2418 2419 isc_refcount_destroy(&manager->references); 2420 manager->magic = 0; 2421 2422 for (i = 0; i < manager->ncpus * CLIENT_NMCTXS_PERCPU; i++) { 2423 isc_mem_detach(&manager->mctxpool[i]); 2424 } 2425 isc_mem_put(manager->mctx, manager->mctxpool, 2426 manager->ncpus * CLIENT_NMCTXS_PERCPU * 2427 sizeof(isc_mem_t *)); 2428 2429 if (manager->interface != NULL) { 2430 ns_interface_detach(&manager->interface); 2431 } 2432 2433 isc_mutex_destroy(&manager->lock); 2434 isc_mutex_destroy(&manager->reclock); 2435 2436 if (manager->excl != NULL) { 2437 isc_task_detach(&manager->excl); 2438 } 2439 2440 for (i = 0; i < manager->ncpus * CLIENT_NTASKS_PERCPU; i++) { 2441 if (manager->taskpool[i] != NULL) { 2442 isc_task_detach(&manager->taskpool[i]); 2443 } 2444 } 2445 isc_mem_put(manager->mctx, manager->taskpool, 2446 manager->ncpus * CLIENT_NTASKS_PERCPU * 2447 sizeof(isc_task_t *)); 2448 ns_server_detach(&manager->sctx); 2449 2450 isc_mem_put(manager->mctx, manager, sizeof(*manager)); 2451 } 2452 2453 isc_result_t 2454 ns_clientmgr_create(isc_mem_t *mctx, ns_server_t *sctx, isc_taskmgr_t *taskmgr, 2455 isc_timermgr_t *timermgr, ns_interface_t *interface, 2456 int ncpus, ns_clientmgr_t **managerp) { 2457 ns_clientmgr_t *manager; 2458 isc_result_t result; 2459 int i; 2460 int npools; 2461 2462 manager = isc_mem_get(mctx, sizeof(*manager)); 2463 *manager = (ns_clientmgr_t){ .magic = 0 }; 2464 2465 isc_mutex_init(&manager->lock); 2466 isc_mutex_init(&manager->reclock); 2467 2468 manager->excl = NULL; 2469 result = isc_taskmgr_excltask(taskmgr, &manager->excl); 2470 if (result != ISC_R_SUCCESS) { 2471 goto cleanup_reclock; 2472 } 2473 2474 manager->mctx = mctx; 2475 manager->taskmgr = taskmgr; 2476 manager->timermgr = timermgr; 2477 manager->ncpus = ncpus; 2478 2479 ns_interface_attach(interface, &manager->interface); 2480 2481 manager->exiting = false; 2482 int ntasks = CLIENT_NTASKS_PERCPU * manager->ncpus; 2483 manager->taskpool = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *)); 2484 for (i = 0; i < ntasks; i++) { 2485 manager->taskpool[i] = NULL; 2486 result = isc_task_create_bound(manager->taskmgr, 20, 2487 &manager->taskpool[i], 2488 i % CLIENT_NTASKS_PERCPU); 2489 RUNTIME_CHECK(result == ISC_R_SUCCESS); 2490 } 2491 isc_refcount_init(&manager->references, 1); 2492 manager->sctx = NULL; 2493 ns_server_attach(sctx, &manager->sctx); 2494 2495 ISC_LIST_INIT(manager->recursing); 2496 2497 npools = CLIENT_NMCTXS_PERCPU * manager->ncpus; 2498 manager->mctxpool = isc_mem_get(manager->mctx, 2499 npools * sizeof(isc_mem_t *)); 2500 for (i = 0; i < npools; i++) { 2501 manager->mctxpool[i] = NULL; 2502 isc_mem_create(&manager->mctxpool[i]); 2503 isc_mem_setname(manager->mctxpool[i], "client", NULL); 2504 } 2505 2506 manager->magic = MANAGER_MAGIC; 2507 2508 MTRACE("create"); 2509 2510 *managerp = manager; 2511 2512 return (ISC_R_SUCCESS); 2513 2514 cleanup_reclock: 2515 isc_mutex_destroy(&manager->reclock); 2516 isc_mutex_destroy(&manager->lock); 2517 2518 isc_mem_put(mctx, manager, sizeof(*manager)); 2519 2520 return (result); 2521 } 2522 2523 void 2524 ns_clientmgr_shutdown(ns_clientmgr_t *manager) { 2525 REQUIRE(VALID_MANAGER(manager)); 2526 2527 LOCK(&manager->reclock); 2528 for (ns_client_t *client = ISC_LIST_HEAD(manager->recursing); 2529 client != NULL; client = ISC_LIST_NEXT(client, rlink)) 2530 { 2531 ns_query_cancel(client); 2532 } 2533 UNLOCK(&manager->reclock); 2534 } 2535 2536 void 2537 ns_clientmgr_destroy(ns_clientmgr_t **managerp) { 2538 isc_result_t result; 2539 ns_clientmgr_t *manager; 2540 bool unlock = false; 2541 2542 REQUIRE(managerp != NULL); 2543 manager = *managerp; 2544 *managerp = NULL; 2545 REQUIRE(VALID_MANAGER(manager)); 2546 2547 MTRACE("destroy"); 2548 2549 /* 2550 * Check for success because we may already be task-exclusive 2551 * at this point. Only if we succeed at obtaining an exclusive 2552 * lock now will we need to relinquish it later. 2553 */ 2554 result = isc_task_beginexclusive(manager->excl); 2555 if (result == ISC_R_SUCCESS) { 2556 unlock = true; 2557 } 2558 2559 manager->exiting = true; 2560 2561 if (unlock) { 2562 isc_task_endexclusive(manager->excl); 2563 } 2564 2565 if (isc_refcount_decrement(&manager->references) == 1) { 2566 clientmgr_destroy(manager); 2567 } 2568 } 2569 2570 isc_sockaddr_t * 2571 ns_client_getsockaddr(ns_client_t *client) { 2572 return (&client->peeraddr); 2573 } 2574 2575 isc_sockaddr_t * 2576 ns_client_getdestaddr(ns_client_t *client) { 2577 return (&client->destsockaddr); 2578 } 2579 2580 isc_result_t 2581 ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr, 2582 dns_acl_t *acl, bool default_allow) { 2583 isc_result_t result; 2584 dns_aclenv_t *env = 2585 ns_interfacemgr_getaclenv(client->manager->interface->mgr); 2586 isc_netaddr_t tmpnetaddr; 2587 int match; 2588 2589 if (acl == NULL) { 2590 if (default_allow) { 2591 goto allow; 2592 } else { 2593 goto deny; 2594 } 2595 } 2596 2597 if (netaddr == NULL) { 2598 isc_netaddr_fromsockaddr(&tmpnetaddr, &client->peeraddr); 2599 netaddr = &tmpnetaddr; 2600 } 2601 2602 result = dns_acl_match(netaddr, client->signer, acl, env, &match, NULL); 2603 if (result != ISC_R_SUCCESS) { 2604 goto deny; /* Internal error, already logged. */ 2605 } 2606 2607 if (match > 0) { 2608 goto allow; 2609 } 2610 goto deny; /* Negative match or no match. */ 2611 2612 allow: 2613 return (ISC_R_SUCCESS); 2614 2615 deny: 2616 return (DNS_R_REFUSED); 2617 } 2618 2619 isc_result_t 2620 ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr, 2621 const char *opname, dns_acl_t *acl, bool default_allow, 2622 int log_level) { 2623 isc_result_t result; 2624 isc_netaddr_t netaddr; 2625 2626 if (sockaddr != NULL) { 2627 isc_netaddr_fromsockaddr(&netaddr, sockaddr); 2628 } 2629 2630 result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL, 2631 acl, default_allow); 2632 2633 if (result == ISC_R_SUCCESS) { 2634 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 2635 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), 2636 "%s approved", opname); 2637 } else { 2638 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 2639 NS_LOGMODULE_CLIENT, log_level, "%s denied", 2640 opname); 2641 } 2642 return (result); 2643 } 2644 2645 static void 2646 ns_client_name(ns_client_t *client, char *peerbuf, size_t len) { 2647 if (client->peeraddr_valid) { 2648 isc_sockaddr_format(&client->peeraddr, peerbuf, 2649 (unsigned int)len); 2650 } else { 2651 snprintf(peerbuf, len, "@%p", client); 2652 } 2653 } 2654 2655 void 2656 ns_client_logv(ns_client_t *client, isc_logcategory_t *category, 2657 isc_logmodule_t *module, int level, const char *fmt, 2658 va_list ap) { 2659 char msgbuf[4096]; 2660 char signerbuf[DNS_NAME_FORMATSIZE], qnamebuf[DNS_NAME_FORMATSIZE]; 2661 char peerbuf[ISC_SOCKADDR_FORMATSIZE]; 2662 const char *viewname = ""; 2663 const char *sep1 = "", *sep2 = "", *sep3 = "", *sep4 = ""; 2664 const char *signer = "", *qname = ""; 2665 dns_name_t *q = NULL; 2666 2667 REQUIRE(client != NULL); 2668 2669 vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap); 2670 2671 if (client->signer != NULL) { 2672 dns_name_format(client->signer, signerbuf, sizeof(signerbuf)); 2673 sep1 = "/key "; 2674 signer = signerbuf; 2675 } 2676 2677 q = client->query.origqname != NULL ? client->query.origqname 2678 : client->query.qname; 2679 if (q != NULL) { 2680 dns_name_format(q, qnamebuf, sizeof(qnamebuf)); 2681 sep2 = " ("; 2682 sep3 = ")"; 2683 qname = qnamebuf; 2684 } 2685 2686 if (client->view != NULL && strcmp(client->view->name, "_bind") != 0 && 2687 strcmp(client->view->name, "_default") != 0) 2688 { 2689 sep4 = ": view "; 2690 viewname = client->view->name; 2691 } 2692 2693 if (client->peeraddr_valid) { 2694 isc_sockaddr_format(&client->peeraddr, peerbuf, 2695 sizeof(peerbuf)); 2696 } else { 2697 snprintf(peerbuf, sizeof(peerbuf), "(no-peer)"); 2698 } 2699 2700 isc_log_write(ns_lctx, category, module, level, 2701 "client @%p %s%s%s%s%s%s%s%s: %s", client, peerbuf, sep1, 2702 signer, sep2, qname, sep3, sep4, viewname, msgbuf); 2703 } 2704 2705 void 2706 ns_client_log(ns_client_t *client, isc_logcategory_t *category, 2707 isc_logmodule_t *module, int level, const char *fmt, ...) { 2708 va_list ap; 2709 2710 if (!isc_log_wouldlog(ns_lctx, level)) { 2711 return; 2712 } 2713 2714 va_start(ap, fmt); 2715 ns_client_logv(client, category, module, level, fmt, ap); 2716 va_end(ap); 2717 } 2718 2719 void 2720 ns_client_aclmsg(const char *msg, const dns_name_t *name, dns_rdatatype_t type, 2721 dns_rdataclass_t rdclass, char *buf, size_t len) { 2722 char namebuf[DNS_NAME_FORMATSIZE]; 2723 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 2724 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 2725 2726 dns_name_format(name, namebuf, sizeof(namebuf)); 2727 dns_rdatatype_format(type, typebuf, sizeof(typebuf)); 2728 dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf)); 2729 (void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf, 2730 classbuf); 2731 } 2732 2733 static void 2734 ns_client_dumpmessage(ns_client_t *client, const char *reason) { 2735 isc_buffer_t buffer; 2736 char *buf = NULL; 2737 int len = 1024; 2738 isc_result_t result; 2739 2740 if (!isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) { 2741 return; 2742 } 2743 2744 /* 2745 * Note that these are multiline debug messages. We want a newline 2746 * to appear in the log after each message. 2747 */ 2748 2749 do { 2750 buf = isc_mem_get(client->mctx, len); 2751 isc_buffer_init(&buffer, buf, len); 2752 result = dns_message_totext( 2753 client->message, &dns_master_style_debug, 0, &buffer); 2754 if (result == ISC_R_NOSPACE) { 2755 isc_mem_put(client->mctx, buf, len); 2756 len += 1024; 2757 } else if (result == ISC_R_SUCCESS) { 2758 ns_client_log(client, NS_LOGCATEGORY_CLIENT, 2759 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), 2760 "%s\n%.*s", reason, 2761 (int)isc_buffer_usedlength(&buffer), buf); 2762 } 2763 } while (result == ISC_R_NOSPACE); 2764 2765 if (buf != NULL) { 2766 isc_mem_put(client->mctx, buf, len); 2767 } 2768 } 2769 2770 void 2771 ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) { 2772 ns_client_t *client; 2773 char namebuf[DNS_NAME_FORMATSIZE]; 2774 char original[DNS_NAME_FORMATSIZE]; 2775 char peerbuf[ISC_SOCKADDR_FORMATSIZE]; 2776 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 2777 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 2778 const char *name; 2779 const char *sep; 2780 const char *origfor; 2781 dns_rdataset_t *rdataset; 2782 2783 REQUIRE(VALID_MANAGER(manager)); 2784 2785 LOCK(&manager->reclock); 2786 client = ISC_LIST_HEAD(manager->recursing); 2787 while (client != NULL) { 2788 INSIST(client->state == NS_CLIENTSTATE_RECURSING); 2789 2790 ns_client_name(client, peerbuf, sizeof(peerbuf)); 2791 if (client->view != NULL && 2792 strcmp(client->view->name, "_bind") != 0 && 2793 strcmp(client->view->name, "_default") != 0) 2794 { 2795 name = client->view->name; 2796 sep = ": view "; 2797 } else { 2798 name = ""; 2799 sep = ""; 2800 } 2801 2802 LOCK(&client->query.fetchlock); 2803 INSIST(client->query.qname != NULL); 2804 dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); 2805 if (client->query.qname != client->query.origqname && 2806 client->query.origqname != NULL) 2807 { 2808 origfor = " for "; 2809 dns_name_format(client->query.origqname, original, 2810 sizeof(original)); 2811 } else { 2812 origfor = ""; 2813 original[0] = '\0'; 2814 } 2815 rdataset = ISC_LIST_HEAD(client->query.qname->list); 2816 if (rdataset == NULL && client->query.origqname != NULL) { 2817 rdataset = ISC_LIST_HEAD(client->query.origqname->list); 2818 } 2819 if (rdataset != NULL) { 2820 dns_rdatatype_format(rdataset->type, typebuf, 2821 sizeof(typebuf)); 2822 dns_rdataclass_format(rdataset->rdclass, classbuf, 2823 sizeof(classbuf)); 2824 } else { 2825 strlcpy(typebuf, "-", sizeof(typebuf)); 2826 strlcpy(classbuf, "-", sizeof(classbuf)); 2827 } 2828 UNLOCK(&client->query.fetchlock); 2829 fprintf(f, 2830 "; client %s%s%s: id %u '%s/%s/%s'%s%s " 2831 "requesttime %u\n", 2832 peerbuf, sep, name, client->message->id, namebuf, 2833 typebuf, classbuf, origfor, original, 2834 isc_time_seconds(&client->requesttime)); 2835 client = ISC_LIST_NEXT(client, rlink); 2836 } 2837 UNLOCK(&manager->reclock); 2838 } 2839 2840 void 2841 ns_client_qnamereplace(ns_client_t *client, dns_name_t *name) { 2842 LOCK(&client->query.fetchlock); 2843 if (client->query.restarts > 0) { 2844 /* 2845 * client->query.qname was dynamically allocated. 2846 */ 2847 dns_message_puttempname(client->message, &client->query.qname); 2848 } 2849 client->query.qname = name; 2850 client->query.attributes &= ~NS_QUERYATTR_REDIRECT; 2851 UNLOCK(&client->query.fetchlock); 2852 } 2853 2854 isc_result_t 2855 ns_client_sourceip(dns_clientinfo_t *ci, isc_sockaddr_t **addrp) { 2856 ns_client_t *client = (ns_client_t *)ci->data; 2857 2858 REQUIRE(NS_CLIENT_VALID(client)); 2859 REQUIRE(addrp != NULL); 2860 2861 *addrp = &client->peeraddr; 2862 return (ISC_R_SUCCESS); 2863 } 2864 2865 dns_rdataset_t * 2866 ns_client_newrdataset(ns_client_t *client) { 2867 dns_rdataset_t *rdataset; 2868 isc_result_t result; 2869 2870 REQUIRE(NS_CLIENT_VALID(client)); 2871 2872 rdataset = NULL; 2873 result = dns_message_gettemprdataset(client->message, &rdataset); 2874 if (result != ISC_R_SUCCESS) { 2875 return (NULL); 2876 } 2877 2878 return (rdataset); 2879 } 2880 2881 void 2882 ns_client_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) { 2883 dns_rdataset_t *rdataset; 2884 2885 REQUIRE(NS_CLIENT_VALID(client)); 2886 REQUIRE(rdatasetp != NULL); 2887 2888 rdataset = *rdatasetp; 2889 2890 if (rdataset != NULL) { 2891 if (dns_rdataset_isassociated(rdataset)) { 2892 dns_rdataset_disassociate(rdataset); 2893 } 2894 dns_message_puttemprdataset(client->message, rdatasetp); 2895 } 2896 } 2897 2898 isc_result_t 2899 ns_client_newnamebuf(ns_client_t *client) { 2900 isc_buffer_t *dbuf = NULL; 2901 2902 CTRACE("ns_client_newnamebuf"); 2903 2904 isc_buffer_allocate(client->mctx, &dbuf, 1024); 2905 ISC_LIST_APPEND(client->query.namebufs, dbuf, link); 2906 2907 CTRACE("ns_client_newnamebuf: done"); 2908 return (ISC_R_SUCCESS); 2909 } 2910 2911 dns_name_t * 2912 ns_client_newname(ns_client_t *client, isc_buffer_t *dbuf, isc_buffer_t *nbuf) { 2913 dns_name_t *name = NULL; 2914 isc_region_t r; 2915 isc_result_t result; 2916 2917 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0); 2918 2919 CTRACE("ns_client_newname"); 2920 2921 result = dns_message_gettempname(client->message, &name); 2922 if (result != ISC_R_SUCCESS) { 2923 CTRACE("ns_client_newname: " 2924 "dns_message_gettempname failed: done"); 2925 return (NULL); 2926 } 2927 isc_buffer_availableregion(dbuf, &r); 2928 isc_buffer_init(nbuf, r.base, r.length); 2929 dns_name_setbuffer(name, NULL); 2930 dns_name_setbuffer(name, nbuf); 2931 client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED; 2932 2933 CTRACE("ns_client_newname: done"); 2934 return (name); 2935 } 2936 2937 isc_buffer_t * 2938 ns_client_getnamebuf(ns_client_t *client) { 2939 isc_buffer_t *dbuf; 2940 isc_region_t r; 2941 2942 CTRACE("ns_client_getnamebuf"); 2943 2944 /*% 2945 * Return a name buffer with space for a maximal name, allocating 2946 * a new one if necessary. 2947 */ 2948 if (ISC_LIST_EMPTY(client->query.namebufs)) { 2949 ns_client_newnamebuf(client); 2950 } 2951 2952 dbuf = ISC_LIST_TAIL(client->query.namebufs); 2953 INSIST(dbuf != NULL); 2954 isc_buffer_availableregion(dbuf, &r); 2955 if (r.length < DNS_NAME_MAXWIRE) { 2956 ns_client_newnamebuf(client); 2957 dbuf = ISC_LIST_TAIL(client->query.namebufs); 2958 isc_buffer_availableregion(dbuf, &r); 2959 INSIST(r.length >= 255); 2960 } 2961 CTRACE("ns_client_getnamebuf: done"); 2962 return (dbuf); 2963 } 2964 2965 void 2966 ns_client_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) { 2967 isc_region_t r; 2968 2969 CTRACE("ns_client_keepname"); 2970 2971 /*% 2972 * 'name' is using space in 'dbuf', but 'dbuf' has not yet been 2973 * adjusted to take account of that. We do the adjustment. 2974 */ 2975 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0); 2976 2977 dns_name_toregion(name, &r); 2978 isc_buffer_add(dbuf, r.length); 2979 dns_name_setbuffer(name, NULL); 2980 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED; 2981 } 2982 2983 void 2984 ns_client_releasename(ns_client_t *client, dns_name_t **namep) { 2985 /*% 2986 * 'name' is no longer needed. Return it to our pool of temporary 2987 * names. If it is using a name buffer, relinquish its exclusive 2988 * rights on the buffer. 2989 */ 2990 2991 CTRACE("ns_client_releasename"); 2992 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED; 2993 dns_message_puttempname(client->message, namep); 2994 CTRACE("ns_client_releasename: done"); 2995 } 2996 2997 isc_result_t 2998 ns_client_newdbversion(ns_client_t *client, unsigned int n) { 2999 unsigned int i; 3000 ns_dbversion_t *dbversion = NULL; 3001 3002 for (i = 0; i < n; i++) { 3003 dbversion = isc_mem_get(client->mctx, sizeof(*dbversion)); 3004 *dbversion = (ns_dbversion_t){ 0 }; 3005 ISC_LIST_INITANDAPPEND(client->query.freeversions, dbversion, 3006 link); 3007 } 3008 3009 return (ISC_R_SUCCESS); 3010 } 3011 3012 static ns_dbversion_t * 3013 client_getdbversion(ns_client_t *client) { 3014 ns_dbversion_t *dbversion = NULL; 3015 3016 if (ISC_LIST_EMPTY(client->query.freeversions)) { 3017 ns_client_newdbversion(client, 1); 3018 } 3019 dbversion = ISC_LIST_HEAD(client->query.freeversions); 3020 INSIST(dbversion != NULL); 3021 ISC_LIST_UNLINK(client->query.freeversions, dbversion, link); 3022 3023 return (dbversion); 3024 } 3025 3026 ns_dbversion_t * 3027 ns_client_findversion(ns_client_t *client, dns_db_t *db) { 3028 ns_dbversion_t *dbversion; 3029 3030 for (dbversion = ISC_LIST_HEAD(client->query.activeversions); 3031 dbversion != NULL; dbversion = ISC_LIST_NEXT(dbversion, link)) 3032 { 3033 if (dbversion->db == db) { 3034 break; 3035 } 3036 } 3037 3038 if (dbversion == NULL) { 3039 /* 3040 * This is a new zone for this query. Add it to 3041 * the active list. 3042 */ 3043 dbversion = client_getdbversion(client); 3044 if (dbversion == NULL) { 3045 return (NULL); 3046 } 3047 dns_db_attach(db, &dbversion->db); 3048 dns_db_currentversion(db, &dbversion->version); 3049 dbversion->acl_checked = false; 3050 dbversion->queryok = false; 3051 ISC_LIST_APPEND(client->query.activeversions, dbversion, link); 3052 } 3053 3054 return (dbversion); 3055 } 3056