« back to all changes in this revision
Viewing changes to src/forward.c
- browse files at revision 36
- compare with another revision
- download diff
- download tarball
- view history from revision 36
- Committer: Package Import Robot
- Author(s): Simon Kelley
- Date: 2014-04-23 15:14:42 UTC
- mfrom: (0.5.8) (12.2.17 sid)
- Revision ID: package-import@ubuntu.com-20140423151442-22uqxwgu9wi56gd7
Tags: 2.70-1
New upstream.
- files added:
- contrib/try-all-ns/dnsmasq-2.68-try-all-ns
- files modified:
- CHANGELOG
added
removed
src/forward.c
1
/* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
1
/* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
2
2
3
3
This program is free software; you can redistribute it and/or modify
4
4
it under the terms of the GNU General Public License as published by
16
16
17
17
#include "dnsmasq.h"
18
18
19
static struct frec *lookup_frec(unsigned short id, unsigned int crc);
19
static struct frec *lookup_frec(unsigned short id, void *hash);
20
20
static struct frec *lookup_frec_by_sender(unsigned short id,
21
21
union mysockaddr *addr,
22
unsigned int crc);
23
static unsigned short get_id(unsigned int crc);
22
void *hash);
23
static unsigned short get_id(void);
24
24
static void free_frec(struct frec *f);
25
25
static struct randfd *allocate_rfd(int family);
26
26
27
#ifdef HAVE_DNSSEC
28
static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
29
int class, char *name, char *keyname, struct server *server, int *keycount);
30
static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
31
static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname);
32
#endif
33
34
27
35
/* Send a UDP packet with its source address set as "source"
28
36
unless nowild is true, when we just send it with the kernel default */
29
37
int send_from(int fd, int nowild, char *packet, size_t len,
234
242
235
243
static int forward_query(int udpfd, union mysockaddr *udpaddr,
236
244
struct all_addr *dst_addr, unsigned int dst_iface,
237
struct dns_header *header, size_t plen, time_t now, struct frec *forward)
245
struct dns_header *header, size_t plen, time_t now,
246
struct frec *forward, int ad_reqd, int do_bit)
238
247
{
239
248
char *domain = NULL;
240
249
int type = 0, norebind = 0;
241
250
struct all_addr *addrp = NULL;
251
unsigned int flags = 0;
252
struct server *start = NULL;
253
#ifdef HAVE_DNSSEC
254
void *hash = hash_questions(header, plen, daemon->namebuff);
255
#else
242
256
unsigned int crc = questions_crc(header, plen, daemon->namebuff);
243
unsigned int flags = 0;
244
unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
245
struct server *start = NULL;
246
247
/* RFC 4035: sect 4.6 para 2 */
248
header->hb4 &= ~HB4_AD;
249
257
void *hash = &crc;
258
#endif
259
unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
260
261
(void)do_bit;
262
250
263
/* may be no servers available. */
251
264
if (!daemon->servers)
252
265
forward = NULL;
253
else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
266
else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
254
267
{
268
#ifdef HAVE_DNSSEC
269
/* If we've already got an answer to this query, but we're awaiting keys for validation,
270
there's no point retrying the query, retry the key query instead...... */
271
if (forward->blocking_query)
272
{
273
int fd;
274
275
while (forward->blocking_query)
276
forward = forward->blocking_query;
277
278
blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
279
plen = forward->stash_len;
280
281
if (forward->sentto->addr.sa.sa_family == AF_INET)
282
log_query(F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
283
#ifdef HAVE_IPV6
284
else
285
log_query(F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
286
#endif
287
288
if (forward->sentto->sfd)
289
fd = forward->sentto->sfd->fd;
290
else
291
{
292
#ifdef HAVE_IPV6
293
if (forward->sentto->addr.sa.sa_family == AF_INET6)
294
fd = forward->rfd6->fd;
295
else
296
#endif
297
fd = forward->rfd4->fd;
298
}
299
300
while (sendto(fd, (char *)header, plen, 0,
301
&forward->sentto->addr.sa,
302
sa_len(&forward->sentto->addr)) == -1 && retry_send());
303
304
return 1;
305
}
306
#endif
307
255
308
/* retry on existing query, send to all available servers */
256
309
domain = forward->sentto->domain;
257
310
forward->sentto->failed_queries++;
270
323
if (gotname)
271
324
flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
272
325
273
if (!flags && !(forward = get_new_frec(now, NULL)))
326
if (!flags && !(forward = get_new_frec(now, NULL, 0)))
274
327
/* table full - server failure. */
275
328
flags = F_NEG;
276
329
280
333
forward->dest = *dst_addr;
281
334
forward->iface = dst_iface;
282
335
forward->orig_id = ntohs(header->id);
283
forward->new_id = get_id(crc);
336
forward->new_id = get_id();
284
337
forward->fd = udpfd;
285
forward->crc = crc;
338
memcpy(forward->hash, hash, HASH_SIZE);
286
339
forward->forwardall = 0;
287
340
forward->flags = 0;
288
341
if (norebind)
289
342
forward->flags |= FREC_NOREBIND;
290
343
if (header->hb4 & HB4_CD)
291
344
forward->flags |= FREC_CHECKING_DISABLED;
292
345
if (ad_reqd)
346
forward->flags |= FREC_AD_QUESTION;
347
#ifdef HAVE_DNSSEC
348
forward->work_counter = DNSSEC_WORK;
349
if (do_bit)
350
forward->flags |= FREC_DO_QUESTION;
351
#endif
352
293
353
header->id = htons(forward->new_id);
294
354
295
355
/* In strict_order mode, always try servers in the order
330
390
int forwarded = 0;
331
391
332
392
if (option_bool(OPT_ADD_MAC))
333
plen = add_mac(header, plen, ((char *) header) + PACKETSZ, &forward->source);
393
plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
334
394
335
395
if (option_bool(OPT_CLIENT_SUBNET))
336
396
{
337
size_t new = add_source_addr(header, plen, ((char *) header) + PACKETSZ, &forward->source);
397
size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
338
398
if (new != plen)
339
399
{
340
400
plen = new;
342
402
}
343
403
}
344
404
405
#ifdef HAVE_DNSSEC
406
if (option_bool(OPT_DNSSEC_VALID))
407
{
408
size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
409
410
/* For debugging, set Checking Disabled, otherwise, have the upstream check too,
411
this allows it to select auth servers when one is returning bad data. */
412
if (option_bool(OPT_DNSSEC_DEBUG))
413
header->hb4 |= HB4_CD;
414
415
if (new_plen != plen)
416
forward->flags |= FREC_ADDED_PHEADER;
417
418
plen = new_plen;
419
}
420
#endif
421
345
422
while (1)
346
423
{
347
424
/* only send to servers dealing with our domain.
447
524
}
448
525
449
526
static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
450
int checking_disabled, int check_subnet, union mysockaddr *query_source)
527
int no_cache, int cache_secure, int ad_reqd, int do_bit, int added_pheader, int check_subnet, union mysockaddr *query_source)
451
528
{
452
529
unsigned char *pheader, *sizep;
453
530
char **sets = 0;
454
531
int munged = 0, is_sign;
455
532
size_t plen;
456
533
534
(void)ad_reqd;
535
(void) do_bit;
536
457
537
#ifdef HAVE_IPSET
458
/* Similar algorithm to search_servers. */
459
struct ipsets *ipset_pos;
460
unsigned int namelen = strlen(daemon->namebuff);
461
unsigned int matchlen = 0;
462
for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
538
if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
463
539
{
464
unsigned int domainlen = strlen(ipset_pos->domain);
465
char *matchstart = daemon->namebuff + namelen - domainlen;
466
if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
467
(domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
468
domainlen >= matchlen) {
469
matchlen = domainlen;
470
sets = ipset_pos->sets;
471
}
540
/* Similar algorithm to search_servers. */
541
struct ipsets *ipset_pos;
542
unsigned int namelen = strlen(daemon->namebuff);
543
unsigned int matchlen = 0;
544
for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
545
{
546
unsigned int domainlen = strlen(ipset_pos->domain);
547
char *matchstart = daemon->namebuff + namelen - domainlen;
548
if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
549
(domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
550
domainlen >= matchlen)
551
{
552
matchlen = domainlen;
553
sets = ipset_pos->sets;
554
}
555
}
472
556
}
473
557
#endif
474
558
478
562
479
563
if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
480
564
{
481
if (!is_sign)
482
{
483
unsigned short udpsz;
484
unsigned char *psave = sizep;
485
486
GETSHORT(udpsz, sizep);
487
if (udpsz > daemon->edns_pktsz)
488
PUTSHORT(daemon->edns_pktsz, psave);
489
}
565
unsigned short udpsz;
566
unsigned char *psave = sizep;
567
568
GETSHORT(udpsz, sizep);
569
570
if (!is_sign && udpsz > daemon->edns_pktsz)
571
PUTSHORT(daemon->edns_pktsz, psave);
490
572
491
573
if (check_subnet && !check_source(header, plen, pheader, query_source))
492
574
{
493
575
my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
494
576
return 0;
495
577
}
578
579
if (added_pheader)
580
{
581
pheader = 0;
582
header->arcount = htons(0);
583
}
496
584
}
497
498
585
499
586
/* RFC 4035 sect 4.6 para 3 */
500
if (!is_sign && !option_bool(OPT_DNSSEC))
501
header->hb4 &= ~HB4_AD;
502
587
if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
588
header->hb4 &= ~HB4_AD;
589
503
590
if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
504
591
return n;
505
592
512
599
if (!option_bool(OPT_LOG))
513
600
server->flags |= SERV_WARNED_RECURSIVE;
514
601
}
515
602
516
603
if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
517
604
check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
518
605
{
519
606
munged = 1;
520
607
SET_RCODE(header, NXDOMAIN);
521
608
header->hb3 &= ~HB3_AA;
609
cache_secure = 0;
522
610
}
523
611
else
524
612
{
613
int doctored = 0;
614
525
615
if (RCODE(header) == NXDOMAIN &&
526
616
extract_request(header, n, daemon->namebuff, NULL) &&
527
617
check_for_local_domain(daemon->namebuff, now))
532
622
munged = 1;
533
623
header->hb3 |= HB3_AA;
534
624
SET_RCODE(header, NOERROR);
625
cache_secure = 0;
535
626
}
536
627
537
if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, checking_disabled))
628
if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
538
629
{
539
630
my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
540
631
munged = 1;
541
}
542
}
543
632
cache_secure = 0;
633
}
634
635
if (doctored)
636
cache_secure = 0;
637
}
638
639
#ifdef HAVE_DNSSEC
640
if (no_cache && !(header->hb4 & HB4_CD))
641
{
642
if (!option_bool(OPT_DNSSEC_DEBUG))
643
{
644
/* Bogus reply, turn into SERVFAIL */
645
SET_RCODE(header, SERVFAIL);
646
munged = 1;
647
}
648
}
649
650
if (option_bool(OPT_DNSSEC_VALID))
651
header->hb4 &= ~HB4_AD;
652
653
if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
654
header->hb4 |= HB4_AD;
655
656
/* If the requestor didn't set the DO bit, don't return DNSSEC info. */
657
if (!do_bit)
658
n = filter_rrsigs(header, n);
659
#endif
660
544
661
/* do this after extract_addresses. Ensure NODATA reply and remove
545
662
nameserver info. */
546
663
566
683
union mysockaddr serveraddr;
567
684
struct frec *forward;
568
685
socklen_t addrlen = sizeof(serveraddr);
569
ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
686
ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
570
687
size_t nn;
571
688
struct server *server;
572
689
void *hash;
690
#ifndef HAVE_DNSSEC
691
unsigned int crc;
692
#endif
693
573
694
/* packet buffer overwritten */
574
695
daemon->srv_save = NULL;
575
696
580
701
serveraddr.in6.sin6_flowinfo = 0;
581
702
#endif
582
703
704
header = (struct dns_header *)daemon->packet;
705
706
if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
707
return;
708
583
709
/* spoof check: answer must come from known server, */
584
710
for (server = daemon->servers; server; server = server->next)
585
711
if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
586
712
sockaddr_isequal(&server->addr, &serveraddr))
587
713
break;
588
589
header = (struct dns_header *)daemon->packet;
590
591
if (!server ||
592
n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
593
!(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
594
return;
595
596
server = forward->sentto;
714
715
if (!server)
716
return;
717
718
#ifdef HAVE_DNSSEC
719
hash = hash_questions(header, n, daemon->namebuff);
720
#else
721
hash = &crc;
722
crc = questions_crc(header, n, daemon->namebuff);
723
#endif
724
725
if (!(forward = lookup_frec(ntohs(header->id), hash)))
726
return;
597
727
598
728
if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
599
729
!option_bool(OPT_ORDER) &&
614
744
if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
615
745
{
616
746
header->hb3 &= ~(HB3_QR | HB3_TC);
617
forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
747
forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
618
748
return;
619
749
}
620
750
}
621
751
}
752
753
server = forward->sentto;
622
754
623
755
if ((forward->sentto->flags & SERV_TYPE) == 0)
624
756
{
625
if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
757
if (RCODE(header) == REFUSED)
626
758
server = NULL;
627
759
else
628
760
{
640
772
if (!option_bool(OPT_ALL_SERVERS))
641
773
daemon->last_server = server;
642
774
}
643
775
644
776
/* If the answer is an error, keep the forward record in place in case
645
777
we get a good reply from another server. Kill it when we've
646
778
had replies from all to avoid filling the forwarding table when
647
779
everything is broken */
648
if (forward->forwardall == 0 || --forward->forwardall == 1 ||
649
(RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
780
if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
650
781
{
651
int check_rebind = !(forward->flags & FREC_NOREBIND);
652
653
if (!option_bool(OPT_NO_REBIND))
654
check_rebind = 0;
655
656
if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, forward->flags & FREC_CHECKING_DISABLED,
657
forward->flags & FREC_HAS_SUBNET, &forward->source)))
782
int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
783
784
if (option_bool(OPT_NO_REBIND))
785
check_rebind = !(forward->flags & FREC_NOREBIND);
786
787
/* Don't cache replies where DNSSEC validation was turned off, either
788
the upstream server told us so, or the original query specified it. */
789
if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
790
no_cache_dnssec = 1;
791
792
#ifdef HAVE_DNSSEC
793
if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
794
{
795
int status;
796
797
/* We've had a reply already, which we're validating. Ignore this duplicate */
798
if (forward->blocking_query)
799
return;
800
801
if (header->hb3 & HB3_TC)
802
{
803
/* Truncated answer can't be validated.
804
If this is an answer to a DNSSEC-generated query, we still
805
need to get the client to retry over TCP, so return
806
an answer with the TC bit set, even if the actual answer fits.
807
*/
808
status = STAT_TRUNCATED;
809
}
810
else if (forward->flags & FREC_DNSKEY_QUERY)
811
status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
812
else if (forward->flags & FREC_DS_QUERY)
813
{
814
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
815
if (status == STAT_NO_DS)
816
status = STAT_INSECURE;
817
}
818
else if (forward->flags & FREC_CHECK_NOSIGN)
819
status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
820
else
821
{
822
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL);
823
if (status == STAT_NO_SIG)
824
{
825
if (option_bool(OPT_DNSSEC_NO_SIGN))
826
status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname);
827
else
828
status = STAT_INSECURE;
829
}
830
}
831
/* Can't validate, as we're missing key data. Put this
832
answer aside, whilst we get that. */
833
if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
834
{
835
struct frec *new, *orig;
836
837
/* Free any saved query */
838
if (forward->stash)
839
blockdata_free(forward->stash);
840
841
/* Now save reply pending receipt of key data */
842
if (!(forward->stash = blockdata_alloc((char *)header, n)))
843
return;
844
forward->stash_len = n;
845
846
anotherkey:
847
/* Find the original query that started it all.... */
848
for (orig = forward; orig->dependent; orig = orig->dependent);
849
850
if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
851
status = STAT_INSECURE;
852
else
853
{
854
int fd;
855
struct frec *next = new->next;
856
*new = *forward; /* copy everything, then overwrite */
857
new->next = next;
858
new->blocking_query = NULL;
859
new->sentto = server;
860
new->rfd4 = NULL;
861
#ifdef HAVE_IPV6
862
new->rfd6 = NULL;
863
#endif
864
new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
865
866
new->dependent = forward; /* to find query awaiting new one. */
867
forward->blocking_query = new; /* for garbage cleaning */
868
/* validate routines leave name of required record in daemon->keyname */
869
if (status == STAT_NEED_KEY)
870
{
871
new->flags |= FREC_DNSKEY_QUERY;
872
nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
873
daemon->keyname, forward->class, T_DNSKEY, &server->addr);
874
}
875
else
876
{
877
if (status == STAT_NEED_DS_NEG)
878
new->flags |= FREC_CHECK_NOSIGN;
879
else
880
new->flags |= FREC_DS_QUERY;
881
nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
882
daemon->keyname, forward->class, T_DS, &server->addr);
883
}
884
if ((hash = hash_questions(header, nn, daemon->namebuff)))
885
memcpy(new->hash, hash, HASH_SIZE);
886
new->new_id = get_id();
887
header->id = htons(new->new_id);
888
/* Save query for retransmission */
889
new->stash = blockdata_alloc((char *)header, nn);
890
new->stash_len = nn;
891
892
/* Don't resend this. */
893
daemon->srv_save = NULL;
894
895
if (server->sfd)
896
fd = server->sfd->fd;
897
else
898
{
899
fd = -1;
900
#ifdef HAVE_IPV6
901
if (server->addr.sa.sa_family == AF_INET6)
902
{
903
if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
904
fd = new->rfd6->fd;
905
}
906
else
907
#endif
908
{
909
if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
910
fd = new->rfd4->fd;
911
}
912
}
913
914
if (fd != -1)
915
{
916
while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
917
server->queries++;
918
}
919
920
return;
921
}
922
}
923
924
/* Ok, we reached far enough up the chain-of-trust that we can validate something.
925
Now wind back down, pulling back answers which wouldn't previously validate
926
and validate them with the new data. Note that if an answer needs multiple
927
keys to validate, we may find another key is needed, in which case we set off
928
down another branch of the tree. Once we get to the original answer
929
(FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
930
while (forward->dependent)
931
{
932
struct frec *prev = forward->dependent;
933
free_frec(forward);
934
forward = prev;
935
forward->blocking_query = NULL; /* already gone */
936
blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
937
n = forward->stash_len;
938
939
if (status == STAT_SECURE)
940
{
941
if (forward->flags & FREC_DNSKEY_QUERY)
942
status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
943
else if (forward->flags & FREC_DS_QUERY)
944
{
945
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
946
if (status == STAT_NO_DS)
947
status = STAT_INSECURE;
948
}
949
else if (forward->flags & FREC_CHECK_NOSIGN)
950
status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
951
else
952
{
953
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL);
954
if (status == STAT_NO_SIG)
955
{
956
if (option_bool(OPT_DNSSEC_NO_SIGN))
957
status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname);
958
else
959
status = STAT_INSECURE;
960
}
961
}
962
963
if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
964
goto anotherkey;
965
}
966
}
967
968
if (status == STAT_TRUNCATED)
969
header->hb3 |= HB3_TC;
970
else
971
{
972
char *result;
973
974
if (forward->work_counter == 0)
975
result = "ABANDONED";
976
else
977
result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
978
979
log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
980
}
981
982
no_cache_dnssec = 0;
983
984
if (status == STAT_SECURE)
985
cache_secure = 1;
986
else if (status == STAT_BOGUS)
987
no_cache_dnssec = 1;
988
}
989
#endif
990
991
/* restore CD bit to the value in the query */
992
if (forward->flags & FREC_CHECKING_DISABLED)
993
header->hb4 |= HB4_CD;
994
else
995
header->hb4 &= ~HB4_CD;
996
997
if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
998
forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
999
forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
658
1000
{
659
1001
header->id = htons(forward->orig_id);
660
1002
header->hb4 |= HB4_RA; /* recursion if available */
741
1083
return;
742
1084
743
1085
source_addr.sa.sa_family = listen->family;
744
#ifdef HAVE_IPV6
745
if (listen->family == AF_INET6)
746
source_addr.in6.sin6_flowinfo = 0;
747
#endif
748
1086
1087
if (listen->family == AF_INET)
1088
{
1089
/* Source-port == 0 is an error, we can't send back to that.
1090
http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1091
if (source_addr.in.sin_port == 0)
1092
return;
1093
}
1094
#ifdef HAVE_IPV6
1095
else
1096
{
1097
/* Source-port == 0 is an error, we can't send back to that. */
1098
if (source_addr.in6.sin6_port == 0)
1099
return;
1100
source_addr.in6.sin6_flowinfo = 0;
1101
}
1102
#endif
1103
1104
/* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1105
if (option_bool(OPT_LOCAL_SERVICE))
1106
{
1107
struct addrlist *addr;
1108
#ifdef HAVE_IPV6
1109
if (listen->family == AF_INET6)
1110
{
1111
for (addr = daemon->interface_addrs; addr; addr = addr->next)
1112
if ((addr->flags & ADDRLIST_IPV6) &&
1113
is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
1114
break;
1115
}
1116
else
1117
#endif
1118
{
1119
struct in_addr netmask;
1120
for (addr = daemon->interface_addrs; addr; addr = addr->next)
1121
{
1122
netmask.s_addr = 0xffffffff << (32 - addr->prefixlen);
1123
if (!(addr->flags & ADDRLIST_IPV6) &&
1124
is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
1125
break;
1126
}
1127
}
1128
if (!addr)
1129
{
1130
static int warned = 0;
1131
if (!warned)
1132
{
1133
my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1134
warned = 1;
1135
}
1136
return;
1137
}
1138
}
1139
749
1140
if (check_dst)
750
1141
{
751
1142
struct ifreq ifr;
855
1246
856
1247
if (extract_request(header, (size_t)n, daemon->namebuff, &type))
857
1248
{
858
char types[20];
859
1249
#ifdef HAVE_AUTH
860
1250
struct auth_zone *zone;
861
1251
#endif
862
863
querystr(auth_dns ? "auth" : "query", types, type);
864
1252
char *types = querystr(auth_dns ? "auth" : "query", type);
1253
865
1254
if (listen->family == AF_INET)
866
1255
log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
867
1256
(struct all_addr *)&source_addr.in.sin_addr, types);
887
1276
#ifdef HAVE_AUTH
888
1277
if (auth_dns)
889
1278
{
890
m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr, local_auth);
1279
m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
891
1280
if (m >= 1)
892
1281
{
893
1282
send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
898
1287
else
899
1288
#endif
900
1289
{
901
m = answer_request(header, ((char *) header) + PACKETSZ, (size_t)n,
902
dst_addr_4, netmask, now);
1290
int ad_reqd, do_bit;
1291
m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
1292
dst_addr_4, netmask, now, &ad_reqd, &do_bit);
903
1293
904
1294
if (m >= 1)
905
1295
{
908
1298
daemon->local_answer++;
909
1299
}
910
1300
else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
911
header, (size_t)n, now, NULL))
1301
header, (size_t)n, now, NULL, ad_reqd, do_bit))
912
1302
daemon->queries_forwarded++;
913
1303
else
914
1304
daemon->local_answer++;
915
1305
}
916
1306
}
917
1307
1308
#ifdef HAVE_DNSSEC
1309
1310
/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1311
and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1312
STAT_NEED_DS_NEG and keyname if we need to do the query. */
1313
static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname)
1314
{
1315
struct crec *crecp;
1316
char *name_start = name;
1317
int status = dnssec_chase_cname(now, header, plen, name, keyname);
1318
1319
if (status != STAT_INSECURE)
1320
return status;
1321
1322
while (1)
1323
{
1324
crecp = cache_find_by_name(NULL, name_start, now, F_DS);
1325
1326
if (crecp && (crecp->flags & F_DNSSECOK))
1327
return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS;
1328
1329
if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.')))
1330
{
1331
name_start++; /* chop a label off and try again */
1332
continue;
1333
}
1334
1335
/* Reached the root */
1336
if (!name_start)
1337
return STAT_BOGUS;
1338
1339
strcpy(keyname, name_start);
1340
return STAT_NEED_DS_NEG;
1341
}
1342
}
1343
1344
/* Got answer to DS query from send_check_sign, check for proven non-existence, or make the next DS query to try. */
1345
static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
1346
1347
{
1348
char *name_start;
1349
unsigned char *p;
1350
int status = dnssec_validate_ds(now, header, plen, name, keyname, class);
1351
1352
if (status != STAT_INSECURE)
1353
{
1354
if (status == STAT_NO_DS)
1355
status = STAT_INSECURE;
1356
return status;
1357
}
1358
1359
p = (unsigned char *)(header+1);
1360
1361
if (extract_name(header, plen, &p, name, 1, 4) &&
1362
(name_start = strchr(name, '.')))
1363
{
1364
name_start++; /* chop a label off and try again */
1365
strcpy(keyname, name_start);
1366
return STAT_NEED_DS_NEG;
1367
}
1368
1369
return STAT_BOGUS;
1370
}
1371
1372
/* Move toward the root, until we find a signed non-existance of a DS, in which case
1373
an unsigned answer is OK, or we find a signed DS, in which case there should be
1374
a signature, and the answer is BOGUS */
1375
static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1376
char *keyname, struct server *server, int *keycount)
1377
{
1378
size_t m;
1379
unsigned char *packet, *payload;
1380
u16 *length;
1381
unsigned char *p = (unsigned char *)(header+1);
1382
int status;
1383
char *name_start = name;
1384
1385
/* Get first insecure entry in CNAME chain */
1386
status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1387
if (status == STAT_BOGUS)
1388
return STAT_BOGUS;
1389
1390
if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1391
return STAT_BOGUS;
1392
1393
payload = &packet[2];
1394
header = (struct dns_header *)payload;
1395
length = (u16 *)packet;
1396
1397
while (1)
1398
{
1399
unsigned char *newhash, hash[HASH_SIZE];
1400
unsigned char c1, c2;
1401
struct crec *crecp = cache_find_by_name(NULL, name_start, now, F_DS);
1402
1403
if (--(*keycount) == 0)
1404
{
1405
free(packet);
1406
return STAT_BOGUS;
1407
}
1408
1409
if (crecp && (crecp->flags & F_DNSSECOK))
1410
{
1411
free(packet);
1412
return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS;
1413
}
1414
1415
/* If we have cached insecurely that a DS doesn't exist,
1416
ise that is a hit for where to start looking for the secure one */
1417
if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.')))
1418
{
1419
name_start++; /* chop a label off and try again */
1420
continue;
1421
}
1422
1423
/* reached the root */
1424
if (!name_start)
1425
{
1426
free(packet);
1427
return STAT_BOGUS;
1428
}
1429
1430
m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr);
1431
1432
/* We rely on the question section coming back unchanged, ensure it is with the hash. */
1433
if ((newhash = hash_questions(header, (unsigned int)m, name)))
1434
{
1435
memcpy(hash, newhash, HASH_SIZE);
1436
1437
*length = htons(m);
1438
1439
if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1440
read_write(server->tcpfd, &c1, 1, 1) &&
1441
read_write(server->tcpfd, &c2, 1, 1) &&
1442
read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1443
{
1444
m = (c1 << 8) | c2;
1445
1446
newhash = hash_questions(header, (unsigned int)m, name);
1447
if (newhash && memcmp(hash, newhash, HASH_SIZE) == 0)
1448
{
1449
/* Note this trashes all three name workspaces */
1450
status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1451
1452
/* We've found a DS which proves the bit of the DNS where the
1453
original query is, is unsigned, so the answer is OK,
1454
if unvalidated. */
1455
if (status == STAT_NO_DS)
1456
{
1457
free(packet);
1458
return STAT_INSECURE;
1459
}
1460
1461
/* No DS, not got to DNSSEC-land yet, go up. */
1462
if (status == STAT_INSECURE)
1463
{
1464
p = (unsigned char *)(header+1);
1465
1466
if (extract_name(header, plen, &p, name, 1, 4) &&
1467
(name_start = strchr(name, '.')))
1468
{
1469
name_start++; /* chop a label off and try again */
1470
continue;
1471
}
1472
}
1473
}
1474
}
1475
}
1476
1477
free(packet);
1478
1479
return STAT_BOGUS;
1480
}
1481
}
1482
1483
static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1484
int class, char *name, char *keyname, struct server *server, int *keycount)
1485
{
1486
/* Recurse up the key heirarchy */
1487
int new_status;
1488
1489
/* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1490
if (--(*keycount) == 0)
1491
return STAT_INSECURE;
1492
1493
if (status == STAT_NEED_KEY)
1494
new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1495
else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1496
{
1497
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1498
if (status == STAT_NEED_DS && new_status == STAT_NO_DS)
1499
new_status = STAT_INSECURE;
1500
}
1501
else if (status == STAT_CHASE_CNAME)
1502
new_status = dnssec_chase_cname(now, header, n, name, keyname);
1503
else
1504
{
1505
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL);
1506
1507
if (new_status == STAT_NO_SIG)
1508
{
1509
if (option_bool(OPT_DNSSEC_NO_SIGN))
1510
new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1511
else
1512
new_status = STAT_INSECURE;
1513
}
1514
}
1515
1516
/* Can't validate because we need a key/DS whose name now in keyname.
1517
Make query for same, and recurse to validate */
1518
if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1519
{
1520
size_t m;
1521
unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1522
unsigned char *payload = &packet[2];
1523
struct dns_header *new_header = (struct dns_header *)payload;
1524
u16 *length = (u16 *)packet;
1525
unsigned char c1, c2;
1526
1527
if (!packet)
1528
return STAT_INSECURE;
1529
1530
another_tcp_key:
1531
m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
1532
new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1533
1534
*length = htons(m);
1535
1536
if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1537
!read_write(server->tcpfd, &c1, 1, 1) ||
1538
!read_write(server->tcpfd, &c2, 1, 1) ||
1539
!read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1540
new_status = STAT_INSECURE;
1541
else
1542
{
1543
m = (c1 << 8) | c2;
1544
1545
new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1546
1547
if (new_status == STAT_SECURE)
1548
{
1549
/* Reached a validated record, now try again at this level.
1550
Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1551
If so, go round again. */
1552
1553
if (status == STAT_NEED_KEY)
1554
new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1555
else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1556
{
1557
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1558
if (status == STAT_NEED_DS && new_status == STAT_NO_DS)
1559
new_status = STAT_INSECURE; /* Validated no DS */
1560
}
1561
else if (status == STAT_CHASE_CNAME)
1562
new_status = dnssec_chase_cname(now, header, n, name, keyname);
1563
else
1564
{
1565
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL);
1566
1567
if (new_status == STAT_NO_SIG)
1568
{
1569
if (option_bool(OPT_DNSSEC_NO_SIGN))
1570
new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1571
else
1572
new_status = STAT_INSECURE;
1573
}
1574
}
1575
1576
if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1577
goto another_tcp_key;
1578
}
1579
}
1580
1581
free(packet);
1582
}
1583
return new_status;
1584
}
1585
#endif
1586
1587
918
1588
/* The daemon forks before calling this: it should deal with one connection,
919
1589
blocking as neccessary, and then return. Note, need to be a bit careful
920
1590
about resources for debug mode, when the fork is suppressed: that's
927
1597
#ifdef HAVE_AUTH
928
1598
int local_auth = 0;
929
1599
#endif
930
int checking_disabled, check_subnet;
1600
int checking_disabled, ad_question, do_bit, added_pheader = 0;
1601
int check_subnet, no_cache_dnssec = 0, cache_secure = 0;
931
1602
size_t m;
932
1603
unsigned short qtype;
933
1604
unsigned int gotname;
945
1616
946
1617
if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
947
1618
return packet;
1619
1620
/* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1621
if (option_bool(OPT_LOCAL_SERVICE))
1622
{
1623
struct addrlist *addr;
1624
#ifdef HAVE_IPV6
1625
if (peer_addr.sa.sa_family == AF_INET6)
1626
{
1627
for (addr = daemon->interface_addrs; addr; addr = addr->next)
1628
if ((addr->flags & ADDRLIST_IPV6) &&
1629
is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
1630
break;
1631
}
1632
else
1633
#endif
1634
{
1635
struct in_addr netmask;
1636
for (addr = daemon->interface_addrs; addr; addr = addr->next)
1637
{
1638
netmask.s_addr = 0xffffffff << (32 - addr->prefixlen);
1639
if (!(addr->flags & ADDRLIST_IPV6) &&
1640
is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
1641
break;
1642
}
1643
}
1644
if (!addr)
1645
{
1646
my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1647
return packet;
1648
}
1649
}
948
1650
949
1651
while (1)
950
1652
{
960
1662
check_subnet = 0;
961
1663
962
1664
/* save state of "cd" flag in query */
963
checking_disabled = header->hb4 & HB4_CD;
1665
if ((checking_disabled = header->hb4 & HB4_CD))
1666
no_cache_dnssec = 1;
964
1667
965
/* RFC 4035: sect 4.6 para 2 */
966
header->hb4 &= ~HB4_AD;
967
968
1668
if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
969
1669
{
970
char types[20];
971
1670
#ifdef HAVE_AUTH
972
1671
struct auth_zone *zone;
973
1672
#endif
974
querystr(auth_dns ? "auth" : "query", types, qtype);
1673
char *types = querystr(auth_dns ? "auth" : "query", qtype);
975
1674
976
1675
if (peer_addr.sa.sa_family == AF_INET)
977
1676
log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1008
1707
{
1009
1708
/* m > 0 if answered from cache */
1010
1709
m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1011
dst_addr_4, netmask, now);
1710
dst_addr_4, netmask, now, &ad_question, &do_bit);
1012
1711
1013
1712
/* Do this by steam now we're not in the select() loop */
1014
1713
check_log_writer(NULL);
1044
1743
if (!flags && last_server)
1045
1744
{
1046
1745
struct server *firstsendto = NULL;
1746
#ifdef HAVE_DNSSEC
1747
unsigned char *newhash, hash[HASH_SIZE];
1748
if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
1749
memcpy(hash, newhash, HASH_SIZE);
1750
else
1751
memset(hash, 0, HASH_SIZE);
1752
#else
1047
1753
unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1048
1754
#endif
1049
1755
/* Loop round available servers until we succeed in connecting to one.
1050
1756
Note that this code subtley ensures that consecutive queries on this connection
1051
1757
which can go to the same server, do so. */
1080
1786
continue;
1081
1787
}
1082
1788
1789
#ifdef HAVE_DNSSEC
1790
if (option_bool(OPT_DNSSEC_VALID))
1791
{
1792
size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
1793
1794
/* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1795
this allows it to select auth servers when one is returning bad data. */
1796
if (option_bool(OPT_DNSSEC_DEBUG))
1797
header->hb4 |= HB4_CD;
1798
1799
if (size != new_size)
1800
added_pheader = 1;
1801
1802
size = new_size;
1803
}
1804
#endif
1805
1083
1806
#ifdef HAVE_CONNTRACK
1084
1807
/* Copy connection mark of incoming query to outgoing connection. */
1085
1808
if (option_bool(OPT_CONNTRACK))
1103
1826
1104
1827
if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
1105
1828
!read_write(last_server->tcpfd, &c1, 1, 1) ||
1106
!read_write(last_server->tcpfd, &c2, 1, 1))
1829
!read_write(last_server->tcpfd, &c2, 1, 1) ||
1830
!read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
1107
1831
{
1108
1832
close(last_server->tcpfd);
1109
1833
last_server->tcpfd = -1;
1111
1835
}
1112
1836
1113
1837
m = (c1 << 8) | c2;
1114
if (!read_write(last_server->tcpfd, payload, m, 1))
1115
return packet;
1116
1838
1117
1839
if (!gotname)
1118
1840
strcpy(daemon->namebuff, "query");
1124
1846
log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1125
1847
(struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1126
1848
#endif
1849
1850
#ifdef HAVE_DNSSEC
1851
if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1852
{
1853
int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1854
int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
1855
char *result;
1856
1857
if (keycount == 0)
1858
result = "ABANDONED";
1859
else
1860
result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1861
1862
log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
1863
1864
if (status == STAT_BOGUS)
1865
no_cache_dnssec = 1;
1866
1867
if (status == STAT_SECURE)
1868
cache_secure = 1;
1869
}
1870
#endif
1871
1872
/* restore CD bit to the value in the query */
1873
if (checking_disabled)
1874
header->hb4 |= HB4_CD;
1875
else
1876
header->hb4 &= ~HB4_CD;
1127
1877
1128
1878
/* There's no point in updating the cache, since this process will exit and
1129
1879
lose the information after a few queries. We make this call for the alias and
1131
1881
/* If the crc of the question section doesn't match the crc we sent, then
1132
1882
someone might be attempting to insert bogus values into the cache by
1133
1883
sending replies containing questions and bogus answers. */
1134
if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1135
m = process_reply(header, now, last_server, (unsigned int)m,
1136
option_bool(OPT_NO_REBIND) && !norebind, checking_disabled,
1137
check_subnet, &peer_addr);
1884
#ifdef HAVE_DNSSEC
1885
newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
1886
if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
1887
{
1888
m = 0;
1889
break;
1890
}
1891
#else
1892
if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
1893
{
1894
m = 0;
1895
break;
1896
}
1897
#endif
1898
1899
m = process_reply(header, now, last_server, (unsigned int)m,
1900
option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
1901
cache_secure, ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
1138
1902
1139
1903
break;
1140
1904
}
1169
1933
#ifdef HAVE_IPV6
1170
1934
f->rfd6 = NULL;
1171
1935
#endif
1936
#ifdef HAVE_DNSSEC
1937
f->dependent = NULL;
1938
f->blocking_query = NULL;
1939
f->stash = NULL;
1940
#endif
1172
1941
daemon->frec_list = f;
1173
1942
}
1174
1943
1210
1979
1211
1980
return NULL; /* doom */
1212
1981
}
1213
1214
1982
static void free_frec(struct frec *f)
1215
1983
{
1216
1984
if (f->rfd4 && --(f->rfd4->refcount) == 0)
1226
1994
1227
1995
f->rfd6 = NULL;
1228
1996
#endif
1997
1998
#ifdef HAVE_DNSSEC
1999
if (f->stash)
2000
{
2001
blockdata_free(f->stash);
2002
f->stash = NULL;
2003
}
2004
2005
/* Anything we're waiting on is pointless now, too */
2006
if (f->blocking_query)
2007
free_frec(f->blocking_query);
2008
f->blocking_query = NULL;
2009
f->dependent = NULL;
2010
#endif
1229
2011
}
1230
2012
1231
2013
/* if wait==NULL return a free or older than TIMEOUT record.
1232
2014
else return *wait zero if one available, or *wait is delay to
1233
2015
when the oldest in-use record will expire. Impose an absolute
1234
limit of 4*TIMEOUT before we wipe things (for random sockets) */
1235
struct frec *get_new_frec(time_t now, int *wait)
2016
limit of 4*TIMEOUT before we wipe things (for random sockets).
2017
If force is set, always return a result, even if we have
2018
to allocate above the limit. */
2019
struct frec *get_new_frec(time_t now, int *wait, int force)
1236
2020
{
1237
2021
struct frec *f, *oldest, *target;
1238
2022
int count;
1281
2065
}
1282
2066
1283
2067
/* none available, calculate time 'till oldest record expires */
1284
if (count > daemon->ftabsize)
2068
if (!force && count > daemon->ftabsize)
1285
2069
{
1286
2070
static time_t last_log = 0;
1287
2071
1305
2089
}
1306
2090
1307
2091
/* crc is all-ones if not known. */
1308
static struct frec *lookup_frec(unsigned short id, unsigned int crc)
2092
static struct frec *lookup_frec(unsigned short id, void *hash)
1309
2093
{
1310
2094
struct frec *f;
1311
2095
1312
2096
for(f = daemon->frec_list; f; f = f->next)
1313
2097
if (f->sentto && f->new_id == id &&
1314
(f->crc == crc || crc == 0xffffffff))
2098
(!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
1315
2099
return f;
1316
2100
1317
2101
return NULL;
1319
2103
1320
2104
static struct frec *lookup_frec_by_sender(unsigned short id,
1321
2105
union mysockaddr *addr,
1322
unsigned int crc)
2106
void *hash)
1323
2107
{
1324
2108
struct frec *f;
1325
2109
1326
2110
for(f = daemon->frec_list; f; f = f->next)
1327
2111
if (f->sentto &&
1328
2112
f->orig_id == id &&
1329
f->crc == crc &&
2113
memcmp(hash, f->hash, HASH_SIZE) == 0 &&
1330
2114
sockaddr_isequal(&f->source, addr))
1331
2115
return f;
1332
2116
1350
2134
}
1351
2135
1352
2136
/* return unique random ids. */
1353
static unsigned short get_id(unsigned int crc)
2137
static unsigned short get_id(void)
1354
2138
{
1355
2139
unsigned short ret = 0;
1356
2140
1357
2141
do
1358
2142
ret = rand16();
1359
while (lookup_frec(ret, crc));
2143
while (lookup_frec(ret, NULL));
1360
2144
1361
2145
return ret;
1362
2146
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.1