/** * * \file context.c * @brief getdns context management functions * * Declarations taken from the getdns API description pseudo implementation. * */ /* * Copyright (c) 2013, NLnet Labs, Verisign, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * Neither the names of the copyright holders nor the * names of its contributors may be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #include "anchor.h" #ifndef USE_WINSOCK #include #include #include #include #else #include #include typedef unsigned short in_port_t; #include #include #include #include #include #include #include #endif #include #include #include #include #include #include #include #ifdef HAVE_PTHREAD #include #endif #include #ifdef HAVE_LIBUNBOUND #include #endif #include "debug.h" #include "gldns/str2wire.h" #include "gldns/wire2str.h" #include "context.h" #include "types-internal.h" #include "util-internal.h" #include "platform.h" #include "dnssec.h" #include "stub.h" #include "list.h" #include "dict.h" #include "pubkey-pinning.h" #define GETDNS_PORT_ZERO 0 #define GETDNS_PORT_DNS 53 #define GETDNS_PORT_DNS_OVER_TLS 853 #define GETDNS_STR_PORT_ZERO "0" #define GETDNS_STR_PORT_DNS "53" #define GETDNS_STR_PORT_DNS_OVER_TLS "853" #ifdef HAVE_PTHREAD static pthread_mutex_t ssl_init_lock = PTHREAD_MUTEX_INITIALIZER; #endif static bool ssl_init=false; #ifdef HAVE_MDNS_SUPPORT /* * Forward declaration of MDNS context init and destroy function. * We do this here instead of including mdns.h, in order to * minimize dependencies. */ void _getdns_mdns_context_init(struct getdns_context *context); void _getdns_mdns_context_destroy(struct getdns_context *context); #endif void *plain_mem_funcs_user_arg = MF_PLAIN; typedef struct host_name_addrs { _getdns_rbnode_t node; getdns_list *ipv4addrs; getdns_list *ipv6addrs; uint8_t host_name[]; } host_name_addrs; /* If changing these lists also remember to change the value of GETDNS_UPSTREAM_TRANSPORTS */ static getdns_transport_list_t getdns_upstream_transports[GETDNS_UPSTREAM_TRANSPORTS] = { GETDNS_TRANSPORT_TCP, GETDNS_TRANSPORT_TLS, }; static in_port_t getdns_port_array[GETDNS_UPSTREAM_TRANSPORTS] = { GETDNS_PORT_DNS, GETDNS_PORT_DNS_OVER_TLS }; static char* getdns_port_str_array[] = { GETDNS_STR_PORT_DNS, GETDNS_STR_PORT_DNS_OVER_TLS }; static const uint8_t no_suffixes[] = { 1, 0 }; /* Private functions */ static getdns_return_t create_default_namespaces(struct getdns_context *context); static getdns_return_t create_default_dns_transports(struct getdns_context *context); static int transaction_id_cmp(const void *, const void *); static void dispatch_updated(struct getdns_context *, uint16_t); static void cancel_outstanding_requests(getdns_context*); /* unbound helpers */ #ifdef HAVE_LIBUNBOUND static getdns_return_t rebuild_ub_ctx(struct getdns_context* context); static void set_ub_string_opt(struct getdns_context *, char *, char *); static void set_ub_number_opt(struct getdns_context *, char *, uint16_t); static getdns_return_t set_ub_dns_transport(struct getdns_context*); static void set_ub_limit_outstanding_queries(struct getdns_context*, uint16_t); static void set_ub_dnssec_allowed_skew(struct getdns_context*, uint32_t); #endif /* Stuff to make it compile pedantically */ #define RETURN_IF_NULL(ptr, code) if(ptr == NULL) return code; #ifdef USE_WINSOCK /* For windows, the CA trust store is not read by openssl. Add code to open the trust store using wincrypt API and add the root certs into openssl trust store */ static int add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx) { HCERTSTORE hSystemStore; PCCERT_CONTEXT pTargetCert = NULL; DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, "Adding Windows certificates to CA store"); /* load just once per context lifetime for this version of getdns TODO: dynamically update CA trust changes as they are available */ if (!tls_ctx) return 0; /* Call wincrypt's CertOpenStore to open the CA root store. */ if ((hSystemStore = CertOpenStore( CERT_STORE_PROV_SYSTEM, 0, 0, /* NOTE: mingw does not have this const: replace with 1 << 16 from code CERT_SYSTEM_STORE_CURRENT_USER, */ 1 << 16, L"root")) == 0) { return 0; } X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx); if (!store) return 0; /* failure if the CA store is empty or the call fails */ if ((pTargetCert = CertEnumCertificatesInStore( hSystemStore, pTargetCert)) == 0) { DEBUG_STUB("%s %-35s: %s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, "CA certificate store for Windows is empty."); return 0; } /* iterate over the windows cert store and add to openssl store */ do { X509 *cert1 = d2i_X509(NULL, (const unsigned char **)&pTargetCert->pbCertEncoded, pTargetCert->cbCertEncoded); if (!cert1) { /* return error if a cert fails */ DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, "Unable to parse certificate in memory", ERR_get_error(), ERR_error_string(ERR_get_error(), NULL)); return 0; } else { /* return error if a cert add to store fails */ if (X509_STORE_add_cert(store, cert1) == 0) { DEBUG_STUB("%s %-35s: %s %d:%s\n", STUB_DEBUG_SETUP_TLS, __FUNC__, "Error adding certificate", ERR_get_error(), ERR_error_string(ERR_get_error(), NULL)); return 0; } X509_free(cert1); } } while ((pTargetCert = CertEnumCertificatesInStore( hSystemStore, pTargetCert)) != 0); /* Clean up memory and quit. */ if (pTargetCert) CertFreeCertificateContext(pTargetCert); if (hSystemStore) { if (!CertCloseStore( hSystemStore, 0)) return 0; } return 1; } #endif static uint8_t* upstream_addr(getdns_upstream *upstream) { return upstream->addr.ss_family == AF_INET ? (void *)&((struct sockaddr_in*)&upstream->addr)->sin_addr : (void *)&((struct sockaddr_in6*)&upstream->addr)->sin6_addr; } static in_port_t upstream_port(getdns_upstream *upstream) { return ntohs(upstream->addr.ss_family == AF_INET ? ((struct sockaddr_in *)&upstream->addr)->sin_port : ((struct sockaddr_in6*)&upstream->addr)->sin6_port); } static void destroy_local_host(_getdns_rbnode_t * node, void *arg) { getdns_context *context = (getdns_context *)arg; host_name_addrs *hnas = (host_name_addrs *)node; getdns_list_destroy(hnas->ipv4addrs); getdns_list_destroy(hnas->ipv6addrs); GETDNS_FREE(context->my_mf, hnas); } /** * Helper to get default lookup namespaces. * TODO: Determine from OS */ static getdns_return_t create_default_namespaces(struct getdns_context *context) { context->namespaces = GETDNS_XMALLOC(context->my_mf, getdns_namespace_t, 2); if(context->namespaces == NULL) return GETDNS_RETURN_GENERIC_ERROR; context->namespaces[0] = GETDNS_NAMESPACE_LOCALNAMES; context->namespaces[1] = GETDNS_NAMESPACE_DNS; context->namespace_count = 2; return GETDNS_RETURN_GOOD; } /** * Helper to get default transports. */ static getdns_return_t create_default_dns_transports(struct getdns_context *context) { context->dns_transports = GETDNS_XMALLOC(context->my_mf, getdns_transport_list_t, 2); if(context->dns_transports == NULL) return GETDNS_RETURN_GENERIC_ERROR; context->dns_transports[0] = GETDNS_TRANSPORT_UDP; context->dns_transports[1] = GETDNS_TRANSPORT_TCP; context->dns_transport_count = 2; return GETDNS_RETURN_GOOD; } static inline void canonicalize_dname(uint8_t *dname) { uint8_t *next_label; while (*dname && !(*dname & 0xC0)) { next_label = dname + *dname + 1; dname += 1; while (dname < next_label) { *dname = (uint8_t)tolower((unsigned char)*dname); dname++; } } } static int canonical_dname_compare(register const uint8_t *d1, register const uint8_t *d2) { register uint8_t lab1, lab2; assert(d1 && d2); lab1 = *d1++; lab2 = *d2++; while (lab1 != 0 || lab2 != 0) { /* compare label length */ /* if one dname ends, it has labellength 0 */ if (lab1 != lab2) { if (lab1 < lab2) return -1; return 1; } while (lab1--) { /* compare bytes first for speed */ if (*d1 != *d2) { if (*d1 < *d2) return -1; return 1; } d1++; d2++; } /* next pair of labels. */ lab1 = *d1++; lab2 = *d2++; } return 0; } static int local_host_cmp(const void *id1, const void *id2) { return canonical_dname_compare(id1, id2); } /** return 0 on success */ static int add_local_host(getdns_context *context, getdns_dict *address, const char *str) { uint8_t host_name[256]; size_t host_name_len = sizeof(host_name); host_name_addrs *hnas; getdns_bindata *address_type; int hnas_found = 0; getdns_list **addrs; if (gldns_str2wire_dname_buf(str, host_name, &host_name_len)) return -1; canonicalize_dname(host_name); if (!(hnas = (host_name_addrs *)_getdns_rbtree_search( &context->local_hosts, host_name))) { if (!(hnas = (host_name_addrs *)GETDNS_XMALLOC(context->mf, uint8_t, sizeof(host_name_addrs) + host_name_len))) return -1; hnas->ipv4addrs = NULL; hnas->ipv6addrs = NULL; (void)memcpy(hnas->host_name, host_name, host_name_len); hnas->node.key = &hnas->host_name; } else hnas_found = 1; if (getdns_dict_get_bindata(address, "address_type", &address_type) || address_type->size < 4 || !(addrs = address_type->data[3] == '4'? &hnas->ipv4addrs : address_type->data[3] == '6'? &hnas->ipv4addrs : NULL)) { if (!hnas_found) GETDNS_FREE(context->mf, hnas); return -1; } if (!*addrs && !(*addrs = getdns_list_create_with_context(context))) { if (!hnas_found) GETDNS_FREE(context->mf, hnas); return -1; } if (_getdns_list_append_this_dict(*addrs, address)) { if (!hnas_found) { getdns_list_destroy(*addrs); GETDNS_FREE(context->mf, hnas); } return -1; } else if (!hnas_found) (void)_getdns_rbtree_insert(&context->local_hosts, &hnas->node); return 0; } static getdns_dict * sockaddr_dict(getdns_context *context, struct sockaddr *sa) { getdns_dict *address = getdns_dict_create_with_context(context); char addrstr[1024], *b; getdns_bindata bindata; uint16_t port; if (!address) return NULL; switch (sa->sa_family) { case AF_INET: if (getdns_dict_util_set_string(address,"address_type","IPv4")) break; bindata.size = 4; bindata.data = (void *)&((struct sockaddr_in*)sa)->sin_addr; if ((getdns_dict_set_bindata(address,"address_data",&bindata))) break; port = ntohs(((struct sockaddr_in *)sa)->sin_port); if (port != GETDNS_PORT_ZERO && port != GETDNS_PORT_DNS && getdns_dict_set_int(address, "port", (uint32_t)port)) break; return address; case AF_INET6: if (getdns_dict_util_set_string(address,"address_type","IPv6")) break; bindata.size = 16; bindata.data = (void *)&((struct sockaddr_in6*)sa)->sin6_addr; if ((getdns_dict_set_bindata(address,"address_data",&bindata))) break; port = ntohs(((struct sockaddr_in6 *)sa)->sin6_port); if (port != GETDNS_PORT_ZERO && port != GETDNS_PORT_DNS && getdns_dict_set_int(address, "port", (uint32_t)port)) break; /* Try to get scope_id too */ if (getnameinfo(sa, sizeof(struct sockaddr_in6), addrstr, sizeof(addrstr), NULL, 0, NI_NUMERICHOST)) break; if ((b = strchr(addrstr, '%')) && getdns_dict_util_set_string(address, "scope_id", b+1)) break; return address; default: /* Unknown protocol */ break; } getdns_dict_destroy(address); return NULL; } static getdns_dict * str_addr_dict(getdns_context *context, const char *str) { static struct addrinfo hints = { .ai_family = AF_UNSPEC , .ai_flags = AI_NUMERICHOST }; struct addrinfo *ai; getdns_dict *address; if (getaddrinfo(str, NULL, &hints, &ai)) return NULL; if (!ai) return NULL; address = sockaddr_dict(context, ai->ai_addr); freeaddrinfo(ai); return address; } static void create_local_hosts(getdns_context *context) { /* enough space in buf for longest allowed domain name */ char buf[1024]; char *pos = buf, prev_c, *start_of_word = NULL; FILE *in; int start_of_line = 1; getdns_dict *address = NULL; #ifdef USE_WINSOCK in = fopen("c:\\WINDOWS\\system32\\drivers\\etc\\hosts", "r"); #else in = fopen("/etc/hosts", "r"); #endif while (fgets(pos, (int)(sizeof(buf) - (pos - buf)), in)) { pos = buf; /* Break out of for to read more */ for (;;) { /* Skip whitespace */ while (*pos == ' ' || *pos == '\f' || *pos == '\t' || *pos == '\v') pos++; if (*pos == '\0') { /* End of read data */ pos = buf; goto read_more; } else if (*pos == '#' || *pos == '\r' || *pos == '\n') /* Comments or end of line */ break; /* skip to next line */ assert(*pos && !isspace(*pos)); start_of_word = pos; /* Search for end of word */ while (*pos && !isspace(*pos)) pos++; /* '\0' before whitespace, so either the word did not * fit, or we are at the end of the file. */ if (*pos == '\0') { if (start_of_word == buf) /* word too big */ break; /* skip to next line */ /* Move word to fit in buffer */ memmove(buf,start_of_word,pos - start_of_word); pos = buf + (pos - start_of_word); start_of_word = buf; *pos = '\0'; goto read_more; } assert(isspace(*pos)); prev_c = *pos; *pos = '\0'; if (start_of_line) { start_of_line = 0; if (address) getdns_dict_destroy(address); if (!(address = str_addr_dict(context, start_of_word))) /* Unparseable address */ break; /* skip to next line */ } else if (!add_local_host(context, address, start_of_word)) address = NULL; start_of_word = NULL; *pos = prev_c; /* process next word in buf */ } /* skip to next line */ while (*pos != '\r' && *pos != '\n') if (*pos) pos++; else if (!fgets((pos = buf), sizeof(buf), in)) break; /* We're done */ start_of_line = 1; if (address) { getdns_dict_destroy(address); address = NULL; } pos = buf; read_more: ; } fclose(in); if (address) { /* One last name for this address? */ if (start_of_word && !start_of_line) if (!add_local_host(context, address, start_of_word)) address = NULL; getdns_dict_destroy(address); } } /** * check a file for changes since the last check * and refresh the current data if changes are detected * @param context pointer to a previously created context to be used for this call * @param fchg file to check * @returns changes as OR'd list of GETDNS_FCHG_* values * @returns GETDNS_FCHG_NONE if no changes * @returns GETDNS_FCHG_ERRORS if problems (see fchg->errors for details) */ int _getdns_filechg_check(struct getdns_context *context, struct filechg *fchg) { struct stat *finfo; if(fchg == NULL) return 0; fchg->errors = GETDNS_FCHG_NOERROR; fchg->changes = GETDNS_FCHG_NOCHANGES; finfo = GETDNS_MALLOC(context->my_mf, struct stat); if(finfo == NULL) { fchg->errors = errno; return GETDNS_FCHG_ERRORS; } if(stat(fchg->fn, finfo) != 0) { GETDNS_FREE(context->my_mf, finfo); fchg->errors = errno; return GETDNS_FCHG_ERRORS; } /* we want to consider a file that previously returned error for stat() as a change */ if(fchg->prevstat == NULL) fchg->changes = GETDNS_FCHG_MTIME | GETDNS_FCHG_CTIME; else { if(fchg->prevstat->st_mtime != finfo->st_mtime) fchg->changes |= GETDNS_FCHG_MTIME; if(fchg->prevstat->st_ctime != finfo->st_ctime) fchg->changes |= GETDNS_FCHG_CTIME; GETDNS_FREE(context->my_mf, fchg->prevstat); } fchg->prevstat = finfo; return fchg->changes; } /* filechg */ static getdns_upstreams * upstreams_create(getdns_context *context, size_t size) { getdns_upstreams *r = (void *) GETDNS_XMALLOC(context->mf, char, sizeof(getdns_upstreams) + sizeof(getdns_upstream) * size); r->mf = context->mf; r->referenced = 1; r->count = 0; r->current_udp = 0; r->current_stateful = 0; r->tls_backoff_time = context->tls_backoff_time; r->tls_connection_retries = context->tls_connection_retries; r->log = context->log; return r; } void _getdns_upstreams_dereference(getdns_upstreams *upstreams) { getdns_upstream *upstream; getdns_dns_req *dnsreq; if (!upstreams || --upstreams->referenced > 0) return; for ( upstream = upstreams->upstreams ; upstreams->count ; upstreams->count--, upstream++ ) { sha256_pin_t *pin = upstream->tls_pubkey_pinset; if (upstream->loop && ( upstream->event.read_cb || upstream->event.write_cb || upstream->event.timeout_cb) ) { GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event); upstream->event.read_cb = NULL; upstream->event.write_cb = NULL; upstream->event.timeout_cb = NULL; } if (upstream->loop && upstream->finished_event.timeout_cb) { GETDNS_CLEAR_EVENT(upstream->loop, &upstream->finished_event); upstream->finished_event.timeout_cb = NULL; } while (upstream->finished_dnsreqs) { dnsreq = upstream->finished_dnsreqs; upstream->finished_dnsreqs = dnsreq->finished_next; if (!dnsreq->internal_cb) { /* Not part of chain */ debug_req("Destroy ", *dnsreq->netreqs); _getdns_context_cancel_request(dnsreq); } } if (upstream->tls_session != NULL) SSL_SESSION_free(upstream->tls_session); if (upstream->tls_obj != NULL) { SSL_shutdown(upstream->tls_obj); SSL_free(upstream->tls_obj); } if (upstream->fd != -1) { _getdns_closesocket(upstream->fd); } while (pin) { sha256_pin_t *nextpin = pin->next; GETDNS_FREE(upstreams->mf, pin); pin = nextpin; } upstream->tls_pubkey_pinset = NULL; } GETDNS_FREE(upstreams->mf, upstreams); } void _getdns_upstream_log(getdns_upstream *upstream, uint64_t system, getdns_loglevel_type level, const char *fmt, ...) { va_list args; if (!upstream || !upstream->upstreams || !upstream->upstreams->log.func || !(upstream->upstreams->log.system & system) || level > upstream->upstreams->log.level) return; va_start(args, fmt); upstream->upstreams->log.func( upstream->upstreams->log.userarg, system, level, fmt, args); va_end(args); } void upstream_backoff(getdns_upstream *upstream) { upstream->conn_state = GETDNS_CONN_BACKOFF; /* Increase the backoff interval incrementally up to the tls_backoff_time*/ if (upstream->conn_backoff_interval < upstream->upstreams->tls_backoff_time) { if (upstream->conn_backoff_interval < (UINT16_MAX-1)/2) upstream->conn_backoff_interval *= 2; else upstream->conn_backoff_interval = upstream->upstreams->tls_backoff_time; } if (upstream->conn_backoff_interval < upstream->upstreams->tls_backoff_time) upstream->conn_retry_time = time(NULL) + upstream->conn_backoff_interval; else upstream->conn_retry_time = time(NULL) + upstream->upstreams->tls_backoff_time; upstream->total_responses = 0; upstream->total_timeouts = 0; upstream->conn_completed = 0; upstream->conn_setup_failed = 0; upstream->conn_shutdowns = 0; upstream->conn_backoffs++; _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_NOTICE, "%-40s : !Backing off this upstream - Will retry again in %ds at %s", upstream->addr_str, upstream->conn_backoff_interval, asctime(gmtime(&upstream->conn_retry_time))); } void _getdns_upstream_reset(getdns_upstream *upstream) { /* Back off connections that never got up service at all (probably no TCP service or incompatible TLS version/cipher). Leave choice between working upstreams to the stub. This back-off should be time based for TLS according to RFC7858. For now, use the same basis if we simply can't get TCP service either.*/ /* [TLS1]TODO: This arbitrary logic at the moment - review and improve!*/ /*This is the configured number of retries to attempt*/ uint16_t conn_retries = upstream->upstreams->tls_connection_retries; if (upstream->conn_setup_failed >= conn_retries || ((int)upstream->conn_shutdowns >= conn_retries*GETDNS_TRANSPORT_FAIL_MULT && upstream->total_responses == 0) || (upstream->conn_completed >= conn_retries && upstream->total_responses == 0 && upstream->total_timeouts > GETDNS_TRANSPORT_FAIL_MULT)) { upstream_backoff(upstream); } /* If we didn't backoff it would be nice to reset the conn_backoff_interval if the upstream is working well again otherwise it would get stuck at the tls_backoff_time forever... How about */ if (upstream->conn_state != GETDNS_CONN_BACKOFF && upstream->responses_received > 1) upstream->conn_backoff_interval = 1; // Reset per connection counters upstream->queries_sent = 0; upstream->responses_received = 0; upstream->responses_timeouts = 0; upstream->keepalive_timeout = 0; upstream->keepalive_shutdown = 0; /* Now TLS stuff*/ upstream->tls_auth_state = GETDNS_AUTH_NONE; if (upstream->event.ev && upstream->loop) { upstream->loop->vmt->clear( upstream->loop, &upstream->event); } if (upstream->tls_obj != NULL) { SSL_shutdown(upstream->tls_obj); SSL_free(upstream->tls_obj); upstream->tls_obj = NULL; } if (upstream->fd != -1) { _getdns_closesocket(upstream->fd); upstream->fd = -1; } /* Set connection ready for use again*/ if (upstream->conn_state != GETDNS_CONN_BACKOFF) upstream->conn_state = GETDNS_CONN_CLOSED; } void _getdns_upstream_shutdown(getdns_upstream *upstream) { /* Update total stats for the upstream.*/ upstream->total_responses+=upstream->responses_received; upstream->total_timeouts+=upstream->responses_timeouts; /* Need the last auth state when using session resumption*/ upstream->last_tls_auth_state = upstream->tls_auth_state; /* Keep track of the best auth state this upstream has had*/ if (upstream->tls_auth_state > upstream->best_tls_auth_state) upstream->best_tls_auth_state = upstream->tls_auth_state; _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG, "%-40s : Conn closed: %s - Resps=%6d, Timeouts =%6d, Curr_auth =%7s, Keepalive(ms)=%6d\n", upstream->addr_str, (upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"), (int)upstream->responses_received, (int)upstream->responses_timeouts, _getdns_auth_str(upstream->tls_auth_state), (int)upstream->keepalive_timeout); _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_INFO, "%-40s : Upstream : %s - Resps=%6d, Timeouts =%6d, Best_auth =%7s\n", upstream->addr_str, (upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"), (int)upstream->total_responses, (int)upstream->total_timeouts, _getdns_auth_str(upstream->best_tls_auth_state)); _getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_INFO, "%-40s : Upstream : %s - Conns=%6d, Conn_fails=%6d, Conn_shuts=%7d, Backoffs =%6d\n", upstream->addr_str, (upstream->transport == GETDNS_TRANSPORT_TLS ? "TLS" : "TCP"), (int)upstream->conn_completed, (int)upstream->conn_setup_failed, (int)upstream->conn_shutdowns, (int)upstream->conn_backoffs); _getdns_upstream_reset(upstream); } static int tls_is_in_transports_list(getdns_context *context) { size_t i; for (i = 0; i< context->dns_transport_count;i++) { if (context->dns_transports[i] == GETDNS_TRANSPORT_TLS) return 1; } return 0; } static int tls_only_is_in_transports_list(getdns_context *context) { if (context->dns_transport_count != 1) return 0; if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS) return 1; return 0; } static int net_req_query_id_cmp(const void *id1, const void *id2) { /* * old code was: * return (intptr_t)id1 - (intptr_t)id2; *but this is incorrect on 64 bit architectures. */ int ret = 0; if (id1 != id2) { ret = ((intptr_t)id1 < (intptr_t)id2) ? -1 : 1; } return ret; } static getdns_tsig_info const tsig_info[] = { { GETDNS_NO_TSIG, NULL, 0, NULL, 0, 0, 0 } , { GETDNS_HMAC_MD5 , "hmac-md5.sig-alg.reg.int", 24 , (uint8_t *)"\x08hmac-md5\x07sig-alg\x03reg\x03int", 26, 10, 16 } , { GETDNS_NO_TSIG, NULL, 0, NULL, 0, 0, 0 } , { GETDNS_HMAC_SHA1 , "hmac-sha1" , 9 , (uint8_t *)"\x09hmac-sha1" , 11, 10, 20 } , { GETDNS_HMAC_SHA224, "hmac-sha224", 11 , (uint8_t *)"\x0bhmac-sha224", 13, 14, 28 } , { GETDNS_HMAC_SHA256, "hmac-sha256", 11 , (uint8_t *)"\x0bhmac-sha256", 13, 16, 32 } , { GETDNS_HMAC_SHA384, "hmac-sha384", 11 , (uint8_t *)"\x0bhmac-sha384", 13, 24, 48 } , { GETDNS_HMAC_SHA512, "hmac-sha512", 11 , (uint8_t *)"\x0bhmac-sha512", 13, 32, 64 } , { GETDNS_HMAC_MD5 , "hmac-md5" , 8 , (uint8_t *)"\x08hmac-md5" , 10, 10, 16 } }; static size_t const n_tsig_infos = sizeof(tsig_info) / sizeof(getdns_tsig_info); static getdns_tsig_info const * const last_tsig_info = tsig_info + (sizeof(tsig_info) / sizeof(getdns_tsig_info)); const getdns_tsig_info *_getdns_get_tsig_info(getdns_tsig_algo tsig_alg) { return ((unsigned) tsig_alg > n_tsig_infos - 1) || tsig_info[tsig_alg].alg == GETDNS_NO_TSIG ? NULL : &tsig_info[tsig_alg]; } static getdns_tsig_algo _getdns_get_tsig_algo(getdns_bindata *algo) { const getdns_tsig_info *i; if (!algo || algo->size == 0) return GETDNS_NO_TSIG; if (algo->data[algo->size-1] != 0) { /* Unterminated string */ for (i = tsig_info; i < last_tsig_info; i++) if ((algo->size == i->strlen_name || (algo->size - 1 == i->strlen_name && algo->data[algo->size - 1] == '.' ) )&& strncasecmp((const char *)algo->data, i->name, i->strlen_name) == 0) return i->alg; } else if (!_getdns_bindata_is_dname(algo)) { /* Terminated string */ for (i = tsig_info; i < last_tsig_info; i++) if (algo->size - 1 == i->strlen_name && strncasecmp((const char *)algo->data, i->name, i->strlen_name) == 0) return i->alg; } else { /* fqdn, canonical_dname_compare is now safe to use! */ for (i = tsig_info; i < last_tsig_info; i++) if (canonical_dname_compare(algo->data, i->dname) == 0) return i->alg; } return GETDNS_NO_TSIG; } static void upstream_init(getdns_upstream *upstream, getdns_upstreams *parent, struct addrinfo *ai) { upstream->upstreams = parent; upstream->addr_len = ai->ai_addrlen; (void) memcpy(&upstream->addr, ai->ai_addr, ai->ai_addrlen); inet_ntop(upstream->addr.ss_family, upstream_addr(upstream), upstream->addr_str, INET6_ADDRSTRLEN); /* How is this upstream doing on connections? */ upstream->conn_completed = 0; upstream->conn_shutdowns = 0; upstream->conn_setup_failed = 0; upstream->conn_retry_time = 0; upstream->conn_backoff_interval = 1; upstream->conn_backoffs = 0; upstream->total_responses = 0; upstream->total_timeouts = 0; upstream->conn_state = GETDNS_CONN_CLOSED; upstream->queries_sent = 0; upstream->responses_received = 0; upstream->responses_timeouts = 0; upstream->keepalive_shutdown = 0; upstream->keepalive_timeout = 0; /* How is this upstream doing on UDP? */ upstream->to_retry = 1; upstream->back_off = 1; upstream->udp_responses = 0; upstream->udp_timeouts = 0; /* For sharing a socket to this upstream with TCP */ upstream->fd = -1; upstream->tls_obj = NULL; upstream->tls_session = NULL; upstream->transport = GETDNS_TRANSPORT_TCP; upstream->tls_hs_state = GETDNS_HS_NONE; upstream->tls_auth_name[0] = '\0'; upstream->tls_auth_state = GETDNS_AUTH_NONE; upstream->last_tls_auth_state = GETDNS_AUTH_NONE; upstream->best_tls_auth_state = GETDNS_AUTH_NONE; upstream->tls_pubkey_pinset = NULL; upstream->loop = NULL; (void) getdns_eventloop_event_init( &upstream->event, upstream, NULL, NULL, NULL); (void) memset(&upstream->tcp, 0, sizeof(upstream->tcp)); upstream->write_queue = NULL; upstream->write_queue_last = NULL; upstream->finished_dnsreqs = NULL; (void) getdns_eventloop_event_init( &upstream->finished_event, upstream, NULL, NULL, NULL); upstream->has_client_cookie = 0; upstream->has_prev_client_cookie = 0; upstream->has_server_cookie = 0; upstream->tsig_alg = GETDNS_NO_TSIG; upstream->tsig_dname_len = 0; upstream->tsig_size = 0; /* Tracking of network requests on this socket */ _getdns_rbtree_init(&upstream->netreq_by_query_id, net_req_query_id_cmp); } #ifdef USE_WINSOCK /* Read the Windows search suffix and add to context There may or may not be domains and suffixes so do not error if missing */ static int get_dns_suffix_windows(getdns_list *suffix, char* domain) { char *parse, *token, prev_ch; char lszValue[255] = ""; char lszDomain[255] = ""; HKEY hKey; LONG returnStatus; DWORD dwType=REG_SZ; DWORD dwSize=255; returnStatus = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\TcpIp\\Parameters", 0, KEY_READ, &hKey); if (returnStatus != ERROR_SUCCESS) { /* try windows 9x/me */ returnStatus = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\VxD\\MSTCP", 0, KEY_READ, &hKey); } if (returnStatus == ERROR_SUCCESS) { returnStatus = RegQueryValueEx(hKey, TEXT("SearchList"), 0, &dwType,(LPBYTE)&lszValue, &dwSize); if (returnStatus == ERROR_SUCCESS) { if ((strlen(lszValue)) > 0) { parse = lszValue; do { parse += strspn(parse, ","); token = parse + strcspn(parse, ","); prev_ch = *token; *token = 0; _getdns_list_append_string(suffix, parse); *token = prev_ch; parse = token; } while (*parse); } } dwSize = 255; returnStatus = RegQueryValueEx(hKey, TEXT("Domain"), 0, &dwType,(LPBYTE)&lszDomain, &dwSize); if (returnStatus == ERROR_SUCCESS) { strcpy_s(domain, dwSize, lszDomain); } RegCloseKey(hKey); } else { return 0; /* no DNS keys or suffixes */ } return 1; } static getdns_return_t set_os_defaults_windows(struct getdns_context *context) { char domain[1024] = ""; size_t upstreams_limit = 10; struct addrinfo hints; struct addrinfo *result; getdns_list *suffix; getdns_upstream *upstream; size_t length; int s; uint32_t info_err = 0; if (context->fchg_resolvconf == NULL) { context->fchg_resolvconf = GETDNS_MALLOC(context->my_mf, struct filechg); if (context->fchg_resolvconf == NULL) return GETDNS_RETURN_MEMORY_ERROR; context->fchg_resolvconf->fn = "InvalidOnWindows"; context->fchg_resolvconf->prevstat = NULL; context->fchg_resolvconf->changes = GETDNS_FCHG_NOCHANGES; context->fchg_resolvconf->errors = GETDNS_FCHG_NOERROR; } _getdns_filechg_check(context, context->fchg_resolvconf); context->upstreams = upstreams_create(context, upstreams_limit); memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ hints.ai_socktype = 0; /* Datagram socket */ hints.ai_flags = AI_NUMERICHOST; /* No reverse name lookups */ hints.ai_protocol = 0; /* Any protocol */ hints.ai_canonname = NULL; hints.ai_addr = NULL; hints.ai_next = NULL; FIXED_INFO *info; ULONG buflen = sizeof(*info); IP_ADDR_STRING *ptr = 0; info = (FIXED_INFO *)malloc(sizeof(FIXED_INFO)); if (info == NULL) return GETDNS_RETURN_GENERIC_ERROR; if ((info_err = GetNetworkParams(info, &buflen)) == ERROR_BUFFER_OVERFLOW) { free(info); info = (FIXED_INFO *)malloc(buflen); if (info == NULL) return GETDNS_RETURN_GENERIC_ERROR; info_err = GetNetworkParams(info, &buflen); } if (info_err == NO_ERROR) { ptr = &info->DnsServerList; *domain = 0; while (ptr) { size_t i; for (i = 0; i < GETDNS_UPSTREAM_TRANSPORTS; i++) { char *port_str = getdns_port_str_array[i]; if ((s = getaddrinfo(ptr->IpAddress.String, port_str, &hints, &result))) continue; if (!result) continue; upstream = &context->upstreams-> upstreams[context->upstreams->count++]; upstream_init(upstream, context->upstreams, result); upstream->transport = getdns_upstream_transports[i]; freeaddrinfo(result); } ptr = ptr->Next; } } if (info != NULL) free(info); suffix = getdns_list_create_with_context(context); if (get_dns_suffix_windows(suffix, domain)) { (void) getdns_list_get_length(suffix, &length); if (*domain != 0) { _getdns_list_append_string(suffix, domain); } (void) getdns_list_get_length(suffix, &length); if (length > 0) { (void )getdns_context_set_suffix(context, suffix); } } getdns_list_destroy(suffix); return GETDNS_RETURN_GOOD; } /* set_os_defaults_windows */ #else static getdns_return_t set_os_defaults(struct getdns_context *context) { FILE *in; char line[1024], domain[1024]; char *parse, *token, prev_ch; size_t upstream_count, length; struct addrinfo hints; struct addrinfo *result; getdns_upstream *upstream; getdns_list *suffix; int s; if(context->fchg_resolvconf == NULL) { context->fchg_resolvconf = GETDNS_MALLOC(context->my_mf, struct filechg); if(context->fchg_resolvconf == NULL) return GETDNS_RETURN_MEMORY_ERROR; context->fchg_resolvconf->fn = "/etc/resolv.conf"; context->fchg_resolvconf->prevstat = NULL; context->fchg_resolvconf->changes = GETDNS_FCHG_NOCHANGES; context->fchg_resolvconf->errors = GETDNS_FCHG_NOERROR; } _getdns_filechg_check(context, context->fchg_resolvconf); in = fopen(context->fchg_resolvconf->fn, "r"); if (!in) return GETDNS_RETURN_GOOD; upstream_count = 0; while (fgets(line, (int)sizeof(line), in)) if (strncmp(line, "nameserver", 10) == 0) upstream_count++; fclose(in); suffix = getdns_list_create_with_context(context); context->upstreams = upstreams_create( context, upstream_count * GETDNS_UPSTREAM_TRANSPORTS); in = fopen(context->fchg_resolvconf->fn, "r"); if (!in) return GETDNS_RETURN_GOOD; memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ hints.ai_socktype = 0; /* Datagram socket */ hints.ai_flags = AI_NUMERICHOST; /* No reverse name lookups */ hints.ai_protocol = 0; /* Any protocol */ hints.ai_canonname = NULL; hints.ai_addr = NULL; hints.ai_next = NULL; *domain = 0; while (fgets(line, (int)sizeof(line), in)) { size_t i; line[sizeof(line)-1] = 0; /* parse = line + strspn(line, " \t"); */ /* No leading whitespace */ parse = line; if (strncmp(parse, "domain", 6) == 0) { parse += 6; parse += strspn(parse, " \t"); if (*parse == 0 || *parse == '#') continue; token = parse + strcspn(parse, " \t\r\n"); *token = 0; (void) strlcpy(domain, parse, sizeof(domain)); continue; } if (strncmp(parse, "search", 6) == 0) { parse += 6; do { parse += strspn(parse, " \t"); if (*parse == '#' || *parse == '\n') break; token = parse + strcspn(parse, " \t\r\n"); prev_ch = *token; *token = 0; _getdns_list_append_string(suffix, parse); *token = prev_ch; parse = token; } while (*parse); continue; } if (strncmp(parse, "nameserver", 10) != 0) continue; parse += 10; parse += strspn(parse, " \t"); if (*parse == 0 || *parse == '#') continue; token = parse + strcspn(parse, " \t\r\n"); *token = 0; for (i = 0; i < GETDNS_UPSTREAM_TRANSPORTS; i++) { char *port_str = getdns_port_str_array[i]; if ((s = getaddrinfo(parse, port_str, &hints, &result))) continue; if (!result) continue; upstream = &context->upstreams-> upstreams[context->upstreams->count++]; upstream_init(upstream, context->upstreams, result); upstream->transport = getdns_upstream_transports[i]; freeaddrinfo(result); } } fclose(in); (void) getdns_list_get_length(suffix, &length); if (length == 0 && *domain != 0) _getdns_list_append_string(suffix, domain); (void )getdns_context_set_suffix(context, suffix); getdns_list_destroy(suffix); return GETDNS_RETURN_GOOD; } /* set_os_defaults */ #endif /* compare of transaction ids in DESCENDING order so that 0 comes last */ static int transaction_id_cmp(const void *id1, const void *id2) { if (id1 == NULL && id2 == NULL) { return 0; } else if (id1 == NULL && id2 != NULL) { return 1; } else if (id1 != NULL && id2 == NULL) { return -1; } else { getdns_transaction_t t1 = *((const getdns_transaction_t *) id1); getdns_transaction_t t2 = *((const getdns_transaction_t *) id2); if (t1 == t2) { return 0; } else if (t1 > t2) { return -1; } else { return 1; } } } static void NULL_update_callback( getdns_context *context, getdns_context_code_t code, void *userarg) { (void)context; (void)code; (void)userarg; } static int netreq_expiry_cmp(const void *id1, const void *id2) { getdns_network_req *req1 = (getdns_network_req *)id1; getdns_network_req *req2 = (getdns_network_req *)id2; return req1->owner->expires < req2->owner->expires ? -1 : req1->owner->expires > req2->owner->expires ? 1 : req1 < req2 ? -1 : req1 > req2 ? 1 : 0; } void _getdns_check_expired_pending_netreqs( getdns_context *context, uint64_t *now_ms); static void _getdns_check_expired_pending_netreqs_cb(void *arg) { uint64_t now_ms = 0; _getdns_check_expired_pending_netreqs((getdns_context *)arg, &now_ms); } static const char *_getdns_default_trust_anchors_url = "http://data.iana.org/root-anchors/root-anchors.xml"; /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */ static const char *_getdns_default_trust_anchors_verify_CA = "-----BEGIN CERTIFICATE-----\n" "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n" "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n" "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n" "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n" "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n" "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n" "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n" "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n" "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n" "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n" "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n" "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n" "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n" "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n" "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n" "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n" "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n" "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n" "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n" "-----END CERTIFICATE-----\n"; static const char *_getdns_default_trust_anchors_verify_email = "dnssec@iana.org"; /* * getdns_context_create * * Call this to initialize the context that is used in other getdns calls. */ getdns_return_t getdns_context_create_with_extended_memory_functions( struct getdns_context ** context, int set_from_os, void *userarg, void *(*malloc)(void *userarg, size_t), void *(*realloc)(void *userarg, void *, size_t), void (*free)(void *userarg, void *) ) { getdns_return_t r; struct getdns_context *result = NULL; mf_union mf; gldns_buffer gbuf; #ifdef USE_WINSOCK WORD wVersionRequested; #endif if (!context || !malloc || !realloc || !free) return GETDNS_RETURN_INVALID_PARAMETER; /** default init **/ mf.ext.malloc = malloc; result = userarg == MF_PLAIN ? (*mf.pln.malloc)( sizeof(struct getdns_context)) : (*mf.ext.malloc)(userarg, sizeof(struct getdns_context)); if (!result) return GETDNS_RETURN_MEMORY_ERROR; #ifdef USE_WINSOCK /* We need to run WSAStartup() to be able to use getaddrinfo() */ wVersionRequested = MAKEWORD(2, 2); if (WSAStartup(wVersionRequested, &result->wsaData)) { r = GETDNS_RETURN_GENERIC_ERROR; goto error; } #endif result->processing = 0; result->destroying = 0; result->my_mf.mf_arg = userarg; result->my_mf.mf.ext.malloc = malloc; result->my_mf.mf.ext.realloc = realloc; result->my_mf.mf.ext.free = free; result->update_callback = NULL; result->update_callback2 = NULL_update_callback; result->update_userarg = NULL; result->log.func = NULL; result->log.userarg = NULL; result->log.system = 0; result->log.level = GETDNS_LOG_ERR; result->mf.mf_arg = userarg; result->mf.mf.ext.malloc = malloc; result->mf.mf.ext.realloc = realloc; result->mf.mf.ext.free = free; result->resolution_type_set = 0; _getdns_rbtree_init(&result->outbound_requests, transaction_id_cmp); _getdns_rbtree_init(&result->local_hosts, local_host_cmp); _getdns_rbtree_init(&result->pending_netreqs, netreq_expiry_cmp); result->first_pending_netreq = NULL; result->netreqs_in_flight = 0; result->pending_timeout_event.userarg = result; result->pending_timeout_event.read_cb = NULL; result->pending_timeout_event.write_cb = NULL; result->pending_timeout_event.timeout_cb = _getdns_check_expired_pending_netreqs_cb; result->pending_timeout_event.ev = NULL; result->server = NULL; #ifdef HAVE_LIBUNBOUND result->resolution_type = GETDNS_RESOLUTION_RECURSING; #else result->resolution_type = GETDNS_RESOLUTION_STUB; #endif if ((r = create_default_namespaces(result))) goto error; result->timeout = 5000; result->idle_timeout = 0; result->follow_redirects = GETDNS_REDIRECTS_FOLLOW; result->dns_root_servers = NULL; #if defined(HAVE_LIBUNBOUND) && !defined(HAVE_UB_CTX_SET_STUB) result->root_servers_fn[0] = 0; #endif result->append_name = GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST; result->suffixes = no_suffixes; result->suffixes_len = sizeof(no_suffixes); result->trust_anchors_source = GETDNS_TASRC_NONE; result->can_write_appdata = PROP_UNKNOWN; result->trust_anchors_url = NULL; result->trust_anchors_verify_email = NULL; result->trust_anchors_verify_CA = NULL; result->appdata_dir = NULL; (void) memset(&result->root_ksk, 0, sizeof(result->root_ksk)); (void) memset(&result->a, 0, sizeof(result->a)); (void) memset(&result->aaaa, 0, sizeof(result->aaaa)); result->a.fd = -1; result->aaaa.fd = -1; gldns_buffer_init_vfixed_frm_data(&gbuf, result->trust_anchors_spc , sizeof(result->trust_anchors_spc)); if (!_getdns_parse_ta_file(NULL, &gbuf)) { result->trust_anchors = NULL; result->trust_anchors_len = 0; } else if ((result->trust_anchors_len = gldns_buffer_position(&gbuf)) > sizeof(result->trust_anchors_spc)) { if ((result->trust_anchors = GETDNS_XMALLOC( result->mf, uint8_t, result->trust_anchors_len))) { gldns_buffer_init_frm_data(&gbuf , result->trust_anchors , result->trust_anchors_len); if (!_getdns_parse_ta_file(NULL, &gbuf)) { GETDNS_FREE(result->mf, result->trust_anchors); result->trust_anchors = NULL; result->trust_anchors_len = 0; } else result->trust_anchors_source = GETDNS_TASRC_ZONE; } } else { result->trust_anchors = result->trust_anchors_spc; result->trust_anchors_source = GETDNS_TASRC_ZONE; } result->upstreams = NULL; result->edns_extended_rcode = 0; result->edns_version = 0; result->edns_do_bit = 0; result->edns_client_subnet_private = 0; result->tls_query_padding_blocksize = 1; /* default is to pad queries sensibly */ result->tls_ctx = NULL; result->extension = &result->default_eventloop.loop; _getdns_default_eventloop_init(&result->mf, &result->default_eventloop); _getdns_default_eventloop_init(&result->mf, &result->sync_eventloop); /* request extension defaults */ result->header = NULL; result->add_opt_parameters = NULL; result->add_warning_for_bad_dns = 0; result->dnssec_return_all_statuses = 0; result->dnssec_return_full_validation_chain = 0; result->dnssec_return_only_secure = 0; result->dnssec_return_status = 0; result->dnssec_return_validation_chain = 0; #ifdef DNSSEC_ROADBLOCK_AVOIDANCE result->dnssec_roadblock_avoidance = 0; #endif result->edns_cookies = 0; result->return_api_information = 0; result->return_both_v4_and_v6 = 0; result->return_call_reporting = 0; result->specify_class = GETDNS_RRCLASS_IN; result->sys_ctxt = NULL; result->ta_notify = NULL; /* state data used to detect changes to the system config files */ result->fchg_resolvconf = NULL; result->fchg_hosts = NULL; // resolv.conf does not exist on Windows, handle differently #ifndef USE_WINSOCK if ((set_from_os & 1) && (r = set_os_defaults(result))) goto error; #else if ((set_from_os & 1) && (r = set_os_defaults_windows(result))) goto error; #endif result->dnssec_allowed_skew = 0; result->edns_maximum_udp_payload_size = -1; if ((r = create_default_dns_transports(result))) goto error; result->tls_auth = GETDNS_AUTHENTICATION_NONE; result->tls_auth_min = GETDNS_AUTHENTICATION_NONE; result->round_robin_upstreams = 0; result->tls_backoff_time = 3600; result->tls_connection_retries = 2; result->limit_outstanding_queries = 0; /* unbound context is initialized here */ /* Unbound needs SSL to be init'ed this early when TLS is used. However we * don't know that till later so we will have to do this every time. */ #ifdef HAVE_PTHREAD pthread_mutex_lock(&ssl_init_lock); #else /* XXX implement Windows-style lock here */ #endif /* Only initialise SSL once and ideally in a thread-safe manner */ if (ssl_init == false) { #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) OpenSSL_add_all_algorithms(); SSL_library_init(); #else OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); (void)OPENSSL_init_ssl(0, NULL); #endif ssl_init = true; } #ifdef HAVE_PTHREAD pthread_mutex_unlock(&ssl_init_lock); #else /* XXX implement Windows-style unlock here */ #endif #ifdef HAVE_LIBUNBOUND result->unbound_ctx = NULL; if ((r = rebuild_ub_ctx(result))) goto error; #endif #ifdef HAVE_MDNS_SUPPORT _getdns_mdns_context_init(result); #endif create_local_hosts(result); *context = result; return GETDNS_RETURN_GOOD; error: getdns_context_destroy(result); return r; } /* getdns_context_create_with_extended_memory_functions */ /* * getdns_context_create * * Call this to initialize the context that is used in other getdns calls. */ getdns_return_t getdns_context_create_with_memory_functions(struct getdns_context ** context, int set_from_os, void *(*malloc)(size_t), void *(*realloc)(void *, size_t), void (*free)(void *) ) { mf_union mf; mf.pln.malloc = malloc; mf.pln.realloc = realloc; mf.pln.free = free; return getdns_context_create_with_extended_memory_functions( context, set_from_os, MF_PLAIN, mf.ext.malloc, mf.ext.realloc, mf.ext.free); } /* getdns_context_create */ /* * getdns_context_create * * Call this to initialize the context that is used in other getdns calls. */ getdns_return_t getdns_context_create(struct getdns_context ** context, int set_from_os) { return getdns_context_create_with_memory_functions(context, set_from_os, malloc, realloc, free); } /* getdns_context_create */ /* * getdns_context_destroy * * Call this to dispose of resources associated with a context once you * are done with it. */ void getdns_context_destroy(struct getdns_context *context) { if (context == NULL) return; /* If being destroyed during getdns callback, fail via assert */ assert(context->processing == 0); if (context->destroying) return; context->destroying = 1; if (context->sys_ctxt) getdns_context_destroy(context->sys_ctxt); /* cancel all outstanding requests */ cancel_outstanding_requests(context); /* Destroy listening addresses */ (void) getdns_context_set_listen_addresses(context, NULL, NULL, NULL); /* This needs to be done before cleaning the extension, because there * might be an idle_timeout schedules, which will not get unscheduled * with cancel_outstanding_requests. */ _getdns_upstreams_dereference(context->upstreams); context->sync_eventloop.loop.vmt->cleanup(&context->sync_eventloop.loop); context->extension->vmt->cleanup(context->extension); #ifdef HAVE_LIBUNBOUND if (context->unbound_ctx) ub_ctx_delete(context->unbound_ctx); #endif #ifdef HAVE_MDNS_SUPPORT /* * Release all ressource allocated for MDNS. */ _getdns_mdns_context_destroy(context); #endif if (context->namespaces) GETDNS_FREE(context->my_mf, context->namespaces); if (context->dns_transports) GETDNS_FREE(context->my_mf, context->dns_transports); if(context->fchg_resolvconf) { if(context->fchg_resolvconf->prevstat) GETDNS_FREE(context->my_mf, context->fchg_resolvconf->prevstat); GETDNS_FREE(context->my_mf, context->fchg_resolvconf); } if(context->fchg_hosts) { if(context->fchg_hosts->prevstat) GETDNS_FREE(context->my_mf, context->fchg_hosts->prevstat); GETDNS_FREE(context->my_mf, context->fchg_hosts); } if (context->tls_ctx) SSL_CTX_free(context->tls_ctx); getdns_list_destroy(context->dns_root_servers); #if defined(HAVE_LIBUNBOUND) && !defined(HAVE_UB_CTX_SET_STUB) if (context->root_servers_fn[0]) unlink(context->root_servers_fn); #endif if (context->suffixes && context->suffixes != no_suffixes) GETDNS_FREE(context->mf, (void *)context->suffixes); if (context->trust_anchors && context->trust_anchors != context->trust_anchors_spc) GETDNS_FREE(context->mf, context->trust_anchors); _getdns_traverse_postorder(&context->local_hosts, destroy_local_host, context); getdns_dict_destroy(context->header); getdns_dict_destroy(context->add_opt_parameters); if (context->trust_anchors_url) GETDNS_FREE(context->mf, context->trust_anchors_url); if (context->trust_anchors_verify_CA) GETDNS_FREE( context->mf , context->trust_anchors_verify_CA); if (context->trust_anchors_verify_email) GETDNS_FREE( context->mf , context->trust_anchors_verify_email); if (context->appdata_dir) GETDNS_FREE(context->mf, context->appdata_dir); #ifdef USE_WINSOCK WSACleanup(); #endif GETDNS_FREE(context->my_mf, context); } /* getdns_context_destroy */ /* * getdns_context_set_context_update_callback * */ getdns_return_t getdns_context_set_context_update_callback(struct getdns_context *context, void (*value) (struct getdns_context *context, getdns_context_code_t changed_item)) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); context->update_callback = value; return GETDNS_RETURN_GOOD; } /* getdns_context_set_context_update_callback */ getdns_return_t getdns_context_set_update_callback(getdns_context *context, void *userarg, void (*cb)(getdns_context *, getdns_context_code_t, void *)) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; context->update_userarg = userarg; context->update_callback2 = cb ? cb : NULL_update_callback; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_update_callback(getdns_context *context, void **userarg, void (**cb)(getdns_context *, getdns_context_code_t, void *)) { if (!context || !userarg || !cb) return GETDNS_RETURN_INVALID_PARAMETER; *userarg = context->update_userarg; *cb = context->update_callback2; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_set_logfunc(getdns_context *context, void *userarg, uint64_t system, getdns_loglevel_type level, getdns_logfunc_type log) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; context->log.func = log; context->log.userarg = userarg; context->log.system = system; context->log.level = level; if (context->upstreams) { context->upstreams->log = context->log; } return GETDNS_RETURN_GOOD; } void _getdns_context_log(getdns_context *context, uint64_t system, getdns_loglevel_type level, const char *fmt, ...) { va_list args; if (!context || !context->log.func || !(context->log.system & system) || level > context->log.level) return; va_start(args, fmt); context->log.func(context->log.userarg, system, level, fmt, args); va_end(args); } #ifdef HAVE_LIBUNBOUND /* * Helpers to set options on the unbound ctx */ static void set_ub_string_opt(struct getdns_context *ctx, char *opt, char *value) { if (ctx->unbound_ctx) ub_ctx_set_option(ctx->unbound_ctx, opt, value); } static void set_ub_number_opt(struct getdns_context *ctx, char *opt, uint16_t value) { char buffer[64]; snprintf(buffer, 64, "%hu", value); set_ub_string_opt(ctx, opt, buffer); } static void getdns_context_request_count_changed(getdns_context *context) { size_t prev_count; if (context->ub_event_scheduling) { return; } context->ub_event_scheduling++; do { prev_count = context->outbound_requests.count; DEBUG_SCHED("getdns_context_request_count_changed(%d)\n", (int) context->outbound_requests.count); if (context->outbound_requests.count && ! context->ub_event.ev){ DEBUG_SCHED("gc_request_count_changed " "-> ub schedule(el_ev = %p, el_ev->ev = %p)\n", (void *)&context->ub_event, (void *)context->ub_event.ev); #ifndef USE_WINSOCK #ifdef HAVE_UNBOUND_EVENT_API if (!_getdns_ub_loop_enabled(&context->ub_loop)) #endif context->extension->vmt->schedule( context->extension, ub_fd(context->unbound_ctx), TIMEOUT_FOREVER, &context->ub_event); #endif } else if (! context->outbound_requests.count && context->ub_event.ev) { DEBUG_SCHED("gc_request_count_changed " "-> ub clear(el_ev = %p, el_ev->ev = %p)\n", (void *)&context->ub_event, (void *)context->ub_event.ev); #ifndef USE_WINSOCK #ifdef HAVE_UNBOUND_EVENT_API if (!_getdns_ub_loop_enabled(&context->ub_loop)) #endif context->extension->vmt->clear( context->extension, &context->ub_event); #endif } } while (prev_count != context->outbound_requests.count); context->ub_event_scheduling--; } void _getdns_context_ub_read_cb(void *userarg) { getdns_context *context = (getdns_context *)userarg; /* getdns_context_process_async, but without reinvoking an eventloop * (with context->extension->vmt->run*), because we are already * called from a running eventloop. */ if (ub_poll(context->unbound_ctx)) (void) ub_process(context->unbound_ctx); /* No need to handle timeouts. They are handled by the extension. */ getdns_context_request_count_changed(context); } static getdns_return_t rebuild_ub_ctx(struct getdns_context* context) { if (context->unbound_ctx != NULL) { /* cancel all requests and delete */ cancel_outstanding_requests(context); ub_ctx_delete(context->unbound_ctx); context->unbound_ctx = NULL; } /* setup */ #ifdef HAVE_UNBOUND_EVENT_API _getdns_ub_loop_init(&context->ub_loop, &context->mf, context->extension); if (_getdns_ub_loop_enabled(&context->ub_loop)) { context->unbound_ctx = ub_ctx_create_ub_event(&context->ub_loop.super); } else { #endif context->unbound_ctx = ub_ctx_create(); (void) ub_ctx_async(context->unbound_ctx, 1); #ifdef HAVE_UNBOUND_EVENT_API } #endif context->unbound_ta_set = 0; if (!context->unbound_ctx) return GETDNS_RETURN_MEMORY_ERROR; #ifdef HAVE_UNBOUND_EVENT_API ub_ctx_set_option(context->unbound_ctx, "target-fetch-policy:", "0 0 0 0 0"); #endif set_ub_dnssec_allowed_skew(context, context->dnssec_allowed_skew); set_ub_number_opt(context, "edns-buffer-size:", context->edns_maximum_udp_payload_size); set_ub_dns_transport(context); context->ub_event.userarg = context; context->ub_event.read_cb = _getdns_context_ub_read_cb; context->ub_event.write_cb = NULL; context->ub_event.timeout_cb = NULL; context->ub_event.ev = NULL; context->ub_event_scheduling = 0; return GETDNS_RETURN_GOOD; } #else #define set_ub_string_opt(ctx, opt, value) do {} while (0) #define set_ub_number_opt(ctx, opt, value) do {} while (0) #define getdns_context_request_count_changed(context) do {} while (0) #endif /** * Helper to dispatch the updated callback */ static void dispatch_updated(struct getdns_context *context, uint16_t item) { if (context->update_callback2 != NULL_update_callback) context->update_callback2( context, item, context->update_userarg); if (context->update_callback) { context->update_callback(context, item); } } /* * getdns_context_set_resolution_type * */ getdns_return_t getdns_context_set_resolution_type(struct getdns_context *context, getdns_resolution_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if (value != GETDNS_RESOLUTION_STUB && value != GETDNS_RESOLUTION_RECURSING) { return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } #ifndef HAVE_LIBUNBOUND if (value == GETDNS_RESOLUTION_RECURSING) return GETDNS_RETURN_NOT_IMPLEMENTED; #endif #ifndef STUB_NATIVE_DNSSEC if (context->resolution_type_set != 0) { /* already setup */ return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } #endif context->resolution_type = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_RESOLUTION_TYPE); return GETDNS_RETURN_GOOD; } /* getdns_context_set_resolution_type */ /* * getdns_context_set_namespaces * */ getdns_return_t getdns_context_set_namespaces(getdns_context *context, size_t namespace_count, getdns_namespace_t *namespaces) { size_t i; getdns_return_t r = GETDNS_RETURN_GOOD; if (!context) return GETDNS_RETURN_INVALID_PARAMETER; if (namespace_count == 0 || namespaces == NULL) return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; for (i = 0; i < namespace_count; i++) { if (namespaces[i] == GETDNS_NAMESPACE_NETBIOS || #ifndef HAVE_MDNS_SUPPORT namespaces[i] == GETDNS_NAMESPACE_MDNS || #endif namespaces[i] == GETDNS_NAMESPACE_NIS) r = GETDNS_RETURN_NOT_IMPLEMENTED; else if (namespaces[i] != GETDNS_NAMESPACE_DNS && #ifdef HAVE_MDNS_SUPPORT namespaces[i] != GETDNS_NAMESPACE_MDNS && #endif namespaces[i] != GETDNS_NAMESPACE_LOCALNAMES ) return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } GETDNS_FREE(context->my_mf, context->namespaces); /** duplicate **/ context->namespaces = GETDNS_XMALLOC( context->my_mf, getdns_namespace_t, namespace_count); (void) memcpy(context->namespaces, namespaces, namespace_count * sizeof(getdns_namespace_t)); context->namespace_count = namespace_count; dispatch_updated(context, GETDNS_CONTEXT_CODE_NAMESPACES); return r; } /* getdns_context_set_namespaces */ static getdns_return_t getdns_set_base_dns_transports( getdns_context *context, size_t transport_count, getdns_transport_list_t *transports) { size_t i; getdns_transport_list_t *new_transports; RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if (transport_count == 0 || !transports) return GETDNS_RETURN_INVALID_PARAMETER; /* Check for valid transports and that they are used only once*/ int u=0,t=0,l=0; for(i=0; i1 || t>1 || l>1) return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; if (!(new_transports = GETDNS_XMALLOC(context->my_mf, getdns_transport_list_t, transport_count))) return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; if (context->dns_transports) GETDNS_FREE(context->my_mf, context->dns_transports); /** duplicate **/ context->dns_transports = new_transports; memcpy(context->dns_transports, transports, transport_count * sizeof(getdns_transport_list_t)); context->dns_transport_count = transport_count; return GETDNS_RETURN_GOOD; } static getdns_return_t set_ub_dns_transport(struct getdns_context* context) { int fallback; size_t i; /* These mappings are not exact because Unbound is configured differently, so just map as close as possible. Not all options can be supported.*/ switch (context->dns_transports[0]) { case GETDNS_TRANSPORT_UDP: set_ub_string_opt(context, "do-udp:", "yes"); if (context->dns_transport_count > 1 && context->dns_transports[1] == GETDNS_TRANSPORT_TCP) set_ub_string_opt(context, "do-tcp:", "yes"); else set_ub_string_opt(context, "do-tcp:", "no"); break; case GETDNS_TRANSPORT_TCP: set_ub_string_opt(context, "do-udp:", "no"); set_ub_string_opt(context, "do-tcp:", "yes"); break; case GETDNS_TRANSPORT_TLS: set_ub_string_opt(context, "do-udp:", "no"); set_ub_string_opt(context, "do-tcp:", "yes"); /* Find out if there is a fallback available. */ fallback = 0; for (i = 1; i < context->dns_transport_count; i++) { if (context->dns_transports[i] == GETDNS_TRANSPORT_TCP) { fallback = 1; break; } else if (context->dns_transports[i] == GETDNS_TRANSPORT_UDP) { set_ub_string_opt(context, "do-udp:", "yes"); set_ub_string_opt(context, "do-tcp:", "no"); fallback = 1; break; } } if (fallback == 0) /* Use TLS if it is the only thing.*/ set_ub_string_opt(context, "ssl-upstream:", "yes"); break; default: return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } return GETDNS_RETURN_GOOD; } /* * getdns_context_set_dns_transport * */ getdns_return_t getdns_context_set_dns_transport( getdns_context *context, getdns_transport_t value) { size_t count = 2; getdns_transport_list_t *new_transports; RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if (value == GETDNS_TRANSPORT_UDP_ONLY || value == GETDNS_TRANSPORT_TCP_ONLY || value == GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN || value == GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN) count = 1; if (!(new_transports = GETDNS_XMALLOC( context->my_mf, getdns_transport_list_t, count))) return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; if (context->dns_transports) GETDNS_FREE(context->my_mf, context->dns_transports); context->dns_transport_count = count; context->dns_transports = new_transports; switch ((int)value) { case GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP: context->dns_transports[0] = GETDNS_TRANSPORT_UDP; context->dns_transports[1] = GETDNS_TRANSPORT_TCP; break; case GETDNS_TRANSPORT_UDP_ONLY: context->dns_transports[0] = GETDNS_TRANSPORT_UDP; break; case GETDNS_TRANSPORT_TCP_ONLY: case GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN: context->dns_transports[0] = GETDNS_TRANSPORT_TCP; break; case GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN: context->dns_transports[0] = GETDNS_TRANSPORT_TLS; break; case GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN: context->dns_transports[0] = GETDNS_TRANSPORT_TLS; context->dns_transports[1] = GETDNS_TRANSPORT_TCP; break; default: return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } /* Note that the call below does not have any effect in unbound after the * ctx is finalised so for recursive mode or stub + dnssec only the first * transport specified on the first query is used. * However the method returns success as otherwise the transport could not * be reset for stub mode. * Also, not all transport options supported in libunbound yet */ if (set_ub_dns_transport(context) != GETDNS_RETURN_GOOD) { return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } dispatch_updated(context, GETDNS_CONTEXT_CODE_DNS_TRANSPORT); return GETDNS_RETURN_GOOD; } /* * getdns_context_set_dns_transport_list * */ getdns_return_t getdns_context_set_dns_transport_list(getdns_context *context, size_t transport_count, getdns_transport_list_t *transports) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if (getdns_set_base_dns_transports(context, transport_count, transports) != GETDNS_RETURN_GOOD) return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; /* Note that the call below does not have any effect in unbound after the * ctx is finalised so for recursive mode or stub + dnssec only the first * transport specified on the first query is used. * However the method returns success as otherwise the transport could not * be reset for stub mode. * Also, not all transport options supported in libunbound yet */ if (set_ub_dns_transport(context) != GETDNS_RETURN_GOOD) { return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } dispatch_updated(context, GETDNS_CONTEXT_CODE_DNS_TRANSPORT); return GETDNS_RETURN_GOOD; } /* getdns_context_set_dns_transport_list */ /* * getdns_context_set_tls_authentication * */ getdns_return_t getdns_context_set_tls_authentication(getdns_context *context, getdns_tls_authentication_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if (value != GETDNS_AUTHENTICATION_NONE && value != GETDNS_AUTHENTICATION_REQUIRED) { return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } context->tls_auth = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_AUTHENTICATION); return GETDNS_RETURN_GOOD; } /* getdns_context_set_tls_authentication_list */ /* * getdns_context_set_round_robin_upstreams * */ getdns_return_t getdns_context_set_round_robin_upstreams(getdns_context *context, uint8_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); /* only allow 0 or 1 */ if (value != 0 && value != 1) { return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } context->round_robin_upstreams = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_ROUND_ROBIN_UPSTREAMS); return GETDNS_RETURN_GOOD; } /* getdns_context_set_round_robin_upstreams */ /* * getdns_context_set_tls_backoff_time * */ getdns_return_t getdns_context_set_tls_backoff_time(getdns_context *context, uint16_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); /* Value is in seconds. Should we have a lower limit? 1 second?*/ context->tls_backoff_time = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME); return GETDNS_RETURN_GOOD; } /* getdns_context_set_tls_backoff_time */ /* * getdns_context_set_tls_connection_retries * */ getdns_return_t getdns_context_set_tls_connection_retries(getdns_context *context, uint16_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); /* Should we put a sensible upper limit on this? 10?*/ // if (value > 10) { // return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; // } context->tls_connection_retries = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES); return GETDNS_RETURN_GOOD; } /* getdns_context_set_tls_connection retries */ #ifdef HAVE_LIBUNBOUND static void set_ub_limit_outstanding_queries(getdns_context* context, uint16_t value) { /* num-queries-per-thread */ set_ub_number_opt(context, "num-queries-per-thread:", value); } #endif /* * getdns_context_set_limit_outstanding_queries * */ getdns_return_t getdns_context_set_limit_outstanding_queries(struct getdns_context *context, uint16_t limit) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); #ifdef HAVE_LIBUNBOUND set_ub_limit_outstanding_queries(context, limit); #endif if (limit != context->limit_outstanding_queries) { context->limit_outstanding_queries = limit; dispatch_updated(context, GETDNS_CONTEXT_CODE_LIMIT_OUTSTANDING_QUERIES); } return GETDNS_RETURN_GOOD; } /* getdns_context_set_limit_outstanding_queries */ /* * getdns_context_set_timeout * */ getdns_return_t getdns_context_set_timeout(struct getdns_context *context, uint64_t timeout) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if (timeout == 0) { return GETDNS_RETURN_INVALID_PARAMETER; } context->timeout = timeout; dispatch_updated(context, GETDNS_CONTEXT_CODE_TIMEOUT); return GETDNS_RETURN_GOOD; } /* getdns_context_set_timeout */ /* * getdns_context_set_idle_timeout * */ getdns_return_t getdns_context_set_idle_timeout(getdns_context *context, uint64_t timeout) { size_t i; if (!context) return GETDNS_RETURN_INVALID_PARAMETER; /* Shuold we enforce maximum based on edns-tcp-keepalive spec? */ /* 0 should be allowed as that is the default.*/ context->idle_timeout = timeout; dispatch_updated(context, GETDNS_CONTEXT_CODE_IDLE_TIMEOUT); if (timeout) return GETDNS_RETURN_GOOD; /* If timeout == 0, call scheduled idle timeout events */ for (i = 0; i < context->upstreams->count; i++) { getdns_upstream *upstream = &context->upstreams->upstreams[i]; if (!upstream->event.ev || !upstream->event.timeout_cb || upstream->event.read_cb || upstream->event.write_cb) continue; GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event); upstream->event.timeout_cb(upstream->event.userarg); } return GETDNS_RETURN_GOOD; } /* getdns_context_set_timeout */ /* * getdns_context_set_follow_redirects * */ getdns_return_t getdns_context_set_follow_redirects( getdns_context *context, getdns_redirects_t value) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; if (value != GETDNS_REDIRECTS_FOLLOW && value != GETDNS_REDIRECTS_DO_NOT_FOLLOW) return GETDNS_RETURN_INVALID_PARAMETER; context->follow_redirects = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_FOLLOW_REDIRECTS); return GETDNS_RETURN_GOOD; } /* getdns_context_set_follow_redirects */ /* * getdns_context_set_dns_root_servers * */ getdns_return_t getdns_context_set_dns_root_servers( getdns_context *context, getdns_list *addresses) { #ifdef HAVE_LIBUNBOUND # ifndef HAVE_UB_CTX_SET_STUB char tmpfn[FILENAME_MAX] = P_tmpdir "/getdns-root-dns-servers-XXXXXX"; FILE *fh; int fd; size_t dst_len; # endif size_t i; getdns_dict *rr_dict; getdns_return_t r = GETDNS_RETURN_GOOD; getdns_bindata *addr_bd; char dst[2048]; #endif getdns_list *newlist; if (!context) return GETDNS_RETURN_INVALID_PARAMETER; if (!addresses) { #ifdef HAVE_LIBUNBOUND if (ub_ctx_set_option( context->unbound_ctx, "root-hints:", "")) return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; #endif if (context->dns_root_servers) getdns_list_destroy(context->dns_root_servers); context->dns_root_servers = NULL; #if defined(HAVE_LIBUNBOUND) && !defined(HAVE_UB_CTX_SET_STUB) if (context->root_servers_fn[0]) unlink(context->root_servers_fn); context->root_servers_fn[0] = 0; #endif dispatch_updated( context, GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS); return GETDNS_RETURN_GOOD; } #ifdef HAVE_LIBUNBOUND # ifdef HAVE_UB_CTX_SET_STUB for (i=0; !r; i++) { if (!(r = getdns_list_get_bindata(addresses, i, &addr_bd))) /* success! */ ; else if ((r = getdns_list_get_dict(addresses, i, &rr_dict))) /* Not a bindata, not a dict? ERROR! */ break; else if (getdns_dict_get_bindata( rr_dict, "address_data", &addr_bd) && getdns_dict_get_bindata( rr_dict, "/rdata/ipv4_address", &addr_bd) && getdns_dict_get_bindata( rr_dict, "/rdata/ipv6_address", &addr_bd)) /* Not a parsable address, * pass because we allow root.hint's files as input */ continue; if (addr_bd->size == 16 && inet_ntop(AF_INET6, addr_bd->data, dst, sizeof(dst))) { if (ub_ctx_set_stub(context->unbound_ctx,".",dst,1)) { return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } } else if (addr_bd->size == 4 && inet_ntop(AF_INET, addr_bd->data, dst, sizeof(dst))) { if (ub_ctx_set_stub(context->unbound_ctx,".",dst,1)) { return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } } } # else if ((fd = mkstemp(tmpfn)) < 0) return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; if (!(fh = fdopen(fd, "w"))) return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; for (i=0; !r; i++) { dst_len = sizeof(dst); if (!(r = getdns_list_get_bindata(addresses, i, &addr_bd))) /* success! */ ; else if ((r = getdns_list_get_dict(addresses, i, &rr_dict))) /* Not a bindata, not a dict? ERROR! */ break; else if (!getdns_rr_dict2str_buf(rr_dict, dst, &dst_len)) { fprintf(fh, "%s", dst); continue; } else if (getdns_dict_get_bindata( rr_dict, "address_data", &addr_bd) && getdns_dict_get_bindata( rr_dict, "/rdata/ipv4_address", &addr_bd) && getdns_dict_get_bindata( rr_dict, "/rdata/ipv6_address", &addr_bd)) /* Not a parsable address, * pass because we allow root.hint's files as input */ continue; if (addr_bd->size == 16 && inet_ntop(AF_INET6, addr_bd->data, dst, sizeof(dst))) fprintf(fh,". NS %"PRIsz".root-servers.getdnsapi.net.\n" "%"PRIsz".root-servers.getdnsapi.net. AAAA %s\n", i, i, dst); else if (addr_bd->size == 4 && inet_ntop(AF_INET, addr_bd->data, dst, sizeof(dst))) fprintf(fh,". NS %"PRIsz".root-servers.getdnsapi.net.\n" "%"PRIsz".root-servers.getdnsapi.net. A %s\n", i, i, dst); } fclose(fh); if (ub_ctx_set_option( context->unbound_ctx, "root-hints:", tmpfn)) { unlink(tmpfn); return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } # endif #endif if (_getdns_list_copy(addresses, &newlist)) { #if defined(HAVE_LIBUNBOUND) && !defined(HAVE_UB_CTX_SET_STUB) unlink(tmpfn); #endif return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } if (context->dns_root_servers) getdns_list_destroy(context->dns_root_servers); context->dns_root_servers = newlist; #if defined(HAVE_LIBUNBOUND) && !defined(HAVE_UB_CTX_SET_STUB) if (context->root_servers_fn[0]) unlink(context->root_servers_fn); (void) memcpy(context->root_servers_fn, tmpfn, strlen(tmpfn)); #endif dispatch_updated(context, GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS); return GETDNS_RETURN_GOOD; } /* getdns_context_set_dns_root_servers */ /* * getdns_context_set_append_name * */ getdns_return_t getdns_context_set_append_name( getdns_context *context, getdns_append_name_t value) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; switch ((int)value) { case GETDNS_APPEND_NAME_ALWAYS: case GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE: case GETDNS_APPEND_NAME_ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE: case GETDNS_APPEND_NAME_NEVER: case GETDNS_APPEND_NAME_TO_SINGLE_LABEL_FIRST: context->append_name = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_APPEND_NAME); return GETDNS_RETURN_GOOD; } return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } /* getdns_context_set_append_name */ /* * getdns_context_set_suffix * */ getdns_return_t getdns_context_set_suffix(getdns_context *context, getdns_list *value) { getdns_return_t r; size_t i; gldns_buffer gbuf; uint8_t buf_spc[1024], *suffixes = NULL; size_t suffixes_len = 0; uint8_t dname[256]; size_t dname_len; char name_spc[1025], *name; getdns_bindata *bindata; if (!context) return GETDNS_RETURN_INVALID_PARAMETER; if (value == NULL) { if (context->suffixes && context->suffixes != no_suffixes) GETDNS_FREE(context->mf, (void *)context->suffixes); context->suffixes = no_suffixes; context->suffixes_len = sizeof(no_suffixes); return GETDNS_RETURN_GOOD; } gldns_buffer_init_vfixed_frm_data(&gbuf, buf_spc, sizeof(buf_spc)); for (;;) { for ( i = 0 ; !(r = getdns_list_get_bindata(value, i, &bindata)) ; i++) { if (bindata->size == 0 || bindata->size >= sizeof(name_spc)) continue; if (bindata->data[bindata->size-1] != 0) { /* Unterminated string */ (void) memcpy(name_spc, bindata->data, bindata->size); name_spc[bindata->size] = 0; name = name_spc; } else /* Terminated string */ name = (char *)bindata->data; dname_len = sizeof(dname); if (gldns_str2wire_dname_buf(name, dname, &dname_len)) return GETDNS_RETURN_GENERIC_ERROR; gldns_buffer_write_u8(&gbuf, (uint8_t) dname_len); gldns_buffer_write(&gbuf, dname, dname_len); } if (r == GETDNS_RETURN_NO_SUCH_LIST_ITEM) r = GETDNS_RETURN_GOOD; else break; gldns_buffer_write_u8(&gbuf, 1); gldns_buffer_write_u8(&gbuf, 0); if (gldns_buffer_begin(&gbuf) != buf_spc) break; suffixes_len = gldns_buffer_position(&gbuf); if (!(suffixes = GETDNS_XMALLOC( context->mf, uint8_t, suffixes_len))) { r = GETDNS_RETURN_MEMORY_ERROR; break; } if (suffixes_len <= gldns_buffer_limit(&gbuf)) { (void) memcpy (suffixes, buf_spc, suffixes_len); break; } gldns_buffer_init_frm_data(&gbuf, suffixes, suffixes_len); } if (r) { if (gldns_buffer_begin(&gbuf) != buf_spc) GETDNS_FREE(context->mf, suffixes); return r; } if (context->suffixes && context->suffixes != no_suffixes) GETDNS_FREE(context->mf, (void *)context->suffixes); context->suffixes = suffixes; context->suffixes_len = suffixes_len; dispatch_updated(context, GETDNS_CONTEXT_CODE_SUFFIX); return GETDNS_RETURN_GOOD; } /* getdns_context_set_suffix */ /* * getdns_context_set_dnssec_trust_anchors * */ getdns_return_t getdns_context_set_dnssec_trust_anchors( getdns_context *context, getdns_list *value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if (context->trust_anchors && context->trust_anchors != context->trust_anchors_spc) GETDNS_FREE(context->mf, context->trust_anchors); if (value) { context->trust_anchors_len = sizeof(context->trust_anchors_spc); context->trust_anchors = _getdns_list2wire(value, context->trust_anchors_spc, &context->trust_anchors_len, &context->mf); context->trust_anchors_source = GETDNS_TASRC_APP; } else { context->trust_anchors = NULL; context->trust_anchors_len = 0; context->trust_anchors_source = GETDNS_TASRC_NONE; } dispatch_updated(context, GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS); return GETDNS_RETURN_GOOD; } /* getdns_context_set_dnssec_trust_anchors */ #ifdef HAVE_LIBUNBOUND static void set_ub_dnssec_allowed_skew(struct getdns_context* context, uint32_t value) { set_ub_number_opt(context, "val-sig-skew-min:", value); set_ub_number_opt(context, "val-sig-skew-max:", value); } #endif /* * getdns_context_set_dnssec_allowed_skew * */ getdns_return_t getdns_context_set_dnssec_allowed_skew(struct getdns_context *context, uint32_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); #ifdef HAVE_LIBUNBOUND set_ub_dnssec_allowed_skew(context, value); #endif if (value != context->dnssec_allowed_skew) { context->dnssec_allowed_skew = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW); } return GETDNS_RETURN_GOOD; } /* getdns_context_set_dnssec_allowed_skew */ /* * getdns_context_set_upstream_recursive_servers * */ getdns_return_t getdns_context_set_upstream_recursive_servers(struct getdns_context *context, struct getdns_list *upstream_list) { getdns_return_t r; size_t count = 0; size_t i; getdns_upstreams *upstreams; char addrstr[1024], portstr[1024], *eos; struct addrinfo hints; RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if ( !upstream_list || (r = getdns_list_get_length(upstream_list, &count)) || count == 0) { _getdns_upstreams_dereference(context->upstreams); context->upstreams = NULL; dispatch_updated(context, GETDNS_CONTEXT_CODE_UPSTREAM_RECURSIVE_SERVERS); } memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ hints.ai_socktype = 0; /* Datagram socket */ hints.ai_flags = AI_NUMERICHOST; /* No reverse name lookups */ hints.ai_protocol = 0; /* Any protocol */ hints.ai_canonname = NULL; hints.ai_addr = NULL; hints.ai_next = NULL; upstreams = upstreams_create( context, count * GETDNS_UPSTREAM_TRANSPORTS); for (i = 0; i < count; i++) { getdns_dict *dict; getdns_bindata *address_type; getdns_bindata *address_data; getdns_bindata *tls_auth_name; struct sockaddr_storage addr; getdns_bindata *scope_id; getdns_upstream *upstream; getdns_bindata *tsig_alg_name, *tsig_name, *tsig_key; getdns_tsig_algo tsig_alg; char tsig_name_str[1024]; uint8_t tsig_dname_spc[256], *tsig_dname; size_t tsig_dname_len; size_t j; if ((r = getdns_list_get_dict(upstream_list, i, &dict))) { dict = NULL; if ((r = getdns_list_get_bindata( upstream_list, i, &address_data))) goto error; if (address_data->size == 4) addr.ss_family = AF_INET; else if (address_data->size == 16) addr.ss_family = AF_INET6; else goto invalid_parameter; } else if ((r = getdns_dict_get_bindata( dict, "address_type",&address_type))) { /* Just address_data is also okay */ if ((r = getdns_dict_get_bindata( dict, "address_data", &address_data))) goto error; if (address_data->size == 4) addr.ss_family = AF_INET; else if (address_data->size == 16) addr.ss_family = AF_INET6; else goto invalid_parameter; } else { if (address_type->size < 4) goto invalid_parameter; else if (!strncmp((char*)address_type->data,"IPv4",4)) addr.ss_family = AF_INET; else if (!strncmp((char*)address_type->data,"IPv6",4)) addr.ss_family = AF_INET6; else goto invalid_parameter; if ((r = getdns_dict_get_bindata( dict, "address_data", &address_data))) goto error; if ((addr.ss_family == AF_INET && address_data->size != 4) || (addr.ss_family == AF_INET6 && address_data->size != 16)) goto invalid_parameter; } if (inet_ntop(addr.ss_family, address_data->data, addrstr, 1024) == NULL) goto invalid_parameter; if (dict && getdns_dict_get_bindata(dict,"scope_id",&scope_id) == GETDNS_RETURN_GOOD) { if (strlen(addrstr) + scope_id->size > 1022) goto invalid_parameter; eos = &addrstr[strlen(addrstr)]; *eos++ = '%'; (void) memcpy(eos, scope_id->data, scope_id->size); eos[scope_id->size] = 0; } tsig_alg_name = tsig_name = tsig_key = NULL; tsig_dname = NULL; tsig_dname_len = 0; if (dict && getdns_dict_get_bindata(dict, "tsig_algorithm", &tsig_alg_name) == GETDNS_RETURN_GOOD) tsig_alg = _getdns_get_tsig_algo(tsig_alg_name); else tsig_alg = GETDNS_HMAC_MD5; if (!dict) tsig_alg = GETDNS_NO_TSIG; /* No name, no TSIG */ else if (getdns_dict_get_bindata( dict, "tsig_name", &tsig_name)) tsig_alg = GETDNS_NO_TSIG; /* No name, no TSIG */ else if (tsig_name->size == 0) tsig_alg = GETDNS_NO_TSIG; else if (tsig_name->data[tsig_name->size - 1] != 0) { /* Unterminated string */ if (tsig_name->size >= sizeof(tsig_name_str) - 1) tsig_alg = GETDNS_NO_TSIG; else { (void) memcpy(tsig_name_str, tsig_name->data , tsig_name->size); tsig_name_str[tsig_name->size] = 0; tsig_dname_len = sizeof(tsig_dname_spc); if (gldns_str2wire_dname_buf(tsig_name_str, tsig_dname_spc, &tsig_dname_len)) tsig_alg = GETDNS_NO_TSIG; else tsig_dname = tsig_dname_spc; } } else if (!_getdns_bindata_is_dname(tsig_name)) { /* Terminated string */ tsig_dname_len = sizeof(tsig_dname_spc); if (gldns_str2wire_dname_buf(tsig_name_str, tsig_dname_spc, &tsig_dname_len)) tsig_alg = GETDNS_NO_TSIG; else tsig_dname = tsig_dname_spc; } else if (tsig_name->size > sizeof(tsig_dname_spc)) tsig_alg = GETDNS_NO_TSIG; else { /* fqdn */ tsig_dname = memcpy(tsig_dname_spc, tsig_name->data , tsig_name->size); tsig_dname_len = tsig_name->size; } if (dict && getdns_dict_get_bindata( dict, "tsig_secret", &tsig_key)) tsig_alg = GETDNS_NO_TSIG; /* No key, no TSIG */ /* Don't check TSIG length contraints here. * Let the upstream decide what is secure enough. */ /* Loop to create upstreams as needed*/ for (j = 0; j < GETDNS_UPSTREAM_TRANSPORTS; j++) { uint32_t port; struct addrinfo *ai; port = getdns_port_array[j]; if (port == GETDNS_PORT_ZERO) continue; if (getdns_upstream_transports[j] != GETDNS_TRANSPORT_TLS) { if (dict) (void) getdns_dict_get_int(dict, "port", &port); } else { if (dict) (void) getdns_dict_get_int(dict, "tls_port", &port); } (void) snprintf(portstr, 1024, "%d", (int)port); if (getaddrinfo(addrstr, portstr, &hints, &ai)) goto invalid_parameter; if (!ai) continue; /* TODO[TLS]: Should probably check that the upstream doesn't * already exist (in case user has specified TLS port explicitly and * to prevent duplicates) */ upstream = &upstreams->upstreams[upstreams->count]; upstream->addr.ss_family = addr.ss_family; upstream_init(upstream, upstreams, ai); upstream->transport = getdns_upstream_transports[j]; if (getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) { getdns_list *pubkey_pinset = NULL; if (dict && (r = getdns_dict_get_bindata( dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) { if (tls_auth_name->size >= sizeof(upstream->tls_auth_name)) { /* tls_auth_name's are just * domain names and should * thus not be larger than 256 * bytes. */ goto invalid_parameter; } memcpy(upstream->tls_auth_name, (char *)tls_auth_name->data, tls_auth_name->size); upstream->tls_auth_name [tls_auth_name->size] = '\0'; } if (dict && (r = getdns_dict_get_list(dict, "tls_pubkey_pinset", &pubkey_pinset)) == GETDNS_RETURN_GOOD) { /* TODO: what if the user supplies tls_pubkey_pinset with * something other than a list? */ r = _getdns_get_pubkey_pinset_from_list(pubkey_pinset, &(upstreams->mf), &(upstream->tls_pubkey_pinset)); if (r != GETDNS_RETURN_GOOD) goto invalid_parameter; } } if ((upstream->tsig_alg = tsig_alg)) { if (tsig_name) { (void) memcpy(upstream->tsig_dname, tsig_dname, tsig_dname_len); upstream->tsig_dname_len = tsig_dname_len; } else upstream->tsig_dname_len = 0; if (tsig_key) { (void) memcpy(upstream->tsig_key, tsig_key->data, tsig_key->size); upstream->tsig_size = tsig_key->size; } else upstream->tsig_size = 0; } else { upstream->tsig_dname_len = 0; upstream->tsig_size = 0; } upstreams->count++; freeaddrinfo(ai); } } _getdns_upstreams_dereference(context->upstreams); context->upstreams = upstreams; dispatch_updated(context, GETDNS_CONTEXT_CODE_UPSTREAM_RECURSIVE_SERVERS); return GETDNS_RETURN_GOOD; invalid_parameter: _getdns_upstreams_dereference(upstreams); return GETDNS_RETURN_INVALID_PARAMETER; error: _getdns_upstreams_dereference(upstreams); return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } /* getdns_context_set_upstream_recursive_servers */ /* * getdns_context_unset_edns_maximum_udp_payload_size * */ getdns_return_t getdns_context_unset_edns_maximum_udp_payload_size(getdns_context *context) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; #ifdef HAVE_LIBUNBOUND set_ub_number_opt(context, "edns-buffer-size:", 4096); #endif if (context->edns_maximum_udp_payload_size != -1) { context->edns_maximum_udp_payload_size = -1; dispatch_updated(context, GETDNS_CONTEXT_CODE_EDNS_MAXIMUM_UDP_PAYLOAD_SIZE); } return GETDNS_RETURN_GOOD; } /* getdns_context_set_edns_maximum_udp_payload_size */ /* * getdns_context_set_edns_maximum_udp_payload_size * */ getdns_return_t getdns_context_set_edns_maximum_udp_payload_size(struct getdns_context *context, uint16_t value) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; #ifdef HAVE_LIBUNBOUND set_ub_number_opt(context, "edns-buffer-size:", value); #endif if (value != context->edns_maximum_udp_payload_size) { context->edns_maximum_udp_payload_size = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_EDNS_MAXIMUM_UDP_PAYLOAD_SIZE); } return GETDNS_RETURN_GOOD; } /* getdns_context_set_edns_maximum_udp_payload_size */ /* * getdns_context_set_edns_extended_rcode * */ getdns_return_t getdns_context_set_edns_extended_rcode(struct getdns_context *context, uint8_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); context->edns_extended_rcode = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_EDNS_EXTENDED_RCODE); return GETDNS_RETURN_GOOD; } /* getdns_context_set_edns_extended_rcode */ /* * getdns_context_set_edns_version * */ getdns_return_t getdns_context_set_edns_version(struct getdns_context *context, uint8_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); context->edns_version = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_EDNS_VERSION); return GETDNS_RETURN_GOOD; } /* getdns_context_set_edns_version */ /* * getdns_context_set_edns_do_bit * */ getdns_return_t getdns_context_set_edns_do_bit(struct getdns_context *context, uint8_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); /* only allow 1 */ if (value != 0 && value != 1) { return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } context->edns_do_bit = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_EDNS_DO_BIT); return GETDNS_RETURN_GOOD; } /* getdns_context_set_edns_do_bit */ /* * getdns_context_set_edns_client_subnet_private * */ getdns_return_t getdns_context_set_edns_client_subnet_private(struct getdns_context *context, uint8_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); /* only allow 1 */ if (value != 0 && value != 1) { return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } context->edns_client_subnet_private = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_EDNS_CLIENT_SUBNET_PRIVATE); return GETDNS_RETURN_GOOD; } /* getdns_context_set_edns_client_subnet_private */ /* * getdns_context_set_tls_query_padding_blocksize * */ getdns_return_t getdns_context_set_tls_query_padding_blocksize(struct getdns_context *context, uint16_t value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); /* only allow values between 0 and MAXIMUM_UPSTREAM_OPTION_SPACE - 4 (4 is for the overhead of the option itself) */ if (value > MAXIMUM_UPSTREAM_OPTION_SPACE - 4) { return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } context->tls_query_padding_blocksize = value; dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE); return GETDNS_RETURN_GOOD; } /* getdns_context_set_tls_query_padding_blocksize */ /* * getdns_context_set_extended_memory_functions * */ getdns_return_t getdns_context_set_extended_memory_functions( struct getdns_context *context, void *userarg, void *(*malloc) (void *userarg, size_t), void *(*realloc) (void *userarg, void *, size_t), void (*free) (void *userarg, void *) ) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if (!malloc || !realloc || !free) return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; context->mf.mf_arg = userarg; context->mf.mf.ext.malloc = malloc; context->mf.mf.ext.realloc = realloc; context->mf.mf.ext.free = free; dispatch_updated(context, GETDNS_CONTEXT_CODE_MEMORY_FUNCTIONS); return GETDNS_RETURN_GOOD; } /* getdns_context_set_extended_memory_functions*/ /* * getdns_context_set_memory_functions * */ getdns_return_t getdns_context_set_memory_functions(struct getdns_context *context, void *(*malloc) (size_t), void *(*realloc) (void *, size_t), void (*free) (void *) ) { mf_union mf; mf.pln.malloc = malloc; mf.pln.realloc = realloc; mf.pln.free = free; return getdns_context_set_extended_memory_functions( context, MF_PLAIN, mf.ext.malloc, mf.ext.realloc, mf.ext.free); } /* getdns_context_set_memory_functions*/ void _getdns_context_track_outbound_request(getdns_dns_req *dnsreq) { /* Called only by getdns_general_ns() after successful allocation */ assert(dnsreq); dnsreq->node.key = &(dnsreq->trans_id); if (_getdns_rbtree_insert( &dnsreq->context->outbound_requests, &dnsreq->node)) getdns_context_request_count_changed(dnsreq->context); } void _getdns_context_clear_outbound_request(getdns_dns_req *dnsreq) { if (!dnsreq) return; if (dnsreq->loop && dnsreq->loop->vmt && dnsreq->timeout.timeout_cb) { dnsreq->loop->vmt->clear(dnsreq->loop, &dnsreq->timeout); dnsreq->timeout.timeout_cb = NULL; } /* delete the node from the tree */ if (_getdns_rbtree_delete( &dnsreq->context->outbound_requests, &dnsreq->trans_id)) getdns_context_request_count_changed(dnsreq->context); if (dnsreq->chain) _getdns_cancel_validation_chain(dnsreq); } void _getdns_context_cancel_request(getdns_dns_req *dnsreq) { getdns_network_req *netreq, **netreq_p; DEBUG_SCHED("%s(%p)\n", __FUNC__, (void *)dnsreq); if (!dnsreq) return; _getdns_context_clear_outbound_request(dnsreq); /* cancel network requests */ for (netreq_p = dnsreq->netreqs; (netreq = *netreq_p); netreq_p++) #ifdef HAVE_LIBUNBOUND if (netreq->unbound_id != -1) { ub_cancel(dnsreq->context->unbound_ctx, netreq->unbound_id); netreq->unbound_id = -1; } else #endif _getdns_cancel_stub_request(netreq); /* clean up */ _getdns_dns_req_free(dnsreq); } /* * getdns_cancel_callback * */ getdns_return_t getdns_cancel_callback(getdns_context *context, getdns_transaction_t transaction_id) { getdns_dns_req *dnsreq; if (!context) return GETDNS_RETURN_INVALID_PARAMETER; /* delete the node from the tree */ if (!(dnsreq = (getdns_dns_req *)_getdns_rbtree_delete( &context->outbound_requests, &transaction_id))) return GETDNS_RETURN_UNKNOWN_TRANSACTION; getdns_context_request_count_changed(context); debug_req("CB Cancel ", *dnsreq->netreqs); if (dnsreq->user_callback) { dnsreq->context->processing = 1; dnsreq->user_callback(dnsreq->context, GETDNS_CALLBACK_CANCEL, NULL, dnsreq->user_pointer, dnsreq->trans_id); dnsreq->context->processing = 0; } if (!dnsreq->internal_cb) { /* Not part of chain */ debug_req("Destroy ", *dnsreq->netreqs); _getdns_context_cancel_request(dnsreq); } return GETDNS_RETURN_GOOD; } /* getdns_cancel_callback */ void _getdns_context_request_timed_out(getdns_dns_req *dnsreq) { DEBUG_SCHED("%s(%p)\n", __FUNC__, (void *)dnsreq); debug_req("CB Timeout ", *dnsreq->netreqs); if (dnsreq->user_callback) { dnsreq->context->processing = 1; dnsreq->user_callback(dnsreq->context, GETDNS_CALLBACK_TIMEOUT, _getdns_create_getdns_response(dnsreq), dnsreq->user_pointer, dnsreq->trans_id); dnsreq->context->processing = 0; } _getdns_context_cancel_request(dnsreq); } static void accumulate_outstanding_transactions(_getdns_rbnode_t *node, void* arg) { *(*(getdns_transaction_t**)arg)++ = ((getdns_dns_req*)node)->trans_id; } static void cancel_outstanding_requests(getdns_context* context) { getdns_transaction_t *trans_ids, *tids_a, *tids_i; if (context->outbound_requests.count == 0) return; tids_i = tids_a = trans_ids = GETDNS_XMALLOC(context->my_mf, getdns_transaction_t, context->outbound_requests.count); _getdns_traverse_postorder(&context->outbound_requests, accumulate_outstanding_transactions, &tids_a); while (tids_i < tids_a) { /* We have to cancel by transaction_id because we do not know * what happens when the user_callback is called. It might * delete getdns_dns_req's that were scheduled to be canceled. * The extra lookup with transaction_id makes sure we do not * access freed memory. */ (void) getdns_cancel_callback(context, *tids_i++); } GETDNS_FREE(context->my_mf, trans_ids); } #ifndef STUB_NATIVE_DNSSEC static uint32_t * upstream_scope_id(getdns_upstream *upstream) { return upstream->addr.ss_family == AF_INET ? NULL : (upstream_addr(upstream)[0] == 0xFE && (upstream_addr(upstream)[1] & 0xC0) == 0x80 ? &((struct sockaddr_in6*)&upstream->addr)->sin6_scope_id : NULL); } static void upstream_ntop_buf(getdns_upstream *upstream, char *buf, size_t len) { /* Also possible but prints scope_id by name (nor parsed by unbound) * * getnameinfo((struct sockaddr *)&upstream->addr, upstream->addr_len, * buf, len, NULL, 0, NI_NUMERICHOST) */ (void) inet_ntop(upstream->addr.ss_family, upstream_addr(upstream), buf, len); if (upstream_scope_id(upstream)) (void) snprintf(buf + strlen(buf), len - strlen(buf), "%%%d", (int)*upstream_scope_id(upstream)); else if (upstream_port(upstream) != GETDNS_PORT_DNS && upstream_port(upstream) != GETDNS_PORT_ZERO) (void) snprintf(buf + strlen(buf), len - strlen(buf), "@%d", (int)upstream_port(upstream)); } static getdns_return_t ub_setup_stub(struct ub_ctx *ctx, getdns_context *context) { getdns_return_t r = GETDNS_RETURN_GOOD; size_t i; getdns_upstream *upstream; char addr[1024]; getdns_upstreams *upstreams = context->upstreams; (void) ub_ctx_set_fwd(ctx, NULL); for (i = 0; i < upstreams->count; i++) { upstream = &upstreams->upstreams[i]; /*[TLS]: Use only the TLS subset of upstreams when TLS is the only thing * used. All other cases must currently fallback to TCP for libunbound.*/ if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS && context->dns_transport_count ==1 && upstream->transport != GETDNS_TRANSPORT_TLS) continue; upstream_ntop_buf(upstream, addr, 1024); ub_ctx_set_fwd(ctx, addr); } /* Allow lookups of: */ /* - localhost */ (void)ub_ctx_zone_remove(ctx, "localhost."); /* - reverse IPv4 loopback */ (void)ub_ctx_zone_remove(ctx, "127.in-addr.arpa."); /* - reverse IPv6 loopback */ (void)ub_ctx_zone_remove(ctx, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0." "0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."); /* - reverse RFC1918 local use zones */ (void)ub_ctx_zone_remove(ctx, "10.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "16.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "17.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "18.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "19.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "20.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "21.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "22.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "23.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "24.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "25.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "26.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "27.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "28.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "29.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "30.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "31.172.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "168.192.in-addr.arpa."); /* - reverse RFC3330 IP4 this, link-local, testnet and broadcast */ (void)ub_ctx_zone_remove(ctx, "0.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "254.169.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "2.0.192.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "100.51.198.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "113.0.203.in-addr.arpa."); (void)ub_ctx_zone_remove(ctx, "255.255.255.255.in-addr.arpa."); /* - reverse RFC4291 IP6 unspecified */ (void)ub_ctx_zone_remove(ctx, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0." "0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."); /* - reverse RFC4193 IPv6 Locally Assigned Local Addresses */ (void)ub_ctx_zone_remove(ctx, "D.F.ip6.arpa."); /* - reverse RFC4291 IPv6 Link Local Addresses */ (void)ub_ctx_zone_remove(ctx, "8.E.F.ip6.arpa."); (void)ub_ctx_zone_remove(ctx, "9.E.F.ip6.arpa."); (void)ub_ctx_zone_remove(ctx, "A.E.F.ip6.arpa."); (void)ub_ctx_zone_remove(ctx, "B.E.F.ip6.arpa."); /* - reverse IPv6 Example Prefix */ (void)ub_ctx_zone_remove(ctx, "8.B.D.0.1.0.0.2.ip6.arpa."); return r; } #endif #ifdef HAVE_LIBUNBOUND static getdns_return_t ub_setup_recursing(struct ub_ctx *ctx, getdns_context *context) { _getdns_rr_iter rr_spc, *rr; char ta_str[8192]; (void) ub_ctx_set_fwd(ctx, NULL); if (!context->unbound_ta_set && context->trust_anchors) { for ( rr = _getdns_rr_iter_init( &rr_spc , context->trust_anchors , context->trust_anchors_len) ; rr ; rr = _getdns_rr_iter_next(rr) ) { (void) gldns_wire2str_rr_buf((UNCONST_UINT8_p)rr->pos, rr->nxt - rr->pos, ta_str, sizeof(ta_str)); (void) ub_ctx_add_ta(ctx, ta_str); } context->unbound_ta_set = 1; } return GETDNS_RETURN_GOOD; } #endif static getdns_return_t _getdns_ns_dns_setup(struct getdns_context *context) { assert(context); switch (context->resolution_type) { case GETDNS_RESOLUTION_STUB: if (!context->upstreams || !context->upstreams->count) return GETDNS_RETURN_GENERIC_ERROR; #ifdef STUB_NATIVE_DNSSEC # ifdef DNSSEC_ROADBLOCK_AVOIDANCE # ifdef HAVE_LIBUNBOUND return ub_setup_recursing(context->unbound_ctx, context); # else /* Return NOT_IMPLEMENTED on query with an * roadblock avoidance extension. */ return GETDNS_RETURN_GOOD; # endif # else return GETDNS_RETURN_GOOD; # endif #else return ub_setup_stub(context->unbound_ctx, context); #endif case GETDNS_RESOLUTION_RECURSING: #ifdef HAVE_LIBUNBOUND return ub_setup_recursing(context->unbound_ctx, context); #else return GETDNS_RETURN_NOT_IMPLEMENTED; #endif } return GETDNS_RETURN_BAD_CONTEXT; } getdns_return_t _getdns_context_prepare_for_resolution(getdns_context *context) { getdns_return_t r; RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if (context->destroying) return GETDNS_RETURN_BAD_CONTEXT; /* Transport can in theory be set per query in stub mode */ if (context->resolution_type == GETDNS_RESOLUTION_STUB && tls_is_in_transports_list(context) == 1) { /* Check minimum require authentication level*/ if (tls_only_is_in_transports_list(context) == 1 && context->tls_auth == GETDNS_AUTHENTICATION_REQUIRED) { context->tls_auth_min = GETDNS_AUTHENTICATION_REQUIRED; /* TODO: If no auth data provided for any upstream, fail here */ } else { context->tls_auth_min = GETDNS_AUTHENTICATION_NONE; } if (context->tls_ctx == NULL) { #ifdef HAVE_TLS_v1_2 /* Create client context, use TLS v1.2 only for now */ # ifdef HAVE_TLS_CLIENT_METHOD context->tls_ctx = SSL_CTX_new(TLS_client_method()); # else context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method()); # endif if(context->tls_ctx == NULL) return GETDNS_RETURN_BAD_CONTEXT; # ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION if (!SSL_CTX_set_min_proto_version( context->tls_ctx, TLS1_2_VERSION)) { SSL_CTX_free(context->tls_ctx); context->tls_ctx = NULL; return GETDNS_RETURN_BAD_CONTEXT; } # endif /* Be strict and only use the cipher suites recommended in RFC7525 Unless we later fallback to opportunistic. */ const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM"; if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS)) return GETDNS_RETURN_BAD_CONTEXT; /* For strict authentication, we must have local root certs available Set up is done only when the tls_ctx is created (per getdns_context)*/ # ifndef USE_WINSOCK if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { # else if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) { # endif /* USE_WINSOCK */ if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) return GETDNS_RETURN_BAD_CONTEXT; } #else /* HAVE_TLS_v1_2 */ if (tls_only_is_in_transports_list(context) == 1) return GETDNS_RETURN_BAD_CONTEXT; /* A null tls_ctx will make TLS fail and fallback to the other transports will kick-in.*/ #endif /* HAVE_TLS_v1_2 */ } } /* Block use of TLS ONLY in recursive mode as it won't work */ /* Note: If TLS is used in recursive mode this will try TLS on port * 53 so it is blocked here. */ if (context->resolution_type == GETDNS_RESOLUTION_RECURSING && tls_only_is_in_transports_list(context) == 1) return GETDNS_RETURN_BAD_CONTEXT; if (context->resolution_type_set == context->resolution_type) /* already set and no config changes * have caused this to be bad. */ return GETDNS_RETURN_GOOD; /* TODO: respect namespace order (unbound always uses local first if cfg * the spec calls for us to treat the namespace list as ordered * so we need to respect that order */ r = _getdns_ns_dns_setup(context); if (r == GETDNS_RETURN_GOOD) context->resolution_type_set = context->resolution_type; return r; } /* _getdns_context_prepare_for_resolution */ char * _getdns_strdup(const struct mem_funcs *mfs, const char *s) { size_t sz; char *r; if (!s || !(r = GETDNS_XMALLOC(*mfs, char, (sz = strlen(s) + 1)))) return NULL; else return memcpy(r, s, sz); } struct getdns_bindata * _getdns_bindata_copy(struct mem_funcs *mfs, size_t size, const uint8_t *data) { /* Don't know why, but nodata allows * empty bindatas with the python bindings */ static uint8_t nodata[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; struct getdns_bindata *dst; if (!(dst = GETDNS_MALLOC(*mfs, struct getdns_bindata))) return NULL; if ((dst->size = size)) { dst->data = GETDNS_XMALLOC(*mfs, uint8_t, size); if (!dst->data) { GETDNS_FREE(*mfs, dst); return NULL; } (void) memcpy(dst->data, data, size); } else { dst->data = nodata; } return dst; } void _getdns_bindata_destroy(struct mem_funcs *mfs, struct getdns_bindata *bindata) { if (!bindata) return; if (bindata->size) GETDNS_FREE(*mfs, bindata->data); GETDNS_FREE(*mfs, bindata); } /* TODO: Remove next_timeout argument from getdns_context_get_num_pending_requests */ uint32_t getdns_context_get_num_pending_requests(getdns_context* context, struct timeval* next_timeout) { (void)next_timeout; if (!context) return GETDNS_RETURN_INVALID_PARAMETER; if (context->outbound_requests.count) context->extension->vmt->run_once(context->extension, 0); return context->outbound_requests.count; } /* process async reqs */ getdns_return_t getdns_context_process_async(getdns_context *context) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; context->extension->vmt->run_once(context->extension, 0); return GETDNS_RETURN_GOOD; } void getdns_context_run(getdns_context *context) { context->extension->vmt->run(context->extension); } getdns_return_t getdns_context_detach_eventloop(struct getdns_context* context) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); /* When called from within a callback, do not execute pending * context destroys. * The (other) callback handler will handle it. * * ( because callbacks occur in cancel_outstanding_requests, * and they may destroy the context ) */ /* cancel all outstanding requests */ cancel_outstanding_requests(context); context->extension->vmt->cleanup(context->extension); context->extension = &context->default_eventloop.loop; _getdns_default_eventloop_init(&context->mf, &context->default_eventloop); #ifdef HAVE_UNBOUND_EVENT_API if (_getdns_ub_loop_enabled(&context->ub_loop)) context->ub_loop.extension = context->extension; #endif return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_set_eventloop(getdns_context* context, getdns_eventloop* loop) { if (!context || !loop) return GETDNS_RETURN_INVALID_PARAMETER; if (context->extension) { cancel_outstanding_requests(context); context->extension->vmt->cleanup(context->extension); } context->extension = loop; #ifdef HAVE_UNBOUND_EVENT_API if (_getdns_ub_loop_enabled(&context->ub_loop)) context->ub_loop.extension = loop; #endif return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_eventloop(getdns_context *context, getdns_eventloop **loop) { if (!context || !loop) return GETDNS_RETURN_INVALID_PARAMETER; if (!context->extension) return GETDNS_RETURN_GENERIC_ERROR; else *loop = context->extension; return GETDNS_RETURN_GOOD; } static size_t _getdns_get_appdata(getdns_context *context, char *path); static getdns_dict* _get_context_settings(getdns_context* context) { getdns_dict *result = getdns_dict_create_with_context(context); getdns_list *list; size_t i; const char *str_value; char appdata_dir[_GETDNS_PATH_MAX] = ""; if (!result) return NULL; /* int fields */ /* the timeouts are stored as uint64, but the value maximum used in practice is 6553500ms, so we just trim the value to be on the safe side. */ if ( getdns_dict_set_int(result, "timeout", (context->timeout > 0xFFFFFFFFull) ? 0xFFFFFFFF: (uint32_t) context->timeout) || getdns_dict_set_int(result, "idle_timeout", (context->idle_timeout > 0xFFFFFFFFull) ? 0xFFFFFFFF : (uint32_t) context->idle_timeout) || getdns_dict_set_int(result, "limit_outstanding_queries", context->limit_outstanding_queries) || getdns_dict_set_int(result, "dnssec_allowed_skew", context->dnssec_allowed_skew) || getdns_dict_set_int(result, "follow_redirects", context->follow_redirects) || ( context->edns_maximum_udp_payload_size != -1 && getdns_dict_set_int(result, "edns_maximum_udp_payload_size", context->edns_maximum_udp_payload_size)) || getdns_dict_set_int(result, "edns_client_subnet_private", context->edns_client_subnet_private) || getdns_dict_set_int(result, "edns_extended_rcode", context->edns_extended_rcode) || getdns_dict_set_int(result, "edns_version", context->edns_version) || getdns_dict_set_int(result, "edns_do_bit", context->edns_do_bit) || getdns_dict_set_int(result, "append_name", context->append_name) || getdns_dict_set_int(result, "tls_authentication", context->tls_auth) || getdns_dict_set_int(result, "round_robin_upstreams", context->round_robin_upstreams) || getdns_dict_set_int(result, "tls_backoff_time", context->tls_backoff_time) || getdns_dict_set_int(result, "tls_connection_retries", context->tls_connection_retries) || getdns_dict_set_int(result, "tls_query_padding_blocksize", context->tls_query_padding_blocksize) || getdns_dict_set_int(result, "resolution_type", context->resolution_type) ) goto error; /* list fields */ if (getdns_context_get_suffix(context, &list)) goto error; if (_getdns_dict_set_this_list(result, "suffix", list)) { getdns_list_destroy(list); goto error; } if (getdns_context_get_upstream_recursive_servers(context, &list)) goto error; if (_getdns_dict_set_this_list( result, "upstream_recursive_servers", list)) { getdns_list_destroy(list); goto error; } if (getdns_context_get_dnssec_trust_anchors(context, &list)) ; /* pass */ else if (list && _getdns_dict_set_this_list( result, "dnssec_trust_anchors", list)) { getdns_list_destroy(list); goto error; } if (context->dns_transport_count > 0) { /* create a namespace list */ if (!(list = getdns_list_create_with_context(context))) goto error; for (i = 0; i < context->dns_transport_count; ++i) { if (getdns_list_set_int(list, i, context->dns_transports[i])) { getdns_list_destroy(list); goto error; } } if (_getdns_dict_set_this_list( result, "dns_transport_list", list)) { getdns_list_destroy(list); goto error; } } if (context->namespace_count > 0) { /* create a namespace list */ if (!(list = getdns_list_create_with_context(context))) goto error; for (i = 0; i < context->namespace_count; ++i) { if (getdns_list_set_int(list, i, context->namespaces[i])) { getdns_list_destroy(list); goto error; } } if (_getdns_dict_set_this_list(result, "namespaces", list)) { getdns_list_destroy(list); return NULL; } } (void) _getdns_get_appdata(context, appdata_dir); (void) getdns_dict_util_set_string(result, "appdata_dir", appdata_dir); if (!getdns_context_get_trust_anchors_url(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "trust_anchors_url", str_value); if (!getdns_context_get_trust_anchors_verify_CA(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "trust_anchors_verify_CA", str_value); if (!getdns_context_get_trust_anchors_verify_email(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "trust_anchors_verify_email", str_value); return result; error: getdns_dict_destroy(result); return NULL; } getdns_dict* getdns_context_get_api_information(getdns_context* context) { getdns_dict* result; getdns_dict* settings; if ((result = getdns_dict_create_with_context(context)) && ! getdns_dict_util_set_string( result, "version_string", GETDNS_VERSION) && ! getdns_dict_set_int( result, "version_number", getdns_get_version_number()) && ! getdns_dict_util_set_string( result, "api_version_string", getdns_get_api_version()) && ! getdns_dict_set_int( result, "api_version_number", getdns_get_api_version_number()) && ! getdns_dict_util_set_string( result, "implementation_string", PACKAGE_URL) && ! getdns_dict_util_set_string( result, "compilation_comment", GETDNS_COMPILATION_COMMENT) && ! getdns_dict_util_set_string( result, "trust_anchor_file", TRUST_ANCHOR_FILE) && ! getdns_dict_set_int( result, "resolution_type", context->resolution_type) && (settings = _get_context_settings(context))) { if (!_getdns_dict_set_this_dict(result,"all_context",settings)) return result; getdns_dict_destroy(settings); } getdns_dict_destroy(result); return NULL; } getdns_return_t getdns_context_set_return_dnssec_status(getdns_context* context, int enabled) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); if (enabled != GETDNS_EXTENSION_TRUE && enabled != GETDNS_EXTENSION_FALSE) { return GETDNS_RETURN_INVALID_PARAMETER; } context->dnssec_return_status = enabled == GETDNS_EXTENSION_TRUE; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_set_use_threads(getdns_context* context, int use_threads) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); int r = 0; if (context->resolution_type_set != 0) { /* already setup */ return GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } #ifdef HAVE_LIBUNBOUND if (use_threads) r = ub_ctx_async(context->unbound_ctx, 1); else r = ub_ctx_async(context->unbound_ctx, 0); #else (void)use_threads; #endif return r == 0 ? GETDNS_RETURN_GOOD : GETDNS_RETURN_CONTEXT_UPDATE_FAIL; } getdns_return_t _getdns_context_local_namespace_resolve( getdns_dns_req *dnsreq, getdns_dict **response) { getdns_context *context = dnsreq->context; host_name_addrs *hnas; uint8_t lookup[256]; getdns_list empty_list = { 0, 0, NULL, { NULL, {{ NULL, NULL, NULL }}}}; getdns_bindata bindata; getdns_list *jaa; size_t i; getdns_dict *addr; int ipv4 = dnsreq->netreqs[0]->request_type == GETDNS_RRTYPE_A || (dnsreq->netreqs[1] && dnsreq->netreqs[1]->request_type == GETDNS_RRTYPE_A); int ipv6 = dnsreq->netreqs[0]->request_type == GETDNS_RRTYPE_AAAA || (dnsreq->netreqs[1] && dnsreq->netreqs[1]->request_type == GETDNS_RRTYPE_AAAA); if (!ipv4 && !ipv6) return GETDNS_RETURN_GENERIC_ERROR; /*Do the lookup*/ (void)memcpy(lookup, dnsreq->name, dnsreq->name_len); canonicalize_dname(lookup); if (!(hnas = (host_name_addrs *) _getdns_rbtree_search(&context->local_hosts, lookup))) return GETDNS_RETURN_GENERIC_ERROR; if (!hnas->ipv4addrs && (!ipv6 || !hnas->ipv6addrs)) return GETDNS_RETURN_GENERIC_ERROR; if (!hnas->ipv6addrs && (!ipv4 || !hnas->ipv4addrs)) return GETDNS_RETURN_GENERIC_ERROR; if (!(*response = getdns_dict_create_with_context(context))) return GETDNS_RETURN_GENERIC_ERROR; bindata.size = dnsreq->name_len; bindata.data = dnsreq->name; if (getdns_dict_set_bindata(*response, "canonical_name", &bindata)) goto error; empty_list.mf = context->mf; if (getdns_dict_set_list(*response, "replies_full", &empty_list)) goto error; if (getdns_dict_set_list(*response, "replies_tree", &empty_list)) goto error; if (getdns_dict_set_int(*response, "status", GETDNS_RESPSTATUS_GOOD)) goto error; if (!ipv4 || !hnas->ipv4addrs) { if (getdns_dict_set_list(*response, "just_address_answers", hnas->ipv6addrs)) goto error; return GETDNS_RETURN_GOOD; } else if (!ipv6 || !hnas->ipv6addrs) { if (getdns_dict_set_list(*response, "just_address_answers", hnas->ipv4addrs)) goto error; return GETDNS_RETURN_GOOD; } if (!(jaa = getdns_list_create_with_context(context))) goto error; for (i = 0; !getdns_list_get_dict(hnas->ipv4addrs, i, &addr); i++) if (_getdns_list_append_dict(jaa, addr)) break; for (i = 0; !getdns_list_get_dict(hnas->ipv6addrs, i, &addr); i++) if (_getdns_list_append_dict(jaa, addr)) break; if (!_getdns_dict_set_this_list(*response, "just_address_answers", jaa)) return GETDNS_RETURN_GOOD; else getdns_list_destroy(jaa); error: getdns_dict_destroy(*response); return GETDNS_RETURN_GENERIC_ERROR; } struct mem_funcs * priv_getdns_context_mf(getdns_context *context) { return &context->mf; } /** begin getters **/ getdns_return_t getdns_context_get_resolution_type(getdns_context *context, getdns_resolution_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->resolution_type; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_namespaces(getdns_context *context, size_t* namespace_count, getdns_namespace_t **namespaces) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(namespace_count, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(namespaces, GETDNS_RETURN_INVALID_PARAMETER); *namespace_count = context->namespace_count; if (!context->namespace_count) { *namespaces = NULL; return GETDNS_RETURN_GOOD; } // use normal malloc here so users can do normal free *namespaces = malloc(context->namespace_count * sizeof(getdns_namespace_t)); memcpy(*namespaces, context->namespaces, context->namespace_count * sizeof(getdns_namespace_t)); return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_dns_transport(getdns_context *context, getdns_transport_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); int count = context->dns_transport_count; getdns_transport_list_t *transports = context->dns_transports; if (!count) return GETDNS_RETURN_WRONG_TYPE_REQUESTED; /* Best effort mapping for backwards compatibility*/ if (transports[0] == GETDNS_TRANSPORT_UDP) { if (count == 1) *value = GETDNS_TRANSPORT_UDP_ONLY; else if (count == 2 && transports[1] == GETDNS_TRANSPORT_TCP) *value = GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP; else return GETDNS_RETURN_WRONG_TYPE_REQUESTED; } if (transports[0] == GETDNS_TRANSPORT_TCP) { if (count == 1) *value = GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN; } if (transports[0] == GETDNS_TRANSPORT_TLS) { if (count == 1) *value = GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN; else if (count == 2 && transports[1] == GETDNS_TRANSPORT_TCP) *value = GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN; else return GETDNS_RETURN_WRONG_TYPE_REQUESTED; } return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_dns_transport_list(getdns_context *context, size_t* transport_count, getdns_transport_list_t **transports) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(transport_count, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(transports, GETDNS_RETURN_INVALID_PARAMETER); *transport_count = context->dns_transport_count; if (!context->dns_transport_count) { *transports = NULL; return GETDNS_RETURN_GOOD; } // use normal malloc here so users can do normal free *transports = malloc(context->dns_transport_count * sizeof(getdns_transport_list_t)); memcpy(*transports, context->dns_transports, context->dns_transport_count * sizeof(getdns_transport_list_t)); return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_tls_authentication(getdns_context *context, getdns_tls_authentication_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->tls_auth; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_round_robin_upstreams(getdns_context *context, uint8_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->round_robin_upstreams; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_tls_backoff_time(getdns_context *context, uint16_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->tls_backoff_time; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_tls_connection_retries(getdns_context *context, uint16_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->tls_connection_retries; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_limit_outstanding_queries(getdns_context *context, uint16_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->limit_outstanding_queries; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_timeout(getdns_context *context, uint64_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->timeout; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_idle_timeout(getdns_context *context, uint64_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->idle_timeout; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_follow_redirects( getdns_context *context, getdns_redirects_t* value) { if (!context || !value) return GETDNS_RETURN_INVALID_PARAMETER; *value = context->follow_redirects; return GETDNS_RETURN_NOT_IMPLEMENTED; } getdns_return_t getdns_context_get_dns_root_servers(getdns_context *context, getdns_list **value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = NULL; if (context->dns_root_servers) return _getdns_list_copy(context->dns_root_servers, value); return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_append_name(getdns_context *context, getdns_append_name_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->append_name; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_suffix(getdns_context *context, getdns_list **value) { size_t dname_len; const uint8_t *dname; char name[1024]; getdns_return_t r = GETDNS_RETURN_GOOD; getdns_list *list; if (!context || !value) return GETDNS_RETURN_INVALID_PARAMETER; if (!(list = getdns_list_create_with_context(context))) return GETDNS_RETURN_MEMORY_ERROR; assert(context->suffixes); dname_len = context->suffixes[0]; dname = context->suffixes + 1; while (dname_len && *dname) { if (! gldns_wire2str_dname_buf((UNCONST_UINT8_p) dname, dname_len, name, sizeof(name))) { r = GETDNS_RETURN_GENERIC_ERROR; break; } if ((r = _getdns_list_append_string(list, name))) break; dname += dname_len; dname_len = *dname++; } if (r) getdns_list_destroy(list); else *value = list; return r; } getdns_return_t getdns_context_get_dnssec_trust_anchors( getdns_context *context, getdns_list **value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); if (context->trust_anchors) { if ((*value = getdns_list_create_with_context(context))) _getdns_wire2list( context->trust_anchors , context->trust_anchors_len , *value); else return GETDNS_RETURN_MEMORY_ERROR; } else *value = NULL; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_dnssec_allowed_skew(getdns_context *context, uint32_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->dnssec_allowed_skew; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_upstream_recursive_servers(getdns_context *context, getdns_list **upstreams_r) { size_t i; getdns_list *upstreams; getdns_return_t r; if (!context || !upstreams_r) return GETDNS_RETURN_INVALID_PARAMETER; if (!(upstreams = getdns_list_create_with_context(context))) return GETDNS_RETURN_MEMORY_ERROR; if (!context->upstreams || context->upstreams->count == 0) { *upstreams_r = upstreams; return GETDNS_RETURN_GOOD; } r = GETDNS_RETURN_GOOD; i = 0; while (!r && i < context->upstreams->count) { size_t j; getdns_dict *d; getdns_upstream *upstream = &context->upstreams->upstreams[i]; getdns_bindata bindata; const getdns_tsig_info *tsig_info; if (!(d = sockaddr_dict(context, (struct sockaddr*)&upstream->addr))) { r = GETDNS_RETURN_MEMORY_ERROR; break; } if (upstream->tsig_alg) { tsig_info = _getdns_get_tsig_info(upstream->tsig_alg); if ((r = _getdns_dict_set_const_bindata( d, "tsig_algorithm", tsig_info->dname_len, tsig_info->dname))) break; if (upstream->tsig_dname_len) { bindata.data = upstream->tsig_dname; bindata.size = upstream->tsig_dname_len; if ((r = getdns_dict_set_bindata( d, "tsig_name", &bindata))) break; } if (upstream->tsig_size) { bindata.data = upstream->tsig_key; bindata.size = upstream->tsig_size; if ((r = getdns_dict_set_bindata( d, "tsig_secret", &bindata))) break; } } for ( j = 1, i++ ; j < GETDNS_UPSTREAM_TRANSPORTS && i < context->upstreams->count ; j++, i++) { upstream = &context->upstreams->upstreams[i]; if (upstream->transport == GETDNS_TRANSPORT_UDP && upstream_port(upstream) != getdns_port_array[j] && (r = getdns_dict_set_int(d, "port", (uint32_t)upstream_port(upstream)))) break; if (upstream->transport == GETDNS_TRANSPORT_TLS) { if (upstream_port(upstream) != getdns_port_array[j] && (r = getdns_dict_set_int(d, "tls_port", (uint32_t) upstream_port(upstream)))) break; if (upstream->tls_auth_name[0] != '\0' && (r = getdns_dict_util_set_string(d, "tls_auth_name", upstream->tls_auth_name))) break; if (upstream->tls_pubkey_pinset) { getdns_list *pins = NULL; if ((_getdns_get_pubkey_pinset_list(context, upstream->tls_pubkey_pinset, &pins) == GETDNS_RETURN_GOOD) && (r = _getdns_dict_set_this_list(d, "tls_pubkey_pinset", pins))) { getdns_list_destroy(pins); break; } } } } if (!r) if (!(r = _getdns_list_append_this_dict(upstreams, d))) d = NULL; getdns_dict_destroy(d); } if (r) getdns_list_destroy(upstreams); else *upstreams_r = upstreams; return r; } getdns_return_t getdns_context_get_edns_maximum_udp_payload_size(getdns_context *context, uint16_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->edns_maximum_udp_payload_size == -1 ? 0 : context->edns_maximum_udp_payload_size; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_edns_extended_rcode(getdns_context *context, uint8_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->edns_extended_rcode; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_edns_version(getdns_context *context, uint8_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->edns_version; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_edns_do_bit(getdns_context *context, uint8_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->edns_do_bit; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_edns_client_subnet_private(getdns_context *context, uint8_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->edns_client_subnet_private; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_tls_query_padding_blocksize(getdns_context *context, uint16_t* value) { RETURN_IF_NULL(context, GETDNS_RETURN_INVALID_PARAMETER); RETURN_IF_NULL(value, GETDNS_RETURN_INVALID_PARAMETER); *value = context->tls_query_padding_blocksize; return GETDNS_RETURN_GOOD; } static int _streq(const getdns_bindata *name, const char *str) { if (strlen(str) != name->size) return 0; else return strncmp((const char *)name->data, str, name->size) == 0; } static getdns_return_t _get_list_or_read_file(const getdns_dict *config_dict, const char *setting, getdns_list **r_list, int *destroy_list) { getdns_bindata *fn_bd; char fn[FILENAME_MAX]; FILE *fh; getdns_return_t r; assert(r_list); assert(destroy_list); *destroy_list = 0; if (!(r = getdns_dict_get_list(config_dict, setting, r_list))) return GETDNS_RETURN_GOOD; else if ((r = getdns_dict_get_bindata(config_dict, setting, &fn_bd))) return r; else if (fn_bd->size >= FILENAME_MAX) return GETDNS_RETURN_INVALID_PARAMETER; (void)memcpy(fn, fn_bd->data, fn_bd->size); fn[fn_bd->size] = 0; if (!(fh = fopen(fn, "r"))) return GETDNS_RETURN_GENERIC_ERROR; if (!(r = getdns_fp2rr_list(fh, r_list, NULL, 3600))) *destroy_list = 1; fclose(fh); return r; } #define CONTEXT_SETTING_INT(X) \ } else if (_streq(setting, #X)) { \ if (!(r = getdns_dict_get_int(config_dict, #X , &n))) \ r = getdns_context_set_ ## X (context, n); #define CONTEXT_SETTING_LIST(X) \ } else if (_streq(setting, #X)) { \ if (!(r = getdns_dict_get_list(config_dict, #X , &list))) \ r = getdns_context_set_ ## X (context, list); #define CONTEXT_SETTING_LIST_OR_ZONEFILE(X) \ } else if (_streq(setting, #X)) { \ if (!(r = _get_list_or_read_file( \ config_dict, #X , &list, &destroy_list))) \ r = getdns_context_set_ ## X(context, list); \ if (destroy_list) getdns_list_destroy(list); #define CONTEXT_SETTING_ARRAY(X, T) \ } else if (_streq(setting, #X )) { \ if (!(r = getdns_dict_get_list(config_dict, #X , &list)) && \ !(r = getdns_list_get_length(list, &count))) { \ for (i=0; iX = 1; \ else if (n == GETDNS_EXTENSION_FALSE) context->X = 0; \ else r = GETDNS_RETURN_INVALID_PARAMETER; \ } #define CONTEXT_SETTING_STRING(X) \ } else if (_streq(setting, #X )) { \ if (!(r = getdns_dict_get_bindata(config_dict, #X , &bd))) \ r = getdns_context_set_ ## X( \ context, (char *)bd->data); static getdns_return_t _getdns_context_config_setting(getdns_context *context, const getdns_dict *config_dict, const getdns_bindata *setting) { getdns_return_t r = GETDNS_RETURN_GOOD; getdns_dict *dict; getdns_list *list; getdns_namespace_t namespaces[100]; getdns_transport_list_t dns_transport_list[100]; size_t count, i; uint32_t n; getdns_bindata *bd; int destroy_list = 0; if (_streq(setting, "all_context")) { if (!(r = getdns_dict_get_dict(config_dict, "all_context", &dict))) r = getdns_context_config(context, dict); CONTEXT_SETTING_INT(resolution_type) CONTEXT_SETTING_ARRAY(namespaces, namespace) CONTEXT_SETTING_INT(dns_transport) CONTEXT_SETTING_ARRAY(dns_transport_list, transport_list) CONTEXT_SETTING_INT(idle_timeout) CONTEXT_SETTING_INT(limit_outstanding_queries) CONTEXT_SETTING_INT(timeout) CONTEXT_SETTING_INT(follow_redirects) CONTEXT_SETTING_LIST_OR_ZONEFILE(dns_root_servers) CONTEXT_SETTING_INT(append_name) CONTEXT_SETTING_LIST(suffix) CONTEXT_SETTING_LIST_OR_ZONEFILE(dnssec_trust_anchors) CONTEXT_SETTING_INT(dnssec_allowed_skew) CONTEXT_SETTING_LIST(upstream_recursive_servers) CONTEXT_SETTING_INT(edns_maximum_udp_payload_size) CONTEXT_SETTING_INT(edns_extended_rcode) CONTEXT_SETTING_INT(edns_version) CONTEXT_SETTING_INT(edns_do_bit) /***************************************/ /**** ****/ /**** Unofficial context settings ****/ /**** ****/ /***************************************/ CONTEXT_SETTING_INT(edns_client_subnet_private) CONTEXT_SETTING_INT(tls_authentication) CONTEXT_SETTING_INT(round_robin_upstreams) CONTEXT_SETTING_INT(tls_backoff_time) CONTEXT_SETTING_INT(tls_connection_retries) CONTEXT_SETTING_INT(tls_query_padding_blocksize) CONTEXT_SETTING_STRING(trust_anchors_url) CONTEXT_SETTING_STRING(trust_anchors_verify_CA) CONTEXT_SETTING_STRING(trust_anchors_verify_email) CONTEXT_SETTING_STRING(appdata_dir) /**************************************/ /**** ****/ /**** Default extensions setting ****/ /**** ****/ /**************************************/ EXTENSION_SETTING_BOOL(add_warning_for_bad_dns) EXTENSION_SETTING_BOOL(dnssec_return_all_statuses) EXTENSION_SETTING_BOOL(dnssec_return_full_validation_chain) EXTENSION_SETTING_BOOL(dnssec_return_only_secure) EXTENSION_SETTING_BOOL(dnssec_return_status) EXTENSION_SETTING_BOOL(dnssec_return_validation_chain) #if defined(DNSSEC_ROADBLOCK_AVOIDANCE) && defined(HAVE_LIBUNBOUND) EXTENSION_SETTING_BOOL(dnssec_roadblock_avoidance) #endif #ifdef EDNS_COOKIES EXTENSION_SETTING_BOOL(edns_cookies) #endif EXTENSION_SETTING_BOOL(return_api_information) EXTENSION_SETTING_BOOL(return_both_v4_and_v6) EXTENSION_SETTING_BOOL(return_call_reporting) } else if (_streq(setting, "add_opt_parameters")) { if (!(r = getdns_dict_get_dict(config_dict, "add_opt_parameters" , &dict))) { if (context->add_opt_parameters) getdns_dict_destroy(context->add_opt_parameters); context->add_opt_parameters = NULL; r = _getdns_dict_copy(dict, &context->add_opt_parameters); } } else if (_streq(setting, "header")) { if (!(r = getdns_dict_get_dict(config_dict, "header" , &dict))) { if (context->header) getdns_dict_destroy(context->header); if (!(context->header = getdns_dict_create_with_context(context))) r = GETDNS_RETURN_MEMORY_ERROR; else r = getdns_dict_set_dict( context->header, "header", dict); } } else if (_streq(setting, "specify_class")) { if (!(r = getdns_dict_get_int( config_dict, "specify_class" , &n))) context->specify_class = (uint16_t)n; /************************************/ /**** ****/ /**** Ignored context settings ****/ /**** ****/ /************************************/ } else if (!_streq(setting, "implementation_string") && !_streq(setting, "version_string") && !_streq(setting, "version_number") && !_streq(setting, "api_version_string") && !_streq(setting, "api_version_number") && !_streq(setting, "trust_anchor_file") && !_streq(setting, "compilation_comment") ) { r = GETDNS_RETURN_NOT_IMPLEMENTED; } return r; } getdns_return_t getdns_context_config(getdns_context *context, const getdns_dict *config_dict) { getdns_list *settings; getdns_return_t r; getdns_bindata *setting; size_t i; if ((r = getdns_dict_get_names(config_dict, &settings))) return r; for (i = 0; !(r = getdns_list_get_bindata(settings,i,&setting)); i++) { if ((r = _getdns_context_config_setting( context, config_dict, setting))) break; } if (r == GETDNS_RETURN_NO_SUCH_LIST_ITEM) r = GETDNS_RETURN_GOOD; getdns_list_destroy(settings); return r; } static size_t _getdns_get_appdata(getdns_context *context, char *path) { size_t len = 0; #ifdef USE_WINSOCK # define SLASHTOK '\\' # define APPDATA_SUBDIR "getdns" if (context->appdata_dir) { (void) strcpy(path, context->appdata_dir); len = strlen(path); } else if (! SUCCEEDED(SHGetFolderPath(NULL, CSIDL_APPDATA | CSIDL_FLAG_CREATE, NULL, 0, path))) DEBUG_ANCHOR("ERROR %s(): Could not get %%AppData%% directory\n" , __FUNC__); else if ((len = strlen(path)) + sizeof(APPDATA_SUBDIR) + 2 >= _GETDNS_PATH_MAX) DEBUG_ANCHOR("ERROR %s(): Home path too long for appdata\n" , __FUNC__); #else # define SLASHTOK '/' # define APPDATA_SUBDIR ".getdns" struct passwd *p = getpwuid(getuid()); char *home = NULL; if (context->appdata_dir) { (void) strcpy(path, context->appdata_dir); len = strlen(path); } else if (!(home = p ? p->pw_dir : getenv("HOME"))) DEBUG_ANCHOR("ERROR %s(): Could not get home directory\n" , __FUNC__); else if ((len = strlen(home)) + sizeof(APPDATA_SUBDIR) + 2 >= _GETDNS_PATH_MAX) DEBUG_ANCHOR("ERROR %s(): Home path too long for appdata\n" , __FUNC__); else if (!strcpy(path, home)) ; /* strcpy returns path always */ #endif else { if (len == 0 || ( path[len - 1] != '/' && path[len - 1] != '\\')) { path[len++] = SLASHTOK; path[len ] = '\0'; } (void) strcpy(path + len, APPDATA_SUBDIR); len += sizeof(APPDATA_SUBDIR) - 1; } if (len) { if (path[len - 1] == '/' || path[len - 1] == '\\') { path[--len] = '\0'; } if (0 > #ifdef USE_WINSOCK mkdir(path) #else mkdir(path, 0755) #endif && errno != EEXIST) DEBUG_ANCHOR("ERROR %s(): Could not mkdir %s: %s\n" , __FUNC__, path, strerror(errno)); else { path[len++] = SLASHTOK; path[len ] = '\0'; return len; } } return 0; } FILE *_getdns_context_get_priv_fp(getdns_context *context, const char *fn) { char path[_GETDNS_PATH_MAX]; FILE *f = NULL; size_t len; (void) context; if (!(len = _getdns_get_appdata(context, path))) DEBUG_ANCHOR("ERROR %s(): Could nog get application data path\n" , __FUNC__); else if (len + strlen(fn) >= sizeof(path)) DEBUG_ANCHOR("ERROR %s(): Application data too long\n", __FUNC__); else if (!strcpy(path + len, fn)) ; /* strcpy returns path + len always */ else if (!(f = fopen(path, "r"))) DEBUG_ANCHOR("ERROR %s(): Opening \"%s\": %s\n" , __FUNC__, path, strerror(errno)); return f; } uint8_t *_getdns_context_get_priv_file(getdns_context *context, const char *fn, uint8_t *buf, size_t buf_len, size_t *file_sz) { FILE *f = NULL; if (!(f = _getdns_context_get_priv_fp(context, fn))) ; /* pass */ else if ((*file_sz = fread(buf, 1, buf_len, f)) < (buf_len - 1) && feof(f)) { buf[*file_sz] = 0; (void) fclose(f); return buf; } else if (fseek(f, 0, SEEK_END) < 0) DEBUG_ANCHOR("ERROR %s(): Determining size of \"%s\": %s\n" , __FUNC__, fn, strerror(errno)); else if (!(buf = GETDNS_XMALLOC( context->mf, uint8_t, (buf_len = ftell(f) + 1)))) DEBUG_ANCHOR("ERROR %s(): Allocating %d memory for \"%s\"\n" , __FUNC__, (int)buf_len, fn); else { rewind(f); if ((*file_sz = fread(buf, 1, buf_len, f)) >= buf_len || !feof(f)) { GETDNS_FREE(context->mf, buf); DEBUG_ANCHOR("ERROR %s(): Reading \"%s\": %s\n" , __FUNC__, fn, strerror(errno)); } else { buf[*file_sz] = 0; (void) fclose(f); return buf; } } if (f) (void) fclose(f); return NULL; } int _getdns_context_write_priv_file(getdns_context *context, const char *fn, getdns_bindata *content) { char path[_GETDNS_PATH_MAX], tmpfn[_GETDNS_PATH_MAX]; int fd = -1; FILE *f = NULL; size_t len; if (!(len = _getdns_get_appdata(context, path))) DEBUG_ANCHOR("ERROR %s(): Could nog get application data path\n" , __FUNC__); else if (len + 6 >= sizeof(tmpfn) || len + strlen(fn) >= sizeof(path)) DEBUG_ANCHOR("ERROR %s(): Application data too long\n", __FUNC__); else if (snprintf(tmpfn, sizeof(tmpfn), "%sXXXXXX", path) < 0) DEBUG_ANCHOR("ERROR %s(): Creating temporary filename template\n" , __FUNC__); else if (!strcpy(path + len, fn)) ; /* strcpy returns path + len always */ else if ((fd = mkstemp(tmpfn)) < 0) DEBUG_ANCHOR("ERROR %s(): Creating temporary file: %s\n" , __FUNC__, strerror(errno)); else if (!(f = fdopen(fd, "w"))) DEBUG_ANCHOR("ERROR %s(): Opening temporary file: %s\n" , __FUNC__, strerror(errno)); else if (fwrite(content->data, 1, content->size, f) < content->size) DEBUG_ANCHOR("ERROR %s(): Writing temporary file: %s\n" , __FUNC__, strerror(errno)); else if (fclose(f) < 0) DEBUG_ANCHOR("ERROR %s(): Closing temporary file: %s\n" , __FUNC__, strerror(errno)); else if (rename(tmpfn, path) < 0) DEBUG_ANCHOR("ERROR %s(): Renaming temporary file: %s\n" , __FUNC__, strerror(errno)); else { context->can_write_appdata = PROP_ABLE; return 1; } if (f) (void) fclose(f); else if (fd >= 0) (void) close(fd); context->can_write_appdata = PROP_UNABLE; return 0; } int _getdns_context_can_write_appdata(getdns_context *context) { char test_fn[30], path[_GETDNS_PATH_MAX]; size_t len; getdns_bindata test_content = { 4, (void *)"TEST" }; if (context->can_write_appdata == PROP_ABLE) return 1; else if (context->can_write_appdata == PROP_UNABLE) return 0; (void) snprintf( test_fn, sizeof(test_fn) , "write-test-%d.tmp", arc4random()); if (!_getdns_context_write_priv_file(context, test_fn, &test_content)) return 0; if (!(len = _getdns_get_appdata(context, path))) DEBUG_ANCHOR("ERROR %s(): Could nog get application data path\n" , __FUNC__); else if (len + strlen(test_fn) >= sizeof(path)) DEBUG_ANCHOR("ERROR %s(): Application data too long\n", __FUNC__); else if (!strcpy(path + len, test_fn)) ; /* strcpy returns path + len always */ else if (unlink(path) < 0) DEBUG_ANCHOR("ERROR %s(): Unlinking write test file \"%s\": %s\n" , __FUNC__, path, strerror(errno)); return 1; } getdns_return_t getdns_context_set_trust_anchors_url( getdns_context *context, const char *url) { const char *path; size_t path_len; if (!context) return GETDNS_RETURN_INVALID_PARAMETER; if (url) { if (! ((url[0] == 'h' || url[0] == 'H') && (url[1] == 't' || url[1] == 'T') && (url[2] == 't' || url[2] == 'T') && (url[3] == 'p' || url[3] == 'P') && url[4] == ':' && url[5] == '/' && url[6] == '/' && (path = strchr(url + 7, '/')))) return GETDNS_RETURN_NOT_IMPLEMENTED; path_len = strlen(path); if (! ( path_len >= 5 && path[path_len - 4] == '.' && ( path[path_len - 3] == 'x' || path[path_len - 3] == 'X') && ( path[path_len - 2] == 'm' || path[path_len - 2] == 'M') && ( path[path_len - 1] == 'l' || path[path_len - 1] == 'L'))) return GETDNS_RETURN_NOT_IMPLEMENTED; } if (context->trust_anchors_url) GETDNS_FREE(context->mf, context->trust_anchors_url); context->trust_anchors_url = _getdns_strdup(&context->mf, url); dispatch_updated(context, GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL); return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_trust_anchors_url( getdns_context *context, const char **url) { if (!context || !url) return GETDNS_RETURN_INVALID_PARAMETER; *url = context && context->trust_anchors_url ? context->trust_anchors_url : _getdns_default_trust_anchors_url; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_set_trust_anchors_verify_CA( getdns_context *context, const char *verify_CA) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; if (context->trust_anchors_verify_CA) GETDNS_FREE(context->mf, context->trust_anchors_verify_CA); context->trust_anchors_verify_CA = _getdns_strdup(&context->mf, verify_CA); dispatch_updated( context , GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA); return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_trust_anchors_verify_CA( getdns_context *context, const char **verify_CA) { if (!verify_CA) return GETDNS_RETURN_INVALID_PARAMETER; *verify_CA = context && context->trust_anchors_verify_CA ? context->trust_anchors_verify_CA : _getdns_default_trust_anchors_verify_CA; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_set_trust_anchors_verify_email( getdns_context *context, const char *verify_email) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; if (context->trust_anchors_verify_email) GETDNS_FREE(context->mf, context->trust_anchors_verify_email); context->trust_anchors_verify_email = _getdns_strdup(&context->mf, verify_email); dispatch_updated( context , GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL); return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_get_trust_anchors_verify_email( getdns_context *context, const char **verify_email) { if (!verify_email) return GETDNS_RETURN_INVALID_PARAMETER; *verify_email = context && context->trust_anchors_verify_email ? context->trust_anchors_verify_email : _getdns_default_trust_anchors_verify_email; return GETDNS_RETURN_GOOD; } getdns_return_t getdns_context_set_appdata_dir( getdns_context *context, const char *appdata_dir) { if (!context) return GETDNS_RETURN_INVALID_PARAMETER; if (context->appdata_dir) GETDNS_FREE(context->mf, context->appdata_dir); context->appdata_dir = _getdns_strdup(&context->mf, appdata_dir); dispatch_updated(context, GETDNS_CONTEXT_CODE_APPDATA_DIR); return GETDNS_RETURN_GOOD; } /* context.c */