ipsecmod.c revision 1.1.1.2
1 1.1 christos /* 2 1.1 christos * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module 3 1.1 christos * 4 1.1 christos * Copyright (c) 2017, NLnet Labs. All rights reserved. 5 1.1 christos * 6 1.1 christos * This software is open source. 7 1.1 christos * 8 1.1 christos * Redistribution and use in source and binary forms, with or without 9 1.1 christos * modification, are permitted provided that the following conditions 10 1.1 christos * are met: 11 1.1 christos * 12 1.1 christos * Redistributions of source code must retain the above copyright notice, 13 1.1 christos * this list of conditions and the following disclaimer. 14 1.1 christos * 15 1.1 christos * Redistributions in binary form must reproduce the above copyright notice, 16 1.1 christos * this list of conditions and the following disclaimer in the documentation 17 1.1 christos * and/or other materials provided with the distribution. 18 1.1 christos * 19 1.1 christos * Neither the name of the NLNET LABS nor the names of its contributors may 20 1.1 christos * be used to endorse or promote products derived from this software without 21 1.1 christos * specific prior written permission. 22 1.1 christos * 23 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 1.1 christos * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 1.1 christos * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 1.1 christos * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 1.1 christos * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 1.1 christos * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 1.1 christos * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 1.1 christos * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 1.1 christos * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 1.1 christos * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 1.1 christos * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 1.1 christos */ 35 1.1 christos 36 1.1 christos /** 37 1.1 christos * \file 38 1.1 christos * 39 1.1 christos * This file contains a module that facilitates opportunistic IPsec. It does so 40 1.1 christos * by also quering for the IPSECKEY for A/AAAA queries and calling a 41 1.1 christos * configurable hook (eg. signaling an IKE daemon) before replying. 42 1.1 christos */ 43 1.1 christos 44 1.1 christos #include "config.h" 45 1.1 christos #ifdef USE_IPSECMOD 46 1.1 christos #include "ipsecmod/ipsecmod.h" 47 1.1 christos #include "ipsecmod/ipsecmod-whitelist.h" 48 1.1 christos #include "util/fptr_wlist.h" 49 1.1 christos #include "util/regional.h" 50 1.1 christos #include "util/net_help.h" 51 1.1 christos #include "util/config_file.h" 52 1.1 christos #include "services/cache/dns.h" 53 1.1 christos #include "sldns/wire2str.h" 54 1.1 christos 55 1.1 christos /** Apply configuration to ipsecmod module 'global' state. */ 56 1.1 christos static int 57 1.1 christos ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg) 58 1.1 christos { 59 1.1 christos if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) { 60 1.1 christos log_err("ipsecmod: missing ipsecmod-hook."); 61 1.1 christos return 0; 62 1.1 christos } 63 1.1 christos if(cfg->ipsecmod_whitelist && 64 1.1 christos !ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg)) 65 1.1 christos return 0; 66 1.1 christos return 1; 67 1.1 christos } 68 1.1 christos 69 1.1 christos int 70 1.1 christos ipsecmod_init(struct module_env* env, int id) 71 1.1 christos { 72 1.1 christos struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1, 73 1.1 christos sizeof(struct ipsecmod_env)); 74 1.1 christos if(!ipsecmod_env) { 75 1.1 christos log_err("malloc failure"); 76 1.1 christos return 0; 77 1.1 christos } 78 1.1 christos env->modinfo[id] = (void*)ipsecmod_env; 79 1.1 christos ipsecmod_env->whitelist = NULL; 80 1.1 christos if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) { 81 1.1 christos log_err("ipsecmod: could not apply configuration settings."); 82 1.1 christos return 0; 83 1.1 christos } 84 1.1 christos return 1; 85 1.1 christos } 86 1.1 christos 87 1.1 christos void 88 1.1 christos ipsecmod_deinit(struct module_env* env, int id) 89 1.1 christos { 90 1.1 christos struct ipsecmod_env* ipsecmod_env; 91 1.1 christos if(!env || !env->modinfo[id]) 92 1.1 christos return; 93 1.1 christos ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id]; 94 1.1 christos /* Free contents. */ 95 1.1 christos ipsecmod_whitelist_delete(ipsecmod_env->whitelist); 96 1.1 christos free(ipsecmod_env); 97 1.1 christos env->modinfo[id] = NULL; 98 1.1 christos } 99 1.1 christos 100 1.1 christos /** New query for ipsecmod. */ 101 1.1 christos static int 102 1.1 christos ipsecmod_new(struct module_qstate* qstate, int id) 103 1.1 christos { 104 1.1 christos struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc( 105 1.1 christos qstate->region, sizeof(struct ipsecmod_qstate)); 106 1.1 christos memset(iq, 0, sizeof(*iq)); 107 1.1 christos qstate->minfo[id] = iq; 108 1.1 christos if(!iq) 109 1.1 christos return 0; 110 1.1 christos /* Initialise it. */ 111 1.1 christos iq->enabled = qstate->env->cfg->ipsecmod_enabled; 112 1.1 christos iq->is_whitelisted = ipsecmod_domain_is_whitelisted( 113 1.1 christos (struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname, 114 1.1 christos qstate->qinfo.qname_len, qstate->qinfo.qclass); 115 1.1 christos return 1; 116 1.1 christos } 117 1.1 christos 118 1.1 christos /** 119 1.1 christos * Exit module with an error status. 120 1.1 christos * @param qstate: query state 121 1.1 christos * @param id: module id. 122 1.1 christos */ 123 1.1 christos static void 124 1.1 christos ipsecmod_error(struct module_qstate* qstate, int id) 125 1.1 christos { 126 1.1 christos qstate->ext_state[id] = module_error; 127 1.1 christos qstate->return_rcode = LDNS_RCODE_SERVFAIL; 128 1.1 christos } 129 1.1 christos 130 1.1 christos /** 131 1.1 christos * Generate a request for the IPSECKEY. 132 1.1 christos * 133 1.1 christos * @param qstate: query state that is the parent. 134 1.1 christos * @param id: module id. 135 1.1 christos * @param name: what name to query for. 136 1.1 christos * @param namelen: length of name. 137 1.1 christos * @param qtype: query type. 138 1.1 christos * @param qclass: query class. 139 1.1 christos * @param flags: additional flags, such as the CD bit (BIT_CD), or 0. 140 1.1 christos * @return false on alloc failure. 141 1.1 christos */ 142 1.1 christos static int 143 1.1 christos generate_request(struct module_qstate* qstate, int id, uint8_t* name, 144 1.1 christos size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags) 145 1.1 christos { 146 1.1 christos struct module_qstate* newq; 147 1.1 christos struct query_info ask; 148 1.1 christos ask.qname = name; 149 1.1 christos ask.qname_len = namelen; 150 1.1 christos ask.qtype = qtype; 151 1.1 christos ask.qclass = qclass; 152 1.1 christos ask.local_alias = NULL; 153 1.1 christos log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask); 154 1.1 christos fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub)); 155 1.1 christos if(!(*qstate->env->attach_sub)(qstate, &ask, 156 1.1 christos (uint16_t)(BIT_RD|flags), 0, 0, &newq)){ 157 1.1 christos log_err("Could not generate request: out of memory"); 158 1.1 christos return 0; 159 1.1 christos } 160 1.1 christos qstate->ext_state[id] = module_wait_subquery; 161 1.1 christos return 1; 162 1.1 christos } 163 1.1 christos 164 1.1 christos /** 165 1.1 christos * Prepare the data and call the hook. 166 1.1 christos * 167 1.1 christos * @param qstate: query state. 168 1.1 christos * @param iq: ipsecmod qstate. 169 1.1 christos * @param ie: ipsecmod environment. 170 1.1 christos * @return true on success, false otherwise. 171 1.1 christos */ 172 1.1 christos static int 173 1.1 christos call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, 174 1.1 christos struct ipsecmod_env* ATTR_UNUSED(ie)) 175 1.1 christos { 176 1.1 christos size_t slen, tempdata_len, tempstring_len, i; 177 1.1 christos char str[65535], *s, *tempstring; 178 1.1 christos int w; 179 1.1 christos struct ub_packed_rrset_key* rrset_key; 180 1.1 christos struct packed_rrset_data* rrset_data; 181 1.1 christos uint8_t *tempdata; 182 1.1 christos 183 1.1 christos /* Check if a shell is available */ 184 1.1 christos if(system(NULL) == 0) { 185 1.1 christos log_err("ipsecmod: no shell available for ipsecmod-hook"); 186 1.1 christos return 0; 187 1.1 christos } 188 1.1 christos 189 1.1 christos /* Zero the buffer. */ 190 1.1 christos s = str; 191 1.1 christos slen = sizeof(str); 192 1.1 christos memset(s, 0, slen); 193 1.1 christos 194 1.1 christos /* Copy the hook into the buffer. */ 195 1.1 christos sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); 196 1.1 christos /* Put space into the buffer. */ 197 1.1 christos sldns_str_print(&s, &slen, " "); 198 1.1 christos /* Copy the qname into the buffer. */ 199 1.1 christos tempstring = sldns_wire2str_dname(qstate->qinfo.qname, 200 1.1 christos qstate->qinfo.qname_len); 201 1.1 christos if(!tempstring) { 202 1.1 christos log_err("ipsecmod: out of memory when calling the hook"); 203 1.1 christos return 0; 204 1.1 christos } 205 1.1 christos sldns_str_print(&s, &slen, "\"%s\"", tempstring); 206 1.1 christos free(tempstring); 207 1.1 christos /* Put space into the buffer. */ 208 1.1 christos sldns_str_print(&s, &slen, " "); 209 1.1 christos /* Copy the IPSECKEY TTL into the buffer. */ 210 1.1 christos rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 211 1.1 christos sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl); 212 1.1 christos /* Put space into the buffer. */ 213 1.1 christos sldns_str_print(&s, &slen, " "); 214 1.1 christos /* Copy the A/AAAA record(s) into the buffer. Start and end this section 215 1.1 christos * with a double quote. */ 216 1.1 christos rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, 217 1.1 christos qstate->return_msg->rep); 218 1.1 christos rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; 219 1.1 christos sldns_str_print(&s, &slen, "\""); 220 1.1 christos for(i=0; i<rrset_data->count; i++) { 221 1.1 christos if(i > 0) { 222 1.1 christos /* Put space into the buffer. */ 223 1.1 christos sldns_str_print(&s, &slen, " "); 224 1.1 christos } 225 1.1 christos /* Ignore the first two bytes, they are the rr_data len. */ 226 1.1 christos w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, 227 1.1 christos rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype); 228 1.1 christos if(w < 0) { 229 1.1 christos /* Error in printout. */ 230 1.1 christos return -1; 231 1.1 christos } else if((size_t)w >= slen) { 232 1.1 christos s = NULL; /* We do not want str to point outside of buffer. */ 233 1.1 christos slen = 0; 234 1.1 christos return -1; 235 1.1 christos } else { 236 1.1 christos s += w; 237 1.1 christos slen -= w; 238 1.1 christos } 239 1.1 christos } 240 1.1 christos sldns_str_print(&s, &slen, "\""); 241 1.1 christos /* Put space into the buffer. */ 242 1.1 christos sldns_str_print(&s, &slen, " "); 243 1.1 christos /* Copy the IPSECKEY record(s) into the buffer. Start and end this section 244 1.1 christos * with a double quote. */ 245 1.1 christos sldns_str_print(&s, &slen, "\""); 246 1.1 christos rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 247 1.1 christos for(i=0; i<rrset_data->count; i++) { 248 1.1 christos if(i > 0) { 249 1.1 christos /* Put space into the buffer. */ 250 1.1 christos sldns_str_print(&s, &slen, " "); 251 1.1 christos } 252 1.1 christos /* Ignore the first two bytes, they are the rr_data len. */ 253 1.1 christos tempdata = rrset_data->rr_data[i] + 2; 254 1.1 christos tempdata_len = rrset_data->rr_len[i] - 2; 255 1.1 christos /* Save the buffer pointers. */ 256 1.1 christos tempstring = s; tempstring_len = slen; 257 1.1 christos w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen, 258 1.1 christos NULL, 0); 259 1.1 christos /* There was an error when parsing the IPSECKEY; reset the buffer 260 1.1 christos * pointers to their previous values. */ 261 1.1 christos if(w == -1){ 262 1.1 christos s = tempstring; slen = tempstring_len; 263 1.1 christos } 264 1.1 christos } 265 1.1 christos sldns_str_print(&s, &slen, "\""); 266 1.1 christos verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str); 267 1.1 christos /* ipsecmod-hook should return 0 on success. */ 268 1.1 christos if(system(str) != 0) 269 1.1 christos return 0; 270 1.1 christos return 1; 271 1.1 christos } 272 1.1 christos 273 1.1 christos /** 274 1.1 christos * Handle an ipsecmod module event with a query 275 1.1 christos * @param qstate: query state (from the mesh), passed between modules. 276 1.1 christos * contains qstate->env module environment with global caches and so on. 277 1.1 christos * @param iq: query state specific for this module. per-query. 278 1.1 christos * @param ie: environment specific for this module. global. 279 1.1 christos * @param id: module id. 280 1.1 christos */ 281 1.1 christos static void 282 1.1 christos ipsecmod_handle_query(struct module_qstate* qstate, 283 1.1 christos struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id) 284 1.1 christos { 285 1.1 christos struct ub_packed_rrset_key* rrset_key; 286 1.1 christos struct packed_rrset_data* rrset_data; 287 1.1 christos size_t i; 288 1.1 christos /* Pass to next module if we are not enabled and whitelisted. */ 289 1.1 christos if(!(iq->enabled && iq->is_whitelisted)) { 290 1.1 christos qstate->ext_state[id] = module_wait_module; 291 1.1 christos return; 292 1.1 christos } 293 1.1 christos /* New query, check if the query is for an A/AAAA record and disable 294 1.1 christos * caching for other modules. */ 295 1.1 christos if(!iq->ipseckey_done) { 296 1.1 christos if(qstate->qinfo.qtype == LDNS_RR_TYPE_A || 297 1.1 christos qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) { 298 1.1 christos char type[16]; 299 1.1 christos sldns_wire2str_type_buf(qstate->qinfo.qtype, type, 300 1.1 christos sizeof(type)); 301 1.1 christos verbose(VERB_ALGO, "ipsecmod: query for %s; engaging", 302 1.1 christos type); 303 1.1 christos qstate->no_cache_store = 1; 304 1.1 christos } 305 1.1 christos /* Pass request to next module. */ 306 1.1 christos qstate->ext_state[id] = module_wait_module; 307 1.1 christos return; 308 1.1 christos } 309 1.1 christos /* IPSECKEY subquery is finished. */ 310 1.1 christos /* We have an IPSECKEY answer. */ 311 1.1 christos if(iq->ipseckey_rrset) { 312 1.1 christos rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 313 1.1 christos if(rrset_data) { 314 1.1 christos /* If bogus return SERVFAIL. */ 315 1.1 christos if(!qstate->env->cfg->ipsecmod_ignore_bogus && 316 1.1 christos rrset_data->security == sec_status_bogus) { 317 1.1 christos log_err("ipsecmod: bogus IPSECKEY"); 318 1.1 christos ipsecmod_error(qstate, id); 319 1.1 christos return; 320 1.1 christos } 321 1.1 christos /* We have a valid IPSECKEY reply, call hook. */ 322 1.1 christos if(!call_hook(qstate, iq, ie) && 323 1.1 christos qstate->env->cfg->ipsecmod_strict) { 324 1.1 christos log_err("ipsecmod: ipsecmod-hook failed"); 325 1.1 christos ipsecmod_error(qstate, id); 326 1.1 christos return; 327 1.1 christos } 328 1.1 christos /* Make sure the A/AAAA's TTL is equal/less than the 329 1.1 christos * ipsecmod_max_ttl. */ 330 1.1 christos rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, 331 1.1 christos qstate->return_msg->rep); 332 1.1 christos rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; 333 1.1 christos if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) { 334 1.1 christos /* Update TTL for rrset to fixed value. */ 335 1.1 christos rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl; 336 1.1 christos for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++) 337 1.1 christos rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl; 338 1.1 christos /* Also update reply_info's TTL */ 339 1.1 christos if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) { 340 1.1 christos qstate->return_msg->rep->ttl = 341 1.1 christos qstate->env->cfg->ipsecmod_max_ttl; 342 1.1 christos qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC( 343 1.1 christos qstate->return_msg->rep->ttl); 344 1.1.1.2 christos qstate->return_msg->rep->serve_expired_ttl = qstate->return_msg->rep->ttl + 345 1.1.1.2 christos qstate->env->cfg->serve_expired_ttl; 346 1.1 christos } 347 1.1 christos } 348 1.1 christos } 349 1.1 christos } 350 1.1 christos /* Store A/AAAA in cache. */ 351 1.1 christos if(!dns_cache_store(qstate->env, &qstate->qinfo, 352 1.1 christos qstate->return_msg->rep, 0, qstate->prefetch_leeway, 353 1.1 christos 0, qstate->region, qstate->query_flags)) { 354 1.1 christos log_err("ipsecmod: out of memory caching record"); 355 1.1 christos } 356 1.1 christos qstate->ext_state[id] = module_finished; 357 1.1 christos } 358 1.1 christos 359 1.1 christos /** 360 1.1 christos * Handle an ipsecmod module event with a response from the iterator. 361 1.1 christos * @param qstate: query state (from the mesh), passed between modules. 362 1.1 christos * contains qstate->env module environment with global caches and so on. 363 1.1 christos * @param iq: query state specific for this module. per-query. 364 1.1 christos * @param ie: environment specific for this module. global. 365 1.1 christos * @param id: module id. 366 1.1 christos */ 367 1.1 christos static void 368 1.1 christos ipsecmod_handle_response(struct module_qstate* qstate, 369 1.1 christos struct ipsecmod_qstate* ATTR_UNUSED(iq), 370 1.1 christos struct ipsecmod_env* ATTR_UNUSED(ie), int id) 371 1.1 christos { 372 1.1 christos /* Pass to previous module if we are not enabled and whitelisted. */ 373 1.1 christos if(!(iq->enabled && iq->is_whitelisted)) { 374 1.1 christos qstate->ext_state[id] = module_finished; 375 1.1 christos return; 376 1.1 christos } 377 1.1 christos /* check if the response is for an A/AAAA query. */ 378 1.1 christos if((qstate->qinfo.qtype == LDNS_RR_TYPE_A || 379 1.1 christos qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) && 380 1.1 christos /* check that we had an answer for the A/AAAA query. */ 381 1.1 christos qstate->return_msg && 382 1.1 christos reply_find_answer_rrset(&qstate->return_msg->qinfo, 383 1.1 christos qstate->return_msg->rep) && 384 1.1 christos /* check that another module didn't SERVFAIL. */ 385 1.1 christos qstate->return_rcode == LDNS_RCODE_NOERROR) { 386 1.1 christos char type[16]; 387 1.1 christos sldns_wire2str_type_buf(qstate->qinfo.qtype, type, 388 1.1 christos sizeof(type)); 389 1.1 christos verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY " 390 1.1 christos "subquery", type); 391 1.1 christos /* generate an IPSECKEY query. */ 392 1.1 christos if(!generate_request(qstate, id, qstate->qinfo.qname, 393 1.1 christos qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY, 394 1.1 christos qstate->qinfo.qclass, 0)) { 395 1.1 christos log_err("ipsecmod: could not generate subquery."); 396 1.1 christos ipsecmod_error(qstate, id); 397 1.1 christos } 398 1.1 christos return; 399 1.1 christos } 400 1.1 christos /* we are done with the query. */ 401 1.1 christos qstate->ext_state[id] = module_finished; 402 1.1 christos } 403 1.1 christos 404 1.1 christos void 405 1.1 christos ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id, 406 1.1 christos struct outbound_entry* outbound) 407 1.1 christos { 408 1.1 christos struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id]; 409 1.1 christos struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id]; 410 1.1 christos verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s", 411 1.1 christos id, strextstate(qstate->ext_state[id]), strmodulevent(event)); 412 1.1 christos if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query", 413 1.1 christos &qstate->qinfo); 414 1.1 christos 415 1.1 christos /* create ipsecmod_qstate. */ 416 1.1 christos if((event == module_event_new || event == module_event_pass) && 417 1.1 christos iq == NULL) { 418 1.1 christos if(!ipsecmod_new(qstate, id)) { 419 1.1 christos ipsecmod_error(qstate, id); 420 1.1 christos return; 421 1.1 christos } 422 1.1 christos iq = (struct ipsecmod_qstate*)qstate->minfo[id]; 423 1.1 christos } 424 1.1 christos if(iq && (event == module_event_pass || event == module_event_new)) { 425 1.1 christos ipsecmod_handle_query(qstate, iq, ie, id); 426 1.1 christos return; 427 1.1 christos } 428 1.1 christos if(iq && (event == module_event_moddone)) { 429 1.1 christos ipsecmod_handle_response(qstate, iq, ie, id); 430 1.1 christos return; 431 1.1 christos } 432 1.1 christos if(iq && outbound) { 433 1.1 christos /* cachedb does not need to process responses at this time 434 1.1 christos * ignore it. 435 1.1 christos cachedb_process_response(qstate, iq, ie, id, outbound, event); 436 1.1 christos */ 437 1.1 christos return; 438 1.1 christos } 439 1.1 christos if(event == module_event_error) { 440 1.1 christos verbose(VERB_ALGO, "got called with event error, giving up"); 441 1.1 christos ipsecmod_error(qstate, id); 442 1.1 christos return; 443 1.1 christos } 444 1.1 christos if(!iq && (event == module_event_moddone)) { 445 1.1 christos /* during priming, module done but we never started. */ 446 1.1 christos qstate->ext_state[id] = module_finished; 447 1.1 christos return; 448 1.1 christos } 449 1.1 christos 450 1.1 christos log_err("ipsecmod: bad event %s", strmodulevent(event)); 451 1.1 christos ipsecmod_error(qstate, id); 452 1.1 christos return; 453 1.1 christos } 454 1.1 christos 455 1.1 christos void 456 1.1 christos ipsecmod_inform_super(struct module_qstate* qstate, int id, 457 1.1 christos struct module_qstate* super) 458 1.1 christos { 459 1.1 christos struct ipsecmod_qstate* siq; 460 1.1 christos log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is", 461 1.1 christos &qstate->qinfo); 462 1.1 christos log_query_info(VERB_ALGO, "super is", &super->qinfo); 463 1.1 christos siq = (struct ipsecmod_qstate*)super->minfo[id]; 464 1.1 christos if(!siq) { 465 1.1 christos verbose(VERB_ALGO, "super has no ipsecmod state"); 466 1.1 christos return; 467 1.1 christos } 468 1.1 christos 469 1.1 christos if(qstate->return_msg) { 470 1.1 christos struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset( 471 1.1 christos &qstate->return_msg->qinfo, qstate->return_msg->rep); 472 1.1 christos if(rrset_key) { 473 1.1 christos /* We have an answer. */ 474 1.1 christos /* Copy to super's region. */ 475 1.1 christos rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0); 476 1.1 christos siq->ipseckey_rrset = rrset_key; 477 1.1 christos if(!rrset_key) { 478 1.1 christos log_err("ipsecmod: out of memory."); 479 1.1 christos } 480 1.1 christos } 481 1.1 christos } 482 1.1 christos /* Notify super to proceed. */ 483 1.1 christos siq->ipseckey_done = 1; 484 1.1 christos } 485 1.1 christos 486 1.1 christos void 487 1.1 christos ipsecmod_clear(struct module_qstate* qstate, int id) 488 1.1 christos { 489 1.1 christos if(!qstate) 490 1.1 christos return; 491 1.1 christos qstate->minfo[id] = NULL; 492 1.1 christos } 493 1.1 christos 494 1.1 christos size_t 495 1.1 christos ipsecmod_get_mem(struct module_env* env, int id) 496 1.1 christos { 497 1.1 christos struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id]; 498 1.1 christos if(!ie) 499 1.1 christos return 0; 500 1.1 christos return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist); 501 1.1 christos } 502 1.1 christos 503 1.1 christos /** 504 1.1 christos * The ipsecmod function block 505 1.1 christos */ 506 1.1 christos static struct module_func_block ipsecmod_block = { 507 1.1 christos "ipsecmod", 508 1.1 christos &ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate, 509 1.1 christos &ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem 510 1.1 christos }; 511 1.1 christos 512 1.1 christos struct module_func_block* 513 1.1 christos ipsecmod_get_funcblock(void) 514 1.1 christos { 515 1.1 christos return &ipsecmod_block; 516 1.1 christos } 517 1.1 christos #endif /* USE_IPSECMOD */ 518
Indexes created Thu Apr 02 00:23:07 UTC 2026