search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
In routerlist_assert_ok(), check r2 before taking &(r2->cache_info)
[tor.git] / src / or / dnsserv.c
blobecd45be77c29f5b3b174ac7bffaa335f97ee54c2
1 /* Copyright (c) 2007-2013, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 /**
5 * \file dnsserv.c \brief Implements client-side DNS proxy server code. Note:
6 * this is the DNS Server code, not the Server DNS code. Confused? This code
7 * runs on client-side, and acts as a DNS server. The code in dns.c, on the
8 * other hand, runs on Tor servers, and acts as a DNS client.
9 **/
10
11 #include "or.h"
12 #include "dnsserv.h"
13 #include "config.h"
14 #include "connection.h"
15 #include "connection_edge.h"
16 #include "control.h"
17 #include "main.h"
18 #include "policies.h"
19 #ifdef HAVE_EVENT2_DNS_H
20 #include <event2/dns.h>
21 #include <event2/dns_compat.h>
22 /* XXXX this implies we want an improved evdns */
23 #include <event2/dns_struct.h>
24 #else
25 #include "eventdns.h"
26 #endif
27
28 /** Helper function: called by evdns whenever the client sends a request to our
29 * DNSPort. We need to eventually answer the request <b>req</b>.
30 */
31 static void
32 evdns_server_callback(struct evdns_server_request *req, void *data_)
33 {
34 const listener_connection_t *listener = data_;
35 entry_connection_t *entry_conn;
36 edge_connection_t *conn;
37 int i = 0;
38 struct evdns_server_question *q = NULL, *supported_q = NULL;
39 struct sockaddr_storage addr;
40 struct sockaddr *sa;
41 int addrlen;
42 tor_addr_t tor_addr;
43 uint16_t port;
44 int err = DNS_ERR_NONE;
45 char *q_name;
46
47 tor_assert(req);
48
49 log_info(LD_APP, "Got a new DNS request!");
50
51 req->flags |= 0x80; /* set RA */
52
53 /* First, check whether the requesting address matches our SOCKSPolicy. */
54 if ((addrlen = evdns_server_request_get_requesting_addr(req,
55 (struct sockaddr*)&addr, (socklen_t)sizeof(addr))) < 0) {
56 log_warn(LD_APP, "Couldn't get requesting address.");
57 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
58 return;
59 }
60 (void) addrlen;
61 sa = (struct sockaddr*) &addr;
62 if (tor_addr_from_sockaddr(&tor_addr, sa, &port)<0) {
63 log_warn(LD_APP, "Requesting address wasn't recognized.");
64 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
65 return;
66 }
67
68 if (!socks_policy_permits_address(&tor_addr)) {
69 log_warn(LD_APP, "Rejecting DNS request from disallowed IP.");
70 evdns_server_request_respond(req, DNS_ERR_REFUSED);
71 return;
72 }
73
74 /* Now, let's find the first actual question of a type we can answer in this
75 * DNS request. It makes us a little noncompliant to act like this; we
76 * should fix that eventually if it turns out to make a difference for
77 * anybody. */
78 if (req->nquestions == 0) {
79 log_info(LD_APP, "No questions in DNS request; sending back nil reply.");
80 evdns_server_request_respond(req, 0);
81 return;
82 }
83 if (req->nquestions > 1) {
84 log_info(LD_APP, "Got a DNS request with more than one question; I only "
85 "handle one question at a time for now. Skipping the extras.");
86 }
87 for (i = 0; i < req->nquestions; ++i) {
88 if (req->questions[i]->dns_question_class != EVDNS_CLASS_INET)
89 continue;
90 if (! q)
91 q = req->questions[i];
92 switch (req->questions[i]->type) {
93 case EVDNS_TYPE_A:
94 case EVDNS_TYPE_AAAA:
95 case EVDNS_TYPE_PTR:
96 /* We always pick the first one of these questions, if there is
97 one. */
98 if (! supported_q)
99 supported_q = q;
100 break;
101 default:
102 break;
103 }
104 }
105 if (supported_q)
106 q = supported_q;
107 if (!q) {
108 log_info(LD_APP, "None of the questions we got were ones we're willing "
109 "to support. Sending NOTIMPL.");
110 evdns_server_request_respond(req, DNS_ERR_NOTIMPL);
111 return;
112 }
113
114 /* Make sure the name isn't too long: This should be impossible, I think. */
115 if (err == DNS_ERR_NONE && strlen(q->name) > MAX_SOCKS_ADDR_LEN-1)
116 err = DNS_ERR_FORMAT;
117
118 if (err != DNS_ERR_NONE || !supported_q) {
119 /* We got an error? There's no question we're willing to answer? Then
120 * send back an answer immediately; we're done. */
121 evdns_server_request_respond(req, err);
122 return;
123 }
124
125 /* Make a new dummy AP connection, and attach the request to it. */
126 entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);
127 conn = ENTRY_TO_EDGE_CONN(entry_conn);
128 TO_CONN(conn)->state = AP_CONN_STATE_RESOLVE_WAIT;
129 conn->is_dns_request = 1;
130
131 tor_addr_copy(&TO_CONN(conn)->addr, &tor_addr);
132 TO_CONN(conn)->port = port;
133 TO_CONN(conn)->address = tor_dup_addr(&tor_addr);
134
135 if (q->type == EVDNS_TYPE_A || q->type == EVDNS_TYPE_AAAA ||
136 q->type == EVDNS_QTYPE_ALL) {
137 entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE;
138 } else {
139 tor_assert(q->type == EVDNS_TYPE_PTR);
140 entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE_PTR;
141 }
142
143 if (q->type == EVDNS_TYPE_A || q->type == EVDNS_QTYPE_ALL) {
144 entry_conn->ipv4_traffic_ok = 1;
145 entry_conn->ipv6_traffic_ok = 0;
146 entry_conn->prefer_ipv6_traffic = 0;
147 } else if (q->type == EVDNS_TYPE_AAAA) {
148 entry_conn->ipv4_traffic_ok = 0;
149 entry_conn->ipv6_traffic_ok = 1;
150 entry_conn->prefer_ipv6_traffic = 1;
151 }
152
153 strlcpy(entry_conn->socks_request->address, q->name,
154 sizeof(entry_conn->socks_request->address));
155
156 entry_conn->socks_request->listener_type = listener->base_.type;
157 entry_conn->dns_server_request = req;
158 entry_conn->isolation_flags = listener->isolation_flags;
159 entry_conn->session_group = listener->session_group;
160 entry_conn->nym_epoch = get_signewnym_epoch();
161
162 if (connection_add(ENTRY_TO_CONN(entry_conn)) < 0) {
163 log_warn(LD_APP, "Couldn't register dummy connection for DNS request");
164 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
165 connection_free(ENTRY_TO_CONN(entry_conn));
166 return;
167 }
168
169 control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);
170
171 /* Now, unless a controller asked us to leave streams unattached,
172 * throw the connection over to get rewritten (which will
173 * answer it immediately if it's in the cache, or completely bogus, or
174 * automapped), and then attached to a circuit. */
175 log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
176 escaped_safe_str_client(q->name));
177 q_name = tor_strdup(q->name); /* q could be freed in rewrite_and_attach */
178 connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);
179 /* Now, the connection is marked if it was bad. */
180
181 log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
182 escaped_safe_str_client(q_name));
183 tor_free(q_name);
184 }
185
186 /** Helper function: called whenever the client sends a resolve request to our
187 * controller. We need to eventually answer the request <b>req</b>.
188 * Returns 0 if the controller will be getting (or has gotten) an event in
189 * response; -1 if we couldn't launch the request.
190 */
191 int
192 dnsserv_launch_request(const char *name, int reverse,
193 control_connection_t *control_conn)
194 {
195 entry_connection_t *entry_conn;
196 edge_connection_t *conn;
197 char *q_name;
198
199 /* Make a new dummy AP connection, and attach the request to it. */
200 entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);
201 conn = ENTRY_TO_EDGE_CONN(entry_conn);
202 conn->base_.state = AP_CONN_STATE_RESOLVE_WAIT;
203
204 tor_addr_copy(&TO_CONN(conn)->addr, &control_conn->base_.addr);
205 #ifdef AF_UNIX
206 /*
207 * The control connection can be AF_UNIX and if so tor_dup_addr will
208 * unhelpfully say "<unknown address type>"; say "(Tor_internal)"
209 * instead.
210 */
211 if (control_conn->base_.socket_family == AF_UNIX) {
212 TO_CONN(conn)->port = 0;
213 TO_CONN(conn)->address = tor_strdup("(Tor_internal)");
214 } else {
215 TO_CONN(conn)->port = control_conn->base_.port;
216 TO_CONN(conn)->address = tor_dup_addr(&control_conn->base_.addr);
217 }
218 #else
219 TO_CONN(conn)->port = control_conn->base_.port;
220 TO_CONN(conn)->address = tor_dup_addr(&control_conn->base_.addr);
221 #endif
222
223 if (reverse)
224 entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE_PTR;
225 else
226 entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE;
227
228 conn->is_dns_request = 1;
229
230 strlcpy(entry_conn->socks_request->address, name,
231 sizeof(entry_conn->socks_request->address));
232
233 entry_conn->socks_request->listener_type = CONN_TYPE_CONTROL_LISTENER;
234 entry_conn->original_dest_address = tor_strdup(name);
235 entry_conn->session_group = SESSION_GROUP_CONTROL_RESOLVE;
236 entry_conn->nym_epoch = get_signewnym_epoch();
237 entry_conn->isolation_flags = ISO_DEFAULT;
238
239 if (connection_add(TO_CONN(conn))<0) {
240 log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");
241 connection_free(TO_CONN(conn));
242 return -1;
243 }
244
245 control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);
246
247 /* Now, unless a controller asked us to leave streams unattached,
248 * throw the connection over to get rewritten (which will
249 * answer it immediately if it's in the cache, or completely bogus, or
250 * automapped), and then attached to a circuit. */
251 log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
252 escaped_safe_str_client(name));
253 q_name = tor_strdup(name); /* q could be freed in rewrite_and_attach */
254 connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);
255 /* Now, the connection is marked if it was bad. */
256
257 log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
258 escaped_safe_str_client(q_name));
259 tor_free(q_name);
260 return 0;
261 }
262
263 /** If there is a pending request on <b>conn</b> that's waiting for an answer,
264 * send back an error and free the request. */
265 void
266 dnsserv_reject_request(entry_connection_t *conn)
267 {
268 if (conn->dns_server_request) {
269 evdns_server_request_respond(conn->dns_server_request,
270 DNS_ERR_SERVERFAILED);
271 conn->dns_server_request = NULL;
272 }
273 }
274
275 /** Look up the original name that corresponds to 'addr' in req. We use this
276 * to preserve case in order to facilitate people using 0x20-hacks to avoid
277 * DNS poisoning. */
278 static const char *
279 evdns_get_orig_address(const struct evdns_server_request *req,
280 int rtype, const char *addr)
281 {
282 int i, type;
283
284 switch (rtype) {
285 case RESOLVED_TYPE_IPV4:
286 type = EVDNS_TYPE_A;
287 break;
288 case RESOLVED_TYPE_HOSTNAME:
289 type = EVDNS_TYPE_PTR;
290 break;
291 case RESOLVED_TYPE_IPV6:
292 type = EVDNS_TYPE_AAAA;
293 break;
294 default:
295 tor_fragile_assert();
296 return addr;
297 }
298
299 for (i = 0; i < req->nquestions; ++i) {
300 const struct evdns_server_question *q = req->questions[i];
301 if (q->type == type && !strcasecmp(q->name, addr))
302 return q->name;
303 }
304 return addr;
305 }
306
307 /** Tell the dns request waiting for an answer on <b>conn</b> that we have an
308 * answer of type <b>answer_type</b> (RESOLVE_TYPE_IPV4/IPV6/ERR), of length
309 * <b>answer_len</b>, in <b>answer</b>, with TTL <b>ttl</b>. Doesn't do
310 * any caching; that's handled elsewhere. */
311 void
312 dnsserv_resolved(entry_connection_t *conn,
313 int answer_type,
314 size_t answer_len,
315 const char *answer,
316 int ttl)
317 {
318 struct evdns_server_request *req = conn->dns_server_request;
319 const char *name;
320 int err = DNS_ERR_NONE;
321 if (!req)
322 return;
323 name = evdns_get_orig_address(req, answer_type,
324 conn->socks_request->address);
325
326 /* XXXX Re-do; this is dumb. */
327 if (ttl < 60)
328 ttl = 60;
329
330 /* The evdns interface is: add a bunch of reply items (corresponding to one
331 * or more of the questions in the request); then, call
332 * evdns_server_request_respond. */
333 if (answer_type == RESOLVED_TYPE_IPV6) {
334 evdns_server_request_add_aaaa_reply(req,
335 name,
336 1, answer, ttl);
337 } else if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4 &&
338 conn->socks_request->command == SOCKS_COMMAND_RESOLVE) {
339 evdns_server_request_add_a_reply(req,
340 name,
341 1, answer, ttl);
342 } else if (answer_type == RESOLVED_TYPE_HOSTNAME &&
343 answer_len < 256 &&
344 conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR) {
345 char *ans = tor_strndup(answer, answer_len);
346 evdns_server_request_add_ptr_reply(req, NULL,
347 name,
348 ans, ttl);
349 tor_free(ans);
350 } else if (answer_type == RESOLVED_TYPE_ERROR) {
351 err = DNS_ERR_NOTEXIST;
352 } else { /* answer_type == RESOLVED_TYPE_ERROR_TRANSIENT */
353 err = DNS_ERR_SERVERFAILED;
354 }
355
356 evdns_server_request_respond(req, err);
357
358 conn->dns_server_request = NULL;
359 }
360
361 /** Set up the evdns server port for the UDP socket on <b>conn</b>, which
362 * must be an AP_DNS_LISTENER */
363 void
364 dnsserv_configure_listener(connection_t *conn)
365 {
366 listener_connection_t *listener_conn;
367 tor_assert(conn);
368 tor_assert(SOCKET_OK(conn->s));
369 tor_assert(conn->type == CONN_TYPE_AP_DNS_LISTENER);
370
371 listener_conn = TO_LISTENER_CONN(conn);
372 listener_conn->dns_server_port =
373 tor_evdns_add_server_port(conn->s, 0, evdns_server_callback,
374 listener_conn);
375 }
376
377 /** Free the evdns server port for <b>conn</b>, which must be an
378 * AP_DNS_LISTENER. */
379 void
380 dnsserv_close_listener(connection_t *conn)
381 {
382 listener_connection_t *listener_conn;
383 tor_assert(conn);
384 tor_assert(conn->type == CONN_TYPE_AP_DNS_LISTENER);
385
386 listener_conn = TO_LISTENER_CONN(conn);
387
388 if (listener_conn->dns_server_port) {
389 evdns_close_server_port(listener_conn->dns_server_port);
390 listener_conn->dns_server_port = NULL;
391 }
392 }
393
The Onion Router