search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Cache control file
[tor/appveyor.git] / src / or / dnsserv.c
blob7e344deeab2f00b364f83c95bda5cb93a2913a61
1 /* Copyright (c) 2007-2017, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 /**
5 * \file dnsserv.c
6 * \brief Implements client-side DNS proxy server code.
7 *
8 * When a user enables the DNSPort configuration option to have their local
9 * Tor client handle DNS requests, this module handles it. It functions as a
10 * "DNS Server" on the client side, which client applications use.
11 *
12 * Inbound DNS requests are represented as entry_connection_t here (since
13 * that's how Tor represents client-side streams), which are kept associated
14 * with an evdns_server_request structure as exposed by Libevent's
15 * evdns code.
16 *
17 * Upon receiving a DNS request, libevent calls our evdns_server_callback()
18 * function here, which causes this module to create an entry_connection_t
19 * request as appropriate. Later, when that request is answered,
20 * connection_edge.c calls dnsserv_resolved() so we can finish up and tell the
21 * DNS client.
22 **/
23
24 #include "or.h"
25 #include "dnsserv.h"
26 #include "config.h"
27 #include "connection.h"
28 #include "connection_edge.h"
29 #include "control.h"
30 #include "main.h"
31 #include "policies.h"
32 #include <event2/dns.h>
33 #include <event2/dns_compat.h>
34 /* XXXX this implies we want an improved evdns */
35 #include <event2/dns_struct.h>
36
37 /** Helper function: called by evdns whenever the client sends a request to our
38 * DNSPort. We need to eventually answer the request <b>req</b>.
39 */
40 static void
41 evdns_server_callback(struct evdns_server_request *req, void *data_)
42 {
43 const listener_connection_t *listener = data_;
44 entry_connection_t *entry_conn;
45 edge_connection_t *conn;
46 int i = 0;
47 struct evdns_server_question *q = NULL, *supported_q = NULL;
48 struct sockaddr_storage addr;
49 struct sockaddr *sa;
50 int addrlen;
51 tor_addr_t tor_addr;
52 uint16_t port;
53 int err = DNS_ERR_NONE;
54 char *q_name;
55
56 tor_assert(req);
57
58 log_info(LD_APP, "Got a new DNS request!");
59
60 req->flags |= 0x80; /* set RA */
61
62 /* First, check whether the requesting address matches our SOCKSPolicy. */
63 if ((addrlen = evdns_server_request_get_requesting_addr(req,
64 (struct sockaddr*)&addr, (socklen_t)sizeof(addr))) < 0) {
65 log_warn(LD_APP, "Couldn't get requesting address.");
66 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
67 return;
68 }
69 (void) addrlen;
70 sa = (struct sockaddr*) &addr;
71 if (tor_addr_from_sockaddr(&tor_addr, sa, &port)<0) {
72 log_warn(LD_APP, "Requesting address wasn't recognized.");
73 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
74 return;
75 }
76
77 if (!socks_policy_permits_address(&tor_addr)) {
78 log_warn(LD_APP, "Rejecting DNS request from disallowed IP.");
79 evdns_server_request_respond(req, DNS_ERR_REFUSED);
80 return;
81 }
82
83 /* Now, let's find the first actual question of a type we can answer in this
84 * DNS request. It makes us a little noncompliant to act like this; we
85 * should fix that eventually if it turns out to make a difference for
86 * anybody. */
87 if (req->nquestions == 0) {
88 log_info(LD_APP, "No questions in DNS request; sending back nil reply.");
89 evdns_server_request_respond(req, 0);
90 return;
91 }
92 if (req->nquestions > 1) {
93 log_info(LD_APP, "Got a DNS request with more than one question; I only "
94 "handle one question at a time for now. Skipping the extras.");
95 }
96 for (i = 0; i < req->nquestions; ++i) {
97 if (req->questions[i]->dns_question_class != EVDNS_CLASS_INET)
98 continue;
99 switch (req->questions[i]->type) {
100 case EVDNS_TYPE_A:
101 case EVDNS_TYPE_AAAA:
102 case EVDNS_TYPE_PTR:
103 /* We always pick the first one of these questions, if there is
104 one. */
105 if (! supported_q)
106 supported_q = req->questions[i];
107 break;
108 default:
109 break;
110 }
111 }
112 if (supported_q)
113 q = supported_q;
114 if (!q) {
115 log_info(LD_APP, "None of the questions we got were ones we're willing "
116 "to support. Sending NOTIMPL.");
117 evdns_server_request_respond(req, DNS_ERR_NOTIMPL);
118 return;
119 }
120
121 /* Make sure the name isn't too long: This should be impossible, I think. */
122 if (err == DNS_ERR_NONE && strlen(q->name) > MAX_SOCKS_ADDR_LEN-1)
123 err = DNS_ERR_FORMAT;
124
125 if (err != DNS_ERR_NONE || !supported_q) {
126 /* We got an error? There's no question we're willing to answer? Then
127 * send back an answer immediately; we're done. */
128 evdns_server_request_respond(req, err);
129 return;
130 }
131
132 /* Make a new dummy AP connection, and attach the request to it. */
133 entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);
134 conn = ENTRY_TO_EDGE_CONN(entry_conn);
135 CONNECTION_AP_EXPECT_NONPENDING(entry_conn);
136 TO_CONN(conn)->state = AP_CONN_STATE_RESOLVE_WAIT;
137 conn->is_dns_request = 1;
138
139 tor_addr_copy(&TO_CONN(conn)->addr, &tor_addr);
140 TO_CONN(conn)->port = port;
141 TO_CONN(conn)->address = tor_addr_to_str_dup(&tor_addr);
142
143 if (q->type == EVDNS_TYPE_A || q->type == EVDNS_TYPE_AAAA ||
144 q->type == EVDNS_QTYPE_ALL) {
145 entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE;
146 } else {
147 tor_assert(q->type == EVDNS_TYPE_PTR);
148 entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE_PTR;
149 }
150
151 /* This serves our DNS port so enable DNS request by default. */
152 entry_conn->entry_cfg.dns_request = 1;
153 if (q->type == EVDNS_TYPE_A || q->type == EVDNS_QTYPE_ALL) {
154 entry_conn->entry_cfg.ipv4_traffic = 1;
155 entry_conn->entry_cfg.ipv6_traffic = 0;
156 entry_conn->entry_cfg.prefer_ipv6 = 0;
157 } else if (q->type == EVDNS_TYPE_AAAA) {
158 entry_conn->entry_cfg.ipv4_traffic = 0;
159 entry_conn->entry_cfg.ipv6_traffic = 1;
160 entry_conn->entry_cfg.prefer_ipv6 = 1;
161 }
162
163 strlcpy(entry_conn->socks_request->address, q->name,
164 sizeof(entry_conn->socks_request->address));
165
166 entry_conn->socks_request->listener_type = listener->base_.type;
167 entry_conn->dns_server_request = req;
168 entry_conn->entry_cfg.isolation_flags = listener->entry_cfg.isolation_flags;
169 entry_conn->entry_cfg.session_group = listener->entry_cfg.session_group;
170 entry_conn->nym_epoch = get_signewnym_epoch();
171
172 if (connection_add(ENTRY_TO_CONN(entry_conn)) < 0) {
173 log_warn(LD_APP, "Couldn't register dummy connection for DNS request");
174 evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
175 connection_free_(ENTRY_TO_CONN(entry_conn));
176 return;
177 }
178
179 control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);
180
181 /* Now, unless a controller asked us to leave streams unattached,
182 * throw the connection over to get rewritten (which will
183 * answer it immediately if it's in the cache, or completely bogus, or
184 * automapped), and then attached to a circuit. */
185 log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
186 escaped_safe_str_client(q->name));
187 q_name = tor_strdup(q->name); /* q could be freed in rewrite_and_attach */
188 connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);
189 /* Now, the connection is marked if it was bad. */
190
191 log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
192 escaped_safe_str_client(q_name));
193 tor_free(q_name);
194 }
195
196 /** Helper function: called whenever the client sends a resolve request to our
197 * controller. We need to eventually answer the request <b>req</b>.
198 * Returns 0 if the controller will be getting (or has gotten) an event in
199 * response; -1 if we couldn't launch the request.
200 */
201 int
202 dnsserv_launch_request(const char *name, int reverse,
203 control_connection_t *control_conn)
204 {
205 entry_connection_t *entry_conn;
206 edge_connection_t *conn;
207 char *q_name;
208
209 /* Make a new dummy AP connection, and attach the request to it. */
210 entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);
211 entry_conn->entry_cfg.dns_request = 1;
212 conn = ENTRY_TO_EDGE_CONN(entry_conn);
213 CONNECTION_AP_EXPECT_NONPENDING(entry_conn);
214 conn->base_.state = AP_CONN_STATE_RESOLVE_WAIT;
215
216 tor_addr_copy(&TO_CONN(conn)->addr, &control_conn->base_.addr);
217 #ifdef AF_UNIX
218 /*
219 * The control connection can be AF_UNIX and if so tor_addr_to_str_dup will
220 * unhelpfully say "<unknown address type>"; say "(Tor_internal)"
221 * instead.
222 */
223 if (control_conn->base_.socket_family == AF_UNIX) {
224 TO_CONN(conn)->port = 0;
225 TO_CONN(conn)->address = tor_strdup("(Tor_internal)");
226 } else {
227 TO_CONN(conn)->port = control_conn->base_.port;
228 TO_CONN(conn)->address = tor_addr_to_str_dup(&control_conn->base_.addr);
229 }
230 #else /* !(defined(AF_UNIX)) */
231 TO_CONN(conn)->port = control_conn->base_.port;
232 TO_CONN(conn)->address = tor_addr_to_str_dup(&control_conn->base_.addr);
233 #endif /* defined(AF_UNIX) */
234
235 if (reverse)
236 entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE_PTR;
237 else
238 entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE;
239
240 conn->is_dns_request = 1;
241
242 strlcpy(entry_conn->socks_request->address, name,
243 sizeof(entry_conn->socks_request->address));
244
245 entry_conn->socks_request->listener_type = CONN_TYPE_CONTROL_LISTENER;
246 entry_conn->original_dest_address = tor_strdup(name);
247 entry_conn->entry_cfg.session_group = SESSION_GROUP_CONTROL_RESOLVE;
248 entry_conn->nym_epoch = get_signewnym_epoch();
249 entry_conn->entry_cfg.isolation_flags = ISO_DEFAULT;
250
251 if (connection_add(TO_CONN(conn))<0) {
252 log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");
253 connection_free_(TO_CONN(conn));
254 return -1;
255 }
256
257 control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);
258
259 /* Now, unless a controller asked us to leave streams unattached,
260 * throw the connection over to get rewritten (which will
261 * answer it immediately if it's in the cache, or completely bogus, or
262 * automapped), and then attached to a circuit. */
263 log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
264 escaped_safe_str_client(name));
265 q_name = tor_strdup(name); /* q could be freed in rewrite_and_attach */
266 connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);
267 /* Now, the connection is marked if it was bad. */
268
269 log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
270 escaped_safe_str_client(q_name));
271 tor_free(q_name);
272 return 0;
273 }
274
275 /** If there is a pending request on <b>conn</b> that's waiting for an answer,
276 * send back an error and free the request. */
277 void
278 dnsserv_reject_request(entry_connection_t *conn)
279 {
280 if (conn->dns_server_request) {
281 evdns_server_request_respond(conn->dns_server_request,
282 DNS_ERR_SERVERFAILED);
283 conn->dns_server_request = NULL;
284 }
285 }
286
287 /** Look up the original name that corresponds to 'addr' in req. We use this
288 * to preserve case in order to facilitate clients using 0x20-hacks to avoid
289 * DNS poisoning. */
290 static const char *
291 evdns_get_orig_address(const struct evdns_server_request *req,
292 int rtype, const char *addr)
293 {
294 int i, type;
295
296 switch (rtype) {
297 case RESOLVED_TYPE_IPV4:
298 type = EVDNS_TYPE_A;
299 break;
300 case RESOLVED_TYPE_HOSTNAME:
301 type = EVDNS_TYPE_PTR;
302 break;
303 case RESOLVED_TYPE_IPV6:
304 type = EVDNS_TYPE_AAAA;
305 break;
306 case RESOLVED_TYPE_ERROR:
307 case RESOLVED_TYPE_ERROR_TRANSIENT:
308 /* Addr doesn't matter, since we're not sending it back in the reply.*/
309 return addr;
310 default:
311 tor_fragile_assert();
312 return addr;
313 }
314
315 for (i = 0; i < req->nquestions; ++i) {
316 const struct evdns_server_question *q = req->questions[i];
317 if (q->type == type && !strcasecmp(q->name, addr))
318 return q->name;
319 }
320 return addr;
321 }
322
323 /** Tell the dns request waiting for an answer on <b>conn</b> that we have an
324 * answer of type <b>answer_type</b> (RESOLVE_TYPE_IPV4/IPV6/ERR), of length
325 * <b>answer_len</b>, in <b>answer</b>, with TTL <b>ttl</b>. Doesn't do
326 * any caching; that's handled elsewhere. */
327 void
328 dnsserv_resolved(entry_connection_t *conn,
329 int answer_type,
330 size_t answer_len,
331 const char *answer,
332 int ttl)
333 {
334 struct evdns_server_request *req = conn->dns_server_request;
335 const char *name;
336 int err = DNS_ERR_NONE;
337 if (!req)
338 return;
339 name = evdns_get_orig_address(req, answer_type,
340 conn->socks_request->address);
341
342 /* XXXX Re-do; this is dumb. */
343 if (ttl < 60)
344 ttl = 60;
345
346 /* The evdns interface is: add a bunch of reply items (corresponding to one
347 * or more of the questions in the request); then, call
348 * evdns_server_request_respond. */
349 if (answer_type == RESOLVED_TYPE_IPV6) {
350 evdns_server_request_add_aaaa_reply(req,
351 name,
352 1, answer, ttl);
353 } else if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4 &&
354 conn->socks_request->command == SOCKS_COMMAND_RESOLVE) {
355 evdns_server_request_add_a_reply(req,
356 name,
357 1, answer, ttl);
358 } else if (answer_type == RESOLVED_TYPE_HOSTNAME &&
359 answer_len < 256 &&
360 conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR) {
361 char *ans = tor_strndup(answer, answer_len);
362 evdns_server_request_add_ptr_reply(req, NULL,
363 name,
364 ans, ttl);
365 tor_free(ans);
366 } else if (answer_type == RESOLVED_TYPE_ERROR) {
367 err = DNS_ERR_NOTEXIST;
368 } else { /* answer_type == RESOLVED_TYPE_ERROR_TRANSIENT */
369 err = DNS_ERR_SERVERFAILED;
370 }
371
372 evdns_server_request_respond(req, err);
373
374 conn->dns_server_request = NULL;
375 }
376
377 /** Set up the evdns server port for the UDP socket on <b>conn</b>, which
378 * must be an AP_DNS_LISTENER */
379 void
380 dnsserv_configure_listener(connection_t *conn)
381 {
382 listener_connection_t *listener_conn;
383 tor_assert(conn);
384 tor_assert(SOCKET_OK(conn->s));
385 tor_assert(conn->type == CONN_TYPE_AP_DNS_LISTENER);
386
387 listener_conn = TO_LISTENER_CONN(conn);
388 listener_conn->dns_server_port =
389 tor_evdns_add_server_port(conn->s, 0, evdns_server_callback,
390 listener_conn);
391 }
392
393 /** Free the evdns server port for <b>conn</b>, which must be an
394 * AP_DNS_LISTENER. */
395 void
396 dnsserv_close_listener(connection_t *conn)
397 {
398 listener_connection_t *listener_conn;
399 tor_assert(conn);
400 tor_assert(conn->type == CONN_TYPE_AP_DNS_LISTENER);
401
402 listener_conn = TO_LISTENER_CONN(conn);
403
404 if (listener_conn->dns_server_port) {
405 evdns_close_server_port(listener_conn->dns_server_port);
406 listener_conn->dns_server_port = NULL;
407 }
408 }
409
Add tor CI config for AppVeyor