diff options
Diffstat (limited to 'src/service/dns')
-rw-r--r-- | src/service/dns/.gitignore | 7 | ||||
-rw-r--r-- | src/service/dns/Makefile.am | 83 | ||||
-rw-r--r-- | src/service/dns/dns.conf.in | 34 | ||||
-rw-r--r-- | src/service/dns/dns.h | 99 | ||||
-rw-r--r-- | src/service/dns/dns_api.c | 381 | ||||
-rw-r--r-- | src/service/dns/gnunet-dns-monitor.c | 411 | ||||
-rw-r--r-- | src/service/dns/gnunet-dns-redirector.c | 267 | ||||
-rw-r--r-- | src/service/dns/gnunet-helper-dns.c | 1195 | ||||
-rw-r--r-- | src/service/dns/gnunet-service-dns.c | 1272 | ||||
-rw-r--r-- | src/service/dns/gnunet-zonewalk.c | 616 | ||||
-rw-r--r-- | src/service/dns/meson.build | 63 | ||||
-rwxr-xr-x | src/service/dns/test_gnunet_dns.sh | 68 |
12 files changed, 4496 insertions, 0 deletions
diff --git a/src/service/dns/.gitignore b/src/service/dns/.gitignore new file mode 100644 index 000000000..d3a62470e --- /dev/null +++ b/src/service/dns/.gitignore | |||
@@ -0,0 +1,7 @@ | |||
1 | gnunet-service-dns | ||
2 | gnunet-dns-monitor | ||
3 | gnunet-dns-redirector | ||
4 | gnunet-helper-dns | ||
5 | test_hexcoder | ||
6 | gnunet-zoneimport | ||
7 | gnunet-zonewalk | ||
diff --git a/src/service/dns/Makefile.am b/src/service/dns/Makefile.am new file mode 100644 index 000000000..0d07b9e5e --- /dev/null +++ b/src/service/dns/Makefile.am | |||
@@ -0,0 +1,83 @@ | |||
1 | # This Makefile.am is in the public domain | ||
2 | AM_CPPFLAGS = -I$(top_srcdir)/src/include | ||
3 | |||
4 | if USE_COVERAGE | ||
5 | AM_CFLAGS = --coverage -O0 | ||
6 | endif | ||
7 | |||
8 | pkgcfgdir= $(pkgdatadir)/config.d/ | ||
9 | |||
10 | libexecdir= $(pkglibdir)/libexec/ | ||
11 | |||
12 | plugindir = $(libdir)/gnunet | ||
13 | |||
14 | pkgcfg_DATA = \ | ||
15 | dns.conf | ||
16 | |||
17 | if LINUX | ||
18 | HIJACKBIN = gnunet-helper-dns | ||
19 | endif | ||
20 | |||
21 | lib_LTLIBRARIES = \ | ||
22 | libgnunetdns.la | ||
23 | |||
24 | libexec_PROGRAMS = \ | ||
25 | gnunet-service-dns $(HIJACKBIN) | ||
26 | |||
27 | noinst_PROGRAMS = \ | ||
28 | gnunet-dns-monitor \ | ||
29 | gnunet-dns-redirector \ | ||
30 | gnunet-zonewalk | ||
31 | |||
32 | if LINUX | ||
33 | check_SCRIPTS = \ | ||
34 | test_gnunet_dns.sh | ||
35 | endif | ||
36 | |||
37 | gnunet_helper_dns_SOURCES = \ | ||
38 | gnunet-helper-dns.c | ||
39 | |||
40 | |||
41 | gnunet_dns_monitor_SOURCES = \ | ||
42 | gnunet-dns-monitor.c | ||
43 | gnunet_dns_monitor_LDADD = \ | ||
44 | libgnunetdns.la \ | ||
45 | $(top_builddir)/src/lib/util/libgnunetutil.la \ | ||
46 | $(GN_LIBINTL) | ||
47 | |||
48 | gnunet_zonewalk_SOURCES = \ | ||
49 | gnunet-zonewalk.c | ||
50 | gnunet_zonewalk_LDADD = \ | ||
51 | $(top_builddir)/src/lib/util/libgnunetutil.la \ | ||
52 | $(GN_LIBINTL) | ||
53 | |||
54 | gnunet_dns_redirector_SOURCES = \ | ||
55 | gnunet-dns-redirector.c | ||
56 | gnunet_dns_redirector_LDADD = \ | ||
57 | libgnunetdns.la \ | ||
58 | $(top_builddir)/src/lib/util/libgnunetutil.la \ | ||
59 | $(GN_LIBINTL) | ||
60 | |||
61 | gnunet_service_dns_SOURCES = \ | ||
62 | gnunet-service-dns.c | ||
63 | gnunet_service_dns_LDADD = \ | ||
64 | $(top_builddir)/src/service/statistics/libgnunetstatistics.la \ | ||
65 | $(top_builddir)/src/lib/util/libgnunetutil.la \ | ||
66 | $(GN_LIBINTL) | ||
67 | |||
68 | libgnunetdns_la_SOURCES = \ | ||
69 | dns_api.c dns.h | ||
70 | libgnunetdns_la_LIBADD = \ | ||
71 | $(top_builddir)/src/lib/util/libgnunetutil.la $(XLIB) | ||
72 | libgnunetdns_la_LDFLAGS = \ | ||
73 | $(GN_LIBINTL) \ | ||
74 | $(GN_LIB_LDFLAGS) \ | ||
75 | -version-info 0:0:0 | ||
76 | |||
77 | if ENABLE_TEST_RUN | ||
78 | AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME; | ||
79 | TESTS = $(check_PROGRAMS) $(check_SCRIPTS) | ||
80 | endif | ||
81 | |||
82 | EXTRA_DIST = \ | ||
83 | $(check_SCRIPTS) | ||
diff --git a/src/service/dns/dns.conf.in b/src/service/dns/dns.conf.in new file mode 100644 index 000000000..39f260813 --- /dev/null +++ b/src/service/dns/dns.conf.in | |||
@@ -0,0 +1,34 @@ | |||
1 | [dns] | ||
2 | START_ON_DEMAND = @START_ON_DEMAND@ | ||
3 | HOSTNAME = localhost | ||
4 | BINARY = gnunet-service-dns | ||
5 | UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-dns.sock | ||
6 | @UNIXONLY@ PORT = 2122 | ||
7 | # Access to this service can compromise all DNS queries in this | ||
8 | # system. Thus access should be restricted to the same UID. | ||
9 | # (see https://gnunet.org/gnunet-access-control-model) | ||
10 | UNIX_MATCH_UID = YES | ||
11 | UNIX_MATCH_GID = YES | ||
12 | |||
13 | # As there is no sufficiently restrictive access control for TCP, | ||
14 | # we never use it, even if @UNIXONLY@ is not set (just to be safe) | ||
15 | @UNIXONLY@ PORT = 0 | ||
16 | |||
17 | # Name of the virtual interface we use to intercept DNS traffic. | ||
18 | IFNAME = gnunet-dns | ||
19 | |||
20 | # Use RFC 3849-style documentation IPv6 address (RFC 4773 might provide an alternative in the future) | ||
21 | # FIXME: or just default to a site-local address scope as we do for VPN!? | ||
22 | IPV6ADDR = 2001:DB8::1 | ||
23 | IPV6PREFIX = 126 | ||
24 | |||
25 | # Use RFC 3927-style link-local address | ||
26 | IPV4ADDR = 169.254.1.1 | ||
27 | IPV4MASK = 255.255.0.0 | ||
28 | |||
29 | # Enable GNUnet-wide DNS-EXIT service by setting this value to the IP address (IPv4 or IPv6) | ||
30 | # of a DNS resolver to use. Only works if "PROVIDE_EXIT" is also set to YES. Must absolutely | ||
31 | # NOT be an address of any of GNUnet's virtual tunnel interfaces. Use a well-known | ||
32 | # public DNS resolver or your ISP's resolver from /etc/resolv.conf. | ||
33 | DNS_EXIT = 8.8.8.8 | ||
34 | |||
diff --git a/src/service/dns/dns.h b/src/service/dns/dns.h new file mode 100644 index 000000000..515012079 --- /dev/null +++ b/src/service/dns/dns.h | |||
@@ -0,0 +1,99 @@ | |||
1 | /* | ||
2 | This file is part of GNUnet | ||
3 | Copyright (C) 2012 GNUnet e.V. | ||
4 | |||
5 | GNUnet is free software: you can redistribute it and/or modify it | ||
6 | under the terms of the GNU Affero General Public License as published | ||
7 | by the Free Software Foundation, either version 3 of the License, | ||
8 | or (at your option) any later version. | ||
9 | |||
10 | GNUnet is distributed in the hope that it will be useful, but | ||
11 | WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
13 | Affero General Public License for more details. | ||
14 | |||
15 | You should have received a copy of the GNU Affero General Public License | ||
16 | along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
17 | |||
18 | SPDX-License-Identifier: AGPL3.0-or-later | ||
19 | */ | ||
20 | |||
21 | /** | ||
22 | * @file dns/dns.h | ||
23 | * @brief IPC messages between DNS API and DNS service | ||
24 | * @author Christian Grothoff | ||
25 | */ | ||
26 | #ifndef DNS_H | ||
27 | #define DNS_H | ||
28 | |||
29 | GNUNET_NETWORK_STRUCT_BEGIN | ||
30 | |||
31 | |||
32 | /** | ||
33 | * Message from client to DNS service to register itself. | ||
34 | */ | ||
35 | struct GNUNET_DNS_Register | ||
36 | { | ||
37 | /** | ||
38 | * Header of type #GNUNET_MESSAGE_TYPE_DNS_CLIENT_INIT | ||
39 | */ | ||
40 | struct GNUNET_MessageHeader header; | ||
41 | |||
42 | /** | ||
43 | * NBO encoding of `enum GNUNET_DNS_Flags` for the client. | ||
44 | */ | ||
45 | uint32_t flags GNUNET_PACKED; | ||
46 | }; | ||
47 | |||
48 | |||
49 | /** | ||
50 | * Message from DNS service to client: please handle a request. | ||
51 | */ | ||
52 | struct GNUNET_DNS_Request | ||
53 | { | ||
54 | /** | ||
55 | * Header of type #GNUNET_MESSAGE_TYPE_DNS_CLIENT_REQUEST | ||
56 | */ | ||
57 | struct GNUNET_MessageHeader header; | ||
58 | |||
59 | /** | ||
60 | * Always zero. | ||
61 | */ | ||
62 | uint32_t reserved GNUNET_PACKED; | ||
63 | |||
64 | /** | ||
65 | * Unique request ID. | ||
66 | */ | ||
67 | uint64_t request_id GNUNET_PACKED; | ||
68 | |||
69 | /* followed by original DNS request (without UDP header) */ | ||
70 | }; | ||
71 | |||
72 | |||
73 | /** | ||
74 | * Message from client to DNS service: here is my reply. | ||
75 | */ | ||
76 | struct GNUNET_DNS_Response | ||
77 | { | ||
78 | /** | ||
79 | * Header of type #GNUNET_MESSAGE_TYPE_DNS_CLIENT_RESPONSE | ||
80 | */ | ||
81 | struct GNUNET_MessageHeader header; | ||
82 | |||
83 | /** | ||
84 | * Zero to drop, 1 for no change (no payload), 2 for update (message has payload). | ||
85 | */ | ||
86 | uint32_t drop_flag GNUNET_PACKED; | ||
87 | |||
88 | /** | ||
89 | * Unique request ID. | ||
90 | */ | ||
91 | uint64_t request_id GNUNET_PACKED; | ||
92 | |||
93 | /* followed by original DNS request (without UDP header) */ | ||
94 | }; | ||
95 | |||
96 | |||
97 | GNUNET_NETWORK_STRUCT_END | ||
98 | |||
99 | #endif | ||
diff --git a/src/service/dns/dns_api.c b/src/service/dns/dns_api.c new file mode 100644 index 000000000..b0bbb894f --- /dev/null +++ b/src/service/dns/dns_api.c | |||
@@ -0,0 +1,381 @@ | |||
1 | /* | ||
2 | This file is part of GNUnet | ||
3 | Copyright (C) 2012, 2016 GNUnet e.V. | ||
4 | |||
5 | GNUnet is free software: you can redistribute it and/or modify it | ||
6 | under the terms of the GNU Affero General Public License as published | ||
7 | by the Free Software Foundation, either version 3 of the License, | ||
8 | or (at your option) any later version. | ||
9 | |||
10 | GNUnet is distributed in the hope that it will be useful, but | ||
11 | WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
13 | Affero General Public License for more details. | ||
14 | |||
15 | You should have received a copy of the GNU Affero General Public License | ||
16 | along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
17 | |||
18 | SPDX-License-Identifier: AGPL3.0-or-later | ||
19 | */ | ||
20 | |||
21 | /** | ||
22 | * @file dns/dns_api.c | ||
23 | * @brief API to access the DNS service. | ||
24 | * @author Christian Grothoff | ||
25 | */ | ||
26 | #include "platform.h" | ||
27 | #include "gnunet_dns_service.h" | ||
28 | #include "dns.h" | ||
29 | |||
30 | |||
31 | /** | ||
32 | * Handle to identify an individual DNS request. | ||
33 | */ | ||
34 | struct GNUNET_DNS_RequestHandle | ||
35 | { | ||
36 | /** | ||
37 | * Handle to DNS API. | ||
38 | */ | ||
39 | struct GNUNET_DNS_Handle *dh; | ||
40 | |||
41 | /** | ||
42 | * Stored in network byte order (as for us, it is just a random number). | ||
43 | */ | ||
44 | uint64_t request_id; | ||
45 | |||
46 | /** | ||
47 | * Re-connect counter, to make sure we did not reconnect in the meantime. | ||
48 | */ | ||
49 | uint32_t generation; | ||
50 | }; | ||
51 | |||
52 | |||
53 | /** | ||
54 | * DNS handle | ||
55 | */ | ||
56 | struct GNUNET_DNS_Handle | ||
57 | { | ||
58 | /** | ||
59 | * Connection to DNS service, or NULL. | ||
60 | */ | ||
61 | struct GNUNET_MQ_Handle *mq; | ||
62 | |||
63 | /** | ||
64 | * Configuration to use. | ||
65 | */ | ||
66 | const struct GNUNET_CONFIGURATION_Handle *cfg; | ||
67 | |||
68 | /** | ||
69 | * Function to call to get replies. | ||
70 | */ | ||
71 | GNUNET_DNS_RequestHandler rh; | ||
72 | |||
73 | /** | ||
74 | * Closure for @e rh. | ||
75 | */ | ||
76 | void *rh_cls; | ||
77 | |||
78 | /** | ||
79 | * Task to reconnect to the service. | ||
80 | */ | ||
81 | struct GNUNET_SCHEDULER_Task *reconnect_task; | ||
82 | |||
83 | /** | ||
84 | * Re-connect counter, to make sure we did not reconnect in the meantime. | ||
85 | */ | ||
86 | uint32_t generation; | ||
87 | |||
88 | /** | ||
89 | * Flags for events we care about. | ||
90 | */ | ||
91 | enum GNUNET_DNS_Flags flags; | ||
92 | |||
93 | /** | ||
94 | * Number of GNUNET_DNS_RequestHandles we have outstanding. Must be 0 before | ||
95 | * we can be disconnected. | ||
96 | */ | ||
97 | unsigned int pending_requests; | ||
98 | }; | ||
99 | |||
100 | |||
101 | /** | ||
102 | * Reconnect to the DNS service. | ||
103 | * | ||
104 | * @param cls handle with the connection to connect | ||
105 | */ | ||
106 | static void | ||
107 | reconnect (void *cls); | ||
108 | |||
109 | |||
110 | /** | ||
111 | * Drop the existing connection and reconnect to the DNS service. | ||
112 | * | ||
113 | * @param dh handle with the connection | ||
114 | */ | ||
115 | static void | ||
116 | force_reconnect (struct GNUNET_DNS_Handle *dh) | ||
117 | { | ||
118 | if (NULL != dh->mq) | ||
119 | { | ||
120 | GNUNET_MQ_destroy (dh->mq); | ||
121 | dh->mq = NULL; | ||
122 | } | ||
123 | dh->reconnect_task = | ||
124 | GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS, | ||
125 | &reconnect, | ||
126 | dh); | ||
127 | } | ||
128 | |||
129 | |||
130 | /** | ||
131 | * Generic error handler, called with the appropriate error code and | ||
132 | * the same closure specified at the creation of the message queue. | ||
133 | * Not every message queue implementation supports an error handler. | ||
134 | * | ||
135 | * @param cls closure with the `struct GNUNET_DNS_Handle *` | ||
136 | * @param error error code | ||
137 | */ | ||
138 | static void | ||
139 | mq_error_handler (void *cls, | ||
140 | enum GNUNET_MQ_Error error) | ||
141 | { | ||
142 | struct GNUNET_DNS_Handle *dh = cls; | ||
143 | |||
144 | force_reconnect (dh); | ||
145 | } | ||
146 | |||
147 | |||
148 | /** | ||
149 | * This receives packets from the DNS service and calls the application to | ||
150 | * check that the request is well-formed | ||
151 | * | ||
152 | * @param cls the struct GNUNET_DNS_Handle | ||
153 | * @param req message from the service (request) | ||
154 | */ | ||
155 | static int | ||
156 | check_request (void *cls, | ||
157 | const struct GNUNET_DNS_Request *req) | ||
158 | { | ||
159 | if (0 != ntohl (req->reserved)) | ||
160 | { | ||
161 | GNUNET_break (0); | ||
162 | return GNUNET_SYSERR; | ||
163 | } | ||
164 | return GNUNET_OK; | ||
165 | } | ||
166 | |||
167 | |||
168 | /** | ||
169 | * This receives packets from the DNS service and calls the application to | ||
170 | * handle it. | ||
171 | * | ||
172 | * @param cls the `struct GNUNET_DNS_Handle *` | ||
173 | * @param req message from the service (request) | ||
174 | */ | ||
175 | static void | ||
176 | handle_request (void *cls, | ||
177 | const struct GNUNET_DNS_Request *req) | ||
178 | { | ||
179 | struct GNUNET_DNS_Handle *dh = cls; | ||
180 | size_t payload_length = ntohs (req->header.size) - sizeof(*req); | ||
181 | struct GNUNET_DNS_RequestHandle *rh; | ||
182 | |||
183 | rh = GNUNET_new (struct GNUNET_DNS_RequestHandle); | ||
184 | rh->dh = dh; | ||
185 | rh->request_id = req->request_id; | ||
186 | rh->generation = dh->generation; | ||
187 | dh->pending_requests++; | ||
188 | dh->rh (dh->rh_cls, | ||
189 | rh, | ||
190 | payload_length, | ||
191 | (const char *) &req[1]); | ||
192 | } | ||
193 | |||
194 | |||
195 | static void | ||
196 | reconnect (void *cls) | ||
197 | { | ||
198 | struct GNUNET_DNS_Handle *dh = cls; | ||
199 | struct GNUNET_MQ_MessageHandler handlers[] = { | ||
200 | GNUNET_MQ_hd_var_size (request, | ||
201 | GNUNET_MESSAGE_TYPE_DNS_CLIENT_REQUEST, | ||
202 | struct GNUNET_DNS_Request, | ||
203 | dh), | ||
204 | GNUNET_MQ_handler_end () | ||
205 | }; | ||
206 | struct GNUNET_MQ_Envelope *env; | ||
207 | struct GNUNET_DNS_Register *msg; | ||
208 | |||
209 | dh->reconnect_task = NULL; | ||
210 | dh->mq = GNUNET_CLIENT_connect (dh->cfg, | ||
211 | "dns", | ||
212 | handlers, | ||
213 | &mq_error_handler, | ||
214 | dh); | ||
215 | if (NULL == dh->mq) | ||
216 | return; | ||
217 | dh->generation++; | ||
218 | env = GNUNET_MQ_msg (msg, | ||
219 | GNUNET_MESSAGE_TYPE_DNS_CLIENT_INIT); | ||
220 | msg->flags = htonl (dh->flags); | ||
221 | GNUNET_MQ_send (dh->mq, | ||
222 | env); | ||
223 | } | ||
224 | |||
225 | |||
226 | /** | ||
227 | * If a GNUNET_DNS_RequestHandler calls this function, the request is | ||
228 | * given to other clients or the global DNS for resolution. Once a | ||
229 | * global response has been obtained, the request handler is AGAIN | ||
230 | * called to give it a chance to observe and modify the response after | ||
231 | * the "normal" resolution. It is not legal for the request handler | ||
232 | * to call this function if a response is already present. | ||
233 | * | ||
234 | * @param rh request that should now be forwarded | ||
235 | */ | ||
236 | void | ||
237 | GNUNET_DNS_request_forward (struct GNUNET_DNS_RequestHandle *rh) | ||
238 | { | ||
239 | struct GNUNET_MQ_Envelope *env; | ||
240 | struct GNUNET_DNS_Response *resp; | ||
241 | |||
242 | GNUNET_assert (0 < rh->dh->pending_requests--); | ||
243 | if (rh->generation != rh->dh->generation) | ||
244 | { | ||
245 | GNUNET_free (rh); | ||
246 | return; | ||
247 | } | ||
248 | env = GNUNET_MQ_msg (resp, | ||
249 | GNUNET_MESSAGE_TYPE_DNS_CLIENT_RESPONSE); | ||
250 | resp->drop_flag = htonl (1); | ||
251 | resp->request_id = rh->request_id; | ||
252 | GNUNET_MQ_send (rh->dh->mq, | ||
253 | env); | ||
254 | GNUNET_free (rh); | ||
255 | } | ||
256 | |||
257 | |||
258 | /** | ||
259 | * If a GNUNET_DNS_RequestHandler calls this function, the request is | ||
260 | * to be dropped and no response should be generated. | ||
261 | * | ||
262 | * @param rh request that should now be dropped | ||
263 | */ | ||
264 | void | ||
265 | GNUNET_DNS_request_drop (struct GNUNET_DNS_RequestHandle *rh) | ||
266 | { | ||
267 | struct GNUNET_MQ_Envelope *env; | ||
268 | struct GNUNET_DNS_Response *resp; | ||
269 | |||
270 | GNUNET_assert (0 < rh->dh->pending_requests--); | ||
271 | if (rh->generation != rh->dh->generation) | ||
272 | { | ||
273 | GNUNET_free (rh); | ||
274 | return; | ||
275 | } | ||
276 | env = GNUNET_MQ_msg (resp, | ||
277 | GNUNET_MESSAGE_TYPE_DNS_CLIENT_RESPONSE); | ||
278 | resp->request_id = rh->request_id; | ||
279 | resp->drop_flag = htonl (0); | ||
280 | GNUNET_MQ_send (rh->dh->mq, | ||
281 | env); | ||
282 | GNUNET_free (rh); | ||
283 | } | ||
284 | |||
285 | |||
286 | /** | ||
287 | * If a GNUNET_DNS_RequestHandler calls this function, the request is | ||
288 | * supposed to be answered with the data provided to this call (with | ||
289 | * the modifications the function might have made). | ||
290 | * | ||
291 | * @param rh request that should now be answered | ||
292 | * @param reply_length size of @a reply (uint16_t to force sane size) | ||
293 | * @param reply reply data | ||
294 | */ | ||
295 | void | ||
296 | GNUNET_DNS_request_answer (struct GNUNET_DNS_RequestHandle *rh, | ||
297 | uint16_t reply_length, | ||
298 | const char *reply) | ||
299 | { | ||
300 | struct GNUNET_MQ_Envelope *env; | ||
301 | struct GNUNET_DNS_Response *resp; | ||
302 | |||
303 | GNUNET_assert (0 < rh->dh->pending_requests--); | ||
304 | if (rh->generation != rh->dh->generation) | ||
305 | { | ||
306 | GNUNET_free (rh); | ||
307 | return; | ||
308 | } | ||
309 | if (reply_length + sizeof(struct GNUNET_DNS_Response) | ||
310 | >= GNUNET_MAX_MESSAGE_SIZE) | ||
311 | { | ||
312 | GNUNET_break (0); | ||
313 | GNUNET_free (rh); | ||
314 | return; | ||
315 | } | ||
316 | env = GNUNET_MQ_msg_extra (resp, | ||
317 | reply_length, | ||
318 | GNUNET_MESSAGE_TYPE_DNS_CLIENT_RESPONSE); | ||
319 | resp->drop_flag = htonl (2); | ||
320 | resp->request_id = rh->request_id; | ||
321 | GNUNET_memcpy (&resp[1], | ||
322 | reply, | ||
323 | reply_length); | ||
324 | GNUNET_MQ_send (rh->dh->mq, | ||
325 | env); | ||
326 | GNUNET_free (rh); | ||
327 | } | ||
328 | |||
329 | |||
330 | /** | ||
331 | * Connect to the service-dns | ||
332 | * | ||
333 | * @param cfg configuration to use | ||
334 | * @param flags when to call @a rh | ||
335 | * @param rh function to call with DNS requests | ||
336 | * @param rh_cls closure to pass to @a rh | ||
337 | * @return DNS handle | ||
338 | */ | ||
339 | struct GNUNET_DNS_Handle * | ||
340 | GNUNET_DNS_connect (const struct GNUNET_CONFIGURATION_Handle *cfg, | ||
341 | enum GNUNET_DNS_Flags flags, | ||
342 | GNUNET_DNS_RequestHandler rh, | ||
343 | void *rh_cls) | ||
344 | { | ||
345 | struct GNUNET_DNS_Handle *dh; | ||
346 | |||
347 | dh = GNUNET_new (struct GNUNET_DNS_Handle); | ||
348 | dh->cfg = cfg; | ||
349 | dh->flags = flags; | ||
350 | dh->rh = rh; | ||
351 | dh->rh_cls = rh_cls; | ||
352 | dh->reconnect_task = GNUNET_SCHEDULER_add_now (&reconnect, dh); | ||
353 | return dh; | ||
354 | } | ||
355 | |||
356 | |||
357 | /** | ||
358 | * Disconnect from the DNS service. | ||
359 | * | ||
360 | * @param dh DNS handle | ||
361 | */ | ||
362 | void | ||
363 | GNUNET_DNS_disconnect (struct GNUNET_DNS_Handle *dh) | ||
364 | { | ||
365 | if (NULL != dh->mq) | ||
366 | { | ||
367 | GNUNET_MQ_destroy (dh->mq); | ||
368 | dh->mq = NULL; | ||
369 | } | ||
370 | if (NULL != dh->reconnect_task) | ||
371 | { | ||
372 | GNUNET_SCHEDULER_cancel (dh->reconnect_task); | ||
373 | dh->reconnect_task = NULL; | ||
374 | } | ||
375 | /* make sure client has no pending requests left over! */ | ||
376 | GNUNET_break (0 == dh->pending_requests); | ||
377 | GNUNET_free (dh); | ||
378 | } | ||
379 | |||
380 | |||
381 | /* end of dns_api.c */ | ||
diff --git a/src/service/dns/gnunet-dns-monitor.c b/src/service/dns/gnunet-dns-monitor.c new file mode 100644 index 000000000..afdb336f0 --- /dev/null +++ b/src/service/dns/gnunet-dns-monitor.c | |||
@@ -0,0 +1,411 @@ | |||
1 | /* | ||
2 | This file is part of GNUnet. | ||
3 | Copyright (C) 2011 GNUnet e.V. | ||
4 | |||
5 | GNUnet is free software: you can redistribute it and/or modify it | ||
6 | under the terms of the GNU Affero General Public License as published | ||
7 | by the Free Software Foundation, either version 3 of the License, | ||
8 | or (at your option) any later version. | ||
9 | |||
10 | GNUnet is distributed in the hope that it will be useful, but | ||
11 | WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
13 | Affero General Public License for more details. | ||
14 | |||
15 | You should have received a copy of the GNU Affero General Public License | ||
16 | along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
17 | |||
18 | SPDX-License-Identifier: AGPL3.0-or-later | ||
19 | */ | ||
20 | |||
21 | /** | ||
22 | * @file src/dns/gnunet-dns-monitor.c | ||
23 | * @brief Tool to monitor DNS queries | ||
24 | * @author Christian Grothoff | ||
25 | */ | ||
26 | |||
27 | #include "platform.h" | ||
28 | #include "gnunet_util_lib.h" | ||
29 | #include "gnunet_dns_service.h" | ||
30 | |||
31 | /** | ||
32 | * Handle to transport service. | ||
33 | */ | ||
34 | static struct GNUNET_DNS_Handle *handle; | ||
35 | |||
36 | /** | ||
37 | * Option -i. | ||
38 | */ | ||
39 | static int inbound_only; | ||
40 | |||
41 | /** | ||
42 | * Option -o. | ||
43 | */ | ||
44 | static int outbound_only; | ||
45 | |||
46 | /** | ||
47 | * Global return value (0 success). | ||
48 | */ | ||
49 | static int ret; | ||
50 | |||
51 | /** | ||
52 | * Selected level of verbosity. | ||
53 | */ | ||
54 | static unsigned int verbosity; | ||
55 | |||
56 | |||
57 | /** | ||
58 | * Convert numeric DNS record type to a string. | ||
59 | * | ||
60 | * @param type type to convert | ||
61 | * @return type as string, only valid until the next call to this function | ||
62 | */ | ||
63 | static const char * | ||
64 | get_type (uint16_t type) | ||
65 | { | ||
66 | static char buf[6]; | ||
67 | |||
68 | switch (type) | ||
69 | { | ||
70 | case GNUNET_DNSPARSER_TYPE_A: return "A"; | ||
71 | |||
72 | case GNUNET_DNSPARSER_TYPE_NS: return "NS"; | ||
73 | |||
74 | case GNUNET_DNSPARSER_TYPE_CNAME: return "CNAME"; | ||
75 | |||
76 | case GNUNET_DNSPARSER_TYPE_SOA: return "SOA"; | ||
77 | |||
78 | case GNUNET_DNSPARSER_TYPE_PTR: return "PTR"; | ||
79 | |||
80 | case GNUNET_DNSPARSER_TYPE_MX: return "MX"; | ||
81 | |||
82 | case GNUNET_DNSPARSER_TYPE_TXT: return "TXT"; | ||
83 | |||
84 | case GNUNET_DNSPARSER_TYPE_AAAA: return "AAAA"; | ||
85 | |||
86 | case GNUNET_DNSPARSER_TYPE_SRV: return "SRV"; | ||
87 | |||
88 | case GNUNET_DNSPARSER_TYPE_URI: return "URI"; | ||
89 | } | ||
90 | GNUNET_snprintf (buf, sizeof(buf), "%u", (unsigned int) type); | ||
91 | return buf; | ||
92 | } | ||
93 | |||
94 | |||
95 | /** | ||
96 | * Convert numeric DNS record class to a string. | ||
97 | * | ||
98 | * @param class class to convert | ||
99 | * @return class as string, only valid until the next call to this function | ||
100 | */ | ||
101 | static const char * | ||
102 | get_class (uint16_t class) | ||
103 | { | ||
104 | static char buf[6]; | ||
105 | |||
106 | switch (class) | ||
107 | { | ||
108 | case GNUNET_TUN_DNS_CLASS_INTERNET: return "IN"; | ||
109 | |||
110 | case GNUNET_TUN_DNS_CLASS_CHAOS: return "CHAOS"; | ||
111 | |||
112 | case GNUNET_TUN_DNS_CLASS_HESIOD: return "HESIOD"; | ||
113 | } | ||
114 | GNUNET_snprintf (buf, sizeof(buf), "%u", (unsigned int) class); | ||
115 | return buf; | ||
116 | } | ||
117 | |||
118 | |||
119 | /** | ||
120 | * Output the given DNS query to stdout. | ||
121 | * | ||
122 | * @param query query to display. | ||
123 | */ | ||
124 | static void | ||
125 | display_query (const struct GNUNET_DNSPARSER_Query *query) | ||
126 | { | ||
127 | fprintf (stdout, | ||
128 | "\t\t%s %s: %s\n", | ||
129 | get_class (query->dns_traffic_class), | ||
130 | get_type (query->type), | ||
131 | query->name); | ||
132 | } | ||
133 | |||
134 | |||
135 | /** | ||
136 | * Output the given DNS record to stdout. | ||
137 | * | ||
138 | * @param record record to display. | ||
139 | */ | ||
140 | static void | ||
141 | display_record (const struct GNUNET_DNSPARSER_Record *record) | ||
142 | { | ||
143 | const char *format; | ||
144 | char buf[INET6_ADDRSTRLEN]; | ||
145 | char *tmp; | ||
146 | |||
147 | tmp = NULL; | ||
148 | switch (record->type) | ||
149 | { | ||
150 | case GNUNET_DNSPARSER_TYPE_A: | ||
151 | if (record->data.raw.data_len != sizeof(struct in_addr)) | ||
152 | format = "<invalid>"; | ||
153 | else | ||
154 | format = inet_ntop (AF_INET, record->data.raw.data, buf, sizeof(buf)); | ||
155 | break; | ||
156 | |||
157 | case GNUNET_DNSPARSER_TYPE_AAAA: | ||
158 | if (record->data.raw.data_len != sizeof(struct in6_addr)) | ||
159 | format = "<invalid>"; | ||
160 | else | ||
161 | format = inet_ntop (AF_INET6, record->data.raw.data, buf, sizeof(buf)); | ||
162 | break; | ||
163 | |||
164 | case GNUNET_DNSPARSER_TYPE_NS: | ||
165 | case GNUNET_DNSPARSER_TYPE_CNAME: | ||
166 | case GNUNET_DNSPARSER_TYPE_PTR: | ||
167 | format = record->data.hostname; | ||
168 | break; | ||
169 | |||
170 | case GNUNET_DNSPARSER_TYPE_SOA: | ||
171 | if (NULL == record->data.soa) | ||
172 | format = "<invalid>"; | ||
173 | else | ||
174 | { | ||
175 | GNUNET_asprintf (&tmp, | ||
176 | "origin: %s, mail: %s, serial = %u, refresh = %u s, retry = %u s, expire = %u s, minimum = %u s", | ||
177 | record->data.soa->mname, | ||
178 | record->data.soa->rname, | ||
179 | (unsigned int) record->data.soa->serial, | ||
180 | (unsigned int) record->data.soa->refresh, | ||
181 | (unsigned int) record->data.soa->retry, | ||
182 | (unsigned int) record->data.soa->expire, | ||
183 | (unsigned int) record->data.soa->minimum_ttl); | ||
184 | format = tmp; | ||
185 | } | ||
186 | break; | ||
187 | |||
188 | case GNUNET_DNSPARSER_TYPE_MX: | ||
189 | if (record->data.mx == NULL) | ||
190 | format = "<invalid>"; | ||
191 | else | ||
192 | { | ||
193 | GNUNET_asprintf (&tmp, | ||
194 | "%u: %s", | ||
195 | record->data.mx->preference, | ||
196 | record->data.mx->mxhost); | ||
197 | format = tmp; | ||
198 | } | ||
199 | break; | ||
200 | |||
201 | case GNUNET_DNSPARSER_TYPE_SRV: | ||
202 | if (NULL == record->data.srv) | ||
203 | format = "<invalid>"; | ||
204 | else | ||
205 | { | ||
206 | GNUNET_asprintf (&tmp, | ||
207 | "priority %u, weight = %u, port = %u, target = %s", | ||
208 | (unsigned int) record->data.srv->priority, | ||
209 | (unsigned int) record->data.srv->weight, | ||
210 | (unsigned int) record->data.srv->port, | ||
211 | record->data.srv->target); | ||
212 | format = tmp; | ||
213 | } | ||
214 | break; | ||
215 | |||
216 | case GNUNET_DNSPARSER_TYPE_URI: | ||
217 | if (NULL == record->data.uri) | ||
218 | format = "<invalid>"; | ||
219 | else | ||
220 | { | ||
221 | GNUNET_asprintf (&tmp, | ||
222 | "priority %u, weight = %u, target = \"%s\"", | ||
223 | (unsigned int) record->data.uri->priority, | ||
224 | (unsigned int) record->data.uri->weight, | ||
225 | record->data.uri->target); | ||
226 | format = tmp; | ||
227 | } | ||
228 | break; | ||
229 | |||
230 | |||
231 | case GNUNET_DNSPARSER_TYPE_TXT: | ||
232 | GNUNET_asprintf (&tmp, | ||
233 | "%.*s", | ||
234 | (unsigned int) record->data.raw.data_len, | ||
235 | (char*) record->data.raw.data); | ||
236 | format = tmp; | ||
237 | break; | ||
238 | |||
239 | default: | ||
240 | format = "<payload>"; | ||
241 | break; | ||
242 | } | ||
243 | fprintf (stdout, | ||
244 | "\t\t%s %s: %s = %s (%u s)\n", | ||
245 | get_class (record->dns_traffic_class), | ||
246 | get_type (record->type), | ||
247 | record->name, | ||
248 | format, | ||
249 | (unsigned int) (GNUNET_TIME_absolute_get_remaining ( | ||
250 | record->expiration_time).rel_value_us / 1000LL | ||
251 | / 1000LL)); | ||
252 | GNUNET_free (tmp); | ||
253 | } | ||
254 | |||
255 | |||
256 | /** | ||
257 | * Signature of a function that is called whenever the DNS service | ||
258 | * encounters a DNS request and needs to do something with it. The | ||
259 | * function has then the chance to generate or modify the response by | ||
260 | * calling one of the three "GNUNET_DNS_request_*" continuations. | ||
261 | * | ||
262 | * When a request is intercepted, this function is called first to | ||
263 | * give the client a chance to do the complete address resolution; | ||
264 | * "rdata" will be NULL for this first call for a DNS request, unless | ||
265 | * some other client has already filled in a response. | ||
266 | * | ||
267 | * If multiple clients exist, all of them are called before the global | ||
268 | * DNS. The global DNS is only called if all of the clients' | ||
269 | * functions call GNUNET_DNS_request_forward. Functions that call | ||
270 | * GNUNET_DNS_request_forward will be called again before a final | ||
271 | * response is returned to the application. If any of the clients' | ||
272 | * functions call GNUNET_DNS_request_drop, the response is dropped. | ||
273 | * | ||
274 | * @param cls closure | ||
275 | * @param rh request handle to user for reply | ||
276 | * @param request_length number of bytes in request | ||
277 | * @param request udp payload of the DNS request | ||
278 | */ | ||
279 | static void | ||
280 | display_request (void *cls, | ||
281 | struct GNUNET_DNS_RequestHandle *rh, | ||
282 | size_t request_length, | ||
283 | const char *request) | ||
284 | { | ||
285 | static const char *return_codes[] = { | ||
286 | "No error", "Format error", "Server failure", "Name error", | ||
287 | "Not implemented", "Refused", "YXDomain", "YXRRset", | ||
288 | "NXRRset", "NOT AUTH", "NOT ZONE", "<invalid>", | ||
289 | "<invalid>", "<invalid>", "<invalid>", "<invalid>" | ||
290 | }; | ||
291 | static const char *op_codes[] = { | ||
292 | "Query", "Inverse query", "Status", "<invalid>", | ||
293 | "<invalid>", "<invalid>", "<invalid>", "<invalid>", | ||
294 | "<invalid>", "<invalid>", "<invalid>", "<invalid>", | ||
295 | "<invalid>", "<invalid>", "<invalid>", "<invalid>" | ||
296 | }; | ||
297 | struct GNUNET_DNSPARSER_Packet *p; | ||
298 | unsigned int i; | ||
299 | |||
300 | p = GNUNET_DNSPARSER_parse (request, request_length); | ||
301 | if (NULL == p) | ||
302 | { | ||
303 | fprintf (stderr, "Received malformed DNS packet!\n"); | ||
304 | // FIXME: drop instead? | ||
305 | GNUNET_DNS_request_forward (rh); | ||
306 | return; | ||
307 | } | ||
308 | fprintf (stdout, | ||
309 | "%s with ID: %5u Flags: %s%s%s%s%s%s, Return Code: %s, Opcode: %s\n", | ||
310 | p->flags.query_or_response ? "Response" : "Query", | ||
311 | p->id, | ||
312 | p->flags.recursion_desired ? "RD " : "", | ||
313 | p->flags.message_truncated ? "MT " : "", | ||
314 | p->flags.authoritative_answer ? "AA " : "", | ||
315 | p->flags.checking_disabled ? "CD " : "", | ||
316 | p->flags.authenticated_data ? "AD " : "", | ||
317 | p->flags.recursion_available ? "RA " : "", | ||
318 | return_codes[p->flags.return_code & 15], | ||
319 | op_codes[p->flags.opcode & 15]); | ||
320 | if (p->num_queries > 0) | ||
321 | fprintf (stdout, | ||
322 | "\tQueries:\n"); | ||
323 | for (i = 0; i < p->num_queries; i++) | ||
324 | display_query (&p->queries[i]); | ||
325 | |||
326 | if (p->num_answers > 0) | ||
327 | fprintf (stdout, | ||
328 | "\tAnswers:\n"); | ||
329 | for (i = 0; i < p->num_answers; i++) | ||
330 | display_record (&p->answers[i]); | ||
331 | fprintf (stdout, "\n"); | ||
332 | GNUNET_DNSPARSER_free_packet (p); | ||
333 | GNUNET_DNS_request_forward (rh); | ||
334 | } | ||
335 | |||
336 | |||
337 | /** | ||
338 | * Shutdown. | ||
339 | */ | ||
340 | static void | ||
341 | do_disconnect (void *cls) | ||
342 | { | ||
343 | if (NULL != handle) | ||
344 | { | ||
345 | GNUNET_DNS_disconnect (handle); | ||
346 | handle = NULL; | ||
347 | } | ||
348 | } | ||
349 | |||
350 | |||
351 | /** | ||
352 | * Main function that will be run by the scheduler. | ||
353 | * | ||
354 | * @param cls closure | ||
355 | * @param args remaining command-line arguments | ||
356 | * @param cfgfile name of the configuration file used (for saving, can be NULL!) | ||
357 | * @param cfg configuration | ||
358 | */ | ||
359 | static void | ||
360 | run (void *cls, char *const *args, const char *cfgfile, | ||
361 | const struct GNUNET_CONFIGURATION_Handle *cfg) | ||
362 | { | ||
363 | enum GNUNET_DNS_Flags flags; | ||
364 | |||
365 | flags = GNUNET_DNS_FLAG_REQUEST_MONITOR | GNUNET_DNS_FLAG_RESPONSE_MONITOR; | ||
366 | if (inbound_only | outbound_only) | ||
367 | flags = 0; | ||
368 | if (inbound_only) | ||
369 | flags |= GNUNET_DNS_FLAG_REQUEST_MONITOR; | ||
370 | if (outbound_only) | ||
371 | flags |= GNUNET_DNS_FLAG_RESPONSE_MONITOR; | ||
372 | handle = | ||
373 | GNUNET_DNS_connect (cfg, | ||
374 | flags, | ||
375 | &display_request, | ||
376 | NULL); | ||
377 | GNUNET_SCHEDULER_add_shutdown (&do_disconnect, NULL); | ||
378 | } | ||
379 | |||
380 | |||
381 | int | ||
382 | main (int argc, char *const *argv) | ||
383 | { | ||
384 | struct GNUNET_GETOPT_CommandLineOption options[] = { | ||
385 | GNUNET_GETOPT_option_flag ('i', | ||
386 | "inbound-only", | ||
387 | gettext_noop ("only monitor DNS queries"), | ||
388 | &inbound_only), | ||
389 | |||
390 | GNUNET_GETOPT_option_flag ('o', | ||
391 | "outbound-only", | ||
392 | gettext_noop ("only monitor DNS queries"), | ||
393 | &outbound_only), | ||
394 | |||
395 | GNUNET_GETOPT_option_verbose (&verbosity), | ||
396 | GNUNET_GETOPT_OPTION_END | ||
397 | }; | ||
398 | |||
399 | if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv)) | ||
400 | return 2; | ||
401 | ret = (GNUNET_OK == | ||
402 | GNUNET_PROGRAM_run (argc, argv, "gnunet-dns-monitor", | ||
403 | gettext_noop | ||
404 | ("Monitor DNS queries."), options, | ||
405 | &run, NULL)) ? ret : 1; | ||
406 | GNUNET_free_nz ((void *) argv); | ||
407 | return ret; | ||
408 | } | ||
409 | |||
410 | |||
411 | /* end of gnunet-dns-monitor.c */ | ||
diff --git a/src/service/dns/gnunet-dns-redirector.c b/src/service/dns/gnunet-dns-redirector.c new file mode 100644 index 000000000..045207f8c --- /dev/null +++ b/src/service/dns/gnunet-dns-redirector.c | |||
@@ -0,0 +1,267 @@ | |||
1 | /* | ||
2 | This file is part of GNUnet. | ||
3 | Copyright (C) 2011 GNUnet e.V. | ||
4 | |||
5 | GNUnet is free software: you can redistribute it and/or modify it | ||
6 | under the terms of the GNU Affero General Public License as published | ||
7 | by the Free Software Foundation, either version 3 of the License, | ||
8 | or (at your option) any later version. | ||
9 | |||
10 | GNUnet is distributed in the hope that it will be useful, but | ||
11 | WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
13 | Affero General Public License for more details. | ||
14 | |||
15 | You should have received a copy of the GNU Affero General Public License | ||
16 | along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
17 | |||
18 | SPDX-License-Identifier: AGPL3.0-or-later | ||
19 | */ | ||
20 | |||
21 | /** | ||
22 | * @file src/dns/gnunet-dns-redirector.c | ||
23 | * @brief Tool to change DNS replies (for testing) | ||
24 | * @author Christian Grothoff | ||
25 | */ | ||
26 | |||
27 | #include "platform.h" | ||
28 | #include "gnunet_util_lib.h" | ||
29 | #include "gnunet_dns_service.h" | ||
30 | |||
31 | /** | ||
32 | * Handle to DNS service. | ||
33 | */ | ||
34 | static struct GNUNET_DNS_Handle *handle; | ||
35 | |||
36 | /** | ||
37 | * New target for A records. | ||
38 | */ | ||
39 | static char *n4; | ||
40 | |||
41 | /** | ||
42 | * New target for AAAA records. | ||
43 | */ | ||
44 | static char *n6; | ||
45 | |||
46 | /** | ||
47 | * Global return value (0 success). | ||
48 | */ | ||
49 | static int ret; | ||
50 | |||
51 | /** | ||
52 | * Selected level of verbosity. | ||
53 | */ | ||
54 | static unsigned int verbosity; | ||
55 | |||
56 | |||
57 | /** | ||
58 | * Modify the given DNS record. | ||
59 | * | ||
60 | * @param record record to modify | ||
61 | */ | ||
62 | static void | ||
63 | modify_record (const struct GNUNET_DNSPARSER_Record *record) | ||
64 | { | ||
65 | char buf[INET6_ADDRSTRLEN]; | ||
66 | |||
67 | switch (record->type) | ||
68 | { | ||
69 | case GNUNET_DNSPARSER_TYPE_A: | ||
70 | if (record->data.raw.data_len != sizeof(struct in_addr)) | ||
71 | return; | ||
72 | if (NULL != n4) | ||
73 | { | ||
74 | if (verbosity > 1) | ||
75 | fprintf (stderr, | ||
76 | "Changing A record from `%s' to `%s'\n", | ||
77 | inet_ntop (AF_INET, record->data.raw.data, buf, sizeof(buf)), | ||
78 | n4); | ||
79 | GNUNET_assert (1 == inet_pton (AF_INET, n4, record->data.raw.data)); | ||
80 | } | ||
81 | break; | ||
82 | |||
83 | case GNUNET_DNSPARSER_TYPE_AAAA: | ||
84 | if (record->data.raw.data_len != sizeof(struct in6_addr)) | ||
85 | return; | ||
86 | if (NULL != n6) | ||
87 | { | ||
88 | if (verbosity > 1) | ||
89 | fprintf (stderr, | ||
90 | "Changing AAAA record from `%s' to `%s'\n", | ||
91 | inet_ntop (AF_INET6, record->data.raw.data, buf, sizeof(buf)), | ||
92 | n6); | ||
93 | GNUNET_assert (1 == inet_pton (AF_INET6, n6, record->data.raw.data)); | ||
94 | } | ||
95 | break; | ||
96 | |||
97 | case GNUNET_DNSPARSER_TYPE_NS: | ||
98 | case GNUNET_DNSPARSER_TYPE_CNAME: | ||
99 | case GNUNET_DNSPARSER_TYPE_PTR: | ||
100 | case GNUNET_DNSPARSER_TYPE_SOA: | ||
101 | case GNUNET_DNSPARSER_TYPE_MX: | ||
102 | case GNUNET_DNSPARSER_TYPE_TXT: | ||
103 | break; | ||
104 | |||
105 | default: | ||
106 | break; | ||
107 | } | ||
108 | } | ||
109 | |||
110 | |||
111 | /** | ||
112 | * Signature of a function that is called whenever the DNS service | ||
113 | * encounters a DNS request and needs to do something with it. The | ||
114 | * function has then the chance to generate or modify the response by | ||
115 | * calling one of the three "GNUNET_DNS_request_*" continuations. | ||
116 | * | ||
117 | * When a request is intercepted, this function is called first to | ||
118 | * give the client a chance to do the complete address resolution; | ||
119 | * "rdata" will be NULL for this first call for a DNS request, unless | ||
120 | * some other client has already filled in a response. | ||
121 | * | ||
122 | * If multiple clients exist, all of them are called before the global | ||
123 | * DNS. The global DNS is only called if all of the clients' | ||
124 | * functions call GNUNET_DNS_request_forward. Functions that call | ||
125 | * GNUNET_DNS_request_forward will be called again before a final | ||
126 | * response is returned to the application. If any of the clients' | ||
127 | * functions call GNUNET_DNS_request_drop, the response is dropped. | ||
128 | * | ||
129 | * @param cls closure | ||
130 | * @param rh request handle to user for reply | ||
131 | * @param request_length number of bytes in request | ||
132 | * @param request udp payload of the DNS request | ||
133 | */ | ||
134 | static void | ||
135 | modify_request (void *cls, | ||
136 | struct GNUNET_DNS_RequestHandle *rh, | ||
137 | size_t request_length, | ||
138 | const char *request) | ||
139 | { | ||
140 | struct GNUNET_DNSPARSER_Packet *p; | ||
141 | unsigned int i; | ||
142 | char *buf; | ||
143 | size_t len; | ||
144 | int ret; | ||
145 | |||
146 | p = GNUNET_DNSPARSER_parse (request, request_length); | ||
147 | if (NULL == p) | ||
148 | { | ||
149 | fprintf (stderr, "Received malformed DNS packet, leaving it untouched\n"); | ||
150 | GNUNET_DNS_request_forward (rh); | ||
151 | return; | ||
152 | } | ||
153 | for (i = 0; i < p->num_answers; i++) | ||
154 | modify_record (&p->answers[i]); | ||
155 | buf = NULL; | ||
156 | ret = GNUNET_DNSPARSER_pack (p, 1024, &buf, &len); | ||
157 | GNUNET_DNSPARSER_free_packet (p); | ||
158 | if (GNUNET_OK != ret) | ||
159 | { | ||
160 | if (GNUNET_NO == ret) | ||
161 | fprintf (stderr, | ||
162 | "Modified DNS response did not fit, keeping old response\n"); | ||
163 | else | ||
164 | GNUNET_break (0); /* our modifications should have been sane! */ | ||
165 | GNUNET_DNS_request_forward (rh); | ||
166 | } | ||
167 | else | ||
168 | { | ||
169 | if (verbosity > 0) | ||
170 | fprintf (stdout, | ||
171 | "Injecting modified DNS response\n"); | ||
172 | GNUNET_DNS_request_answer (rh, len, buf); | ||
173 | } | ||
174 | GNUNET_free (buf); | ||
175 | } | ||
176 | |||
177 | |||
178 | /** | ||
179 | * Shutdown. | ||
180 | */ | ||
181 | static void | ||
182 | do_disconnect (void *cls) | ||
183 | { | ||
184 | if (NULL != handle) | ||
185 | { | ||
186 | GNUNET_DNS_disconnect (handle); | ||
187 | handle = NULL; | ||
188 | } | ||
189 | } | ||
190 | |||
191 | |||
192 | /** | ||
193 | * Main function that will be run by the scheduler. | ||
194 | * | ||
195 | * @param cls closure | ||
196 | * @param args remaining command-line arguments | ||
197 | * @param cfgfile name of the configuration file used (for saving, can be NULL!) | ||
198 | * @param cfg configuration | ||
199 | */ | ||
200 | static void | ||
201 | run (void *cls, char *const *args, const char *cfgfile, | ||
202 | const struct GNUNET_CONFIGURATION_Handle *cfg) | ||
203 | { | ||
204 | struct in_addr i4; | ||
205 | struct in6_addr i6; | ||
206 | |||
207 | if ((n4 != NULL) && | ||
208 | (1 != inet_pton (AF_INET, n4, &i4))) | ||
209 | { | ||
210 | fprintf (stderr, | ||
211 | "`%s' is nto a valid IPv4 address!\n", | ||
212 | n4); | ||
213 | return; | ||
214 | } | ||
215 | if ((n6 != NULL) && | ||
216 | (1 != inet_pton (AF_INET6, n6, &i6))) | ||
217 | { | ||
218 | fprintf (stderr, | ||
219 | "`%s' is nto a valid IPv6 address!\n", | ||
220 | n6); | ||
221 | return; | ||
222 | } | ||
223 | |||
224 | handle = | ||
225 | GNUNET_DNS_connect (cfg, | ||
226 | GNUNET_DNS_FLAG_POST_RESOLUTION, | ||
227 | &modify_request, | ||
228 | NULL); | ||
229 | GNUNET_SCHEDULER_add_shutdown (&do_disconnect, NULL); | ||
230 | } | ||
231 | |||
232 | |||
233 | int | ||
234 | main (int argc, char *const *argv) | ||
235 | { | ||
236 | struct GNUNET_GETOPT_CommandLineOption options[] = { | ||
237 | GNUNET_GETOPT_option_string ('4', | ||
238 | "ipv4", | ||
239 | "IPV4", | ||
240 | gettext_noop ("set A records"), | ||
241 | &n4), | ||
242 | |||
243 | GNUNET_GETOPT_option_string ('6', | ||
244 | "ipv4", | ||
245 | "IPV6", | ||
246 | gettext_noop ("set AAAA records"), | ||
247 | &n6), | ||
248 | |||
249 | GNUNET_GETOPT_option_verbose (&verbosity), | ||
250 | GNUNET_GETOPT_OPTION_END | ||
251 | }; | ||
252 | |||
253 | if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv)) | ||
254 | return 2; | ||
255 | |||
256 | ret = (GNUNET_OK == | ||
257 | GNUNET_PROGRAM_run (argc, argv, "gnunet-dns-redirector", | ||
258 | gettext_noop | ||
259 | ("Change DNS replies to point elsewhere."), | ||
260 | options, | ||
261 | &run, NULL)) ? ret : 1; | ||
262 | GNUNET_free_nz ((void *) argv); | ||
263 | return ret; | ||
264 | } | ||
265 | |||
266 | |||
267 | /* end of gnunet-dns-redirector.c */ | ||
diff --git a/src/service/dns/gnunet-helper-dns.c b/src/service/dns/gnunet-helper-dns.c new file mode 100644 index 000000000..54443cd7a --- /dev/null +++ b/src/service/dns/gnunet-helper-dns.c | |||
@@ -0,0 +1,1195 @@ | |||
1 | /* | ||
2 | This file is part of GNUnet. | ||
3 | Copyright (C) 2010, 2011, 2012 Christian Grothoff | ||
4 | |||
5 | GNUnet is free software: you can redistribute it and/or modify it | ||
6 | under the terms of the GNU Affero General Public License as published | ||
7 | by the Free Software Foundation, either version 3 of the License, | ||
8 | or (at your option) any later version. | ||
9 | |||
10 | GNUnet is distributed in the hope that it will be useful, but | ||
11 | WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
13 | Affero General Public License for more details. | ||
14 | |||
15 | You should have received a copy of the GNU Affero General Public License | ||
16 | along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
17 | |||
18 | SPDX-License-Identifier: AGPL3.0-or-later | ||
19 | */ | ||
20 | |||
21 | /** | ||
22 | * @file dns/gnunet-helper-dns.c | ||
23 | * @brief helper to install firewall rules to hijack all DNS traffic | ||
24 | * and send it to our virtual interface (except for DNS traffic | ||
25 | * that originates on the specified port). We then | ||
26 | * allow interacting with our virtual interface via stdin/stdout. | ||
27 | * @author Philipp Tölke | ||
28 | * @author Christian Grothoff | ||
29 | * | ||
30 | * This program alters the Linux firewall rules so that DNS traffic | ||
31 | * that ordinarily exits the system can be intercepted and managed by | ||
32 | * a virtual interface. In order to achieve this, DNS traffic is | ||
33 | * marked with the DNS_MARK given in below and re-routed to a custom | ||
34 | * table with the DNS_TABLE ID given below. Systems and | ||
35 | * administrators must take care to not cause conflicts with these | ||
36 | * values (it was deemed safest to hardcode them as passing these | ||
37 | * values as arguments might permit messing with arbitrary firewall | ||
38 | * rules, which would be dangerous). Traffic coming from the same | ||
39 | * group ID as the effective group ID that this process is running | ||
40 | * as is not intercepted. | ||
41 | * | ||
42 | * The code first sets up the virtual interface, then begins to | ||
43 | * redirect the DNS traffic to it, and then on errors or SIGTERM shuts | ||
44 | * down the virtual interface and removes the rules for the traffic | ||
45 | * redirection. | ||
46 | * | ||
47 | * | ||
48 | * Note that having this binary SUID is only partially safe: it will | ||
49 | * allow redirecting (and intercepting / mangling) of all DNS traffic | ||
50 | * originating from this system by any user who is able to run it. | ||
51 | * Furthermore, this code will make it trivial to DoS all DNS traffic | ||
52 | * originating from the current system, simply by sending it to | ||
53 | * nowhere (redirect stdout to /dev/null). | ||
54 | * | ||
55 | * Naturally, neither of these problems can be helped as this is the | ||
56 | * fundamental purpose of the binary. Certifying that this code is | ||
57 | * "safe" thus only means that it doesn't allow anything else (such | ||
58 | * as local priv. escalation, etc.). | ||
59 | * | ||
60 | * The following list of people have reviewed this code and considered | ||
61 | * it safe (within specifications) since the last modification (if you | ||
62 | * reviewed it, please have your name added to the list): | ||
63 | * | ||
64 | * - Christian Grothoff | ||
65 | */ | ||
66 | #include "platform.h" | ||
67 | |||
68 | #ifdef IF_TUN_HDR | ||
69 | #include IF_TUN_HDR | ||
70 | #endif | ||
71 | |||
72 | /** | ||
73 | * Need 'struct GNUNET_MessageHeader'. | ||
74 | */ | ||
75 | #include "gnunet_util_lib.h" | ||
76 | #include "gnunet_common.h" | ||
77 | |||
78 | /** | ||
79 | * Need DNS message types. | ||
80 | */ | ||
81 | #include "gnunet_protocols.h" | ||
82 | |||
83 | /** | ||
84 | * Maximum size of a GNUnet message (GNUNET_MAX_MESSAGE_SIZE) | ||
85 | */ | ||
86 | #define MAX_SIZE 65536 | ||
87 | |||
88 | #if ! HAVE_DECL_STRUCT_IN6_IFREQ | ||
89 | /** | ||
90 | * This is in linux/include/net/ipv6.h, but not always exported... | ||
91 | */ | ||
92 | struct in6_ifreq | ||
93 | { | ||
94 | struct in6_addr ifr6_addr; | ||
95 | uint32_t ifr6_prefixlen; | ||
96 | unsigned int ifr6_ifindex; | ||
97 | }; | ||
98 | #endif | ||
99 | |||
100 | /** | ||
101 | * Name and full path of IPTABLES binary. | ||
102 | */ | ||
103 | static const char *sbin_iptables; | ||
104 | |||
105 | /** | ||
106 | * Name and full path of IPTABLES binary. | ||
107 | */ | ||
108 | static const char *sbin_ip6tables; | ||
109 | |||
110 | /** | ||
111 | * Name and full path of sysctl binary | ||
112 | */ | ||
113 | static const char *sbin_sysctl; | ||
114 | |||
115 | /** | ||
116 | * Name and full path of IPTABLES binary. | ||
117 | */ | ||
118 | static const char *sbin_ip; | ||
119 | |||
120 | /** | ||
121 | * Port for DNS traffic. | ||
122 | */ | ||
123 | #define DNS_PORT "53" | ||
124 | |||
125 | /** | ||
126 | * Marker we set for our hijacked DNS traffic. We use GNUnet's | ||
127 | * port (2086) plus the DNS port (53) in HEX to make a 32-bit mark | ||
128 | * (which is hopefully long enough to not collide); so | ||
129 | * 0x08260035 = 136708149 (hopefully unique enough...). | ||
130 | */ | ||
131 | #define DNS_MARK "136708149" | ||
132 | |||
133 | /** | ||
134 | * Table we use for our DNS rules. 0-255 is the range and | ||
135 | * 0, 253, 254 and 255 are already reserved. As this is about | ||
136 | * DNS and as "53" is likely (fingers crossed!) high enough to | ||
137 | * not usually conflict with a normal user's setup, we use 53 | ||
138 | * to give a hint that this has something to do with DNS. | ||
139 | */ | ||
140 | #define DNS_TABLE "53" | ||
141 | |||
142 | |||
143 | /** | ||
144 | * Control pipe for shutdown via signal. [0] is the read end, | ||
145 | * [1] is the write end. | ||
146 | */ | ||
147 | static int cpipe[2]; | ||
148 | |||
149 | |||
150 | /** | ||
151 | * Signal handler called to initiate "nice" shutdown. Signals select | ||
152 | * loop via non-bocking pipe 'cpipe'. | ||
153 | * | ||
154 | * @param signal signal number of the signal (not used) | ||
155 | */ | ||
156 | static void | ||
157 | signal_handler (int signal) | ||
158 | { | ||
159 | /* ignore return value, as the signal handler could theoretically | ||
160 | be called many times before the shutdown can actually happen */ | ||
161 | (void) write (cpipe[1], "K", 1); | ||
162 | } | ||
163 | |||
164 | |||
165 | /** | ||
166 | * Open '/dev/null' and make the result the given | ||
167 | * file descriptor. | ||
168 | * | ||
169 | * @param target_fd desired FD to point to /dev/null | ||
170 | * @param flags open flags (O_RDONLY, O_WRONLY) | ||
171 | */ | ||
172 | static void | ||
173 | open_dev_null (int target_fd, | ||
174 | int flags) | ||
175 | { | ||
176 | int fd; | ||
177 | |||
178 | fd = open ("/dev/null", flags); | ||
179 | if (-1 == fd) | ||
180 | abort (); | ||
181 | if (fd == target_fd) | ||
182 | return; | ||
183 | if (-1 == dup2 (fd, target_fd)) | ||
184 | { | ||
185 | (void) close (fd); | ||
186 | abort (); | ||
187 | } | ||
188 | (void) close (fd); | ||
189 | } | ||
190 | |||
191 | |||
192 | /** | ||
193 | * Run the given command and wait for it to complete. | ||
194 | * | ||
195 | * @param file name of the binary to run | ||
196 | * @param cmd command line arguments (as given to 'execv') | ||
197 | * @return 0 on success, 1 on any error | ||
198 | */ | ||
199 | static int | ||
200 | fork_and_exec (const char *file, | ||
201 | char *const cmd[]) | ||
202 | { | ||
203 | int status; | ||
204 | pid_t pid; | ||
205 | pid_t ret; | ||
206 | |||
207 | pid = fork (); | ||
208 | if (-1 == pid) | ||
209 | { | ||
210 | fprintf (stderr, | ||
211 | "fork failed: %s\n", | ||
212 | strerror (errno)); | ||
213 | return 1; | ||
214 | } | ||
215 | if (0 == pid) | ||
216 | { | ||
217 | /* we are the child process */ | ||
218 | /* close stdin/stdout to not cause interference | ||
219 | with the helper's main protocol! */ | ||
220 | (void) close (0); | ||
221 | open_dev_null (0, O_RDONLY); | ||
222 | (void) close (1); | ||
223 | open_dev_null (1, O_WRONLY); | ||
224 | (void) execv (file, cmd); | ||
225 | /* can only get here on error */ | ||
226 | fprintf (stderr, | ||
227 | "exec `%s' failed: %s\n", | ||
228 | file, | ||
229 | strerror (errno)); | ||
230 | _exit (1); | ||
231 | } | ||
232 | /* keep running waitpid as long as the only error we get is 'EINTR' */ | ||
233 | while ((-1 == (ret = waitpid (pid, &status, 0))) && | ||
234 | (errno == EINTR)) | ||
235 | ; | ||
236 | if (-1 == ret) | ||
237 | { | ||
238 | fprintf (stderr, | ||
239 | "waitpid failed: %s\n", | ||
240 | strerror (errno)); | ||
241 | return 1; | ||
242 | } | ||
243 | if (! (WIFEXITED (status) && (0 == WEXITSTATUS (status)))) | ||
244 | return 1; | ||
245 | /* child process completed and returned success, we're happy */ | ||
246 | return 0; | ||
247 | } | ||
248 | |||
249 | |||
250 | /** | ||
251 | * Creates a tun-interface called @a dev; | ||
252 | * | ||
253 | * @param dev is assumed to point to a char[IFNAMSIZ] | ||
254 | * if *dev == '\\0', uses the name supplied by the kernel; | ||
255 | * @return the fd to the tun or -1 on error | ||
256 | */ | ||
257 | static int | ||
258 | init_tun (char *dev) | ||
259 | { | ||
260 | struct ifreq ifr; | ||
261 | int fd; | ||
262 | |||
263 | if (NULL == dev) | ||
264 | { | ||
265 | errno = EINVAL; | ||
266 | return -1; | ||
267 | } | ||
268 | |||
269 | if (-1 == (fd = open ("/dev/net/tun", O_RDWR))) | ||
270 | { | ||
271 | fprintf (stderr, "Error opening `%s': %s\n", "/dev/net/tun", | ||
272 | strerror (errno)); | ||
273 | return -1; | ||
274 | } | ||
275 | |||
276 | if (fd >= FD_SETSIZE) | ||
277 | { | ||
278 | fprintf (stderr, "File descriptor to large: %d", fd); | ||
279 | (void) close (fd); | ||
280 | return -1; | ||
281 | } | ||
282 | |||
283 | memset (&ifr, 0, sizeof(ifr)); | ||
284 | ifr.ifr_flags = IFF_TUN; | ||
285 | |||
286 | if ('\0' != *dev) | ||
287 | strncpy (ifr.ifr_name, dev, IFNAMSIZ); | ||
288 | |||
289 | if (-1 == ioctl (fd, TUNSETIFF, (void *) &ifr)) | ||
290 | { | ||
291 | fprintf (stderr, "Error with ioctl on `%s': %s\n", "/dev/net/tun", | ||
292 | strerror (errno)); | ||
293 | (void) close (fd); | ||
294 | return -1; | ||
295 | } | ||
296 | strcpy (dev, ifr.ifr_name); | ||
297 | return fd; | ||
298 | } | ||
299 | |||
300 | |||
301 | /** | ||
302 | * @brief Sets the IPv6-Address given in @a address on the interface @a dev | ||
303 | * | ||
304 | * @param dev the interface to configure | ||
305 | * @param address the IPv6-Address | ||
306 | * @param prefix_len the length of the network-prefix | ||
307 | */ | ||
308 | static void | ||
309 | set_address6 (const char *dev, const char *address, unsigned long prefix_len) | ||
310 | { | ||
311 | struct ifreq ifr; | ||
312 | struct in6_ifreq ifr6; | ||
313 | struct sockaddr_in6 sa6; | ||
314 | int fd; | ||
315 | |||
316 | /* | ||
317 | * parse the new address | ||
318 | */ | ||
319 | memset (&sa6, 0, sizeof(struct sockaddr_in6)); | ||
320 | sa6.sin6_family = AF_INET6; | ||
321 | if (1 != inet_pton (AF_INET6, address, sa6.sin6_addr.s6_addr)) | ||
322 | { | ||
323 | fprintf (stderr, | ||
324 | "Failed to parse IPv6 address `%s': %s\n", | ||
325 | address, | ||
326 | strerror (errno)); | ||
327 | exit (1); | ||
328 | } | ||
329 | |||
330 | if (-1 == (fd = socket (PF_INET6, SOCK_DGRAM, 0))) | ||
331 | { | ||
332 | fprintf (stderr, | ||
333 | "Error creating IPv6 socket: %s (ignored)\n", | ||
334 | strerror (errno)); | ||
335 | /* ignore error, maybe only IPv4 works on this system! */ | ||
336 | return; | ||
337 | } | ||
338 | |||
339 | memset (&ifr, 0, sizeof(struct ifreq)); | ||
340 | /* | ||
341 | * Get the index of the if | ||
342 | */ | ||
343 | strncpy (ifr.ifr_name, dev, IFNAMSIZ); | ||
344 | if (-1 == ioctl (fd, SIOGIFINDEX, &ifr)) | ||
345 | { | ||
346 | fprintf (stderr, "ioctl failed at %d: %s\n", __LINE__, strerror (errno)); | ||
347 | (void) close (fd); | ||
348 | exit (1); | ||
349 | } | ||
350 | |||
351 | memset (&ifr6, 0, sizeof(struct in6_ifreq)); | ||
352 | ifr6.ifr6_addr = sa6.sin6_addr; | ||
353 | ifr6.ifr6_ifindex = ifr.ifr_ifindex; | ||
354 | ifr6.ifr6_prefixlen = prefix_len; | ||
355 | |||
356 | /* | ||
357 | * Set the address | ||
358 | */ | ||
359 | if (-1 == ioctl (fd, SIOCSIFADDR, &ifr6)) | ||
360 | { | ||
361 | fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__, | ||
362 | strerror (errno)); | ||
363 | (void) close (fd); | ||
364 | exit (1); | ||
365 | } | ||
366 | |||
367 | /* | ||
368 | * Get the flags | ||
369 | */ | ||
370 | if (-1 == ioctl (fd, SIOCGIFFLAGS, &ifr)) | ||
371 | { | ||
372 | fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__, | ||
373 | strerror (errno)); | ||
374 | (void) close (fd); | ||
375 | exit (1); | ||
376 | } | ||
377 | |||
378 | /* | ||
379 | * Add the UP and RUNNING flags | ||
380 | */ | ||
381 | ifr.ifr_flags |= IFF_UP | IFF_RUNNING; | ||
382 | if (-1 == ioctl (fd, SIOCSIFFLAGS, &ifr)) | ||
383 | { | ||
384 | fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__, | ||
385 | strerror (errno)); | ||
386 | (void) close (fd); | ||
387 | exit (1); | ||
388 | } | ||
389 | |||
390 | if (0 != close (fd)) | ||
391 | { | ||
392 | fprintf (stderr, "close failed: %s\n", strerror (errno)); | ||
393 | exit (1); | ||
394 | } | ||
395 | } | ||
396 | |||
397 | |||
398 | /** | ||
399 | * @brief Sets the IPv4-Address given in @a address on the interface @a dev | ||
400 | * | ||
401 | * @param dev the interface to configure | ||
402 | * @param address the IPv4-Address | ||
403 | * @param mask the netmask | ||
404 | */ | ||
405 | static void | ||
406 | set_address4 (const char *dev, const char *address, const char *mask) | ||
407 | { | ||
408 | int fd; | ||
409 | struct sockaddr_in *addr; | ||
410 | struct ifreq ifr; | ||
411 | |||
412 | memset (&ifr, 0, sizeof(struct ifreq)); | ||
413 | addr = (struct sockaddr_in *) &(ifr.ifr_addr); | ||
414 | addr->sin_family = AF_INET; | ||
415 | |||
416 | /* | ||
417 | * Parse the address | ||
418 | */ | ||
419 | if (1 != inet_pton (AF_INET, address, &addr->sin_addr.s_addr)) | ||
420 | { | ||
421 | fprintf (stderr, | ||
422 | "Failed to parse IPv4 address `%s': %s\n", | ||
423 | address, | ||
424 | strerror (errno)); | ||
425 | exit (1); | ||
426 | } | ||
427 | |||
428 | if (-1 == (fd = socket (PF_INET, SOCK_DGRAM, 0))) | ||
429 | { | ||
430 | fprintf (stderr, | ||
431 | "Error creating IPv4 socket: %s\n", | ||
432 | strerror (errno)); | ||
433 | exit (1); | ||
434 | } | ||
435 | |||
436 | strncpy (ifr.ifr_name, dev, IFNAMSIZ); | ||
437 | |||
438 | /* | ||
439 | * Set the address | ||
440 | */ | ||
441 | if (-1 == ioctl (fd, SIOCSIFADDR, &ifr)) | ||
442 | { | ||
443 | fprintf (stderr, "ioctl failed at %d: %s\n", __LINE__, strerror (errno)); | ||
444 | (void) close (fd); | ||
445 | exit (1); | ||
446 | } | ||
447 | |||
448 | /* | ||
449 | * Parse the netmask | ||
450 | */ | ||
451 | addr = (struct sockaddr_in *) &(ifr.ifr_netmask); | ||
452 | if (1 != inet_pton (AF_INET, mask, &addr->sin_addr.s_addr)) | ||
453 | { | ||
454 | fprintf (stderr, "Failed to parse address `%s': %s\n", mask, | ||
455 | strerror (errno)); | ||
456 | (void) close (fd); | ||
457 | exit (1); | ||
458 | } | ||
459 | |||
460 | /* | ||
461 | * Set the netmask | ||
462 | */ | ||
463 | if (-1 == ioctl (fd, SIOCSIFNETMASK, &ifr)) | ||
464 | { | ||
465 | fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__, | ||
466 | strerror (errno)); | ||
467 | (void) close (fd); | ||
468 | exit (1); | ||
469 | } | ||
470 | |||
471 | /* | ||
472 | * Get the flags | ||
473 | */ | ||
474 | if (-1 == ioctl (fd, SIOCGIFFLAGS, &ifr)) | ||
475 | { | ||
476 | fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__, | ||
477 | strerror (errno)); | ||
478 | (void) close (fd); | ||
479 | exit (1); | ||
480 | } | ||
481 | |||
482 | /* | ||
483 | * Add the UP and RUNNING flags | ||
484 | */ | ||
485 | ifr.ifr_flags |= IFF_UP | IFF_RUNNING; | ||
486 | if (-1 == ioctl (fd, SIOCSIFFLAGS, &ifr)) | ||
487 | { | ||
488 | fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__, | ||
489 | strerror (errno)); | ||
490 | (void) close (fd); | ||
491 | exit (1); | ||
492 | } | ||
493 | |||
494 | if (0 != close (fd)) | ||
495 | { | ||
496 | fprintf (stderr, "close failed: %s\n", strerror (errno)); | ||
497 | (void) close (fd); | ||
498 | exit (1); | ||
499 | } | ||
500 | } | ||
501 | |||
502 | |||
503 | /** | ||
504 | * Start forwarding to and from the tunnel. This function runs with | ||
505 | * "reduced" privileges (saved UID is still 0, but effective UID is | ||
506 | * the real user ID). | ||
507 | * | ||
508 | * @param fd_tun tunnel FD | ||
509 | */ | ||
510 | static void | ||
511 | run (int fd_tun) | ||
512 | { | ||
513 | /* | ||
514 | * The buffer filled by reading from fd_tun | ||
515 | */ | ||
516 | unsigned char buftun[MAX_SIZE]; | ||
517 | ssize_t buftun_size = 0; | ||
518 | unsigned char *buftun_read = NULL; | ||
519 | |||
520 | /* | ||
521 | * The buffer filled by reading from stdin | ||
522 | */ | ||
523 | unsigned char bufin[MAX_SIZE]; | ||
524 | ssize_t bufin_size = 0; | ||
525 | size_t bufin_rpos = 0; | ||
526 | unsigned char *bufin_read = NULL; | ||
527 | fd_set fds_w; | ||
528 | fd_set fds_r; | ||
529 | int max; | ||
530 | |||
531 | while (1) | ||
532 | { | ||
533 | FD_ZERO (&fds_w); | ||
534 | FD_ZERO (&fds_r); | ||
535 | |||
536 | /* | ||
537 | * We are supposed to read and the buffer is empty | ||
538 | * -> select on read from tun | ||
539 | */ | ||
540 | if (0 == buftun_size) | ||
541 | FD_SET (fd_tun, &fds_r); | ||
542 | |||
543 | /* | ||
544 | * We are supposed to read and the buffer is not empty | ||
545 | * -> select on write to stdout | ||
546 | */ | ||
547 | if (0 < buftun_size) | ||
548 | FD_SET (1, &fds_w); | ||
549 | |||
550 | /* | ||
551 | * We are supposed to write and the buffer is empty | ||
552 | * -> select on read from stdin | ||
553 | */ | ||
554 | if (NULL == bufin_read) | ||
555 | FD_SET (0, &fds_r); | ||
556 | |||
557 | /* | ||
558 | * We are supposed to write and the buffer is not empty | ||
559 | * -> select on write to tun | ||
560 | */ | ||
561 | if (NULL != bufin_read) | ||
562 | FD_SET (fd_tun, &fds_w); | ||
563 | |||
564 | FD_SET (cpipe[0], &fds_r); | ||
565 | max = (fd_tun > cpipe[0]) ? fd_tun : cpipe[0]; | ||
566 | |||
567 | int r = select (max + 1, &fds_r, &fds_w, NULL, NULL); | ||
568 | |||
569 | if (-1 == r) | ||
570 | { | ||
571 | if (EINTR == errno) | ||
572 | continue; | ||
573 | fprintf (stderr, "select failed: %s\n", strerror (errno)); | ||
574 | return; | ||
575 | } | ||
576 | |||
577 | if (r > 0) | ||
578 | { | ||
579 | if (FD_ISSET (cpipe[0], &fds_r)) | ||
580 | return; /* aborted by signal */ | ||
581 | |||
582 | if (FD_ISSET (fd_tun, &fds_r)) | ||
583 | { | ||
584 | buftun_size = | ||
585 | read (fd_tun, buftun + sizeof(struct GNUNET_MessageHeader), | ||
586 | MAX_SIZE - sizeof(struct GNUNET_MessageHeader)); | ||
587 | if (-1 == buftun_size) | ||
588 | { | ||
589 | if ((errno == EINTR) || | ||
590 | (errno == EAGAIN)) | ||
591 | { | ||
592 | buftun_size = 0; | ||
593 | continue; | ||
594 | } | ||
595 | fprintf (stderr, "read-error: %s\n", strerror (errno)); | ||
596 | return; | ||
597 | } | ||
598 | if (0 == buftun_size) | ||
599 | { | ||
600 | fprintf (stderr, "EOF on tun\n"); | ||
601 | return; | ||
602 | } | ||
603 | buftun_read = buftun; | ||
604 | { | ||
605 | struct GNUNET_MessageHeader *hdr = | ||
606 | (struct GNUNET_MessageHeader *) buftun; | ||
607 | buftun_size += sizeof(struct GNUNET_MessageHeader); | ||
608 | hdr->type = htons (GNUNET_MESSAGE_TYPE_DNS_HELPER); | ||
609 | hdr->size = htons (buftun_size); | ||
610 | } | ||
611 | } | ||
612 | else if (FD_ISSET (1, &fds_w)) | ||
613 | { | ||
614 | ssize_t written = write (1, buftun_read, buftun_size); | ||
615 | |||
616 | if (-1 == written) | ||
617 | { | ||
618 | if ((errno == EINTR) || | ||
619 | (errno == EAGAIN)) | ||
620 | continue; | ||
621 | fprintf (stderr, "write-error to stdout: %s\n", strerror (errno)); | ||
622 | return; | ||
623 | } | ||
624 | if (0 == written) | ||
625 | { | ||
626 | fprintf (stderr, "write returned 0\n"); | ||
627 | return; | ||
628 | } | ||
629 | buftun_size -= written; | ||
630 | buftun_read += written; | ||
631 | } | ||
632 | |||
633 | if (FD_ISSET (0, &fds_r)) | ||
634 | { | ||
635 | bufin_size = read (0, bufin + bufin_rpos, MAX_SIZE - bufin_rpos); | ||
636 | if (-1 == bufin_size) | ||
637 | { | ||
638 | bufin_read = NULL; | ||
639 | if ((errno == EINTR) || | ||
640 | (errno == EAGAIN)) | ||
641 | continue; | ||
642 | fprintf (stderr, "read-error: %s\n", strerror (errno)); | ||
643 | return; | ||
644 | } | ||
645 | if (0 == bufin_size) | ||
646 | { | ||
647 | bufin_read = NULL; | ||
648 | fprintf (stderr, "EOF on stdin\n"); | ||
649 | return; | ||
650 | } | ||
651 | { | ||
652 | struct GNUNET_MessageHeader *hdr; | ||
653 | |||
654 | PROCESS_BUFFER: | ||
655 | bufin_rpos += bufin_size; | ||
656 | if (bufin_rpos < sizeof(struct GNUNET_MessageHeader)) | ||
657 | continue; | ||
658 | hdr = (struct GNUNET_MessageHeader *) bufin; | ||
659 | if (ntohs (hdr->type) != GNUNET_MESSAGE_TYPE_DNS_HELPER) | ||
660 | { | ||
661 | fprintf (stderr, "protocol violation!\n"); | ||
662 | return; | ||
663 | } | ||
664 | if (ntohs (hdr->size) > bufin_rpos) | ||
665 | continue; | ||
666 | bufin_read = bufin + sizeof(struct GNUNET_MessageHeader); | ||
667 | bufin_size = ntohs (hdr->size) - sizeof(struct GNUNET_MessageHeader); | ||
668 | bufin_rpos -= bufin_size + sizeof(struct GNUNET_MessageHeader); | ||
669 | } | ||
670 | } | ||
671 | else if (FD_ISSET (fd_tun, &fds_w)) | ||
672 | { | ||
673 | ssize_t written = write (fd_tun, bufin_read, bufin_size); | ||
674 | |||
675 | if (-1 == written) | ||
676 | { | ||
677 | if ((errno == EINTR) || | ||
678 | (errno == EAGAIN)) | ||
679 | continue; | ||
680 | fprintf (stderr, "write-error to tun: %s\n", strerror (errno)); | ||
681 | return; | ||
682 | } | ||
683 | if (0 == written) | ||
684 | { | ||
685 | fprintf (stderr, "write returned 0\n"); | ||
686 | return; | ||
687 | } | ||
688 | { | ||
689 | bufin_size -= written; | ||
690 | bufin_read += written; | ||
691 | if (0 == bufin_size) | ||
692 | { | ||
693 | memmove (bufin, bufin_read, bufin_rpos); | ||
694 | bufin_read = NULL; /* start reading again */ | ||
695 | bufin_size = 0; | ||
696 | goto PROCESS_BUFFER; | ||
697 | } | ||
698 | } | ||
699 | } | ||
700 | } | ||
701 | } | ||
702 | } | ||
703 | |||
704 | |||
705 | /** | ||
706 | * Main function of "gnunet-helper-dns", which opens a VPN tunnel interface, | ||
707 | * redirects all outgoing DNS traffic (except from the specified port) to that | ||
708 | * interface and then passes traffic from and to the interface via stdin/stdout. | ||
709 | * | ||
710 | * Once stdin/stdout close or have other errors, the tunnel is closed and the | ||
711 | * DNS traffic redirection is stopped. | ||
712 | * | ||
713 | * @param argc number of arguments | ||
714 | * @param argv 0: binary name (should be "gnunet-helper-vpn") | ||
715 | * 1: tunnel interface name (typically "gnunet-dns") | ||
716 | * 2: IPv6 address for the tunnel ("FE80::1") | ||
717 | * 3: IPv6 netmask length in bits ("64") | ||
718 | * 4: IPv4 address for the tunnel ("1.2.3.4") | ||
719 | * 5: IPv4 netmask ("255.255.0.0") | ||
720 | * 6: skip sysctl, routing and iptables setup ("0") | ||
721 | * @return 0 on success, otherwise code indicating type of error: | ||
722 | * 1 wrong number of arguments | ||
723 | * 2 invalid arguments (i.e. port number / prefix length wrong) | ||
724 | * 3 iptables not executable | ||
725 | * 4 ip not executable | ||
726 | * 5 failed to initialize tunnel interface | ||
727 | * 6 failed to initialize control pipe | ||
728 | * 8 failed to change routing table, cleanup successful | ||
729 | * 9-23 failed to change routing table and failed to undo some changes to routing table | ||
730 | * 24 failed to drop privs | ||
731 | * 25-39 failed to drop privs and then failed to undo some changes to routing table | ||
732 | * 40 failed to regain privs | ||
733 | * 41-55 failed to regain prisv and then failed to undo some changes to routing table | ||
734 | * 254 insufficient privileges | ||
735 | * 255 failed to handle kill signal properly | ||
736 | */ | ||
737 | int | ||
738 | main (int argc, char *const*argv) | ||
739 | { | ||
740 | int r; | ||
741 | char dev[IFNAMSIZ]; | ||
742 | char mygid[32]; | ||
743 | int fd_tun; | ||
744 | uid_t uid; | ||
745 | int nortsetup = 0; | ||
746 | |||
747 | if (7 != argc) | ||
748 | { | ||
749 | fprintf (stderr, "Fatal: must supply 6 arguments!\n"); | ||
750 | return 1; | ||
751 | } | ||
752 | |||
753 | /* assert privs so we can modify the firewall rules! */ | ||
754 | uid = getuid (); | ||
755 | #ifdef HAVE_SETRESUID | ||
756 | if (0 != setresuid (uid, 0, 0)) | ||
757 | { | ||
758 | fprintf (stderr, "Failed to setresuid to root: %s\n", strerror (errno)); | ||
759 | return 254; | ||
760 | } | ||
761 | #else | ||
762 | if (0 != seteuid (0)) | ||
763 | { | ||
764 | fprintf (stderr, "Failed to seteuid back to root: %s\n", strerror (errno)); | ||
765 | return 254; | ||
766 | } | ||
767 | #endif | ||
768 | if (0 == strncmp (argv[6], "1", 2)) | ||
769 | nortsetup = 1; | ||
770 | |||
771 | if (0 == nortsetup) | ||
772 | { | ||
773 | /* verify that the binaries we care about are executable */ | ||
774 | #ifdef IPTABLES | ||
775 | if (0 == access (IPTABLES, X_OK)) | ||
776 | sbin_iptables = IPTABLES; | ||
777 | else | ||
778 | #endif | ||
779 | if (0 == access ("/sbin/iptables", X_OK)) | ||
780 | sbin_iptables = "/sbin/iptables"; | ||
781 | else if (0 == access ("/usr/sbin/iptables", X_OK)) | ||
782 | sbin_iptables = "/usr/sbin/iptables"; | ||
783 | else | ||
784 | { | ||
785 | fprintf (stderr, | ||
786 | "Fatal: executable iptables not found in approved directories: %s\n", | ||
787 | strerror (errno)); | ||
788 | return 3; | ||
789 | } | ||
790 | #ifdef IP6TABLES | ||
791 | if (0 == access (IP6TABLES, X_OK)) | ||
792 | sbin_ip6tables = IP6TABLES; | ||
793 | else | ||
794 | #endif | ||
795 | if (0 == access ("/sbin/ip6tables", X_OK)) | ||
796 | sbin_ip6tables = "/sbin/ip6tables"; | ||
797 | else if (0 == access ("/usr/sbin/ip6tables", X_OK)) | ||
798 | sbin_ip6tables = "/usr/sbin/ip6tables"; | ||
799 | else | ||
800 | { | ||
801 | fprintf (stderr, | ||
802 | "Fatal: executable ip6tables not found in approved directories: %s\n", | ||
803 | strerror (errno)); | ||
804 | return 3; | ||
805 | } | ||
806 | #ifdef PATH_TO_IP | ||
807 | if (0 == access (PATH_TO_IP, X_OK)) | ||
808 | sbin_ip = PATH_TO_IP; | ||
809 | else | ||
810 | #endif | ||
811 | if (0 == access ("/sbin/ip", X_OK)) | ||
812 | sbin_ip = "/sbin/ip"; | ||
813 | else if (0 == access ("/usr/sbin/ip", X_OK)) | ||
814 | sbin_ip = "/usr/sbin/ip"; | ||
815 | else if (0 == access ("/bin/ip", X_OK)) /* gentoo has it there */ | ||
816 | sbin_ip = "/bin/ip"; | ||
817 | else | ||
818 | { | ||
819 | fprintf (stderr, | ||
820 | "Fatal: executable ip not found in approved directories: %s\n", | ||
821 | strerror (errno)); | ||
822 | return 4; | ||
823 | } | ||
824 | #ifdef SYSCTL | ||
825 | if (0 == access (SYSCTL, X_OK)) | ||
826 | sbin_sysctl = SYSCTL; | ||
827 | else | ||
828 | #endif | ||
829 | if (0 == access ("/sbin/sysctl", X_OK)) | ||
830 | sbin_sysctl = "/sbin/sysctl"; | ||
831 | else if (0 == access ("/usr/sbin/sysctl", X_OK)) | ||
832 | sbin_sysctl = "/usr/sbin/sysctl"; | ||
833 | else | ||
834 | { | ||
835 | fprintf (stderr, | ||
836 | "Fatal: executable sysctl not found in approved directories: %s\n", | ||
837 | strerror (errno)); | ||
838 | return 5; | ||
839 | } | ||
840 | } | ||
841 | |||
842 | /* setup 'mygid' string */ | ||
843 | snprintf (mygid, sizeof(mygid), "%d", (int) getegid ()); | ||
844 | |||
845 | /* do not die on SIGPIPE */ | ||
846 | if (SIG_ERR == signal (SIGPIPE, SIG_IGN)) | ||
847 | { | ||
848 | fprintf (stderr, "Failed to protect against SIGPIPE: %s\n", | ||
849 | strerror (errno)); | ||
850 | return 7; | ||
851 | } | ||
852 | |||
853 | /* setup pipe to shutdown nicely on SIGINT */ | ||
854 | if (0 != pipe (cpipe)) | ||
855 | { | ||
856 | fprintf (stderr, | ||
857 | "Fatal: could not setup control pipe: %s\n", | ||
858 | strerror (errno)); | ||
859 | return 6; | ||
860 | } | ||
861 | if (cpipe[0] >= FD_SETSIZE) | ||
862 | { | ||
863 | fprintf (stderr, "Pipe file descriptor to large: %d", cpipe[0]); | ||
864 | (void) close (cpipe[0]); | ||
865 | (void) close (cpipe[1]); | ||
866 | return 6; | ||
867 | } | ||
868 | { | ||
869 | /* make pipe non-blocking, as we theoretically could otherwise block | ||
870 | in the signal handler */ | ||
871 | int flags = fcntl (cpipe[1], F_GETFL); | ||
872 | if (-1 == flags) | ||
873 | { | ||
874 | fprintf (stderr, "Failed to read flags for pipe: %s", strerror (errno)); | ||
875 | (void) close (cpipe[0]); | ||
876 | (void) close (cpipe[1]); | ||
877 | return 6; | ||
878 | } | ||
879 | flags |= O_NONBLOCK; | ||
880 | if (0 != fcntl (cpipe[1], F_SETFL, flags)) | ||
881 | { | ||
882 | fprintf (stderr, "Failed to make pipe non-blocking: %s", strerror ( | ||
883 | errno)); | ||
884 | (void) close (cpipe[0]); | ||
885 | (void) close (cpipe[1]); | ||
886 | return 6; | ||
887 | } | ||
888 | } | ||
889 | if ((SIG_ERR == signal (SIGTERM, &signal_handler)) || | ||
890 | #if (SIGTERM != GNUNET_TERM_SIG) | ||
891 | (SIG_ERR == signal (GNUNET_TERM_SIG, &signal_handler)) || | ||
892 | #endif | ||
893 | (SIG_ERR == signal (SIGINT, &signal_handler)) || | ||
894 | (SIG_ERR == signal (SIGHUP, &signal_handler))) | ||
895 | { | ||
896 | fprintf (stderr, | ||
897 | "Fatal: could not initialize signal handler: %s\n", | ||
898 | strerror (errno)); | ||
899 | (void) close (cpipe[0]); | ||
900 | (void) close (cpipe[1]); | ||
901 | return 7; | ||
902 | } | ||
903 | |||
904 | |||
905 | /* get interface name */ | ||
906 | strncpy (dev, argv[1], IFNAMSIZ); | ||
907 | dev[IFNAMSIZ - 1] = '\0'; | ||
908 | |||
909 | /* Disable rp filtering */ | ||
910 | if (0 == nortsetup) | ||
911 | { | ||
912 | char *const sysctl_args[] = { "sysctl", "-w", | ||
913 | "net.ipv4.conf.all.rp_filter=0", NULL }; | ||
914 | char *const sysctl_args2[] = { "sysctl", "-w", | ||
915 | "net.ipv4.conf.default.rp_filter=0", NULL }; | ||
916 | if ((0 != fork_and_exec (sbin_sysctl, sysctl_args)) || | ||
917 | (0 != fork_and_exec (sbin_sysctl, sysctl_args2))) | ||
918 | { | ||
919 | fprintf (stderr, | ||
920 | "Failed to disable rp filtering.\n"); | ||
921 | return 5; | ||
922 | } | ||
923 | } | ||
924 | |||
925 | |||
926 | /* now open virtual interface (first part that requires root) */ | ||
927 | if (-1 == (fd_tun = init_tun (dev))) | ||
928 | { | ||
929 | fprintf (stderr, "Fatal: could not initialize tun-interface\n"); | ||
930 | (void) signal (SIGTERM, SIG_IGN); | ||
931 | #if (SIGTERM != GNUNET_TERM_SIG) | ||
932 | (void) signal (GNUNET_TERM_SIG, SIG_IGN); | ||
933 | #endif | ||
934 | (void) signal (SIGINT, SIG_IGN); | ||
935 | (void) signal (SIGHUP, SIG_IGN); | ||
936 | (void) close (cpipe[0]); | ||
937 | (void) close (cpipe[1]); | ||
938 | return 5; | ||
939 | } | ||
940 | |||
941 | /* now set interface addresses */ | ||
942 | { | ||
943 | const char *address = argv[2]; | ||
944 | long prefix_len = atol (argv[3]); | ||
945 | |||
946 | if ((prefix_len < 1) || (prefix_len > 127)) | ||
947 | { | ||
948 | fprintf (stderr, "Fatal: prefix_len out of range\n"); | ||
949 | (void) signal (SIGTERM, SIG_IGN); | ||
950 | #if (SIGTERM != GNUNET_TERM_SIG) | ||
951 | (void) signal (GNUNET_TERM_SIG, SIG_IGN); | ||
952 | #endif | ||
953 | (void) signal (SIGINT, SIG_IGN); | ||
954 | (void) signal (SIGHUP, SIG_IGN); | ||
955 | (void) close (cpipe[0]); | ||
956 | (void) close (cpipe[1]); | ||
957 | return 2; | ||
958 | } | ||
959 | set_address6 (dev, address, prefix_len); | ||
960 | } | ||
961 | |||
962 | { | ||
963 | const char *address = argv[4]; | ||
964 | const char *mask = argv[5]; | ||
965 | |||
966 | set_address4 (dev, address, mask); | ||
967 | } | ||
968 | |||
969 | |||
970 | /* update routing tables -- next part why we need SUID! */ | ||
971 | /* Forward everything from our EGID (which should only be held | ||
972 | by the 'gnunet-service-dns') and with destination | ||
973 | to port 53 on UDP, without hijacking */ | ||
974 | if (0 == nortsetup) | ||
975 | { | ||
976 | r = 8; /* failed to fully setup routing table */ | ||
977 | { | ||
978 | char *const mangle_args[] = { | ||
979 | "iptables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p", | ||
980 | "udp", "--gid-owner", mygid, "--dport", DNS_PORT, "-j", | ||
981 | "ACCEPT", NULL | ||
982 | }; | ||
983 | if (0 != fork_and_exec (sbin_iptables, mangle_args)) | ||
984 | goto cleanup_rest; | ||
985 | } | ||
986 | { | ||
987 | char *const mangle_args[] = { | ||
988 | "ip6tables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p", | ||
989 | "udp", "--gid-owner", mygid, "--dport", DNS_PORT, "-j", | ||
990 | "ACCEPT", NULL | ||
991 | }; | ||
992 | if (0 != fork_and_exec (sbin_ip6tables, mangle_args)) | ||
993 | goto cleanup_mangle_1b; | ||
994 | } | ||
995 | /* Mark all of the other DNS traffic using our mark DNS_MARK, | ||
996 | unless it is on a link-local IPv6 address, which we cannot support. */ | ||
997 | { | ||
998 | char *const mark_args[] = { | ||
999 | "iptables", "-t", "mangle", "-I", "OUTPUT", "2", "-p", | ||
1000 | "udp", "--dport", DNS_PORT, | ||
1001 | "-j", "MARK", "--set-mark", DNS_MARK, | ||
1002 | NULL | ||
1003 | }; | ||
1004 | if (0 != fork_and_exec (sbin_iptables, mark_args)) | ||
1005 | goto cleanup_mangle_1; | ||
1006 | } | ||
1007 | { | ||
1008 | char *const mark_args[] = { | ||
1009 | "ip6tables", "-t", "mangle", "-I", "OUTPUT", "2", "-p", | ||
1010 | "udp", "--dport", DNS_PORT, | ||
1011 | "!", "-s", "fe80::/10", /* this line excludes link-local traffic */ | ||
1012 | "-j", "MARK", "--set-mark", DNS_MARK, | ||
1013 | NULL | ||
1014 | }; | ||
1015 | if (0 != fork_and_exec (sbin_ip6tables, mark_args)) | ||
1016 | goto cleanup_mark_2b; | ||
1017 | } | ||
1018 | /* Forward all marked DNS traffic to our DNS_TABLE */ | ||
1019 | { | ||
1020 | char *const forward_args[] = { | ||
1021 | "ip", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL | ||
1022 | }; | ||
1023 | if (0 != fork_and_exec (sbin_ip, forward_args)) | ||
1024 | goto cleanup_mark_2; | ||
1025 | } | ||
1026 | { | ||
1027 | char *const forward_args[] = { | ||
1028 | "ip", "-6", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL | ||
1029 | }; | ||
1030 | if (0 != fork_and_exec (sbin_ip, forward_args)) | ||
1031 | goto cleanup_forward_3b; | ||
1032 | } | ||
1033 | /* Finally, add rule in our forwarding table to pass to our virtual interface */ | ||
1034 | { | ||
1035 | char *const route_args[] = { | ||
1036 | "ip", "route", "add", "default", "dev", dev, | ||
1037 | "table", DNS_TABLE, NULL | ||
1038 | }; | ||
1039 | if (0 != fork_and_exec (sbin_ip, route_args)) | ||
1040 | goto cleanup_forward_3; | ||
1041 | } | ||
1042 | { | ||
1043 | char *const route_args[] = { | ||
1044 | "ip", "-6", "route", "add", "default", "dev", dev, | ||
1045 | "table", DNS_TABLE, NULL | ||
1046 | }; | ||
1047 | if (0 != fork_and_exec (sbin_ip, route_args)) | ||
1048 | goto cleanup_route_4b; | ||
1049 | } | ||
1050 | } | ||
1051 | |||
1052 | /* drop privs *except* for the saved UID; this is not perfect, but better | ||
1053 | than doing nothing */ | ||
1054 | #ifdef HAVE_SETRESUID | ||
1055 | if (0 != setresuid (uid, uid, 0)) | ||
1056 | { | ||
1057 | fprintf (stderr, "Failed to setresuid: %s\n", strerror (errno)); | ||
1058 | r = 24; | ||
1059 | goto cleanup_route_4; | ||
1060 | } | ||
1061 | #else | ||
1062 | /* Note: no 'setuid' here as we must keep our saved UID as root */ | ||
1063 | if (0 != seteuid (uid)) | ||
1064 | { | ||
1065 | fprintf (stderr, "Failed to seteuid: %s\n", strerror (errno)); | ||
1066 | r = 24; | ||
1067 | goto cleanup_route_4; | ||
1068 | } | ||
1069 | #endif | ||
1070 | |||
1071 | r = 0; /* did fully setup routing table (if nothing else happens, we were successful!) */ | ||
1072 | |||
1073 | /* now forward until we hit a problem */ | ||
1074 | run (fd_tun); | ||
1075 | |||
1076 | /* now need to regain privs so we can remove the firewall rules we added! */ | ||
1077 | #ifdef HAVE_SETRESUID | ||
1078 | if (0 != setresuid (uid, 0, 0)) | ||
1079 | { | ||
1080 | fprintf (stderr, "Failed to setresuid back to root: %s\n", strerror ( | ||
1081 | errno)); | ||
1082 | r = 40; | ||
1083 | goto cleanup_route_4; | ||
1084 | } | ||
1085 | #else | ||
1086 | if (0 != seteuid (0)) | ||
1087 | { | ||
1088 | fprintf (stderr, "Failed to seteuid back to root: %s\n", strerror (errno)); | ||
1089 | r = 40; | ||
1090 | goto cleanup_route_4; | ||
1091 | } | ||
1092 | #endif | ||
1093 | |||
1094 | /* update routing tables again -- this is why we could not fully drop privs */ | ||
1095 | /* now undo updating of routing tables; normal exit or clean-up-on-error case */ | ||
1096 | cleanup_route_4: | ||
1097 | if (0 == nortsetup) | ||
1098 | { | ||
1099 | char *const route_clean_args[] = { | ||
1100 | "ip", "-6", "route", "del", "default", "dev", dev, | ||
1101 | "table", DNS_TABLE, NULL | ||
1102 | }; | ||
1103 | if (0 != fork_and_exec (sbin_ip, route_clean_args)) | ||
1104 | r += 1; | ||
1105 | } | ||
1106 | cleanup_route_4b: | ||
1107 | if (0 == nortsetup) | ||
1108 | { | ||
1109 | char *const route_clean_args[] = { | ||
1110 | "ip", "route", "del", "default", "dev", dev, | ||
1111 | "table", DNS_TABLE, NULL | ||
1112 | }; | ||
1113 | if (0 != fork_and_exec (sbin_ip, route_clean_args)) | ||
1114 | r += 1; | ||
1115 | } | ||
1116 | cleanup_forward_3: | ||
1117 | if (0 == nortsetup) | ||
1118 | { | ||
1119 | char *const forward_clean_args[] = { | ||
1120 | "ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL | ||
1121 | }; | ||
1122 | if (0 != fork_and_exec (sbin_ip, forward_clean_args)) | ||
1123 | r += 2; | ||
1124 | } | ||
1125 | cleanup_forward_3b: | ||
1126 | if (0 == nortsetup) | ||
1127 | { | ||
1128 | char *const forward_clean_args[] = { | ||
1129 | "ip", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL | ||
1130 | }; | ||
1131 | if (0 != fork_and_exec (sbin_ip, forward_clean_args)) | ||
1132 | r += 2; | ||
1133 | } | ||
1134 | cleanup_mark_2: | ||
1135 | if (0 == nortsetup) | ||
1136 | { | ||
1137 | char *const mark_clean_args[] = { | ||
1138 | "ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", | ||
1139 | "--dport", DNS_PORT, | ||
1140 | "!", "-s", "fe80::/10", /* this line excludes link-local traffic */ | ||
1141 | "-j", "MARK", "--set-mark", DNS_MARK, NULL | ||
1142 | }; | ||
1143 | if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args)) | ||
1144 | r += 4; | ||
1145 | } | ||
1146 | cleanup_mark_2b: | ||
1147 | if (0 == nortsetup) | ||
1148 | { | ||
1149 | char *const mark_clean_args[] = { | ||
1150 | "iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", | ||
1151 | "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL | ||
1152 | }; | ||
1153 | if (0 != fork_and_exec (sbin_iptables, mark_clean_args)) | ||
1154 | r += 4; | ||
1155 | } | ||
1156 | cleanup_mangle_1: | ||
1157 | if (0 == nortsetup) | ||
1158 | { | ||
1159 | char *const mangle_clean_args[] = { | ||
1160 | "ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", | ||
1161 | "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT", | ||
1162 | NULL | ||
1163 | }; | ||
1164 | if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args)) | ||
1165 | r += 8; | ||
1166 | } | ||
1167 | cleanup_mangle_1b: | ||
1168 | if (0 == nortsetup) | ||
1169 | { | ||
1170 | char *const mangle_clean_args[] = { | ||
1171 | "iptables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", | ||
1172 | "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT", | ||
1173 | NULL | ||
1174 | }; | ||
1175 | if (0 != fork_and_exec (sbin_iptables, mangle_clean_args)) | ||
1176 | r += 8; | ||
1177 | } | ||
1178 | |||
1179 | cleanup_rest: | ||
1180 | /* close virtual interface */ | ||
1181 | (void) close (fd_tun); | ||
1182 | /* remove signal handler so we can close the pipes */ | ||
1183 | (void) signal (SIGTERM, SIG_IGN); | ||
1184 | #if (SIGTERM != GNUNET_TERM_SIG) | ||
1185 | (void) signal (GNUNET_TERM_SIG, SIG_IGN); | ||
1186 | #endif | ||
1187 | (void) signal (SIGINT, SIG_IGN); | ||
1188 | (void) signal (SIGHUP, SIG_IGN); | ||
1189 | (void) close (cpipe[0]); | ||
1190 | (void) close (cpipe[1]); | ||
1191 | return r; | ||
1192 | } | ||
1193 | |||
1194 | |||
1195 | /* end of gnunet-helper-dns.c */ | ||
diff --git a/src/service/dns/gnunet-service-dns.c b/src/service/dns/gnunet-service-dns.c new file mode 100644 index 000000000..24566ae21 --- /dev/null +++ b/src/service/dns/gnunet-service-dns.c | |||
@@ -0,0 +1,1272 @@ | |||
1 | /* | ||
2 | This file is part of GNUnet. | ||
3 | Copyright (C) 2012 GNUnet e.V. | ||
4 | |||
5 | GNUnet is free software: you can redistribute it and/or modify it | ||
6 | under the terms of the GNU Affero General Public License as published | ||
7 | by the Free Software Foundation, either version 3 of the License, | ||
8 | or (at your option) any later version. | ||
9 | |||
10 | GNUnet is distributed in the hope that it will be useful, but | ||
11 | WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
13 | Affero General Public License for more details. | ||
14 | |||
15 | You should have received a copy of the GNU Affero General Public License | ||
16 | along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
17 | |||
18 | SPDX-License-Identifier: AGPL3.0-or-later | ||
19 | */ | ||
20 | |||
21 | /** | ||
22 | * @file dns/gnunet-service-dns.c | ||
23 | * @brief service to intercept and modify DNS queries (and replies) of this system | ||
24 | * @author Christian Grothoff | ||
25 | * | ||
26 | * For "secure" interaction with the legacy DNS system, we permit | ||
27 | * replies only to arrive within a 5s window (and they must match | ||
28 | * ports, IPs and request IDs). Furthermore, we let the OS pick a | ||
29 | * source port, opening up to 128 sockets per address family (IPv4 or | ||
30 | * IPv6). Those sockets are closed if they are not in use for 5s | ||
31 | * (which means they will be freshly randomized afterwards). For new | ||
32 | * requests, we pick a random slot in the array with 128 socket slots | ||
33 | * (and re-use an existing socket if the slot is still in use). Thus | ||
34 | * each request will be given one of 128 random source ports, and the | ||
35 | * 128 random source ports will also change "often" (less often if the | ||
36 | * system is very busy, each time if we are mostly idle). At the same | ||
37 | * time, the system will never use more than 256 UDP sockets. | ||
38 | */ | ||
39 | #include "platform.h" | ||
40 | #include "gnunet_util_lib.h" | ||
41 | #include "gnunet_applications.h" | ||
42 | #include "gnunet_constants.h" | ||
43 | #include "gnunet_protocols.h" | ||
44 | #include "gnunet_signatures.h" | ||
45 | #include "dns.h" | ||
46 | #include "gnunet_dns_service.h" | ||
47 | #include "gnunet_statistics_service.h" | ||
48 | |||
49 | /** | ||
50 | * Port number for DNS | ||
51 | */ | ||
52 | #define DNS_PORT 53 | ||
53 | |||
54 | |||
55 | /** | ||
56 | * Generic logging shorthand | ||
57 | */ | ||
58 | #define LOG(kind, ...) \ | ||
59 | GNUNET_log_from (kind, "dns", __VA_ARGS__); | ||
60 | |||
61 | |||
62 | /** | ||
63 | * Phases each request goes through. | ||
64 | */ | ||
65 | enum RequestPhase | ||
66 | { | ||
67 | /** | ||
68 | * Request has just been received. | ||
69 | */ | ||
70 | RP_INIT, | ||
71 | |||
72 | /** | ||
73 | * Showing the request to all monitor clients. If | ||
74 | * client list is empty, will enter QUERY phase. | ||
75 | */ | ||
76 | RP_REQUEST_MONITOR, | ||
77 | |||
78 | /** | ||
79 | * Showing the request to PRE-RESOLUTION clients to find an answer. | ||
80 | * If client list is empty, will trigger global DNS request. | ||
81 | */ | ||
82 | RP_QUERY, | ||
83 | |||
84 | /** | ||
85 | * Global Internet query is now pending. | ||
86 | */ | ||
87 | RP_INTERNET_DNS, | ||
88 | |||
89 | /** | ||
90 | * Client (or global DNS request) has resulted in a response. | ||
91 | * Forward to all POST-RESOLUTION clients. If client list is empty, | ||
92 | * will enter RESPONSE_MONITOR phase. | ||
93 | */ | ||
94 | RP_MODIFY, | ||
95 | |||
96 | /** | ||
97 | * Showing the request to all monitor clients. If | ||
98 | * client list is empty, give the result to the hijacker (and be done). | ||
99 | */ | ||
100 | RP_RESPONSE_MONITOR, | ||
101 | |||
102 | /** | ||
103 | * Some client has told us to drop the request. | ||
104 | */ | ||
105 | RP_DROP | ||
106 | }; | ||
107 | |||
108 | |||
109 | /** | ||
110 | * Entry we keep for each client. | ||
111 | */ | ||
112 | struct ClientRecord | ||
113 | { | ||
114 | /** | ||
115 | * Kept in doubly-linked list. | ||
116 | */ | ||
117 | struct ClientRecord *next; | ||
118 | |||
119 | /** | ||
120 | * Kept in doubly-linked list. | ||
121 | */ | ||
122 | struct ClientRecord *prev; | ||
123 | |||
124 | /** | ||
125 | * Handle to the client. | ||
126 | */ | ||
127 | struct GNUNET_SERVICE_Client *client; | ||
128 | |||
129 | /** | ||
130 | * Message queue to talk to @a client. | ||
131 | */ | ||
132 | struct GNUNET_MQ_Handle *mq; | ||
133 | |||
134 | /** | ||
135 | * Flags for the client. | ||
136 | */ | ||
137 | enum GNUNET_DNS_Flags flags; | ||
138 | }; | ||
139 | |||
140 | |||
141 | /** | ||
142 | * Entry we keep for each active request. | ||
143 | */ | ||
144 | struct RequestRecord | ||
145 | { | ||
146 | /** | ||
147 | * List of clients that still need to see this request (each entry | ||
148 | * is set to NULL when the client is done). | ||
149 | */ | ||
150 | struct ClientRecord **client_wait_list; | ||
151 | |||
152 | /** | ||
153 | * Payload of the UDP packet (the UDP payload), can be either query | ||
154 | * or already the response. | ||
155 | */ | ||
156 | char *payload; | ||
157 | |||
158 | /** | ||
159 | * Socket we are using to transmit this request (must match if we receive | ||
160 | * a response). | ||
161 | */ | ||
162 | struct GNUNET_DNSSTUB_RequestSocket *rs; | ||
163 | |||
164 | /** | ||
165 | * Source address of the original request (for sending response). | ||
166 | */ | ||
167 | struct sockaddr_storage src_addr; | ||
168 | |||
169 | /** | ||
170 | * Destination address of the original request (for potential use as exit). | ||
171 | */ | ||
172 | struct sockaddr_storage dst_addr; | ||
173 | |||
174 | /** | ||
175 | * ID of this request, also basis for hashing. Lowest 16 bit will | ||
176 | * be our message ID when doing a global DNS request and our index | ||
177 | * into the 'requests' array. | ||
178 | */ | ||
179 | uint64_t request_id; | ||
180 | |||
181 | /** | ||
182 | * Number of bytes in payload. | ||
183 | */ | ||
184 | size_t payload_length; | ||
185 | |||
186 | /** | ||
187 | * Length of the @e client_wait_list. | ||
188 | */ | ||
189 | unsigned int client_wait_list_length; | ||
190 | |||
191 | /** | ||
192 | * In which phase this this request? | ||
193 | */ | ||
194 | enum RequestPhase phase; | ||
195 | }; | ||
196 | |||
197 | |||
198 | /** | ||
199 | * Global return value from 'main'. | ||
200 | */ | ||
201 | static int global_ret; | ||
202 | |||
203 | /** | ||
204 | * The configuration to use | ||
205 | */ | ||
206 | static const struct GNUNET_CONFIGURATION_Handle *cfg; | ||
207 | |||
208 | /** | ||
209 | * Statistics. | ||
210 | */ | ||
211 | static struct GNUNET_STATISTICS_Handle *stats; | ||
212 | |||
213 | /** | ||
214 | * Handle to DNS hijacker helper process ("gnunet-helper-dns"). | ||
215 | */ | ||
216 | static struct GNUNET_HELPER_Handle *hijacker; | ||
217 | |||
218 | /** | ||
219 | * Command-line arguments we are giving to the hijacker process. | ||
220 | */ | ||
221 | static char *helper_argv[8]; | ||
222 | |||
223 | /** | ||
224 | * Head of DLL of clients we consult. | ||
225 | */ | ||
226 | static struct ClientRecord *clients_head; | ||
227 | |||
228 | /** | ||
229 | * Tail of DLL of clients we consult. | ||
230 | */ | ||
231 | static struct ClientRecord *clients_tail; | ||
232 | |||
233 | /** | ||
234 | * Array of all open requests. | ||
235 | */ | ||
236 | static struct RequestRecord requests[UINT16_MAX + 1]; | ||
237 | |||
238 | /** | ||
239 | * Generator for unique request IDs. | ||
240 | */ | ||
241 | static uint64_t request_id_gen; | ||
242 | |||
243 | /** | ||
244 | * Handle to the DNS Stub resolver. | ||
245 | */ | ||
246 | static struct GNUNET_DNSSTUB_Context *dnsstub; | ||
247 | |||
248 | |||
249 | /** | ||
250 | * We're done processing a DNS request, free associated memory. | ||
251 | * | ||
252 | * @param rr request to clean up | ||
253 | */ | ||
254 | static void | ||
255 | cleanup_rr (struct RequestRecord *rr) | ||
256 | { | ||
257 | GNUNET_free (rr->payload); | ||
258 | rr->payload = NULL; | ||
259 | rr->payload_length = 0; | ||
260 | GNUNET_array_grow (rr->client_wait_list, | ||
261 | rr->client_wait_list_length, | ||
262 | 0); | ||
263 | } | ||
264 | |||
265 | |||
266 | /** | ||
267 | * Task run during shutdown. | ||
268 | * | ||
269 | * @param cls unused | ||
270 | */ | ||
271 | static void | ||
272 | cleanup_task (void *cls GNUNET_UNUSED) | ||
273 | { | ||
274 | if (NULL != hijacker) | ||
275 | { | ||
276 | GNUNET_HELPER_stop (hijacker, GNUNET_NO); | ||
277 | hijacker = NULL; | ||
278 | } | ||
279 | for (unsigned int i = 0; i < 8; i++) | ||
280 | GNUNET_free (helper_argv[i]); | ||
281 | for (unsigned int i = 0; i <= UINT16_MAX; i++) | ||
282 | cleanup_rr (&requests[i]); | ||
283 | if (NULL != stats) | ||
284 | { | ||
285 | GNUNET_STATISTICS_destroy (stats, | ||
286 | GNUNET_NO); | ||
287 | stats = NULL; | ||
288 | } | ||
289 | if (NULL != dnsstub) | ||
290 | { | ||
291 | GNUNET_DNSSTUB_stop (dnsstub); | ||
292 | dnsstub = NULL; | ||
293 | } | ||
294 | } | ||
295 | |||
296 | |||
297 | /** | ||
298 | * We're done with some request, finish processing. | ||
299 | * | ||
300 | * @param rr request send to the network or just clean up. | ||
301 | */ | ||
302 | static void | ||
303 | request_done (struct RequestRecord *rr) | ||
304 | { | ||
305 | struct GNUNET_MessageHeader *hdr; | ||
306 | size_t reply_len; | ||
307 | uint16_t source_port; | ||
308 | uint16_t destination_port; | ||
309 | |||
310 | GNUNET_array_grow (rr->client_wait_list, | ||
311 | rr->client_wait_list_length, | ||
312 | 0); | ||
313 | if (RP_RESPONSE_MONITOR != rr->phase) | ||
314 | { | ||
315 | /* no response, drop */ | ||
316 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
317 | "Got no response for request %llu, dropping\n", | ||
318 | (unsigned long long) rr->request_id); | ||
319 | cleanup_rr (rr); | ||
320 | return; | ||
321 | } | ||
322 | |||
323 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
324 | "Transmitting response for request %llu\n", | ||
325 | (unsigned long long) rr->request_id); | ||
326 | /* send response via hijacker */ | ||
327 | reply_len = sizeof(struct GNUNET_MessageHeader); | ||
328 | reply_len += sizeof(struct GNUNET_TUN_Layer2PacketHeader); | ||
329 | switch (rr->src_addr.ss_family) | ||
330 | { | ||
331 | case AF_INET: | ||
332 | reply_len += sizeof(struct GNUNET_TUN_IPv4Header); | ||
333 | break; | ||
334 | |||
335 | case AF_INET6: | ||
336 | reply_len += sizeof(struct GNUNET_TUN_IPv6Header); | ||
337 | break; | ||
338 | |||
339 | default: | ||
340 | GNUNET_break (0); | ||
341 | cleanup_rr (rr); | ||
342 | return; | ||
343 | } | ||
344 | reply_len += sizeof(struct GNUNET_TUN_UdpHeader); | ||
345 | reply_len += rr->payload_length; | ||
346 | if (reply_len >= GNUNET_MAX_MESSAGE_SIZE) | ||
347 | { | ||
348 | /* response too big, drop */ | ||
349 | GNUNET_break (0); /* how can this be? */ | ||
350 | cleanup_rr (rr); | ||
351 | return; | ||
352 | } | ||
353 | { | ||
354 | char buf[reply_len] GNUNET_ALIGN; | ||
355 | size_t off; | ||
356 | struct GNUNET_TUN_IPv4Header ip4; | ||
357 | struct GNUNET_TUN_IPv6Header ip6; | ||
358 | |||
359 | /* first, GNUnet message header */ | ||
360 | hdr = (struct GNUNET_MessageHeader*) buf; | ||
361 | hdr->type = htons (GNUNET_MESSAGE_TYPE_DNS_HELPER); | ||
362 | hdr->size = htons ((uint16_t) reply_len); | ||
363 | off = sizeof(struct GNUNET_MessageHeader); | ||
364 | |||
365 | /* first, TUN header */ | ||
366 | { | ||
367 | struct GNUNET_TUN_Layer2PacketHeader tun; | ||
368 | |||
369 | tun.flags = htons (0); | ||
370 | if (rr->src_addr.ss_family == AF_INET) | ||
371 | tun.proto = htons (ETH_P_IPV4); | ||
372 | else | ||
373 | tun.proto = htons (ETH_P_IPV6); | ||
374 | GNUNET_memcpy (&buf[off], | ||
375 | &tun, | ||
376 | sizeof(struct GNUNET_TUN_Layer2PacketHeader)); | ||
377 | off += sizeof(struct GNUNET_TUN_Layer2PacketHeader); | ||
378 | } | ||
379 | |||
380 | /* now IP header */ | ||
381 | switch (rr->src_addr.ss_family) | ||
382 | { | ||
383 | case AF_INET: | ||
384 | { | ||
385 | struct sockaddr_in *src = (struct sockaddr_in *) &rr->src_addr; | ||
386 | struct sockaddr_in *dst = (struct sockaddr_in *) &rr->dst_addr; | ||
387 | |||
388 | source_port = dst->sin_port; | ||
389 | destination_port = src->sin_port; | ||
390 | GNUNET_TUN_initialize_ipv4_header (&ip4, | ||
391 | IPPROTO_UDP, | ||
392 | reply_len - off - sizeof(struct | ||
393 | GNUNET_TUN_IPv4Header), | ||
394 | &dst->sin_addr, | ||
395 | &src->sin_addr); | ||
396 | GNUNET_memcpy (&buf[off], | ||
397 | &ip4, | ||
398 | sizeof(ip4)); | ||
399 | off += sizeof(ip4); | ||
400 | } | ||
401 | break; | ||
402 | |||
403 | case AF_INET6: | ||
404 | { | ||
405 | struct sockaddr_in6 *src = (struct sockaddr_in6 *) &rr->src_addr; | ||
406 | struct sockaddr_in6 *dst = (struct sockaddr_in6 *) &rr->dst_addr; | ||
407 | |||
408 | source_port = dst->sin6_port; | ||
409 | destination_port = src->sin6_port; | ||
410 | GNUNET_TUN_initialize_ipv6_header (&ip6, | ||
411 | IPPROTO_UDP, | ||
412 | reply_len - off - sizeof(struct | ||
413 | GNUNET_TUN_IPv6Header), | ||
414 | &dst->sin6_addr, | ||
415 | &src->sin6_addr); | ||
416 | GNUNET_memcpy (&buf[off], | ||
417 | &ip6, | ||
418 | sizeof(ip6)); | ||
419 | off += sizeof(ip6); | ||
420 | } | ||
421 | break; | ||
422 | |||
423 | default: | ||
424 | GNUNET_assert (0); | ||
425 | } | ||
426 | |||
427 | /* now UDP header */ | ||
428 | { | ||
429 | struct GNUNET_TUN_UdpHeader udp; | ||
430 | |||
431 | udp.source_port = source_port; | ||
432 | udp.destination_port = destination_port; | ||
433 | udp.len = htons (reply_len - off); | ||
434 | if (AF_INET == rr->src_addr.ss_family) | ||
435 | GNUNET_TUN_calculate_udp4_checksum (&ip4, | ||
436 | &udp, | ||
437 | rr->payload, | ||
438 | rr->payload_length); | ||
439 | else | ||
440 | GNUNET_TUN_calculate_udp6_checksum (&ip6, | ||
441 | &udp, | ||
442 | rr->payload, | ||
443 | rr->payload_length); | ||
444 | GNUNET_memcpy (&buf[off], | ||
445 | &udp, | ||
446 | sizeof(udp)); | ||
447 | off += sizeof(udp); | ||
448 | } | ||
449 | |||
450 | /* now DNS payload */ | ||
451 | { | ||
452 | GNUNET_memcpy (&buf[off], rr->payload, rr->payload_length); | ||
453 | off += rr->payload_length; | ||
454 | } | ||
455 | /* final checks & sending */ | ||
456 | GNUNET_assert (off == reply_len); | ||
457 | (void) GNUNET_HELPER_send (hijacker, | ||
458 | hdr, | ||
459 | GNUNET_YES, | ||
460 | NULL, NULL); | ||
461 | GNUNET_STATISTICS_update (stats, | ||
462 | gettext_noop ( | ||
463 | "# DNS requests answered via TUN interface"), | ||
464 | 1, GNUNET_NO); | ||
465 | } | ||
466 | /* clean up, we're done */ | ||
467 | cleanup_rr (rr); | ||
468 | } | ||
469 | |||
470 | |||
471 | /** | ||
472 | * Show the payload of the given request record to the client | ||
473 | * (and wait for a response). | ||
474 | * | ||
475 | * @param rr request to send to client | ||
476 | * @param cr client to send the response to | ||
477 | */ | ||
478 | static void | ||
479 | send_request_to_client (struct RequestRecord *rr, | ||
480 | struct ClientRecord *cr) | ||
481 | { | ||
482 | struct GNUNET_MQ_Envelope *env; | ||
483 | struct GNUNET_DNS_Request *req; | ||
484 | |||
485 | if (sizeof(struct GNUNET_DNS_Request) + rr->payload_length >= | ||
486 | GNUNET_MAX_MESSAGE_SIZE) | ||
487 | { | ||
488 | GNUNET_break (0); | ||
489 | cleanup_rr (rr); | ||
490 | return; | ||
491 | } | ||
492 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
493 | "Sending information about request %llu to local client\n", | ||
494 | (unsigned long long) rr->request_id); | ||
495 | env = GNUNET_MQ_msg_extra (req, | ||
496 | rr->payload_length, | ||
497 | GNUNET_MESSAGE_TYPE_DNS_CLIENT_REQUEST); | ||
498 | req->reserved = htonl (0); | ||
499 | req->request_id = rr->request_id; | ||
500 | GNUNET_memcpy (&req[1], | ||
501 | rr->payload, | ||
502 | rr->payload_length); | ||
503 | GNUNET_MQ_send (cr->mq, | ||
504 | env); | ||
505 | } | ||
506 | |||
507 | |||
508 | /** | ||
509 | * Callback called from DNSSTUB resolver when a resolution | ||
510 | * succeeded. | ||
511 | * | ||
512 | * @param cls NULL | ||
513 | * @param dns the response itself | ||
514 | * @param r number of bytes in dns | ||
515 | */ | ||
516 | static void | ||
517 | process_dns_result (void *cls, | ||
518 | const struct GNUNET_TUN_DnsHeader *dns, | ||
519 | size_t r); | ||
520 | |||
521 | |||
522 | /** | ||
523 | * A client has completed its processing for this | ||
524 | * request. Move on. | ||
525 | * | ||
526 | * @param rr request to process further | ||
527 | */ | ||
528 | static void | ||
529 | next_phase (struct RequestRecord *rr) | ||
530 | { | ||
531 | struct ClientRecord *cr; | ||
532 | int nz; | ||
533 | |||
534 | if (rr->phase == RP_DROP) | ||
535 | { | ||
536 | cleanup_rr (rr); | ||
537 | return; | ||
538 | } | ||
539 | nz = -1; | ||
540 | for (unsigned int j = 0; j < rr->client_wait_list_length; j++) | ||
541 | { | ||
542 | if (NULL != rr->client_wait_list[j]) | ||
543 | { | ||
544 | nz = (int) j; | ||
545 | break; | ||
546 | } | ||
547 | } | ||
548 | if (-1 != nz) | ||
549 | { | ||
550 | send_request_to_client (rr, | ||
551 | rr->client_wait_list[nz]); | ||
552 | return; | ||
553 | } | ||
554 | /* done with current phase, advance! */ | ||
555 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
556 | "Request %llu now in phase %d\n", | ||
557 | (unsigned long long) rr->request_id, | ||
558 | rr->phase); | ||
559 | switch (rr->phase) | ||
560 | { | ||
561 | case RP_INIT: | ||
562 | rr->phase = RP_REQUEST_MONITOR; | ||
563 | for (cr = clients_head; NULL != cr; cr = cr->next) | ||
564 | { | ||
565 | if (0 != (cr->flags & GNUNET_DNS_FLAG_REQUEST_MONITOR)) | ||
566 | GNUNET_array_append (rr->client_wait_list, | ||
567 | rr->client_wait_list_length, | ||
568 | cr); | ||
569 | } | ||
570 | next_phase (rr); | ||
571 | return; | ||
572 | |||
573 | case RP_REQUEST_MONITOR: | ||
574 | rr->phase = RP_QUERY; | ||
575 | for (cr = clients_head; NULL != cr; cr = cr->next) | ||
576 | { | ||
577 | if (0 != (cr->flags & GNUNET_DNS_FLAG_PRE_RESOLUTION)) | ||
578 | GNUNET_array_append (rr->client_wait_list, | ||
579 | rr->client_wait_list_length, | ||
580 | cr); | ||
581 | } | ||
582 | next_phase (rr); | ||
583 | return; | ||
584 | |||
585 | case RP_QUERY: | ||
586 | #if 0 | ||
587 | /* TODO: optionally, use this to forward DNS requests to the | ||
588 | * original* DNS server instead of the one we have configured... | ||
589 | (but then we need to create a fresh dnsstub for each request | ||
590 | * and* manage the timeout) */ | ||
591 | switch (rr->dst_addr.ss_family) | ||
592 | { | ||
593 | case AF_INET: | ||
594 | salen = sizeof(struct sockaddr_in); | ||
595 | sa = (const struct sockaddr *) &rr->dst_addr; | ||
596 | break; | ||
597 | |||
598 | case AF_INET6: | ||
599 | salen = sizeof(struct sockaddr_in6); | ||
600 | sa = (const struct sockaddr *) &rr->dst_addr; | ||
601 | break; | ||
602 | |||
603 | default: | ||
604 | GNUNET_assert (0); | ||
605 | } | ||
606 | #endif | ||
607 | rr->phase = RP_INTERNET_DNS; | ||
608 | rr->rs = GNUNET_DNSSTUB_resolve (dnsstub, | ||
609 | rr->payload, | ||
610 | rr->payload_length, | ||
611 | &process_dns_result, | ||
612 | NULL); | ||
613 | if (NULL == rr->rs) | ||
614 | { | ||
615 | GNUNET_STATISTICS_update (stats, | ||
616 | gettext_noop ( | ||
617 | "# DNS exit failed (failed to open socket)"), | ||
618 | 1, | ||
619 | GNUNET_NO); | ||
620 | cleanup_rr (rr); | ||
621 | return; | ||
622 | } | ||
623 | return; | ||
624 | |||
625 | case RP_INTERNET_DNS: | ||
626 | rr->phase = RP_MODIFY; | ||
627 | for (cr = clients_head; NULL != cr; cr = cr->next) | ||
628 | { | ||
629 | if (0 != (cr->flags & GNUNET_DNS_FLAG_POST_RESOLUTION)) | ||
630 | GNUNET_array_append (rr->client_wait_list, | ||
631 | rr->client_wait_list_length, | ||
632 | cr); | ||
633 | } | ||
634 | next_phase (rr); | ||
635 | return; | ||
636 | |||
637 | case RP_MODIFY: | ||
638 | rr->phase = RP_RESPONSE_MONITOR; | ||
639 | for (cr = clients_head; NULL != cr; cr = cr->next) | ||
640 | { | ||
641 | if (0 != (cr->flags & GNUNET_DNS_FLAG_RESPONSE_MONITOR)) | ||
642 | GNUNET_array_append (rr->client_wait_list, | ||
643 | rr->client_wait_list_length, | ||
644 | cr); | ||
645 | } | ||
646 | next_phase (rr); | ||
647 | return; | ||
648 | |||
649 | case RP_RESPONSE_MONITOR: | ||
650 | request_done (rr); | ||
651 | break; | ||
652 | |||
653 | case RP_DROP: | ||
654 | cleanup_rr (rr); | ||
655 | break; | ||
656 | |||
657 | default: | ||
658 | GNUNET_break (0); | ||
659 | cleanup_rr (rr); | ||
660 | break; | ||
661 | } | ||
662 | } | ||
663 | |||
664 | |||
665 | /** | ||
666 | * A client connected, setup our data structures. | ||
667 | * | ||
668 | * @param cls unused | ||
669 | * @param client handle of client that connected | ||
670 | * @param mq message queue to talk to @a client | ||
671 | * @return our `struct ClientRecord` | ||
672 | */ | ||
673 | static void * | ||
674 | client_connect_cb (void *cls, | ||
675 | struct GNUNET_SERVICE_Client *client, | ||
676 | struct GNUNET_MQ_Handle *mq) | ||
677 | { | ||
678 | struct ClientRecord *cr = cls; | ||
679 | |||
680 | cr = GNUNET_new (struct ClientRecord); | ||
681 | cr->client = client; | ||
682 | cr->mq = mq; | ||
683 | GNUNET_CONTAINER_DLL_insert (clients_head, | ||
684 | clients_tail, | ||
685 | cr); | ||
686 | return cr; | ||
687 | } | ||
688 | |||
689 | |||
690 | /** | ||
691 | * A client disconnected, clean up after it. | ||
692 | * | ||
693 | * @param cls unused | ||
694 | * @param client handle of client that disconnected | ||
695 | * @param app_ctx our `struct ClientRecord` | ||
696 | */ | ||
697 | static void | ||
698 | client_disconnect_cb (void *cls, | ||
699 | struct GNUNET_SERVICE_Client *client, | ||
700 | void *app_ctx) | ||
701 | { | ||
702 | struct ClientRecord *cr = app_ctx; | ||
703 | struct RequestRecord *rr; | ||
704 | |||
705 | GNUNET_CONTAINER_DLL_remove (clients_head, | ||
706 | clients_tail, | ||
707 | cr); | ||
708 | for (unsigned int i = 0; i < UINT16_MAX; i++) | ||
709 | { | ||
710 | rr = &requests[i]; | ||
711 | if (0 == rr->client_wait_list_length) | ||
712 | continue; /* not in use */ | ||
713 | for (unsigned int j = 0; j < rr->client_wait_list_length; j++) | ||
714 | { | ||
715 | if (rr->client_wait_list[j] == cr) | ||
716 | { | ||
717 | rr->client_wait_list[j] = NULL; | ||
718 | next_phase (rr); | ||
719 | } | ||
720 | } | ||
721 | } | ||
722 | GNUNET_free (cr); | ||
723 | } | ||
724 | |||
725 | |||
726 | /** | ||
727 | * Callback called from DNSSTUB resolver when a resolution | ||
728 | * succeeded. | ||
729 | * | ||
730 | * @param cls NULL | ||
731 | * @param dns the response itself | ||
732 | * @param r number of bytes in dns | ||
733 | */ | ||
734 | static void | ||
735 | process_dns_result (void *cls, | ||
736 | const struct GNUNET_TUN_DnsHeader *dns, | ||
737 | size_t r) | ||
738 | { | ||
739 | struct RequestRecord *rr; | ||
740 | |||
741 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | ||
742 | "Processing DNS result from stub resolver\n"); | ||
743 | GNUNET_assert (NULL == cls); | ||
744 | if (NULL == dns) | ||
745 | return; /* ignore */ | ||
746 | |||
747 | rr = &requests[dns->id]; | ||
748 | if (rr->phase != RP_INTERNET_DNS) | ||
749 | { | ||
750 | /* unexpected / bogus reply */ | ||
751 | GNUNET_STATISTICS_update (stats, | ||
752 | gettext_noop ( | ||
753 | "# External DNS response discarded (no matching request)"), | ||
754 | 1, GNUNET_NO); | ||
755 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | ||
756 | "Received DNS reply that does not match any pending request. Dropping.\n"); | ||
757 | return; | ||
758 | } | ||
759 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
760 | "Got a response from the stub resolver for DNS request %llu intercepted locally!\n", | ||
761 | (unsigned long long) rr->request_id); | ||
762 | GNUNET_free (rr->payload); | ||
763 | rr->payload = GNUNET_malloc (r); | ||
764 | GNUNET_memcpy (rr->payload, | ||
765 | dns, | ||
766 | r); | ||
767 | rr->payload_length = r; | ||
768 | next_phase (rr); | ||
769 | } | ||
770 | |||
771 | |||
772 | /** | ||
773 | * We got a new client. Make sure all new DNS requests pass by its desk. | ||
774 | * | ||
775 | * @param cls the client | ||
776 | * @param reg the init message | ||
777 | */ | ||
778 | static void | ||
779 | handle_client_init (void *cls, | ||
780 | const struct GNUNET_DNS_Register *reg) | ||
781 | { | ||
782 | struct ClientRecord *cr = cls; | ||
783 | |||
784 | cr->flags = (enum GNUNET_DNS_Flags) ntohl (reg->flags); | ||
785 | GNUNET_SERVICE_client_continue (cr->client); | ||
786 | } | ||
787 | |||
788 | |||
789 | /** | ||
790 | * Check a response from a client. | ||
791 | * | ||
792 | * @param cls the client | ||
793 | * @param resp the response | ||
794 | * @return #GNUNET_OK (always fine) | ||
795 | */ | ||
796 | static int | ||
797 | check_client_response (void *cls, | ||
798 | const struct GNUNET_DNS_Response *resp) | ||
799 | { | ||
800 | return GNUNET_OK; /* any payload is acceptable */ | ||
801 | } | ||
802 | |||
803 | |||
804 | /** | ||
805 | * Handle a response from a client. | ||
806 | * | ||
807 | * @param cls the client | ||
808 | * @param resp the response | ||
809 | */ | ||
810 | static void | ||
811 | handle_client_response (void *cls, | ||
812 | const struct GNUNET_DNS_Response *resp) | ||
813 | { | ||
814 | struct ClientRecord *cr = cls; | ||
815 | struct RequestRecord *rr; | ||
816 | uint16_t msize; | ||
817 | uint16_t off; | ||
818 | |||
819 | msize = ntohs (resp->header.size); | ||
820 | off = (uint16_t) resp->request_id; | ||
821 | rr = &requests[off]; | ||
822 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
823 | "Received DNS response with ID %llu from local client!\n", | ||
824 | (unsigned long long) resp->request_id); | ||
825 | if (rr->request_id != resp->request_id) | ||
826 | { | ||
827 | GNUNET_STATISTICS_update (stats, | ||
828 | gettext_noop ( | ||
829 | "# Client response discarded (no matching request)"), | ||
830 | 1, | ||
831 | GNUNET_NO); | ||
832 | GNUNET_SERVICE_client_continue (cr->client); | ||
833 | return; | ||
834 | } | ||
835 | for (unsigned int i = 0; i < rr->client_wait_list_length; i++) | ||
836 | { | ||
837 | if (NULL == rr->client_wait_list[i]) | ||
838 | continue; | ||
839 | if (rr->client_wait_list[i] != cr) | ||
840 | continue; | ||
841 | rr->client_wait_list[i] = NULL; | ||
842 | switch (ntohl (resp->drop_flag)) | ||
843 | { | ||
844 | case 0: /* drop */ | ||
845 | rr->phase = RP_DROP; | ||
846 | break; | ||
847 | |||
848 | case 1: /* no change */ | ||
849 | break; | ||
850 | |||
851 | case 2: /* update */ | ||
852 | msize -= sizeof(struct GNUNET_DNS_Response); | ||
853 | if ((sizeof(struct GNUNET_TUN_DnsHeader) > msize) || | ||
854 | (RP_REQUEST_MONITOR == rr->phase) || | ||
855 | (RP_RESPONSE_MONITOR == rr->phase)) | ||
856 | { | ||
857 | GNUNET_break (0); | ||
858 | GNUNET_SERVICE_client_drop (cr->client); | ||
859 | next_phase (rr); | ||
860 | return; | ||
861 | } | ||
862 | GNUNET_free (rr->payload); | ||
863 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | ||
864 | "Changing DNS reply according to client specifications\n"); | ||
865 | rr->payload = GNUNET_malloc (msize); | ||
866 | rr->payload_length = msize; | ||
867 | GNUNET_memcpy (rr->payload, &resp[1], msize); | ||
868 | if (rr->phase == RP_QUERY) | ||
869 | { | ||
870 | /* clear wait list, we're moving to MODIFY phase next */ | ||
871 | GNUNET_array_grow (rr->client_wait_list, | ||
872 | rr->client_wait_list_length, | ||
873 | 0); | ||
874 | } | ||
875 | /* if query changed to answer, move past DNS resolution phase... */ | ||
876 | if ((RP_QUERY == rr->phase) && | ||
877 | (rr->payload_length > sizeof(struct GNUNET_TUN_DnsHeader)) && | ||
878 | ( ((struct GNUNET_TUN_DnsFlags*) &(((struct | ||
879 | GNUNET_TUN_DnsHeader*) rr-> | ||
880 | payload)->flags))-> | ||
881 | query_or_response == 1) ) | ||
882 | { | ||
883 | rr->phase = RP_INTERNET_DNS; | ||
884 | GNUNET_array_grow (rr->client_wait_list, | ||
885 | rr->client_wait_list_length, | ||
886 | 0); | ||
887 | } | ||
888 | break; | ||
889 | } | ||
890 | next_phase (rr); | ||
891 | GNUNET_SERVICE_client_continue (cr->client); | ||
892 | return; | ||
893 | } | ||
894 | /* odd, client was not on our list for the request, that ought | ||
895 | to be an error */ | ||
896 | GNUNET_break (0); | ||
897 | GNUNET_SERVICE_client_drop (cr->client); | ||
898 | } | ||
899 | |||
900 | |||
901 | /** | ||
902 | * Functions with this signature are called whenever a complete | ||
903 | * message is received by the tokenizer from the DNS hijack process. | ||
904 | * | ||
905 | * @param cls closure | ||
906 | * @param message the actual message, a DNS request we should handle | ||
907 | */ | ||
908 | static int | ||
909 | process_helper_messages (void *cls, | ||
910 | const struct GNUNET_MessageHeader *message) | ||
911 | { | ||
912 | uint16_t msize; | ||
913 | const struct GNUNET_TUN_Layer2PacketHeader *tun; | ||
914 | const struct GNUNET_TUN_IPv4Header *ip4; | ||
915 | const struct GNUNET_TUN_IPv6Header *ip6; | ||
916 | const struct GNUNET_TUN_UdpHeader *udp; | ||
917 | const struct GNUNET_TUN_DnsHeader *dns; | ||
918 | struct RequestRecord *rr; | ||
919 | struct sockaddr_in *srca4; | ||
920 | struct sockaddr_in6 *srca6; | ||
921 | struct sockaddr_in *dsta4; | ||
922 | struct sockaddr_in6 *dsta6; | ||
923 | |||
924 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
925 | "Intercepted message via DNS hijacker\n"); | ||
926 | msize = ntohs (message->size); | ||
927 | if (msize < sizeof(struct GNUNET_MessageHeader) + sizeof(struct | ||
928 | GNUNET_TUN_Layer2PacketHeader) | ||
929 | + sizeof(struct GNUNET_TUN_IPv4Header)) | ||
930 | { | ||
931 | /* non-IP packet received on TUN!? */ | ||
932 | GNUNET_break (0); | ||
933 | return GNUNET_OK; | ||
934 | } | ||
935 | msize -= sizeof(struct GNUNET_MessageHeader); | ||
936 | tun = (const struct GNUNET_TUN_Layer2PacketHeader *) &message[1]; | ||
937 | msize -= sizeof(struct GNUNET_TUN_Layer2PacketHeader); | ||
938 | switch (ntohs (tun->proto)) | ||
939 | { | ||
940 | case ETH_P_IPV4: | ||
941 | ip4 = (const struct GNUNET_TUN_IPv4Header *) &tun[1]; | ||
942 | ip6 = NULL; /* make compiler happy */ | ||
943 | if ((msize < sizeof(struct GNUNET_TUN_IPv4Header)) || | ||
944 | (ip4->version != 4) || | ||
945 | (ip4->header_length != sizeof(struct GNUNET_TUN_IPv4Header) / 4) || | ||
946 | (ntohs (ip4->total_length) != msize) || | ||
947 | (ip4->protocol != IPPROTO_UDP)) | ||
948 | { | ||
949 | /* non-IP/UDP packet received on TUN (or with options) */ | ||
950 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | ||
951 | _ ("Received malformed IPv4-UDP packet on TUN interface.\n")); | ||
952 | return GNUNET_OK; | ||
953 | } | ||
954 | udp = (const struct GNUNET_TUN_UdpHeader*) &ip4[1]; | ||
955 | msize -= sizeof(struct GNUNET_TUN_IPv4Header); | ||
956 | break; | ||
957 | |||
958 | case ETH_P_IPV6: | ||
959 | ip4 = NULL; /* make compiler happy */ | ||
960 | ip6 = (const struct GNUNET_TUN_IPv6Header *) &tun[1]; | ||
961 | if ((msize < sizeof(struct GNUNET_TUN_IPv6Header)) || | ||
962 | (ip6->version != 6) || | ||
963 | (ntohs (ip6->payload_length) != msize - sizeof(struct | ||
964 | GNUNET_TUN_IPv6Header)) | ||
965 | || | ||
966 | (ip6->next_header != IPPROTO_UDP)) | ||
967 | { | ||
968 | /* non-IP/UDP packet received on TUN (or with extensions) */ | ||
969 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | ||
970 | _ ("Received malformed IPv6-UDP packet on TUN interface.\n")); | ||
971 | return GNUNET_OK; | ||
972 | } | ||
973 | udp = (const struct GNUNET_TUN_UdpHeader *) &ip6[1]; | ||
974 | msize -= sizeof(struct GNUNET_TUN_IPv6Header); | ||
975 | break; | ||
976 | |||
977 | default: | ||
978 | /* non-IP packet received on TUN!? */ | ||
979 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | ||
980 | _ ( | ||
981 | "Got non-IP packet with %u bytes and protocol %u from TUN\n"), | ||
982 | (unsigned int) msize, | ||
983 | ntohs (tun->proto)); | ||
984 | return GNUNET_OK; | ||
985 | } | ||
986 | if ((msize <= sizeof(struct GNUNET_TUN_UdpHeader) + sizeof(struct | ||
987 | GNUNET_TUN_DnsHeader)) | ||
988 | || | ||
989 | (DNS_PORT != ntohs (udp->destination_port))) | ||
990 | { | ||
991 | /* non-DNS packet received on TUN, ignore */ | ||
992 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
993 | _ ("DNS interceptor got non-DNS packet (dropped)\n")); | ||
994 | GNUNET_STATISTICS_update (stats, | ||
995 | gettext_noop ( | ||
996 | "# Non-DNS UDP packet received via TUN interface"), | ||
997 | 1, GNUNET_NO); | ||
998 | return GNUNET_OK; | ||
999 | } | ||
1000 | msize -= sizeof(struct GNUNET_TUN_UdpHeader); | ||
1001 | dns = (const struct GNUNET_TUN_DnsHeader*) &udp[1]; | ||
1002 | rr = &requests[dns->id]; | ||
1003 | |||
1004 | /* clean up from previous request */ | ||
1005 | GNUNET_free (rr->payload); | ||
1006 | rr->payload = NULL; | ||
1007 | GNUNET_array_grow (rr->client_wait_list, | ||
1008 | rr->client_wait_list_length, | ||
1009 | 0); | ||
1010 | |||
1011 | /* setup new request */ | ||
1012 | rr->phase = RP_INIT; | ||
1013 | switch (ntohs (tun->proto)) | ||
1014 | { | ||
1015 | case ETH_P_IPV4: | ||
1016 | { | ||
1017 | srca4 = (struct sockaddr_in*) &rr->src_addr; | ||
1018 | dsta4 = (struct sockaddr_in*) &rr->dst_addr; | ||
1019 | memset (srca4, 0, sizeof(struct sockaddr_in)); | ||
1020 | memset (dsta4, 0, sizeof(struct sockaddr_in)); | ||
1021 | srca4->sin_family = AF_INET; | ||
1022 | dsta4->sin_family = AF_INET; | ||
1023 | srca4->sin_addr = ip4->source_address; | ||
1024 | dsta4->sin_addr = ip4->destination_address; | ||
1025 | srca4->sin_port = udp->source_port; | ||
1026 | dsta4->sin_port = udp->destination_port; | ||
1027 | #if HAVE_SOCKADDR_IN_SIN_LEN | ||
1028 | srca4->sin_len = sizeof(struct sockaddr_in); | ||
1029 | dsta4->sin_len = sizeof(struct sockaddr_in); | ||
1030 | #endif | ||
1031 | } | ||
1032 | break; | ||
1033 | |||
1034 | case ETH_P_IPV6: | ||
1035 | { | ||
1036 | srca6 = (struct sockaddr_in6*) &rr->src_addr; | ||
1037 | dsta6 = (struct sockaddr_in6*) &rr->dst_addr; | ||
1038 | memset (srca6, 0, sizeof(struct sockaddr_in6)); | ||
1039 | memset (dsta6, 0, sizeof(struct sockaddr_in6)); | ||
1040 | srca6->sin6_family = AF_INET6; | ||
1041 | dsta6->sin6_family = AF_INET6; | ||
1042 | srca6->sin6_addr = ip6->source_address; | ||
1043 | dsta6->sin6_addr = ip6->destination_address; | ||
1044 | srca6->sin6_port = udp->source_port; | ||
1045 | dsta6->sin6_port = udp->destination_port; | ||
1046 | #if HAVE_SOCKADDR_IN_SIN_LEN | ||
1047 | srca6->sin6_len = sizeof(struct sockaddr_in6); | ||
1048 | dsta6->sin6_len = sizeof(struct sockaddr_in6); | ||
1049 | #endif | ||
1050 | } | ||
1051 | break; | ||
1052 | |||
1053 | default: | ||
1054 | GNUNET_assert (0); | ||
1055 | } | ||
1056 | rr->payload = GNUNET_malloc (msize); | ||
1057 | rr->payload_length = msize; | ||
1058 | GNUNET_memcpy (rr->payload, dns, msize); | ||
1059 | rr->request_id = dns->id | (request_id_gen << 16); | ||
1060 | request_id_gen++; | ||
1061 | LOG (GNUNET_ERROR_TYPE_DEBUG, | ||
1062 | "Creating new DNS request %llu\n", | ||
1063 | (unsigned long long) rr->request_id); | ||
1064 | GNUNET_STATISTICS_update (stats, | ||
1065 | gettext_noop ( | ||
1066 | "# DNS requests received via TUN interface"), | ||
1067 | 1, GNUNET_NO); | ||
1068 | /* start request processing state machine */ | ||
1069 | next_phase (rr); | ||
1070 | return GNUNET_OK; | ||
1071 | } | ||
1072 | |||
1073 | |||
1074 | /** | ||
1075 | * @param cls closure | ||
1076 | * @param cfg_ configuration to use | ||
1077 | * @param service the initialized service | ||
1078 | */ | ||
1079 | static void | ||
1080 | run (void *cls, | ||
1081 | const struct GNUNET_CONFIGURATION_Handle *cfg_, | ||
1082 | struct GNUNET_SERVICE_Handle *service) | ||
1083 | { | ||
1084 | char *ifc_name; | ||
1085 | char *ipv4addr; | ||
1086 | char *ipv4mask; | ||
1087 | char *ipv6addr; | ||
1088 | char *ipv6prefix; | ||
1089 | char *dns_exit; | ||
1090 | char *binary; | ||
1091 | int nortsetup; | ||
1092 | |||
1093 | cfg = cfg_; | ||
1094 | stats = GNUNET_STATISTICS_create ("dns", cfg); | ||
1095 | GNUNET_SCHEDULER_add_shutdown (&cleanup_task, | ||
1096 | cls); | ||
1097 | dnsstub = GNUNET_DNSSTUB_start (128); | ||
1098 | /* TODO: support multiple DNS_EXIT servers being configured */ | ||
1099 | /* TODO: see above TODO on using DNS server from original packet. | ||
1100 | Not sure which is best... */ | ||
1101 | dns_exit = NULL; | ||
1102 | if ((GNUNET_OK != | ||
1103 | GNUNET_CONFIGURATION_get_value_string (cfg, | ||
1104 | "dns", | ||
1105 | "DNS_EXIT", | ||
1106 | &dns_exit)) || | ||
1107 | (GNUNET_OK != | ||
1108 | GNUNET_DNSSTUB_add_dns_ip (dnsstub, | ||
1109 | dns_exit))) | ||
1110 | { | ||
1111 | GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, | ||
1112 | "dns", | ||
1113 | "DNS_EXIT", | ||
1114 | _ ("need a valid IPv4 or IPv6 address\n")); | ||
1115 | GNUNET_free (dns_exit); | ||
1116 | } | ||
1117 | binary = GNUNET_OS_get_suid_binary_path (cfg, "gnunet-helper-dns"); | ||
1118 | |||
1119 | if (GNUNET_YES != | ||
1120 | GNUNET_OS_check_helper_binary (binary, | ||
1121 | GNUNET_YES, | ||
1122 | NULL)) // TODO: once we have a windows-testcase, add test parameters here | ||
1123 | { | ||
1124 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
1125 | _ ("`%s' is not SUID or the path is invalid, " | ||
1126 | "will not run DNS interceptor\n"), | ||
1127 | binary); | ||
1128 | global_ret = 1; | ||
1129 | GNUNET_free (binary); | ||
1130 | return; | ||
1131 | } | ||
1132 | GNUNET_free (binary); | ||
1133 | |||
1134 | helper_argv[0] = GNUNET_strdup ("gnunet-dns"); | ||
1135 | if (GNUNET_SYSERR == | ||
1136 | GNUNET_CONFIGURATION_get_value_string (cfg, | ||
1137 | "dns", | ||
1138 | "IFNAME", | ||
1139 | &ifc_name)) | ||
1140 | { | ||
1141 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
1142 | "No entry 'IFNAME' in configuration!\n"); | ||
1143 | GNUNET_free (binary); | ||
1144 | GNUNET_SCHEDULER_shutdown (); | ||
1145 | return; | ||
1146 | } | ||
1147 | helper_argv[1] = ifc_name; | ||
1148 | if ((GNUNET_SYSERR == | ||
1149 | GNUNET_CONFIGURATION_get_value_string (cfg, | ||
1150 | "dns", | ||
1151 | "IPV6ADDR", | ||
1152 | &ipv6addr))) | ||
1153 | { | ||
1154 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
1155 | "No entry 'IPV6ADDR' in configuration!\n"); | ||
1156 | GNUNET_free (binary); | ||
1157 | GNUNET_SCHEDULER_shutdown (); | ||
1158 | return; | ||
1159 | } | ||
1160 | helper_argv[2] = ipv6addr; | ||
1161 | if (GNUNET_SYSERR == | ||
1162 | GNUNET_CONFIGURATION_get_value_string (cfg, | ||
1163 | "dns", | ||
1164 | "IPV6PREFIX", | ||
1165 | &ipv6prefix)) | ||
1166 | { | ||
1167 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
1168 | "No entry 'IPV6PREFIX' in configuration!\n"); | ||
1169 | GNUNET_free (binary); | ||
1170 | GNUNET_SCHEDULER_shutdown (); | ||
1171 | return; | ||
1172 | } | ||
1173 | helper_argv[3] = ipv6prefix; | ||
1174 | |||
1175 | if (GNUNET_SYSERR == | ||
1176 | GNUNET_CONFIGURATION_get_value_string (cfg, | ||
1177 | "dns", | ||
1178 | "IPV4ADDR", | ||
1179 | &ipv4addr)) | ||
1180 | { | ||
1181 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
1182 | "No entry 'IPV4ADDR' in configuration!\n"); | ||
1183 | GNUNET_free (binary); | ||
1184 | GNUNET_SCHEDULER_shutdown (); | ||
1185 | return; | ||
1186 | } | ||
1187 | helper_argv[4] = ipv4addr; | ||
1188 | if (GNUNET_SYSERR == | ||
1189 | GNUNET_CONFIGURATION_get_value_string (cfg, "dns", "IPV4MASK", | ||
1190 | &ipv4mask)) | ||
1191 | { | ||
1192 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
1193 | "No entry 'IPV4MASK' in configuration!\n"); | ||
1194 | GNUNET_free (binary); | ||
1195 | GNUNET_SCHEDULER_shutdown (); | ||
1196 | return; | ||
1197 | } | ||
1198 | helper_argv[5] = ipv4mask; | ||
1199 | |||
1200 | nortsetup = GNUNET_CONFIGURATION_get_value_yesno (cfg, "dns", | ||
1201 | "SKIP_ROUTING_SETUP"); | ||
1202 | if (GNUNET_YES == nortsetup) | ||
1203 | helper_argv[6] = GNUNET_strdup ("1"); | ||
1204 | else | ||
1205 | helper_argv[6] = GNUNET_strdup ("0"); | ||
1206 | |||
1207 | helper_argv[7] = NULL; | ||
1208 | hijacker = GNUNET_HELPER_start (GNUNET_NO, | ||
1209 | binary, | ||
1210 | helper_argv, | ||
1211 | &process_helper_messages, | ||
1212 | NULL, NULL); | ||
1213 | GNUNET_free (binary); | ||
1214 | } | ||
1215 | |||
1216 | |||
1217 | /** | ||
1218 | * Define "main" method using service macro. | ||
1219 | */ | ||
1220 | GNUNET_SERVICE_MAIN | ||
1221 | ("dns", | ||
1222 | GNUNET_SERVICE_OPTION_NONE, | ||
1223 | &run, | ||
1224 | &client_connect_cb, | ||
1225 | &client_disconnect_cb, | ||
1226 | NULL, | ||
1227 | GNUNET_MQ_hd_fixed_size (client_init, | ||
1228 | GNUNET_MESSAGE_TYPE_DNS_CLIENT_INIT, | ||
1229 | struct GNUNET_DNS_Register, | ||
1230 | NULL), | ||
1231 | GNUNET_MQ_hd_var_size (client_response, | ||
1232 | GNUNET_MESSAGE_TYPE_DNS_CLIENT_RESPONSE, | ||
1233 | struct GNUNET_DNS_Response, | ||
1234 | NULL), | ||
1235 | GNUNET_MQ_handler_end ()); | ||
1236 | |||
1237 | |||
1238 | /* FIXME: this might need a port on systems without 'getresgid' */ | ||
1239 | #if HAVE_GETRESGID | ||
1240 | /** | ||
1241 | * Enable use of SGID capabilities on POSIX | ||
1242 | */ | ||
1243 | void __attribute__ ((constructor)) | ||
1244 | GNUNET_DNS_init () | ||
1245 | { | ||
1246 | gid_t rgid; | ||
1247 | gid_t egid; | ||
1248 | gid_t sgid; | ||
1249 | |||
1250 | if (-1 == getresgid (&rgid, | ||
1251 | &egid, | ||
1252 | &sgid)) | ||
1253 | { | ||
1254 | fprintf (stderr, | ||
1255 | "getresgid failed: %s\n", | ||
1256 | strerror (errno)); | ||
1257 | } | ||
1258 | else if (sgid != rgid) | ||
1259 | { | ||
1260 | if (-1 == setregid (sgid, | ||
1261 | sgid)) | ||
1262 | fprintf (stderr, | ||
1263 | "setregid failed: %s\n", | ||
1264 | strerror (errno)); | ||
1265 | } | ||
1266 | } | ||
1267 | |||
1268 | |||
1269 | #endif | ||
1270 | |||
1271 | |||
1272 | /* end of gnunet-service-dns.c */ | ||
diff --git a/src/service/dns/gnunet-zonewalk.c b/src/service/dns/gnunet-zonewalk.c new file mode 100644 index 000000000..f4b676d6c --- /dev/null +++ b/src/service/dns/gnunet-zonewalk.c | |||
@@ -0,0 +1,616 @@ | |||
1 | /* | ||
2 | This file is part of GNUnet | ||
3 | Copyright (C) 2018 GNUnet e.V. | ||
4 | |||
5 | GNUnet is free software: you can redistribute it and/or modify it | ||
6 | under the terms of the GNU Affero General Public License as published | ||
7 | by the Free Software Foundation, either version 3 of the License, | ||
8 | or (at your option) any later version. | ||
9 | |||
10 | GNUnet is distributed in the hope that it will be useful, but | ||
11 | WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
13 | Affero General Public License for more details. | ||
14 | |||
15 | You should have received a copy of the GNU Affero General Public License | ||
16 | along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
17 | |||
18 | SPDX-License-Identifier: AGPL3.0-or-later | ||
19 | */ | ||
20 | |||
21 | /** | ||
22 | * @file src/dns/gnunet-zoneimport.c | ||
23 | * @brief import a DNS zone for analysis, brute force | ||
24 | * @author Christian Grothoff | ||
25 | */ | ||
26 | #include "platform.h" | ||
27 | #include <gnunet_util_lib.h> | ||
28 | |||
29 | /** | ||
30 | * Request we should make. | ||
31 | */ | ||
32 | struct Request | ||
33 | { | ||
34 | /** | ||
35 | * Requests are kept in a DLL. | ||
36 | */ | ||
37 | struct Request *next; | ||
38 | |||
39 | /** | ||
40 | * Requests are kept in a DLL. | ||
41 | */ | ||
42 | struct Request *prev; | ||
43 | |||
44 | /** | ||
45 | * Socket used to make the request, NULL if not active. | ||
46 | */ | ||
47 | struct GNUNET_DNSSTUB_RequestSocket *rs; | ||
48 | |||
49 | /** | ||
50 | * Raw DNS query. | ||
51 | */ | ||
52 | void *raw; | ||
53 | |||
54 | /** | ||
55 | * Number of bytes in @e raw. | ||
56 | */ | ||
57 | size_t raw_len; | ||
58 | |||
59 | /** | ||
60 | * Hostname we are resolving. | ||
61 | */ | ||
62 | char *hostname; | ||
63 | |||
64 | /** | ||
65 | * When did we last issue this request? | ||
66 | */ | ||
67 | time_t time; | ||
68 | |||
69 | /** | ||
70 | * How often did we issue this query? | ||
71 | */ | ||
72 | int issue_num; | ||
73 | |||
74 | /** | ||
75 | * random 16-bit DNS query identifier. | ||
76 | */ | ||
77 | uint16_t id; | ||
78 | }; | ||
79 | |||
80 | |||
81 | /** | ||
82 | * Context for DNS resolution. | ||
83 | */ | ||
84 | static struct GNUNET_DNSSTUB_Context *ctx; | ||
85 | |||
86 | /** | ||
87 | * The number of queries that are outstanding | ||
88 | */ | ||
89 | static unsigned int pending; | ||
90 | |||
91 | /** | ||
92 | * Number of lookups we performed overall. | ||
93 | */ | ||
94 | static unsigned int lookups; | ||
95 | |||
96 | /** | ||
97 | * Number of lookups that failed. | ||
98 | */ | ||
99 | static unsigned int failures; | ||
100 | |||
101 | /** | ||
102 | * Number of records we found. | ||
103 | */ | ||
104 | static unsigned int records; | ||
105 | |||
106 | /** | ||
107 | * Head of DLL of all requests to perform. | ||
108 | */ | ||
109 | static struct Request *req_head; | ||
110 | |||
111 | /** | ||
112 | * Tail of DLL of all requests to perform. | ||
113 | */ | ||
114 | static struct Request *req_tail; | ||
115 | |||
116 | /** | ||
117 | * Main task. | ||
118 | */ | ||
119 | static struct GNUNET_SCHEDULER_Task *t; | ||
120 | |||
121 | /** | ||
122 | * Maximum number of queries pending at the same time. | ||
123 | */ | ||
124 | #define THRESH 20 | ||
125 | |||
126 | /** | ||
127 | * TIME_THRESH is in usecs. How quickly do we submit fresh queries. | ||
128 | * Used as an additional throttle. | ||
129 | */ | ||
130 | #define TIME_THRESH 10 | ||
131 | |||
132 | /** | ||
133 | * How often do we retry a query before giving up for good? | ||
134 | */ | ||
135 | #define MAX_RETRIES 5 | ||
136 | |||
137 | |||
138 | /** | ||
139 | * We received @a rec for @a req. Remember the answer. | ||
140 | * | ||
141 | * @param req request | ||
142 | * @param rec response | ||
143 | */ | ||
144 | static void | ||
145 | process_record (struct Request *req, | ||
146 | struct GNUNET_DNSPARSER_Record *rec) | ||
147 | { | ||
148 | char buf[INET6_ADDRSTRLEN]; | ||
149 | |||
150 | records++; | ||
151 | switch (rec->type) | ||
152 | { | ||
153 | case GNUNET_DNSPARSER_TYPE_A: | ||
154 | fprintf (stdout, | ||
155 | "%s A %s\n", | ||
156 | req->hostname, | ||
157 | inet_ntop (AF_INET, | ||
158 | rec->data.raw.data, | ||
159 | buf, | ||
160 | sizeof(buf))); | ||
161 | break; | ||
162 | |||
163 | case GNUNET_DNSPARSER_TYPE_AAAA: | ||
164 | fprintf (stdout, | ||
165 | "%s AAAA %s\n", | ||
166 | req->hostname, | ||
167 | inet_ntop (AF_INET6, | ||
168 | rec->data.raw.data, | ||
169 | buf, | ||
170 | sizeof(buf))); | ||
171 | break; | ||
172 | |||
173 | case GNUNET_DNSPARSER_TYPE_NS: | ||
174 | fprintf (stdout, | ||
175 | "%s NS %s\n", | ||
176 | req->hostname, | ||
177 | rec->data.hostname); | ||
178 | break; | ||
179 | |||
180 | case GNUNET_DNSPARSER_TYPE_CNAME: | ||
181 | fprintf (stdout, | ||
182 | "%s CNAME %s\n", | ||
183 | req->hostname, | ||
184 | rec->data.hostname); | ||
185 | break; | ||
186 | |||
187 | case GNUNET_DNSPARSER_TYPE_MX: | ||
188 | fprintf (stdout, | ||
189 | "%s MX %u %s\n", | ||
190 | req->hostname, | ||
191 | (unsigned int) rec->data.mx->preference, | ||
192 | rec->data.mx->mxhost); | ||
193 | break; | ||
194 | |||
195 | case GNUNET_DNSPARSER_TYPE_SOA: | ||
196 | fprintf (stdout, | ||
197 | "%s SOA %s %s %u %u %u %u %u\n", | ||
198 | req->hostname, | ||
199 | rec->data.soa->mname, | ||
200 | rec->data.soa->rname, | ||
201 | (unsigned int) rec->data.soa->serial, | ||
202 | (unsigned int) rec->data.soa->refresh, | ||
203 | (unsigned int) rec->data.soa->retry, | ||
204 | (unsigned int) rec->data.soa->expire, | ||
205 | (unsigned int) rec->data.soa->minimum_ttl); | ||
206 | break; | ||
207 | |||
208 | case GNUNET_DNSPARSER_TYPE_SRV: | ||
209 | fprintf (stdout, | ||
210 | "%s SRV %s %u %u %u\n", | ||
211 | req->hostname, | ||
212 | rec->data.srv->target, | ||
213 | rec->data.srv->priority, | ||
214 | rec->data.srv->weight, | ||
215 | rec->data.srv->port); | ||
216 | break; | ||
217 | |||
218 | case GNUNET_DNSPARSER_TYPE_URI: | ||
219 | fprintf (stdout, | ||
220 | "%s URI \"%s\" %u %u\n", | ||
221 | req->hostname, | ||
222 | rec->data.uri->target, | ||
223 | rec->data.uri->priority, | ||
224 | rec->data.uri->weight); | ||
225 | break; | ||
226 | |||
227 | case GNUNET_DNSPARSER_TYPE_PTR: | ||
228 | fprintf (stdout, | ||
229 | "%s PTR %s\n", | ||
230 | req->hostname, | ||
231 | rec->data.hostname); | ||
232 | break; | ||
233 | |||
234 | case GNUNET_DNSPARSER_TYPE_TXT: | ||
235 | fprintf (stdout, | ||
236 | "%s TXT %.*s\n", | ||
237 | req->hostname, | ||
238 | (int) rec->data.raw.data_len, | ||
239 | (char *) rec->data.raw.data); | ||
240 | break; | ||
241 | |||
242 | case GNUNET_DNSPARSER_TYPE_DNAME: | ||
243 | fprintf (stdout, | ||
244 | "%s DNAME %s\n", | ||
245 | req->hostname, | ||
246 | rec->data.hostname); | ||
247 | break; | ||
248 | |||
249 | /* obscure records */ | ||
250 | case GNUNET_DNSPARSER_TYPE_AFSDB: | ||
251 | case GNUNET_DNSPARSER_TYPE_NAPTR: | ||
252 | case GNUNET_DNSPARSER_TYPE_APL: | ||
253 | case GNUNET_DNSPARSER_TYPE_DHCID: | ||
254 | case GNUNET_DNSPARSER_TYPE_HIP: | ||
255 | case GNUNET_DNSPARSER_TYPE_LOC: | ||
256 | case GNUNET_DNSPARSER_TYPE_RP: | ||
257 | case GNUNET_DNSPARSER_TYPE_TKEY: | ||
258 | case GNUNET_DNSPARSER_TYPE_TSIG: | ||
259 | case GNUNET_DNSPARSER_TYPE_TA: | ||
260 | |||
261 | /* DNSSEC */ | ||
262 | case GNUNET_DNSPARSER_TYPE_DS: | ||
263 | case GNUNET_DNSPARSER_TYPE_RRSIG: | ||
264 | case GNUNET_DNSPARSER_TYPE_NSEC: | ||
265 | case GNUNET_DNSPARSER_TYPE_DNSKEY: | ||
266 | case GNUNET_DNSPARSER_TYPE_NSEC3: | ||
267 | case GNUNET_DNSPARSER_TYPE_NSEC3PARAM: | ||
268 | case GNUNET_DNSPARSER_TYPE_CDS: | ||
269 | case GNUNET_DNSPARSER_TYPE_CDNSKEY: | ||
270 | |||
271 | /* DNSSEC payload */ | ||
272 | case GNUNET_DNSPARSER_TYPE_CERT: | ||
273 | case GNUNET_DNSPARSER_TYPE_SSHFP: | ||
274 | case GNUNET_DNSPARSER_TYPE_IPSECKEY: | ||
275 | case GNUNET_DNSPARSER_TYPE_TLSA: | ||
276 | case GNUNET_DNSPARSER_TYPE_SMIMEA: | ||
277 | case GNUNET_DNSPARSER_TYPE_OPENPGPKEY: | ||
278 | |||
279 | /* obsolete records */ | ||
280 | case GNUNET_DNSPARSER_TYPE_SIG: | ||
281 | case GNUNET_DNSPARSER_TYPE_KEY: | ||
282 | case GNUNET_DNSPARSER_TYPE_KX: | ||
283 | { | ||
284 | char *base32; | ||
285 | |||
286 | base32 = GNUNET_STRINGS_data_to_string_alloc (rec->data.raw.data, | ||
287 | rec->data.raw.data_len); | ||
288 | fprintf (stdout, | ||
289 | "%s (%u) %s\n", | ||
290 | req->hostname, | ||
291 | rec->type, | ||
292 | base32); | ||
293 | GNUNET_free (base32); | ||
294 | } | ||
295 | break; | ||
296 | |||
297 | default: | ||
298 | fprintf (stderr, | ||
299 | "Unsupported type %u\n", | ||
300 | (unsigned int) rec->type); | ||
301 | break; | ||
302 | } | ||
303 | } | ||
304 | |||
305 | |||
306 | /** | ||
307 | * Function called with the result of a DNS resolution. | ||
308 | * | ||
309 | * @param cls closure with the `struct Request` | ||
310 | * @param dns dns response, never NULL | ||
311 | * @param dns_len number of bytes in @a dns | ||
312 | */ | ||
313 | static void | ||
314 | process_result (void *cls, | ||
315 | const struct GNUNET_TUN_DnsHeader *dns, | ||
316 | size_t dns_len) | ||
317 | { | ||
318 | struct Request *req = cls; | ||
319 | struct GNUNET_DNSPARSER_Packet *p; | ||
320 | |||
321 | if (NULL == dns) | ||
322 | { | ||
323 | /* stub gave up */ | ||
324 | pending--; | ||
325 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
326 | "Stub gave up on DNS reply for `%s'\n", | ||
327 | req->hostname); | ||
328 | GNUNET_CONTAINER_DLL_remove (req_head, | ||
329 | req_tail, | ||
330 | req); | ||
331 | if (req->issue_num > MAX_RETRIES) | ||
332 | { | ||
333 | failures++; | ||
334 | GNUNET_free (req->hostname); | ||
335 | GNUNET_free (req->raw); | ||
336 | GNUNET_free (req); | ||
337 | return; | ||
338 | } | ||
339 | GNUNET_CONTAINER_DLL_insert_tail (req_head, | ||
340 | req_tail, | ||
341 | req); | ||
342 | req->rs = NULL; | ||
343 | return; | ||
344 | } | ||
345 | if (req->id != dns->id) | ||
346 | return; | ||
347 | pending--; | ||
348 | GNUNET_DNSSTUB_resolve_cancel (req->rs); | ||
349 | req->rs = NULL; | ||
350 | GNUNET_CONTAINER_DLL_remove (req_head, | ||
351 | req_tail, | ||
352 | req); | ||
353 | p = GNUNET_DNSPARSER_parse ((const char *) dns, | ||
354 | dns_len); | ||
355 | if (NULL == p) | ||
356 | { | ||
357 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
358 | "Failed to parse DNS reply for `%s'\n", | ||
359 | req->hostname); | ||
360 | if (req->issue_num > MAX_RETRIES) | ||
361 | { | ||
362 | failures++; | ||
363 | GNUNET_free (req->hostname); | ||
364 | GNUNET_free (req->raw); | ||
365 | GNUNET_free (req); | ||
366 | return; | ||
367 | } | ||
368 | GNUNET_CONTAINER_DLL_insert_tail (req_head, | ||
369 | req_tail, | ||
370 | req); | ||
371 | return; | ||
372 | } | ||
373 | for (unsigned int i = 0; i < p->num_answers; i++) | ||
374 | { | ||
375 | struct GNUNET_DNSPARSER_Record *rs = &p->answers[i]; | ||
376 | |||
377 | process_record (req, | ||
378 | rs); | ||
379 | } | ||
380 | for (unsigned int i = 0; i < p->num_authority_records; i++) | ||
381 | { | ||
382 | struct GNUNET_DNSPARSER_Record *rs = &p->authority_records[i]; | ||
383 | |||
384 | process_record (req, | ||
385 | rs); | ||
386 | } | ||
387 | for (unsigned int i = 0; i < p->num_additional_records; i++) | ||
388 | { | ||
389 | struct GNUNET_DNSPARSER_Record *rs = &p->additional_records[i]; | ||
390 | |||
391 | process_record (req, | ||
392 | rs); | ||
393 | } | ||
394 | GNUNET_DNSPARSER_free_packet (p); | ||
395 | GNUNET_free (req->hostname); | ||
396 | GNUNET_free (req->raw); | ||
397 | GNUNET_free (req); | ||
398 | } | ||
399 | |||
400 | |||
401 | /** | ||
402 | * Submit a request to DNS unless we need to slow down because | ||
403 | * we are at the rate limit. | ||
404 | * | ||
405 | * @param req request to submit | ||
406 | * @return #GNUNET_OK if request was submitted | ||
407 | * #GNUNET_NO if request was already submitted | ||
408 | * #GNUNET_SYSERR if we are at the rate limit | ||
409 | */ | ||
410 | static int | ||
411 | submit_req (struct Request *req) | ||
412 | { | ||
413 | static struct timeval last_request; | ||
414 | struct timeval now; | ||
415 | |||
416 | if (NULL != req->rs) | ||
417 | return GNUNET_NO; /* already submitted */ | ||
418 | gettimeofday (&now, | ||
419 | NULL); | ||
420 | if ((((now.tv_sec - last_request.tv_sec) == 0) && | ||
421 | ((now.tv_usec - last_request.tv_usec) < TIME_THRESH)) || | ||
422 | (pending >= THRESH)) | ||
423 | return GNUNET_SYSERR; | ||
424 | GNUNET_assert (NULL == req->rs); | ||
425 | req->rs = GNUNET_DNSSTUB_resolve (ctx, | ||
426 | req->raw, | ||
427 | req->raw_len, | ||
428 | &process_result, | ||
429 | req); | ||
430 | GNUNET_assert (NULL != req->rs); | ||
431 | req->issue_num++; | ||
432 | last_request = now; | ||
433 | lookups++; | ||
434 | pending++; | ||
435 | req->time = time (NULL); | ||
436 | return GNUNET_OK; | ||
437 | } | ||
438 | |||
439 | |||
440 | /** | ||
441 | * Process as many requests as possible from the queue. | ||
442 | * | ||
443 | * @param cls NULL | ||
444 | */ | ||
445 | static void | ||
446 | process_queue (void *cls) | ||
447 | { | ||
448 | (void) cls; | ||
449 | t = NULL; | ||
450 | for (struct Request *req = req_head; | ||
451 | NULL != req; | ||
452 | req = req->next) | ||
453 | { | ||
454 | if (GNUNET_SYSERR == submit_req (req)) | ||
455 | break; | ||
456 | } | ||
457 | if (NULL != req_head) | ||
458 | t = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_MILLISECONDS, | ||
459 | &process_queue, | ||
460 | NULL); | ||
461 | else | ||
462 | GNUNET_SCHEDULER_shutdown (); | ||
463 | } | ||
464 | |||
465 | |||
466 | /** | ||
467 | * Clean up and terminate the process. | ||
468 | * | ||
469 | * @param cls NULL | ||
470 | */ | ||
471 | static void | ||
472 | do_shutdown (void *cls) | ||
473 | { | ||
474 | (void) cls; | ||
475 | if (NULL != t) | ||
476 | { | ||
477 | GNUNET_SCHEDULER_cancel (t); | ||
478 | t = NULL; | ||
479 | } | ||
480 | GNUNET_DNSSTUB_stop (ctx); | ||
481 | ctx = NULL; | ||
482 | } | ||
483 | |||
484 | |||
485 | /** | ||
486 | * Process requests from the queue, then if the queue is | ||
487 | * not empty, try again. | ||
488 | * | ||
489 | * @param cls NULL | ||
490 | */ | ||
491 | static void | ||
492 | run (void *cls) | ||
493 | { | ||
494 | (void) cls; | ||
495 | |||
496 | GNUNET_SCHEDULER_add_shutdown (&do_shutdown, | ||
497 | NULL); | ||
498 | t = GNUNET_SCHEDULER_add_now (&process_queue, | ||
499 | NULL); | ||
500 | } | ||
501 | |||
502 | |||
503 | /** | ||
504 | * Add @a hostname to the list of requests to be made. | ||
505 | * | ||
506 | * @param hostname name to resolve | ||
507 | */ | ||
508 | static void | ||
509 | queue (const char *hostname) | ||
510 | { | ||
511 | struct GNUNET_DNSPARSER_Packet p; | ||
512 | struct GNUNET_DNSPARSER_Query q; | ||
513 | struct Request *req; | ||
514 | char *raw; | ||
515 | size_t raw_size; | ||
516 | int ret; | ||
517 | |||
518 | if (GNUNET_OK != | ||
519 | GNUNET_DNSPARSER_check_name (hostname)) | ||
520 | { | ||
521 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
522 | "Refusing invalid hostname `%s'\n", | ||
523 | hostname); | ||
524 | return; | ||
525 | } | ||
526 | q.name = (char *) hostname; | ||
527 | q.type = GNUNET_DNSPARSER_TYPE_NS; | ||
528 | q.dns_traffic_class = GNUNET_TUN_DNS_CLASS_INTERNET; | ||
529 | |||
530 | memset (&p, | ||
531 | 0, | ||
532 | sizeof(p)); | ||
533 | p.num_queries = 1; | ||
534 | p.queries = &q; | ||
535 | p.id = (uint16_t) GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, | ||
536 | UINT16_MAX); | ||
537 | ret = GNUNET_DNSPARSER_pack (&p, | ||
538 | UINT16_MAX, | ||
539 | &raw, | ||
540 | &raw_size); | ||
541 | if (GNUNET_OK != ret) | ||
542 | { | ||
543 | if (GNUNET_NO == ret) | ||
544 | GNUNET_free (raw); | ||
545 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
546 | "Failed to pack query for hostname `%s'\n", | ||
547 | hostname); | ||
548 | return; | ||
549 | } | ||
550 | |||
551 | req = GNUNET_new (struct Request); | ||
552 | req->hostname = strdup (hostname); | ||
553 | req->raw = raw; | ||
554 | req->raw_len = raw_size; | ||
555 | req->id = p.id; | ||
556 | GNUNET_CONTAINER_DLL_insert_tail (req_head, | ||
557 | req_tail, | ||
558 | req); | ||
559 | } | ||
560 | |||
561 | |||
562 | /** | ||
563 | * Call with IP address of resolver to query. | ||
564 | * | ||
565 | * @param argc should be 2 | ||
566 | * @param argv[1] should contain IP address | ||
567 | * @return 0 on success | ||
568 | */ | ||
569 | int | ||
570 | main (int argc, | ||
571 | char **argv) | ||
572 | { | ||
573 | char hn[256]; | ||
574 | |||
575 | if (2 != argc) | ||
576 | { | ||
577 | fprintf (stderr, | ||
578 | "Missing required configuration argument\n"); | ||
579 | return -1; | ||
580 | } | ||
581 | ctx = GNUNET_DNSSTUB_start (256); | ||
582 | if (NULL == ctx) | ||
583 | { | ||
584 | fprintf (stderr, | ||
585 | "Failed to initialize GNUnet DNS STUB\n"); | ||
586 | return 1; | ||
587 | } | ||
588 | if (GNUNET_OK != | ||
589 | GNUNET_DNSSTUB_add_dns_ip (ctx, | ||
590 | argv[1])) | ||
591 | { | ||
592 | fprintf (stderr, | ||
593 | "Failed to use `%s' for DNS resolver\n", | ||
594 | argv[1]); | ||
595 | return 1; | ||
596 | } | ||
597 | |||
598 | while (NULL != | ||
599 | fgets (hn, | ||
600 | sizeof(hn), | ||
601 | stdin)) | ||
602 | { | ||
603 | if (strlen (hn) > 0) | ||
604 | hn[strlen (hn) - 1] = '\0'; /* eat newline */ | ||
605 | queue (hn); | ||
606 | } | ||
607 | GNUNET_SCHEDULER_run (&run, | ||
608 | NULL); | ||
609 | fprintf (stderr, | ||
610 | "Did %u lookups, found %u records, %u lookups failed, %u pending on shutdown\n", | ||
611 | lookups, | ||
612 | records, | ||
613 | failures, | ||
614 | pending); | ||
615 | return 0; | ||
616 | } | ||
diff --git a/src/service/dns/meson.build b/src/service/dns/meson.build new file mode 100644 index 000000000..81fecd32a --- /dev/null +++ b/src/service/dns/meson.build | |||
@@ -0,0 +1,63 @@ | |||
1 | libgnunetdns_src = ['dns_api.c'] | ||
2 | |||
3 | gnunetservicedns_src = ['gnunet-service-dns.c'] | ||
4 | gnunetdnsredirector_src = ['gnunet-dns-monitor.c'] | ||
5 | gnunetdnsmonitor_src = ['gnunet-dns-redirector.c'] | ||
6 | |||
7 | configure_file(input : 'dns.conf.in', | ||
8 | output : 'dns.conf', | ||
9 | configuration : cdata, | ||
10 | install: true, | ||
11 | install_dir: pkgcfgdir) | ||
12 | |||
13 | if get_option('monolith') | ||
14 | foreach p : libgnunetdns_src + gnunetservicedns_src | ||
15 | gnunet_src += 'dns/' + p | ||
16 | endforeach | ||
17 | endif | ||
18 | |||
19 | libgnunetdns = library('gnunetdns', | ||
20 | libgnunetdns_src, | ||
21 | soversion: '0', | ||
22 | version: '0.0.0', | ||
23 | dependencies: libgnunetutil_dep, | ||
24 | include_directories: [incdir, configuration_inc], | ||
25 | install: true, | ||
26 | install_dir: get_option('libdir')) | ||
27 | libgnunetdns_dep = declare_dependency(link_with : libgnunetdns) | ||
28 | pkg.generate(libgnunetdns, url: 'https://www.gnunet.org', | ||
29 | description : 'Provides API to access GNUnet\'s DNS service (to intercept and manipulate DNS queries)') | ||
30 | |||
31 | executable ('gnunet-service-dns', | ||
32 | gnunetservicedns_src, | ||
33 | dependencies: [libgnunetdns_dep, libgnunetutil_dep, | ||
34 | libgnunetstatistics_dep], | ||
35 | include_directories: [incdir, configuration_inc], | ||
36 | install: true, | ||
37 | install_dir: get_option('libdir')/'gnunet'/'libexec') | ||
38 | executable ('gnunet-dns-monitor', | ||
39 | gnunetdnsmonitor_src, | ||
40 | dependencies: [libgnunetdns_dep, libgnunetutil_dep, libgnunetdns_dep], | ||
41 | include_directories: [incdir, configuration_inc], | ||
42 | install: false) | ||
43 | |||
44 | executable ('gnunet-dns-redirector', | ||
45 | gnunetdnsredirector_src, | ||
46 | dependencies: [libgnunetdns_dep, libgnunetutil_dep, libgnunetdns_dep], | ||
47 | include_directories: [incdir, configuration_inc], | ||
48 | install: false) | ||
49 | |||
50 | if host_machine.system() == 'linux' | ||
51 | executable ('gnunet-helper-dns', | ||
52 | ['gnunet-helper-dns.c'], | ||
53 | dependencies: [libgnunetdns_dep, libgnunetutil_dep, libgnunetdns_dep], | ||
54 | include_directories: [incdir, configuration_inc], | ||
55 | install: true, | ||
56 | install_dir: get_option('libdir')/'gnunet'/'libexec') | ||
57 | |||
58 | test_dns = configure_file(input : 'test_gnunet_dns.sh', | ||
59 | output : 'test_gnunet_dns.sh', | ||
60 | copy: true) | ||
61 | |||
62 | test('test_gnunet_gns', test_dns, suite: 'dns', workdir: meson.current_build_dir()) | ||
63 | endif | ||
diff --git a/src/service/dns/test_gnunet_dns.sh b/src/service/dns/test_gnunet_dns.sh new file mode 100755 index 000000000..e0fcb711d --- /dev/null +++ b/src/service/dns/test_gnunet_dns.sh | |||
@@ -0,0 +1,68 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | ME=`whoami` | ||
4 | if [ "$ME" != "root" ] | ||
5 | then | ||
6 | echo "This test only works if run as root. Skipping." | ||
7 | exit 77 | ||
8 | fi | ||
9 | if ! which sudo > /dev/null | ||
10 | then | ||
11 | echo "This test requires sudo. Skipping." | ||
12 | exit 77 | ||
13 | fi | ||
14 | if [ ! -x `which sudo` ] | ||
15 | then | ||
16 | echo "This test requires sudo. Skipping." | ||
17 | exit 77 | ||
18 | fi | ||
19 | if ! which nslookup > /dev/null | ||
20 | then | ||
21 | echo "This test requires nslookup. Skipping." | ||
22 | exit 77 | ||
23 | fi | ||
24 | if [ ! -x `which nslookup` ] | ||
25 | then | ||
26 | echo "This test requires nslookup. Skipping." | ||
27 | exit 77 | ||
28 | fi | ||
29 | if [ ! -x `which iptables` ] | ||
30 | then | ||
31 | echo "This test requires iptables. Skipping." | ||
32 | exit 77 | ||
33 | fi | ||
34 | if ! iptables -t mangle --list > /dev/null 2>&1 | ||
35 | then | ||
36 | echo "This test requires iptables with 'mangle' support. Skipping." | ||
37 | exit 77 | ||
38 | fi | ||
39 | if grep % /etc/resolv.conf > /dev/null 2>&1 | ||
40 | then | ||
41 | echo "This system seems to use a DNS server on an IPv6 link-local address, which is not supported. Skipping." | ||
42 | exit 77 | ||
43 | fi | ||
44 | |||
45 | if test ! `id nobody`; | ||
46 | then | ||
47 | echo "This tests requires a user account 'nobody'. Skipping." | ||
48 | exit 77 | ||
49 | fi | ||
50 | |||
51 | export PATH=".:$PATH" | ||
52 | gnunet-service-dns -c dns.conf & | ||
53 | gnunet-dns-redirector -c dns.conf -4 127.0.0.1 & | ||
54 | sleep 1 | ||
55 | # need to run 'nslookup' as 'nobody', as gnunet-service-dns runs as root | ||
56 | # and thus 'root' is excepted from DNS interception! | ||
57 | LO=`sudo -u nobody nslookup -type=A gnunet.org | grep Address | tail -n1` | ||
58 | if [ "$LO" != "Address: 127.0.0.1" ] | ||
59 | then | ||
60 | echo "Fail: got address $LO, wanted 127.0.0.1" | ||
61 | ret=1 | ||
62 | else | ||
63 | echo "Test run, with success." | ||
64 | ret=0 | ||
65 | fi | ||
66 | # TODO: jobs is a possible bashism. Fix. | ||
67 | kill `jobs -p` | ||
68 | exit $ret | ||