1 /*
2 * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module
3 *
4 * Copyright (c) 2017, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /**
37 * \file
38 *
39 * This file contains a module that facilitates opportunistic IPsec. It does so
40 * by also querying for the IPSECKEY for A/AAAA queries and calling a
41 * configurable hook (eg. signaling an IKE daemon) before replying.
42 */
43
44 #include "config.h"
45 #ifdef USE_IPSECMOD
46 #include "ipsecmod/ipsecmod.h"
47 #include "ipsecmod/ipsecmod-whitelist.h"
48 #include "util/fptr_wlist.h"
49 #include "util/regional.h"
50 #include "util/net_help.h"
51 #include "util/config_file.h"
52 #include "services/cache/dns.h"
53 #include "sldns/wire2str.h"
54
55 /** Apply configuration to ipsecmod module 'global' state. */
56 static int
ipsecmod_apply_cfg(struct ipsecmod_env * ipsecmod_env,struct config_file * cfg)57 ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg)
58 {
59 if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) {
60 log_err("ipsecmod: missing ipsecmod-hook.");
61 return 0;
62 }
63 if(cfg->ipsecmod_whitelist &&
64 !ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg))
65 return 0;
66 return 1;
67 }
68
69 int
ipsecmod_init(struct module_env * env,int id)70 ipsecmod_init(struct module_env* env, int id)
71 {
72 struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1,
73 sizeof(struct ipsecmod_env));
74 if(!ipsecmod_env) {
75 log_err("malloc failure");
76 return 0;
77 }
78 env->modinfo[id] = (void*)ipsecmod_env;
79 ipsecmod_env->whitelist = NULL;
80 if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) {
81 log_err("ipsecmod: could not apply configuration settings.");
82 return 0;
83 }
84 return 1;
85 }
86
87 void
ipsecmod_deinit(struct module_env * env,int id)88 ipsecmod_deinit(struct module_env* env, int id)
89 {
90 struct ipsecmod_env* ipsecmod_env;
91 if(!env || !env->modinfo[id])
92 return;
93 ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id];
94 /* Free contents. */
95 ipsecmod_whitelist_delete(ipsecmod_env->whitelist);
96 free(ipsecmod_env);
97 env->modinfo[id] = NULL;
98 }
99
100 /** New query for ipsecmod. */
101 static int
ipsecmod_new(struct module_qstate * qstate,int id)102 ipsecmod_new(struct module_qstate* qstate, int id)
103 {
104 struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
105 qstate->region, sizeof(struct ipsecmod_qstate));
106 qstate->minfo[id] = iq;
107 if(!iq)
108 return 0;
109 /* Initialise it. */
110 memset(iq, 0, sizeof(*iq));
111 iq->enabled = qstate->env->cfg->ipsecmod_enabled;
112 iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
113 (struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
114 qstate->qinfo.qname_len, qstate->qinfo.qclass);
115 return 1;
116 }
117
118 /**
119 * Exit module with an error status.
120 * @param qstate: query state
121 * @param id: module id.
122 */
123 static void
ipsecmod_error(struct module_qstate * qstate,int id)124 ipsecmod_error(struct module_qstate* qstate, int id)
125 {
126 qstate->ext_state[id] = module_error;
127 qstate->return_rcode = LDNS_RCODE_SERVFAIL;
128 }
129
130 /**
131 * Generate a request for the IPSECKEY.
132 *
133 * @param qstate: query state that is the parent.
134 * @param id: module id.
135 * @param name: what name to query for.
136 * @param namelen: length of name.
137 * @param qtype: query type.
138 * @param qclass: query class.
139 * @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
140 * @return false on alloc failure.
141 */
142 static int
generate_request(struct module_qstate * qstate,int id,uint8_t * name,size_t namelen,uint16_t qtype,uint16_t qclass,uint16_t flags)143 generate_request(struct module_qstate* qstate, int id, uint8_t* name,
144 size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
145 {
146 struct module_qstate* newq;
147 struct query_info ask;
148 ask.qname = name;
149 ask.qname_len = namelen;
150 ask.qtype = qtype;
151 ask.qclass = qclass;
152 ask.local_alias = NULL;
153 log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask);
154
155 /* Explicitly check for cycle before trying to attach. Will result in
156 * cleaner error message. The attach_sub code also checks for cycle but the
157 * message will be out of memory in both cases then. */
158 fptr_ok(fptr_whitelist_modenv_detect_cycle(qstate->env->detect_cycle));
159 if((*qstate->env->detect_cycle)(qstate, &ask,
160 (uint16_t)(BIT_RD|flags), 0, 0)) {
161 verbose(VERB_ALGO, "Could not generate request: cycle detected");
162 return 0;
163 }
164
165 fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
166 if(!(*qstate->env->attach_sub)(qstate, &ask,
167 (uint16_t)(BIT_RD|flags), 0, 0, &newq)){
168 log_err("Could not generate request: out of memory");
169 return 0;
170 }
171 qstate->ext_state[id] = module_wait_subquery;
172 return 1;
173 }
174
175 /**
176 * Check if the string passed is a valid domain name with safe characters to
177 * pass to a shell.
178 * This will only allow:
179 * - digits
180 * - alphas
181 * - hyphen (not at the start)
182 * - dot (not at the start, or the only character)
183 * - underscore
184 * @param s: pointer to the string.
185 * @param slen: string's length.
186 * @return true if s only contains safe characters; false otherwise.
187 */
188 static int
domainname_has_safe_characters(char * s,size_t slen)189 domainname_has_safe_characters(char* s, size_t slen) {
190 size_t i;
191 for(i = 0; i < slen; i++) {
192 if(s[i] == '\0') return 1;
193 if((s[i] == '-' && i != 0)
194 || (s[i] == '.' && (i != 0 || s[1] == '\0'))
195 || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
196 || (s[i] >= 'A' && s[i] <= 'Z')
197 || (s[i] >= 'a' && s[i] <= 'z')) {
198 continue;
199 }
200 return 0;
201 }
202 return 1;
203 }
204
205 /**
206 * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
207 * a shell.
208 * This is only relevant for checking the gateway when the gateway type is 3
209 * (domainname).
210 * @param s: pointer to the string.
211 * @param slen: string's length.
212 * @return true if s contains only safe characters; false otherwise.
213 */
214 static int
ipseckey_has_safe_characters(char * s,size_t slen)215 ipseckey_has_safe_characters(char* s, size_t slen) {
216 int precedence, gateway_type, algorithm;
217 char* gateway;
218 gateway = (char*)calloc(slen, sizeof(char));
219 if(!gateway) {
220 log_err("ipsecmod: out of memory when calling the hook");
221 return 0;
222 }
223 if(sscanf(s, "%d %d %d %s ",
224 &precedence, &gateway_type, &algorithm, gateway) != 4) {
225 free(gateway);
226 return 0;
227 }
228 if(gateway_type != 3) {
229 free(gateway);
230 return 1;
231 }
232 if(domainname_has_safe_characters(gateway, slen)) {
233 free(gateway);
234 return 1;
235 }
236 free(gateway);
237 return 0;
238 }
239
240 /**
241 * Prepare the data and call the hook.
242 *
243 * @param qstate: query state.
244 * @param iq: ipsecmod qstate.
245 * @param ie: ipsecmod environment.
246 * @return true on success, false otherwise.
247 */
248 static int
call_hook(struct module_qstate * qstate,struct ipsecmod_qstate * iq,struct ipsecmod_env * ATTR_UNUSED (ie))249 call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
250 struct ipsecmod_env* ATTR_UNUSED(ie))
251 {
252 size_t slen, tempdata_len, tempstring_len, i;
253 char str[65535], *s, *tempstring;
254 int w = 0, w_temp, qtype;
255 struct ub_packed_rrset_key* rrset_key;
256 struct packed_rrset_data* rrset_data;
257 uint8_t *tempdata;
258
259 /* Check if a shell is available */
260 if(system(NULL) == 0) {
261 log_err("ipsecmod: no shell available for ipsecmod-hook");
262 return 0;
263 }
264
265 /* Zero the buffer. */
266 s = str;
267 slen = sizeof(str);
268 memset(s, 0, slen);
269
270 /* Copy the hook into the buffer. */
271 w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
272 /* Put space into the buffer. */
273 w += sldns_str_print(&s, &slen, " ");
274 /* Copy the qname into the buffer. */
275 tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
276 qstate->qinfo.qname_len);
277 if(!tempstring) {
278 log_err("ipsecmod: out of memory when calling the hook");
279 return 0;
280 }
281 if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
282 log_err("ipsecmod: qname has unsafe characters");
283 free(tempstring);
284 return 0;
285 }
286 w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
287 free(tempstring);
288 /* Put space into the buffer. */
289 w += sldns_str_print(&s, &slen, " ");
290 /* Copy the IPSECKEY TTL into the buffer. */
291 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
292 w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
293 /* Put space into the buffer. */
294 w += sldns_str_print(&s, &slen, " ");
295 rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
296 qstate->return_msg->rep);
297 /* Double check that the records are indeed A/AAAA.
298 * This should never happen as this function is only executed for A/AAAA
299 * queries but make sure we don't pass anything other than A/AAAA to the
300 * shell. */
301 qtype = ntohs(rrset_key->rk.type);
302 if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
303 log_err("ipsecmod: Answer is not of A or AAAA type");
304 return 0;
305 }
306 rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
307 /* Copy the A/AAAA record(s) into the buffer. Start and end this section
308 * with a double quote. */
309 w += sldns_str_print(&s, &slen, "\"");
310 for(i=0; i<rrset_data->count; i++) {
311 if(i > 0) {
312 /* Put space into the buffer. */
313 w += sldns_str_print(&s, &slen, " ");
314 }
315 /* Ignore the first two bytes, they are the rr_data len. */
316 w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
317 rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
318 if(w_temp < 0) {
319 /* Error in printout. */
320 log_err("ipsecmod: Error in printing IP address");
321 return 0;
322 } else if((size_t)w_temp >= slen) {
323 s = NULL; /* We do not want str to point outside of buffer. */
324 slen = 0;
325 log_err("ipsecmod: shell command too long");
326 return 0;
327 } else {
328 s += w_temp;
329 slen -= w_temp;
330 w += w_temp;
331 }
332 }
333 w += sldns_str_print(&s, &slen, "\"");
334 /* Put space into the buffer. */
335 w += sldns_str_print(&s, &slen, " ");
336 /* Copy the IPSECKEY record(s) into the buffer. Start and end this section
337 * with a double quote. */
338 w += sldns_str_print(&s, &slen, "\"");
339 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
340 for(i=0; i<rrset_data->count; i++) {
341 if(i > 0) {
342 /* Put space into the buffer. */
343 w += sldns_str_print(&s, &slen, " ");
344 }
345 /* Ignore the first two bytes, they are the rr_data len. */
346 tempdata = rrset_data->rr_data[i] + 2;
347 tempdata_len = rrset_data->rr_len[i] - 2;
348 /* Save the buffer pointers. */
349 tempstring = s; tempstring_len = slen;
350 w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
351 &slen, NULL, 0, NULL);
352 /* There was an error when parsing the IPSECKEY; reset the buffer
353 * pointers to their previous values. */
354 if(w_temp == -1) {
355 s = tempstring; slen = tempstring_len;
356 } else if(w_temp > 0) {
357 if(!ipseckey_has_safe_characters(
358 tempstring, tempstring_len - slen)) {
359 log_err("ipsecmod: ipseckey has unsafe characters");
360 return 0;
361 }
362 w += w_temp;
363 }
364 }
365 w += sldns_str_print(&s, &slen, "\"");
366 if(w >= (int)sizeof(str)) {
367 log_err("ipsecmod: shell command too long");
368 return 0;
369 }
370 verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
371 /* ipsecmod-hook should return 0 on success. */
372 if(system(str) != 0)
373 return 0;
374 return 1;
375 }
376
377 /**
378 * Handle an ipsecmod module event with a query
379 * @param qstate: query state (from the mesh), passed between modules.
380 * contains qstate->env module environment with global caches and so on.
381 * @param iq: query state specific for this module. per-query.
382 * @param ie: environment specific for this module. global.
383 * @param id: module id.
384 */
385 static void
ipsecmod_handle_query(struct module_qstate * qstate,struct ipsecmod_qstate * iq,struct ipsecmod_env * ie,int id)386 ipsecmod_handle_query(struct module_qstate* qstate,
387 struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id)
388 {
389 struct ub_packed_rrset_key* rrset_key;
390 struct packed_rrset_data* rrset_data;
391 size_t i;
392 /* Pass to next module if we are not enabled and whitelisted. */
393 if(!(iq->enabled && iq->is_whitelisted)) {
394 qstate->ext_state[id] = module_wait_module;
395 return;
396 }
397 /* New query, check if the query is for an A/AAAA record and disable
398 * caching for other modules. */
399 if(!iq->ipseckey_done) {
400 if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
401 qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
402 char type[16];
403 sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
404 sizeof(type));
405 verbose(VERB_ALGO, "ipsecmod: query for %s; engaging",
406 type);
407 qstate->no_cache_store = 1;
408 }
409 /* Pass request to next module. */
410 qstate->ext_state[id] = module_wait_module;
411 return;
412 }
413 /* IPSECKEY subquery is finished. */
414 /* We have an IPSECKEY answer. */
415 if(iq->ipseckey_rrset) {
416 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
417 if(rrset_data) {
418 /* If bogus return SERVFAIL. */
419 if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
420 rrset_data->security == sec_status_bogus) {
421 log_err("ipsecmod: bogus IPSECKEY");
422 errinf(qstate, "ipsecmod: bogus IPSECKEY");
423 ipsecmod_error(qstate, id);
424 return;
425 }
426 /* We have a valid IPSECKEY reply, call hook. */
427 if(!call_hook(qstate, iq, ie) &&
428 qstate->env->cfg->ipsecmod_strict) {
429 log_err("ipsecmod: ipsecmod-hook failed");
430 errinf(qstate, "ipsecmod: ipsecmod-hook failed");
431 ipsecmod_error(qstate, id);
432 return;
433 }
434 /* Make sure the A/AAAA's TTL is equal/less than the
435 * ipsecmod_max_ttl. */
436 rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
437 qstate->return_msg->rep);
438 rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
439 if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
440 /* Update TTL for rrset to fixed value. */
441 rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl;
442 for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++)
443 rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl;
444 /* Also update reply_info's TTL */
445 if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
446 qstate->return_msg->rep->ttl =
447 qstate->env->cfg->ipsecmod_max_ttl;
448 qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(
449 qstate->return_msg->rep->ttl);
450 qstate->return_msg->rep->serve_expired_ttl = qstate->return_msg->rep->ttl +
451 qstate->env->cfg->serve_expired_ttl;
452 }
453 }
454 }
455 }
456 /* Store A/AAAA in cache. */
457 if(!dns_cache_store(qstate->env, &qstate->qinfo,
458 qstate->return_msg->rep, 0, qstate->prefetch_leeway,
459 0, qstate->region, qstate->query_flags, qstate->qstarttime)) {
460 log_err("ipsecmod: out of memory caching record");
461 }
462 qstate->ext_state[id] = module_finished;
463 }
464
465 /**
466 * Handle an ipsecmod module event with a response from the iterator.
467 * @param qstate: query state (from the mesh), passed between modules.
468 * contains qstate->env module environment with global caches and so on.
469 * @param iq: query state specific for this module. per-query.
470 * @param ie: environment specific for this module. global.
471 * @param id: module id.
472 */
473 static void
ipsecmod_handle_response(struct module_qstate * qstate,struct ipsecmod_qstate * ATTR_UNUSED (iq),struct ipsecmod_env * ATTR_UNUSED (ie),int id)474 ipsecmod_handle_response(struct module_qstate* qstate,
475 struct ipsecmod_qstate* ATTR_UNUSED(iq),
476 struct ipsecmod_env* ATTR_UNUSED(ie), int id)
477 {
478 /* Pass to previous module if we are not enabled and whitelisted. */
479 if(!(iq->enabled && iq->is_whitelisted)) {
480 qstate->ext_state[id] = module_finished;
481 return;
482 }
483 /* check if the response is for an A/AAAA query. */
484 if((qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
485 qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) &&
486 /* check that we had an answer for the A/AAAA query. */
487 qstate->return_msg &&
488 reply_find_answer_rrset(&qstate->return_msg->qinfo,
489 qstate->return_msg->rep) &&
490 /* check that another module didn't SERVFAIL. */
491 qstate->return_rcode == LDNS_RCODE_NOERROR) {
492 char type[16];
493 sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
494 sizeof(type));
495 verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY "
496 "subquery", type);
497 /* generate an IPSECKEY query. */
498 if(!generate_request(qstate, id, qstate->qinfo.qname,
499 qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
500 qstate->qinfo.qclass, 0)) {
501 log_err("ipsecmod: could not generate subquery.");
502 errinf(qstate, "ipsecmod: could not generate subquery.");
503 ipsecmod_error(qstate, id);
504 }
505 return;
506 }
507 /* we are done with the query. */
508 qstate->ext_state[id] = module_finished;
509 }
510
511 void
ipsecmod_operate(struct module_qstate * qstate,enum module_ev event,int id,struct outbound_entry * outbound)512 ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
513 struct outbound_entry* outbound)
514 {
515 struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id];
516 struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id];
517 verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s",
518 id, strextstate(qstate->ext_state[id]), strmodulevent(event));
519 if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query",
520 &qstate->qinfo);
521
522 /* create ipsecmod_qstate. */
523 if((event == module_event_new || event == module_event_pass) &&
524 iq == NULL) {
525 if(!ipsecmod_new(qstate, id)) {
526 errinf(qstate, "ipsecmod: could not ipsecmod_new");
527 ipsecmod_error(qstate, id);
528 return;
529 }
530 iq = (struct ipsecmod_qstate*)qstate->minfo[id];
531 }
532 if(iq && (event == module_event_pass || event == module_event_new)) {
533 ipsecmod_handle_query(qstate, iq, ie, id);
534 return;
535 }
536 if(iq && (event == module_event_moddone)) {
537 ipsecmod_handle_response(qstate, iq, ie, id);
538 return;
539 }
540 if(iq && outbound) {
541 /* cachedb does not need to process responses at this time
542 * ignore it.
543 cachedb_process_response(qstate, iq, ie, id, outbound, event);
544 */
545 return;
546 }
547 if(event == module_event_error) {
548 verbose(VERB_ALGO, "got called with event error, giving up");
549 errinf(qstate, "ipsecmod: got called with event error");
550 ipsecmod_error(qstate, id);
551 return;
552 }
553 if(!iq && (event == module_event_moddone)) {
554 /* during priming, module done but we never started. */
555 qstate->ext_state[id] = module_finished;
556 return;
557 }
558
559 log_err("ipsecmod: bad event %s", strmodulevent(event));
560 errinf(qstate, "ipsecmod: operate got bad event");
561 ipsecmod_error(qstate, id);
562 return;
563 }
564
565 void
ipsecmod_inform_super(struct module_qstate * qstate,int id,struct module_qstate * super)566 ipsecmod_inform_super(struct module_qstate* qstate, int id,
567 struct module_qstate* super)
568 {
569 struct ipsecmod_qstate* siq;
570 log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is",
571 &qstate->qinfo);
572 log_query_info(VERB_ALGO, "super is", &super->qinfo);
573 siq = (struct ipsecmod_qstate*)super->minfo[id];
574 if(!siq) {
575 verbose(VERB_ALGO, "super has no ipsecmod state");
576 return;
577 }
578
579 if(qstate->return_msg) {
580 struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset(
581 &qstate->return_msg->qinfo, qstate->return_msg->rep);
582 if(rrset_key) {
583 /* We have an answer. */
584 /* Copy to super's region. */
585 rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0);
586 siq->ipseckey_rrset = rrset_key;
587 if(!rrset_key) {
588 log_err("ipsecmod: out of memory.");
589 }
590 }
591 }
592 /* Notify super to proceed. */
593 siq->ipseckey_done = 1;
594 }
595
596 void
ipsecmod_clear(struct module_qstate * qstate,int id)597 ipsecmod_clear(struct module_qstate* qstate, int id)
598 {
599 if(!qstate)
600 return;
601 qstate->minfo[id] = NULL;
602 }
603
604 size_t
ipsecmod_get_mem(struct module_env * env,int id)605 ipsecmod_get_mem(struct module_env* env, int id)
606 {
607 struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id];
608 if(!ie)
609 return 0;
610 return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist);
611 }
612
613 /**
614 * The ipsecmod function block
615 */
616 static struct module_func_block ipsecmod_block = {
617 "ipsecmod",
618 &ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate,
619 &ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem
620 };
621
622 struct module_func_block*
ipsecmod_get_funcblock(void)623 ipsecmod_get_funcblock(void)
624 {
625 return &ipsecmod_block;
626 }
627 #endif /* USE_IPSECMOD */
628