summaryrefslogtreecommitdiffstats
path: root/lib/resolve.h
blob: a2d5ec9dbd3b599f55141e538b198ccf9712bb19 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
/*  Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
 *  SPDX-License-Identifier: GPL-3.0-or-later
 */

#pragma once

#include <netinet/in.h>
#include <sys/socket.h>
#include <libknot/packet/pkt.h>

#include "lib/cookies/control.h"
#include "lib/cookies/lru_cache.h"
#include "lib/layer.h"
#include "lib/generic/array.h"
#include "lib/selection.h"
#include "lib/rplan.h"
#include "lib/module.h"
#include "lib/cache/api.h"

/**
 * @file resolve.h
 * @brief The API provides an API providing a "consumer-producer"-like interface to enable
 * user to plug it into existing event loop or I/O code.
 *
 * # Example usage of the iterative API:
 *
 * @code{.c}
 *
 * // Create request and its memory pool
 * struct kr_request req = {
 * 	.pool = {
 * 		.ctx = mp_new (4096),
 * 		.alloc = (mm_alloc_t) mp_alloc
 * 	}
 * };
 *
 * // Setup and provide input query
 * int state = kr_resolve_begin(&req, ctx);
 * state = kr_resolve_consume(&req, query);
 *
 * // Generate answer
 * while (state == KR_STATE_PRODUCE) {
 *
 *     // Additional query generate, do the I/O and pass back answer
 *     state = kr_resolve_produce(&req, &addr, &type, query);
 *     while (state == KR_STATE_CONSUME) {
 *         int ret = sendrecv(addr, proto, query, resp);
 *
 *         // If I/O fails, make "resp" empty
 *         state = kr_resolve_consume(&request, addr, resp);
 *         knot_pkt_clear(resp);
 *     }
 *     knot_pkt_clear(query);
 * }
 *
 * // "state" is either DONE or FAIL
 * kr_resolve_finish(&request, state);
 *
 * @endcode
 */


struct kr_request;
/** Allocate buffer for answer's wire (*maxlen may get lowered).
 *
 * Motivation: XDP wire allocation is an overlap of library and daemon:
 *  - it needs to be called from the library
 *  - it needs to rely on some daemon's internals
 *  - the library (currently) isn't allowed to directly use symbols from daemon
 *    (contrary to modules), e.g. some of our lib-using tests run without daemon
 *
 * Note: after we obtain the wire, we're obliged to send it out.
 * (So far there's no use case to allow cancelling at that point.)
 */
typedef uint8_t * (*alloc_wire_f)(struct kr_request *req, uint16_t *maxlen);

/**
 * RRset rank - for cache and ranked_rr_*.
 *
 * The rank meaning consists of one independent flag - KR_RANK_AUTH,
 * and the rest have meaning of values where only one can hold at any time.
 * You can use one of the enums as a safe initial value, optionally | KR_RANK_AUTH;
 * otherwise it's best to manipulate ranks via the kr_rank_* functions.
 *
 * @note The representation is complicated by restrictions on integer comparison:
 * - AUTH must be > than !AUTH
 * - AUTH INSECURE must be > than AUTH (because it attempted validation)
 * - !AUTH SECURE must be > than AUTH (because it's valid)
 *
 * See also:
 *   https://tools.ietf.org/html/rfc2181#section-5.4.1
 *   https://tools.ietf.org/html/rfc4035#section-4.3
 */
enum kr_rank {
	/* Initial-like states.  No validation has been attempted (yet). */
	KR_RANK_INITIAL = 0, /**< Did not attempt to validate. It's assumed
					compulsory to validate (or prove insecure). */
	KR_RANK_OMIT,        /**< Do not attempt to validate.
					(And don't consider it a validation failure.) */
	KR_RANK_TRY,         /**< Attempt to validate, but failures are non-fatal. */

	/* Failure states.  These have higher value because they have more information. */
	KR_RANK_INDET = 4,   /**< Unable to determine whether it should be secure. */
	KR_RANK_BOGUS,       /**< Ought to be secure but isn't. */
	KR_RANK_MISMATCH,
	KR_RANK_MISSING,     /**< No RRSIG found for that owner+type combination. */

	/** Proven to be insecure, i.e. we have a chain of trust from TAs
	 * that cryptographically denies the possibility of existence
	 * of a positive chain of trust from the TAs to the record.
	 * Or it may be covered by a closer negative TA. */
	KR_RANK_INSECURE = 8,

	/** Authoritative data flag; the chain of authority was "verified".
	 *  Even if not set, only in-bailiwick stuff is acceptable,
	 *  i.e. almost authoritative (example: mandatory glue and its NS RR). */
	KR_RANK_AUTH = 16,

	KR_RANK_SECURE = 32,  /**< Verified whole chain of trust from the closest TA. */
	/* @note Rank must not exceed 6 bits */
};

/** Check that a rank value is valid.  Meant for assertions. */
bool kr_rank_check(uint8_t rank) KR_PURE;

/** Test the presence of any flag/state in a rank, i.e. including KR_RANK_AUTH. */
bool kr_rank_test(uint8_t rank, uint8_t kr_flag) KR_PURE KR_EXPORT;

/** Set the rank state. The _AUTH flag is kept as it was. */
static inline void kr_rank_set(uint8_t *rank, uint8_t kr_flag)
{
	if (kr_fails_assert(rank && kr_rank_check(*rank)))
		return;
	if (kr_fails_assert(kr_rank_check(kr_flag) && !(kr_flag & KR_RANK_AUTH)))
		return;
	*rank = kr_flag | (*rank & KR_RANK_AUTH);
}


/** @cond internal Array of modules. */
typedef array_t(struct kr_module *) module_array_t;
/* @endcond */

/**
 * Name resolution context.
 *
 * Resolution context provides basic services like cache, configuration and options.
 *
 * @note This structure is persistent between name resolutions and may
 *       be shared between threads.
 */
struct kr_context
{
	/** Default kr_request flags.  For startup defaults see init_resolver() */
	struct kr_qflags options;

	/** Default EDNS towards *both* clients and upstream.
	 * LATER: consider splitting the two, e.g. allow separately
	 * configured limits for UDP packet size (say, LAN is under control). */
	knot_rrset_t *downstream_opt_rr;
	knot_rrset_t *upstream_opt_rr;

	trie_t *trust_anchors;
	trie_t *negative_anchors;
	/** Validator's limit on the number of cryptographic steps for a single upstream packet. */
	int32_t vld_limit_crypto;

	struct kr_zonecut root_hints;
	struct kr_cache cache;
	unsigned cache_rtt_tout_retry_interval;
	module_array_t *modules;
	/* The cookie context structure should not be held within the cookies
	 * module because of better access. */
	struct kr_cookie_ctx cookie_ctx;
	kr_cookie_lru_t *cache_cookie;
	int32_t tls_padding; /**< See net.tls_padding in ../daemon/README.rst -- -1 is "true" (default policy), 0 is "false" (no padding) */
	knot_mm_t *pool;
};

/* Kept outside, because kres-gen.lua can't handle this depth
 * (and lines here were too long anyway). */
struct kr_request_qsource_flags {
	bool tcp:1; /**< true if the request is not on UDP; only meaningful if (dst_addr). */
	bool tls:1; /**< true if the request is encrypted; only meaningful if (dst_addr). */
	bool http:1; /**< true if the request is on HTTP; only meaningful if (dst_addr). */
	bool xdp:1; /**< true if the request is on AF_XDP; only meaningful if (dst_addr). */
};

/* Extended DNS Errors, RFC 8914 */
struct kr_extended_error {
	int32_t info_code;  /**< May contain -1 (KNOT_EDNS_EDE_NONE); filter before converting to uint16_t. */
	const char *extra_text; /**< Can be NULL.  Allocated on the kr_request::pool or static. */
};


typedef bool (*addr_info_f)(struct sockaddr*);
typedef void (*async_resolution_f)(knot_dname_t*, enum knot_rr_type);
typedef array_t(union kr_sockaddr) kr_sockaddr_array_t;

/**
 * Name resolution request.
 *
 * Keeps information about current query processing between calls to
 * processing APIs, i.e. current resolved query, resolution plan, ...
 * Use this instead of the simple interface if you want to implement
 * multiplexing or custom I/O.
 *
 * @note All data for this request must be allocated from the given pool.
 */
struct kr_request {
	struct kr_context *ctx;
	knot_pkt_t *answer; /**< See kr_request_ensure_answer() */
	struct kr_query *current_query;    /**< Current evaluated query. */
	struct {
		/** Address that originated the request. May be that of a client
		 * behind a proxy, if PROXYv2 is used. Otherwise, it will be
		 * the same as `comm_addr`. `NULL` for internal origin. */
		const struct sockaddr *addr;
		/** Address that communicated the request. This may be the address
		 * of a proxy. It is the same as `addr` if no proxy is used.
		 * `NULL` for internal origin. */
		const struct sockaddr *comm_addr;
		/** Address that accepted the request. `NULL` for internal origin.
		 * Beware: in case of UDP on wildcard address it will be wildcard;
		 * closely related: issue #173. */
		const struct sockaddr *dst_addr;
		const knot_pkt_t *packet;
		/** Request flags from the point of view of the original client.
		 * This client may be behind a proxy. */
		struct kr_request_qsource_flags flags;
		/** Request flags from the point of view of the client actually
		 * communicating with the resolver. When PROXYv2 protocol is used,
		 * this describes the request from the proxy. When there is no
		 * proxy, this will have exactly the same value as `flags`. */
		struct kr_request_qsource_flags comm_flags;
		size_t size; /**< query packet size */
		int32_t stream_id; /**< HTTP/2 stream ID for DoH requests */
		kr_http_header_array_t headers;  /**< HTTP/2 headers for DoH requests */
	} qsource;
	struct {
		unsigned rtt;                  /**< Current upstream RTT */
		const struct kr_transport *transport;   /**< Current upstream transport */
	} upstream;                        /**< Upstream information, valid only in consume() phase */
	struct kr_qflags options;
	int state;
	ranked_rr_array_t answ_selected;
	ranked_rr_array_t auth_selected;
	ranked_rr_array_t add_selected;
	bool answ_validated; /**< internal to validator; beware of caching, etc. */
	bool auth_validated; /**< see answ_validated ^^ ; TODO */

	/** Overall rank for the request.
	 *
	 * Values from kr_rank, currently just KR_RANK_SECURE and _INITIAL.
	 * Only read this in finish phase and after validator, please.
	 * Meaning of _SECURE: all RRs in answer+authority are _SECURE,
	 *   including any negative results implied (NXDOMAIN, NODATA).
	 */
	uint8_t rank;

	struct kr_rplan rplan;
	trace_log_f trace_log; /**< Logging tracepoint */
	trace_callback_f trace_finish; /**< Request finish tracepoint */
	int vars_ref; /**< Reference to per-request variable table. LUA_NOREF if not set. */
	knot_mm_t pool;
	unsigned int uid; /**< for logging purposes only */
	struct {
		addr_info_f is_tls_capable;
		addr_info_f is_tcp_connected;
		addr_info_f is_tcp_waiting;
		kr_sockaddr_array_t forwarding_targets; /**< When forwarding, possible targets are put here */
	} selection_context;
	unsigned int count_no_nsaddr;
	unsigned int count_fail_row;
	alloc_wire_f alloc_wire_cb; /**< CB to allocate answer wire (can be NULL). */
	struct kr_extended_error extended_error;  /**< EDE info; don't modify directly, use kr_request_set_extended_error() */
};

/** Initializer for an array of *_selected. */
#define kr_request_selected(req) { \
	[KNOT_ANSWER] = &(req)->answ_selected, \
	[KNOT_AUTHORITY] = &(req)->auth_selected, \
	[KNOT_ADDITIONAL] = &(req)->add_selected, \
	}

/**
 * Begin name resolution.
 *
 * @note Expects a request to have an initialized mempool.
 *
 * @param request request state with initialized mempool
 * @param ctx     resolution context
 * @return        CONSUME (expecting query)
 */
KR_EXPORT
int kr_resolve_begin(struct kr_request *request, struct kr_context *ctx);

/**
 * Ensure that request->answer->opt_rr is present if query has EDNS.
 *
 * This function should be used after clearing a response packet to ensure its
 * opt_rr is properly set. Returns the opt_rr (for convenience) or NULL.
 */
KR_EXPORT
knot_rrset_t * kr_request_ensure_edns(struct kr_request *request);

/**
 * Ensure that request->answer is usable, and return it (for convenience).
 *
 * It may return NULL, in which case it marks ->state with _FAIL and no answer will be sent.
 * Only use this when it's guaranteed that there will be no delay before sending it.
 * You don't need to call this in places where "resolver knows" that there will be no delay,
 * but even there you need to check if the ->answer is NULL (unless you check for _FAIL anyway).
 */
KR_EXPORT
knot_pkt_t * kr_request_ensure_answer(struct kr_request *request);

/**
 * Consume input packet (may be either first query or answer to query originated from kr_resolve_produce())
 *
 * @note If the I/O fails, provide an empty or NULL packet, this will make iterator recognize nameserver failure.
 *
 * @param  request request state (awaiting input)
 * @param  src     [in] packet source address
 * @param  packet  [in] input packet
 * @return         any state
 */
KR_EXPORT
int kr_resolve_consume(struct kr_request *request, struct kr_transport **transport, knot_pkt_t *packet);

/**
 * Produce either next additional query or finish.
 *
 * If the CONSUME is returned then dst, type and packet will be filled with
 * appropriate values and caller is responsible to send them and receive answer.
 * If it returns any other state, then content of the variables is undefined.
 *
 * @param  request request state (in PRODUCE state)
 * @param  dst     [out] possible address of the next nameserver
 * @param  type    [out] possible used socket type (SOCK_STREAM, SOCK_DGRAM)
 * @param  packet  [out] packet to be filled with additional query
 * @return         any state
 */
KR_EXPORT
int kr_resolve_produce(struct kr_request *request, struct kr_transport **transport, knot_pkt_t *packet);

/**
 * Finalises the outbound query packet with the knowledge of the IP addresses.
 *
 * @note The function must be called before actual sending of the request packet.
 *
 * @param  request request state (in PRODUCE state)
 * @param  src     address from which the query is going to be sent
 * @param  dst     address of the name server
 * @param  type    used socket type (SOCK_STREAM, SOCK_DGRAM)
 * @param  packet  [in,out] query packet to be finalised
 * @return         kr_ok() or error code
 */
KR_EXPORT
int kr_resolve_checkout(struct kr_request *request, const struct sockaddr *src,
                        struct kr_transport *transport, knot_pkt_t *packet);

/**
 * Finish resolution and commit results if the state is DONE.
 *
 * @note The structures will be deinitialized, but the assigned memory pool is not going to
 *       be destroyed, as it's owned by caller.
 *
 * @param  request request state
 * @param  state   either DONE or FAIL state (to be assigned to request->state)
 * @return         DONE
 */
KR_EXPORT
int kr_resolve_finish(struct kr_request *request, int state);

/**
 * Return resolution plan.
 * @param  request request state
 * @return         pointer to rplan
 */
KR_EXPORT KR_PURE
struct kr_rplan *kr_resolve_plan(struct kr_request *request);

/**
 * Return memory pool associated with request.
 * @param  request request state
 * @return         mempool
 */
KR_EXPORT KR_PURE
knot_mm_t *kr_resolve_pool(struct kr_request *request);

/**
 * Set the extended DNS error for request.
 *
 * The error is set only if it has a higher or the same priority as the one
 * already assigned.  The provided extra_text may be NULL, or a string that is
 * allocated either statically, or on the request's mempool. To clear any
 * error, call it with KNOT_EDNS_EDE_NONE and NULL as extra_text.
 *
 * To facilitate debugging, we include a unique base32 identifier at the start
 * of the extra_text field for every call of this function. To generate such an
 * identifier, you can use the command:
 * $ base32 /dev/random | head -c 4
 *
 * @param  request     request state
 * @param  info_code   extended DNS error code
 * @param  extra_text  optional string with additional information
 * @return             info_code that is set after the call
 */
KR_EXPORT
int kr_request_set_extended_error(struct kr_request *request, int info_code, const char *extra_text);

static inline void kr_query_inform_timeout(struct kr_request *req, const struct kr_query *qry)
{
	kr_request_set_extended_error(req, KNOT_EDNS_EDE_NREACH_AUTH, "RRPF");

	unsigned ind = 0;
	for (const struct kr_query *q = qry; q; q = q->parent)
		ind += 2;
	const uint32_t qid = qry ? qry->uid : 0;

	kr_log_req(req, qid, ind, WORKER, "internal timeout for resolving the request has expired\n");
}