/* dnstap support for NSD */ /* * Copyright (c) 2013-2014, Farsight Security, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "dnstap/dnstap_config.h" #ifdef USE_DNSTAP #include "config.h" #include #include #ifdef HAVE_SYS_STAT_H #include #endif #include #include #include "util.h" #include "options.h" #include #include #include "dnstap/dnstap.h" #include "dnstap/dnstap.pb-c.h" #ifdef HAVE_SSL #ifdef HAVE_OPENSSL_SSL_H #include #endif #ifdef HAVE_OPENSSL_ERR_H #include #endif #endif #define DNSTAP_CONTENT_TYPE "protobuf:dnstap.Dnstap" #define DNSTAP_INITIAL_BUF_SIZE 256 struct dt_msg { void *buf; size_t len_buf; Dnstap__Dnstap d; Dnstap__Message m; }; static int dt_pack(const Dnstap__Dnstap *d, void **buf, size_t *sz) { ProtobufCBufferSimple sbuf; memset(&sbuf, 0, sizeof(sbuf)); sbuf.base.append = protobuf_c_buffer_simple_append; sbuf.len = 0; sbuf.alloced = DNSTAP_INITIAL_BUF_SIZE; sbuf.data = malloc(sbuf.alloced); if (sbuf.data == NULL) return 0; sbuf.must_free_data = 1; *sz = dnstap__dnstap__pack_to_buffer(d, (ProtobufCBuffer *) &sbuf); if (sbuf.data == NULL) return 0; *buf = sbuf.data; return 1; } static void dt_send(const struct dt_env *env, void *buf, size_t len_buf) { fstrm_res res; if (!buf) return; res = fstrm_iothr_submit(env->iothr, env->ioq, buf, len_buf, fstrm_free_wrapper, NULL); if (res != fstrm_res_success) free(buf); } static void dt_msg_init(const struct dt_env *env, struct dt_msg *dm, Dnstap__Message__Type mtype) { memset(dm, 0, sizeof(*dm)); dm->d.base.descriptor = &dnstap__dnstap__descriptor; dm->m.base.descriptor = &dnstap__message__descriptor; dm->d.type = DNSTAP__DNSTAP__TYPE__MESSAGE; dm->d.message = &dm->m; dm->m.type = mtype; if (env->identity != NULL) { dm->d.identity.data = (uint8_t *) env->identity; dm->d.identity.len = (size_t) env->len_identity; dm->d.has_identity = 1; } if (env->version != NULL) { dm->d.version.data = (uint8_t *) env->version; dm->d.version.len = (size_t) env->len_version; dm->d.has_version = 1; } } #ifdef HAVE_SSL /** TLS writer object for fstrm. */ struct dt_tls_writer { /* ip address */ char* ip; /* if connected already */ int connected; /* file descriptor */ int fd; /* TLS context */ SSL_CTX* ctx; /* SSL transport */ SSL* ssl; /* the server name to authenticate */ char* tls_server_name; }; void log_crypto_err(const char* str); /* in server.c */ /* Create TLS writer object for fstrm. */ static struct dt_tls_writer* tls_writer_init(char* ip, char* tls_server_name, char* tls_cert_bundle, char* tls_client_key_file, char* tls_client_cert_file) { struct dt_tls_writer* dtw = (struct dt_tls_writer*)calloc(1, sizeof(*dtw)); if(!dtw) return NULL; dtw->fd = -1; dtw->ip = strdup(ip); if(!dtw->ip) { free(dtw); return NULL; } dtw->ctx = SSL_CTX_new(SSLv23_client_method()); if(!dtw->ctx) { log_msg(LOG_ERR, "dnstap: SSL_CTX_new failed"); free(dtw->ip); free(dtw); return NULL; } #if SSL_OP_NO_SSLv2 != 0 if((SSL_CTX_set_options(dtw->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) != SSL_OP_NO_SSLv2) { log_msg(LOG_ERR, "dnstap: could not set SSL_OP_NO_SSLv2"); SSL_CTX_free(dtw->ctx); free(dtw->ip); free(dtw); return NULL; } #endif if((SSL_CTX_set_options(dtw->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) != SSL_OP_NO_SSLv3) { log_msg(LOG_ERR, "dnstap: could not set SSL_OP_NO_SSLv3"); SSL_CTX_free(dtw->ctx); free(dtw->ip); free(dtw); return NULL; } #if defined(SSL_OP_NO_RENEGOTIATION) /* disable client renegotiation */ if((SSL_CTX_set_options(dtw->ctx, SSL_OP_NO_RENEGOTIATION) & SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { log_msg(LOG_ERR, "dnstap: could not set SSL_OP_NO_RENEGOTIATION"); SSL_CTX_free(dtw->ctx); free(dtw->ip); free(dtw); return NULL; } #endif if(tls_client_key_file && tls_client_key_file[0]) { if(!SSL_CTX_use_certificate_chain_file(dtw->ctx, tls_client_cert_file)) { log_msg(LOG_ERR, "dnstap: SSL_CTX_use_certificate_chain_file failed for %s", tls_client_cert_file); SSL_CTX_free(dtw->ctx); free(dtw->ip); free(dtw); return NULL; } if(!SSL_CTX_use_PrivateKey_file(dtw->ctx, tls_client_key_file, SSL_FILETYPE_PEM)) { log_msg(LOG_ERR, "dnstap: SSL_CTX_use_PrivateKey_file failed for %s", tls_client_key_file); SSL_CTX_free(dtw->ctx); free(dtw->ip); free(dtw); return NULL; } if(!SSL_CTX_check_private_key(dtw->ctx)) { log_msg(LOG_ERR, "dnstap: SSL_CTX_check_private_key failed for %s", tls_client_key_file); SSL_CTX_free(dtw->ctx); free(dtw->ip); free(dtw); return NULL; } } if(tls_cert_bundle && tls_cert_bundle[0]) { if(!SSL_CTX_load_verify_locations(dtw->ctx, tls_cert_bundle, NULL)) { log_msg(LOG_ERR, "dnstap: SSL_CTX_load_verify_locations failed for %s", tls_cert_bundle); SSL_CTX_free(dtw->ctx); free(dtw->ip); free(dtw); return NULL; } if(SSL_CTX_set_default_verify_paths(dtw->ctx) != 1) { log_msg(LOG_ERR, "dnstap: SSL_CTX_set_default_verify_paths failed"); SSL_CTX_free(dtw->ctx); free(dtw->ip); free(dtw); return NULL; } SSL_CTX_set_verify(dtw->ctx, SSL_VERIFY_PEER, NULL); } if(tls_server_name) { dtw->tls_server_name = strdup(tls_server_name); if(!dtw->tls_server_name) { log_msg(LOG_ERR, "dnstap: strdup failed"); SSL_CTX_free(dtw->ctx); free(dtw->ip); free(dtw); return NULL; } } return dtw; } /* Delete TLS writer object */ static void tls_writer_delete(struct dt_tls_writer* dtw) { if(!dtw) return; if(dtw->ssl) SSL_shutdown(dtw->ssl); SSL_free(dtw->ssl); dtw->ssl = NULL; SSL_CTX_free(dtw->ctx); if(dtw->fd != -1) { close(dtw->fd); dtw->fd = -1; } free(dtw->ip); free(dtw->tls_server_name); free(dtw); } /* The fstrm writer destroy callback for TLS */ static fstrm_res dt_tls_writer_destroy(void* obj) { struct dt_tls_writer* dtw = (struct dt_tls_writer*)obj; tls_writer_delete(dtw); return fstrm_res_success; } /* The fstrm writer open callback for TLS */ static fstrm_res dt_tls_writer_open(void* obj) { struct sockaddr_storage addr; socklen_t addrlen; char* svr, *at = NULL; int port = 3333; int addrfamily; struct dt_tls_writer* dtw = (struct dt_tls_writer*)obj; X509* x; /* skip action if already connected */ if(dtw->connected) return fstrm_res_success; /* figure out port number */ svr = dtw->ip; at = strchr(svr, '@'); if(at != NULL) { *at = 0; port = atoi(at+1); } /* parse addr */ memset(&addr, 0, sizeof(addr)); #ifdef INET6 if(strchr(svr, ':')) { struct sockaddr_in6 sa; addrlen = (socklen_t)sizeof(struct sockaddr_in6); memset(&sa, 0, addrlen); sa.sin6_family = AF_INET6; sa.sin6_port = (in_port_t)htons((uint16_t)port); if(inet_pton((int)sa.sin6_family, svr, &sa.sin6_addr) <= 0) { log_msg(LOG_ERR, "dnstap: could not parse IP: %s", svr); if(at != NULL) *at = '@'; return fstrm_res_failure; } memcpy(&addr, &sa, addrlen); addrfamily = AF_INET6; } else #else if(1) #endif { struct sockaddr_in sa; addrlen = (socklen_t)sizeof(struct sockaddr_in); memset(&sa, 0, addrlen); sa.sin_family = AF_INET; sa.sin_port = (in_port_t)htons((uint16_t)port); if(inet_pton((int)sa.sin_family, svr, &sa.sin_addr) <= 0) { log_msg(LOG_ERR, "dnstap: could not parse IP: %s", svr); if(at != NULL) *at = '@'; return fstrm_res_failure; } memcpy(&addr, &sa, addrlen); addrfamily = AF_INET; } if(at != NULL) *at = '@'; /* open socket */ dtw->fd = socket(addrfamily, SOCK_STREAM, 0); if(dtw->fd == -1) { log_msg(LOG_ERR, "dnstap: socket failed: %s", strerror(errno)); return fstrm_res_failure; } if(connect(dtw->fd, (struct sockaddr*)&addr, addrlen) < 0) { log_msg(LOG_ERR, "dnstap: connect failed: %s", strerror(errno)); return fstrm_res_failure; } dtw->connected = 1; /* setup SSL */ dtw->ssl = SSL_new(dtw->ctx); if(!dtw->ssl) { log_msg(LOG_ERR, "dnstap: SSL_new failed"); return fstrm_res_failure; } SSL_set_connect_state(dtw->ssl); (void)SSL_set_mode(dtw->ssl, SSL_MODE_AUTO_RETRY); if(!SSL_set_fd(dtw->ssl, dtw->fd)) { log_msg(LOG_ERR, "dnstap: SSL_set_fd failed"); return fstrm_res_failure; } if(dtw->tls_server_name && dtw->tls_server_name[0]) { if(!SSL_set1_host(dtw->ssl, dtw->tls_server_name)) { log_msg(LOG_ERR, "dnstap: TLS setting of hostname %s failed to %s", dtw->tls_server_name, dtw->ip); return fstrm_res_failure; } } /* handshake */ while(1) { int r; ERR_clear_error(); if( (r=SSL_do_handshake(dtw->ssl)) == 1) break; r = SSL_get_error(dtw->ssl, r); if(r != SSL_ERROR_WANT_READ && r != SSL_ERROR_WANT_WRITE) { if(r == SSL_ERROR_ZERO_RETURN) { log_msg(LOG_ERR, "dnstap: EOF on SSL_do_handshake"); return fstrm_res_failure; } if(r == SSL_ERROR_SYSCALL) { log_msg(LOG_ERR, "dnstap: SSL_do_handshake failed: %s", strerror(errno)); return fstrm_res_failure; } log_crypto_err("dnstap: SSL_do_handshake failed"); return fstrm_res_failure; } /* wants to be called again */ } /* check authenticity of server */ if(SSL_get_verify_result(dtw->ssl) != X509_V_OK) { log_crypto_err("SSL verification failed"); return fstrm_res_failure; } x = SSL_get_peer_certificate(dtw->ssl); if(!x) { log_crypto_err("Server presented no peer certificate"); return fstrm_res_failure; } X509_free(x); return fstrm_res_success; } /* The fstrm writer close callback for TLS */ static fstrm_res dt_tls_writer_close(void* obj) { struct dt_tls_writer* dtw = (struct dt_tls_writer*)obj; if(dtw->connected) { dtw->connected = 0; if(dtw->ssl) SSL_shutdown(dtw->ssl); SSL_free(dtw->ssl); dtw->ssl = NULL; if(dtw->fd != -1) { close(dtw->fd); dtw->fd = -1; } return fstrm_res_success; } return fstrm_res_failure; } /* The fstrm writer read callback for TLS */ static fstrm_res dt_tls_writer_read(void* obj, void* buf, size_t nbytes) { /* want to read nbytes of data */ struct dt_tls_writer* dtw = (struct dt_tls_writer*)obj; size_t nread = 0; if(!dtw->connected) return fstrm_res_failure; while(nread < nbytes) { int r; ERR_clear_error(); if((r = SSL_read(dtw->ssl, ((char*)buf)+nread, nbytes-nread)) <= 0) { r = SSL_get_error(dtw->ssl, r); if(r == SSL_ERROR_ZERO_RETURN) { log_msg(LOG_ERR, "dnstap: EOF from %s", dtw->ip); return fstrm_res_failure; } if(r == SSL_ERROR_SYSCALL) { log_msg(LOG_ERR, "dnstap: read %s: %s", dtw->ip, strerror(errno)); return fstrm_res_failure; } if(r == SSL_ERROR_SSL) { log_crypto_err("dnstap: could not SSL_read"); return fstrm_res_failure; } log_msg(LOG_ERR, "dnstap: SSL_read failed with err %d", r); return fstrm_res_failure; } nread += r; } return fstrm_res_success; } /* The fstrm writer write callback for TLS */ static fstrm_res dt_tls_writer_write(void* obj, const struct iovec* iov, int iovcnt) { struct dt_tls_writer* dtw = (struct dt_tls_writer*)obj; int i; if(!dtw->connected) return fstrm_res_failure; for(i=0; issl, iov[i].iov_base, (int)(iov[i].iov_len)) <= 0) { log_crypto_err("dnstap: could not SSL_write"); return fstrm_res_failure; } } return fstrm_res_success; } /* Create the fstrm writer object for TLS */ static struct fstrm_writer* dt_tls_make_writer(struct fstrm_writer_options* fwopt, struct dt_tls_writer* dtw) { struct fstrm_rdwr* rdwr = fstrm_rdwr_init(dtw); fstrm_rdwr_set_destroy(rdwr, dt_tls_writer_destroy); fstrm_rdwr_set_open(rdwr, dt_tls_writer_open); fstrm_rdwr_set_close(rdwr, dt_tls_writer_close); fstrm_rdwr_set_read(rdwr, dt_tls_writer_read); fstrm_rdwr_set_write(rdwr, dt_tls_writer_write); return fstrm_writer_init(fwopt, &rdwr); } #endif /* HAVE_SSL */ /* check that the socket file can be opened and exists, print error if not */ static void check_socket_file(const char* socket_path) { struct stat statbuf; memset(&statbuf, 0, sizeof(statbuf)); if(stat(socket_path, &statbuf) < 0) { log_msg(LOG_WARNING, "could not open dnstap-socket-path: %s, %s", socket_path, strerror(errno)); } } struct dt_env * dt_create(const char *socket_path, char* ip, unsigned num_workers, int tls, char* tls_server_name, char* tls_cert_bundle, char* tls_client_key_file, char* tls_client_cert_file) { #ifndef NDEBUG fstrm_res res; #endif struct dt_env *env; struct fstrm_iothr_options *fopt; struct fstrm_unix_writer_options *fuwopt = NULL; struct fstrm_tcp_writer_options *ftwopt = NULL; struct fstrm_writer *fw; struct fstrm_writer_options *fwopt; assert(num_workers > 0); if(ip == NULL || ip[0] == 0) { VERBOSITY(1, (LOG_INFO, "attempting to connect to dnstap socket %s", socket_path)); assert(socket_path != NULL); check_socket_file(socket_path); } else { VERBOSITY(1, (LOG_INFO, "attempting to connect to dnstap %ssocket %s", (tls?"tls ":""), ip)); } env = (struct dt_env *) calloc(1, sizeof(struct dt_env)); if (!env) return NULL; fwopt = fstrm_writer_options_init(); #ifndef NDEBUG res = #else (void) #endif fstrm_writer_options_add_content_type(fwopt, DNSTAP_CONTENT_TYPE, sizeof(DNSTAP_CONTENT_TYPE) - 1); assert(res == fstrm_res_success); if(ip == NULL || ip[0] == 0) { fuwopt = fstrm_unix_writer_options_init(); fstrm_unix_writer_options_set_socket_path(fuwopt, socket_path); } else { char* at = strchr(ip, '@'); if(!tls) { ftwopt = fstrm_tcp_writer_options_init(); if(at == NULL) { fstrm_tcp_writer_options_set_socket_address(ftwopt, ip); fstrm_tcp_writer_options_set_socket_port(ftwopt, "3333"); } else { *at = 0; fstrm_tcp_writer_options_set_socket_address(ftwopt, ip); fstrm_tcp_writer_options_set_socket_port(ftwopt, at+1); *at = '@'; } } else { #ifdef HAVE_SSL env->tls_writer = tls_writer_init(ip, tls_server_name, tls_cert_bundle, tls_client_key_file, tls_client_cert_file); #else (void)tls_server_name; (void)tls_cert_bundle; (void)tls_client_key_file; (void)tls_client_cert_file; log_msg(LOG_ERR, "dnstap: tls enabled but compiled without ssl."); #endif if(!env->tls_writer) { log_msg(LOG_ERR, "dt_create: tls_writer_init() failed"); fstrm_writer_options_destroy(&fwopt); free(env); return NULL; } } } if(ip == NULL || ip[0] == 0) fw = fstrm_unix_writer_init(fuwopt, fwopt); else if(!tls) fw = fstrm_tcp_writer_init(ftwopt, fwopt); #ifdef HAVE_SSL else fw = dt_tls_make_writer(fwopt, env->tls_writer); #endif assert(fw != NULL); fopt = fstrm_iothr_options_init(); fstrm_iothr_options_set_num_input_queues(fopt, num_workers); env->iothr = fstrm_iothr_init(fopt, &fw); if (env->iothr == NULL) { log_msg(LOG_ERR, "dt_create: fstrm_iothr_init() failed"); fstrm_writer_destroy(&fw); free(env); env = NULL; } fstrm_iothr_options_destroy(&fopt); if(ip == NULL || ip[0] == 0) fstrm_unix_writer_options_destroy(&fuwopt); else if(!tls) fstrm_tcp_writer_options_destroy(&ftwopt); fstrm_writer_options_destroy(&fwopt); return env; } static void dt_apply_identity(struct dt_env *env, struct nsd_options *cfg) { char buf[MAXHOSTNAMELEN+1]; if (!cfg->dnstap_send_identity) return; free(env->identity); if (cfg->dnstap_identity == NULL || cfg->dnstap_identity[0] == 0) { if (gethostname(buf, MAXHOSTNAMELEN) == 0) { buf[MAXHOSTNAMELEN] = 0; env->identity = strdup(buf); } else { error("dt_apply_identity: gethostname() failed"); } } else { env->identity = strdup(cfg->dnstap_identity); } if (env->identity == NULL) error("dt_apply_identity: strdup() failed"); env->len_identity = (unsigned int)strlen(env->identity); VERBOSITY(1, (LOG_INFO, "dnstap identity field set to \"%s\"", env->identity)); } static void dt_apply_version(struct dt_env *env, struct nsd_options *cfg) { if (!cfg->dnstap_send_version) return; free(env->version); if (cfg->dnstap_version == NULL || cfg->dnstap_version[0] == 0) env->version = strdup(PACKAGE_STRING); else env->version = strdup(cfg->dnstap_version); if (env->version == NULL) error("dt_apply_version: strdup() failed"); env->len_version = (unsigned int)strlen(env->version); VERBOSITY(1, (LOG_INFO, "dnstap version field set to \"%s\"", env->version)); } void dt_apply_cfg(struct dt_env *env, struct nsd_options *cfg) { if (!cfg->dnstap_enable) return; dt_apply_identity(env, cfg); dt_apply_version(env, cfg); if ((env->log_auth_query_messages = (unsigned int) cfg->dnstap_log_auth_query_messages)) { VERBOSITY(1, (LOG_INFO, "dnstap Message/AUTH_QUERY enabled")); } if ((env->log_auth_response_messages = (unsigned int) cfg->dnstap_log_auth_response_messages)) { VERBOSITY(1, (LOG_INFO, "dnstap Message/AUTH_RESPONSE enabled")); } } int dt_init(struct dt_env *env) { env->ioq = fstrm_iothr_get_input_queue(env->iothr); if (env->ioq == NULL) return 0; return 1; } void dt_delete(struct dt_env *env) { if (!env) return; VERBOSITY(1, (LOG_INFO, "closing dnstap socket")); fstrm_iothr_destroy(&env->iothr); free(env->identity); free(env->version); free(env); } static void dt_fill_timeval(const struct timeval *tv, uint64_t *time_sec, protobuf_c_boolean *has_time_sec, uint32_t *time_nsec, protobuf_c_boolean *has_time_nsec) { #ifndef S_SPLINT_S *time_sec = tv->tv_sec; *time_nsec = tv->tv_usec * 1000; #endif *has_time_sec = 1; *has_time_nsec = 1; } static void dt_fill_buffer(uint8_t* pkt, size_t pktlen, ProtobufCBinaryData *p, protobuf_c_boolean *has) { p->len = pktlen; p->data = pkt; *has = 1; } static void dt_msg_fill_net(struct dt_msg *dm, #ifdef INET6 struct sockaddr_storage *rs, struct sockaddr_storage *qs, #else struct sockaddr_in *rs, struct sockaddr_in *qs, #endif int is_tcp, ProtobufCBinaryData *raddr, protobuf_c_boolean *has_raddr, uint32_t *rport, protobuf_c_boolean *has_rport, ProtobufCBinaryData *qaddr, protobuf_c_boolean *has_qaddr, uint32_t *qport, protobuf_c_boolean *has_qport) { #ifdef INET6 assert(qs->ss_family == AF_INET6 || qs->ss_family == AF_INET); if (qs->ss_family == AF_INET6) { struct sockaddr_in6 *s = (struct sockaddr_in6 *) qs; /* socket_family */ dm->m.socket_family = DNSTAP__SOCKET_FAMILY__INET6; dm->m.has_socket_family = 1; /* addr: query_address or response_address */ qaddr->data = s->sin6_addr.s6_addr; qaddr->len = 16; /* IPv6 */ *has_qaddr = 1; /* port: query_port or response_port */ *qport = ntohs(s->sin6_port); *has_qport = 1; } else if (qs->ss_family == AF_INET) { #else if (qs->sin_family == AF_INET) { #endif /* INET6 */ struct sockaddr_in *s = (struct sockaddr_in *) qs; /* socket_family */ dm->m.socket_family = DNSTAP__SOCKET_FAMILY__INET; dm->m.has_socket_family = 1; /* addr: query_address or response_address */ qaddr->data = (uint8_t *) &s->sin_addr.s_addr; qaddr->len = 4; /* IPv4 */ *has_qaddr = 1; /* port: query_port or response_port */ *qport = ntohs(s->sin_port); *has_qport = 1; } #ifdef INET6 assert(rs->ss_family == AF_INET6 || rs->ss_family == AF_INET); if (rs->ss_family == AF_INET6) { struct sockaddr_in6 *s = (struct sockaddr_in6 *) rs; /* addr: query_address or response_address */ raddr->data = s->sin6_addr.s6_addr; raddr->len = 16; /* IPv6 */ *has_raddr = 1; /* port: query_port or response_port */ *rport = ntohs(s->sin6_port); *has_rport = 1; } else if (rs->ss_family == AF_INET) { #else if (rs->sin_family == AF_INET) { #endif /* INET6 */ struct sockaddr_in *s = (struct sockaddr_in *) rs; /* addr: query_address or response_address */ raddr->data = (uint8_t *) &s->sin_addr.s_addr; raddr->len = 4; /* IPv4 */ *has_raddr = 1; /* port: query_port or response_port */ *rport = ntohs(s->sin_port); *has_rport = 1; } if (!is_tcp) { /* socket_protocol */ dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__UDP; dm->m.has_socket_protocol = 1; } else { /* socket_protocol */ dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__TCP; dm->m.has_socket_protocol = 1; } } void dt_msg_send_auth_query(struct dt_env *env, #ifdef INET6 struct sockaddr_storage* local_addr, struct sockaddr_storage* addr, #else struct sockaddr_in* local_addr, struct sockaddr_in* addr, #endif int is_tcp, uint8_t* zone, size_t zonelen, uint8_t* pkt, size_t pktlen) { struct dt_msg dm; struct timeval qtime; gettimeofday(&qtime, NULL); /* type */ dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__AUTH_QUERY); if(zone) { /* query_zone */ dm.m.query_zone.data = zone; dm.m.query_zone.len = zonelen; dm.m.has_query_zone = 1; } /* query_time */ dt_fill_timeval(&qtime, &dm.m.query_time_sec, &dm.m.has_query_time_sec, &dm.m.query_time_nsec, &dm.m.has_query_time_nsec); /* query_message */ dt_fill_buffer(pkt, pktlen, &dm.m.query_message, &dm.m.has_query_message); /* socket_family, socket_protocol, query_address, query_port, reponse_address (local_address), response_port (local_port) */ dt_msg_fill_net(&dm, local_addr, addr, is_tcp, &dm.m.response_address, &dm.m.has_response_address, &dm.m.response_port, &dm.m.has_response_port, &dm.m.query_address, &dm.m.has_query_address, &dm.m.query_port, &dm.m.has_query_port); if (dt_pack(&dm.d, &dm.buf, &dm.len_buf)) dt_send(env, dm.buf, dm.len_buf); } void dt_msg_send_auth_response(struct dt_env *env, #ifdef INET6 struct sockaddr_storage* local_addr, struct sockaddr_storage* addr, #else struct sockaddr_in* local_addr, struct sockaddr_in* addr, #endif int is_tcp, uint8_t* zone, size_t zonelen, uint8_t* pkt, size_t pktlen) { struct dt_msg dm; struct timeval rtime; gettimeofday(&rtime, NULL); /* type */ dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__AUTH_RESPONSE); if(zone) { /* query_zone */ dm.m.query_zone.data = zone; dm.m.query_zone.len = zonelen; dm.m.has_query_zone = 1; } /* response_time */ dt_fill_timeval(&rtime, &dm.m.response_time_sec, &dm.m.has_response_time_sec, &dm.m.response_time_nsec, &dm.m.has_response_time_nsec); /* response_message */ dt_fill_buffer(pkt, pktlen, &dm.m.response_message, &dm.m.has_response_message); /* socket_family, socket_protocol, query_address, query_port, response_address (local_address), response_port (local_port) */ dt_msg_fill_net(&dm, local_addr, addr, is_tcp, &dm.m.response_address, &dm.m.has_response_address, &dm.m.response_port, &dm.m.has_response_port, &dm.m.query_address, &dm.m.has_query_address, &dm.m.query_port, &dm.m.has_query_port); if (dt_pack(&dm.d, &dm.buf, &dm.len_buf)) dt_send(env, dm.buf, dm.len_buf); } #endif /* USE_DNSTAP */